--- old/src/java.base/share/classes/com/sun/crypto/provider/OAEPParameters.java	2018-05-11 15:03:27.560538200 -0700
+++ new/src/java.base/share/classes/com/sun/crypto/provider/OAEPParameters.java	2018-05-11 15:03:27.027619900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -137,6 +137,10 @@
                     mgfSpec = MGF1ParameterSpec.SHA384;
                 } else if (mgfDigestName.equals("SHA-512")) {
                     mgfSpec = MGF1ParameterSpec.SHA512;
+                } else if (mgfDigestName.equals("SHA-512/224")) {
+                    mgfSpec = MGF1ParameterSpec.SHA512_224;
+                } else if (mgfDigestName.equals("SHA-512/256")) {
+                    mgfSpec = MGF1ParameterSpec.SHA512_256;
                 } else {
                     throw new IOException(
                         "Unrecognized message digest algorithm");
--- old/src/java.base/share/classes/com/sun/crypto/provider/RSACipher.java	2018-05-11 15:03:29.671165000 -0700
+++ new/src/java.base/share/classes/com/sun/crypto/provider/RSACipher.java	2018-05-11 15:03:29.097624300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,13 +44,15 @@
 
 /**
  * RSA cipher implementation. Supports RSA en/decryption and signing/verifying
- * using PKCS#1 v1.5 padding and without padding (raw RSA). Note that raw RSA
- * is supported mostly for completeness and should only be used in rare cases.
+ * using both PKCS#1 v1.5 and OAEP (v2.2) paddings and without padding (raw RSA).
+ * Note that raw RSA is supported mostly for completeness and should only be
+ * used in rare cases.
  *
  * Objects should be instantiated by calling Cipher.getInstance() using the
  * following algorithm names:
- *  . "RSA/ECB/PKCS1Padding" (or "RSA") for PKCS#1 padding. The mode (blocktype)
- *    is selected based on the en/decryption mode and public/private key used
+ *  . "RSA/ECB/PKCS1Padding" (or "RSA") for PKCS#1 v1.5 padding.
+ *  . "RSA/ECB/OAEPwith<hash>andMGF1Padding" (or "RSA/ECB/OAEPPadding") for
+ *    PKCS#1 v2.2 padding.
  *  . "RSA/ECB/NoPadding" for rsa RSA.
  *
  * We only do one RSA operation per doFinal() call. If the application passes
@@ -81,7 +83,7 @@
     private static final String PAD_NONE  = "NoPadding";
     // constant for PKCS#1 v1.5 RSA
     private static final String PAD_PKCS1 = "PKCS1Padding";
-    // constant for PKCS#2 v2.0 OAEP with MGF1
+    // constant for PKCS#2 v2.2 OAEP with MGF1
     private static final String PAD_OAEP_MGF1  = "OAEP";
 
     // current mode, one of MODE_* above. Set when init() is called
--- old/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java	2018-05-11 15:03:31.844424700 -0700
+++ new/src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java	2018-05-11 15:03:31.257872400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -132,7 +132,9 @@
                             + "|OAEPWITHSHA-224ANDMGF1PADDING"
                             + "|OAEPWITHSHA-256ANDMGF1PADDING"
                             + "|OAEPWITHSHA-384ANDMGF1PADDING"
-                            + "|OAEPWITHSHA-512ANDMGF1PADDING");
+                            + "|OAEPWITHSHA-512ANDMGF1PADDING"
+                            + "|OAEPWITHSHA-512/224ANDMGF1PADDING"
+                            + "|OAEPWITHSHA-512/256ANDMGF1PADDING");
                     put("Cipher.RSA SupportedKeyClasses",
                             "java.security.interfaces.RSAPublicKey" +
                             "|java.security.interfaces.RSAPrivateKey");
--- old/src/java.base/share/classes/java/security/Signature.java	2018-05-11 15:03:34.014694000 -0700
+++ new/src/java.base/share/classes/java/security/Signature.java	2018-05-11 15:03:33.382513800 -0700
@@ -284,6 +284,7 @@
         signatureInfo.put("sun.security.rsa.RSASignature$SHA256withRSA", TRUE);
         signatureInfo.put("sun.security.rsa.RSASignature$SHA384withRSA", TRUE);
         signatureInfo.put("sun.security.rsa.RSASignature$SHA512withRSA", TRUE);
+        signatureInfo.put("sun.security.rsa.RSAPSSSignature", TRUE);
         signatureInfo.put("com.sun.net.ssl.internal.ssl.RSASignature", TRUE);
         signatureInfo.put("sun.security.pkcs11.P11Signature", TRUE);
     }
--- old/src/java.base/share/classes/java/security/SignedObject.java	2018-05-11 15:03:36.169008100 -0700
+++ new/src/java.base/share/classes/java/security/SignedObject.java	2018-05-11 15:03:35.632966900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package java.security;
 
 import java.io.*;
+import java.security.spec.AlgorithmParameterSpec;
 
 /**
  * <p> SignedObject is a class for the purpose of creating authentic
@@ -47,7 +48,7 @@
  * Signature signingEngine = Signature.getInstance(algorithm,
  *                                                 provider);
  * SignedObject so = new SignedObject(myobject, signingKey,
- *                                    signingEngine);
+ *                                    signingParams, signingEngine);
  * }</pre>
  *
  * <p> A typical usage for verification is the following (having
@@ -56,7 +57,7 @@
  * <pre>{@code
  * Signature verificationEngine =
  *     Signature.getInstance(algorithm, provider);
- * if (so.verify(publickey, verificationEngine))
+ * if (so.verify(verificationKey, verificationParams, verificationEngine))
  *     try {
  *         Object myobj = so.getObject();
  *     } catch (java.lang.ClassNotFoundException e) {};
@@ -67,7 +68,9 @@
  * re-initialized inside the constructor and the {@code verify}
  * method. Secondly, for verification to succeed, the specified
  * public key must be the public key corresponding to the private key
- * used to generate the SignedObject.
+ * used to generate the SignedObject. If signing parameters are used,
+ * the same parameters must be specified when calling {@code verify}
+ * method for verification to succeed.
  *
  * <p> More importantly, for flexibility reasons, the
  * constructor and {@code verify} method allow for
@@ -132,8 +135,8 @@
 
     /**
      * Constructs a SignedObject from any Serializable object.
-     * The given object is signed with the given signing key, using the
-     * designated signature engine.
+     * The given object is signed with the given signing key with
+     * no signature parameters, using the designated signature engine.
      *
      * @param object the object to be signed.
      * @param signingKey the private key for signing.
@@ -146,19 +149,64 @@
     public SignedObject(Serializable object, PrivateKey signingKey,
                         Signature signingEngine)
         throws IOException, InvalidKeyException, SignatureException {
-            // creating a stream pipe-line, from a to b
-            ByteArrayOutputStream b = new ByteArrayOutputStream();
-            ObjectOutput a = new ObjectOutputStream(b);
-
-            // write and flush the object content to byte array
-            a.writeObject(object);
-            a.flush();
-            a.close();
-            this.content = b.toByteArray();
-            b.close();
+        // creating a stream pipe-line, from a to b
+        ByteArrayOutputStream b = new ByteArrayOutputStream();
+        ObjectOutput a = new ObjectOutputStream(b);
+
+        // write and flush the object content to byte array
+        a.writeObject(object);
+        a.flush();
+        a.close();
+        this.content = b.toByteArray();
+        b.close();
 
-            // now sign the encapsulated object
-            this.sign(signingKey, signingEngine);
+        // now sign the encapsulated object
+        try {
+            this.sign(signingKey, null, signingEngine);
+        } catch (InvalidAlgorithmParameterException e) {
+            // should not happen, re-throw just in case
+            throw new SignatureException(e);
+        }
+    }
+
+    /**
+     * Constructs a SignedObject from any Serializable object.
+     * The given object is signed with the given signing key and
+     * signature parameters, using the designated signature engine.
+     * If the signature algorithm does not use any signature parameters,
+     * {@code signingParams} should be null.
+     *
+     * @param object the object to be signed.
+     * @param signingKey the private key for signing.
+     * @param signingParams the signature parameters used for signing,
+     * may be null.
+     * @param signingEngine the signature signing engine.
+     *
+     * @exception IOException if an error occurs during serialization
+     * @exception InvalidKeyException if the key is invalid.
+     * @exception InvalidAlgorithmParameterException if the given signature
+     * parameters is invalid.
+     * @exception SignatureException if signing fails.
+     * @since 11
+     */
+    public SignedObject(Serializable object, PrivateKey signingKey,
+                        AlgorithmParameterSpec signingParams,
+                        Signature signingEngine)
+        throws IOException, InvalidKeyException,
+        InvalidAlgorithmParameterException, SignatureException {
+        // creating a stream pipe-line, from a to b
+        ByteArrayOutputStream b = new ByteArrayOutputStream();
+        ObjectOutput a = new ObjectOutputStream(b);
+
+        // write and flush the object content to byte array
+        a.writeObject(object);
+        a.flush();
+        a.close();
+        this.content = b.toByteArray();
+        b.close();
+
+        // now sign the encapsulated object
+        this.sign(signingKey, signingParams, signingEngine);
     }
 
     /**
@@ -172,8 +220,7 @@
      * de-serialization
      */
     public Object getObject()
-        throws IOException, ClassNotFoundException
-    {
+        throws IOException, ClassNotFoundException {
         // creating a stream pipe-line, from b to a
         ByteArrayInputStream b = new ByteArrayInputStream(this.content);
         ObjectInput a = new ObjectInputStream(b);
@@ -206,7 +253,8 @@
     /**
      * Verifies that the signature in this SignedObject is the valid
      * signature for the object stored inside, with the given
-     * verification key, using the designated verification engine.
+     * verification key with no signature parameters, using the designated
+     * verification engine.
      *
      * @param verificationKey the public key for verification.
      * @param verificationEngine the signature verification engine.
@@ -222,9 +270,54 @@
     public boolean verify(PublicKey verificationKey,
                           Signature verificationEngine)
          throws InvalidKeyException, SignatureException {
-             verificationEngine.initVerify(verificationKey);
-             verificationEngine.update(this.content.clone());
-             return verificationEngine.verify(this.signature.clone());
+         try {
+             return verify(verificationKey, null, verificationEngine);
+         } catch (InvalidAlgorithmParameterException e) {
+            // should not happen, re-throw just in case
+            throw new SignatureException(e);
+         }
+    }
+
+    /**
+     * Verifies that the signature in this SignedObject is the valid
+     * signature for the object stored inside, with the given
+     * verification key and signature parameters, using the designated
+     * verification engine. If the signature algorithm does not use any
+     * signature parameters, {@code verificationParams} should be null.
+     * When signature parameters are used in signing, the same parameters
+     * must be specified when calling {@code verify} method for the
+     * verification to succeed.
+     *
+     * @param verificationKey the public key for verification.
+     * @param verificationParams the signature parameters for verification.
+     * @param verificationEngine the signature verification engine.
+     *
+     * @exception SignatureException if signature verification failed (an
+     *     exception prevented the signature verification engine from completing
+     *     normally).
+     * @exception InvalidKeyException if the verification key is invalid.
+     * @exception InvalidAlgorithmParameterException if the given signature
+     * parameters is invalid
+     * @return {@code true} if the signature is valid, {@code false} otherwise
+     * @since 11
+     */
+    public boolean verify(PublicKey verificationKey,
+                          AlgorithmParameterSpec verificationParams,
+                          Signature verificationEngine)
+         throws InvalidKeyException, InvalidAlgorithmParameterException,
+         SignatureException {
+         // set parameteres before Signature.initSign/initVerify call,
+         // so key can be checked when it's set
+         try {
+             verificationEngine.setParameter(verificationParams);
+         } catch (UnsupportedOperationException e) {
+             // for backward compatibility, only re-throw when
+             // parameters is not null 
+             if (verificationParams != null) throw e;
+         }
+         verificationEngine.initVerify(verificationKey);
+         verificationEngine.update(this.content.clone());
+         return verificationEngine.verify(this.signature.clone());
     }
 
     /*
@@ -232,18 +325,32 @@
      * designated signature engine.
      *
      * @param signingKey the private key for signing.
+     * @param signingParams the signature parameters for signing.
      * @param signingEngine the signature signing engine.
      *
      * @exception InvalidKeyException if the key is invalid.
+     * @exception InvalidAlgorithmParameterException if the given signature
+     * parameters is invalid
      * @exception SignatureException if signing fails.
      */
-    private void sign(PrivateKey signingKey, Signature signingEngine)
-        throws InvalidKeyException, SignatureException {
-            // initialize the signing engine
-            signingEngine.initSign(signingKey);
-            signingEngine.update(this.content.clone());
-            this.signature = signingEngine.sign().clone();
-            this.thealgorithm = signingEngine.getAlgorithm();
+    private void sign(PrivateKey signingKey,
+                      AlgorithmParameterSpec signingParams,
+                      Signature signingEngine)
+        throws InvalidKeyException, InvalidAlgorithmParameterException,
+        SignatureException {
+        // set parameteres before Signature.initSign/initVerify call,
+        // so key can be checked when it's set
+        try {
+            signingEngine.setParameter(signingParams);
+        } catch (UnsupportedOperationException e) {
+            // for backward compatibility, only re-throw when
+            // parameters is not null
+            if (signingParams != null) throw e;
+        }
+        signingEngine.initSign(signingKey);
+        signingEngine.update(this.content.clone());
+        this.signature = signingEngine.sign().clone();
+        this.thealgorithm = signingEngine.getAlgorithm();
     }
 
     /**
@@ -252,9 +359,9 @@
      */
     private void readObject(java.io.ObjectInputStream s)
         throws java.io.IOException, ClassNotFoundException {
-            java.io.ObjectInputStream.GetField fields = s.readFields();
-            content = ((byte[])fields.get("content", null)).clone();
-            signature = ((byte[])fields.get("signature", null)).clone();
-            thealgorithm = (String)fields.get("thealgorithm", null);
+        java.io.ObjectInputStream.GetField fields = s.readFields();
+        content = ((byte[])fields.get("content", null)).clone();
+        signature = ((byte[])fields.get("signature", null)).clone();
+        thealgorithm = (String)fields.get("thealgorithm", null);
     }
 }
--- old/src/java.base/share/classes/java/security/cert/X509CRL.java	2018-05-11 15:03:38.015918600 -0700
+++ new/src/java.base/share/classes/java/security/cert/X509CRL.java	2018-05-11 15:03:37.492655200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,14 +25,9 @@
 
 package java.security.cert;
 
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.InvalidKeyException;
-import java.security.SignatureException;
-import java.security.Principal;
-import java.security.Provider;
-import java.security.PublicKey;
-import java.security.Signature;
+import java.security.*;
+import java.security.spec.*;
+
 import javax.security.auth.x500.X500Principal;
 
 import java.math.BigInteger;
@@ -41,6 +36,7 @@
 import java.util.Arrays;
 
 import sun.security.x509.X509CRLImpl;
+import sun.security.util.SignatureUtil;
 
 /**
  * <p>
@@ -246,8 +242,19 @@
         Signature sig = (sigProvider == null)
             ? Signature.getInstance(getSigAlgName())
             : Signature.getInstance(getSigAlgName(), sigProvider);
+
         sig.initVerify(key);
 
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selections occur when key is set
+        try {
+            SignatureUtil.specialSetParameter(sig, getSigAlgParams());
+        } catch (ProviderException e) {
+            throw new CRLException(e.getMessage(), e.getCause());
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new CRLException(e);
+        }
+
         byte[] tbsCRL = getTBSCertList();
         sig.update(tbsCRL, 0, tbsCRL.length);
 
--- old/src/java.base/share/classes/java/security/cert/X509Certificate.java	2018-05-11 15:03:39.920892300 -0700
+++ new/src/java.base/share/classes/java/security/cert/X509Certificate.java	2018-05-11 15:03:39.303451800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,12 +27,14 @@
 
 import java.math.BigInteger;
 import java.security.*;
+import java.security.spec.*;
 import java.util.Collection;
 import java.util.Date;
 import java.util.List;
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.x509.X509CertImpl;
+import sun.security.util.SignatureUtil;
 
 /**
  * <p>
@@ -677,8 +679,19 @@
         Signature sig = (sigProvider == null)
             ? Signature.getInstance(getSigAlgName())
             : Signature.getInstance(getSigAlgName(), sigProvider);
+
         sig.initVerify(key);
 
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selections occur when key is set
+        try {
+            SignatureUtil.specialSetParameter(sig, getSigAlgParams());
+        } catch (ProviderException e) {
+            throw new CertificateException(e.getMessage(), e.getCause());
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new CertificateException(e);
+        }
+
         byte[] tbsCert = getTBSCertificate();
         sig.update(tbsCert, 0, tbsCert.length);
 
--- old/src/java.base/share/classes/java/security/interfaces/RSAKey.java	2018-05-11 15:03:42.023669200 -0700
+++ new/src/java.base/share/classes/java/security/interfaces/RSAKey.java	2018-05-11 15:03:41.491392500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,9 +26,12 @@
 package java.security.interfaces;
 
 import java.math.BigInteger;
+import java.security.spec.AlgorithmParameterSpec;
 
 /**
- * The interface to an RSA public or private key.
+ * The interface to a public or private key in
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
+ * such as those for RSA, or RSASSA-PSS algorithms.
  *
  * @author Jan Luehe
  *
@@ -46,4 +49,20 @@
      * @return the modulus
      */
     public BigInteger getModulus();
+
+    /**
+     * Returns the parameters associated with this key.
+     * The parameters are optional and may be either
+     * explicitly specified or implicitly created during
+     * key pair generation.
+     *
+     * @implSpec
+     * The default implementation returns {@code null}.
+     *
+     * @return the associated parameters, may be null
+     * @since 11
+     */
+    default AlgorithmParameterSpec getParams() {
+        return null;
+    }
 }
--- old/src/java.base/share/classes/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java	2018-05-11 15:03:44.080548300 -0700
+++ new/src/java.base/share/classes/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java	2018-05-11 15:03:43.538667100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,8 +30,8 @@
 
 /**
  * The interface to an RSA multi-prime private key, as defined in the
- * PKCS#1 v2.1, using the <i>Chinese Remainder Theorem</i>
- * (CRT) information values.
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
+ * using the <i>Chinese Remainder Theorem</i> (CRT) information values.
  *
  * @author Valerie Peng
  *
--- old/src/java.base/share/classes/java/security/interfaces/RSAPrivateCrtKey.java	2018-05-11 15:03:46.123872500 -0700
+++ new/src/java.base/share/classes/java/security/interfaces/RSAPrivateCrtKey.java	2018-05-11 15:03:45.562476700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,8 @@
 import java.math.BigInteger;
 
 /**
- * The interface to an RSA private key, as defined in the PKCS#1 standard,
+ * The interface to an RSA private key, as defined in the
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
  * using the <i>Chinese Remainder Theorem</i> (CRT) information values.
  *
  * @author Jan Luehe
--- old/src/java.base/share/classes/java/security/interfaces/package-info.java	2018-05-11 15:03:48.459013900 -0700
+++ new/src/java.base/share/classes/java/security/interfaces/package-info.java	2018-05-11 15:03:47.851310000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -51,7 +51,7 @@
  * <h2>Package Specification</h2>
  *
  * <ul>
- *   <li>PKCS #1: RSA Encryption Standard, Version 1.5, November 1993 </li>
+ *   <li>PKCS #1: RSA Cryptography Specifications, Version 2.2 (RFC 8017)</li>
  *   <li>Federal Information Processing Standards Publication (FIPS PUB) 186:
  *     Digital Signature Standard (DSS) </li>
  * </ul>
--- old/src/java.base/share/classes/java/security/spec/MGF1ParameterSpec.java	2018-05-11 15:03:50.635974000 -0700
+++ new/src/java.base/share/classes/java/security/spec/MGF1ParameterSpec.java	2018-05-11 15:03:50.086996300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,23 +29,31 @@
 
 /**
  * This class specifies the set of parameters used with mask generation
- * function MGF1 in OAEP Padding and RSA-PSS signature scheme, as
+ * function MGF1 in OAEP Padding and RSASSA-PSS signature scheme, as
  * defined in the
- * <a href="http://www.ietf.org/rfc/rfc3447.txt">PKCS #1 v2.1</a>
- * standard.
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard.
  *
  * <p>Its ASN.1 definition in PKCS#1 standard is described below:
  * <pre>
- * MGF1Parameters ::= OAEP-PSSDigestAlgorthms
+ * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
+ *   { OID id-mgf1 PARAMETERS HashAlgorithm },
+ *   ...  -- Allows for future expansion --
+ * }
  * </pre>
  * where
  * <pre>
+ * HashAlgorithm ::= AlgorithmIdentifier {
+ *   {OAEP-PSSDigestAlgorithms}
+ * }
+ *
  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-sha1 PARAMETERS NULL   }|
- *   { OID id-sha224 PARAMETERS NULL   }|
- *   { OID id-sha256 PARAMETERS NULL }|
- *   { OID id-sha384 PARAMETERS NULL }|
- *   { OID id-sha512 PARAMETERS NULL },
+ *   { OID id-sha1       PARAMETERS NULL }|
+ *   { OID id-sha224     PARAMETERS NULL }|
+ *   { OID id-sha256     PARAMETERS NULL }|
+ *   { OID id-sha384     PARAMETERS NULL }|
+ *   { OID id-sha512     PARAMETERS NULL }|
+ *   { OID id-sha512-224 PARAMETERS NULL }|
+ *   { OID id-sha512-256 PARAMETERS NULL },
  *   ...  -- Allows for future expansion --
  * }
  * </pre>
@@ -59,31 +67,47 @@
 public class MGF1ParameterSpec implements AlgorithmParameterSpec {
 
     /**
-     * The MGF1ParameterSpec which uses "SHA-1" message digest.
+     * The MGF1ParameterSpec which uses "SHA-1" message digest
      */
     public static final MGF1ParameterSpec SHA1 =
         new MGF1ParameterSpec("SHA-1");
+
     /**
-     * The MGF1ParameterSpec which uses "SHA-224" message digest.
+     * The MGF1ParameterSpec which uses "SHA-224" message digest
      */
     public static final MGF1ParameterSpec SHA224 =
         new MGF1ParameterSpec("SHA-224");
+
     /**
-     * The MGF1ParameterSpec which uses "SHA-256" message digest.
+     * The MGF1ParameterSpec which uses "SHA-256" message digest
      */
     public static final MGF1ParameterSpec SHA256 =
         new MGF1ParameterSpec("SHA-256");
+
     /**
-     * The MGF1ParameterSpec which uses "SHA-384" message digest.
+     * The MGF1ParameterSpec which uses "SHA-384" message digest
      */
     public static final MGF1ParameterSpec SHA384 =
         new MGF1ParameterSpec("SHA-384");
+
     /**
-     * The MGF1ParameterSpec which uses SHA-512 message digest.
+     * The MGF1ParameterSpec which uses SHA-512 message digest
      */
     public static final MGF1ParameterSpec SHA512 =
         new MGF1ParameterSpec("SHA-512");
 
+    /**
+     * The MGF1ParameterSpec which uses SHA-512/224 message digest
+     */
+    public static final MGF1ParameterSpec SHA512_224 =
+        new MGF1ParameterSpec("SHA-512/224");
+
+    /**
+     * The MGF1ParameterSpec which uses SHA-512/256 message digest
+     */
+    public static final MGF1ParameterSpec SHA512_256 =
+        new MGF1ParameterSpec("SHA-512/256");
+
     private String mdName;
 
     /**
--- old/src/java.base/share/classes/java/security/spec/PSSParameterSpec.java	2018-05-11 15:03:52.661378700 -0700
+++ new/src/java.base/share/classes/java/security/spec/PSSParameterSpec.java	2018-05-11 15:03:52.096538400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,37 +25,43 @@
 
 package java.security.spec;
 
-import java.math.BigInteger;
+import java.util.Objects;
 import java.security.spec.MGF1ParameterSpec;
 
 /**
- * This class specifies a parameter spec for RSA-PSS signature scheme,
+ * This class specifies a parameter spec for RSASSA-PSS signature scheme,
  * as defined in the
- * <a href="http://www.ietf.org/rfc/rfc3447.txt">PKCS#1 v2.1</a>
- * standard.
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard.
  *
  * <p>Its ASN.1 definition in PKCS#1 standard is described below:
  * <pre>
  * RSASSA-PSS-params ::= SEQUENCE {
- *   hashAlgorithm      [0] OAEP-PSSDigestAlgorithms  DEFAULT sha1,
- *   maskGenAlgorithm   [1] PKCS1MGFAlgorithms  DEFAULT mgf1SHA1,
- *   saltLength         [2] INTEGER  DEFAULT 20,
- *   trailerField       [3] INTEGER  DEFAULT 1
+ *   hashAlgorithm      [0] HashAlgorithm      DEFAULT sha1,
+ *   maskGenAlgorithm   [1] MaskGenAlgorithm   DEFAULT mgf1SHA1,
+ *   saltLength         [2] INTEGER            DEFAULT 20,
+ *   trailerField       [3] TrailerField       DEFAULT trailerFieldBC(1)
  * }
  * </pre>
  * where
  * <pre>
+ * HashAlgorithm ::= AlgorithmIdentifier {
+ *   {OAEP-PSSDigestAlgorithms}
+ * }
+ * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
+ * TrailerField ::= INTEGER { trailerFieldBC(1) }
+ *
  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-sha1 PARAMETERS NULL   }|
- *   { OID id-sha224 PARAMETERS NULL   }|
- *   { OID id-sha256 PARAMETERS NULL }|
- *   { OID id-sha384 PARAMETERS NULL }|
- *   { OID id-sha512 PARAMETERS NULL },
+ *   { OID id-sha1       PARAMETERS NULL }|
+ *   { OID id-sha224     PARAMETERS NULL }|
+ *   { OID id-sha256     PARAMETERS NULL }|
+ *   { OID id-sha384     PARAMETERS NULL }|
+ *   { OID id-sha512     PARAMETERS NULL }|
+ *   { OID id-sha512-224 PARAMETERS NULL }|
+ *   { OID id-sha512-256 PARAMETERS NULL },
  *   ...  -- Allows for future expansion --
  * }
- *
  * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-mgf1 PARAMETERS OAEP-PSSDigestAlgorithms },
+ *   { OID id-mgf1 PARAMETERS HashAlgorithm },
  *   ...  -- Allows for future expansion --
  * }
  * </pre>
@@ -78,55 +84,60 @@
 
 public class PSSParameterSpec implements AlgorithmParameterSpec {
 
-    private String mdName = "SHA-1";
-    private String mgfName = "MGF1";
-    private AlgorithmParameterSpec mgfSpec = MGF1ParameterSpec.SHA1;
-    private int saltLen = 20;
-    private int trailerField = 1;
+    private final String mdName;
+
+    private final String mgfName;
+
+    private final AlgorithmParameterSpec mgfSpec;
+
+    private final int saltLen;
+
+    private final int trailerField;
 
     /**
-     * The PSS parameter set with all default values.
-     * @since 1.5
+     * The {@code TrailerFieldBC} constant as defined in PKCS#1
+     * @since 11
      */
-    public static final PSSParameterSpec DEFAULT = new PSSParameterSpec();
+    public static final int TRAILER_FIELD_BC = 1;
 
     /**
-     * Constructs a new {@code PSSParameterSpec} as defined in
-     * the PKCS #1 standard using the default values.
+     * The PSS parameter set with all default values
+     * @since 1.5
      */
+    public static final PSSParameterSpec DEFAULT = new PSSParameterSpec
+        ("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, 20, TRAILER_FIELD_BC);
+
+
+    // disallowed
     private PSSParameterSpec() {
+        throw new RuntimeException("default constructor not allowed");
     }
 
+
     /**
      * Creates a new {@code PSSParameterSpec} as defined in
      * the PKCS #1 standard using the specified message digest,
      * mask generation function, parameters for mask generation
      * function, salt length, and trailer field values.
      *
-     * @param mdName the algorithm name of the hash function.
-     * @param mgfName the algorithm name of the mask generation
-     * function.
-     * @param mgfSpec the parameters for the mask generation
-     * function. If null is specified, null will be returned by
-     * getMGFParameters().
-     * @param saltLen the length of salt.
-     * @param trailerField the value of the trailer field.
-     * @exception NullPointerException if {@code mdName},
-     * or {@code mgfName} is null.
-     * @exception IllegalArgumentException if {@code saltLen}
-     * or {@code trailerField} is less than 0.
+     * @param mdName       the algorithm name of the hash function
+     * @param mgfName      the algorithm name of the mask generation function
+     * @param mgfSpec      the parameters for the mask generation function
+     *         If null is specified, null will be returned by
+     *         getMGFParameters()
+     * @param saltLen      the length of salt
+     * @param trailerField the value of the trailer field
+     * @exception NullPointerException if {@code mdName}, or {@code mgfName}
+     *         is null
+     * @exception IllegalArgumentException if {@code saltLen} or
+     *         {@code trailerField} is less than 0
      * @since 1.5
      */
     public PSSParameterSpec(String mdName, String mgfName,
-                            AlgorithmParameterSpec mgfSpec,
-                            int saltLen, int trailerField) {
-        if (mdName == null) {
-            throw new NullPointerException("digest algorithm is null");
-        }
-        if (mgfName == null) {
-            throw new NullPointerException("mask generation function " +
-                                           "algorithm is null");
-        }
+            AlgorithmParameterSpec mgfSpec, int saltLen, int trailerField) {
+        Objects.requireNonNull(mdName, "digest algorithm is null");
+        Objects.requireNonNull(mgfName,
+            "mask generation function algorithm is null");
         if (saltLen < 0) {
             throw new IllegalArgumentException("negative saltLen value: " +
                                                saltLen);
@@ -147,23 +158,19 @@
      * using the specified salt length and other default values as
      * defined in PKCS#1.
      *
-     * @param saltLen the length of salt in bits to be used in PKCS#1
-     * PSS encoding.
+     * @param saltLen the length of salt in bytes to be used in PKCS#1
+     * PSS encoding
      * @exception IllegalArgumentException if {@code saltLen} is
-     * less than 0.
+     * less than 0
      */
     public PSSParameterSpec(int saltLen) {
-        if (saltLen < 0) {
-            throw new IllegalArgumentException("negative saltLen value: " +
-                                               saltLen);
-        }
-        this.saltLen = saltLen;
+        this("SHA-1", "MGF1", MGF1ParameterSpec.SHA1, saltLen, TRAILER_FIELD_BC);
     }
 
     /**
      * Returns the message digest algorithm name.
      *
-     * @return the message digest algorithm name.
+     * @return the message digest algorithm name
      * @since 1.5
      */
     public String getDigestAlgorithm() {
@@ -173,7 +180,7 @@
     /**
      * Returns the mask generation function algorithm name.
      *
-     * @return the mask generation function algorithm name.
+     * @return the mask generation function algorithm name
      *
      * @since 1.5
      */
@@ -184,7 +191,7 @@
     /**
      * Returns the parameters for the mask generation function.
      *
-     * @return the parameters for the mask generation function.
+     * @return the parameters for the mask generation function
      * @since 1.5
      */
     public AlgorithmParameterSpec getMGFParameters() {
@@ -192,18 +199,18 @@
     }
 
     /**
-     * Returns the salt length in bits.
+     * Returns the salt length in bytes.
      *
-     * @return the salt length.
+     * @return the salt length
      */
     public int getSaltLength() {
         return saltLen;
     }
 
     /**
-     * Returns the value for the trailer field, i.e. bc in PKCS#1 v2.1.
+     * Returns the value for the trailer field.
      *
-     * @return the value for the trailer field, i.e. bc in PKCS#1 v2.1.
+     * @return the value for the trailer field
      * @since 1.5
      */
     public int getTrailerField() {
--- old/src/java.base/share/classes/java/security/spec/RSAKeyGenParameterSpec.java	2018-05-11 15:03:54.721316300 -0700
+++ new/src/java.base/share/classes/java/security/spec/RSAKeyGenParameterSpec.java	2018-05-11 15:03:54.179867900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,6 +43,7 @@
 
     private int keysize;
     private BigInteger publicExponent;
+    private AlgorithmParameterSpec keyParams;
 
     /**
      * The public-exponent value F0 = 3.
@@ -55,15 +56,30 @@
     public static final BigInteger F4 = BigInteger.valueOf(65537);
 
     /**
-     * Constructs a new {@code RSAParameterSpec} object from the
-     * given keysize and public-exponent value.
+     * Constructs a new {@code RSAKeyGenParameterSpec} object from the
+     * given keysize, public-exponent value, and no key parameters.
      *
      * @param keysize the modulus size (specified in number of bits)
      * @param publicExponent the public exponent
      */
     public RSAKeyGenParameterSpec(int keysize, BigInteger publicExponent) {
+        this(keysize, publicExponent, null);
+    }
+
+    /**
+     * Constructs a new {@code RSAKeyGenParameterSpec} object from the
+     * given keysize, public-exponent value, and key parameters.
+     *
+     * @param keysize the modulus size (specified in number of bits)
+     * @param publicExponent the public exponent
+     * @param keyParams the key parameters
+     * @since 11
+     */
+    public RSAKeyGenParameterSpec(int keysize, BigInteger publicExponent,
+            AlgorithmParameterSpec keyParams) {
         this.keysize = keysize;
         this.publicExponent = publicExponent;
+        this.keyParams = keyParams;
     }
 
     /**
@@ -83,4 +99,15 @@
     public BigInteger getPublicExponent() {
         return publicExponent;
     }
+
+    /**
+     * Returns the parameters to be associated with key.
+     *
+     * @return the associated parameters, may be null if
+     *         not present
+     * @since 11
+     */
+    public AlgorithmParameterSpec getKeyParams() {
+        return keyParams;
+    }
 }
--- old/src/java.base/share/classes/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.java	2018-05-11 15:03:56.755919300 -0700
+++ new/src/java.base/share/classes/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.java	2018-05-11 15:03:56.223543800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,11 +26,13 @@
 package java.security.spec;
 
 import java.math.BigInteger;
+import java.util.Objects;
 
 /**
  * This class specifies an RSA multi-prime private key, as defined in the
- * PKCS#1 v2.1, using the Chinese Remainder Theorem (CRT) information
- * values for efficiency.
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard
+ * using the Chinese Remainder Theorem (CRT) information values
+ * for efficiency.
  *
  * @author Valerie Peng
  *
@@ -57,34 +59,28 @@
     private final RSAOtherPrimeInfo[] otherPrimeInfo;
 
    /**
-    * Creates a new {@code RSAMultiPrimePrivateCrtKeySpec}
-    * given the modulus, publicExponent, privateExponent,
-    * primeP, primeQ, primeExponentP, primeExponentQ,
-    * crtCoefficient, and otherPrimeInfo as defined in PKCS#1 v2.1.
+    * Creates a new {@code RSAMultiPrimePrivateCrtKeySpec}.
     *
     * <p>Note that the contents of {@code otherPrimeInfo}
     * are copied to protect against subsequent modification when
     * constructing this object.
     *
-    * @param modulus the modulus n.
-    * @param publicExponent the public exponent e.
-    * @param privateExponent the private exponent d.
-    * @param primeP the prime factor p of n.
-    * @param primeQ the prime factor q of n.
-    * @param primeExponentP this is d mod (p-1).
-    * @param primeExponentQ this is d mod (q-1).
-    * @param crtCoefficient the Chinese Remainder Theorem
-    * coefficient q-1 mod p.
-    * @param otherPrimeInfo triplets of the rest of primes, null can be
-    * specified if there are only two prime factors (p and q).
-    * @exception NullPointerException if any of the parameters, i.e.
-    * {@code modulus},
-    * {@code publicExponent}, {@code privateExponent},
-    * {@code primeP}, {@code primeQ},
-    * {@code primeExponentP}, {@code primeExponentQ},
-    * {@code crtCoefficient}, is null.
+    * @param modulus         the modulus n
+    * @param publicExponent  the public exponent e
+    * @param privateExponent the private exponent d
+    * @param primeP          the prime factor p of n
+    * @param primeQ          the prime factor q of q
+    * @param primeExponentP  this is d mod (p-1)
+    * @param primeExponentQ  this is d mod (q-1)
+    * @param crtCoefficient  the Chinese Remainder Theorem
+    *                        coefficient q-1 mod p
+    * @param otherPrimeInfo  triplets of the rest of primes, null can be
+    *                        specified if there are only two prime factors
+    *                        (p and q)
+    * @exception NullPointerException     if any of the specified parameters
+    *         with the exception of {@code otherPrimeInfo} is null
     * @exception IllegalArgumentException if an empty, i.e. 0-length,
-    * {@code otherPrimeInfo} is specified.
+    *         {@code otherPrimeInfo} is specified
     */
     public RSAMultiPrimePrivateCrtKeySpec(BigInteger modulus,
                                 BigInteger publicExponent,
@@ -95,39 +91,65 @@
                                 BigInteger primeExponentQ,
                                 BigInteger crtCoefficient,
                                 RSAOtherPrimeInfo[] otherPrimeInfo) {
-        super(modulus, privateExponent);
-        if (modulus == null) {
-            throw new NullPointerException("the modulus parameter must be " +
-                                            "non-null");
-        }
-        if (publicExponent == null) {
-            throw new NullPointerException("the publicExponent parameter " +
-                                            "must be non-null");
-        }
-        if (privateExponent == null) {
-            throw new NullPointerException("the privateExponent parameter " +
-                                            "must be non-null");
-        }
-        if (primeP == null) {
-            throw new NullPointerException("the primeP parameter " +
-                                            "must be non-null");
-        }
-        if (primeQ == null) {
-            throw new NullPointerException("the primeQ parameter " +
-                                            "must be non-null");
-        }
-        if (primeExponentP == null) {
-            throw new NullPointerException("the primeExponentP parameter " +
-                                            "must be non-null");
-        }
-        if (primeExponentQ == null) {
-            throw new NullPointerException("the primeExponentQ parameter " +
-                                            "must be non-null");
-        }
-        if (crtCoefficient == null) {
-            throw new NullPointerException("the crtCoefficient parameter " +
-                                            "must be non-null");
-        }
+        this(modulus, publicExponent, privateExponent, primeP, primeQ,
+             primeExponentP, primeExponentQ, crtCoefficient, otherPrimeInfo,
+             null);
+    }
+
+   /**
+    * Creates a new {@code RSAMultiPrimePrivateCrtKeySpec} with additional
+    * key parameters.
+    *
+    * <p>Note that the contents of {@code otherPrimeInfo}
+    * are copied to protect against subsequent modification when
+    * constructing this object.
+    *
+    * @param modulus          the modulus n
+    * @param publicExponent   the public exponent e
+    * @param privateExponent  the private exponent d
+    * @param primeP           the prime factor p of n
+    * @param primeQ           the prime factor q of n
+    * @param primeExponentP   this is d mod (p-1)
+    * @param primeExponentQ   this is d mod (q-1)
+    * @param crtCoefficient   the Chinese Remainder Theorem coefficient
+    *                         q-1 mod p
+    * @param otherPrimeInfo   triplets of the rest of primes, null can be
+    *                         specified if there are only two prime factors
+    *                         (p and q)
+    * @param keyParams        the parameters associated with key
+    * @exception NullPointerException     if any of the specified parameters
+    *         with the exception of {@code otherPrimeInfo} and {@code keyParams}
+    *         is null
+    * @exception IllegalArgumentException if an empty, i.e. 0-length,
+    *         {@code otherPrimeInfo} is specified
+    * @since 11
+    */
+    public RSAMultiPrimePrivateCrtKeySpec(BigInteger modulus,
+                                BigInteger publicExponent,
+                                BigInteger privateExponent,
+                                BigInteger primeP,
+                                BigInteger primeQ,
+                                BigInteger primeExponentP,
+                                BigInteger primeExponentQ,
+                                BigInteger crtCoefficient,
+                                RSAOtherPrimeInfo[] otherPrimeInfo,
+                                AlgorithmParameterSpec keyParams) {
+        super(modulus, privateExponent, keyParams);
+        Objects.requireNonNull(modulus,
+            "the modulus parameter must be non-null");
+        Objects.requireNonNull(publicExponent, 
+            "the publicExponent parameter must be non-null");
+        Objects.requireNonNull(privateExponent,
+            "the privateExponent parameter must be non-null");
+        Objects.requireNonNull(primeP, "the primeP parameter must be non-null");
+        Objects.requireNonNull(primeQ, "the primeQ parameter must be non-null");
+        Objects.requireNonNull(primeExponentP,
+            "the primeExponentP parameter must be non-null");
+        Objects.requireNonNull(primeExponentQ,
+            "the primeExponentQ parameter must be non-null");
+        Objects.requireNonNull(crtCoefficient,
+            "the crtCoefficient parameter must be non-null");
+
         this.publicExponent = publicExponent;
         this.primeP = primeP;
         this.primeQ = primeQ;
@@ -202,8 +224,8 @@
      * Returns a copy of the otherPrimeInfo or null if there are
      * only two prime factors (p and q).
      *
-     * @return the otherPrimeInfo. Returns a new array each
-     * time this method is called.
+     * @return the otherPrimeInfo. Returns a new array each time this method
+     *         is called.
      */
     public RSAOtherPrimeInfo[] getOtherPrimeInfo() {
         if (otherPrimeInfo == null) return null;
--- old/src/java.base/share/classes/java/security/spec/RSAOtherPrimeInfo.java	2018-05-11 15:03:58.805174200 -0700
+++ new/src/java.base/share/classes/java/security/spec/RSAOtherPrimeInfo.java	2018-05-11 15:03:58.291442000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,15 +29,16 @@
 
 /**
  * This class represents the triplet (prime, exponent, and coefficient)
- * inside RSA's OtherPrimeInfo structure, as defined in the PKCS#1 v2.1.
+ * inside RSA's OtherPrimeInfo structure, as defined in the
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard.
  * The ASN.1 syntax of RSA's OtherPrimeInfo is as follows:
  *
  * <pre>
  * OtherPrimeInfo ::= SEQUENCE {
- *   prime INTEGER,
- *   exponent INTEGER,
- *   coefficient INTEGER
- *   }
+ *   prime        INTEGER,
+ *   exponent     INTEGER,
+ *   coefficient  INTEGER
+ * }
  *
  * </pre>
  *
--- old/src/java.base/share/classes/java/security/spec/RSAPrivateCrtKeySpec.java	2018-05-11 15:04:01.034854400 -0700
+++ new/src/java.base/share/classes/java/security/spec/RSAPrivateCrtKeySpec.java	2018-05-11 15:04:00.408517900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,9 +28,9 @@
 import java.math.BigInteger;
 
 /**
- * This class specifies an RSA private key, as defined in the PKCS#1
- * standard, using the Chinese Remainder Theorem (CRT) information values for
- * efficiency.
+ * This class specifies an RSA private key, as defined in the
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard,
+ * using the Chinese Remainder Theorem (CRT) information values for efficiency.
  *
  * @author Jan Luehe
  * @since 1.2
@@ -53,13 +53,8 @@
     private final BigInteger primeExponentQ;
     private final BigInteger crtCoefficient;
 
-
-
    /**
-    * Creates a new {@code RSAPrivateCrtKeySpec}
-    * given the modulus, publicExponent, privateExponent,
-    * primeP, primeQ, primeExponentP, primeExponentQ, and
-    * crtCoefficient as defined in PKCS#1.
+    * Creates a new {@code RSAPrivateCrtKeySpec}.
     *
     * @param modulus the modulus n
     * @param publicExponent the public exponent e
@@ -79,7 +74,36 @@
                                 BigInteger primeExponentP,
                                 BigInteger primeExponentQ,
                                 BigInteger crtCoefficient) {
-        super(modulus, privateExponent);
+        this(modulus, publicExponent, privateExponent, primeP, primeQ,
+             primeExponentP, primeExponentQ, crtCoefficient, null);
+    }
+
+   /**
+    * Creates a new {@code RSAPrivateCrtKeySpec} with additional
+    * key parameters.
+    *
+    * @param modulus the modulus n
+    * @param publicExponent the public exponent e
+    * @param privateExponent the private exponent d
+    * @param primeP the prime factor p of n
+    * @param primeQ the prime factor q of n
+    * @param primeExponentP this is d mod (p-1)
+    * @param primeExponentQ this is d mod (q-1)
+    * @param crtCoefficient the Chinese Remainder Theorem
+    * coefficient q-1 mod p
+    * @param keyParams the parameters associated with key
+    * @since 11
+    */
+    public RSAPrivateCrtKeySpec(BigInteger modulus,
+                                BigInteger publicExponent,
+                                BigInteger privateExponent,
+                                BigInteger primeP,
+                                BigInteger primeQ,
+                                BigInteger primeExponentP,
+                                BigInteger primeExponentQ,
+                                BigInteger crtCoefficient,
+                                AlgorithmParameterSpec keyParams) {
+        super(modulus, privateExponent, keyParams);
         this.publicExponent = publicExponent;
         this.primeP = primeP;
         this.primeQ = primeQ;
--- old/src/java.base/share/classes/java/security/spec/RSAPrivateKeySpec.java	2018-05-11 15:04:02.987471000 -0700
+++ new/src/java.base/share/classes/java/security/spec/RSAPrivateKeySpec.java	2018-05-11 15:04:02.416275000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,8 +44,9 @@
 
 public class RSAPrivateKeySpec implements KeySpec {
 
-    private BigInteger modulus;
-    private BigInteger privateExponent;
+    private final BigInteger modulus;
+    private final BigInteger privateExponent;
+    private final AlgorithmParameterSpec params;
 
     /**
      * Creates a new RSAPrivateKeySpec.
@@ -54,8 +55,22 @@
      * @param privateExponent the private exponent
      */
     public RSAPrivateKeySpec(BigInteger modulus, BigInteger privateExponent) {
+        this(modulus, privateExponent, null);
+    }
+
+    /**
+     * Creates a new RSAPrivateKeySpec with additional key parameters. 
+     *
+     * @param modulus the modulus
+     * @param privateExponent the private exponent
+     * @param params the parameters associated with this key, may be null
+     * @since 11
+     */
+    public RSAPrivateKeySpec(BigInteger modulus, BigInteger privateExponent,
+            AlgorithmParameterSpec params) {
         this.modulus = modulus;
         this.privateExponent = privateExponent;
+        this.params = params;
     }
 
     /**
@@ -75,4 +90,15 @@
     public BigInteger getPrivateExponent() {
         return this.privateExponent;
     }
+
+    /**
+     * Returns the parameters associated with this key, may be null if not
+     * present.
+     *
+     * @return the parameters associated with this key
+     * @since 11
+     */
+    public AlgorithmParameterSpec getParams() {
+        return this.params;
+    }
 }
--- old/src/java.base/share/classes/java/security/spec/RSAPublicKeySpec.java	2018-05-11 15:04:05.087645300 -0700
+++ new/src/java.base/share/classes/java/security/spec/RSAPublicKeySpec.java	2018-05-11 15:04:04.547247600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2001, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,8 +44,9 @@
 
 public class RSAPublicKeySpec implements KeySpec {
 
-    private BigInteger modulus;
-    private BigInteger publicExponent;
+    private final BigInteger modulus;
+    private final BigInteger publicExponent;
+    private final AlgorithmParameterSpec params;
 
     /**
      * Creates a new RSAPublicKeySpec.
@@ -54,10 +55,25 @@
      * @param publicExponent the public exponent
      */
     public RSAPublicKeySpec(BigInteger modulus, BigInteger publicExponent) {
+        this(modulus, publicExponent, null);
+    }
+
+    /**
+     * Creates a new RSAPublicKeySpec with additional key parameters.
+     *
+     * @param modulus the modulus
+     * @param publicExponent the public exponent
+     * @param params the parameters associated with this key, may be null
+     * @since 11
+     */
+    public RSAPublicKeySpec(BigInteger modulus, BigInteger publicExponent,
+            AlgorithmParameterSpec params) {
         this.modulus = modulus;
         this.publicExponent = publicExponent;
+        this.params = params;
     }
 
+
     /**
      * Returns the modulus.
      *
@@ -75,4 +91,16 @@
     public BigInteger getPublicExponent() {
         return this.publicExponent;
     }
+
+    /**
+     * Returns the parameters associated with this key, may be null if not
+     * present.
+     *
+     * @return the parameters associated with this key
+     * @since 11
+     */
+    public AlgorithmParameterSpec getParams() {
+        return this.params;
+    }
+
 }
--- old/src/java.base/share/classes/java/security/spec/package-info.java	2018-05-11 15:04:07.182521900 -0700
+++ new/src/java.base/share/classes/java/security/spec/package-info.java	2018-05-11 15:04:06.656621400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -42,7 +42,7 @@
  * <h2>Package Specification</h2>
  *
  * <ul>
- *   <li>PKCS #1: RSA Encryption Standard, Version 1.5, November 1993</li>
+ *   <li>PKCS #1: RSA Cryptography Specifications, Version 2.2 (RFC 8017)</li>
  *   <li>PKCS #8: Private-Key Information Syntax Standard,
  *     Version 1.2, November 1993</li>
  *   <li>Federal Information Processing Standards Publication (FIPS PUB) 186:
--- old/src/java.base/share/classes/javax/crypto/Cipher.java	2018-05-11 15:04:09.257433800 -0700
+++ new/src/java.base/share/classes/javax/crypto/Cipher.java	2018-05-11 15:04:08.685731100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -321,11 +321,15 @@
             while (parser.hasMoreTokens() && count < 3) {
                 parts[count++] = parser.nextToken().trim();
             }
-            if (count == 0 || count == 2 || parser.hasMoreTokens()) {
+            if (count == 0 || count == 2) {
                 throw new NoSuchAlgorithmException("Invalid transformation"
                                                + " format:" +
                                                transformation);
             }
+            // treats all subsequent tokens as part of padding
+            if (count == 3 && parser.hasMoreTokens()) {
+                parts[2] = parts[2] + parser.nextToken("\r\n");
+            }
         } catch (NoSuchElementException e) {
             throw new NoSuchAlgorithmException("Invalid transformation " +
                                            "format:" + transformation);
--- old/src/java.base/share/classes/javax/crypto/spec/OAEPParameterSpec.java	2018-05-11 15:04:11.544696600 -0700
+++ new/src/java.base/share/classes/javax/crypto/spec/OAEPParameterSpec.java	2018-05-11 15:04:11.001450100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,40 +32,53 @@
 /**
  * This class specifies the set of parameters used with OAEP Padding,
  * as defined in the
- * <a href="http://www.ietf.org/rfc/rfc3447.txt">PKCS #1</a>
- * standard.
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard.
  *
  * Its ASN.1 definition in PKCS#1 standard is described below:
  * <pre>
  * RSAES-OAEP-params ::= SEQUENCE {
- *   hashAlgorithm      [0] OAEP-PSSDigestAlgorithms     DEFAULT sha1,
- *   maskGenAlgorithm   [1] PKCS1MGFAlgorithms  DEFAULT mgf1SHA1,
- *   pSourceAlgorithm   [2] PKCS1PSourceAlgorithms  DEFAULT pSpecifiedEmpty
+ *   hashAlgorithm      [0] HashAlgorithm     DEFAULT sha1,
+ *   maskGenAlgorithm   [1] MaskGenAlgorithm  DEFAULT mgf1SHA1,
+ *   pSourceAlgorithm   [2] PSourceAlgorithm  DEFAULT pSpecifiedEmpty
  * }
  * </pre>
  * where
  * <pre>
+ * HashAlgorithm ::= AlgorithmIdentifier {
+ *   {OAEP-PSSDigestAlgorithms}
+ * }
+ * MaskGenAlgorithm ::= AlgorithmIdentifier { {PKCS1MGFAlgorithms} }
+ * PSourceAlgorithm ::= AlgorithmIdentifier {
+ *   {PKCS1PSourceAlgorithms}
+ * }
+ *
  * OAEP-PSSDigestAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-sha1 PARAMETERS NULL   }|
- *   { OID id-sha256 PARAMETERS NULL }|
- *   { OID id-sha384 PARAMETERS NULL }|
- *   { OID id-sha512 PARAMETERS NULL },
+ *   { OID id-sha1       PARAMETERS NULL }|
+ *   { OID id-sha224     PARAMETERS NULL }|
+ *   { OID id-sha256     PARAMETERS NULL }|
+ *   { OID id-sha384     PARAMETERS NULL }|
+ *   { OID id-sha512     PARAMETERS NULL }|
+ *   { OID id-sha512-224 PARAMETERS NULL }|
+ *   { OID id-sha512-256 PARAMETERS NULL },
  *   ...  -- Allows for future expansion --
  * }
  * PKCS1MGFAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-mgf1 PARAMETERS OAEP-PSSDigestAlgorithms },
+ *   { OID id-mgf1 PARAMETERS HashAlgorithm },
  *   ...  -- Allows for future expansion --
  * }
  * PKCS1PSourceAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-pSpecified PARAMETERS OCTET STRING },
+ *   { OID id-pSpecified PARAMETERS EncodingParameters },
  *   ...  -- Allows for future expansion --
  * }
+ * EncodingParameters ::= OCTET STRING(SIZE(0..MAX))
  * </pre>
  * <p>Note: the OAEPParameterSpec.DEFAULT uses the following:
+ * <pre>
  *     message digest  -- "SHA-1"
  *     mask generation function (mgf) -- "MGF1"
  *     parameters for mgf -- MGF1ParameterSpec.SHA1
  *     source of encoding input -- PSource.PSpecified.DEFAULT
+ * </pre>
  *
  * @see java.security.spec.MGF1ParameterSpec
  * @see PSource
--- old/src/java.base/share/classes/javax/crypto/spec/PSource.java	2018-05-11 15:04:13.818845600 -0700
+++ new/src/java.base/share/classes/javax/crypto/spec/PSource.java	2018-05-11 15:04:13.075518900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,13 +28,19 @@
 /**
  * This class specifies the source for encoding input P in OAEP Padding,
  * as defined in the
- * <a href="http://www.ietf.org/rfc/rfc3447.txt">PKCS #1</a>
- * standard.
+ * <a href="https://tools.ietf.org/rfc/rfc8017.txt">PKCS#1 v2.2</a> standard.
+ * <pre>
+ * PSourceAlgorithm ::= AlgorithmIdentifier {
+ *   {PKCS1PSourceAlgorithms}
+ * }
+ * </pre>
+ * where
  * <pre>
  * PKCS1PSourceAlgorithms    ALGORITHM-IDENTIFIER ::= {
- *   { OID id-pSpecified PARAMETERS OCTET STRING },
+ *   { OID id-pSpecified PARAMETERS EncodingParameters },
  *   ...  -- Allows for future expansion --
  * }
+ * EncodingParameters ::= OCTET STRING(SIZE(0..MAX))
  * </pre>
  * @author Valerie Peng
  *
--- old/src/java.base/share/classes/javax/crypto/spec/package-info.java	2018-05-11 15:04:16.007453400 -0700
+++ new/src/java.base/share/classes/javax/crypto/spec/package-info.java	2018-05-11 15:04:15.401511200 -0700
@@ -42,6 +42,7 @@
  *
  *
  * <ul>
+ * <li>PKCS #1: RSA Cryptography Specifications, Version 2.2 (RFC 8017)</li>
  * <li>PKCS #3: Diffie-Hellman Key-Agreement Standard, Version 1.4,
  * November 1993.</li>
  * <li>PKCS #5: Password-Based Encryption Standard, Version 1.5,
--- old/src/java.base/share/classes/module-info.java	2018-05-11 15:04:18.563621300 -0700
+++ new/src/java.base/share/classes/module-info.java	2018-05-11 15:04:17.858939500 -0700
@@ -349,7 +349,6 @@
     // JDK-internal service types
 
     uses jdk.internal.logger.DefaultLoggerFinder;
-    uses sun.security.ssl.ClientKeyExchangeService;
     uses sun.text.spi.JavaTimeDateTimePatternProvider;
     uses sun.util.spi.CalendarProvider;
     uses sun.util.locale.provider.LocaleDataMetaInfo;
--- old/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java	2018-05-11 15:04:20.803263700 -0700
+++ new/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java	2018-05-11 15:04:20.158440700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,20 +28,12 @@
 import java.io.OutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.security.CryptoPrimitive;
-import java.security.InvalidKeyException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.Timestamp;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertPath;
 import java.security.cert.X509Certificate;
+import java.security.*;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -62,6 +54,7 @@
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
 import sun.security.x509.KeyUsageExtension;
+import sun.security.util.SignatureUtil;
 
 /**
  * A SignerInfo, as defined in PKCS#7's signedData type.
@@ -453,30 +446,37 @@
             }
 
             Signature sig = Signature.getInstance(algname);
+
+            // set parameters before Signature.initSign/initVerify call,
+            // so key can be checked when it's set
+            AlgorithmParameters ap =
+                digestEncryptionAlgorithmId.getParameters();
+            try {
+                SignatureUtil.specialSetParameter(sig, ap);
+            } catch (ProviderException | InvalidAlgorithmParameterException e) {
+                throw new SignatureException(e.getMessage(), e);
+            }
+
             sig.initVerify(key);
             sig.update(dataSigned);
             if (sig.verify(encryptedDigest)) {
                 return this;
             }
-
         } catch (IOException e) {
             throw new SignatureException("IO error verifying signature:\n" +
                                          e.getMessage());
-
         } catch (InvalidKeyException e) {
             throw new SignatureException("InvalidKey: " + e.getMessage());
-
         }
         return null;
     }
 
     /* Verify the content of the pkcs7 block. */
     SignerInfo verify(PKCS7 block)
-    throws NoSuchAlgorithmException, SignatureException {
+        throws NoSuchAlgorithmException, SignatureException {
         return verify(block, null);
     }
 
-
     public BigInteger getVersion() {
             return version;
     }
--- old/src/java.base/share/classes/sun/security/pkcs10/PKCS10.java	2018-05-11 15:04:23.009290500 -0700
+++ new/src/java.base/share/classes/sun/security/pkcs10/PKCS10.java	2018-05-11 15:04:22.361623600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,11 +31,8 @@
 import java.math.BigInteger;
 
 import java.security.cert.CertificateException;
-import java.security.NoSuchAlgorithmException;
-import java.security.InvalidKeyException;
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.PublicKey;
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
 
 import java.util.Base64;
 
@@ -43,6 +40,8 @@
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X509Key;
 import sun.security.x509.X500Name;
+import sun.security.util.SignatureUtil;
+
 
 /**
  * A PKCS #10 certificate request is created and sent to a Certificate
@@ -169,12 +168,23 @@
         try {
             sigAlg = id.getName();
             sig = Signature.getInstance(sigAlg);
+
+            // set parameters before Signature.initSign/initVerify call,
+            // so key can be checked when it's set
+            SignatureUtil.specialSetParameter(sig, id.getParameters());
+
             sig.initVerify(subjectPublicKeyInfo);
             sig.update(data);
-            if (!sig.verify(sigData))
+            if (!sig.verify(sigData)) {
                 throw new SignatureException("Invalid PKCS #10 signature");
+            }
         } catch (InvalidKeyException e) {
-            throw new SignatureException("invalid key");
+            throw new SignatureException("Invalid key");
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new SignatureException("Invalid signature parameters", e);
+        } catch (ProviderException e) {
+            throw new SignatureException("Error parsing signature parameters",
+                e.getCause());
         }
     }
 
--- old/src/java.base/share/classes/sun/security/provider/DSA.java	2018-05-11 15:04:25.271995800 -0700
+++ new/src/java.base/share/classes/sun/security/provider/DSA.java	2018-05-11 15:04:24.620624700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
 import java.security.*;
 import java.security.SecureRandom;
 import java.security.interfaces.*;
+import java.security.spec.*;
 
 import sun.security.util.Debug;
 import sun.security.util.DerValue;
@@ -370,11 +371,24 @@
         throw new InvalidParameterException("No parameter accepted");
     }
 
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameter accepted");
+        }
+    }
+
     @Deprecated
     protected Object engineGetParameter(String key) {
         return null;
     }
 
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
+
 
     private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g,
                          BigInteger k) {
--- old/src/java.base/share/classes/sun/security/rsa/RSAKeyFactory.java	2018-05-11 15:04:27.207470800 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAKeyFactory.java	2018-05-11 15:04:26.665503900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,10 +32,15 @@
 import java.security.spec.*;
 
 import sun.security.action.GetPropertyAction;
+import sun.security.x509.AlgorithmId;
+import static sun.security.rsa.RSAUtil.KeyType;
 
 /**
- * KeyFactory for RSA keys. Keys must be instances of PublicKey or PrivateKey
- * and getAlgorithm() must return "RSA". For such keys, it supports conversion
+ * KeyFactory for RSA keys, e.g. "RSA", "RSASSA-PSS".
+ * Keys must be instances of PublicKey or PrivateKey
+ * and getAlgorithm() must return a value which matches the type which are
+ * specified during construction time of the KeyFactory object.
+ * For such keys, it supports conversion
  * between the following:
  *
  * For public keys:
@@ -58,21 +63,21 @@
  * @since   1.5
  * @author  Andreas Sterbenz
  */
-public final class RSAKeyFactory extends KeyFactorySpi {
+public class RSAKeyFactory extends KeyFactorySpi {
 
-    private static final Class<?> rsaPublicKeySpecClass =
-                                                RSAPublicKeySpec.class;
-    private static final Class<?> rsaPrivateKeySpecClass =
-                                                RSAPrivateKeySpec.class;
-    private static final Class<?> rsaPrivateCrtKeySpecClass =
-                                                RSAPrivateCrtKeySpec.class;
-
-    private static final Class<?> x509KeySpecClass  = X509EncodedKeySpec.class;
-    private static final Class<?> pkcs8KeySpecClass = PKCS8EncodedKeySpec.class;
+    private static final Class<?> RSA_PUB_KEYSPEC_CLS = RSAPublicKeySpec.class;
+    private static final Class<?> RSA_PRIV_KEYSPEC_CLS =
+            RSAPrivateKeySpec.class;
+    private static final Class<?> RSA_PRIVCRT_KEYSPEC_CLS =
+            RSAPrivateCrtKeySpec.class;
+    private static final Class<?> X509_KEYSPEC_CLS = X509EncodedKeySpec.class;
+    private static final Class<?> PKCS8_KEYSPEC_CLS = PKCS8EncodedKeySpec.class;
 
     public static final int MIN_MODLEN = 512;
     public static final int MAX_MODLEN = 16384;
 
+    private final KeyType type;
+
     /*
      * If the modulus length is above this value, restrict the size of
      * the exponent to something that can be reasonably computed.  We
@@ -87,11 +92,18 @@
         "true".equalsIgnoreCase(GetPropertyAction.privilegedGetProperty(
                 "sun.security.rsa.restrictRSAExponent", "true"));
 
-    // instance used for static translateKey();
-    private static final RSAKeyFactory INSTANCE = new RSAKeyFactory();
+    static RSAKeyFactory getInstance(KeyType type) {
+        return new RSAKeyFactory(type);
+    }
 
-    public RSAKeyFactory() {
-        // empty
+    // Internal utility method for checking key algorithm
+    private static void checkKeyAlgo(Key key, String expectedAlg)
+            throws InvalidKeyException {
+        String keyAlg = key.getAlgorithm();
+        if (!(keyAlg.equalsIgnoreCase(expectedAlg))) {
+            throw new InvalidKeyException("Expected a " + expectedAlg
+                    + " key, but got " + keyAlg);
+        }
     }
 
     /**
@@ -107,7 +119,14 @@
             (key instanceof RSAPublicKeyImpl)) {
             return (RSAKey)key;
         } else {
-            return (RSAKey)INSTANCE.engineTranslateKey(key);
+            try {
+                String keyAlgo = key.getAlgorithm();
+                KeyType type = KeyType.lookup(keyAlgo);
+                RSAKeyFactory kf = RSAKeyFactory.getInstance(type);
+                return (RSAKey) kf.engineTranslateKey(key);
+            } catch (ProviderException e) {
+                throw new InvalidKeyException(e);
+            }
         }
     }
 
@@ -171,6 +190,15 @@
         }
     }
 
+    // disallowed as KeyType is required
+    private RSAKeyFactory() {
+        this.type = KeyType.RSA;
+    }
+
+    public RSAKeyFactory(KeyType type) {
+        this.type = type;
+    }
+
     /**
      * Translate an RSA key into a SunRsaSign RSA key. If conversion is
      * not possible, throw an InvalidKeyException.
@@ -180,9 +208,14 @@
         if (key == null) {
             throw new InvalidKeyException("Key must not be null");
         }
-        String keyAlg = key.getAlgorithm();
-        if (keyAlg.equals("RSA") == false) {
-            throw new InvalidKeyException("Not an RSA key: " + keyAlg);
+        // ensure the key algorithm matches the current KeyFactory instance
+        checkKeyAlgo(key, type.keyAlgo());
+
+        // no translation needed if the key is already our own impl 
+        if ((key instanceof RSAPrivateKeyImpl) ||
+            (key instanceof RSAPrivateCrtKeyImpl) ||
+            (key instanceof RSAPublicKeyImpl)) {
+            return key;
         }
         if (key instanceof PublicKey) {
             return translatePublicKey((PublicKey)key);
@@ -221,22 +254,22 @@
     private PublicKey translatePublicKey(PublicKey key)
             throws InvalidKeyException {
         if (key instanceof RSAPublicKey) {
-            if (key instanceof RSAPublicKeyImpl) {
-                return key;
-            }
             RSAPublicKey rsaKey = (RSAPublicKey)key;
             try {
                 return new RSAPublicKeyImpl(
+                    RSAUtil.createAlgorithmId(type, rsaKey.getParams()),
                     rsaKey.getModulus(),
-                    rsaKey.getPublicExponent()
-                );
-            } catch (RuntimeException e) {
+                    rsaKey.getPublicExponent());
+            } catch (ProviderException e) {
                 // catch providers that incorrectly implement RSAPublicKey
                 throw new InvalidKeyException("Invalid key", e);
             }
         } else if ("X.509".equals(key.getFormat())) {
             byte[] encoded = key.getEncoded();
-            return new RSAPublicKeyImpl(encoded);
+            RSAPublicKey translated = new RSAPublicKeyImpl(encoded);
+            // ensure the key algorithm matches the current KeyFactory instance
+            checkKeyAlgo(translated, type.keyAlgo());
+            return translated;
         } else {
             throw new InvalidKeyException("Public keys must be instance "
                 + "of RSAPublicKey or have X.509 encoding");
@@ -247,12 +280,10 @@
     private PrivateKey translatePrivateKey(PrivateKey key)
             throws InvalidKeyException {
         if (key instanceof RSAPrivateCrtKey) {
-            if (key instanceof RSAPrivateCrtKeyImpl) {
-                return key;
-            }
             RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
             try {
                 return new RSAPrivateCrtKeyImpl(
+                    RSAUtil.createAlgorithmId(type, rsaKey.getParams()),
                     rsaKey.getModulus(),
                     rsaKey.getPublicExponent(),
                     rsaKey.getPrivateExponent(),
@@ -262,27 +293,28 @@
                     rsaKey.getPrimeExponentQ(),
                     rsaKey.getCrtCoefficient()
                 );
-            } catch (RuntimeException e) {
+            } catch (ProviderException e) {
                 // catch providers that incorrectly implement RSAPrivateCrtKey
                 throw new InvalidKeyException("Invalid key", e);
             }
         } else if (key instanceof RSAPrivateKey) {
-            if (key instanceof RSAPrivateKeyImpl) {
-                return key;
-            }
             RSAPrivateKey rsaKey = (RSAPrivateKey)key;
             try {
                 return new RSAPrivateKeyImpl(
+                    RSAUtil.createAlgorithmId(type, rsaKey.getParams()),
                     rsaKey.getModulus(),
                     rsaKey.getPrivateExponent()
                 );
-            } catch (RuntimeException e) {
+            } catch (ProviderException e) {
                 // catch providers that incorrectly implement RSAPrivateKey
                 throw new InvalidKeyException("Invalid key", e);
             }
         } else if ("PKCS#8".equals(key.getFormat())) {
             byte[] encoded = key.getEncoded();
-            return RSAPrivateCrtKeyImpl.newKey(encoded);
+            RSAPrivateKey translated = RSAPrivateCrtKeyImpl.newKey(encoded);
+            // ensure the key algorithm matches the current KeyFactory instance
+            checkKeyAlgo(translated, type.keyAlgo());
+            return translated;
         } else {
             throw new InvalidKeyException("Private keys must be instance "
                 + "of RSAPrivate(Crt)Key or have PKCS#8 encoding");
@@ -294,13 +326,21 @@
             throws GeneralSecurityException {
         if (keySpec instanceof X509EncodedKeySpec) {
             X509EncodedKeySpec x509Spec = (X509EncodedKeySpec)keySpec;
-            return new RSAPublicKeyImpl(x509Spec.getEncoded());
+            RSAPublicKey generated = new RSAPublicKeyImpl(x509Spec.getEncoded());
+            // ensure the key algorithm matches the current KeyFactory instance
+            checkKeyAlgo(generated, type.keyAlgo());
+            return generated;
         } else if (keySpec instanceof RSAPublicKeySpec) {
             RSAPublicKeySpec rsaSpec = (RSAPublicKeySpec)keySpec;
-            return new RSAPublicKeyImpl(
-                rsaSpec.getModulus(),
-                rsaSpec.getPublicExponent()
-            );
+            try {
+                return new RSAPublicKeyImpl(
+                    RSAUtil.createAlgorithmId(type, rsaSpec.getParams()),
+                    rsaSpec.getModulus(),
+                    rsaSpec.getPublicExponent()
+                );
+            } catch (ProviderException e) {
+                throw new InvalidKeySpecException(e);
+            }
         } else {
             throw new InvalidKeySpecException("Only RSAPublicKeySpec "
                 + "and X509EncodedKeySpec supported for RSA public keys");
@@ -312,25 +352,38 @@
             throws GeneralSecurityException {
         if (keySpec instanceof PKCS8EncodedKeySpec) {
             PKCS8EncodedKeySpec pkcsSpec = (PKCS8EncodedKeySpec)keySpec;
-            return RSAPrivateCrtKeyImpl.newKey(pkcsSpec.getEncoded());
+            RSAPrivateKey generated = RSAPrivateCrtKeyImpl.newKey(pkcsSpec.getEncoded());
+            // ensure the key algorithm matches the current KeyFactory instance
+            checkKeyAlgo(generated, type.keyAlgo());
+            return generated;
         } else if (keySpec instanceof RSAPrivateCrtKeySpec) {
             RSAPrivateCrtKeySpec rsaSpec = (RSAPrivateCrtKeySpec)keySpec;
-            return new RSAPrivateCrtKeyImpl(
-                rsaSpec.getModulus(),
-                rsaSpec.getPublicExponent(),
-                rsaSpec.getPrivateExponent(),
-                rsaSpec.getPrimeP(),
-                rsaSpec.getPrimeQ(),
-                rsaSpec.getPrimeExponentP(),
-                rsaSpec.getPrimeExponentQ(),
-                rsaSpec.getCrtCoefficient()
-            );
+            try {
+                return new RSAPrivateCrtKeyImpl(
+                    RSAUtil.createAlgorithmId(type, rsaSpec.getParams()),
+                    rsaSpec.getModulus(),
+                    rsaSpec.getPublicExponent(),
+                    rsaSpec.getPrivateExponent(),
+                    rsaSpec.getPrimeP(),
+                    rsaSpec.getPrimeQ(),
+                    rsaSpec.getPrimeExponentP(),
+                    rsaSpec.getPrimeExponentQ(),
+                    rsaSpec.getCrtCoefficient()
+                );
+            } catch (ProviderException e) {
+                throw new InvalidKeySpecException(e);
+            }
         } else if (keySpec instanceof RSAPrivateKeySpec) {
             RSAPrivateKeySpec rsaSpec = (RSAPrivateKeySpec)keySpec;
-            return new RSAPrivateKeyImpl(
-                rsaSpec.getModulus(),
-                rsaSpec.getPrivateExponent()
-            );
+            try {
+                return new RSAPrivateKeyImpl(
+                    RSAUtil.createAlgorithmId(type, rsaSpec.getParams()),
+                    rsaSpec.getModulus(),
+                    rsaSpec.getPrivateExponent()
+                );
+            } catch (ProviderException e) {
+                throw new InvalidKeySpecException(e);
+            }
         } else {
             throw new InvalidKeySpecException("Only RSAPrivate(Crt)KeySpec "
                 + "and PKCS8EncodedKeySpec supported for RSA private keys");
@@ -349,12 +402,13 @@
         }
         if (key instanceof RSAPublicKey) {
             RSAPublicKey rsaKey = (RSAPublicKey)key;
-            if (rsaPublicKeySpecClass.isAssignableFrom(keySpec)) {
+            if (RSA_PUB_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
                 return keySpec.cast(new RSAPublicKeySpec(
                     rsaKey.getModulus(),
-                    rsaKey.getPublicExponent()
+                    rsaKey.getPublicExponent(),
+                    rsaKey.getParams()
                 ));
-            } else if (x509KeySpecClass.isAssignableFrom(keySpec)) {
+            } else if (X509_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
                 return keySpec.cast(new X509EncodedKeySpec(key.getEncoded()));
             } else {
                 throw new InvalidKeySpecException
@@ -362,9 +416,9 @@
                         + "X509EncodedKeySpec for RSA public keys");
             }
         } else if (key instanceof RSAPrivateKey) {
-            if (pkcs8KeySpecClass.isAssignableFrom(keySpec)) {
+            if (PKCS8_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
                 return keySpec.cast(new PKCS8EncodedKeySpec(key.getEncoded()));
-            } else if (rsaPrivateCrtKeySpecClass.isAssignableFrom(keySpec)) {
+            } else if (RSA_PRIVCRT_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
                 if (key instanceof RSAPrivateCrtKey) {
                     RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)key;
                     return keySpec.cast(new RSAPrivateCrtKeySpec(
@@ -375,17 +429,19 @@
                         crtKey.getPrimeQ(),
                         crtKey.getPrimeExponentP(),
                         crtKey.getPrimeExponentQ(),
-                        crtKey.getCrtCoefficient()
+                        crtKey.getCrtCoefficient(),
+                        crtKey.getParams()
                     ));
                 } else {
                     throw new InvalidKeySpecException
                     ("RSAPrivateCrtKeySpec can only be used with CRT keys");
                 }
-            } else if (rsaPrivateKeySpecClass.isAssignableFrom(keySpec)) {
+            } else if (RSA_PRIV_KEYSPEC_CLS.isAssignableFrom(keySpec)) {
                 RSAPrivateKey rsaKey = (RSAPrivateKey)key;
                 return keySpec.cast(new RSAPrivateKeySpec(
                     rsaKey.getModulus(),
-                    rsaKey.getPrivateExponent()
+                    rsaKey.getPrivateExponent(),
+                    rsaKey.getParams()
                 ));
             } else {
                 throw new InvalidKeySpecException
@@ -397,4 +453,16 @@
             throw new InvalidKeySpecException("Neither public nor private key");
         }
     }
+
+    public static final class Legacy extends RSAKeyFactory {
+        public Legacy() {
+            super(KeyType.RSA);
+        }
+    }
+
+    public static final class PSS extends RSAKeyFactory {
+        public PSS() {
+            super(KeyType.PSS);
+        }
+    }
 }
--- old/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java	2018-05-11 15:04:29.252737200 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAKeyPairGenerator.java	2018-05-11 15:04:28.700831400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,9 @@
 
 import sun.security.jca.JCAUtil;
 import static sun.security.util.SecurityProviderConstants.DEF_RSA_KEY_SIZE;
+import static sun.security.util.SecurityProviderConstants.DEF_RSASSA_PSS_KEY_SIZE;
+import sun.security.x509.AlgorithmId;
+import static sun.security.rsa.RSAUtil.KeyType;
 
 /**
  * RSA keypair generation. Standard algorithm, minimum key length 512 bit.
@@ -43,7 +46,7 @@
  * @since   1.5
  * @author  Andreas Sterbenz
  */
-public final class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
+public abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
 
     // public exponent to use
     private BigInteger publicExponent;
@@ -51,35 +54,31 @@
     // size of the key to generate, >= RSAKeyFactory.MIN_MODLEN
     private int keySize;
 
+    private final KeyType type;
+    private AlgorithmId rsaId;
+
     // PRNG to use
     private SecureRandom random;
 
-    public RSAKeyPairGenerator() {
+    RSAKeyPairGenerator(KeyType type, int defKeySize) {
+        this.type = type;
         // initialize to default in case the app does not call initialize()
-        initialize(DEF_RSA_KEY_SIZE, null);
+        initialize(defKeySize, null);
     }
 
     // initialize the generator. See JCA doc
     public void initialize(int keySize, SecureRandom random) {
-
-        // do not allow unreasonably small or large key sizes,
-        // probably user error
         try {
-            RSAKeyFactory.checkKeyLengths(keySize, RSAKeyGenParameterSpec.F4,
-                512, 64 * 1024);
-        } catch (InvalidKeyException e) {
-            throw new InvalidParameterException(e.getMessage());
+            initialize(new RSAKeyGenParameterSpec(keySize,
+                    RSAKeyGenParameterSpec.F4), null); 
+        } catch (InvalidAlgorithmParameterException iape) {
+            throw new InvalidParameterException(iape.getMessage());
         }
-
-        this.keySize = keySize;
-        this.random = random;
-        this.publicExponent = RSAKeyGenParameterSpec.F4;
     }
 
     // second initialize method. See JCA doc.
     public void initialize(AlgorithmParameterSpec params, SecureRandom random)
             throws InvalidAlgorithmParameterException {
-
         if (params instanceof RSAKeyGenParameterSpec == false) {
             throw new InvalidAlgorithmParameterException
                 ("Params must be instance of RSAKeyGenParameterSpec");
@@ -88,6 +87,7 @@
         RSAKeyGenParameterSpec rsaSpec = (RSAKeyGenParameterSpec)params;
         int tmpKeySize = rsaSpec.getKeysize();
         BigInteger tmpPublicExponent = rsaSpec.getPublicExponent();
+        AlgorithmParameterSpec tmpParams = rsaSpec.getKeyParams();
 
         if (tmpPublicExponent == null) {
             tmpPublicExponent = RSAKeyGenParameterSpec.F4;
@@ -111,6 +111,13 @@
                 "Invalid key sizes", e);
         }
 
+        try {
+            this.rsaId = RSAUtil.createAlgorithmId(type, tmpParams);
+        } catch (ProviderException e) {
+            throw new InvalidAlgorithmParameterException(
+                "Invalid key parameters", e);
+        }
+
         this.keySize = tmpKeySize;
         this.publicExponent = tmpPublicExponent;
         this.random = random;
@@ -166,9 +173,9 @@
             BigInteger coeff = q.modInverse(p);
 
             try {
-                PublicKey publicKey = new RSAPublicKeyImpl(n, e);
-                PrivateKey privateKey =
-                        new RSAPrivateCrtKeyImpl(n, e, d, p, q, pe, qe, coeff);
+                PublicKey publicKey = new RSAPublicKeyImpl(rsaId, n, e);
+                PrivateKey privateKey = new RSAPrivateCrtKeyImpl(
+                    rsaId, n, e, d, p, q, pe, qe, coeff);
                 return new KeyPair(publicKey, privateKey);
             } catch (InvalidKeyException exc) {
                 // invalid key exception only thrown for keys < 512 bit,
@@ -178,4 +185,15 @@
         }
     }
 
+    public static final class Legacy extends RSAKeyPairGenerator {
+        public Legacy() {
+            super(KeyType.RSA, DEF_RSA_KEY_SIZE);
+        }
+    }
+
+    public static final class PSS extends RSAKeyPairGenerator {
+        public PSS() {
+            super(KeyType.PSS, DEF_RSASSA_PSS_KEY_SIZE);
+        }
+    }
 }
--- old/src/java.base/share/classes/sun/security/rsa/RSAPadding.java	2018-05-11 15:04:31.669539100 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAPadding.java	2018-05-11 15:04:31.077218200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,16 +39,13 @@
 /**
  * RSA padding and unpadding.
  *
- * The various PKCS#1 versions can be found in the EMC/RSA Labs
- * web site, which is currently:
+ * The various PKCS#1 versions can be found in the IETF RFCs
+ * tracking the corresponding PKCS#1 standards.
  *
- *     http://www.emc.com/emc-plus/rsa-labs/index.htm
- *
- * or in the IETF RFCs derived from the above PKCS#1 standards.
- *
- *     RFC 2313: v1.5
- *     RFC 2437: v2.0
- *     RFC 3447: v2.1
+ *     RFC 2313: PKCS#1 v1.5
+ *     RFC 2437: PKCS#1 v2.0
+ *     RFC 3447: PKCS#1 v2.1
+ *     RFC 8017: PKCS#1 v2.2
  *
  * The format of PKCS#1 v1.5 padding is:
  *
@@ -105,11 +102,11 @@
     // maximum size of the data
     private final int maxDataSize;
 
-    // OAEP: main messagedigest
+    // OAEP: main message digest
     private MessageDigest md;
 
-    // OAEP: message digest for MGF1
-    private MessageDigest mgfMd;
+    // OAEP: MGF1
+    private MGF1 mgf;
 
     // OAEP: value of digest of data (user-supplied or zero-length) using md
     private byte[] lHash;
@@ -164,7 +161,7 @@
             break;
         case PAD_OAEP_MGF1:
             String mdName = "SHA-1";
-            String mgfMdName = "SHA-1";
+            String mgfMdName = mdName;
             byte[] digestInput = null;
             try {
                 if (spec != null) {
@@ -185,10 +182,9 @@
                     digestInput = ((PSource.PSpecified) pSrc).getValue();
                 }
                 md = MessageDigest.getInstance(mdName);
-                mgfMd = MessageDigest.getInstance(mgfMdName);
+                mgf = new MGF1(mgfMdName);
             } catch (NoSuchAlgorithmException e) {
-                throw new InvalidKeyException
-                        ("Digest " + mdName + " not available", e);
+                throw new InvalidKeyException("Digest not available", e);
             }
             lHash = getInitialHash(md, digestInput);
             int digestLen = lHash.length;
@@ -196,7 +192,7 @@
             if (maxDataSize <= 0) {
                 throw new InvalidKeyException
                         ("Key is too short for encryption using OAEPPadding" +
-                         " with " + mdName + " and MGF1" + mgfMdName);
+                         " with " + mdName + " and " + mgf.getName());
             }
             break;
         default:
@@ -431,10 +427,10 @@
         System.arraycopy(M, 0, EM, mStart, M.length);
 
         // produce maskedDB
-        mgf1(EM, seedStart, seedLen, EM, dbStart, dbLen);
+        mgf.generateAndXor(EM, seedStart, seedLen, dbLen, EM, dbStart);
 
         // produce maskSeed
-        mgf1(EM, dbStart, dbLen, EM, seedStart, seedLen);
+        mgf.generateAndXor(EM, dbStart, dbLen, seedLen, EM, seedStart);
 
         return EM;
     }
@@ -457,8 +453,8 @@
         int dbStart = hLen + 1;
         int dbLen = EM.length - dbStart;
 
-        mgf1(EM, dbStart, dbLen, EM, seedStart, seedLen);
-        mgf1(EM, seedStart, seedLen, EM, dbStart, dbLen);
+        mgf.generateAndXor(EM, dbStart, dbLen, seedLen, EM, seedStart);
+        mgf.generateAndXor(EM, seedStart, seedLen, dbLen, EM, dbStart);
 
         // verify lHash == lHash'
         for (int i = 0; i < hLen; i++) {
@@ -506,37 +502,4 @@
             return m;
         }
     }
-
-    /**
-     * Compute MGF1 using mgfMD as the message digest.
-     * Note that we combine MGF1 with the XOR operation to reduce data
-     * copying.
-     *
-     * We generate maskLen bytes of MGF1 from the seed and XOR it into
-     * out[] starting at outOfs;
-     */
-    private void mgf1(byte[] seed, int seedOfs, int seedLen,
-            byte[] out, int outOfs, int maskLen)  throws BadPaddingException {
-        byte[] C = new byte[4]; // 32 bit counter
-        byte[] digest = new byte[mgfMd.getDigestLength()];
-        while (maskLen > 0) {
-            mgfMd.update(seed, seedOfs, seedLen);
-            mgfMd.update(C);
-            try {
-                mgfMd.digest(digest, 0, digest.length);
-            } catch (DigestException e) {
-                // should never happen
-                throw new BadPaddingException(e.toString());
-            }
-            for (int i = 0; (i < digest.length) && (maskLen > 0); maskLen--) {
-                out[outOfs++] ^= digest[i++];
-            }
-            if (maskLen > 0) {
-                // increment counter
-                for (int i = C.length - 1; (++C[i] == 0) && (i > 0); i--) {
-                    // empty
-                }
-            }
-        }
-    }
 }
--- old/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java	2018-05-11 15:04:33.603343500 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java	2018-05-11 15:04:33.065284700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,16 +29,20 @@
 import java.math.BigInteger;
 
 import java.security.*;
+import java.security.spec.*;
 import java.security.interfaces.*;
 
 import sun.security.util.*;
+
 import sun.security.x509.AlgorithmId;
 import sun.security.pkcs.PKCS8Key;
 
+import static sun.security.rsa.RSAUtil.KeyType;
+
 /**
- * Key implementation for RSA private keys, CRT form. For non-CRT private
- * keys, see RSAPrivateKeyImpl. We need separate classes to ensure
- * correct behavior in instanceof checks, etc.
+ * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in CRT form.
+ * For non-CRT private keys, see RSAPrivateKeyImpl. We need separate classes
+ * to ensure correct behavior in instanceof checks, etc.
  *
  * Note: RSA keys must be at least 512 bits long
  *
@@ -62,9 +66,10 @@
     private BigInteger qe;      // prime exponent q
     private BigInteger coeff;   // CRT coeffcient
 
-    // algorithmId used to identify RSA keys
-    static final AlgorithmId rsaId =
-        new AlgorithmId(AlgorithmId.RSAEncryption_oid);
+    // Optional parameters associated with this RSA key
+    // specified in the encoding of its AlgorithmId.
+    // Must be null for "RSA" keys.
+    private AlgorithmParameterSpec keyParams;
 
     /**
      * Generate a new key from its encoding. Returns a CRT key if possible
@@ -73,9 +78,16 @@
     public static RSAPrivateKey newKey(byte[] encoded)
             throws InvalidKeyException {
         RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded);
-        if (key.getPublicExponent().signum() == 0) {
-            // public exponent is missing, return a non-CRT key
+        // check all CRT-specific components are available, if any one
+        // missing, return a non-CRT key instead
+        if ((key.getPublicExponent().signum() == 0) ||
+            (key.getPrimeExponentP().signum() == 0) ||
+            (key.getPrimeExponentQ().signum() == 0) ||
+            (key.getPrimeP().signum() == 0) ||
+            (key.getPrimeQ().signum() == 0) ||
+            (key.getCrtCoefficient().signum() == 0)) {
             return new RSAPrivateKeyImpl(
+                key.algid,
                 key.getModulus(),
                 key.getPrivateExponent()
             );
@@ -85,20 +97,52 @@
     }
 
     /**
+     * Generate a new key from the specified type and components.
+     * Returns a CRT key if possible and a non-CRT key otherwise. 
+     * Used by SunPKCS11 provider.
+     */
+    public static RSAPrivateKey newKey(KeyType type,
+            AlgorithmParameterSpec params,
+            BigInteger n, BigInteger e, BigInteger d,
+            BigInteger p, BigInteger q, BigInteger pe, BigInteger qe,
+            BigInteger coeff) throws InvalidKeyException {
+        RSAPrivateKey key;
+        AlgorithmId rsaId = RSAUtil.createAlgorithmId(type, params);
+        if ((e.signum() == 0) || (p.signum() == 0) ||
+            (q.signum() == 0) || (pe.signum() == 0) ||
+            (qe.signum() == 0) || (coeff.signum() == 0)) {
+            // if any component is missing, return a non-CRT key
+            return new RSAPrivateKeyImpl(rsaId, n, d);
+        } else {
+            return new RSAPrivateCrtKeyImpl(rsaId, n, e, d,
+                p, q, pe, qe, coeff);
+        }
+    }
+
+    /**
      * Construct a key from its encoding. Called from newKey above.
      */
     RSAPrivateCrtKeyImpl(byte[] encoded) throws InvalidKeyException {
         decode(encoded);
         RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
+        try {
+            // this will check the validity of params
+            this.keyParams = RSAUtil.getParamSpec(algid);
+        } catch (ProviderException e) {
+            throw new InvalidKeyException(e);
+        }
     }
 
     /**
-     * Construct a key from its components. Used by the
+     * Construct a RSA key from its components. Used by the
      * RSAKeyFactory and the RSAKeyPairGenerator.
      */
-    RSAPrivateCrtKeyImpl(BigInteger n, BigInteger e, BigInteger d,
+    RSAPrivateCrtKeyImpl(AlgorithmId rsaId,
+            BigInteger n, BigInteger e, BigInteger d,
             BigInteger p, BigInteger q, BigInteger pe, BigInteger qe,
             BigInteger coeff) throws InvalidKeyException {
+        RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
+
         this.n = n;
         this.e = e;
         this.d = d;
@@ -107,7 +151,7 @@
         this.pe = pe;
         this.qe = qe;
         this.coeff = coeff;
-        RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
+        this.keyParams = RSAUtil.getParamSpec(rsaId);
 
         // generate the encoding
         algid = rsaId;
@@ -132,50 +176,73 @@
     }
 
     // see JCA doc
+    @Override
     public String getAlgorithm() {
-        return "RSA";
+        return algid.getName();
     }
 
     // see JCA doc
+    @Override
     public BigInteger getModulus() {
         return n;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPublicExponent() {
         return e;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPrivateExponent() {
         return d;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPrimeP() {
         return p;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPrimeQ() {
         return q;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPrimeExponentP() {
         return pe;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPrimeExponentQ() {
         return qe;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getCrtCoefficient() {
         return coeff;
     }
 
+    // see JCA doc
+    @Override
+    public AlgorithmParameterSpec getParams() {
+        return keyParams;
+    }
+
+    // return a string representation of this key for debugging
+    @Override
+    public String toString() {
+        return "SunRsaSign " + getAlgorithm() + " private CRT key, " + n.bitLength()
+               + " bits" + "\n  params: " + keyParams + "\n  modulus: " + n
+               + "\n  private exponent: " + d;
+    }
+
     /**
      * Parse the key. Called by PKCS8Key.
      */
--- old/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java	2018-05-11 15:04:35.614021200 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java	2018-05-11 15:04:35.103418800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,15 +29,18 @@
 import java.math.BigInteger;
 
 import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
 import java.security.interfaces.*;
 
 import sun.security.util.*;
+import sun.security.x509.AlgorithmId;
 import sun.security.pkcs.PKCS8Key;
 
 /**
- * Key implementation for RSA private keys, non-CRT form (modulus, private
- * exponent only). For CRT private keys, see RSAPrivateCrtKeyImpl. We need
- * separate classes to ensure correct behavior in instanceof checks, etc.
+ * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in non-CRT
+ * form (modulus, private exponent only). For CRT private keys, see
+ * RSAPrivateCrtKeyImpl. We need separate classes to ensure correct behavior
+ * in instanceof checks, etc.
  *
  * Note: RSA keys must be at least 512 bits long
  *
@@ -54,16 +57,25 @@
     private final BigInteger n;         // modulus
     private final BigInteger d;         // private exponent
 
+    // optional parameters associated with this RSA key
+    // specified in the encoding of its AlgorithmId.
+    // must be null for "RSA" keys.
+    private final AlgorithmParameterSpec keyParams;
+
     /**
      * Construct a key from its components. Used by the
      * RSAKeyFactory and the RSAKeyPairGenerator.
      */
-    RSAPrivateKeyImpl(BigInteger n, BigInteger d) throws InvalidKeyException {
+    RSAPrivateKeyImpl(AlgorithmId rsaId, BigInteger n, BigInteger d)
+            throws InvalidKeyException {
+        RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), null);
+
         this.n = n;
         this.d = d;
-        RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), null);
+        this.keyParams = RSAUtil.getParamSpec(rsaId);
+
         // generate the encoding
-        algid = RSAPrivateCrtKeyImpl.rsaId;
+        algid = rsaId;
         try {
             DerOutputStream out = new DerOutputStream();
             out.putInteger(0); // version must be 0
@@ -85,17 +97,34 @@
     }
 
     // see JCA doc
+    @Override
     public String getAlgorithm() {
-        return "RSA";
+        return algid.getName();
     }
 
     // see JCA doc
+    @Override
     public BigInteger getModulus() {
         return n;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPrivateExponent() {
         return d;
     }
+
+    // see JCA doc
+    @Override
+    public AlgorithmParameterSpec getParams() {
+        return keyParams;
+    }
+
+    // return a string representation of this key for debugging
+    @Override
+    public String toString() {
+        return "Sun " + getAlgorithm() + " private key, " + n.bitLength()
+               + " bits" + "\n  params: " + keyParams + "\n  modulus: " + n
+               + "\n  private exponent: " + d;
+    }
 }
--- old/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java	2018-05-11 15:04:37.668228000 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAPublicKeyImpl.java	2018-05-11 15:04:37.109358900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,17 +29,22 @@
 import java.math.BigInteger;
 
 import java.security.*;
+import java.security.spec.*;
 import java.security.interfaces.*;
 
 import sun.security.util.*;
 import sun.security.x509.X509Key;
+import sun.security.x509.AlgorithmId;
+
+import static sun.security.rsa.RSAUtil.KeyType;
 
 /**
- * Key implementation for RSA public keys.
+ * RSA public key implementation for "RSA", "RSASSA-PSS" algorithms.
  *
  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateCrtKeyImpl
+ * @see RSAPrivateKeyImpl
  * @see RSAKeyFactory
  *
  * @since   1.5
@@ -53,18 +58,46 @@
     private BigInteger n;       // modulus
     private BigInteger e;       // public exponent
 
+    // optional parameters associated with this RSA key
+    // specified in the encoding of its AlgorithmId
+    // must be null for "RSA" keys.
+    private AlgorithmParameterSpec keyParams;
+
+    /**
+     * Generate a new RSAPublicKey from the specified encoding.
+     * Used by SunPKCS11 provider.
+     */
+    public static RSAPublicKey newKey(byte[] encoded)
+            throws InvalidKeyException {
+        return new RSAPublicKeyImpl(encoded);
+    }
+
+    /**
+     * Generate a new RSAPublicKey from the specified type and components.
+     * Used by SunPKCS11 provider.
+     */
+    public static RSAPublicKey newKey(KeyType type,
+            AlgorithmParameterSpec params, BigInteger n, BigInteger e)
+            throws InvalidKeyException {
+        AlgorithmId rsaId = RSAUtil.createAlgorithmId(type, params);
+        return new RSAPublicKeyImpl(rsaId, n, e);
+    }
+
     /**
-     * Construct a key from its components. Used by the
-     * RSAKeyFactory and the RSAKeyPairGenerator.
+     * Construct a RSA key from AlgorithmId and its components. Used by
+     * RSAKeyFactory and RSAKeyPairGenerator.
      */
-    public RSAPublicKeyImpl(BigInteger n, BigInteger e)
+    RSAPublicKeyImpl(AlgorithmId rsaId, BigInteger n, BigInteger e)
             throws InvalidKeyException {
+        RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
+        checkExponentRange(n, e);
+
         this.n = n;
         this.e = e;
-        RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
-        checkExponentRange();
+        this.keyParams = RSAUtil.getParamSpec(rsaId);
+
         // generate the encoding
-        algid = RSAPrivateCrtKeyImpl.rsaId;
+        algid = rsaId;
         try {
             DerOutputStream out = new DerOutputStream();
             out.putInteger(n);
@@ -82,39 +115,57 @@
     /**
      * Construct a key from its encoding. Used by RSAKeyFactory.
      */
-    public RSAPublicKeyImpl(byte[] encoded) throws InvalidKeyException {
-        decode(encoded);
+    RSAPublicKeyImpl(byte[] encoded) throws InvalidKeyException {
+        decode(encoded); // this sets n and e value
         RSAKeyFactory.checkRSAProviderKeyLengths(n.bitLength(), e);
-        checkExponentRange();
+        checkExponentRange(n, e);
+
+        try {
+            // this will check the validity of params
+            this.keyParams = RSAUtil.getParamSpec(algid);
+        } catch (ProviderException e) {
+            throw new InvalidKeyException(e);
+        }
     }
 
-    private void checkExponentRange() throws InvalidKeyException {
+    // pkg private utility method for checking RSA modulus and public exponent
+    static void checkExponentRange(BigInteger mod, BigInteger exp)
+            throws InvalidKeyException {
         // the exponent should be smaller than the modulus
-        if (e.compareTo(n) >= 0) {
+        if (exp.compareTo(mod) >= 0) {
             throw new InvalidKeyException("exponent is larger than modulus");
         }
 
         // the exponent should be at least 3
-        if (e.compareTo(THREE) < 0) {
+        if (exp.compareTo(THREE) < 0) {
             throw new InvalidKeyException("exponent is smaller than 3");
         }
     }
 
     // see JCA doc
+    @Override
     public String getAlgorithm() {
-        return "RSA";
+        return algid.getName();
     }
 
     // see JCA doc
+    @Override
     public BigInteger getModulus() {
         return n;
     }
 
     // see JCA doc
+    @Override
     public BigInteger getPublicExponent() {
         return e;
     }
 
+    // see JCA doc
+    @Override
+    public AlgorithmParameterSpec getParams() {
+        return keyParams;
+    }
+
     /**
      * Parse the key. Called by X509Key.
      */
@@ -137,9 +188,11 @@
     }
 
     // return a string representation of this key for debugging
+    @Override
     public String toString() {
-        return "Sun RSA public key, " + n.bitLength() + " bits\n  modulus: "
-                + n + "\n  public exponent: " + e;
+        return "Sun " + getAlgorithm() + " public key, " + n.bitLength()
+               + " bits" + "\n  params: " + keyParams + "\n  modulus: " + n
+               + "\n  public exponent: " + e;
     }
 
     protected Object writeReplace() throws java.io.ObjectStreamException {
--- old/src/java.base/share/classes/sun/security/rsa/RSASignature.java	2018-05-11 15:04:39.659080900 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSASignature.java	2018-05-11 15:04:39.132934700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,16 +30,18 @@
 
 import java.security.*;
 import java.security.interfaces.*;
+import java.security.spec.AlgorithmParameterSpec;
 
+import sun.security.rsa.RSAUtil.KeyType;
 import sun.security.util.*;
 import sun.security.x509.AlgorithmId;
 
 /**
- * PKCS#1 RSA signatures with the various message digest algorithms.
+ * PKCS#1 v1.5 RSA signatures with the various message digest algorithms.
  * This file contains an abstract base class with all the logic plus
  * a nested static class for each of the message digest algorithms
  * (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256,
- * SHA-384, and SHA-512.
+ * SHA-384, SHA-512, SHA-512/224, and SHA-512/256.
  *
  * @since   1.5
  * @author  Andreas Sterbenz
@@ -85,6 +87,7 @@
     }
 
     // initialize for verification. See JCA doc
+    @Override
     protected void engineInitVerify(PublicKey publicKey)
             throws InvalidKeyException {
         RSAPublicKey rsaKey = (RSAPublicKey)RSAKeyFactory.toRSAKey(publicKey);
@@ -94,12 +97,14 @@
     }
 
     // initialize for signing. See JCA doc
+    @Override
     protected void engineInitSign(PrivateKey privateKey)
             throws InvalidKeyException {
         engineInitSign(privateKey, null);
     }
 
     // initialize for signing. See JCA doc
+    @Override
     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
             throws InvalidKeyException {
         RSAPrivateKey rsaKey =
@@ -114,6 +119,11 @@
      */
     private void initCommon(RSAKey rsaKey, SecureRandom random)
             throws InvalidKeyException {
+        try {
+            RSAUtil.checkParamsAgainstType(KeyType.RSA, rsaKey.getParams());
+        } catch (ProviderException e) {
+            throw new InvalidKeyException("Invalid key for RSA signatures", e);
+        }
         resetDigest();
         int keySize = RSACore.getByteLength(rsaKey);
         try {
@@ -148,12 +158,14 @@
     }
 
     // update the signature with the plaintext data. See JCA doc
+    @Override
     protected void engineUpdate(byte b) throws SignatureException {
         md.update(b);
         digestReset = false;
     }
 
     // update the signature with the plaintext data. See JCA doc
+    @Override
     protected void engineUpdate(byte[] b, int off, int len)
             throws SignatureException {
         md.update(b, off, len);
@@ -161,13 +173,18 @@
     }
 
     // update the signature with the plaintext data. See JCA doc
+    @Override
     protected void engineUpdate(ByteBuffer b) {
         md.update(b);
         digestReset = false;
     }
 
     // sign the data and return the signature. See JCA doc
+    @Override
     protected byte[] engineSign() throws SignatureException {
+        if (privateKey == null) {
+            throw new SignatureException("Missing private key");
+        }
         byte[] digest = getDigestValue();
         try {
             byte[] encoded = encodeSignature(digestOID, digest);
@@ -183,7 +200,11 @@
 
     // verify the data and return the result. See JCA doc
     // should be reset to the state after engineInitVerify call.
+    @Override
     protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
+        if (publicKey == null) {
+            throw new SignatureException("Missing public key");
+        }
         try {
             if (sigBytes.length != RSACore.getByteLength(publicKey)) {
                 throw new SignatureException("Signature length not correct: got " +
@@ -248,18 +269,35 @@
 
     // set parameter, not supported. See JCA doc
     @Deprecated
+    @Override
     protected void engineSetParameter(String param, Object value)
             throws InvalidParameterException {
         throw new UnsupportedOperationException("setParameter() not supported");
     }
 
+    // See JCA doc
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+        throws InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameters accepted");
+        }
+    }
+
     // get parameter, not supported. See JCA doc
     @Deprecated
+    @Override
     protected Object engineGetParameter(String param)
             throws InvalidParameterException {
         throw new UnsupportedOperationException("getParameter() not supported");
     }
 
+    // See JCA doc
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
+
     // Nested class for MD2withRSA signatures
     public static final class MD2withRSA extends RSASignature {
         public MD2withRSA() {
@@ -309,4 +347,17 @@
         }
     }
 
+    // Nested class for SHA512/224withRSA signatures
+    public static final class SHA512_224withRSA extends RSASignature {
+        public SHA512_224withRSA() {
+            super("SHA-512/224", AlgorithmId.SHA512_224_oid, 11);
+        }
+    }
+
+    // Nested class for SHA512/256withRSA signatures
+    public static final class SHA512_256withRSA extends RSASignature {
+        public SHA512_256withRSA() {
+            super("SHA-512/256", AlgorithmId.SHA512_256_oid, 11);
+        }
+    }
 }
--- old/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java	2018-05-11 15:04:41.703611300 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/SunRsaSignEntries.java	2018-05-11 15:04:41.149702200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -41,11 +41,10 @@
     public static void putEntries(Map<Object, Object> map) {
 
         // main algorithms
-
         map.put("KeyFactory.RSA",
-                "sun.security.rsa.RSAKeyFactory");
+                "sun.security.rsa.RSAKeyFactory$Legacy");
         map.put("KeyPairGenerator.RSA",
-                "sun.security.rsa.RSAKeyPairGenerator");
+                "sun.security.rsa.RSAKeyPairGenerator$Legacy");
         map.put("Signature.MD2withRSA",
                 "sun.security.rsa.RSASignature$MD2withRSA");
         map.put("Signature.MD5withRSA",
@@ -60,9 +59,21 @@
                 "sun.security.rsa.RSASignature$SHA384withRSA");
         map.put("Signature.SHA512withRSA",
                 "sun.security.rsa.RSASignature$SHA512withRSA");
+        map.put("Signature.SHA512/224withRSA",
+                "sun.security.rsa.RSASignature$SHA512_224withRSA");
+        map.put("Signature.SHA512/256withRSA",
+                "sun.security.rsa.RSASignature$SHA512_256withRSA");
+
+        map.put("KeyFactory.RSASSA-PSS",
+                "sun.security.rsa.RSAKeyFactory$PSS");
+        map.put("KeyPairGenerator.RSASSA-PSS",
+                "sun.security.rsa.RSAKeyPairGenerator$PSS");
+        map.put("Signature.RSASSA-PSS",
+                "sun.security.rsa.RSAPSSSignature");
+        map.put("AlgorithmParameters.RSASSA-PSS",
+                "sun.security.rsa.PSSParameters");
 
         // attributes for supported key classes
-
         String rsaKeyClasses = "java.security.interfaces.RSAPublicKey" +
                 "|java.security.interfaces.RSAPrivateKey";
         map.put("Signature.MD2withRSA SupportedKeyClasses", rsaKeyClasses);
@@ -72,9 +83,11 @@
         map.put("Signature.SHA256withRSA SupportedKeyClasses", rsaKeyClasses);
         map.put("Signature.SHA384withRSA SupportedKeyClasses", rsaKeyClasses);
         map.put("Signature.SHA512withRSA SupportedKeyClasses", rsaKeyClasses);
+        map.put("Signature.SHA512/224withRSA SupportedKeyClasses", rsaKeyClasses);
+        map.put("Signature.SHA512/256withRSA SupportedKeyClasses", rsaKeyClasses);
+        map.put("Signature.RSASSA-PSS SupportedKeyClasses", rsaKeyClasses);
 
         // aliases
-
         map.put("Alg.Alias.KeyFactory.1.2.840.113549.1.1",     "RSA");
         map.put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1", "RSA");
 
@@ -102,6 +115,21 @@
 
         map.put("Alg.Alias.Signature.1.2.840.113549.1.1.13",     "SHA512withRSA");
         map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.13", "SHA512withRSA");
+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.15",     "SHA512/224withRSA");
+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.15", "SHA512/224withRSA");
+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.16",     "SHA512/256withRSA");
+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.16", "SHA512/256withRSA");
+
+        map.put("Alg.Alias.KeyFactory.1.2.840.113549.1.1.10",     "RSASSA-PSS");
+        map.put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1.10", "RSASSA-PSS");
+
+        map.put("Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1.10",     "RSASSA-PSS");
+        map.put("Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1.10", "RSASSA-PSS");
+
+        map.put("Alg.Alias.Signature.1.2.840.113549.1.1.10",     "RSASSA-PSS");
+        map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.10", "RSASSA-PSS");
 
+        map.put("Alg.Alias.AlgorithmParameters.1.2.840.113549.1.1.10",     "RSASSA-PSS");
+        map.put("Alg.Alias.AlgorithmParameters.OID.1.2.840.113549.1.1.10", "RSASSA-PSS");
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/Authenticator.java	2018-05-11 15:04:43.667614600 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Authenticator.java	2018-05-11 15:04:43.075320000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,94 +25,80 @@
 
 package sun.security.ssl;
 
+import java.nio.ByteBuffer;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import sun.security.ssl.CipherSuite.MacAlg;
 
 /**
  * This class represents an SSL/TLS/DTLS message authentication token,
  * which encapsulates a sequence number and ensures that attempts to
  * delete or reorder messages can be detected.
- *
- * Each connection state contains a sequence number, which is maintained
- * separately for read and write states.
- *
- * For SSL/TLS protocols, the sequence number MUST be set to zero
- * whenever a connection state is made the active state.
- *
- * DTLS uses an explicit sequence number, rather than an implicit one.
- * Sequence numbers are maintained separately for each epoch, with
- * each sequence number initially being 0 for each epoch.  The sequence
- * number used to compute the DTLS MAC is the 64-bit value formed by
- * concatenating the epoch and the sequence number.
- *
- * Sequence numbers do not wrap.  If an implementation would need to wrap
- * a sequence number, it must renegotiate instead.  A sequence number is
- * incremented after each record: specifically, the first record transmitted
- * under a particular connection state MUST use sequence number 0.
  */
-class Authenticator {
-
+abstract class Authenticator {
     // byte array containing the additional authentication information for
     // each record
-    private final byte[] block;
-
-    // the block size of SSL v3.0:
-    // sequence number + record type + + record length
-    private static final int BLOCK_SIZE_SSL = 8 + 1 + 2;
-
-    // the block size of TLS v1.0 and later:
-    // sequence number + record type + protocol version + record length
-    private static final int BLOCK_SIZE_TLS = 8 + 1 + 2 + 2;
-
-    // the block size of DTLS v1.0 and later:
-    // epoch + sequence number + record type + protocol version + record length
-    private static final int BLOCK_SIZE_DTLS = 2 + 6 + 1 + 2 + 2;
-
-    private final boolean isDTLS;
-
-    /**
-     * Default construct, no message authentication token is initialized.
-     *
-     * Note that this construct can only be called for null MAC
-     */
-    protected Authenticator(boolean isDTLS) {
-        if (isDTLS) {
-            // For DTLS protocols, plaintexts use explicit epoch and
-            // sequence number in each record.  The first 8 byte of
-            // the block is initialized for null MAC so that the
-            // epoch and sequence number can be acquired to generate
-            // plaintext records.
-            block = new byte[8];
-        } else {
-            block = new byte[0];
-        }
+    protected final byte[] block;   // at least 8 bytes for sequence number
 
-        this.isDTLS = isDTLS;
+    private Authenticator(byte[] block) {
+        this.block = block;
     }
 
     /**
      * Constructs the message authentication token for the specified
      * SSL/TLS protocol.
      */
-    Authenticator(ProtocolVersion protocolVersion) {
-        if (protocolVersion.isDTLSProtocol()) {
-            block = new byte[BLOCK_SIZE_DTLS];
-            block[9] = protocolVersion.major;
-            block[10] = protocolVersion.minor;
-
-            this.isDTLS = true;
-        } else if (protocolVersion.v >= ProtocolVersion.TLS10.v) {
-            block = new byte[BLOCK_SIZE_TLS];
-            block[9] = protocolVersion.major;
-            block[10] = protocolVersion.minor;
-
-            this.isDTLS = false;
+    static Authenticator valueOf(ProtocolVersion protocolVersion) {
+        if (protocolVersion.isDTLS) {
+            if (protocolVersion.useTLS13PlusSpec()) {
+                return new DTLS13Authenticator(protocolVersion);
+            } else {
+                return new DTLS10Authenticator(protocolVersion);
+            }
         } else {
-            block = new byte[BLOCK_SIZE_SSL];
+            if (protocolVersion.useTLS13PlusSpec()) {
+                return new TLS13Authenticator(protocolVersion);
+            } else if (protocolVersion.useTLS10PlusSpec()) {
+                return new TLS10Authenticator(protocolVersion);
+            } else {
+                return new SSL30Authenticator();
+            }
+        }
+    }
 
-            this.isDTLS = false;
+    @SuppressWarnings({"unchecked"})
+    static <T extends Authenticator & MAC> T
+         valueOf(ProtocolVersion protocolVersion, MacAlg macAlg,
+                 SecretKey key) throws NoSuchAlgorithmException,
+                        InvalidKeyException {
+        if (protocolVersion.isDTLS) {
+            if (protocolVersion.useTLS13PlusSpec()) {
+                throw new RuntimeException("No MacAlg used in DTLS 1.3");
+            } else {
+                return (T)(new DTLS10Mac(protocolVersion, macAlg, key));
+            }
+        } else {
+            if (protocolVersion.useTLS13PlusSpec()) {
+                throw new RuntimeException("No MacAlg used in TLS 1.3");
+            } else if (protocolVersion.useTLS10PlusSpec()) {
+                return (T)(new TLS10Mac(protocolVersion, macAlg, key));
+            } else {
+                return (T)(new SSL30Mac(protocolVersion, macAlg, key));
+            }
         }
     }
 
+    static Authenticator nullTlsMac() {
+        return new SSLNullMac();
+    }
+
+    static Authenticator nullDtlsMac() {
+        return new DTLSNullMac();
+    }
+
     /**
      * Checks whether the sequence number is close to wrap.
      *
@@ -122,25 +108,7 @@
      *
      * @return true if the sequence number is close to wrap
      */
-    final boolean seqNumOverflow() {
-        /*
-         * Conservatively, we don't allow more records to be generated
-         * when there are only 2^8 sequence numbers left.
-         */
-        if (isDTLS) {
-            return (block.length != 0 &&
-                // no epoch bytes, block[0] and block[1]
-                block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
-                block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
-                block[6] == (byte)0xFF);
-        } else {
-            return (block.length != 0 &&
-                block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
-                block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
-                block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
-                block[6] == (byte)0xFF);
-        }
-    }
+    abstract boolean seqNumOverflow();
 
     /**
      * Checks whether the sequence number close to renew.
@@ -152,21 +120,7 @@
      *
      * @return true if the sequence number is huge enough to renew
      */
-    final boolean seqNumIsHuge() {
-        /*
-         * Conservatively, we should ask for renegotiation when there are
-         * only 2^32 sequence numbers left.
-         */
-        if (isDTLS) {
-            return (block.length != 0 &&
-                // no epoch bytes, block[0] and block[1]
-                block[2] == (byte)0xFF && block[3] == (byte)0xFF);
-        } else {
-            return (block.length != 0 &&
-                block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
-                block[2] == (byte)0xFF && block[3] == (byte)0xFF);
-        }
-    }
+    abstract boolean seqNumIsHuge();
 
     /**
      * Gets the current sequence number, including the epoch number for
@@ -181,14 +135,9 @@
     /**
      * Sets the epoch number (only apply to DTLS protocols).
      */
-    final void setEpochNumber(int epoch) {
-        if (!isDTLS) {
-            throw new RuntimeException(
+    void setEpochNumber(int epoch) {
+        throw new UnsupportedOperationException(
                 "Epoch numbers apply to DTLS protocols only");
-        }
-
-        block[0] = (byte)((epoch >> 8) & 0xFF);
-        block[1] = (byte)(epoch & 0xFF);
     }
 
     /**
@@ -208,7 +157,7 @@
     /**
      * Acquires the current message authentication information with the
      * specified record type and fragment length, and then increases the
-     * sequence number.
+     * sequence number if using implicit sequence number.
      *
      * @param  type the record type
      * @param  length the fragment of the record
@@ -216,32 +165,465 @@
      *
      * @return the byte array of the current message authentication information
      */
-    final byte[] acquireAuthenticationBytes(
+    byte[] acquireAuthenticationBytes(
             byte type, int length, byte[] sequence) {
+        throw new UnsupportedOperationException("Used by AEAD algorithms only");
+    }
+
+    private static class SSLAuthenticator extends Authenticator {
+        private SSLAuthenticator(byte[] block) {
+            super(block);
+        }
 
-        byte[] copy = block.clone();
-        if (sequence != null) {
-            if (sequence.length != 8) {
-                throw new RuntimeException(
-                        "Insufficient explicit sequence number bytes");
+        @Override
+        boolean seqNumOverflow() {
+            /*
+             * Conservatively, we don't allow more records to be generated
+             * when there are only 2^8 sequence numbers left.
+             */
+            return (block.length != 0 &&
+                block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
+                block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
+                block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
+                block[6] == (byte)0xFF);
+        }
+
+        @Override
+        boolean seqNumIsHuge() {
+            return (block.length != 0 &&
+                block[0] == (byte)0xFF && block[1] == (byte)0xFF &&
+                block[2] == (byte)0xFF && block[3] == (byte)0xFF);
+        }
+    }
+
+    // For null MAC only.
+    private static class SSLNullAuthenticator extends SSLAuthenticator {
+        private SSLNullAuthenticator() {
+            super(new byte[8]);
+        }
+    }
+
+    // For SSL 3.0
+    private static class SSL30Authenticator extends SSLAuthenticator {
+        // Block size of SSL v3.0:
+        //     sequence number + record type + + record length
+        private static final int BLOCK_SIZE = 11;   // 8 + 1 + 2
+
+        private SSL30Authenticator() {
+            super(new byte[BLOCK_SIZE]);
+        }
+
+        @Override
+        byte[] acquireAuthenticationBytes(
+                byte type, int length, byte[] sequence) {
+            byte[] ad = block.clone();
+
+            // Increase the implicit sequence number in the block array.
+            increaseSequenceNumber();
+
+            ad[8] = type;
+            ad[9] = (byte)(length >> 8);
+            ad[10] = (byte)(length);
+
+            return ad;
+        }
+    }
+
+    // For TLS 1.0 - 1.2
+    private static class TLS10Authenticator extends SSLAuthenticator {
+        // Block size of TLS v1.0/1.1/1.2.
+        //     sequence number + record type + protocol version + record length
+        private static final int BLOCK_SIZE = 13;   // 8 + 1 + 2 + 2
+
+        private TLS10Authenticator(ProtocolVersion protocolVersion) {
+            super(new byte[BLOCK_SIZE]);
+            block[9] = protocolVersion.major;
+            block[10] = protocolVersion.minor;
+        }
+
+        @Override
+        byte[] acquireAuthenticationBytes(
+                byte type, int length, byte[] sequence) {
+            byte[] ad = block.clone();
+            if (sequence != null) {
+                if (sequence.length != 8) {
+                    throw new RuntimeException(
+                            "Insufficient explicit sequence number bytes");
+                }
+
+                System.arraycopy(sequence, 0, ad, 0, sequence.length);
+            } else {    // Otherwise, use the implicit sequence number.
+                // Increase the implicit sequence number in the block array.
+                increaseSequenceNumber();
             }
 
-            System.arraycopy(sequence, 0, copy, 0, sequence.length);
-        }   // Otherwise, use the implicit sequence number.
+            ad[8] = type;
+            ad[11] = (byte)(length >> 8);
+            ad[12] = (byte)(length);
+
+            return ad;
+        }
+    }
 
-        if (block.length != 0) {
-            copy[8] = type;
+    // For TLS 1.3
+    private static final class TLS13Authenticator extends SSLAuthenticator {
+        // Block size of TLS v1.3:
+        //     sequence number + record type + protocol version + record length
+        private static final int BLOCK_SIZE = 13;   // 8 + 1 + 2 + 2
+
+        private TLS13Authenticator(ProtocolVersion protocolVersion) {
+            super(new byte[BLOCK_SIZE]);
+            block[9] = ProtocolVersion.TLS12.major;
+            block[10] = ProtocolVersion.TLS12.minor;
+        }
 
-            copy[copy.length - 2] = (byte)(length >> 8);
-            copy[copy.length - 1] = (byte)(length);
+        @Override
+        byte[] acquireAuthenticationBytes(
+                byte type, int length, byte[] sequence) {
+            byte[] ad = Arrays.copyOfRange(block, 8, 13);
+
+            // Increase the implicit sequence number in the block array.
+            increaseSequenceNumber();
+
+            ad[0] = type;
+            ad[3] = (byte)(length >> 8);
+            ad[4] = (byte)(length & 0xFF);
 
-            if (sequence == null || sequence.length != 0) {
+            return ad;
+        }
+    }
+
+    private static class DTLSAuthenticator extends Authenticator {
+        private DTLSAuthenticator(byte[] block) {
+            super(block);
+        }
+
+        @Override
+        boolean seqNumOverflow() {
+            /*
+             * Conservatively, we don't allow more records to be generated
+             * when there are only 2^8 sequence numbers left.
+             */
+            return (block.length != 0 &&
+                // no epoch bytes, block[0] and block[1]
+                block[2] == (byte)0xFF && block[3] == (byte)0xFF &&
+                block[4] == (byte)0xFF && block[5] == (byte)0xFF &&
+                block[6] == (byte)0xFF);
+        }
+
+        @Override
+        boolean seqNumIsHuge() {
+            return (block.length != 0 &&
+                // no epoch bytes, block[0] and block[1]
+                block[2] == (byte)0xFF && block[3] == (byte)0xFF);
+        }
+
+        @Override
+        void setEpochNumber(int epoch) {
+            block[0] = (byte)((epoch >> 8) & 0xFF);
+            block[1] = (byte)(epoch & 0xFF);
+        }
+    }
+
+    // For null MAC only.
+    private static class DTLSNullAuthenticator extends DTLSAuthenticator {
+        private DTLSNullAuthenticator() {
+            // For DTLS protocols, plaintexts use explicit epoch and
+            // sequence number in each record.  The first 8 byte of
+            // the block is initialized for null MAC so that the
+            // epoch and sequence number can be acquired to generate
+            // plaintext records.
+            super(new byte[8]);
+        }
+    }
+
+    // DTLS 1.0/1.2
+    private static class DTLS10Authenticator extends DTLSAuthenticator {
+        // Block size of DTLS v1.0 and later:
+        //     epoch + sequence number +
+        //     record type + protocol version + record length
+        private static final int BLOCK_SIZE = 13;  // 2 + 6 + 1 + 2 + 2;
+
+        private DTLS10Authenticator(ProtocolVersion protocolVersion) {
+            super(new byte[BLOCK_SIZE]);
+            block[9] = protocolVersion.major;
+            block[10] = protocolVersion.minor;
+        }
+
+        @Override
+        byte[] acquireAuthenticationBytes(
+                byte type, int length, byte[] sequence) {
+            byte[] ad = block.clone();
+            if (sequence != null) {
+                if (sequence.length != 8) {
+                    throw new RuntimeException(
+                            "Insufficient explicit sequence number bytes");
+                }
+
+                System.arraycopy(sequence, 0, ad, 0, sequence.length);
+            } else {    // Otherwise, use the implicit sequence number.
                 // Increase the implicit sequence number in the block array.
                 increaseSequenceNumber();
             }
+
+            ad[8] = type;
+            ad[11] = (byte)(length >> 8);
+            ad[12] = (byte)(length);
+
+            return ad;
+        }
+    }
+
+    // DTLS 1.3
+    private static final class DTLS13Authenticator extends DTLSAuthenticator {
+        // Block size of DTLS v1.0 and later:
+        //     epoch + sequence number +
+        //     record type + protocol version + record length
+        private static final int BLOCK_SIZE = 13;  // 2 + 6 + 1 + 2 + 2;
+
+        private DTLS13Authenticator(ProtocolVersion protocolVersion) {
+            super(new byte[BLOCK_SIZE]);
+            block[9] = ProtocolVersion.TLS12.major;
+            block[10] = ProtocolVersion.TLS12.minor;
+        }
+
+        @Override
+        byte[] acquireAuthenticationBytes(
+                byte type, int length, byte[] sequence) {
+            byte[] ad = Arrays.copyOfRange(block, 8, 13);
+
+            // Increase the implicit sequence number in the block array.
+            increaseSequenceNumber();
+
+            ad[0] = type;
+            ad[3] = (byte)(length >> 8);
+            ad[4] = (byte)(length & 0xFF);
+
+            return ad;
+        }
+    }
+
+    static interface MAC {
+        MacAlg macAlg();
+
+        /**
+         * Compute and returns the MAC for the remaining data
+         * in this ByteBuffer.
+         *
+         * On return, the bb position == limit, and limit will
+         * have not changed.
+         *
+         * @param type record type
+         * @param bb a ByteBuffer in which the position and limit
+         *          demarcate the data to be MAC'd.
+         * @param isSimulated if true, simulate the MAC computation
+         * @param sequence the explicit sequence number, or null if using
+         *        the implicit sequence number for the computation
+         *
+         * @return the MAC result
+         */
+        byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated);
+
+
+        /**
+         * Compute and returns the MAC for the remaining data
+         * in this ByteBuffer.
+         *
+         * On return, the bb position == limit, and limit will
+         * have not changed.
+         *
+         * @param type record type
+         * @param bb a ByteBuffer in which the position and limit
+         *        demarcate the data to be MAC'd.
+         * @param isSimulated if true, simulate the MAC computation
+         *
+         * @return the MAC result
+         */
+        default byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) {
+            return compute(type, bb, null, isSimulated);
+        }
+    }
+
+    private class MacImpl implements MAC {
+        // internal identifier for the MAC algorithm
+        private final MacAlg macAlg;
+
+        // JCE Mac object
+        private final Mac mac;
+
+        private MacImpl() {
+            macAlg = MacAlg.M_NULL;
+            mac = null;
+        }
+
+        private MacImpl(ProtocolVersion protocolVersion, MacAlg macAlg,
+                SecretKey key) throws NoSuchAlgorithmException,
+                        InvalidKeyException {
+            if (macAlg == null) {
+                throw new RuntimeException("Null MacAlg");
+            }
+
+            // using SSL MAC computation?
+            boolean useSSLMac = (protocolVersion.id < ProtocolVersion.TLS10.id);
+            String algorithm;
+            switch (macAlg) {
+                case M_MD5:
+                    algorithm = useSSLMac ? "SslMacMD5" : "HmacMD5";
+                    break;
+                case M_SHA:
+                    algorithm = useSSLMac ? "SslMacSHA1" : "HmacSHA1";
+                    break;
+                case M_SHA256:
+                    algorithm = "HmacSHA256";    // TLS 1.2+
+                    break;
+                case M_SHA384:
+                    algorithm = "HmacSHA384";    // TLS 1.2+
+                    break;
+                default:
+                    throw new RuntimeException("Unknown MacAlg " + macAlg);
+            }
+
+            Mac m = JsseJce.getMac(algorithm);
+            m.init(key);
+            this.macAlg = macAlg;
+            this.mac = m;
+        }
+
+        @Override
+        public MacAlg macAlg() {
+            return macAlg;
+        }
+
+        @Override
+        public byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated) {
+
+            if (macAlg.size == 0) {
+                return new byte[0];
+            }
+
+            if (!isSimulated) {
+                // Uses the explicit sequence number for the computation.
+                byte[] additional =
+                    acquireAuthenticationBytes(type, bb.remaining(), sequence);
+                mac.update(additional);
+            }
+            mac.update(bb);
+
+            return mac.doFinal();
+        }
+    }
+
+    // NULL SSL MAC
+    private static final
+            class SSLNullMac extends SSLNullAuthenticator implements MAC {
+        private final MacImpl macImpl;
+        public SSLNullMac() {
+            super();
+            this.macImpl = new MacImpl();
         }
 
-        return copy;
+        @Override
+        public MacAlg macAlg() {
+            return macImpl.macAlg;
+        }
+
+        @Override
+        public byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated) {
+            return macImpl.compute(type, bb, sequence, isSimulated);
+        }
+    }
+
+    // For SSL 3.0
+    private static final
+            class SSL30Mac extends SSL30Authenticator implements MAC {
+        private final MacImpl macImpl;
+        public SSL30Mac(ProtocolVersion protocolVersion,
+                MacAlg macAlg, SecretKey key) throws NoSuchAlgorithmException,
+                        InvalidKeyException {
+            super();
+            this.macImpl = new MacImpl(protocolVersion, macAlg, key);
+        }
+
+        @Override
+        public MacAlg macAlg() {
+            return macImpl.macAlg;
+        }
+
+        @Override
+        public byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated) {
+            return macImpl.compute(type, bb, sequence, isSimulated);
+        }
+    }
+
+    // For TLS 1.0 - 1.2
+    private static final
+            class TLS10Mac extends TLS10Authenticator implements MAC {
+        private final MacImpl macImpl;
+        public TLS10Mac(ProtocolVersion protocolVersion,
+                MacAlg macAlg, SecretKey key) throws NoSuchAlgorithmException,
+                        InvalidKeyException {
+            super(protocolVersion);
+            this.macImpl = new MacImpl(protocolVersion, macAlg, key);
+        }
+
+        @Override
+        public MacAlg macAlg() {
+            return macImpl.macAlg;
+        }
+
+        @Override
+        public byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated) {
+            return macImpl.compute(type, bb, sequence, isSimulated);
+        }
+    }
+
+    // NULL DTLS MAC
+    private static final
+            class DTLSNullMac extends DTLSNullAuthenticator implements MAC {
+        private final MacImpl macImpl;
+        public DTLSNullMac() {
+            super();
+            this.macImpl = new MacImpl();
+        }
+
+        @Override
+        public MacAlg macAlg() {
+            return macImpl.macAlg;
+        }
+
+        @Override
+        public byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated) {
+            return macImpl.compute(type, bb, sequence, isSimulated);
+        }
+    }
+
+    // DTLS 1.0/1.2
+    private static final class DTLS10Mac
+            extends DTLS10Authenticator implements MAC {
+        private final MacImpl macImpl;
+        public DTLS10Mac(ProtocolVersion protocolVersion,
+                MacAlg macAlg, SecretKey key) throws NoSuchAlgorithmException,
+                        InvalidKeyException {
+            super(protocolVersion);
+            this.macImpl = new MacImpl(protocolVersion, macAlg, key);
+        }
+
+        @Override
+        public MacAlg macAlg() {
+            return macImpl.macAlg;
+        }
+
+        @Override
+        public byte[] compute(byte type, ByteBuffer bb,
+                byte[] sequence, boolean isSimulated) {
+            return macImpl.compute(type, bb, sequence, isSimulated);
+        }
     }
 
     static final long toLong(byte[] recordEnS) {
--- old/src/java.base/share/classes/sun/security/ssl/BaseSSLSocketImpl.java	2018-05-11 15:04:45.871198800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/BaseSSLSocketImpl.java	2018-05-11 15:04:45.218524700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,24 +26,23 @@
 package sun.security.ssl;
 
 import java.io.*;
-import java.nio.channels.SocketChannel;
 import java.net.*;
+import java.nio.channels.SocketChannel;
 import java.util.Set;
-
 import javax.net.ssl.*;
 
 /**
- * Abstract base class for SSLSocketImpl. Its purpose is to house code with
- * no SSL related logic (or no logic at all). This makes SSLSocketImpl shorter
- * and easier to read. It contains a few constants and static methods plus
- * overridden java.net.Socket methods.
+ * Abstract base class for SSLSocketImpl.
+ *
+ * Its purpose is to house code with no SSL related logic (or no logic at all).
+ * This makes SSLSocketImpl shorter and easier to read. It contains a few
+ * constants and static methods plus overridden java.net.Socket methods.
  *
  * Methods are defined final to ensure that they are not accidentally
  * overridden in SSLSocketImpl.
  *
  * @see javax.net.ssl.SSLSocket
  * @see SSLSocketImpl
- *
  */
 abstract class BaseSSLSocketImpl extends SSLSocket {
 
@@ -92,7 +91,7 @@
                                 "com.sun.net.ssl.requireCloseNotify";
 
     static final boolean requireCloseNotify =
-                                Debug.getBooleanProperty(PROP_NAME, false);
+                                Utilities.getBooleanProperty(PROP_NAME, false);
 
     //
     // MISC SOCKET METHODS
--- old/src/java.base/share/classes/sun/security/ssl/CipherSuite.java	2018-05-11 15:04:48.056150800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CipherSuite.java	2018-05-11 15:04:47.513056500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,171 +23,949 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
-import java.util.*;
-
-import java.security.NoSuchAlgorithmException;
-import java.security.InvalidKeyException;
-import java.security.SecureRandom;
-import java.security.KeyManagementException;
-
-import javax.crypto.Cipher;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.SecretKeySpec;
-
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import static sun.security.ssl.CipherSuite.HashAlg.*;
 import static sun.security.ssl.CipherSuite.KeyExchange.*;
-import static sun.security.ssl.CipherSuite.PRF.*;
-import static sun.security.ssl.CipherSuite.CipherType.*;
 import static sun.security.ssl.CipherSuite.MacAlg.*;
-import static sun.security.ssl.CipherSuite.BulkCipher.*;
-import static sun.security.ssl.JsseJce.*;
-import static sun.security.ssl.NamedGroupType.*;
-
-/**
- * An SSL/TLS CipherSuite. Constants for the standard key exchange, cipher,
- * and mac algorithms are also defined in this class.
- *
- * The CipherSuite class and the inner classes defined in this file roughly
- * follow the type safe enum pattern described in Effective Java. This means:
- *
- *  . instances are immutable, classes are final
- *
- *  . there is a unique instance of every value, i.e. there are never two
- *    instances representing the same CipherSuite, etc. This means equality
- *    tests can be performed using == instead of equals() (although that works
- *    as well). [A minor exception are *unsupported* CipherSuites read from a
- *    handshake message, but this is usually irrelevant]
- *
- *  . instances are obtained using the static valueOf() factory methods.
- *
- *  . properties are defined as final variables and made available as
- *    package private variables without method accessors
- *
- *  . if the member variable allowed is false, the given algorithm is either
- *    unavailable or disabled at compile time
- *
- */
-final class CipherSuite implements Comparable<CipherSuite> {
-
-    // minimum priority for supported CipherSuites
-    static final int SUPPORTED_SUITES_PRIORITY = 1;
+import static sun.security.ssl.SSLCipher.*;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import static sun.security.ssl.SupportedGroupsExtension.NamedGroupType.*;
 
-    // minimum priority for default enabled CipherSuites
-    static final int DEFAULT_SUITES_PRIORITY = 300;
+enum CipherSuite {
+    //
+    // in preference order
+    //
 
-    private static final boolean ALLOW_ECC = Debug.getBooleanProperty
-        ("com.sun.net.ssl.enableECC", true);
+    // Definition of the CipherSuites that are enabled by default.
+    //
+    // They are listed in preference order, most preferred first, using
+    // the following criteria:
+    // 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be
+    //    changed later, see below).
+    // 2. Prefer the stronger bulk cipher, in the order of AES_256(GCM),
+    //    AES_128(GCM), AES_256, AES_128, 3DES-EDE.
+    // 3. Prefer the stronger MAC algorithm, in the order of SHA384,
+    //    SHA256, SHA, MD5.
+    // 4. Prefer the better performance of key exchange and digital
+    //    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
+    //    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.
+
+    TLS_AES_128_GCM_SHA256(
+            0x1301, true, "TLS_AES_128_GCM_SHA256",
+            ProtocolVersion.PROTOCOLS_OF_13, B_AES_128_GCM_IV, H_SHA256),
+    TLS_AES_256_GCM_SHA384(
+            0x1302, true, "TLS_AES_256_GCM_SHA384",
+            ProtocolVersion.PROTOCOLS_OF_13, B_AES_256_GCM_IV, H_SHA384),
 
-    // Map Integer(id) -> CipherSuite
-    // contains all known CipherSuites
-    private static final Map<Integer,CipherSuite> idMap;
+    // Suite B compliant cipher suites, see RFC 6460.
+    //
+    // Note that, at present this provider is not Suite B compliant. The
+    // preference order of the GCM cipher suites does not follow the spec
+    // of RFC 6460.  In this section, only two cipher suites are listed
+    // so that applications can make use of Suite-B compliant cipher
+    // suite firstly.
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(
+            0xC02C, true, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDHE_ECDSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(
+            0xC02B, true, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDHE_ECDSA, B_AES_128_GCM, M_NULL, H_SHA256),
+
+    // AES_256(GCM)
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(
+            0xC030, true, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDHE_RSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_RSA_WITH_AES_256_GCM_SHA384(
+            0x009D, true, "TLS_RSA_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_RSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(
+            0xC02E, true, "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDH_ECDSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(
+            0xC032, true, "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDH_RSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(
+            0x009F, true, "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DHE_RSA, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(
+            0x00A3, true, "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DHE_DSS, B_AES_256_GCM, M_NULL, H_SHA384),
+
+    // AES_128(GCM)
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(
+            0xC02F, true, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDHE_RSA, B_AES_128_GCM, M_NULL, H_SHA256),
+    TLS_RSA_WITH_AES_128_GCM_SHA256(
+            0x009C, true, "TLS_RSA_WITH_AES_128_GCM_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_RSA, B_AES_128_GCM, M_NULL, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(
+            0xC02D, true, "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_ECDH_ECDSA, B_AES_128_GCM, M_NULL, H_SHA256),
+    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(
+            0xC031, true, "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "",
+                ProtocolVersion.PROTOCOLS_OF_12,
+                K_ECDH_RSA, B_AES_128_GCM, M_NULL, H_SHA256),
+    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(
+            0x009E, true, "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "",
+                ProtocolVersion.PROTOCOLS_OF_12,
+                K_DHE_RSA, B_AES_128_GCM, M_NULL, H_SHA256),
+    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(
+            0x00A2, true, "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_DHE_DSS, B_AES_128_GCM, M_NULL, H_SHA256),
+
+    // AES_256(CBC)
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(
+            0xC024, true, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDHE_ECDSA, B_AES_256, M_SHA384, H_SHA384),
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(
+            0xC028, true, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDHE_RSA, B_AES_256, M_SHA384, H_SHA384),
+    TLS_RSA_WITH_AES_256_CBC_SHA256(
+            0x003D, true, "TLS_RSA_WITH_AES_256_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_RSA, B_AES_256, M_SHA384, H_SHA384),
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(
+            0xC026, true, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDH_ECDSA, B_AES_256, M_SHA384, H_SHA384),
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(
+            0xC02A, true, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDH_RSA, B_AES_256, M_SHA384, H_SHA384),
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(
+            0x006B, true, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_DHE_RSA, B_AES_256, M_SHA384, H_SHA256),
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(
+            0x006A, true, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_DHE_DSS, B_AES_256, M_SHA384, H_SHA256),
+
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(
+            0xC00A, true, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDHE_ECDSA, B_AES_256, M_SHA, H_SHA256),
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(
+            0xC014, true, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDHE_RSA, B_AES_256, M_SHA, H_SHA256),
+    TLS_RSA_WITH_AES_256_CBC_SHA(
+            0x0035, true, "TLS_RSA_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_RSA, B_AES_256, M_SHA, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(
+            0xC005, true, "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDH_ECDSA, B_AES_256, M_SHA, H_SHA256),
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(
+            0xC00F, true, "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDH_RSA, B_AES_256, M_SHA, H_SHA256),
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(
+            0x0039, true, "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_DHE_RSA, B_AES_256, M_SHA, H_SHA256),
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(
+            0x0038, true, "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_DHE_DSS, B_AES_256, M_SHA, H_SHA256),
+
+    // AES_128(CBC)
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(
+            0xC023, true, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDHE_ECDSA, B_AES_128, M_SHA256, H_SHA256),
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(
+            0xC027, true, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDHE_RSA, B_AES_128, M_SHA256, H_SHA256),
+    TLS_RSA_WITH_AES_128_CBC_SHA256(
+            0x003C, true, "TLS_RSA_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_RSA, B_AES_128, M_SHA256, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(
+            0xC025, true, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDH_ECDSA, B_AES_128, M_SHA256, H_SHA256),
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(
+            0xC029, true, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_ECDH_RSA, B_AES_128, M_SHA256, H_SHA256),
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(
+            0x0067, true, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_DHE_RSA, B_AES_128, M_SHA256, H_SHA256),
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(
+            0x0040, true, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "",
+                    ProtocolVersion.PROTOCOLS_OF_12,
+                    K_DHE_DSS, B_AES_128, M_SHA256, H_SHA256),
+
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(
+            0xC009, true, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDHE_ECDSA, B_AES_128, M_SHA, H_SHA256),
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(
+            0xC013, true, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDHE_RSA, B_AES_128, M_SHA, H_SHA256),
+    TLS_RSA_WITH_AES_128_CBC_SHA(
+            0x002F, true, "TLS_RSA_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_RSA, B_AES_128, M_SHA, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(
+            0xC004, true, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDH_ECDSA, B_AES_128, M_SHA, H_SHA256),
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(
+            0xC00E, true, "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDH_RSA, B_AES_128, M_SHA, H_SHA256),
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(
+            0x0033, true, "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_DHE_RSA, B_AES_128, M_SHA, H_SHA256),
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(
+            0x0032, true, "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_DHE_DSS, B_AES_128, M_SHA, H_SHA256),
+
+    // 3DES_EDE
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(
+            0xC008, true, "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDHE_ECDSA, B_3DES, M_SHA, H_SHA256),
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(
+            0xC012, true, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDHE_RSA, B_3DES, M_SHA, H_SHA256),
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA(
+            0x000A, true, "SSL_RSA_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_RSA, B_3DES, M_SHA, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(
+            0xC003, true, "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDH_ECDSA, B_3DES, M_SHA, H_SHA256),
+    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(
+            0xC00D, true, "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_ECDH_RSA, B_3DES, M_SHA, H_SHA256),
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(
+            0x0016, true, "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_DHE_RSA, B_3DES, M_SHA, H_SHA256),
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(
+            0x0013, true, "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_DHE_DSS, B_3DES, M_SHA, H_SHA256),
+
+    // Renegotiation protection request Signalling Cipher Suite Value (SCSV).
+    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(        //  RFC 5746, TLS 1.2 and prior
+            0x00FF, true, "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", "",
+                    ProtocolVersion.PROTOCOLS_TO_12,
+                    K_SCSV, B_NULL, M_NULL, H_NONE),
+
+    // Definition of the CipherSuites that are supported but not enabled
+    // by default.
+    // They are listed in preference order, preferred first, using the
+    // following criteria:
+    // 1. CipherSuites for KRB5 need additional KRB5 service
+    //    configuration, and these suites are not common in practice,
+    //    so we put KRB5 based cipher suites at the end of the supported
+    //    list.
+    // 2. If a cipher suite has been obsoleted, we put it at the end of
+    //    the list.
+    // 3. Prefer the stronger bulk cipher, in the order of AES_256,
+    //    AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL.
+    // 4. Prefer the stronger MAC algorithm, in the order of SHA384,
+    //    SHA256, SHA, MD5.
+    // 5. Prefer the better performance of key exchange and digital
+    //    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
+    //    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous.
+    TLS_DH_anon_WITH_AES_256_GCM_SHA384(
+            0x00A7, false, "TLS_DH_anon_WITH_AES_256_GCM_SHA384", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DH_ANON, B_AES_256_GCM, M_NULL, H_SHA384),
+    TLS_DH_anon_WITH_AES_128_GCM_SHA256(
+            0x00A6, false, "TLS_DH_anon_WITH_AES_128_GCM_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DH_ANON, B_AES_128_GCM, M_NULL, H_SHA256),
+    TLS_DH_anon_WITH_AES_256_CBC_SHA256(
+            0x006D, false, "TLS_DH_anon_WITH_AES_256_CBC_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DH_ANON, B_AES_256, M_SHA256, H_SHA256),
+    TLS_ECDH_anon_WITH_AES_256_CBC_SHA(
+            0xC019, false, "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ANON, B_AES_256, M_SHA, H_SHA256),
+    TLS_DH_anon_WITH_AES_256_CBC_SHA(
+            0x003A, false, "TLS_DH_anon_WITH_AES_256_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_DH_ANON, B_AES_256, M_SHA, H_SHA256),
+    TLS_DH_anon_WITH_AES_128_CBC_SHA256(
+            0x006C, false, "TLS_DH_anon_WITH_AES_128_CBC_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_DH_ANON, B_AES_128, M_SHA256, H_SHA256),
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA(
+            0xC018, false, "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ANON, B_AES_128, M_SHA, H_SHA256),
+    TLS_DH_anon_WITH_AES_128_CBC_SHA(
+            0x0034, false, "TLS_DH_anon_WITH_AES_128_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_DH_ANON, B_AES_128, M_SHA, H_SHA256),
+    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA(
+            0xC017, false, "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ANON, B_3DES, M_SHA, H_SHA256),
+    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA(
+            0x001B, false, "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_DH_ANON, B_3DES, M_SHA, H_SHA256),
+
+    // RC-4
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA(
+            0xC007, false, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDHE_ECDSA, B_RC4_128, M_SHA, H_SHA256),
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA(
+            0xC011, false, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDHE_RSA, B_RC4_128, M_SHA, H_SHA256),
+    SSL_RSA_WITH_RC4_128_SHA(
+            0x0005, false, "SSL_RSA_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_RSA, B_RC4_128, M_SHA, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_RC4_128_SHA(
+            0xC002, false, "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ECDSA, B_RC4_128, M_SHA, H_SHA256),
+    TLS_ECDH_RSA_WITH_RC4_128_SHA(
+            0xC00C, false, "TLS_ECDH_RSA_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_RSA, B_RC4_128, M_SHA, H_SHA256),
+    SSL_RSA_WITH_RC4_128_MD5(
+            0x0004, false, "SSL_RSA_WITH_RC4_128_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_RSA, B_RC4_128, M_MD5, H_SHA256),
+    TLS_ECDH_anon_WITH_RC4_128_SHA(
+            0xC016, false, "TLS_ECDH_anon_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ANON, B_RC4_128, M_SHA, H_SHA256),
+    SSL_DH_anon_WITH_RC4_128_MD5(
+            0x0018, false, "SSL_DH_anon_WITH_RC4_128_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_DH_ANON, B_RC4_128, M_MD5, H_SHA256),
+
+    // weak cipher suites obsoleted in TLS 1.2
+    SSL_RSA_WITH_DES_CBC_SHA(
+            0x0009, false, "SSL_RSA_WITH_DES_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_11,
+            K_RSA, B_DES, M_SHA, H_NONE),
+    SSL_DHE_RSA_WITH_DES_CBC_SHA(
+            0x0015, false, "SSL_DHE_RSA_WITH_DES_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_11,
+            K_DHE_RSA, B_DES, M_SHA, H_NONE),
+    SSL_DHE_DSS_WITH_DES_CBC_SHA(
+            0x0012, false, "SSL_DHE_DSS_WITH_DES_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_11,
+            K_DHE_DSS, B_DES, M_SHA, H_NONE),
+    SSL_DH_anon_WITH_DES_CBC_SHA(
+            0x001A, false, "SSL_DH_anon_WITH_DES_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_11,
+            K_DH_ANON, B_DES, M_SHA, H_NONE),
+
+    // weak cipher suites obsoleted in TLS 1.1
+    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA(
+            0x0008, false, "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_RSA_EXPORT, B_DES_40, M_SHA, H_NONE),
+    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA(
+            0x0014, false, "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_DHE_RSA_EXPORT, B_DES_40, M_SHA, H_NONE),
+    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA(
+            0x0011, false, "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_DHE_DSS_EXPORT, B_DES_40, M_SHA, H_NONE),
+    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA(
+            0x0019, false, "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_DH_ANON_EXPORT, B_DES_40, M_SHA, H_NONE),
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5(
+            0x0003, false, "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_RSA_EXPORT, B_DES_40, M_MD5, H_NONE),
+    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5(
+            0x0017, false, "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_DH_ANON, B_DES_40, M_MD5, H_NONE),
+
+    // no traffic encryption cipher suites
+    TLS_RSA_WITH_NULL_SHA256(
+            0x003B, false, "TLS_RSA_WITH_NULL_SHA256", "",
+            ProtocolVersion.PROTOCOLS_OF_12,
+            K_RSA, B_NULL, M_SHA256, H_SHA256),
+    TLS_ECDHE_ECDSA_WITH_NULL_SHA(
+            0xC006, false, "TLS_ECDHE_ECDSA_WITH_NULL_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDHE_ECDSA, B_NULL, M_SHA, H_SHA256),
+    TLS_ECDHE_RSA_WITH_NULL_SHA(
+            0xC010, false, "TLS_ECDHE_RSA_WITH_NULL_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDHE_RSA, B_NULL, M_SHA, H_SHA256),
+    SSL_RSA_WITH_NULL_SHA(
+            0x0002, false, "SSL_RSA_WITH_NULL_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_RSA, B_NULL, M_SHA, H_SHA256),
+    TLS_ECDH_ECDSA_WITH_NULL_SHA(
+            0xC001, false, "TLS_ECDH_ECDSA_WITH_NULL_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ECDSA, B_NULL, M_SHA, H_SHA256),
+    TLS_ECDH_RSA_WITH_NULL_SHA(
+            0xC00B, false, "TLS_ECDH_RSA_WITH_NULL_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_RSA, B_NULL, M_SHA, H_SHA256),
+    TLS_ECDH_anon_WITH_NULL_SHA(
+            0xC015, false, "TLS_ECDH_anon_WITH_NULL_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_ECDH_ANON, B_NULL, M_SHA, H_SHA256),
+    SSL_RSA_WITH_NULL_MD5(
+            0x0001, false, "SSL_RSA_WITH_NULL_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_RSA, B_NULL, M_MD5, H_SHA256),
+
+    // supported Kerberos ciphersuites from RFC2712
+    TLS_KRB5_WITH_3DES_EDE_CBC_SHA(
+            0x001F, false, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_KRB5, B_3DES, M_SHA, H_SHA256),
+    TLS_KRB5_WITH_3DES_EDE_CBC_MD5(
+            0x0023, false, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_KRB5, B_3DES, M_MD5, H_SHA256),
+    TLS_KRB5_WITH_RC4_128_SHA(
+            0x0020, false, "TLS_KRB5_WITH_RC4_128_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_KRB5, B_RC4_128, M_SHA, H_SHA256),
+    TLS_KRB5_WITH_RC4_128_MD5(
+            0x0024, false, "TLS_KRB5_WITH_RC4_128_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_12,
+            K_KRB5, B_RC4_128, M_MD5, H_SHA256),
+    TLS_KRB5_WITH_DES_CBC_SHA(
+            0x001e, false, "TLS_KRB5_WITH_DES_CBC_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_11,
+            K_KRB5, B_DES, M_SHA, H_NONE),
+    TLS_KRB5_WITH_DES_CBC_MD5(
+            0x0022, false, "TLS_KRB5_WITH_DES_CBC_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_11,
+            K_KRB5, B_DES, M_MD5, H_NONE),
+    TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA(
+            0x0026, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_KRB5_EXPORT, B_DES_40, M_SHA, H_NONE),
+    TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5(
+            0x0029, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_KRB5_EXPORT, B_DES_40, M_MD5, H_NONE),
+    TLS_KRB5_EXPORT_WITH_RC4_40_SHA(
+            0x0028, false, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_KRB5_EXPORT, B_RC4_40, M_SHA, H_NONE),
+    TLS_KRB5_EXPORT_WITH_RC4_40_MD5(
+            0x002B, false, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "",
+            ProtocolVersion.PROTOCOLS_TO_10,
+            K_KRB5_EXPORT, B_RC4_40, M_MD5, H_NONE),
 
-    // Map String(name) -> CipherSuite
-    // contains only supported CipherSuites (i.e. allowed == true)
-    private static final Map<String,CipherSuite> nameMap;
+    // Other values from the TLS Cipher Suite Registry, as of August 2010.
+    //
+    // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
+    //
+    // Range      Registration Procedures   Notes
+    // 000-191    Standards Action          Refers to value of first byte
+    // 192-254    Specification Required    Refers to value of first byte
+    // 255        Reserved for Private Use  Refers to value of first byte
+
+    TLS_CHACHA20_POLY1305_SHA256(                    // TLS 1.3
+            "TLS_CHACHA20_POLY1305_SHA256", 0x1303),
+    TLS_AES_128_CCM_SHA256(                          // TLS 1.3
+            "TLS_AES_128_CCM_SHA256", 0x1304),
+    TLS_AES_128_CCM_8_SHA256(                        // TLS 1.3
+            "TLS_AES_128_CCM_8_SHA256", 0x1305),
+
+    // remaining unsupported ciphersuites defined in RFC2246.
+    CS_0006("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",           0x0006),
+    CS_0007("SSL_RSA_WITH_IDEA_CBC_SHA",                    0x0007),
+    CS_000B("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",         0x000b),
+    CS_000C("SSL_DH_DSS_WITH_DES_CBC_SHA",                  0x000c),
+    CS_000D("SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",             0x000d),
+    CS_000E("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",         0x000e),
+    CS_000F("SSL_DH_RSA_WITH_DES_CBC_SHA",                  0x000f),
+    CS_0010("SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",             0x0010),
+
+    // SSL 3.0 Fortezza ciphersuites
+    CS_001C("SSL_FORTEZZA_DMS_WITH_NULL_SHA",               0x001c),
+    CS_001D("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",       0x001d),
+
+    // 1024/56 bit exportable ciphersuites from expired internet draft
+    CS_0062("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",          0x0062),
+    CS_0063("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",      0x0063),
+    CS_0064("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",           0x0064),
+    CS_0065("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",       0x0065),
+    CS_0066("SSL_DHE_DSS_WITH_RC4_128_SHA",                 0x0066),
+
+    // Netscape old and new SSL 3.0 FIPS ciphersuites
+    // see http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
+    CS_FFE0("NETSCAPE_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",      0xffe0),
+    CS_FFE1("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA",           0xffe1),
+    CS_FEFE("SSL_RSA_FIPS_WITH_DES_CBC_SHA",                0xfefe),
+    CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",           0xfeff),
+
+    // Unsupported Kerberos cipher suites from RFC 2712
+    CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA",                   0x0021),
+    CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5",                   0x0025),
+    CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",          0x0027),
+    CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",          0x002a),
+
+    // Unsupported cipher suites from RFC 4162
+    CS_0096("TLS_RSA_WITH_SEED_CBC_SHA",                    0x0096),
+    CS_0097("TLS_DH_DSS_WITH_SEED_CBC_SHA",                 0x0097),
+    CS_0098("TLS_DH_RSA_WITH_SEED_CBC_SHA",                 0x0098),
+    CS_0099("TLS_DHE_DSS_WITH_SEED_CBC_SHA",                0x0099),
+    CS_009A("TLS_DHE_RSA_WITH_SEED_CBC_SHA",                0x009a),
+    CS_009B("TLS_DH_anon_WITH_SEED_CBC_SHA",                0x009b),
+
+    // Unsupported cipher suites from RFC 4279
+    CS_008A("TLS_PSK_WITH_RC4_128_SHA",                     0x008a),
+    CS_008B("TLS_PSK_WITH_3DES_EDE_CBC_SHA",                0x008b),
+    CS_008C("TLS_PSK_WITH_AES_128_CBC_SHA",                 0x008c),
+    CS_008D("TLS_PSK_WITH_AES_256_CBC_SHA",                 0x008d),
+    CS_008E("TLS_DHE_PSK_WITH_RC4_128_SHA",                 0x008e),
+    CS_008F("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",            0x008f),
+    CS_0090("TLS_DHE_PSK_WITH_AES_128_CBC_SHA",             0x0090),
+    CS_0091("TLS_DHE_PSK_WITH_AES_256_CBC_SHA",             0x0091),
+    CS_0092("TLS_RSA_PSK_WITH_RC4_128_SHA",                 0x0092),
+    CS_0093("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",            0x0093),
+    CS_0094("TLS_RSA_PSK_WITH_AES_128_CBC_SHA",             0x0094),
+    CS_0095("TLS_RSA_PSK_WITH_AES_256_CBC_SHA",             0x0095),
+
+    // Unsupported cipher suites from RFC 4785
+    CS_002C("TLS_PSK_WITH_NULL_SHA",                        0x002c),
+    CS_002D("TLS_DHE_PSK_WITH_NULL_SHA",                    0x002d),
+    CS_002E("TLS_RSA_PSK_WITH_NULL_SHA",                    0x002e),
+
+    // Unsupported cipher suites from RFC 5246
+    CS_0030("TLS_DH_DSS_WITH_AES_128_CBC_SHA",              0x0030),
+    CS_0031("TLS_DH_RSA_WITH_AES_128_CBC_SHA",              0x0031),
+    CS_0036("TLS_DH_DSS_WITH_AES_256_CBC_SHA",              0x0036),
+    CS_0037("TLS_DH_RSA_WITH_AES_256_CBC_SHA",              0x0037),
+    CS_003E("TLS_DH_DSS_WITH_AES_128_CBC_SHA256",           0x003e),
+    CS_003F("TLS_DH_RSA_WITH_AES_128_CBC_SHA256",           0x003f),
+    CS_0068("TLS_DH_DSS_WITH_AES_256_CBC_SHA256",           0x0068),
+    CS_0069("TLS_DH_RSA_WITH_AES_256_CBC_SHA256",           0x0069),
+
+    // Unsupported cipher suites from RFC 5288
+    CS_00A0("TLS_DH_RSA_WITH_AES_128_GCM_SHA256",           0x00a0),
+    CS_00A1("TLS_DH_RSA_WITH_AES_256_GCM_SHA384",           0x00a1),
+    CS_00A4("TLS_DH_DSS_WITH_AES_128_GCM_SHA256",           0x00a4),
+    CS_00A5("TLS_DH_DSS_WITH_AES_256_GCM_SHA384",           0x00a5),
+
+    // Unsupported cipher suites from RFC 5487
+    CS_00A8("TLS_PSK_WITH_AES_128_GCM_SHA256",              0x00a8),
+    CS_00A9("TLS_PSK_WITH_AES_256_GCM_SHA384",              0x00a9),
+    CS_00AA("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",          0x00aa),
+    CS_00AB("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",          0x00ab),
+    CS_00AC("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",          0x00ac),
+    CS_00AD("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",          0x00ad),
+    CS_00AE("TLS_PSK_WITH_AES_128_CBC_SHA256",              0x00ae),
+    CS_00AF("TLS_PSK_WITH_AES_256_CBC_SHA384",              0x00af),
+    CS_00B0("TLS_PSK_WITH_NULL_SHA256",                     0x00b0),
+    CS_00B1("TLS_PSK_WITH_NULL_SHA384",                     0x00b1),
+    CS_00B2("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",          0x00b2),
+    CS_00B3("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",          0x00b3),
+    CS_00B4("TLS_DHE_PSK_WITH_NULL_SHA256",                 0x00b4),
+    CS_00B5("TLS_DHE_PSK_WITH_NULL_SHA384",                 0x00b5),
+    CS_00B6("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",          0x00b6),
+    CS_00B7("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",          0x00b7),
+    CS_00B8("TLS_RSA_PSK_WITH_NULL_SHA256",                 0x00b8),
+    CS_00B9("TLS_RSA_PSK_WITH_NULL_SHA384",                 0x00b9),
+
+    // Unsupported cipher suites from RFC 5932
+    CS_0041("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",            0x0041),
+    CS_0042("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",         0x0042),
+    CS_0043("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",         0x0043),
+    CS_0044("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",        0x0044),
+    CS_0045("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",        0x0045),
+    CS_0046("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",        0x0046),
+    CS_0084("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",            0x0084),
+    CS_0085("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",         0x0085),
+    CS_0086("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",         0x0086),
+    CS_0087("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",        0x0087),
+    CS_0088("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",        0x0088),
+    CS_0089("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",        0x0089),
+    CS_00BA("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",         0x00ba),
+    CS_00BB("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",      0x00bb),
+    CS_00BC("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",      0x00bc),
+    CS_00BD("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",     0x00bd),
+    CS_00BE("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",     0x00be),
+    CS_00BF("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",     0x00bf),
+    CS_00C0("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",         0x00c0),
+    CS_00C1("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",      0x00c1),
+    CS_00C2("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",      0x00c2),
+    CS_00C3("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",     0x00c3),
+    CS_00C4("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",     0x00c4),
+    CS_00C5("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",     0x00c5),
+
+    // TLS Fallback Signaling Cipher Suite Value (SCSV) RFC 7507
+    CS_5600("TLS_FALLBACK_SCSV",                            0x5600),
+
+    // Unsupported cipher suites from RFC 5054
+    CS_C01A("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",            0xc01a),
+    CS_C01B("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",        0xc01b),
+    CS_C01C("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",        0xc01c),
+    CS_C01D("TLS_SRP_SHA_WITH_AES_128_CBC_SHA",             0xc01d),
+    CS_C01E("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",         0xc01e),
+    CS_C01F("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",         0xc01f),
+    CS_C020("TLS_SRP_SHA_WITH_AES_256_CBC_SHA",             0xc020),
+    CS_C021("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",         0xc021),
+    CS_C022("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",         0xc022),
+
+    // Unsupported cipher suites from RFC 5489
+    CS_C033("TLS_ECDHE_PSK_WITH_RC4_128_SHA",               0xc033),
+    CS_C034("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",          0xc034),
+    CS_C035("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",           0xc035),
+    CS_C036("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",           0xc036),
+    CS_C037("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",        0xc037),
+    CS_C038("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",        0xc038),
+    CS_C039("TLS_ECDHE_PSK_WITH_NULL_SHA",                  0xc039),
+    CS_C03A("TLS_ECDHE_PSK_WITH_NULL_SHA256",               0xc03a),
+    CS_C03B("TLS_ECDHE_PSK_WITH_NULL_SHA384",               0xc03b),
+
+    // Unsupported cipher suites from RFC 6209
+    CS_C03C("TLS_RSA_WITH_ARIA_128_CBC_SHA256",             0xc03c),
+    CS_C03D("TLS_RSA_WITH_ARIA_256_CBC_SHA384",             0xc03d),
+    CS_C03E("TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",          0xc03e),
+    CS_C03F("TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",          0xc03f),
+    CS_C040("TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",          0xc040),
+    CS_C041("TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",          0xc041),
+    CS_C042("TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",         0xc042),
+    CS_C043("TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",         0xc043),
+    CS_C044("TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",         0xc044),
+    CS_C045("TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",         0xc045),
+    CS_C046("TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",         0xc046),
+    CS_C047("TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",         0xc047),
+    CS_C048("TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",     0xc048),
+    CS_C049("TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",     0xc049),
+    CS_C04A("TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",      0xc04a),
+    CS_C04B("TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",      0xc04b),
+    CS_C04C("TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",       0xc04c),
+    CS_C04D("TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",       0xc04d),
+    CS_C04E("TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",        0xc04e),
+    CS_C04F("TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",        0xc04f),
+    CS_C050("TLS_RSA_WITH_ARIA_128_GCM_SHA256",             0xc050),
+    CS_C051("TLS_RSA_WITH_ARIA_256_GCM_SHA384",             0xc051),
+    CS_C052("TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",         0xc052),
+    CS_C053("TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",         0xc053),
+    CS_C054("TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",          0xc054),
+    CS_C055("TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",          0xc055),
+    CS_C056("TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",         0xc056),
+    CS_C057("TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",         0xc057),
+    CS_C058("TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",          0xc058),
+    CS_C059("TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",          0xc059),
+    CS_C05A("TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",         0xc05a),
+    CS_C05B("TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",         0xc05b),
+    CS_C05C("TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",     0xc05c),
+    CS_C05D("TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",     0xc05d),
+    CS_C05E("TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",      0xc05e),
+    CS_C05F("TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",      0xc05f),
+    CS_C060("TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",       0xc060),
+    CS_C061("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",       0xc061),
+    CS_C062("TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",        0xc062),
+    CS_C063("TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",        0xc063),
+    CS_C064("TLS_PSK_WITH_ARIA_128_CBC_SHA256",             0xc064),
+    CS_C065("TLS_PSK_WITH_ARIA_256_CBC_SHA384",             0xc065),
+    CS_C066("TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",         0xc066),
+    CS_C067("TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",         0xc067),
+    CS_C068("TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",         0xc068),
+    CS_C069("TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",         0xc069),
+    CS_C06A("TLS_PSK_WITH_ARIA_128_GCM_SHA256",             0xc06a),
+    CS_C06B("TLS_PSK_WITH_ARIA_256_GCM_SHA384",             0xc06b),
+    CS_C06C("TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",         0xc06c),
+    CS_C06D("TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",         0xc06d),
+    CS_C06E("TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",         0xc06e),
+    CS_C06F("TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",         0xc06f),
+    CS_C070("TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",       0xc070),
+    CS_C071("TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",       0xc071),
+
+    // Unsupported cipher suites from RFC 6367
+    CS_C072("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc072),
+    CS_C073("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc073),
+    CS_C074("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",  0xc074),
+    CS_C075("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",  0xc075),
+    CS_C076("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",   0xc076),
+    CS_C077("TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",   0xc077),
+    CS_C078("TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",    0xc078),
+    CS_C079("TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",    0xc079),
+    CS_C07A("TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",         0xc07a),
+    CS_C07B("TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",         0xc07b),
+    CS_C07C("TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",     0xc07c),
+    CS_C07D("TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",     0xc07d),
+    CS_C07E("TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",      0xc07e),
+    CS_C07F("TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",      0xc07f),
+    CS_C080("TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",     0xc080),
+    CS_C081("TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",     0xc081),
+    CS_C082("TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",      0xc082),
+    CS_C083("TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",      0xc083),
+    CS_C084("TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",     0xc084),
+    CS_C085("TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",     0xc085),
+    CS_C086("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc086),
+    CS_C087("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc087),
+    CS_C088("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",  0xc088),
+    CS_C089("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",  0xc089),
+    CS_C08A("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",   0xc08a),
+    CS_C08B("TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",   0xc08b),
+    CS_C08C("TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",    0xc08c),
+    CS_C08D("TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",    0xc08d),
+    CS_C08E("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",         0xc08e),
+    CS_C08F("TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",         0xc08f),
+    CS_C090("TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",     0xc090),
+    CS_C091("TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",     0xc091),
+    CS_C092("TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",     0xc092),
+    CS_C093("TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",     0xc093),
+    CS_C094("TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",         0xc094),
+    CS_C095("TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",         0xc095),
+    CS_C096("TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",     0xc096),
+    CS_C097("TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",     0xc097),
+    CS_C098("TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",     0xc098),
+    CS_C099("TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",     0xc099),
+    CS_C09A("TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",   0xc09a),
+    CS_C09B("TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",   0xc09b),
+
+    // Unsupported cipher suites from RFC 6655
+    CS_C09C("TLS_RSA_WITH_AES_128_CCM",                     0xc09c),
+    CS_C09D("TLS_RSA_WITH_AES_256_CCM",                     0xc09d),
+    CS_C09E("TLS_DHE_RSA_WITH_AES_128_CCM",                 0xc09e),
+    CS_C09F("TLS_DHE_RSA_WITH_AES_256_CCM",                 0xc09f),
+    CS_C0A0("TLS_RSA_WITH_AES_128_CCM_8",                   0xc0A0),
+    CS_C0A1("TLS_RSA_WITH_AES_256_CCM_8",                   0xc0A1),
+    CS_C0A2("TLS_DHE_RSA_WITH_AES_128_CCM_8",               0xc0A2),
+    CS_C0A3("TLS_DHE_RSA_WITH_AES_256_CCM_8",               0xc0A3),
+    CS_C0A4("TLS_PSK_WITH_AES_128_CCM",                     0xc0A4),
+    CS_C0A5("TLS_PSK_WITH_AES_256_CCM",                     0xc0A5),
+    CS_C0A6("TLS_DHE_PSK_WITH_AES_128_CCM",                 0xc0A6),
+    CS_C0A7("TLS_DHE_PSK_WITH_AES_256_CCM",                 0xc0A7),
+    CS_C0A8("TLS_PSK_WITH_AES_128_CCM_8",                   0xc0A8),
+    CS_C0A9("TLS_PSK_WITH_AES_256_CCM_8",                   0xc0A9),
+    CS_C0AA("TLS_PSK_DHE_WITH_AES_128_CCM_8",               0xc0Aa),
+    CS_C0AB("TLS_PSK_DHE_WITH_AES_256_CCM_8",               0xc0Ab),
+
+    // Unsupported cipher suites from RFC 7251
+    CS_C0AC("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",             0xc0Ac),
+    CS_C0AD("TLS_ECDHE_ECDSA_WITH_AES_256_CCM",             0xc0Ad),
+    CS_C0AE("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",           0xc0Ae),
+    CS_C0AF("TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",           0xc0Af),
 
-    // Protocol defined CipherSuite name, e.g. SSL_RSA_WITH_RC4_128_MD5
-    // we use TLS_* only for new CipherSuites, still SSL_* for old ones
-    final String name;
+    C_NULL("SSL_NULL_WITH_NULL_NULL", 0x0000);
 
-    // id in 16 bit MSB format, i.e. 0x0004 for SSL_RSA_WITH_RC4_128_MD5
     final int id;
-
-    // priority for the internal default preference order. the higher the
-    // better. Each supported CipherSuite *must* have a unique priority.
-    // Ciphersuites with priority >= DEFAULT_SUITES_PRIORITY are enabled
-    // by default
-    final int priority;
-
-    // key exchange, bulk cipher, mac and prf algorithms. See those
-    // classes below.
+    final boolean isDefaultEnabled;
+    final String name;
+    final List<String> aliases;
+    final List<ProtocolVersion> supportedProtocols;
     final KeyExchange keyExchange;
-    final BulkCipher cipher;
+    final SSLCipher bulkCipher;
     final MacAlg macAlg;
-    final PRF prfAlg;
+    final HashAlg hashAlg;
 
-    // whether a CipherSuite qualifies as exportable under 512/40 bit rules.
-    // TLS 1.1+ (RFC 4346) must not negotiate to these suites.
     final boolean exportable;
 
-    // true iff implemented and enabled at compile time
-    final boolean allowed;
-
-    // obsoleted since protocol version
-    //
-    // TLS version is used.  If checking DTLS versions, please map to
-    // TLS version firstly.  See ProtocolVersion.mapToTLSProtocol().
-    final int obsoleted;
-
-    // supported since protocol version (TLS version is used)
-    //
-    // TLS version is used.  If checking DTLS versions, please map to
-    // TLS version firstly.  See ProtocolVersion.mapToTLSProtocol().
-    final int supported;
+    // known but unsupported cipher suite
+    private CipherSuite(String name, int id) {
+        this(id, false, name, "",
+                ProtocolVersion.PROTOCOLS_EMPTY, null, null, null, null);
+    }
 
-    /**
-     * Constructor for implemented CipherSuites.
-     */
-    private CipherSuite(String name, int id, int priority,
-            KeyExchange keyExchange, BulkCipher cipher, MacAlg mac,
-            boolean allowed, int obsoleted, int supported, PRF prfAlg) {
-        this.name = name;
+    // TLS 1.3 cipher suite
+    private CipherSuite(int id, boolean isDefaultEnabled,
+            String name, ProtocolVersion[] supportedProtocols,
+            SSLCipher bulkCipher, HashAlg hashAlg) {
+        this(id, isDefaultEnabled, name, "",
+                supportedProtocols, null, bulkCipher, M_NULL, hashAlg);
+    }
+
+    private CipherSuite(int id, boolean isDefaultEnabled,
+            String name, String aliases,
+            ProtocolVersion[] supportedProtocols,
+            KeyExchange keyExchange, SSLCipher cipher,
+            MacAlg macAlg, HashAlg hashAlg) {
         this.id = id;
-        this.priority = priority;
+        this.isDefaultEnabled = isDefaultEnabled;
+        this.name = name;
+        if (aliases.isEmpty()) {
+            this.aliases = Arrays.asList(aliases.split(","));
+        } else {
+            this.aliases = Collections.emptyList();
+        }
+        this.supportedProtocols = Arrays.asList(supportedProtocols);
         this.keyExchange = keyExchange;
-        this.cipher = cipher;
-        this.macAlg = mac;
-        this.exportable = cipher.exportable;
-        allowed &= keyExchange.allowed;
-        allowed &= cipher.allowed;
-        this.allowed = allowed;
-        this.obsoleted = obsoleted;
-        this.supported = supported;
-        this.prfAlg = prfAlg;
+        this.bulkCipher = cipher;
+        this.macAlg = macAlg;
+        this.hashAlg = hashAlg;
+
+        this.exportable = (cipher == null ? false : cipher.exportable);
     }
 
-    /**
-     * Constructor for unimplemented CipherSuites.
-     */
-    private CipherSuite(String name, int id) {
-        this.name = name;
-        this.id = id;
-        this.allowed = false;
+    static CipherSuite nameOf(String ciperSuiteName) {
+        for (CipherSuite cs : CipherSuite.values()) {
+            if (cs.name.equals(ciperSuiteName) ||
+                    cs.aliases.contains(ciperSuiteName)) {
+                return cs;
+            }
+        }
 
-        this.priority = 0;
-        this.keyExchange = null;
-        this.cipher = null;
-        this.macAlg = null;
-        this.exportable = false;
-        this.obsoleted = ProtocolVersion.LIMIT_MAX_VALUE;
-        this.supported = ProtocolVersion.LIMIT_MIN_VALUE;
-        this.prfAlg = P_NONE;
+        return null;
+    }
+
+    static CipherSuite valueOf(int id) {
+        for (CipherSuite cs : CipherSuite.values()) {
+            if (cs.id == id) {
+                return cs;
+            }
+        }
+
+        return null;
+    }
+
+    static String nameOf(int id) {
+        for (CipherSuite cs : CipherSuite.values()) {
+            if (cs.id == id) {
+                return cs.name;
+            }
+        }
+
+        return "UNKNOWN-CIPHER-SUITE(" + Utilities.byte16HexString(id) + ")";
+    }
+
+    static Collection<CipherSuite> allowedCipherSuites() {
+        Collection<CipherSuite> cipherSuites = new LinkedList<>();
+        for (CipherSuite cs : CipherSuite.values()) {
+            if (!cs.supportedProtocols.isEmpty()) {
+                cipherSuites.add(cs);
+            } else {
+                // The following cipher suites are not supported.
+                break;
+            }
+        }
+        return cipherSuites;
+    }
+
+    static Collection<CipherSuite> defaultCipherSuites() {
+        Collection<CipherSuite> cipherSuites = new LinkedList<>();
+        for (CipherSuite cs : CipherSuite.values()) {
+            if (cs.isDefaultEnabled) {
+                cipherSuites.add(cs);
+            } else {
+                // The following cipher suites are not default enabled..
+                break;
+            }
+        }
+        return cipherSuites;
     }
 
     /**
-     * Return whether this CipherSuite is available for use. A
-     * CipherSuite may be unavailable even if it is supported
-     * (i.e. allowed == true) if the required JCE cipher is not installed.
+     * Validates and converts an array of cipher suite names.
+     *
+     * @throws IllegalArgumentException if the array or any of its elements
+     *          is null or if the ciphersuite name is unrecognized or
+     *          unsupported using currently installed providers
      */
+    static List<CipherSuite> validValuesOf(String[] names) {
+        if (names == null || names.length == 0) {
+            return Collections.emptyList();
+        }
+
+        List<CipherSuite> cipherSuites = new ArrayList<>(names.length);
+        for (String name : names) {
+            boolean found = false;
+            for (CipherSuite cs : CipherSuite.values()) {
+                if (!cs.supportedProtocols.isEmpty()) {
+                    if (cs.name.equals(name) ||
+                            cs.aliases.contains(name)) {
+                        cipherSuites.add(cs);
+                        found = true;
+                        break;
+                    }
+                } else {
+                    // The following cipher suites are not supported.
+                    break;
+                }
+            }
+            if (!found) {
+                throw new IllegalArgumentException(
+                        "Cannot support "  + name +
+                        " with currently installed providers");
+            }
+        }
+
+        return Collections.unmodifiableList(cipherSuites);
+    }
+
+    static String[] namesOf(List<CipherSuite> cipherSuites) {
+        String[] names = new String[cipherSuites.size()];
+        int i = 0;
+        for (CipherSuite cipherSuite : cipherSuites) {
+            names[i++] = cipherSuite.name;
+        }
+
+        return names;
+    }
+
     boolean isAvailable() {
-        return allowed && keyExchange.isAvailable() && cipher.isAvailable();
+        return !supportedProtocols.isEmpty() &&
+                (keyExchange == null || keyExchange.isAvailable()) &&
+                bulkCipher != null && bulkCipher.isAvailable();
+    }
+
+    public boolean supports(ProtocolVersion protocolVersion) {
+        return supportedProtocols.contains(protocolVersion);
     }
 
     boolean isNegotiable() {
-        return this != C_SCSV && isAvailable();
+        return this != TLS_EMPTY_RENEGOTIATION_INFO_SCSV && isAvailable();
     }
 
-    // See also CipherBox.calculatePacketSize().
+    boolean isAnonymous() {
+        return (keyExchange != null && keyExchange.isAnonymous);
+    }
+
+    // See also SSLWriteCipher.calculatePacketSize().
     int calculatePacketSize(int fragmentSize,
             ProtocolVersion protocolVersion, boolean isDTLS) {
-
         int packetSize = fragmentSize;
-        if (cipher != B_NULL) {
-            int blockSize = cipher.ivSize;
-            switch (cipher.cipherType) {
+        if (bulkCipher != null && bulkCipher != B_NULL) {
+            int blockSize = bulkCipher.ivSize;
+            switch (bulkCipher.cipherType) {
                 case BLOCK_CIPHER:
                     packetSize += macAlg.size;
                     packetSize += 1;        // 1 byte padding length field
@@ -199,8 +977,11 @@
 
                     break;
             case AEAD_CIPHER:
-                packetSize += cipher.ivSize - cipher.fixedIvSize;   // record IV
-                packetSize += cipher.tagSize;
+                if (protocolVersion == ProtocolVersion.TLS12 ||
+                        protocolVersion == ProtocolVersion.DTLS12) {
+                    packetSize += bulkCipher.ivSize - bulkCipher.fixedIvSize;
+                }
+                packetSize += bulkCipher.tagSize;
 
                 break;
             default:    // NULL_CIPHER or STREAM_CIPHER
@@ -215,12 +996,11 @@
     // See also CipherBox.calculateFragmentSize().
     int calculateFragSize(int packetLimit,
             ProtocolVersion protocolVersion, boolean isDTLS) {
-
         int fragSize = packetLimit -
                 (isDTLS ? DTLSRecord.headerSize : SSLRecord.headerSize);
-        if (cipher != B_NULL) {
-            int blockSize = cipher.ivSize;
-            switch (cipher.cipherType) {
+        if (bulkCipher != null && bulkCipher != B_NULL) {
+            int blockSize = bulkCipher.ivSize;
+            switch (bulkCipher.cipherType) {
             case BLOCK_CIPHER:
                 if (protocolVersion.useTLS11PlusSpec()) {
                     fragSize -= blockSize;              // explicit IV
@@ -232,8 +1012,8 @@
 
                 break;
             case AEAD_CIPHER:
-                fragSize -= cipher.tagSize;
-                fragSize -= cipher.ivSize - cipher.fixedIvSize;     // record IV
+                fragSize -= bulkCipher.tagSize;
+                fragSize -= bulkCipher.ivSize - bulkCipher.fixedIvSize;
 
                 break;
             default:    // NULL_CIPHER or STREAM_CIPHER
@@ -245,172 +1025,53 @@
     }
 
     /**
-     * Compares CipherSuites based on their priority. Has the effect of
-     * sorting CipherSuites when put in a sorted collection, which is
-     * used by CipherSuiteList. Follows standard Comparable contract.
-     *
-     * Note that for unsupported CipherSuites parsed from a handshake
-     * message we violate the equals() contract.
-     */
-    @Override
-    public int compareTo(CipherSuite o) {
-        return o.priority - priority;
-    }
-
-    /**
-     * Returns this.name.
-     */
-    @Override
-    public String toString() {
-        return name;
-    }
-
-    /**
-     * Return a CipherSuite for the given name. The returned CipherSuite
-     * is supported by this implementation but may not actually be
-     * currently useable. See isAvailable().
-     *
-     * @exception IllegalArgumentException if the CipherSuite is unknown or
-     * unsupported.
-     */
-    static CipherSuite valueOf(String s) {
-        if (s == null) {
-            throw new IllegalArgumentException("Name must not be null");
-        }
-
-        CipherSuite c = nameMap.get(s);
-        if ((c == null) || (c.allowed == false)) {
-            throw new IllegalArgumentException("Unsupported ciphersuite " + s);
-        }
-
-        return c;
-    }
-
-    /**
-     * Return a CipherSuite with the given ID. A temporary object is
-     * constructed if the ID is unknown. Use isAvailable() to verify that
-     * the CipherSuite can actually be used.
-     */
-    static CipherSuite valueOf(int id1, int id2) {
-        id1 &= 0xff;
-        id2 &= 0xff;
-        int id = (id1 << 8) | id2;
-        CipherSuite c = idMap.get(id);
-        if (c == null) {
-            String h1 = Integer.toString(id1, 16);
-            String h2 = Integer.toString(id2, 16);
-            c = new CipherSuite("Unknown 0x" + h1 + ":0x" + h2, id);
-        }
-        return c;
-    }
-
-    // for use by SSLContextImpl only
-    static Collection<CipherSuite> allowedCipherSuites() {
-        return nameMap.values();
-    }
-
-    /*
-     * Use this method when all of the values need to be specified.
-     * This is primarily used when defining a new ciphersuite for
-     * TLS 1.2+ that doesn't use the "default" PRF.
-     */
-    private static void add(String name, int id, int priority,
-            KeyExchange keyExchange, BulkCipher cipher, MacAlg mac,
-            boolean allowed, int obsoleted, int supported, PRF prf) {
-
-        CipherSuite c = new CipherSuite(name, id, priority, keyExchange,
-            cipher, mac, allowed, obsoleted, supported, prf);
-        if (idMap.put(id, c) != null) {
-            throw new RuntimeException("Duplicate ciphersuite definition: "
-                                        + id + ", " + name);
-        }
-        if (c.allowed) {
-            if (nameMap.put(name, c) != null) {
-                throw new RuntimeException("Duplicate ciphersuite definition: "
-                                            + id + ", " + name);
-            }
-        }
-    }
-
-    /*
-     * Use this method when there is no lower protocol limit where this
-     * suite can be used, and the PRF is P_SHA256.  That is, the
-     * existing ciphersuites.  From RFC 5246:
-     *
-     *     All cipher suites in this document use P_SHA256.
-     */
-    private static void add(String name, int id, int priority,
-            KeyExchange keyExchange, BulkCipher cipher, MacAlg mac,
-            boolean allowed, int obsoleted) {
-        PRF prf = obsoleted < ProtocolVersion.TLS12.v ? P_NONE : P_SHA256;
-
-        add(name, id, priority, keyExchange, cipher, mac, allowed, obsoleted,
-            ProtocolVersion.LIMIT_MIN_VALUE, prf);
-    }
-
-    /*
-     * Use this method when there is no upper protocol limit.  That is,
-     * suites which have not been obsoleted.
-     */
-    private static void add(String name, int id, int priority,
-            KeyExchange keyExchange, BulkCipher cipher, MacAlg mac,
-            boolean allowed) {
-        add(name, id, priority, keyExchange, cipher, mac, allowed,
-                ProtocolVersion.LIMIT_MAX_VALUE);
-    }
-
-    /*
-     * Use this method to define an unimplemented suite.  This provides
-     * a number<->name mapping that can be used for debugging.
-     */
-    private static void add(String name, int id) {
-        CipherSuite c = new CipherSuite(name, id);
-        if (idMap.put(id, c) != null) {
-            throw new RuntimeException("Duplicate ciphersuite definition: "
-                                        + id + ", " + name);
-        }
-    }
-
-    /**
      * An SSL/TLS key exchange algorithm.
      */
     static enum KeyExchange {
-
-        // key exchange algorithms
-        K_NULL       ("NULL",       false,      NAMED_GROUP_NONE),
-        K_RSA        ("RSA",        true,       NAMED_GROUP_NONE),
-        K_RSA_EXPORT ("RSA_EXPORT", true,       NAMED_GROUP_NONE),
-        K_DH_RSA     ("DH_RSA",     false,      NAMED_GROUP_NONE),
-        K_DH_DSS     ("DH_DSS",     false,      NAMED_GROUP_NONE),
-        K_DHE_DSS    ("DHE_DSS",    true,       NAMED_GROUP_FFDHE),
-        K_DHE_RSA    ("DHE_RSA",    true,       NAMED_GROUP_FFDHE),
-        K_DH_ANON    ("DH_anon",    true,       NAMED_GROUP_FFDHE),
-
-        K_ECDH_ECDSA ("ECDH_ECDSA",  ALLOW_ECC, NAMED_GROUP_ECDHE),
-        K_ECDH_RSA   ("ECDH_RSA",    ALLOW_ECC, NAMED_GROUP_ECDHE),
-        K_ECDHE_ECDSA("ECDHE_ECDSA", ALLOW_ECC, NAMED_GROUP_ECDHE),
-        K_ECDHE_RSA  ("ECDHE_RSA",   ALLOW_ECC, NAMED_GROUP_ECDHE),
-        K_ECDH_ANON  ("ECDH_anon",   ALLOW_ECC, NAMED_GROUP_ECDHE),
+        K_NULL       ("NULL",       false,      true,   NAMED_GROUP_NONE),
+        K_RSA        ("RSA",        true,       false,  NAMED_GROUP_NONE),
+        K_RSA_EXPORT ("RSA_EXPORT", true,       false,  NAMED_GROUP_NONE),
+        K_DH_RSA     ("DH_RSA",     false,      false,  NAMED_GROUP_NONE),
+        K_DH_DSS     ("DH_DSS",     false,      false,  NAMED_GROUP_NONE),
+        K_DHE_DSS    ("DHE_DSS",    true,       false,  NAMED_GROUP_FFDHE),
+        K_DHE_DSS_EXPORT("DHE_DSS_EXPORT", true, false, NAMED_GROUP_NONE),
+        K_DHE_RSA    ("DHE_RSA",    true,       false,  NAMED_GROUP_FFDHE),
+        K_DHE_RSA_EXPORT("DHE_RSA_EXPORT", true, false, NAMED_GROUP_NONE),
+        K_DH_ANON    ("DH_anon",    true,       true,   NAMED_GROUP_FFDHE),
+        K_DH_ANON_EXPORT("DH_anon_EXPORT",true, true,   NAMED_GROUP_NONE),
+
+        K_ECDH_ECDSA ("ECDH_ECDSA",  true,      false,  NAMED_GROUP_ECDHE),
+        K_ECDH_RSA   ("ECDH_RSA",    true,      false,  NAMED_GROUP_ECDHE),
+        K_ECDHE_ECDSA("ECDHE_ECDSA", true,      false,  NAMED_GROUP_ECDHE),
+        K_ECDHE_RSA  ("ECDHE_RSA",   true,      false,  NAMED_GROUP_ECDHE),
+        K_ECDH_ANON  ("ECDH_anon",   true,      true,   NAMED_GROUP_ECDHE),
 
         // Kerberos cipher suites
-        K_KRB5       ("KRB5", true,             NAMED_GROUP_NONE),
-        K_KRB5_EXPORT("KRB5_EXPORT", true,      NAMED_GROUP_NONE),
+        K_KRB5       ("KRB5", true,             false,  NAMED_GROUP_NONE),
+        K_KRB5_EXPORT("KRB5_EXPORT", true,      false,  NAMED_GROUP_NONE),
 
         // renegotiation protection request signaling cipher suite
-        K_SCSV       ("SCSV",        true,      NAMED_GROUP_NONE);
+        K_SCSV       ("SCSV",        true,      true,   NAMED_GROUP_NONE);
 
         // name of the key exchange algorithm, e.g. DHE_DSS
         final String name;
         final boolean allowed;
         final NamedGroupType groupType;
         private final boolean alwaysAvailable;
+        private final boolean isAnonymous;
 
-        KeyExchange(String name, boolean allowed, NamedGroupType groupType) {
+        KeyExchange(String name, boolean allowed,
+                boolean isAnonymous, NamedGroupType groupType) {
             this.name = name;
-            this.allowed = allowed;
+            if (groupType == NAMED_GROUP_ECDHE) {
+                this.allowed = JsseJce.ALLOW_ECC;
+            } else {
+                this.allowed = allowed;
+            }
             this.groupType = groupType;
             this.alwaysAvailable = allowed &&
                 (!name.startsWith("EC")) && (!name.startsWith("KRB"));
+            this.isAnonymous = isAnonymous;
         }
 
         boolean isAvailable() {
@@ -433,192 +1094,6 @@
         }
     }
 
-    static enum CipherType {
-        NULL_CIPHER,           // null cipher
-        STREAM_CIPHER,         // stream cipher
-        BLOCK_CIPHER,          // block cipher in CBC mode
-        AEAD_CIPHER            // AEAD cipher
-    }
-
-    /**
-     * An SSL/TLS bulk cipher algorithm. One instance per combination of
-     * cipher and key length.
-     *
-     * Also contains a factory method to obtain in initialized CipherBox
-     * for this algorithm.
-     */
-    static enum BulkCipher {
-
-        // export strength ciphers
-        B_NULL("NULL", NULL_CIPHER, 0, 0, 0, 0, true),
-        B_RC4_40(CIPHER_RC4, STREAM_CIPHER, 5, 16, 0, 0, true),
-        B_RC2_40("RC2", BLOCK_CIPHER, 5, 16, 8, 0, false),
-        B_DES_40(CIPHER_DES,  BLOCK_CIPHER, 5, 8, 8, 0, true),
-
-        // domestic strength ciphers
-        B_RC4_128(CIPHER_RC4, STREAM_CIPHER, 16, 0, 0, true),
-        B_DES(CIPHER_DES, BLOCK_CIPHER, 8, 8, 0, true),
-        B_3DES(CIPHER_3DES, BLOCK_CIPHER, 24, 8, 0, true),
-        B_IDEA("IDEA", BLOCK_CIPHER, 16, 8, 0, false),
-        B_AES_128(CIPHER_AES, BLOCK_CIPHER, 16, 16, 0, true),
-        B_AES_256(CIPHER_AES, BLOCK_CIPHER, 32, 16, 0, true),
-        B_AES_128_GCM(CIPHER_AES_GCM, AEAD_CIPHER, 16, 12, 4, true),
-        B_AES_256_GCM(CIPHER_AES_GCM, AEAD_CIPHER, 32, 12, 4, true);
-
-        // descriptive name including key size, e.g. AES/128
-        final String description;
-
-        // JCE cipher transformation string, e.g. AES/CBC/NoPadding
-        final String transformation;
-
-        // algorithm name, e.g. AES
-        final String algorithm;
-
-        // supported and compile time enabled. Also see isAvailable()
-        final boolean allowed;
-
-        // number of bytes of entropy in the key
-        final int keySize;
-
-        // length of the actual cipher key in bytes.
-        // for non-exportable ciphers, this is the same as keySize
-        final int expandedKeySize;
-
-        // size of the IV
-        final int ivSize;
-
-        // size of fixed IV
-        //
-        // record_iv_length = ivSize - fixedIvSize
-        final int fixedIvSize;
-
-        // exportable under 512/40 bit rules
-        final boolean exportable;
-
-        // Is the cipher algorithm of Cipher Block Chaining (CBC) mode?
-        final CipherType cipherType;
-
-        // size of the authentication tag, only applicable to cipher suites in
-        // Galois Counter Mode (GCM)
-        //
-        // As far as we know, all supported GCM cipher suites use 128-bits
-        // authentication tags.
-        final int tagSize = 16;
-
-        // The secure random used to detect the cipher availability.
-        private static final SecureRandom secureRandom;
-
-        // runtime availability
-        private final boolean isAvailable;
-
-        static {
-            try {
-                secureRandom = JsseJce.getSecureRandom();
-            } catch (KeyManagementException kme) {
-                throw new RuntimeException(kme);
-            }
-        }
-
-        BulkCipher(String transformation, CipherType cipherType, int keySize,
-                int expandedKeySize, int ivSize,
-                int fixedIvSize, boolean allowed) {
-
-            this.transformation = transformation;
-            String[] splits = transformation.split("/");
-            this.algorithm = splits[0];
-            this.cipherType = cipherType;
-            this.description = this.algorithm + "/" + (keySize << 3);
-            this.keySize = keySize;
-            this.ivSize = ivSize;
-            this.fixedIvSize = fixedIvSize;
-            this.allowed = allowed;
-
-            this.expandedKeySize = expandedKeySize;
-            this.exportable = true;
-
-            // availability of this bulk cipher
-            //
-            // Currently all supported ciphers except AES are always available
-            // via the JSSE internal implementations. We also assume AES/128 of
-            // CBC mode is always available since it is shipped with the SunJCE
-            // provider.  However, AES/256 is unavailable when the default JCE
-            // policy jurisdiction files are installed because of key length
-            // restrictions.
-            this.isAvailable =
-                    allowed ? isUnlimited(keySize, transformation) : false;
-        }
-
-        BulkCipher(String transformation, CipherType cipherType, int keySize,
-                int ivSize, int fixedIvSize, boolean allowed) {
-            this.transformation = transformation;
-            String[] splits = transformation.split("/");
-            this.algorithm = splits[0];
-            this.cipherType = cipherType;
-            this.description = this.algorithm + "/" + (keySize << 3);
-            this.keySize = keySize;
-            this.ivSize = ivSize;
-            this.fixedIvSize = fixedIvSize;
-            this.allowed = allowed;
-
-            this.expandedKeySize = keySize;
-            this.exportable = false;
-
-            // availability of this bulk cipher
-            //
-            // Currently all supported ciphers except AES are always available
-            // via the JSSE internal implementations. We also assume AES/128 of
-            // CBC mode is always available since it is shipped with the SunJCE
-            // provider.  However, AES/256 is unavailable when the default JCE
-            // policy jurisdiction files are installed because of key length
-            // restrictions.
-            this.isAvailable =
-                    allowed ? isUnlimited(keySize, transformation) : false;
-        }
-
-        /**
-         * Return an initialized CipherBox for this BulkCipher.
-         * IV must be null for stream ciphers.
-         *
-         * @exception NoSuchAlgorithmException if anything goes wrong
-         */
-        CipherBox newCipher(ProtocolVersion version, SecretKey key,
-                IvParameterSpec iv, SecureRandom random,
-                boolean encrypt) throws NoSuchAlgorithmException {
-            return CipherBox.newCipherBox(version, this,
-                                            key, iv, random, encrypt);
-        }
-
-        /**
-         * Test if this bulk cipher is available. For use by CipherSuite.
-         */
-        boolean isAvailable() {
-            return this.isAvailable;
-        }
-
-        private static boolean isUnlimited(int keySize, String transformation) {
-            int keySizeInBits = keySize * 8;
-            if (keySizeInBits > 128) {    // need the JCE unlimited
-                                          // strength jurisdiction policy
-                try {
-                    if (Cipher.getMaxAllowedKeyLength(
-                            transformation) < keySizeInBits) {
-
-                        return false;
-                    }
-                } catch (Exception e) {
-                    return false;
-                }
-            }
-
-            return true;
-        }
-
-        @Override
-        public String toString() {
-            return description;
-        }
-    }
-
     /**
      * An SSL/TLS key MAC algorithm.
      *
@@ -653,17 +1128,6 @@
             this.minimalPaddingSize = minimalPaddingSize;
         }
 
-        /**
-         * Return an initialized MAC for this MacAlg. ProtocolVersion
-         * must either be SSL30 (SSLv3 custom MAC) or TLS10 (std. HMAC).
-         *
-         * @exception NoSuchAlgorithmException if anything goes wrong
-         */
-        MAC newMac(ProtocolVersion protocolVersion, SecretKey secret)
-                throws NoSuchAlgorithmException, InvalidKeyException {
-            return new MAC(this, protocolVersion, secret);
-        }
-
         @Override
         public String toString() {
             return name;
@@ -671,975 +1135,32 @@
     }
 
     /**
-     * PRFs (PseudoRandom Function) from TLS specifications.
-     *
-     * TLS 1.1- uses a single MD5/SHA1-based PRF algorithm for generating
-     * the necessary material.
+     * The hash algorithms used for PRF (PseudoRandom Function) or HKDF.
      *
-     * In TLS 1.2+, all existing/known CipherSuites use SHA256, however
-     * new Ciphersuites (e.g. RFC 5288) can define specific PRF hash
-     * algorithms.
+     * Note that TLS 1.1- uses a single MD5/SHA1-based PRF algorithm for
+     * generating the necessary material.
      */
-    static enum PRF {
+    static enum HashAlg {
 
         // PRF algorithms
-        P_NONE(     "NONE",  0,   0),
-        P_SHA256("SHA-256", 32,  64),
-        P_SHA384("SHA-384", 48, 128),
-        P_SHA512("SHA-512", 64, 128);  // not currently used.
+        H_NONE(     "NONE",  0,   0),
+        H_SHA256("SHA-256", 32,  64),
+        H_SHA384("SHA-384", 48, 128);
 
         // PRF characteristics
-        private final String prfHashAlg;
-        private final int prfHashLength;
-        private final int prfBlockSize;
-
-        PRF(String prfHashAlg, int prfHashLength, int prfBlockSize) {
-            this.prfHashAlg = prfHashAlg;
-            this.prfHashLength = prfHashLength;
-            this.prfBlockSize = prfBlockSize;
-        }
-
-        String getPRFHashAlg() {
-            return prfHashAlg;
-        }
+        final String name;
+        final int hashLength;
+        final int blockSize;
 
-        int getPRFHashLength() {
-            return prfHashLength;
+        HashAlg(String hashAlg, int hashLength, int blockSize) {
+            this.name = hashAlg;
+            this.hashLength = hashLength;
+            this.blockSize = blockSize;
         }
 
-        int getPRFBlockSize() {
-            return prfBlockSize;
+        @Override
+        public String toString() {
+            return name;
         }
     }
-
-    static {
-        idMap = new HashMap<Integer,CipherSuite>();
-        nameMap = new HashMap<String,CipherSuite>();
-
-        final boolean F = false;
-        final boolean T = true;
-        // N: ciphersuites only allowed if we are not in FIPS mode
-        final boolean N = (SunJSSE.isFIPS() == false);
-
-        /*
-         * TLS Cipher Suite Registry, as of November 2015.
-         *
-         * http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
-         *
-         * Range      Registration Procedures   Notes
-         * 000-191    Standards Action          Refers to value of first byte
-         * 192-254    Specification Required    Refers to value of first byte
-         * 255        Reserved for Private Use  Refers to value of first byte
-         *
-         * Value      Description                                   Reference
-         * 0x00,0x00  TLS_NULL_WITH_NULL_NULL                       [RFC5246]
-         * 0x00,0x01  TLS_RSA_WITH_NULL_MD5                         [RFC5246]
-         * 0x00,0x02  TLS_RSA_WITH_NULL_SHA                         [RFC5246]
-         * 0x00,0x03  TLS_RSA_EXPORT_WITH_RC4_40_MD5                [RFC4346]
-         * 0x00,0x04  TLS_RSA_WITH_RC4_128_MD5                      [RFC5246]
-         * 0x00,0x05  TLS_RSA_WITH_RC4_128_SHA                      [RFC5246]
-         * 0x00,0x06  TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5            [RFC4346]
-         * 0x00,0x07  TLS_RSA_WITH_IDEA_CBC_SHA                     [RFC5469]
-         * 0x00,0x08  TLS_RSA_EXPORT_WITH_DES40_CBC_SHA             [RFC4346]
-         * 0x00,0x09  TLS_RSA_WITH_DES_CBC_SHA                      [RFC5469]
-         * 0x00,0x0A  TLS_RSA_WITH_3DES_EDE_CBC_SHA                 [RFC5246]
-         * 0x00,0x0B  TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA          [RFC4346]
-         * 0x00,0x0C  TLS_DH_DSS_WITH_DES_CBC_SHA                   [RFC5469]
-         * 0x00,0x0D  TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA              [RFC5246]
-         * 0x00,0x0E  TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA          [RFC4346]
-         * 0x00,0x0F  TLS_DH_RSA_WITH_DES_CBC_SHA                   [RFC5469]
-         * 0x00,0x10  TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA              [RFC5246]
-         * 0x00,0x11  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA         [RFC4346]
-         * 0x00,0x12  TLS_DHE_DSS_WITH_DES_CBC_SHA                  [RFC5469]
-         * 0x00,0x13  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA             [RFC5246]
-         * 0x00,0x14  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA         [RFC4346]
-         * 0x00,0x15  TLS_DHE_RSA_WITH_DES_CBC_SHA                  [RFC5469]
-         * 0x00,0x16  TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA             [RFC5246]
-         * 0x00,0x17  TLS_DH_anon_EXPORT_WITH_RC4_40_MD5            [RFC4346]
-         * 0x00,0x18  TLS_DH_anon_WITH_RC4_128_MD5                  [RFC5246]
-         * 0x00,0x19  TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA         [RFC4346]
-         * 0x00,0x1A  TLS_DH_anon_WITH_DES_CBC_SHA                  [RFC5469]
-         * 0x00,0x1B  TLS_DH_anon_WITH_3DES_EDE_CBC_SHA             [RFC5246]
-         * 0x00,0x1C-1D Reserved to avoid conflicts with SSLv3      [RFC5246]
-         * 0x00,0x1E  TLS_KRB5_WITH_DES_CBC_SHA                     [RFC2712]
-         * 0x00,0x1F  TLS_KRB5_WITH_3DES_EDE_CBC_SHA                [RFC2712]
-         * 0x00,0x20  TLS_KRB5_WITH_RC4_128_SHA                     [RFC2712]
-         * 0x00,0x21  TLS_KRB5_WITH_IDEA_CBC_SHA                    [RFC2712]
-         * 0x00,0x22  TLS_KRB5_WITH_DES_CBC_MD5                     [RFC2712]
-         * 0x00,0x23  TLS_KRB5_WITH_3DES_EDE_CBC_MD5                [RFC2712]
-         * 0x00,0x24  TLS_KRB5_WITH_RC4_128_MD5                     [RFC2712]
-         * 0x00,0x25  TLS_KRB5_WITH_IDEA_CBC_MD5                    [RFC2712]
-         * 0x00,0x26  TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA           [RFC2712]
-         * 0x00,0x27  TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA           [RFC2712]
-         * 0x00,0x28  TLS_KRB5_EXPORT_WITH_RC4_40_SHA               [RFC2712]
-         * 0x00,0x29  TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5           [RFC2712]
-         * 0x00,0x2A  TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5           [RFC2712]
-         * 0x00,0x2B  TLS_KRB5_EXPORT_WITH_RC4_40_MD5               [RFC2712]
-         * 0x00,0x2C  TLS_PSK_WITH_NULL_SHA                         [RFC4785]
-         * 0x00,0x2D  TLS_DHE_PSK_WITH_NULL_SHA                     [RFC4785]
-         * 0x00,0x2E  TLS_RSA_PSK_WITH_NULL_SHA                     [RFC4785]
-         * 0x00,0x2F  TLS_RSA_WITH_AES_128_CBC_SHA                  [RFC5246]
-         * 0x00,0x30  TLS_DH_DSS_WITH_AES_128_CBC_SHA               [RFC5246]
-         * 0x00,0x31  TLS_DH_RSA_WITH_AES_128_CBC_SHA               [RFC5246]
-         * 0x00,0x32  TLS_DHE_DSS_WITH_AES_128_CBC_SHA              [RFC5246]
-         * 0x00,0x33  TLS_DHE_RSA_WITH_AES_128_CBC_SHA              [RFC5246]
-         * 0x00,0x34  TLS_DH_anon_WITH_AES_128_CBC_SHA              [RFC5246]
-         * 0x00,0x35  TLS_RSA_WITH_AES_256_CBC_SHA                  [RFC5246]
-         * 0x00,0x36  TLS_DH_DSS_WITH_AES_256_CBC_SHA               [RFC5246]
-         * 0x00,0x37  TLS_DH_RSA_WITH_AES_256_CBC_SHA               [RFC5246]
-         * 0x00,0x38  TLS_DHE_DSS_WITH_AES_256_CBC_SHA              [RFC5246]
-         * 0x00,0x39  TLS_DHE_RSA_WITH_AES_256_CBC_SHA              [RFC5246]
-         * 0x00,0x3A  TLS_DH_anon_WITH_AES_256_CBC_SHA              [RFC5246]
-         * 0x00,0x3B  TLS_RSA_WITH_NULL_SHA256                      [RFC5246]
-         * 0x00,0x3C  TLS_RSA_WITH_AES_128_CBC_SHA256               [RFC5246]
-         * 0x00,0x3D  TLS_RSA_WITH_AES_256_CBC_SHA256               [RFC5246]
-         * 0x00,0x3E  TLS_DH_DSS_WITH_AES_128_CBC_SHA256            [RFC5246]
-         * 0x00,0x3F  TLS_DH_RSA_WITH_AES_128_CBC_SHA256            [RFC5246]
-         * 0x00,0x40  TLS_DHE_DSS_WITH_AES_128_CBC_SHA256           [RFC5246]
-         * 0x00,0x41  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA             [RFC5932]
-         * 0x00,0x42  TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA          [RFC5932]
-         * 0x00,0x43  TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA          [RFC5932]
-         * 0x00,0x44  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA         [RFC5932]
-         * 0x00,0x45  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA         [RFC5932]
-         * 0x00,0x46  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA         [RFC5932]
-         * 0x00,0x47-4F Reserved to avoid conflicts with
-         *            deployed implementations                  [Pasi_Eronen]
-         * 0x00,0x50-58 Reserved to avoid conflicts             [Pasi Eronen]
-         * 0x00,0x59-5C Reserved to avoid conflicts with
-         *            deployed implementations                  [Pasi_Eronen]
-         * 0x00,0x5D-5F Unassigned
-         * 0x00,0x60-66 Reserved to avoid conflicts with widely
-         *            deployed implementations                  [Pasi_Eronen]
-         * 0x00,0x67  TLS_DHE_RSA_WITH_AES_128_CBC_SHA256           [RFC5246]
-         * 0x00,0x68  TLS_DH_DSS_WITH_AES_256_CBC_SHA256            [RFC5246]
-         * 0x00,0x69  TLS_DH_RSA_WITH_AES_256_CBC_SHA256            [RFC5246]
-         * 0x00,0x6A  TLS_DHE_DSS_WITH_AES_256_CBC_SHA256           [RFC5246]
-         * 0x00,0x6B  TLS_DHE_RSA_WITH_AES_256_CBC_SHA256           [RFC5246]
-         * 0x00,0x6C  TLS_DH_anon_WITH_AES_128_CBC_SHA256           [RFC5246]
-         * 0x00,0x6D  TLS_DH_anon_WITH_AES_256_CBC_SHA256           [RFC5246]
-         * 0x00,0x6E-83 Unassigned
-         * 0x00,0x84  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA             [RFC5932]
-         * 0x00,0x85  TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA          [RFC5932]
-         * 0x00,0x86  TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA          [RFC5932]
-         * 0x00,0x87  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA         [RFC5932]
-         * 0x00,0x88  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA         [RFC5932]
-         * 0x00,0x89  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA         [RFC5932]
-         * 0x00,0x8A  TLS_PSK_WITH_RC4_128_SHA                      [RFC4279]
-         * 0x00,0x8B  TLS_PSK_WITH_3DES_EDE_CBC_SHA                 [RFC4279]
-         * 0x00,0x8C  TLS_PSK_WITH_AES_128_CBC_SHA                  [RFC4279]
-         * 0x00,0x8D  TLS_PSK_WITH_AES_256_CBC_SHA                  [RFC4279]
-         * 0x00,0x8E  TLS_DHE_PSK_WITH_RC4_128_SHA                  [RFC4279]
-         * 0x00,0x8F  TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA             [RFC4279]
-         * 0x00,0x90  TLS_DHE_PSK_WITH_AES_128_CBC_SHA              [RFC4279]
-         * 0x00,0x91  TLS_DHE_PSK_WITH_AES_256_CBC_SHA              [RFC4279]
-         * 0x00,0x92  TLS_RSA_PSK_WITH_RC4_128_SHA                  [RFC4279]
-         * 0x00,0x93  TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA             [RFC4279]
-         * 0x00,0x94  TLS_RSA_PSK_WITH_AES_128_CBC_SHA              [RFC4279]
-         * 0x00,0x95  TLS_RSA_PSK_WITH_AES_256_CBC_SHA              [RFC4279]
-         * 0x00,0x96  TLS_RSA_WITH_SEED_CBC_SHA                     [RFC4162]
-         * 0x00,0x97  TLS_DH_DSS_WITH_SEED_CBC_SHA                  [RFC4162]
-         * 0x00,0x98  TLS_DH_RSA_WITH_SEED_CBC_SHA                  [RFC4162]
-         * 0x00,0x99  TLS_DHE_DSS_WITH_SEED_CBC_SHA                 [RFC4162]
-         * 0x00,0x9A  TLS_DHE_RSA_WITH_SEED_CBC_SHA                 [RFC4162]
-         * 0x00,0x9B  TLS_DH_anon_WITH_SEED_CBC_SHA                 [RFC4162]
-         * 0x00,0x9C  TLS_RSA_WITH_AES_128_GCM_SHA256               [RFC5288]
-         * 0x00,0x9D  TLS_RSA_WITH_AES_256_GCM_SHA384               [RFC5288]
-         * 0x00,0x9E  TLS_DHE_RSA_WITH_AES_128_GCM_SHA256           [RFC5288]
-         * 0x00,0x9F  TLS_DHE_RSA_WITH_AES_256_GCM_SHA384           [RFC5288]
-         * 0x00,0xA0  TLS_DH_RSA_WITH_AES_128_GCM_SHA256            [RFC5288]
-         * 0x00,0xA1  TLS_DH_RSA_WITH_AES_256_GCM_SHA384            [RFC5288]
-         * 0x00,0xA2  TLS_DHE_DSS_WITH_AES_128_GCM_SHA256           [RFC5288]
-         * 0x00,0xA3  TLS_DHE_DSS_WITH_AES_256_GCM_SHA384           [RFC5288]
-         * 0x00,0xA4  TLS_DH_DSS_WITH_AES_128_GCM_SHA256            [RFC5288]
-         * 0x00,0xA5  TLS_DH_DSS_WITH_AES_256_GCM_SHA384            [RFC5288]
-         * 0x00,0xA6  TLS_DH_anon_WITH_AES_128_GCM_SHA256           [RFC5288]
-         * 0x00,0xA7  TLS_DH_anon_WITH_AES_256_GCM_SHA384           [RFC5288]
-         * 0x00,0xA8  TLS_PSK_WITH_AES_128_GCM_SHA256               [RFC5487]
-         * 0x00,0xA9  TLS_PSK_WITH_AES_256_GCM_SHA384               [RFC5487]
-         * 0x00,0xAA  TLS_DHE_PSK_WITH_AES_128_GCM_SHA256           [RFC5487]
-         * 0x00,0xAB  TLS_DHE_PSK_WITH_AES_256_GCM_SHA384           [RFC5487]
-         * 0x00,0xAC  TLS_RSA_PSK_WITH_AES_128_GCM_SHA256           [RFC5487]
-         * 0x00,0xAD  TLS_RSA_PSK_WITH_AES_256_GCM_SHA384           [RFC5487]
-         * 0x00,0xAE  TLS_PSK_WITH_AES_128_CBC_SHA256               [RFC5487]
-         * 0x00,0xAF  TLS_PSK_WITH_AES_256_CBC_SHA384               [RFC5487]
-         * 0x00,0xB0  TLS_PSK_WITH_NULL_SHA256                      [RFC5487]
-         * 0x00,0xB1  TLS_PSK_WITH_NULL_SHA384                      [RFC5487]
-         * 0x00,0xB2  TLS_DHE_PSK_WITH_AES_128_CBC_SHA256           [RFC5487]
-         * 0x00,0xB3  TLS_DHE_PSK_WITH_AES_256_CBC_SHA384           [RFC5487]
-         * 0x00,0xB4  TLS_DHE_PSK_WITH_NULL_SHA256                  [RFC5487]
-         * 0x00,0xB5  TLS_DHE_PSK_WITH_NULL_SHA384                  [RFC5487]
-         * 0x00,0xB6  TLS_RSA_PSK_WITH_AES_128_CBC_SHA256           [RFC5487]
-         * 0x00,0xB7  TLS_RSA_PSK_WITH_AES_256_CBC_SHA384           [RFC5487]
-         * 0x00,0xB8  TLS_RSA_PSK_WITH_NULL_SHA256                  [RFC5487]
-         * 0x00,0xB9  TLS_RSA_PSK_WITH_NULL_SHA384                  [RFC5487]
-         * 0x00,0xBA  TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256          [RFC5932]
-         * 0x00,0xBB  TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256       [RFC5932]
-         * 0x00,0xBC  TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256       [RFC5932]
-         * 0x00,0xBD  TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256      [RFC5932]
-         * 0x00,0xBE  TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256      [RFC5932]
-         * 0x00,0xBF  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256      [RFC5932]
-         * 0x00,0xC0  TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256          [RFC5932]
-         * 0x00,0xC1  TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256       [RFC5932]
-         * 0x00,0xC2  TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256       [RFC5932]
-         * 0x00,0xC3  TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256      [RFC5932]
-         * 0x00,0xC4  TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256      [RFC5932]
-         * 0x00,0xC5  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256      [RFC5932]
-         * 0x00,0xC6-FE         Unassigned
-         * 0x00,0xFF  TLS_EMPTY_RENEGOTIATION_INFO_SCSV             [RFC5746]
-         * 0x01-55,*  Unassigned
-         * 0x56,0x00  TLS_FALLBACK_SCSV                             [RFC7507]
-         * 0x56,0x01-0xC0,0x00  Unassigned
-         * 0xC0,0x01  TLS_ECDH_ECDSA_WITH_NULL_SHA                  [RFC4492]
-         * 0xC0,0x02  TLS_ECDH_ECDSA_WITH_RC4_128_SHA               [RFC4492]
-         * 0xC0,0x03  TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA          [RFC4492]
-         * 0xC0,0x04  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA           [RFC4492]
-         * 0xC0,0x05  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA           [RFC4492]
-         * 0xC0,0x06  TLS_ECDHE_ECDSA_WITH_NULL_SHA                 [RFC4492]
-         * 0xC0,0x07  TLS_ECDHE_ECDSA_WITH_RC4_128_SHA              [RFC4492]
-         * 0xC0,0x08  TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA         [RFC4492]
-         * 0xC0,0x09  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA          [RFC4492]
-         * 0xC0,0x0A  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA          [RFC4492]
-         * 0xC0,0x0B  TLS_ECDH_RSA_WITH_NULL_SHA                    [RFC4492]
-         * 0xC0,0x0C  TLS_ECDH_RSA_WITH_RC4_128_SHA                 [RFC4492]
-         * 0xC0,0x0D  TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA            [RFC4492]
-         * 0xC0,0x0E  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA             [RFC4492]
-         * 0xC0,0x0F  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA             [RFC4492]
-         * 0xC0,0x10  TLS_ECDHE_RSA_WITH_NULL_SHA                   [RFC4492]
-         * 0xC0,0x11  TLS_ECDHE_RSA_WITH_RC4_128_SHA                [RFC4492]
-         * 0xC0,0x12  TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA           [RFC4492]
-         * 0xC0,0x13  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA            [RFC4492]
-         * 0xC0,0x14  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA            [RFC4492]
-         * 0xC0,0x15  TLS_ECDH_anon_WITH_NULL_SHA                   [RFC4492]
-         * 0xC0,0x16  TLS_ECDH_anon_WITH_RC4_128_SHA                [RFC4492]
-         * 0xC0,0x17  TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA           [RFC4492]
-         * 0xC0,0x18  TLS_ECDH_anon_WITH_AES_128_CBC_SHA            [RFC4492]
-         * 0xC0,0x19  TLS_ECDH_anon_WITH_AES_256_CBC_SHA            [RFC4492]
-         * 0xC0,0x1A  TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA             [RFC5054]
-         * 0xC0,0x1B  TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA         [RFC5054]
-         * 0xC0,0x1C  TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA         [RFC5054]
-         * 0xC0,0x1D  TLS_SRP_SHA_WITH_AES_128_CBC_SHA              [RFC5054]
-         * 0xC0,0x1E  TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA          [RFC5054]
-         * 0xC0,0x1F  TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA          [RFC5054]
-         * 0xC0,0x20  TLS_SRP_SHA_WITH_AES_256_CBC_SHA              [RFC5054]
-         * 0xC0,0x21  TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA          [RFC5054]
-         * 0xC0,0x22  TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA          [RFC5054]
-         * 0xC0,0x23  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256       [RFC5289]
-         * 0xC0,0x24  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384       [RFC5289]
-         * 0xC0,0x25  TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256        [RFC5289]
-         * 0xC0,0x26  TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384        [RFC5289]
-         * 0xC0,0x27  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256         [RFC5289]
-         * 0xC0,0x28  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384         [RFC5289]
-         * 0xC0,0x29  TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256          [RFC5289]
-         * 0xC0,0x2A  TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384          [RFC5289]
-         * 0xC0,0x2B  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256       [RFC5289]
-         * 0xC0,0x2C  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384       [RFC5289]
-         * 0xC0,0x2D  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256        [RFC5289]
-         * 0xC0,0x2E  TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384        [RFC5289]
-         * 0xC0,0x2F  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256         [RFC5289]
-         * 0xC0,0x30  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384         [RFC5289]
-         * 0xC0,0x31  TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256          [RFC5289]
-         * 0xC0,0x32  TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384          [RFC5289]
-         * 0xC0,0x33  TLS_ECDHE_PSK_WITH_RC4_128_SHA                [RFC5489]
-         * 0xC0,0x34  TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA           [RFC5489]
-         * 0xC0,0x35  TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA            [RFC5489]
-         * 0xC0,0x36  TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA            [RFC5489]
-         * 0xC0,0x37  TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256         [RFC5489]
-         * 0xC0,0x38  TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384         [RFC5489]
-         * 0xC0,0x39  TLS_ECDHE_PSK_WITH_NULL_SHA                   [RFC5489]
-         * 0xC0,0x3A  TLS_ECDHE_PSK_WITH_NULL_SHA256                [RFC5489]
-         * 0xC0,0x3B  TLS_ECDHE_PSK_WITH_NULL_SHA384                [RFC5489]
-         * 0xC0,0x3C  TLS_RSA_WITH_ARIA_128_CBC_SHA256              [RFC6209]
-         * 0xC0,0x3D  TLS_RSA_WITH_ARIA_256_CBC_SHA384              [RFC6209]
-         * 0xC0,0x3E  TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256           [RFC6209]
-         * 0xC0,0x3F  TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384           [RFC6209]
-         * 0xC0,0x40  TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256           [RFC6209]
-         * 0xC0,0x41  TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384           [RFC6209]
-         * 0xC0,0x42  TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256          [RFC6209]
-         * 0xC0,0x43  TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384          [RFC6209]
-         * 0xC0,0x44  TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256          [RFC6209]
-         * 0xC0,0x45  TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384          [RFC6209]
-         * 0xC0,0x46  TLS_DH_anon_WITH_ARIA_128_CBC_SHA256          [RFC6209]
-         * 0xC0,0x47  TLS_DH_anon_WITH_ARIA_256_CBC_SHA384          [RFC6209]
-         * 0xC0,0x48  TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256      [RFC6209]
-         * 0xC0,0x49  TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384      [RFC6209]
-         * 0xC0,0x4A  TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256       [RFC6209]
-         * 0xC0,0x4B  TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384       [RFC6209]
-         * 0xC0,0x4C  TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256        [RFC6209]
-         * 0xC0,0x4D  TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384        [RFC6209]
-         * 0xC0,0x4E  TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256         [RFC6209]
-         * 0xC0,0x4F  TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384         [RFC6209]
-         * 0xC0,0x50  TLS_RSA_WITH_ARIA_128_GCM_SHA256              [RFC6209]
-         * 0xC0,0x51  TLS_RSA_WITH_ARIA_256_GCM_SHA384              [RFC6209]
-         * 0xC0,0x52  TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256          [RFC6209]
-         * 0xC0,0x53  TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384          [RFC6209]
-         * 0xC0,0x54  TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256           [RFC6209]
-         * 0xC0,0x55  TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384           [RFC6209]
-         * 0xC0,0x56  TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256          [RFC6209]
-         * 0xC0,0x57  TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384          [RFC6209]
-         * 0xC0,0x58  TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256           [RFC6209]
-         * 0xC0,0x59  TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384           [RFC6209]
-         * 0xC0,0x5A  TLS_DH_anon_WITH_ARIA_128_GCM_SHA256          [RFC6209]
-         * 0xC0,0x5B  TLS_DH_anon_WITH_ARIA_256_GCM_SHA384          [RFC6209]
-         * 0xC0,0x5C  TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256      [RFC6209]
-         * 0xC0,0x5D  TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384      [RFC6209]
-         * 0xC0,0x5E  TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256       [RFC6209]
-         * 0xC0,0x5F  TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384       [RFC6209]
-         * 0xC0,0x60  TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256        [RFC6209]
-         * 0xC0,0x61  TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384        [RFC6209]
-         * 0xC0,0x62  TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256         [RFC6209]
-         * 0xC0,0x63  TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384         [RFC6209]
-         * 0xC0,0x64  TLS_PSK_WITH_ARIA_128_CBC_SHA256              [RFC6209]
-         * 0xC0,0x65  TLS_PSK_WITH_ARIA_256_CBC_SHA384              [RFC6209]
-         * 0xC0,0x66  TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256          [RFC6209]
-         * 0xC0,0x67  TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384          [RFC6209]
-         * 0xC0,0x68  TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256          [RFC6209]
-         * 0xC0,0x69  TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384          [RFC6209]
-         * 0xC0,0x6A  TLS_PSK_WITH_ARIA_128_GCM_SHA256              [RFC6209]
-         * 0xC0,0x6B  TLS_PSK_WITH_ARIA_256_GCM_SHA384              [RFC6209]
-         * 0xC0,0x6C  TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256          [RFC6209]
-         * 0xC0,0x6D  TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384          [RFC6209]
-         * 0xC0,0x6E  TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256          [RFC6209]
-         * 0xC0,0x6F  TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384          [RFC6209]
-         * 0xC0,0x70  TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256        [RFC6209]
-         * 0xC0,0x71  TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384        [RFC6209]
-         * 0xC0,0x72  TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256  [RFC6367]
-         * 0xC0,0x73  TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384  [RFC6367]
-         * 0xC0,0x74  TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256   [RFC6367]
-         * 0xC0,0x75  TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384   [RFC6367]
-         * 0xC0,0x76  TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256    [RFC6367]
-         * 0xC0,0x77  TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384    [RFC6367]
-         * 0xC0,0x78  TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256     [RFC6367]
-         * 0xC0,0x79  TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384     [RFC6367]
-         * 0xC0,0x7A  TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256          [RFC6367]
-         * 0xC0,0x7B  TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384          [RFC6367]
-         * 0xC0,0x7C  TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256      [RFC6367]
-         * 0xC0,0x7D  TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384      [RFC6367]
-         * 0xC0,0x7E  TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256       [RFC6367]
-         * 0xC0,0x7F  TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384       [RFC6367]
-         * 0xC0,0x80  TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256      [RFC6367]
-         * 0xC0,0x81  TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384      [RFC6367]
-         * 0xC0,0x82  TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256       [RFC6367]
-         * 0xC0,0x83  TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384       [RFC6367]
-         * 0xC0,0x84  TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256      [RFC6367]
-         * 0xC0,0x85  TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384      [RFC6367]
-         * 0xC0,0x86  TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256  [RFC6367]
-         * 0xC0,0x87  TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384  [RFC6367]
-         * 0xC0,0x88  TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256   [RFC6367]
-         * 0xC0,0x89  TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384   [RFC6367]
-         * 0xC0,0x8A  TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256    [RFC6367]
-         * 0xC0,0x8B  TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384    [RFC6367]
-         * 0xC0,0x8C  TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256     [RFC6367]
-         * 0xC0,0x8D  TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384     [RFC6367]
-         * 0xC0,0x8E  TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256          [RFC6367]
-         * 0xC0,0x8F  TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384          [RFC6367]
-         * 0xC0,0x90  TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256      [RFC6367]
-         * 0xC0,0x91  TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384      [RFC6367]
-         * 0xC0,0x92  TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256      [RFC6367]
-         * 0xC0,0x93  TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384      [RFC6367]
-         * 0xC0,0x94  TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256          [RFC6367]
-         * 0xC0,0x95  TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384          [RFC6367]
-         * 0xC0,0x96  TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256      [RFC6367]
-         * 0xC0,0x97  TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384      [RFC6367]
-         * 0xC0,0x98  TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256      [RFC6367]
-         * 0xC0,0x99  TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384      [RFC6367]
-         * 0xC0,0x9A  TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256    [RFC6367]
-         * 0xC0,0x9B  TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384    [RFC6367]
-         * 0xC0,0x9C  TLS_RSA_WITH_AES_128_CCM                      [RFC6655]
-         * 0xC0,0x9D  TLS_RSA_WITH_AES_256_CCM                      [RFC6655]
-         * 0xC0,0x9E  TLS_DHE_RSA_WITH_AES_128_CCM                  [RFC6655]
-         * 0xC0,0x9F  TLS_DHE_RSA_WITH_AES_256_CCM                  [RFC6655]
-         * 0xC0,0xA0  TLS_RSA_WITH_AES_128_CCM_8                    [RFC6655]
-         * 0xC0,0xA1  TLS_RSA_WITH_AES_256_CCM_8                    [RFC6655]
-         * 0xC0,0xA2  TLS_DHE_RSA_WITH_AES_128_CCM_8                [RFC6655]
-         * 0xC0,0xA3  TLS_DHE_RSA_WITH_AES_256_CCM_8                [RFC6655]
-         * 0xC0,0xA4  TLS_PSK_WITH_AES_128_CCM                      [RFC6655]
-         * 0xC0,0xA5  TLS_PSK_WITH_AES_256_CCM                      [RFC6655]
-         * 0xC0,0xA6  TLS_DHE_PSK_WITH_AES_128_CCM                  [RFC6655]
-         * 0xC0,0xA7  TLS_DHE_PSK_WITH_AES_256_CCM                  [RFC6655]
-         * 0xC0,0xA8  TLS_PSK_WITH_AES_128_CCM_8                    [RFC6655]
-         * 0xC0,0xA9  TLS_PSK_WITH_AES_256_CCM_8                    [RFC6655]
-         * 0xC0,0xAA  TLS_PSK_DHE_WITH_AES_128_CCM_8                [RFC6655]
-         * 0xC0,0xAB  TLS_PSK_DHE_WITH_AES_256_CCM_8                [RFC6655]
-         * 0xC0,0xAC  TLS_ECDHE_ECDSA_WITH_AES_128_CCM              [RFC7251]
-         * 0xC0,0xAD  TLS_ECDHE_ECDSA_WITH_AES_256_CCM              [RFC7251]
-         * 0xC0,0xAE  TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8            [RFC7251]
-         * 0xC0,0xAF  TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8            [RFC7251]
-         * 0xC0,0xB0-FF  Unassigned
-         * 0xC1-FD,*  Unassigned
-         * 0xFE,0x00-FD Unassigned
-         * 0xFE,0xFE-FF Reserved to avoid conflicts with widely
-         *            deployed implementations                  [Pasi_Eronen]
-         * 0xFF,0x00-FF Reserved for Private Use                [RFC5246]
-         */
-
-        add("SSL_NULL_WITH_NULL_NULL", 0x0000,
-                1,      K_NULL,     B_NULL,     M_NULL,     F);
-
-        /*
-         * Definition of the CipherSuites that are enabled by default.
-         * They are listed in preference order, most preferred first, using
-         * the following criteria:
-         * 1. Prefer Suite B compliant cipher suites, see RFC6460 (To be
-         *    changed later, see below).
-         * 2. Prefer the stronger bulk cipher, in the order of AES_256(GCM),
-         *    AES_128(GCM), AES_256, AES_128, 3DES-EDE.
-         * 3. Prefer the stronger MAC algorithm, in the order of SHA384,
-         *    SHA256, SHA, MD5.
-         * 4. Prefer the better performance of key exchange and digital
-         *    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
-         *    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS.
-         */
-        int p = DEFAULT_SUITES_PRIORITY * 2;
-
-        // shorten names to fit the following table cleanly.
-        int max = ProtocolVersion.LIMIT_MAX_VALUE;
-        int tls11 = ProtocolVersion.TLS11.v;
-        int tls12 = ProtocolVersion.TLS12.v;
-
-        //  ID           Key Exchange   Cipher     A  obs  suprt  PRF
-        //  ======       ============   =========  =  ===  =====  ========
-
-        // Suite B compliant cipher suites, see RFC 6460.
-        //
-        // Note that, at present this provider is not Suite B compliant. The
-        // preference order of the GCM cipher suites does not follow the spec
-        // of RFC 6460.  In this section, only two cipher suites are listed
-        // so that applications can make use of Suite-B compliant cipher
-        // suite firstly.
-        add("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",  0xc02c, --p,
-            K_ECDHE_ECDSA, B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-        add("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",  0xc02b, --p,
-            K_ECDHE_ECDSA, B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-
-        // AES_256(GCM)
-        add("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",    0xc030, --p,
-            K_ECDHE_RSA,   B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-        add("TLS_RSA_WITH_AES_256_GCM_SHA384",          0x009d, --p,
-            K_RSA,         B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-        add("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",   0xc02e, --p,
-            K_ECDH_ECDSA,  B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-        add("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",     0xc032, --p,
-            K_ECDH_RSA,    B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-        add("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",      0x009f, --p,
-            K_DHE_RSA,     B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-        add("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",      0x00a3, --p,
-            K_DHE_DSS,     B_AES_256_GCM, M_NULL,   T, max, tls12, P_SHA384);
-
-        // AES_128(GCM)
-        add("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",    0xc02f, --p,
-            K_ECDHE_RSA,   B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-        add("TLS_RSA_WITH_AES_128_GCM_SHA256",          0x009c, --p,
-            K_RSA,         B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-        add("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",   0xc02d, --p,
-            K_ECDH_ECDSA,  B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-        add("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",     0xc031, --p,
-            K_ECDH_RSA,    B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-        add("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",      0x009e, --p,
-            K_DHE_RSA,     B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-        add("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",      0x00a2, --p,
-            K_DHE_DSS,     B_AES_128_GCM, M_NULL,   T, max, tls12, P_SHA256);
-
-        // AES_256(CBC)
-        add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",  0xc024, --p,
-            K_ECDHE_ECDSA, B_AES_256,     M_SHA384, T, max, tls12, P_SHA384);
-        add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",    0xc028, --p,
-            K_ECDHE_RSA,   B_AES_256,     M_SHA384, T, max, tls12, P_SHA384);
-        add("TLS_RSA_WITH_AES_256_CBC_SHA256",          0x003d, --p,
-            K_RSA,         B_AES_256,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",   0xc026, --p,
-            K_ECDH_ECDSA,  B_AES_256,     M_SHA384, T, max, tls12, P_SHA384);
-        add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",     0xc02a, --p,
-            K_ECDH_RSA,    B_AES_256,     M_SHA384, T, max, tls12, P_SHA384);
-        add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",      0x006b, --p,
-            K_DHE_RSA,     B_AES_256,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",      0x006a, --p,
-            K_DHE_DSS,     B_AES_256,     M_SHA256, T, max, tls12, P_SHA256);
-
-        add("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",     0xC00A, --p,
-            K_ECDHE_ECDSA, B_AES_256,     M_SHA,    T);
-        add("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",       0xC014, --p,
-            K_ECDHE_RSA,   B_AES_256,     M_SHA,    T);
-        add("TLS_RSA_WITH_AES_256_CBC_SHA",             0x0035, --p,
-            K_RSA,         B_AES_256,     M_SHA,    T);
-        add("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",      0xC005, --p,
-            K_ECDH_ECDSA,  B_AES_256,     M_SHA,    T);
-        add("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",        0xC00F, --p,
-            K_ECDH_RSA,    B_AES_256,     M_SHA,    T);
-        add("TLS_DHE_RSA_WITH_AES_256_CBC_SHA",         0x0039, --p,
-            K_DHE_RSA,     B_AES_256,     M_SHA,    T);
-        add("TLS_DHE_DSS_WITH_AES_256_CBC_SHA",         0x0038, --p,
-            K_DHE_DSS,     B_AES_256,     M_SHA,    T);
-
-        // AES_128(CBC)
-        add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",  0xc023, --p,
-            K_ECDHE_ECDSA, B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",    0xc027, --p,
-            K_ECDHE_RSA,   B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_RSA_WITH_AES_128_CBC_SHA256",          0x003c, --p,
-            K_RSA,         B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",   0xc025, --p,
-            K_ECDH_ECDSA,  B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",     0xc029, --p,
-            K_ECDH_RSA,    B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",      0x0067, --p,
-            K_DHE_RSA,     B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-        add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",      0x0040, --p,
-            K_DHE_DSS,     B_AES_128,     M_SHA256, T, max, tls12, P_SHA256);
-
-        add("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",     0xC009, --p,
-            K_ECDHE_ECDSA, B_AES_128,     M_SHA,    T);
-        add("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",       0xC013, --p,
-            K_ECDHE_RSA,   B_AES_128,     M_SHA,    T);
-        add("TLS_RSA_WITH_AES_128_CBC_SHA",             0x002f, --p,
-            K_RSA,         B_AES_128,     M_SHA,    T);
-        add("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",      0xC004, --p,
-            K_ECDH_ECDSA,  B_AES_128,     M_SHA,    T);
-        add("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",        0xC00E, --p,
-            K_ECDH_RSA,    B_AES_128,     M_SHA,    T);
-        add("TLS_DHE_RSA_WITH_AES_128_CBC_SHA",         0x0033, --p,
-            K_DHE_RSA,     B_AES_128,     M_SHA,    T);
-        add("TLS_DHE_DSS_WITH_AES_128_CBC_SHA",         0x0032, --p,
-            K_DHE_DSS,     B_AES_128,     M_SHA,    T);
-
-        // 3DES_EDE
-        add("TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",    0xC008, --p,
-            K_ECDHE_ECDSA, B_3DES,        M_SHA,    T);
-        add("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",      0xC012, --p,
-            K_ECDHE_RSA,   B_3DES,        M_SHA,    T);
-        add("SSL_RSA_WITH_3DES_EDE_CBC_SHA",            0x000a, --p,
-            K_RSA,         B_3DES,        M_SHA,    T);
-        add("TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",     0xC003, --p,
-            K_ECDH_ECDSA,  B_3DES,        M_SHA,    T);
-        add("TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",       0xC00D, --p,
-            K_ECDH_RSA,    B_3DES,        M_SHA,    T);
-        add("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",        0x0016, --p,
-            K_DHE_RSA,     B_3DES,        M_SHA,    T);
-        add("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",        0x0013, --p,
-            K_DHE_DSS,     B_3DES,        M_SHA,    N);
-
-        // Renegotiation protection request Signalling Cipher Suite Value (SCSV)
-        add("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",        0x00ff, --p,
-            K_SCSV,        B_NULL,        M_NULL,   T);
-
-        /*
-         * Definition of the CipherSuites that are supported but not enabled
-         * by default.
-         * They are listed in preference order, preferred first, using the
-         * following criteria:
-         * 1. CipherSuites for KRB5 need additional KRB5 service
-         *    configuration, and these suites are not common in practice,
-         *    so we put KRB5 based cipher suites at the end of the supported
-         *    list.
-         * 2. If a cipher suite has been obsoleted, we put it at the end of
-         *    the list.
-         * 3. Prefer the stronger bulk cipher, in the order of AES_256,
-         *    AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL.
-         * 4. Prefer the stronger MAC algorithm, in the order of SHA384,
-         *    SHA256, SHA, MD5.
-         * 5. Prefer the better performance of key exchange and digital
-         *    signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA,
-         *    RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous.
-         */
-        p = DEFAULT_SUITES_PRIORITY;
-
-        add("TLS_DH_anon_WITH_AES_256_GCM_SHA384",      0x00a7, --p,
-            K_DH_ANON,     B_AES_256_GCM, M_NULL,   N, max, tls12, P_SHA384);
-        add("TLS_DH_anon_WITH_AES_128_GCM_SHA256",      0x00a6, --p,
-            K_DH_ANON,     B_AES_128_GCM, M_NULL,   N, max, tls12, P_SHA256);
-
-        add("TLS_DH_anon_WITH_AES_256_CBC_SHA256",      0x006d, --p,
-            K_DH_ANON,     B_AES_256,     M_SHA256, N, max, tls12, P_SHA256);
-        add("TLS_ECDH_anon_WITH_AES_256_CBC_SHA",       0xC019, --p,
-            K_ECDH_ANON,   B_AES_256,     M_SHA,    N);
-        add("TLS_DH_anon_WITH_AES_256_CBC_SHA",         0x003a, --p,
-            K_DH_ANON,     B_AES_256,     M_SHA,    N);
-
-        add("TLS_DH_anon_WITH_AES_128_CBC_SHA256",      0x006c, --p,
-            K_DH_ANON,     B_AES_128,     M_SHA256, N, max, tls12, P_SHA256);
-        add("TLS_ECDH_anon_WITH_AES_128_CBC_SHA",       0xC018, --p,
-            K_ECDH_ANON,   B_AES_128,     M_SHA,    N);
-        add("TLS_DH_anon_WITH_AES_128_CBC_SHA",         0x0034, --p,
-            K_DH_ANON,     B_AES_128,     M_SHA,    N);
-
-        add("TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",      0xC017, --p,
-            K_ECDH_ANON,   B_3DES,        M_SHA,    N);
-        add("SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",        0x001b, --p,
-            K_DH_ANON,     B_3DES,        M_SHA,    N);
-
-        // RC-4
-        add("TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",         0xC007, --p,
-            K_ECDHE_ECDSA, B_RC4_128,     M_SHA,    N);
-        add("TLS_ECDHE_RSA_WITH_RC4_128_SHA",           0xC011, --p,
-            K_ECDHE_RSA,   B_RC4_128,     M_SHA,    N);
-        add("SSL_RSA_WITH_RC4_128_SHA",                 0x0005, --p,
-            K_RSA,         B_RC4_128,     M_SHA,    N);
-        add("TLS_ECDH_ECDSA_WITH_RC4_128_SHA",          0xC002, --p,
-            K_ECDH_ECDSA,  B_RC4_128,     M_SHA,    N);
-        add("TLS_ECDH_RSA_WITH_RC4_128_SHA",            0xC00C, --p,
-            K_ECDH_RSA,    B_RC4_128,     M_SHA,    N);
-        add("SSL_RSA_WITH_RC4_128_MD5",                 0x0004, --p,
-            K_RSA,         B_RC4_128,     M_MD5,    N);
-
-        add("TLS_ECDH_anon_WITH_RC4_128_SHA",           0xC016, --p,
-            K_ECDH_ANON,   B_RC4_128,     M_SHA,    N);
-        add("SSL_DH_anon_WITH_RC4_128_MD5",             0x0018, --p,
-            K_DH_ANON,     B_RC4_128,     M_MD5,    N);
-
-        // weak cipher suites obsoleted in TLS 1.2
-        add("SSL_RSA_WITH_DES_CBC_SHA",                 0x0009, --p,
-            K_RSA,         B_DES,         M_SHA,    N, tls12);
-        add("SSL_DHE_RSA_WITH_DES_CBC_SHA",             0x0015, --p,
-            K_DHE_RSA,     B_DES,         M_SHA,    N, tls12);
-        add("SSL_DHE_DSS_WITH_DES_CBC_SHA",             0x0012, --p,
-            K_DHE_DSS,     B_DES,         M_SHA,    N, tls12);
-        add("SSL_DH_anon_WITH_DES_CBC_SHA",             0x001a, --p,
-            K_DH_ANON,     B_DES,         M_SHA,    N, tls12);
-
-        // weak cipher suites obsoleted in TLS 1.1
-        add("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",        0x0008, --p,
-            K_RSA_EXPORT,  B_DES_40,      M_SHA,    N, tls11);
-        add("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",    0x0014, --p,
-            K_DHE_RSA,     B_DES_40,      M_SHA,    N, tls11);
-        add("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",    0x0011, --p,
-            K_DHE_DSS,     B_DES_40,      M_SHA,    N, tls11);
-        add("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",    0x0019, --p,
-            K_DH_ANON,     B_DES_40,      M_SHA,    N, tls11);
-
-        add("SSL_RSA_EXPORT_WITH_RC4_40_MD5",           0x0003, --p,
-            K_RSA_EXPORT,  B_RC4_40,      M_MD5,    N, tls11);
-        add("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",       0x0017, --p,
-            K_DH_ANON,     B_RC4_40,      M_MD5,    N, tls11);
-
-        add("TLS_RSA_WITH_NULL_SHA256",                 0x003b, --p,
-            K_RSA,         B_NULL,        M_SHA256, N, max, tls12, P_SHA256);
-        add("TLS_ECDHE_ECDSA_WITH_NULL_SHA",            0xC006, --p,
-            K_ECDHE_ECDSA, B_NULL,        M_SHA,    N);
-        add("TLS_ECDHE_RSA_WITH_NULL_SHA",              0xC010, --p,
-            K_ECDHE_RSA,   B_NULL,        M_SHA,    N);
-        add("SSL_RSA_WITH_NULL_SHA",                    0x0002, --p,
-            K_RSA,         B_NULL,        M_SHA,    N);
-        add("TLS_ECDH_ECDSA_WITH_NULL_SHA",             0xC001, --p,
-            K_ECDH_ECDSA,  B_NULL,        M_SHA,    N);
-        add("TLS_ECDH_RSA_WITH_NULL_SHA",               0xC00B, --p,
-            K_ECDH_RSA,    B_NULL,        M_SHA,    N);
-        add("TLS_ECDH_anon_WITH_NULL_SHA",              0xC015, --p,
-            K_ECDH_ANON,   B_NULL,        M_SHA,    N);
-        add("SSL_RSA_WITH_NULL_MD5",                    0x0001, --p,
-            K_RSA,         B_NULL,        M_MD5,    N);
-
-        // Supported Kerberos ciphersuites from RFC2712
-        add("TLS_KRB5_WITH_3DES_EDE_CBC_SHA",           0x001f, --p,
-            K_KRB5,        B_3DES,        M_SHA,    N);
-        add("TLS_KRB5_WITH_3DES_EDE_CBC_MD5",           0x0023, --p,
-            K_KRB5,        B_3DES,        M_MD5,    N);
-        add("TLS_KRB5_WITH_RC4_128_SHA",                0x0020, --p,
-            K_KRB5,        B_RC4_128,     M_SHA,    N);
-        add("TLS_KRB5_WITH_RC4_128_MD5",                0x0024, --p,
-            K_KRB5,        B_RC4_128,     M_MD5,    N);
-        add("TLS_KRB5_WITH_DES_CBC_SHA",                0x001e, --p,
-            K_KRB5,        B_DES,         M_SHA,    N, tls12);
-        add("TLS_KRB5_WITH_DES_CBC_MD5",                0x0022, --p,
-            K_KRB5,        B_DES,         M_MD5,    N, tls12);
-        add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",      0x0026, --p,
-            K_KRB5_EXPORT, B_DES_40,      M_SHA,    N, tls11);
-        add("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",      0x0029, --p,
-            K_KRB5_EXPORT, B_DES_40,      M_MD5,    N, tls11);
-        add("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",          0x0028, --p,
-            K_KRB5_EXPORT, B_RC4_40,      M_SHA,    N, tls11);
-        add("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",          0x002b, --p,
-            K_KRB5_EXPORT, B_RC4_40,      M_MD5,    N, tls11);
-
-        /*
-         * Other values from the TLS Cipher Suite Registry, as of August 2010.
-         *
-         * http://www.iana.org/assignments/tls-parameters/tls-parameters.xml
-         *
-         * Range      Registration Procedures   Notes
-         * 000-191    Standards Action          Refers to value of first byte
-         * 192-254    Specification Required    Refers to value of first byte
-         * 255        Reserved for Private Use  Refers to value of first byte
-         */
-
-        // Register the names of a few additional CipherSuites.
-        // Makes them show up as names instead of numbers in
-        // the debug output.
-
-        // remaining unsupported ciphersuites defined in RFC2246.
-        add("SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5",           0x0006);
-        add("SSL_RSA_WITH_IDEA_CBC_SHA",                    0x0007);
-        add("SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",         0x000b);
-        add("SSL_DH_DSS_WITH_DES_CBC_SHA",                  0x000c);
-        add("SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",             0x000d);
-        add("SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",         0x000e);
-        add("SSL_DH_RSA_WITH_DES_CBC_SHA",                  0x000f);
-        add("SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",             0x0010);
-
-        // SSL 3.0 Fortezza ciphersuites
-        add("SSL_FORTEZZA_DMS_WITH_NULL_SHA",               0x001c);
-        add("SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",       0x001d);
-
-        // 1024/56 bit exportable ciphersuites from expired internet draft
-        add("SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA",          0x0062);
-        add("SSL_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA",      0x0063);
-        add("SSL_RSA_EXPORT1024_WITH_RC4_56_SHA",           0x0064);
-        add("SSL_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA",       0x0065);
-        add("SSL_DHE_DSS_WITH_RC4_128_SHA",                 0x0066);
-
-        // Netscape old and new SSL 3.0 FIPS ciphersuites
-        // see http://www.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
-        add("NETSCAPE_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",      0xffe0);
-        add("NETSCAPE_RSA_FIPS_WITH_DES_CBC_SHA",           0xffe1);
-        add("SSL_RSA_FIPS_WITH_DES_CBC_SHA",                0xfefe);
-        add("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",           0xfeff);
-
-        // Unsupported Kerberos cipher suites from RFC 2712
-        add("TLS_KRB5_WITH_IDEA_CBC_SHA",                   0x0021);
-        add("TLS_KRB5_WITH_IDEA_CBC_MD5",                   0x0025);
-        add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA",          0x0027);
-        add("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5",          0x002a);
-
-        // Unsupported cipher suites from RFC 4162
-        add("TLS_RSA_WITH_SEED_CBC_SHA",                    0x0096);
-        add("TLS_DH_DSS_WITH_SEED_CBC_SHA",                 0x0097);
-        add("TLS_DH_RSA_WITH_SEED_CBC_SHA",                 0x0098);
-        add("TLS_DHE_DSS_WITH_SEED_CBC_SHA",                0x0099);
-        add("TLS_DHE_RSA_WITH_SEED_CBC_SHA",                0x009a);
-        add("TLS_DH_anon_WITH_SEED_CBC_SHA",                0x009b);
-
-        // Unsupported cipher suites from RFC 4279
-        add("TLS_PSK_WITH_RC4_128_SHA",                     0x008a);
-        add("TLS_PSK_WITH_3DES_EDE_CBC_SHA",                0x008b);
-        add("TLS_PSK_WITH_AES_128_CBC_SHA",                 0x008c);
-        add("TLS_PSK_WITH_AES_256_CBC_SHA",                 0x008d);
-        add("TLS_DHE_PSK_WITH_RC4_128_SHA",                 0x008e);
-        add("TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA",            0x008f);
-        add("TLS_DHE_PSK_WITH_AES_128_CBC_SHA",             0x0090);
-        add("TLS_DHE_PSK_WITH_AES_256_CBC_SHA",             0x0091);
-        add("TLS_RSA_PSK_WITH_RC4_128_SHA",                 0x0092);
-        add("TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA",            0x0093);
-        add("TLS_RSA_PSK_WITH_AES_128_CBC_SHA",             0x0094);
-        add("TLS_RSA_PSK_WITH_AES_256_CBC_SHA",             0x0095);
-
-        // Unsupported cipher suites from RFC 4785
-        add("TLS_PSK_WITH_NULL_SHA",                        0x002c);
-        add("TLS_DHE_PSK_WITH_NULL_SHA",                    0x002d);
-        add("TLS_RSA_PSK_WITH_NULL_SHA",                    0x002e);
-
-        // Unsupported cipher suites from RFC 5246
-        add("TLS_DH_DSS_WITH_AES_128_CBC_SHA",              0x0030);
-        add("TLS_DH_RSA_WITH_AES_128_CBC_SHA",              0x0031);
-        add("TLS_DH_DSS_WITH_AES_256_CBC_SHA",              0x0036);
-        add("TLS_DH_RSA_WITH_AES_256_CBC_SHA",              0x0037);
-        add("TLS_DH_DSS_WITH_AES_128_CBC_SHA256",           0x003e);
-        add("TLS_DH_RSA_WITH_AES_128_CBC_SHA256",           0x003f);
-        add("TLS_DH_DSS_WITH_AES_256_CBC_SHA256",           0x0068);
-        add("TLS_DH_RSA_WITH_AES_256_CBC_SHA256",           0x0069);
-
-        // Unsupported cipher suites from RFC 5288
-        add("TLS_DH_RSA_WITH_AES_128_GCM_SHA256",           0x00a0);
-        add("TLS_DH_RSA_WITH_AES_256_GCM_SHA384",           0x00a1);
-        add("TLS_DH_DSS_WITH_AES_128_GCM_SHA256",           0x00a4);
-        add("TLS_DH_DSS_WITH_AES_256_GCM_SHA384",           0x00a5);
-
-        // Unsupported cipher suites from RFC 5487
-        add("TLS_PSK_WITH_AES_128_GCM_SHA256",              0x00a8);
-        add("TLS_PSK_WITH_AES_256_GCM_SHA384",              0x00a9);
-        add("TLS_DHE_PSK_WITH_AES_128_GCM_SHA256",          0x00aa);
-        add("TLS_DHE_PSK_WITH_AES_256_GCM_SHA384",          0x00ab);
-        add("TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",          0x00ac);
-        add("TLS_RSA_PSK_WITH_AES_256_GCM_SHA384",          0x00ad);
-        add("TLS_PSK_WITH_AES_128_CBC_SHA256",              0x00ae);
-        add("TLS_PSK_WITH_AES_256_CBC_SHA384",              0x00af);
-        add("TLS_PSK_WITH_NULL_SHA256",                     0x00b0);
-        add("TLS_PSK_WITH_NULL_SHA384",                     0x00b1);
-        add("TLS_DHE_PSK_WITH_AES_128_CBC_SHA256",          0x00b2);
-        add("TLS_DHE_PSK_WITH_AES_256_CBC_SHA384",          0x00b3);
-        add("TLS_DHE_PSK_WITH_NULL_SHA256",                 0x00b4);
-        add("TLS_DHE_PSK_WITH_NULL_SHA384",                 0x00b5);
-        add("TLS_RSA_PSK_WITH_AES_128_CBC_SHA256",          0x00b6);
-        add("TLS_RSA_PSK_WITH_AES_256_CBC_SHA384",          0x00b7);
-        add("TLS_RSA_PSK_WITH_NULL_SHA256",                 0x00b8);
-        add("TLS_RSA_PSK_WITH_NULL_SHA384",                 0x00b9);
-
-        // Unsupported cipher suites from RFC 5932
-        add("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",            0x0041);
-        add("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA",         0x0042);
-        add("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA",         0x0043);
-        add("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA",        0x0044);
-        add("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA",        0x0045);
-        add("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA",        0x0046);
-        add("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",            0x0084);
-        add("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA",         0x0085);
-        add("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA",         0x0086);
-        add("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA",        0x0087);
-        add("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA",        0x0088);
-        add("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA",        0x0089);
-        add("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256",         0x00ba);
-        add("TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256",      0x00bb);
-        add("TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256",      0x00bc);
-        add("TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256",     0x00bd);
-        add("TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",     0x00be);
-        add("TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256",     0x00bf);
-        add("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256",         0x00c0);
-        add("TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256",      0x00c1);
-        add("TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256",      0x00c2);
-        add("TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256",     0x00c3);
-        add("TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256",     0x00c4);
-        add("TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256",     0x00c5);
-
-        // TLS Fallback Signaling Cipher Suite Value (SCSV) RFC 7507
-        add("TLS_FALLBACK_SCSV", 0x5600);
-
-        // Unsupported cipher suites from RFC 5054
-        add("TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA",            0xc01a);
-        add("TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA",        0xc01b);
-        add("TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA",        0xc01c);
-        add("TLS_SRP_SHA_WITH_AES_128_CBC_SHA",             0xc01d);
-        add("TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA",         0xc01e);
-        add("TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA",         0xc01f);
-        add("TLS_SRP_SHA_WITH_AES_256_CBC_SHA",             0xc020);
-        add("TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA",         0xc021);
-        add("TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA",         0xc022);
-
-        // Unsupported cipher suites from RFC 5489
-        add("TLS_ECDHE_PSK_WITH_RC4_128_SHA",               0xc033);
-        add("TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA",          0xc034);
-        add("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA",           0xc035);
-        add("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA",           0xc036);
-        add("TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256",        0xc037);
-        add("TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384",        0xc038);
-        add("TLS_ECDHE_PSK_WITH_NULL_SHA",                  0xc039);
-        add("TLS_ECDHE_PSK_WITH_NULL_SHA256",               0xc03a);
-        add("TLS_ECDHE_PSK_WITH_NULL_SHA384",               0xc03b);
-
-        // Unsupported cipher suites from RFC 6209
-        add("TLS_RSA_WITH_ARIA_128_CBC_SHA256",             0xc03c);
-        add("TLS_RSA_WITH_ARIA_256_CBC_SHA384",             0xc03d);
-        add("TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256",          0xc03e);
-        add("TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384",          0xc03f);
-        add("TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256",          0xc040);
-        add("TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384",          0xc041);
-        add("TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256",         0xc042);
-        add("TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384",         0xc043);
-        add("TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256",         0xc044);
-        add("TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384",         0xc045);
-        add("TLS_DH_anon_WITH_ARIA_128_CBC_SHA256",         0xc046);
-        add("TLS_DH_anon_WITH_ARIA_256_CBC_SHA384",         0xc047);
-        add("TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256",     0xc048);
-        add("TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384",     0xc049);
-        add("TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256",      0xc04a);
-        add("TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384",      0xc04b);
-        add("TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256",       0xc04c);
-        add("TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384",       0xc04d);
-        add("TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256",        0xc04e);
-        add("TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384",        0xc04f);
-        add("TLS_RSA_WITH_ARIA_128_GCM_SHA256",             0xc050);
-        add("TLS_RSA_WITH_ARIA_256_GCM_SHA384",             0xc051);
-        add("TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256",         0xc052);
-        add("TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384",         0xc053);
-        add("TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256",          0xc054);
-        add("TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384",          0xc055);
-        add("TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256",         0xc056);
-        add("TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384",         0xc057);
-        add("TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256",          0xc058);
-        add("TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384",          0xc059);
-        add("TLS_DH_anon_WITH_ARIA_128_GCM_SHA256",         0xc05a);
-        add("TLS_DH_anon_WITH_ARIA_256_GCM_SHA384",         0xc05b);
-        add("TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256",     0xc05c);
-        add("TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384",     0xc05d);
-        add("TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256",      0xc05e);
-        add("TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384",      0xc05f);
-        add("TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256",       0xc060);
-        add("TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384",       0xc061);
-        add("TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256",        0xc062);
-        add("TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384",        0xc063);
-        add("TLS_PSK_WITH_ARIA_128_CBC_SHA256",             0xc064);
-        add("TLS_PSK_WITH_ARIA_256_CBC_SHA384",             0xc065);
-        add("TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256",         0xc066);
-        add("TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384",         0xc067);
-        add("TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256",         0xc068);
-        add("TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384",         0xc069);
-        add("TLS_PSK_WITH_ARIA_128_GCM_SHA256",             0xc06a);
-        add("TLS_PSK_WITH_ARIA_256_GCM_SHA384",             0xc06b);
-        add("TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256",         0xc06c);
-        add("TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384",         0xc06d);
-        add("TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256",         0xc06e);
-        add("TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384",         0xc06f);
-        add("TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256",       0xc070);
-        add("TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384",       0xc071);
-
-        // Unsupported cipher suites from RFC 6367
-        add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256", 0xc072);
-        add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384", 0xc073);
-        add("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",  0xc074);
-        add("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384",  0xc075);
-        add("TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256",   0xc076);
-        add("TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384",   0xc077);
-        add("TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256",    0xc078);
-        add("TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384",    0xc079);
-        add("TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256",         0xc07a);
-        add("TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384",         0xc07b);
-        add("TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",     0xc07c);
-        add("TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",     0xc07d);
-        add("TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256",      0xc07e);
-        add("TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384",      0xc07f);
-        add("TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256",     0xc080);
-        add("TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384",     0xc081);
-        add("TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256",      0xc082);
-        add("TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384",      0xc083);
-        add("TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256",     0xc084);
-        add("TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384",     0xc085);
-        add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256", 0xc086);
-        add("TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384", 0xc087);
-        add("TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256",  0xc088);
-        add("TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384",  0xc089);
-        add("TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256",   0xc08a);
-        add("TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384",   0xc08b);
-        add("TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256",    0xc08c);
-        add("TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384",    0xc08d);
-        add("TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256",         0xc08e);
-        add("TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384",         0xc08f);
-        add("TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256",     0xc090);
-        add("TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384",     0xc091);
-        add("TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256",     0xc092);
-        add("TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384",     0xc093);
-        add("TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256",         0xc094);
-        add("TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384",         0xc095);
-        add("TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",     0xc096);
-        add("TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",     0xc097);
-        add("TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256",     0xc098);
-        add("TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384",     0xc099);
-        add("TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256",   0xc09a);
-        add("TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384",   0xc09b);
-
-        // Unsupported cipher suites from RFC 6655
-        add("TLS_RSA_WITH_AES_128_CCM",                     0xc09c);
-        add("TLS_RSA_WITH_AES_256_CCM",                     0xc09d);
-        add("TLS_DHE_RSA_WITH_AES_128_CCM",                 0xc09e);
-        add("TLS_DHE_RSA_WITH_AES_256_CCM",                 0xc09f);
-        add("TLS_RSA_WITH_AES_128_CCM_8",                   0xc0A0);
-        add("TLS_RSA_WITH_AES_256_CCM_8",                   0xc0A1);
-        add("TLS_DHE_RSA_WITH_AES_128_CCM_8",               0xc0A2);
-        add("TLS_DHE_RSA_WITH_AES_256_CCM_8",               0xc0A3);
-        add("TLS_PSK_WITH_AES_128_CCM",                     0xc0A4);
-        add("TLS_PSK_WITH_AES_256_CCM",                     0xc0A5);
-        add("TLS_DHE_PSK_WITH_AES_128_CCM",                 0xc0A6);
-        add("TLS_DHE_PSK_WITH_AES_256_CCM",                 0xc0A7);
-        add("TLS_PSK_WITH_AES_128_CCM_8",                   0xc0A8);
-        add("TLS_PSK_WITH_AES_256_CCM_8",                   0xc0A9);
-        add("TLS_PSK_DHE_WITH_AES_128_CCM_8",               0xc0Aa);
-        add("TLS_PSK_DHE_WITH_AES_256_CCM_8",               0xc0Ab);
-
-        // Unsupported cipher suites from RFC 7251
-        add("TLS_ECDHE_ECDSA_WITH_AES_128_CCM",             0xc0Ac);
-        add("TLS_ECDHE_ECDSA_WITH_AES_256_CCM",             0xc0Ad);
-        add("TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8",           0xc0Ae);
-        add("TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8",           0xc0Af);
-    }
-
-    // ciphersuite SSL_NULL_WITH_NULL_NULL
-    static final CipherSuite C_NULL = CipherSuite.valueOf(0, 0);
-
-    // ciphersuite TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-    static final CipherSuite C_SCSV = CipherSuite.valueOf(0x00, 0xff);
 }
--- old/src/java.base/share/classes/sun/security/ssl/Ciphertext.java	2018-05-11 15:04:50.102541700 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Ciphertext.java	2018-05-11 15:04:49.554395900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,120 +26,30 @@
 package sun.security.ssl;
 
 import javax.net.ssl.SSLEngineResult.HandshakeStatus;
-import static sun.security.ssl.HandshakeMessage.*;
 
 /*
- * enumeration of record type
+ * Ciphertext
  */
 final class Ciphertext {
     static final Ciphertext CIPHERTEXT_NULL = new Ciphertext();
 
-    RecordType recordType;
-    long recordSN;
+    final byte contentType;
+    final byte handshakeType;
+    final long recordSN;
 
     HandshakeStatus handshakeStatus;    // null if not used or not handshaking
 
-    Ciphertext() {
-        this.recordType = null;
+    private Ciphertext() {
+        this.contentType = 0;
+        this.handshakeType = -1;
         this.recordSN = -1L;
         this.handshakeStatus = null;
     }
 
-    Ciphertext(RecordType recordType, long recordSN) {
-        this.recordType = recordType;
+    Ciphertext(byte contentType, byte handshakeType, long recordSN) {
+        this.contentType = contentType;
+        this.handshakeType = handshakeType;
         this.recordSN = recordSN;
         this.handshakeStatus = null;
     }
-
-    static enum RecordType {
-        RECORD_CHANGE_CIPHER_SPEC (
-                Record.ct_change_cipher_spec, ht_not_applicable),
-        RECORD_ALERT (
-                Record.ct_alert, ht_not_applicable),
-        RECORD_HELLO_REQUEST (
-                Record.ct_handshake, ht_hello_request),
-        RECORD_CLIENT_HELLO (
-                Record.ct_handshake, ht_client_hello),
-        RECORD_SERVER_HELLO (
-                Record.ct_handshake, ht_server_hello),
-        RECORD_HELLO_VERIFY_REQUEST (
-                Record.ct_handshake, ht_hello_verify_request),
-        RECORD_NEW_SESSION_TICKET (
-                Record.ct_handshake, ht_new_session_ticket),
-        RECORD_CERTIFICATE (
-                Record.ct_handshake, ht_certificate),
-        RECORD_SERVER_KEY_EXCHANGE (
-                Record.ct_handshake, ht_server_key_exchange),
-        RECORD_CERTIFICATE_REQUEST (
-                Record.ct_handshake, ht_certificate_request),
-        RECORD_SERVER_HELLO_DONE (
-                Record.ct_handshake, ht_server_hello_done),
-        RECORD_CERTIFICATE_VERIFY (
-                Record.ct_handshake, ht_certificate_verify),
-        RECORD_CLIENT_KEY_EXCHANGE (
-                Record.ct_handshake, ht_client_key_exchange),
-        RECORD_FINISHED (
-                Record.ct_handshake, ht_finished),
-        RECORD_CERTIFICATE_URL (
-                Record.ct_handshake, ht_certificate_url),
-        RECORD_CERTIFICATE_STATUS (
-                Record.ct_handshake, ht_certificate_status),
-        RECORD_SUPPLIEMENTAL_DATA (
-                Record.ct_handshake, ht_supplemental_data),
-        RECORD_APPLICATION_DATA (
-                Record.ct_application_data, ht_not_applicable);
-
-        byte contentType;
-        byte handshakeType;
-
-        private RecordType(byte contentType, byte handshakeType) {
-            this.contentType = contentType;
-            this.handshakeType = handshakeType;
-        }
-
-        static RecordType valueOf(byte contentType, byte handshakeType) {
-            if (contentType == Record.ct_change_cipher_spec) {
-                return RECORD_CHANGE_CIPHER_SPEC;
-            } else if (contentType == Record.ct_alert) {
-                return RECORD_ALERT;
-            } else if (contentType == Record.ct_application_data) {
-                return RECORD_APPLICATION_DATA;
-            } else if (handshakeType == ht_hello_request) {
-                return RECORD_HELLO_REQUEST;
-            } else if (handshakeType == ht_client_hello) {
-                return RECORD_CLIENT_HELLO;
-            } else if (handshakeType == ht_server_hello) {
-                return RECORD_SERVER_HELLO;
-            } else if (handshakeType == ht_hello_verify_request) {
-                return RECORD_HELLO_VERIFY_REQUEST;
-            } else if (handshakeType == ht_new_session_ticket) {
-                return RECORD_NEW_SESSION_TICKET;
-            } else if (handshakeType == ht_certificate) {
-                return RECORD_CERTIFICATE;
-            } else if (handshakeType == ht_server_key_exchange) {
-                return RECORD_SERVER_KEY_EXCHANGE;
-            } else if (handshakeType == ht_certificate_request) {
-                return RECORD_CERTIFICATE_REQUEST;
-            } else if (handshakeType == ht_server_hello_done) {
-                return RECORD_SERVER_HELLO_DONE;
-            } else if (handshakeType == ht_certificate_verify) {
-                return RECORD_CERTIFICATE_VERIFY;
-            } else if (handshakeType == ht_client_key_exchange) {
-                return RECORD_CLIENT_KEY_EXCHANGE;
-            } else if (handshakeType == ht_finished) {
-                return RECORD_FINISHED;
-            } else if (handshakeType == ht_certificate_url) {
-                return RECORD_CERTIFICATE_URL;
-            } else if (handshakeType == ht_certificate_status) {
-                return RECORD_CERTIFICATE_STATUS;
-            } else if (handshakeType == ht_supplemental_data) {
-                return RECORD_SUPPLIEMENTAL_DATA;
-            }
-
-            // otherwise, invalid record type
-            throw new IllegalArgumentException(
-                    "Invalid record type (ContentType:" + contentType +
-                    ", HandshakeType:" + handshakeType + ")");
-        }
-    }
 }
--- old/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java	2018-05-11 15:04:52.167752700 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java	2018-05-11 15:04:51.635019400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,36 +25,87 @@
 
 package sun.security.ssl;
 
-import javax.crypto.SecretKey;
 import java.io.IOException;
-import java.io.PrintStream;
-import java.security.Principal;
+import java.nio.ByteBuffer;
+import java.util.Map;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
 
 /**
- * Models a non-certificate based ClientKeyExchange
+ * Pack of the "ClientKeyExchange" handshake message.
  */
-public abstract class ClientKeyExchange extends HandshakeMessage {
-
-    public ClientKeyExchange() {
+final class ClientKeyExchange {
+    static final SSLConsumer handshakeConsumer =
+            new ClientKeyExchangeConsumer();
+    static final HandshakeProducer handshakeProducer =
+            new ClientKeyExchangeProducer();
+
+
+    /**
+     * The "ClientKeyExchange" handshake message producer.
+     */
+    private static final
+            class ClientKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ClientKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange);
+            if (ke != null) {
+                for (Map.Entry<Byte, HandshakeProducer> hp :
+                        ke.getHandshakeProducers(chc)) {
+                    if (hp.getKey() == SSLHandshake.CLIENT_KEY_EXCHANGE.id) {
+                        return hp.getValue().produce(context, message);
+                    }
+                }
+            }
+
+            // not comsumer defined.
+            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected ClientKeyExchange handshake message.");
+            return null;    // make the compiler happe
+        }
     }
 
-    @Override
-    int messageType() {
-        return ht_client_key_exchange;
+    /**
+     * The "ClientKeyExchange" handshake message consumer.
+     */
+    private static final
+            class ClientKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ClientKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            // clean up this consumer
+            shc.handshakeConsumers.remove(SSLHandshake.CLIENT_KEY_EXCHANGE.id);
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(shc.negotiatedCipherSuite.keyExchange);
+            if (ke != null) {
+                for (Map.Entry<Byte, SSLConsumer> hc :
+                        ke.getHandshakeConsumers(shc)) {
+                    if (hc.getKey() == SSLHandshake.CLIENT_KEY_EXCHANGE.id) {
+                        hc.getValue().consume(context, message);
+                        return;
+                    }
+                }
+            }
+
+            // not comsumer defined.
+            shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected ClientKeyExchange handshake message.");
+        }
     }
-
-    @Override
-    public abstract int messageLength();
-
-    @Override
-    public abstract void send(HandshakeOutStream s) throws IOException;
-
-    @Override
-    public abstract void print(PrintStream s) throws IOException;
-
-    public abstract SecretKey clientKeyExchange();
-
-    public abstract Principal getPeerPrincipal();
-
-    public abstract Principal getLocalPrincipal();
 }
+
--- old/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	2018-05-11 15:04:54.107641600 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java	2018-05-11 15:04:53.567552400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,88 +23,295 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.io.IOException;
-import java.io.PrintStream;
 import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.text.MessageFormat;
+import java.util.EnumSet;
+import java.util.Locale;
+import javax.crypto.SecretKey;
+import javax.crypto.interfaces.DHPublicKey;
+import javax.crypto.spec.DHParameterSpec;
+import javax.crypto.spec.DHPublicKeySpec;
 import javax.net.ssl.SSLHandshakeException;
+import sun.security.ssl.DHKeyExchange.DHECredentials;
+import sun.security.ssl.DHKeyExchange.DHEPossession;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.util.HexDumpEncoder;
 
-/*
- * Message used by clients to send their Diffie-Hellman public
- * keys to servers.
- *
- * @author David Brownell
+/**
+ * Pack of the "ClientKeyExchange" handshake message.
  */
-final class DHClientKeyExchange extends HandshakeMessage {
+final class DHClientKeyExchange {
+    static final DHClientKeyExchangeConsumer dhHandshakeConsumer =
+            new DHClientKeyExchangeConsumer();
+    static final DHClientKeyExchangeProducer dhHandshakeProducer =
+            new DHClientKeyExchangeProducer();
+
+    /**
+     * The DiffieHellman ClientKeyExchange handshake message.
+     *
+     * If the client has sent a certificate which contains a suitable
+     * DiffieHellman key (for fixed_dh client authentication), then the
+     * client public value is implicit and does not need to be sent again.
+     * In this case, the client key exchange message will be sent, but it
+     * MUST be empty.
+     *
+     * Currently, we don't support cipher suite that requires implicit public
+     * key of client.
+     */
+    private static final
+            class DHClientKeyExchangeMessage extends HandshakeMessage {
+        private byte[] y;        // 1 to 2^16 - 1 bytes
+
+        DHClientKeyExchangeMessage(
+                HandshakeContext handshakeContext) throws IOException {
+            super(handshakeContext);
+            // This happens in client side only.
+            ClientHandshakeContext chc =
+                    (ClientHandshakeContext)handshakeContext;
+
+            DHEPossession dhePossession = null;
+            for (SSLPossession possession : chc.handshakePossessions) {
+                if (possession instanceof DHEPossession) {
+                    dhePossession = (DHEPossession)possession;
+                    break;
+                }
+            }
+
+            if (dhePossession == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No DHE credentials negotiated for client key exchange");
+            }
+
+            DHPublicKey publicKey = dhePossession.publicKey;
+            DHParameterSpec params = publicKey.getParams();
+            this.y = Utilities.toByteArray(publicKey.getY());
+        }
 
-    @Override
-    int messageType() {
-        return ht_client_key_exchange;
-    }
+        DHClientKeyExchangeMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            if (m.remaining() < 3) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Invalid DH ClientKeyExchange message: insufficient data");
+            }
+
+            this.y = Record.getBytes16(m);
+
+            if (m.hasRemaining()) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Invalid DH ClientKeyExchange message: unknown extra data");
+            }
+        }
 
-    /*
-     * This value may be empty if it was included in the
-     * client's certificate ...
-     */
-    private byte[] dh_Yc;               // 1 to 2^16 -1 bytes
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CLIENT_KEY_EXCHANGE;
+        }
 
-    BigInteger getClientPublicKey() {
-        return dh_Yc == null ? null : new BigInteger(1, dh_Yc);
-    }
+        @Override
+        public int messageLength() {
+            return y.length + 2;    // 2: length filed
+        }
 
-    /*
-     * Either pass the client's public key explicitly (because it's
-     * using DHE or DH_anon), or implicitly (the public key was in the
-     * certificate).
-     */
-    DHClientKeyExchange(BigInteger publicKey) {
-        dh_Yc = toByteArray(publicKey);
-    }
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes16(y);
+        }
 
-    DHClientKeyExchange() {
-        dh_Yc = null;
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"DH ClientKeyExchange\": '{'\n" +
+                "  \"parameters\": '{'\n" +
+                "    \"dh_Yc\": '{'\n" +
+                "{0}\n" +
+                "    '}',\n" +
+                "  '}'\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(y), "      "),
+            };
+            return messageFormat.format(messageFields);
+        }
     }
 
-    /*
-     * Get the client's public key either explicitly or implicitly.
-     * (It's ugly to have an empty record be sent in the latter case,
-     * but that's what the protocol spec requires.)
+    /**
+     * The DiffieHellman "ClientKeyExchange" handshake message producer.
      */
-    DHClientKeyExchange(HandshakeInStream input) throws IOException {
-        if (input.available() >= 2) {
-            dh_Yc = input.getBytes16();
-        } else {
-            // currently, we don't support cipher suites that requires
-            // implicit public key of client.
-            throw new SSLHandshakeException(
-                    "Unsupported implicit client DiffieHellman public key");
+    private static final
+            class DHClientKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private DHClientKeyExchangeProducer() {
+            // blank
         }
-    }
 
-    @Override
-    int messageLength() {
-        if (dh_Yc == null) {
-            return 0;
-        } else {
-            return dh_Yc.length + 2;
-        }
-    }
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            DHECredentials dheCredentials = null;
+            for (SSLCredentials cd : chc.handshakeCredentials) {
+                if (cd instanceof DHECredentials) {
+                    dheCredentials = (DHECredentials)cd;
+                    break;
+                }
+            }
+
+            if (dheCredentials == null) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No DHE credentials negotiated for client key exchange");
+            }
+
+
+            DHEPossession dhePossession = new DHEPossession(
+                    dheCredentials, chc.sslContext.getSecureRandom());
+            chc.handshakePossessions.add(dhePossession);
+            DHClientKeyExchangeMessage ckem =
+                    new DHClientKeyExchangeMessage(chc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced DH ClientKeyExchange handshake message", ckem);
+            }
+
+            // Output the handshake message.
+            ckem.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // update the states
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+            } else {
+                SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
+                SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+                chc.handshakeSession.setMasterSecret(masterSecret);
+
+                SSLTrafficKeyDerivation kd =
+                        SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+                if (kd == null) {
+                    // unlikely
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            chc.negotiatedProtocol);
+                } else {
+                    chc.handshakeKeyDerivation =
+                        kd.createKeyDerivation(chc, masterSecret);
+                }
+            }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        if (dh_Yc != null && dh_Yc.length != 0) {
-            s.putBytes16(dh_Yc);
+            // The handshake message has been delivered.
+            return null;
         }
     }
 
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** ClientKeyExchange, DH");
+    /**
+     * The DiffieHellman "ClientKeyExchange" handshake message consumer.
+     */
+    private static final
+            class DHClientKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private DHClientKeyExchangeConsumer() {
+            // blank
+        }
 
-        if (debug != null && Debug.isOn("verbose")) {
-            Debug.println(s, "DH Public key", dh_Yc);
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            DHEPossession dhePossession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof DHEPossession) {
+                    dhePossession = (DHEPossession)possession;
+                    break;
+                }
+            }
+
+            if (dhePossession == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No expected DHE possessions for client key exchange");
+            }
+
+            SSLKeyExchange ke = SSLKeyExchange.valueOf(
+                    shc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+            }
+
+            DHClientKeyExchangeMessage ckem =
+                    new DHClientKeyExchangeMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming DH ClientKeyExchange handshake message", ckem);
+            }
+
+            // create the credentials
+            try {
+                DHParameterSpec params = dhePossession.publicKey.getParams();
+                DHPublicKeySpec spec = new DHPublicKeySpec(
+                        new BigInteger(1, ckem.y),
+                        params.getP(), params.getG());
+                KeyFactory kf = JsseJce.getKeyFactory("DH");
+                DHPublicKey peerPublicKey =
+                        (DHPublicKey)kf.generatePublic(spec);
+
+                // check constraints of peer DHPublicKey
+                if (!shc.algorithmConstraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                        peerPublicKey)) {
+                    throw new SSLHandshakeException(
+                        "DHPublicKey does not comply to algorithm constraints");
+                }
+
+                NamedGroup namedGroup = NamedGroup.valueOf(params);
+                shc.handshakeCredentials.add(
+                        new DHECredentials(peerPublicKey, namedGroup));
+            } catch (GeneralSecurityException | java.io.IOException e) {
+                throw (SSLHandshakeException)(new SSLHandshakeException(
+                        "Could not generate DHPublicKey").initCause(e));
+            }
+
+            // update the states
+            SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
+            SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+            shc.handshakeSession.setMasterSecret(masterSecret);
+
+            SSLTrafficKeyDerivation kd =
+                    SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+            if (kd == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Not supported key derivation: " + shc.negotiatedProtocol);
+            } else {
+                shc.handshakeKeyDerivation =
+                    kd.createKeyDerivation(shc, masterSecret);
+            }
         }
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java	2018-05-11 15:04:56.263536300 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/DTLSInputRecord.java	2018-05-11 15:04:55.669680300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -18,7 +18,7 @@
  * 2 along with this work; if not, write to the Free Software Foundation,
  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 9406+5 USA
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
@@ -27,47 +27,26 @@
 
 import java.io.*;
 import java.nio.*;
+import java.security.GeneralSecurityException;
 import java.util.*;
 import javax.crypto.BadPaddingException;
-
 import javax.net.ssl.*;
-
-import sun.security.util.HexDumpEncoder;
-import static sun.security.ssl.HandshakeMessage.*;
+import sun.security.ssl.SSLCipher.SSLReadCipher;
 
 /**
  * DTLS {@code InputRecord} implementation for {@code SSLEngine}.
  */
 final class DTLSInputRecord extends InputRecord implements DTLSRecord {
-
     private DTLSReassembler reassembler = null;
+    private int             readEpoch;
 
-    int                 readEpoch;
-
-    int                 prevReadEpoch;
-    Authenticator       prevReadAuthenticator;
-    CipherBox           prevReadCipher;
-
-    DTLSInputRecord() {
+    DTLSInputRecord(HandshakeHash handshakeHash) {
+        super(handshakeHash, SSLReadCipher.nullDTlsReadCipher());
         this.readEpoch = 0;
-        this.readAuthenticator = new MAC(true);
-
-        this.prevReadEpoch = 0;
-        this.prevReadCipher = CipherBox.NULL;
-        this.prevReadAuthenticator = new MAC(true);
     }
 
     @Override
-    void changeReadCiphers(Authenticator readAuthenticator,
-            CipherBox readCipher) {
-
-        prevReadCipher.dispose();
-
-        this.prevReadAuthenticator = this.readAuthenticator;
-        this.prevReadCipher = this.readCipher;
-        this.prevReadEpoch = this.readEpoch;
-
-        this.readAuthenticator = readAuthenticator;
+    void changeReadCiphers(SSLReadCipher readCipher) {
         this.readCipher = readCipher;
         this.readEpoch++;
     }
@@ -75,7 +54,6 @@
     @Override
     public synchronized void close() throws IOException {
         if (!isClosed) {
-            prevReadCipher.dispose();
             super.close();
         }
     }
@@ -87,14 +65,8 @@
 
     @Override
     int estimateFragmentSize(int packetSize) {
-        int macLen = 0;
-        if (readAuthenticator instanceof MAC) {
-            macLen = ((MAC)readAuthenticator).MAClen();
-        }
-
         if (packetSize > 0) {
-            return readCipher.estimateFragmentSize(
-                    packetSize, macLen, headerSize);
+            return readCipher.estimateFragmentSize(packetSize, headerSize);
         } else {
             return Record.maxDataSize;
         }
@@ -108,6 +80,11 @@
     }
 
     @Override
+    void finishHandshake() {
+        reassembler = null;
+    }
+
+    @Override
     Plaintext acquirePlaintext() {
         if (reassembler != null) {
             return reassembler.acquirePlaintext();
@@ -116,16 +93,28 @@
         return null;
     }
 
-    @Override
-    Plaintext decode(ByteBuffer packet) {
+     @Override
+    Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset,
+            int srcsLength) throws IOException, BadPaddingException {
+        if (srcs == null || srcs.length == 0 || srcsLength == 0) {
+            Plaintext pt = acquirePlaintext();
+            return pt == null ? new Plaintext[0] : new Plaintext[] { pt };
+        } else if (srcsLength == 1) {
+            return decode(srcs[srcsOffset]);
+        } else {
+            ByteBuffer packet = extract(srcs,
+                    srcsOffset, srcsLength, DTLSRecord.headerSize);
+            return decode(packet);
+        }
+    }
 
+    Plaintext[] decode(ByteBuffer packet) {
         if (isClosed) {
             return null;
         }
 
-        if (debug != null && Debug.isOn("packet")) {
-             Debug.printHex(
-                    "[Raw read]: length = " + packet.remaining(), packet);
+        if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+            SSLLogger.fine("Raw read", packet);
         }
 
         // The caller should have validated the record.
@@ -149,20 +138,20 @@
         int contentLen = ((packet.get() & 0xFF) << 8) |
                           (packet.get() & 0xFF);           // pos: 11, 12
 
-        if (debug != null && Debug.isOn("record")) {
-            Debug.log("READ: " +
-                    ProtocolVersion.valueOf(majorVersion, minorVersion) +
-                    " " + Record.contentName(contentType) + ", length = " +
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine("READ: " +
+                    ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                    " " + ContentType.nameOf(contentType) + ", length = " +
                     contentLen);
         }
 
         int recLim = srcPos + DTLSRecord.headerSize + contentLen;
 
-        if (this.prevReadEpoch > recordEpoch) {
+        if (this.readEpoch > recordEpoch) {
             // Reset the position of the packet buffer.
             packet.position(recLim);
-            if (debug != null && Debug.isOn("record")) {
-                Debug.printHex("READ: discard this old record", recordEnS);
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine("READ: discard this old record", recordEnS);
             }
             return null;
         }
@@ -171,20 +160,23 @@
         if (this.readEpoch < recordEpoch) {
             // Discard the record younger than the current epcoh if:
             // 1. it is not a handshake message, or
-            // 2. it is not of next epoch.
-            if (((contentType != Record.ct_handshake) &&
-                    (contentType != Record.ct_change_cipher_spec)) ||
+            // 3. it is not of next epoch.
+            if ((contentType != ContentType.HANDSHAKE.id &&
+                    contentType != ContentType.CHANGE_CIPHER_SPEC.id) ||
+                (reassembler == null &&
+                    contentType != ContentType.HANDSHAKE.id) ||
                 (this.readEpoch < (recordEpoch - 1))) {
 
                 packet.position(recLim);
 
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Premature record (epoch), discard it.");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine("Premature record (epoch), discard it.");
                 }
 
                 return null;
             }
 
+
             // Not ready to decrypt this record, may be an encrypted Finished
             // message, need to buffer it.
             byte[] fragment = new byte[contentLen];
@@ -193,38 +185,34 @@
                     majorVersion, minorVersion,
                     recordEnS, recordEpoch, recordSeq, true);
 
+            if (reassembler == null) {
+                reassembler = new DTLSReassembler(recordEpoch);
+            }
             reassembler.queueUpFragment(buffered);
 
             // consume the full record in the packet buffer.
             packet.position(recLim);
 
-            return reassembler.acquirePlaintext();
+            Plaintext pt = reassembler.acquirePlaintext();
+            return pt == null ? null : new Plaintext[] { pt };
         }
 
         //
-        // Now, the message is of this epoch or the previous epoch.
+        // Now, the message is of this epoch.
         //
-        Authenticator decodeAuthenticator;
-        CipherBox decodeCipher;
-        if (this.readEpoch == recordEpoch) {
-            decodeAuthenticator = readAuthenticator;
-            decodeCipher = readCipher;
-        } else {                        // prevReadEpoch == recordEpoch
-            decodeAuthenticator = prevReadAuthenticator;
-            decodeCipher = prevReadCipher;
-        }
-
         // decrypt the fragment
         packet.limit(recLim);
         packet.position(srcPos + DTLSRecord.headerSize);
 
         ByteBuffer plaintextFragment;
         try {
-            plaintextFragment = decrypt(decodeAuthenticator,
-                    decodeCipher, contentType, packet, recordEnS);
-        } catch (BadPaddingException bpe) {
-            if (debug != null && Debug.isOn("ssl")) {
-                Debug.log("Discard invalid record: " + bpe);
+            Plaintext plaintext =
+                    readCipher.decrypt(contentType, packet, recordEnS);
+            plaintextFragment = plaintext.fragment;
+            contentType = plaintext.contentType;
+        } catch (GeneralSecurityException gse) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine("Discard invalid record: " + gse);
             }
 
             // invalid, discard this record [section 4.1.2.7, RFC 6347]
@@ -235,38 +223,27 @@
             packet.position(recLim);
         }
 
-        if (contentType != Record.ct_change_cipher_spec &&
-            contentType != Record.ct_handshake) {   // app data or alert
+        if (contentType != ContentType.CHANGE_CIPHER_SPEC.id &&
+            contentType != ContentType.HANDSHAKE.id) {   // app data or alert
                                                     // no retransmission
             // Cleanup the handshake reassembler if necessary.
             if ((reassembler != null) &&
                     (reassembler.handshakeEpoch < recordEpoch)) {
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Cleanup the handshake reassembler");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine("Cleanup the handshake reassembler");
                 }
 
                 reassembler = null;
             }
 
-            return new Plaintext(contentType, majorVersion, minorVersion,
-                    recordEpoch, Authenticator.toLong(recordEnS),
-                    plaintextFragment);
+            return new Plaintext[] {
+                    new Plaintext(contentType, majorVersion, minorVersion,
+                            recordEpoch, Authenticator.toLong(recordEnS),
+                            plaintextFragment)};
         }
 
-        if (contentType == Record.ct_change_cipher_spec) {
+        if (contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
             if (reassembler == null) {
-                if (this.readEpoch != recordEpoch) {
-                    // handshake has not started, should be an
-                    // old handshake message, discard it.
-
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log(
-                                "Lagging behind ChangeCipherSpec, discard it.");
-                    }
-
-                    return null;
-                }
-
                 reassembler = new DTLSReassembler(recordEpoch);
             }
 
@@ -284,26 +261,15 @@
 
                 if (hsFrag == null) {
                     // invalid, discard this record
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log("Invalid handshake message, discard it.");
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
+                                "Invalid handshake message, discard it.");
                     }
 
                     return null;
                 }
 
                 if (reassembler == null) {
-                    if (this.readEpoch != recordEpoch) {
-                        // handshake has not started, should be an
-                        // old handshake message, discard it.
-
-                        if (debug != null && Debug.isOn("verbose")) {
-                            Debug.log(
-                                "Lagging behind handshake record, discard it.");
-                        }
-
-                        return null;
-                    }
-
                     reassembler = new DTLSReassembler(recordEpoch);
                 }
 
@@ -314,18 +280,25 @@
         // Completed the read of the full record.  Acquire the reassembled
         // messages.
         if (reassembler != null) {
-            return reassembler.acquirePlaintext();
+            Plaintext pt = reassembler.acquirePlaintext();
+            return pt == null ? null : new Plaintext[] { pt };
         }
 
-        if (debug != null && Debug.isOn("verbose")) {
-            Debug.log("The reassembler is not initialized yet.");
+        if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+             SSLLogger.fine("The reassembler is not initialized yet.");
         }
 
         return null;
     }
 
     @Override
-    int bytesInCompletePacket(ByteBuffer packet) throws SSLException {
+    int bytesInCompletePacket(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength) throws IOException {
+
+        return bytesInCompletePacket(srcs[srcsOffset]);
+    }
+
+    private int bytesInCompletePacket(ByteBuffer packet) throws SSLException {
 
         // DTLS length field is in bytes 11/12
         if (packet.remaining() < headerSize) {
@@ -337,15 +310,20 @@
 
         // Check the content type of the record.
         byte contentType = packet.get(pos);
-        if (!Record.isValidContentType(contentType)) {
+        if (ContentType.valueOf(contentType) == null) {
             throw new SSLException(
                     "Unrecognized SSL message, plaintext connection?");
         }
 
         // Check the protocol version of the record.
-        ProtocolVersion recordVersion =
-            ProtocolVersion.valueOf(packet.get(pos + 1), packet.get(pos + 2));
-        checkRecordVersion(recordVersion, false);
+        byte majorVersion = packet.get(pos + 1);
+        byte minorVersion = packet.get(pos + 2);
+        if (!ProtocolVersion.isNegotiable(
+                majorVersion, minorVersion, true, false)) {
+            throw new SSLException("Unrecognized record version " +
+                    ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                    " , plaintext connection?");
+        }
 
         // Get the fragment length of the record.
         int fragLen = ((packet.get(pos + 11) & 0xFF) << 8) +
@@ -359,17 +337,6 @@
         return fragLen;
     }
 
-    @Override
-    void checkRecordVersion(ProtocolVersion recordVersion,
-            boolean allowSSL20Hello) throws SSLException {
-
-        if (!recordVersion.maybeDTLSProtocol()) {
-            throw new SSLException(
-                    "Unrecognized record version " + recordVersion +
-                    " , plaintext connection?");
-        }
-    }
-
     private static HandshakeFragment parseHandshakeMessage(
             byte contentType, byte majorVersion, byte minorVersion,
             byte[] recordEnS, int recordEpoch, long recordSeq,
@@ -377,8 +344,8 @@
 
         int remaining = plaintextFragment.remaining();
         if (remaining < handshakeHeaderSize) {
-            if (debug != null && Debug.isOn("ssl")) {
-                Debug.log("Discard invalid record: " +
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine("Discard invalid record: " +
                         "too small record to hold a handshake fragment");
             }
 
@@ -403,8 +370,8 @@
                 ((plaintextFragment.get() & 0xFF) << 8) |
                  (plaintextFragment.get() & 0xFF);          // pos: 9-11
         if ((remaining - handshakeHeaderSize) < fragmentLength) {
-            if (debug != null && Debug.isOn("ssl")) {
-                Debug.log("Discard invalid record: " +
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine("Discard invalid record: " +
                         "not a complete handshake fragment in the record");
             }
 
@@ -461,20 +428,20 @@
 
         @Override
         public int compareTo(RecordFragment o) {
-            if (this.contentType == Record.ct_change_cipher_spec) {
-                if (o.contentType == Record.ct_change_cipher_spec) {
+            if (this.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
+                if (o.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
                     // Only one incoming ChangeCipherSpec message for an epoch.
                     //
                     // Ignore duplicated ChangeCipherSpec messages.
                     return Integer.compare(this.recordEpoch, o.recordEpoch);
                 } else if ((this.recordEpoch == o.recordEpoch) &&
-                        (o.contentType == Record.ct_handshake)) {
+                        (o.contentType == ContentType.HANDSHAKE.id)) {
                     // ChangeCipherSpec is the latest message of an epoch.
                     return 1;
                 }
-            } else if (o.contentType == Record.ct_change_cipher_spec) {
+            } else if (o.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
                 if ((this.recordEpoch == o.recordEpoch) &&
-                        (this.contentType == Record.ct_handshake)) {
+                        (this.contentType == ContentType.HANDSHAKE.id)) {
                     // ChangeCipherSpec is the latest message of an epoch.
                     return -1;
                 } else {
@@ -539,7 +506,7 @@
 
                 // Should be repacked for suitable fragment length.
                 //
-                // Note that the acquiring processes will reassemble
+                // Note that the acquiring processes will reassemble the
                 // the fragments later.
                 return compareToSequence(o.recordEpoch, o.recordSeq);
             }
@@ -559,7 +526,7 @@
     }
 
     private static final class HandshakeFlight implements Cloneable {
-        static final byte HF_UNKNOWN = HandshakeMessage.ht_not_applicable;
+        static final byte HF_UNKNOWN = SSLHandshake.NOT_APPLICABLE.id;
 
         byte        handshakeType;      // handshake type
         int         flightEpoch;        // the epoch of the first message
@@ -665,7 +632,7 @@
             }
 
             if (isMinimalFlightMessage && (hsf.fragmentOffset == 0) &&
-                    (hsf.handshakeType != HandshakeMessage.ht_finished)) {
+                    (hsf.handshakeType != SSLHandshake.FINISHED.id)) {
 
                 // reset the handshake flight
                 handshakeFlight.handshakeType = hsf.handshakeType;
@@ -673,7 +640,7 @@
                 handshakeFlight.minMessageSeq = hsf.messageSeq;
             }
 
-            if (hsf.handshakeType == HandshakeMessage.ht_finished) {
+            if (hsf.handshakeType == SSLHandshake.FINISHED.id) {
                 handshakeFlight.maxMessageSeq = hsf.messageSeq;
                 handshakeFlight.maxRecordEpoch = hsf.recordEpoch;
                 handshakeFlight.maxRecordSeq = hsf.recordSeq;
@@ -718,8 +685,8 @@
                 // It's OK to discard retransmission as the handshake hash
                 // is computed as if each handshake message had been sent
                 // as a single fragment.
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Have got the full message, discard it.");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine("Have got the full message, discard it.");
                 }
 
                 return;
@@ -742,8 +709,8 @@
                         ((hole.limit > hsf.fragmentOffset) &&
                          (hole.limit < fragmentLimit))) {
 
-                        if (debug != null && Debug.isOn("ssl")) {
-                            Debug.log("Discard invalid record: " +
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                            SSLLogger.fine("Discard invalid record: " +
                                 "handshake fragment ranges are overlapping");
                         }
 
@@ -773,7 +740,7 @@
             }
 
             // buffer this fragment
-            if (hsf.handshakeType == HandshakeMessage.ht_finished) {
+            if (hsf.handshakeType == SSLHandshake.FINISHED.id) {
                 // Need no status update.
                 bufferedFragments.add(hsf);
             } else {
@@ -849,7 +816,9 @@
                         if (precedingFlight.maxMessageSeq  < hsf.messageSeq) {
                             isNewFlight = true;
                         }
-                    } else if (rf.contentType != Record.ct_change_cipher_spec) {
+                    } else if (
+                        rf.contentType != ContentType.CHANGE_CIPHER_SPEC.id) {
+
                         // ciphertext
                         if (precedingFlight.maxRecordEpoch < rf.recordEpoch) {
                             isNewFlight = true;
@@ -904,8 +873,9 @@
             int previousEpoch = nextRecordEpoch - 1;
             if (rf.recordEpoch < previousEpoch) {
                 // Too old to use, discard this record.
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Too old epoch to use this record, discard it.");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "Too old epoch to use this record, discard it.");
                 }
 
                 return false;
@@ -932,7 +902,9 @@
                         if (precedingFlight.minMessageSeq > hsf.messageSeq) {
                             isDesired = false;
                         }
-                    } else if (rf.contentType == Record.ct_change_cipher_spec) {
+                    } else if (
+                        rf.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
+
                         // ChangeCipherSpec
                         if (precedingFlight.flightEpoch != rf.recordEpoch) {
                             isDesired = false;
@@ -948,8 +920,9 @@
 
                 if (!isDesired) {
                     // Too old to use, discard this retransmitted record
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log("Too old retransmission to use, discard it.");
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
+                                "Too old retransmission to use, discard it.");
                     }
 
                     return false;
@@ -960,8 +933,9 @@
                 // Previously disordered record for the current epoch.
                 //
                 // Should has been retransmitted. Discard this record.
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Lagging behind record (sequence), discard it.");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "Lagging behind record (sequence), discard it.");
                 }
 
                 return false;
@@ -978,8 +952,8 @@
 
         Plaintext acquirePlaintext() {
             if (bufferedFragments.isEmpty()) {
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("No received handshake messages");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine("No received handshake messages");
                 }
                 return null;
             }
@@ -999,8 +973,8 @@
                         // Reset the next handshake flight.
                         resetHandshakeFlight(precedingFlight);
 
-                        if (debug != null && Debug.isOn("verbose")) {
-                            Debug.log("Received a retransmission flight.");
+                        if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                            SSLLogger.fine("Received a retransmission flight.");
                         }
 
                         return Plaintext.PLAINTEXT_NULL;
@@ -1011,9 +985,10 @@
             }
 
             if (!flightIsReady) {
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("The handshake flight is not ready to use: " +
-                                handshakeFlight.handshakeType);
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "The handshake flight is not ready to use: " +
+                            handshakeFlight.handshakeType);
                 }
                 return null;
             }
@@ -1036,7 +1011,7 @@
                     resetHandshakeFlight(precedingFlight);
 
                     if (expectCCSFlight &&
-                            (precedingFlight.flightEpoch ==
+                            (precedingFlight.handshakeType ==
                                     HandshakeFlight.HF_UNKNOWN)) {
                         expectCCSFlight = false;
                     }
@@ -1088,13 +1063,13 @@
         }
 
         private Plaintext acquireCachedMessage() {
-
             RecordFragment rFrag = bufferedFragments.first();
             if (readEpoch != rFrag.recordEpoch) {
                 if (readEpoch > rFrag.recordEpoch) {
                     // discard old records
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log("Discard old buffered ciphertext fragments.");
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
+                                "Discard old buffered ciphertext fragments.");
                     }
                     bufferedFragments.remove(rFrag);    // popup the fragment
                 }
@@ -1104,8 +1079,9 @@
                     flightIsReady = false;
                 }
 
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Not yet ready to decrypt the cached fragments.");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "Not yet ready to decrypt the cached fragments.");
                 }
                 return null;
             }
@@ -1115,11 +1091,13 @@
             ByteBuffer fragment = ByteBuffer.wrap(rFrag.fragment);
             ByteBuffer plaintextFragment = null;
             try {
-                plaintextFragment = decrypt(readAuthenticator, readCipher,
+                Plaintext plaintext = readCipher.decrypt(
                         rFrag.contentType, fragment, rFrag.recordEnS);
-            } catch (BadPaddingException bpe) {
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Discard invalid record: " + bpe);
+                plaintextFragment = plaintext.fragment;
+                rFrag.contentType = plaintext.contentType;
+            } catch (GeneralSecurityException gse) {
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine("Discard invalid record: ", gse);
                 }
 
                 // invalid, discard this record [section 4.1.2.7, RFC 6347]
@@ -1130,7 +1108,7 @@
             // end of this flight), ClinetHello or HelloRequest (the
             // beginning of the next flight) message.  Need not to check
             // any ChangeCipherSpec message.
-            if (rFrag.contentType == Record.ct_handshake) {
+            if (rFrag.contentType == ContentType.HANDSHAKE.id) {
                 while (plaintextFragment.remaining() > 0) {
                     HandshakeFragment hsFrag = parseHandshakeMessage(
                             rFrag.contentType,
@@ -1140,8 +1118,8 @@
 
                     if (hsFrag == null) {
                         // invalid, discard this record
-                        if (debug != null && Debug.isOn("verbose")) {
-                            Debug.printHex(
+                        if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                            SSLLogger.fine(
                                     "Invalid handshake fragment, discard it",
                                     plaintextFragment);
                         }
@@ -1153,7 +1131,7 @@
                     // been checked and updated for the Finished handshake
                     // message before the decryption.  Please don't update
                     // flightIsReady for Finished messages.
-                    if (hsFrag.handshakeType != HandshakeMessage.ht_finished) {
+                    if (hsFrag.handshakeType != SSLHandshake.FINISHED.id) {
                         flightIsReady = false;
                         needToCheckFlight = true;
                     }
@@ -1172,7 +1150,7 @@
         private Plaintext acquireHandshakeMessage() {
 
             RecordFragment rFrag = bufferedFragments.first();
-            if (rFrag.contentType == Record.ct_change_cipher_spec) {
+            if (rFrag.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
                 this.nextRecordEpoch = rFrag.recordEpoch + 1;
 
                 // For retransmissions, the next record sequence number is a
@@ -1183,16 +1161,12 @@
 
                 // Popup the fragment.
                 bufferedFragments.remove(rFrag);
-
-                // Reload if this message has been reserved for handshake hash.
-                handshakeHash.reload();
-
                 return new Plaintext(rFrag.contentType,
                         rFrag.majorVersion, rFrag.minorVersion,
                         rFrag.recordEpoch,
                         Authenticator.toLong(rFrag.recordEnS),
                         ByteBuffer.wrap(rFrag.fragment));
-            } else {    // rFrag.contentType == Record.ct_handshake
+            } else {    // rFrag.contentType == ContentType.HANDSHAKE.id
                 HandshakeFragment hsFrag = (HandshakeFragment)rFrag;
                 if ((hsFrag.messageLength == hsFrag.fragmentLength) &&
                     (hsFrag.fragmentOffset == 0)) {     // no fragmentation
@@ -1204,7 +1178,8 @@
 
                     // Note: may try to avoid byte array copy in the future.
                     byte[] recordFrag = new byte[hsFrag.messageLength + 4];
-                    Plaintext plaintext = new Plaintext(hsFrag.contentType,
+                    Plaintext plaintext = new Plaintext(
+                            hsFrag.contentType,
                             hsFrag.majorVersion, hsFrag.minorVersion,
                             hsFrag.recordEpoch,
                             Authenticator.toLong(hsFrag.recordEnS),
@@ -1230,7 +1205,8 @@
                     //
                     // Note: may try to avoid byte array copy in the future.
                     byte[] recordFrag = new byte[hsFrag.messageLength + 4];
-                    Plaintext plaintext = new Plaintext(hsFrag.contentType,
+                    Plaintext plaintext = new Plaintext(
+                            hsFrag.contentType,
                             hsFrag.majorVersion, hsFrag.minorVersion,
                             hsFrag.recordEpoch,
                             Authenticator.toLong(hsFrag.recordEnS),
@@ -1264,7 +1240,7 @@
                         // read the next buffered record
                         if (!bufferedFragments.isEmpty()) {
                             rFrag = bufferedFragments.first();
-                            if (rFrag.contentType != Record.ct_handshake) {
+                            if (rFrag.contentType != ContentType.HANDSHAKE.id) {
                                 break;
                             } else {
                                 hmFrag = (HandshakeFragment)rFrag;
@@ -1293,29 +1269,30 @@
                 if (expectCCSFlight) {
                     // Have the ChangeCipherSpec/Finished flight been received?
                     boolean isReady = hasFinishedMessage(bufferedFragments);
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log(
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
                             "Has the final flight been received? " + isReady);
                     }
 
                     return isReady;
                 }
 
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("No flight is received yet.");
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine("No flight is received yet.");
                 }
 
                 return false;
             }
 
-            if ((flightType == HandshakeMessage.ht_client_hello) ||
-                (flightType == HandshakeMessage.ht_hello_request) ||
-                (flightType == HandshakeMessage.ht_hello_verify_request)) {
+            if ((flightType == SSLHandshake.CLIENT_HELLO.id) ||
+                (flightType == SSLHandshake.HELLO_REQUEST.id) ||
+                (flightType == SSLHandshake.HELLO_VERIFY_REQUEST.id)) {
 
                 // single handshake message flight
                 boolean isReady = hasCompleted(flightType);
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Is the handshake message completed? " + isReady);
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "Is the handshake message completed? " + isReady);
                 }
 
                 return isReady;
@@ -1324,11 +1301,11 @@
             //
             // the ServerHello flight
             //
-            if (flightType == HandshakeMessage.ht_server_hello) {
+            if (flightType == SSLHandshake.SERVER_HELLO.id) {
                 // Firstly, check the first flight handshake message.
                 if (!hasCompleted(flightType)) {
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log(
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
                             "The ServerHello message is not completed yet.");
                     }
 
@@ -1339,8 +1316,8 @@
                 // an abbreviated handshake
                 //
                 if (hasFinishedMessage(bufferedFragments)) {
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log("It's an abbreviated handshake.");
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine("It's an abbreviated handshake.");
                     }
 
                     return true;
@@ -1350,11 +1327,12 @@
                 // a full handshake
                 //
                 List<HoleDescriptor> holes = handshakeFlight.holesMap.get(
-                        HandshakeMessage.ht_server_hello_done);
+                        SSLHandshake.SERVER_HELLO_DONE.id);
                 if ((holes == null) || !holes.isEmpty()) {
                     // Not yet got the final message of the flight.
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log("Not yet got the ServerHelloDone message");
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
+                                "Not yet got the ServerHelloDone message");
                     }
 
                     return false;
@@ -1364,8 +1342,9 @@
                 boolean isReady = hasCompleted(bufferedFragments,
                             handshakeFlight.minMessageSeq,
                             handshakeFlight.maxMessageSeq);
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Is the ServerHello flight (message " +
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "Is the ServerHello flight (message " +
                             handshakeFlight.minMessageSeq + "-" +
                             handshakeFlight.maxMessageSeq +
                             ") completed? " + isReady);
@@ -1381,13 +1360,13 @@
             //       ht_supplemental_data and ht_certificate_url are
             //       suppported in the future.
             //
-            if ((flightType == HandshakeMessage.ht_certificate) ||
-                (flightType == HandshakeMessage.ht_client_key_exchange)) {
+            if ((flightType == SSLHandshake.CERTIFICATE.id) ||
+                (flightType == SSLHandshake.CLIENT_KEY_EXCHANGE.id)) {
 
                 // Firstly, check the first flight handshake message.
                 if (!hasCompleted(flightType)) {
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log(
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
                             "The ClientKeyExchange or client Certificate " +
                             "message is not completed yet.");
                     }
@@ -1396,12 +1375,12 @@
                 }
 
                 // Is client CertificateVerify a mandatory message?
-                if (flightType == HandshakeMessage.ht_certificate) {
+                if (flightType == SSLHandshake.CERTIFICATE.id) {
                     if (needClientVerify(bufferedFragments) &&
-                        !hasCompleted(ht_certificate_verify)) {
+                        !hasCompleted(SSLHandshake.CERTIFICATE_VERIFY.id)) {
 
-                        if (debug != null && Debug.isOn("verbose")) {
-                            Debug.log(
+                        if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                            SSLLogger.fine(
                                 "Not yet have the CertificateVerify message");
                         }
 
@@ -1411,8 +1390,8 @@
 
                 if (!hasFinishedMessage(bufferedFragments)) {
                     // not yet have the ChangeCipherSpec/Finished messages
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log(
+                    if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine(
                             "Not yet have the ChangeCipherSpec and " +
                             "Finished messages");
                     }
@@ -1424,8 +1403,9 @@
                 boolean isReady = hasCompleted(bufferedFragments,
                             handshakeFlight.minMessageSeq,
                             handshakeFlight.maxMessageSeq);
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log("Is the ClientKeyExchange flight (message " +
+                if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                            "Is the ClientKeyExchange flight (message " +
                             handshakeFlight.minMessageSeq + "-" +
                             handshakeFlight.maxMessageSeq +
                             ") completed? " + isReady);
@@ -1437,8 +1417,8 @@
             //
             // Otherwise, need to receive more handshake messages.
             //
-            if (debug != null && Debug.isOn("verbose")) {
-                Debug.log("Need to receive more handshake messages");
+            if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                SSLLogger.fine("Need to receive more handshake messages");
             }
 
             return false;
@@ -1456,12 +1436,12 @@
             boolean hasCCS = false;
             boolean hasFin = false;
             for (RecordFragment fragment : fragments) {
-                if (fragment.contentType == Record.ct_change_cipher_spec) {
+                if (fragment.contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
                     if (hasFin) {
                         return true;
                     }
                     hasCCS = true;
-                } else if (fragment.contentType == Record.ct_handshake) {
+                } else if (fragment.contentType == ContentType.HANDSHAKE.id) {
                     // Finished is the first expected message of a new epoch.
                     if (fragment.isCiphertext) {
                         if (hasCCS) {
@@ -1484,13 +1464,13 @@
             // The caller should have checked the completion of the first
             // present handshake message.  Need not to check it again.
             for (RecordFragment rFrag : fragments) {
-                if ((rFrag.contentType != Record.ct_handshake) ||
+                if ((rFrag.contentType != ContentType.HANDSHAKE.id) ||
                         rFrag.isCiphertext) {
                     break;
                 }
 
                 HandshakeFragment hsFrag = (HandshakeFragment)rFrag;
-                if (hsFrag.handshakeType != HandshakeMessage.ht_certificate) {
+                if (hsFrag.handshakeType != SSLHandshake.CERTIFICATE.id) {
                     continue;
                 }
 
@@ -1519,7 +1499,7 @@
             // The caller should have checked the completion of the first
             // present handshake message.  Need not to check it again.
             for (RecordFragment rFrag : fragments) {
-                if ((rFrag.contentType != Record.ct_handshake) ||
+                if ((rFrag.contentType != ContentType.HANDSHAKE.id) ||
                         rFrag.isCiphertext) {
                     break;
                 }
@@ -1546,32 +1526,16 @@
 
         private void handshakeHashing(
                 HandshakeFragment hsFrag, Plaintext plaintext) {
-
             byte hsType = hsFrag.handshakeType;
-            if ((hsType == HandshakeMessage.ht_hello_request) ||
-                (hsType == HandshakeMessage.ht_hello_verify_request)) {
-
+            if (!handshakeHash.isHashable(hsType)) {
                 // omitted from handshake hash computation
                 return;
             }
 
-            if ((hsFrag.messageSeq == 0) &&
-                (hsType == HandshakeMessage.ht_client_hello)) {
-
-                // omit initial ClientHello message
-                //
-                //  4: handshake header
-                //  2: ClientHello.client_version
-                // 32: ClientHello.random
-                int sidLen = plaintext.fragment.get(38);
-
-                if (sidLen == 0) {      // empty session_id, initial handshake
-                    return;
-                }
-            }
-
-            // calculate the DTLS header
-            byte[] temporary = new byte[12];    // 12: handshake header size
+            // calculate the DTLS header and reserve the handshake message
+            plaintext.fragment.position(4);     // ignore the TLS header
+            byte[] temporary = new byte[plaintext.fragment.remaining() + 12];
+                                                // 12: handshake header size
 
             // Handshake.msg_type
             temporary[0] = hsFrag.handshakeType;
@@ -1595,25 +1559,9 @@
             temporary[10] = temporary[2];
             temporary[11] = temporary[3];
 
-            plaintext.fragment.position(4);     // ignore the TLS header
-            if ((hsType != HandshakeMessage.ht_finished) &&
-                (hsType != HandshakeMessage.ht_certificate_verify)) {
-
-                if (handshakeHash == null) {
-                    // used for cache only
-                    handshakeHash = new HandshakeHash(false);
-                }
-                handshakeHash.update(temporary, 0, 12);
-                handshakeHash.update(plaintext.fragment);
-            } else {
-                // Reserve until this handshake message has been processed.
-                if (handshakeHash == null) {
-                    // used for cache only
-                    handshakeHash = new HandshakeHash(false);
-                }
-                handshakeHash.reserve(temporary, 0, 12);
-                handshakeHash.reserve(plaintext.fragment);
-            }
+            plaintext.fragment.get(temporary,
+                    12, plaintext.fragment.remaining());
+            handshakeHash.receive(temporary);
             plaintext.fragment.position(0);     // restore the position
         }
     }
--- old/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java	2018-05-11 15:04:58.485160300 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/DTLSOutputRecord.java	2018-05-11 15:04:57.964822500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,13 +28,8 @@
 import java.io.*;
 import java.nio.*;
 import java.util.*;
-
-import javax.crypto.BadPaddingException;
-
 import javax.net.ssl.*;
-
-import sun.security.util.HexDumpEncoder;
-import static sun.security.ssl.Ciphertext.RecordType;
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
 
 /**
  * DTLS {@code OutputRecord} implementation for {@code SSLEngine}.
@@ -47,54 +42,62 @@
 
     int                 prevWriteEpoch;
     Authenticator       prevWriteAuthenticator;
-    CipherBox           prevWriteCipher;
+    SSLWriteCipher      prevWriteCipher;
 
-    private LinkedList<RecordMemo> alertMemos = new LinkedList<>();
+    private final LinkedList<RecordMemo> alertMemos = new LinkedList<>();
 
-    DTLSOutputRecord() {
-        this.writeAuthenticator = new MAC(true);
+    DTLSOutputRecord(HandshakeHash handshakeHash) {
+        super(handshakeHash, SSLWriteCipher.nullDTlsWriteCipher());
 
         this.writeEpoch = 0;
         this.prevWriteEpoch = 0;
-        this.prevWriteCipher = CipherBox.NULL;
-        this.prevWriteAuthenticator = new MAC(true);
+        this.prevWriteCipher = SSLWriteCipher.nullDTlsWriteCipher();
 
         this.packetSize = DTLSRecord.maxRecordSize;
-        this.protocolVersion = ProtocolVersion.DEFAULT_DTLS;
+        this.protocolVersion = ProtocolVersion.NONE;
+    }
+
+    @Override
+    void initHandshaker() {
+        // clean up
+        fragmenter = null;
     }
 
     @Override
-    void changeWriteCiphers(Authenticator writeAuthenticator,
-            CipherBox writeCipher) throws IOException {
+    void finishHandshake() {
+//        fragmenter = null;
+    }
 
-        encodeChangeCipherSpec();
+    @Override
+    void changeWriteCiphers(SSLWriteCipher writeCipher,
+            boolean useChangeCipherSpec) throws IOException {
+        if (useChangeCipherSpec) {
+            encodeChangeCipherSpec();
+        }
 
         prevWriteCipher.dispose();
 
-        this.prevWriteAuthenticator = this.writeAuthenticator;
         this.prevWriteCipher = this.writeCipher;
         this.prevWriteEpoch = this.writeEpoch;
 
-        this.writeAuthenticator = writeAuthenticator;
         this.writeCipher = writeCipher;
         this.writeEpoch++;
 
         this.isFirstAppOutputRecord = true;
 
         // set the epoch number
-        this.writeAuthenticator.setEpochNumber(this.writeEpoch);
+        this.writeCipher.authenticator.setEpochNumber(this.writeEpoch);
     }
 
     @Override
     void encodeAlert(byte level, byte description) throws IOException {
         RecordMemo memo = new RecordMemo();
 
-        memo.contentType = Record.ct_alert;
+        memo.contentType = ContentType.ALERT.id;
         memo.majorVersion = protocolVersion.major;
         memo.minorVersion = protocolVersion.minor;
         memo.encodeEpoch = writeEpoch;
         memo.encodeCipher = writeCipher;
-        memo.encodeAuthenticator = writeAuthenticator;
 
         memo.fragment = new byte[2];
         memo.fragment[0] = level;
@@ -114,7 +117,6 @@
     @Override
     void encodeHandshake(byte[] source,
             int offset, int length) throws IOException {
-
         if (firstMessage) {
             firstMessage = false;
         }
@@ -127,30 +129,53 @@
     }
 
     @Override
-    Ciphertext encode(ByteBuffer[] sources, int offset, int length,
+    Ciphertext encode(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
+        return encode(srcs, srcsOffset, srcsLength, dsts[0]);
+    }
+
+    private Ciphertext encode(ByteBuffer[] sources, int offset, int length,
             ByteBuffer destination) throws IOException {
 
-        if (writeAuthenticator.seqNumOverflow()) {
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", sequence number extremely close to overflow " +
+        if (writeCipher.authenticator.seqNumOverflow()) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine(
+                    "sequence number extremely close to overflow " +
                     "(2^64-1 packets). Closing connection.");
             }
 
             throw new SSLHandshakeException("sequence number overflow");
         }
 
-        // not apply to handshake message
-        int macLen = 0;
-        if (writeAuthenticator instanceof MAC) {
-            macLen = ((MAC)writeAuthenticator).MAClen();
+        // Don't process the incoming record until all of the buffered records
+        // get handled.  May need retransmission if no sources specified.
+        if (!isEmpty() || sources == null || sources.length == 0) {
+            Ciphertext ct = acquireCiphertext(destination);
+            if (ct != null) {
+                return ct;
+            }
+        }
+
+        if (sources == null || sources.length == 0) {
+            return null;
+        }
+
+        int srcsRemains = 0;
+        for (int i = offset; i < offset + length; i++) {
+            srcsRemains += sources[i].remaining();
+        }
+
+        if (srcsRemains == 0) {
+            return null;
         }
 
+        // not apply to handshake message
         int fragLen;
         if (packetSize > 0) {
             fragLen = Math.min(maxRecordSize, packetSize);
             fragLen = writeCipher.calculateFragmentSize(
-                    fragLen, macLen, headerSize);
+                    fragLen, headerSize);
 
             fragLen = Math.min(fragLen, Record.maxDataSize);
         } else {
@@ -183,44 +208,38 @@
         destination.limit(destination.position());
         destination.position(dstContent);
 
-        if ((debug != null) && Debug.isOn("record")) {
-            System.out.println(Thread.currentThread().getName() +
-                    ", WRITE: " + protocolVersion + " " +
-                    Record.contentName(Record.ct_application_data) +
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine(
+                    "WRITE: " + protocolVersion + " " +
+                    ContentType.APPLICATION_DATA.name +
                     ", length = " + destination.remaining());
         }
 
         // Encrypt the fragment and wrap up a record.
-        long recordSN = encrypt(writeAuthenticator, writeCipher,
-                Record.ct_application_data, destination,
+        long recordSN = encrypt(writeCipher,
+                ContentType.APPLICATION_DATA.id, destination,
                 dstPos, dstLim, headerSize,
-                protocolVersion, true);
+                protocolVersion);
 
-        if ((debug != null) && Debug.isOn("packet")) {
+        if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
             ByteBuffer temporary = destination.duplicate();
             temporary.limit(temporary.position());
             temporary.position(dstPos);
-            Debug.printHex(
-                    "[Raw write]: length = " + temporary.remaining(),
-                    temporary);
+            SSLLogger.fine("Raw write", temporary);
         }
 
         // remain the limit unchanged
         destination.limit(dstLim);
 
-        return new Ciphertext(RecordType.RECORD_APPLICATION_DATA, recordSN);
+        return new Ciphertext(ContentType.APPLICATION_DATA.id,
+                SSLHandshake.NOT_APPLICABLE.id, recordSN);
     }
 
-    @Override
-    Ciphertext acquireCiphertext(ByteBuffer destination) throws IOException {
+    private Ciphertext acquireCiphertext(
+            ByteBuffer destination) throws IOException {
         if (alertMemos != null && !alertMemos.isEmpty()) {
             RecordMemo memo = alertMemos.pop();
 
-            int macLen = 0;
-            if (memo.encodeAuthenticator instanceof MAC) {
-                macLen = ((MAC)memo.encodeAuthenticator).MAClen();
-            }
-
             int dstPos = destination.position();
             int dstLim = destination.limit();
             int dstContent = dstPos + headerSize +
@@ -232,32 +251,32 @@
             destination.limit(destination.position());
             destination.position(dstContent);
 
-            if ((debug != null) && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion + " " +
-                        Record.contentName(Record.ct_alert) +
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine(
+                        "WRITE: " + protocolVersion + " " +
+                        ContentType.ALERT.name +
                         ", length = " + destination.remaining());
             }
 
             // Encrypt the fragment and wrap up a record.
-            long recordSN = encrypt(memo.encodeAuthenticator, memo.encodeCipher,
-                    Record.ct_alert, destination, dstPos, dstLim, headerSize,
+            long recordSN = encrypt(memo.encodeCipher,
+                    ContentType.ALERT.id,
+                    destination, dstPos, dstLim, headerSize,
                     ProtocolVersion.valueOf(memo.majorVersion,
-                            memo.minorVersion), true);
+                            memo.minorVersion));
 
-            if ((debug != null) && Debug.isOn("packet")) {
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
                 ByteBuffer temporary = destination.duplicate();
                 temporary.limit(temporary.position());
                 temporary.position(dstPos);
-                Debug.printHex(
-                        "[Raw write]: length = " + temporary.remaining(),
-                        temporary);
+                SSLLogger.fine("Raw write", temporary);
             }
 
             // remain the limit unchanged
             destination.limit(dstLim);
 
-            return new Ciphertext(RecordType.RECORD_ALERT, recordSN);
+            return new Ciphertext(ContentType.ALERT.id,
+                    SSLHandshake.NOT_APPLICABLE.id, recordSN);
         }
 
         if (fragmenter != null) {
@@ -274,12 +293,6 @@
     }
 
     @Override
-    void initHandshaker() {
-        // clean up
-        fragmenter = null;
-    }
-
-    @Override
     void launchRetransmission() {
         // Note: Please don't retransmit if there are handshake messages
         // or alerts waiting in the queue.
@@ -295,8 +308,7 @@
         byte            majorVersion;
         byte            minorVersion;
         int             encodeEpoch;
-        CipherBox       encodeCipher;
-        Authenticator   encodeAuthenticator;
+        SSLWriteCipher  encodeCipher;
 
         byte[]          fragment;
     }
@@ -308,7 +320,8 @@
     }
 
     private final class DTLSFragmenter {
-        private LinkedList<RecordMemo> handshakeMemos = new LinkedList<>();
+        private final LinkedList<RecordMemo> handshakeMemos =
+                new LinkedList<>();
         private int acquireIndex = 0;
         private int messageSequence = 0;
         private boolean flightIsReady = false;
@@ -336,12 +349,11 @@
 
             RecordMemo memo = new RecordMemo();
 
-            memo.contentType = Record.ct_change_cipher_spec;
+            memo.contentType = ContentType.CHANGE_CIPHER_SPEC.id;
             memo.majorVersion = protocolVersion.major;
             memo.minorVersion = protocolVersion.minor;
             memo.encodeEpoch = writeEpoch;
             memo.encodeCipher = writeCipher;
-            memo.encodeAuthenticator = writeAuthenticator;
 
             memo.fragment = new byte[1];
             memo.fragment[0] = 1;
@@ -361,12 +373,11 @@
 
             HandshakeMemo memo = new HandshakeMemo();
 
-            memo.contentType = Record.ct_handshake;
+            memo.contentType = ContentType.HANDSHAKE.id;
             memo.majorVersion = protocolVersion.major;
             memo.minorVersion = protocolVersion.minor;
             memo.encodeEpoch = writeEpoch;
             memo.encodeCipher = writeCipher;
-            memo.encodeAuthenticator = writeAuthenticator;
 
             memo.handshakeType = buf[offset];
             memo.messageSequence = messageSequence++;
@@ -379,12 +390,12 @@
             handshakeHashing(memo, memo.fragment);
             handshakeMemos.add(memo);
 
-            if ((memo.handshakeType == HandshakeMessage.ht_client_hello) ||
-                (memo.handshakeType == HandshakeMessage.ht_hello_request) ||
+            if ((memo.handshakeType == SSLHandshake.CLIENT_HELLO.id) ||
+                (memo.handshakeType == SSLHandshake.HELLO_REQUEST.id) ||
                 (memo.handshakeType ==
-                        HandshakeMessage.ht_hello_verify_request) ||
-                (memo.handshakeType == HandshakeMessage.ht_server_hello_done) ||
-                (memo.handshakeType == HandshakeMessage.ht_finished)) {
+                        SSLHandshake.HELLO_VERIFY_REQUEST.id) ||
+                (memo.handshakeType == SSLHandshake.SERVER_HELLO_DONE.id) ||
+                (memo.handshakeType == SSLHandshake.FINISHED.id)) {
 
                 flightIsReady = true;
             }
@@ -401,22 +412,17 @@
 
             RecordMemo memo = handshakeMemos.get(acquireIndex);
             HandshakeMemo hsMemo = null;
-            if (memo.contentType == Record.ct_handshake) {
+            if (memo.contentType == ContentType.HANDSHAKE.id) {
                 hsMemo = (HandshakeMemo)memo;
             }
 
-            int macLen = 0;
-            if (memo.encodeAuthenticator instanceof MAC) {
-                macLen = ((MAC)memo.encodeAuthenticator).MAClen();
-            }
-
             // ChangeCipherSpec message is pretty small.  Don't worry about
             // the fragmentation of ChangeCipherSpec record.
             int fragLen;
             if (packetSize > 0) {
                 fragLen = Math.min(maxRecordSize, packetSize);
                 fragLen = memo.encodeCipher.calculateFragmentSize(
-                        fragLen, macLen, 25);   // 25: header size
+                        fragLen, 25);   // 25: header size
                                                 //   13: DTLS record
                                                 //   12: DTLS handshake message
                 fragLen = Math.min(fragLen, Record.maxDataSize);
@@ -459,27 +465,26 @@
             dstBuf.limit(dstBuf.position());
             dstBuf.position(dstContent);
 
-            if ((debug != null) && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion + " " +
-                        Record.contentName(memo.contentType) +
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine(
+                        "WRITE: " + protocolVersion + " " +
+                        ContentType.nameOf(memo.contentType) +
                         ", length = " + dstBuf.remaining());
             }
 
             // Encrypt the fragment and wrap up a record.
-            long recordSN = encrypt(memo.encodeAuthenticator, memo.encodeCipher,
+            long recordSN = encrypt(memo.encodeCipher,
                     memo.contentType, dstBuf,
                     dstPos, dstLim, headerSize,
                     ProtocolVersion.valueOf(memo.majorVersion,
-                            memo.minorVersion), true);
+                            memo.minorVersion));
 
-            if ((debug != null) && Debug.isOn("packet")) {
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
                 ByteBuffer temporary = dstBuf.duplicate();
                 temporary.limit(temporary.position());
                 temporary.position(dstPos);
-                Debug.printHex(
-                        "[Raw write]: length = " + temporary.remaining(),
-                        temporary);
+                SSLLogger.fine(
+                        "Raw write (" + temporary.remaining() + ")", temporary);
             }
 
             // remain the limit unchanged
@@ -492,39 +497,23 @@
                     acquireIndex++;
                 }
 
-                return new Ciphertext(RecordType.valueOf(
-                        hsMemo.contentType, hsMemo.handshakeType), recordSN);
+                return new Ciphertext(hsMemo.contentType,
+                        hsMemo.handshakeType, recordSN);
             } else {
                 acquireIndex++;
-                return new Ciphertext(
-                        RecordType.RECORD_CHANGE_CIPHER_SPEC, recordSN);
+                return new Ciphertext(ContentType.CHANGE_CIPHER_SPEC.id,
+                        SSLHandshake.NOT_APPLICABLE.id, recordSN);
             }
         }
 
         private void handshakeHashing(HandshakeMemo hsFrag, byte[] hsBody) {
 
             byte hsType = hsFrag.handshakeType;
-            if ((hsType == HandshakeMessage.ht_hello_request) ||
-                (hsType == HandshakeMessage.ht_hello_verify_request)) {
-
+            if (!handshakeHash.isHashable(hsType)) {
                 // omitted from handshake hash computation
                 return;
             }
 
-            if ((hsFrag.messageSequence == 0) &&
-                (hsType == HandshakeMessage.ht_client_hello)) {
-
-                // omit initial ClientHello message
-                //
-                //  2: ClientHello.client_version
-                // 32: ClientHello.random
-                int sidLen = hsBody[34];
-
-                if (sidLen == 0) {      // empty session_id, initial handshake
-                    return;
-                }
-            }
-
             // calculate the DTLS header
             byte[] temporary = new byte[12];    // 12: handshake header size
 
@@ -550,17 +539,8 @@
             temporary[10] = temporary[2];
             temporary[11] = temporary[3];
 
-            if ((hsType != HandshakeMessage.ht_finished) &&
-                (hsType != HandshakeMessage.ht_certificate_verify)) {
-
-                handshakeHash.update(temporary, 0, 12);
-                handshakeHash.update(hsBody, 0, hsBody.length);
-            } else {
-                // Reserve until this handshake message has been processed.
-                handshakeHash.reserve(temporary, 0, 12);
-                handshakeHash.reserve(hsBody, 0, hsBody.length);
-            }
-
+            handshakeHash.deliver(temporary, 0, 12);
+            handshakeHash.deliver(hsBody, 0, hsBody.length);
         }
 
         boolean isEmpty() {
--- old/src/java.base/share/classes/sun/security/ssl/DTLSRecord.java	2018-05-11 15:05:01.265609800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/DTLSRecord.java	2018-05-11 15:05:00.634602100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
--- old/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	2018-05-11 15:05:03.957538400 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java	2018-05-11 15:05:03.369554300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,60 +26,507 @@
 package sun.security.ssl;
 
 import java.io.IOException;
-import java.io.PrintStream;
-
+import java.nio.ByteBuffer;
+import java.security.AlgorithmConstraints;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
 import java.security.PublicKey;
+import java.security.interfaces.ECPrivateKey;
 import java.security.interfaces.ECPublicKey;
-import java.security.spec.*;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPublicKeySpec;
+import java.text.MessageFormat;
+import java.util.EnumSet;
+import java.util.Locale;
+import javax.crypto.SecretKey;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.ssl.ECDHKeyExchange.ECDHECredentials;
+import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
 
 /**
- * ClientKeyExchange message for all ECDH based key exchange methods. It
- * contains the client's ephemeral public value.
- *
- * @since   1.6
- * @author  Andreas Sterbenz
+ * Pack of the "ClientKeyExchange" handshake message.
  */
-final class ECDHClientKeyExchange extends HandshakeMessage {
+final class ECDHClientKeyExchange {
+    static final SSLConsumer ecdhHandshakeConsumer =
+            new ECDHClientKeyExchangeConsumer();
+    static final HandshakeProducer ecdhHandshakeProducer =
+            new ECDHClientKeyExchangeProducer();
+
+    static final SSLConsumer ecdheHandshakeConsumer =
+            new ECDHEClientKeyExchangeConsumer();
+    static final HandshakeProducer ecdheHandshakeProducer =
+            new ECDHEClientKeyExchangeProducer();
+
+    /**
+     * The ECDH/ECDHE ClientKeyExchange handshake message.
+     */
+    private static final
+            class ECDHClientKeyExchangeMessage extends HandshakeMessage {
+        private final byte[] encodedPoint;
+
+        ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
+                ECPublicKey publicKey) {
+            super(handshakeContext);
+
+            ECPoint point = publicKey.getW();
+            ECParameterSpec params = publicKey.getParams();
+            encodedPoint = JsseJce.encodePoint(point, params.getCurve());
+        }
 
-    @Override
-    int messageType() {
-        return ht_client_key_exchange;
-    }
+        ECDHClientKeyExchangeMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+            if (m.remaining() != 0) {       // explicit PublicValueEncoding
+                this.encodedPoint = Record.getBytes8(m);
+            } else {
+                this.encodedPoint = new byte[0];
+            }
+        }
 
-    private byte[] encodedPoint;
+        // Check constraints of the specified EC public key.
+        static void checkConstraints(AlgorithmConstraints constraints,
+                ECPublicKey publicKey,
+                byte[] encodedPoint) throws SSLHandshakeException {
+
+            try {
+                ECParameterSpec params = publicKey.getParams();
+                ECPoint point =
+                        JsseJce.decodePoint(encodedPoint, params.getCurve());
+                ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+
+                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                ECPublicKey peerPublicKey =
+                        (ECPublicKey)kf.generatePublic(spec);
+
+                // check constraints of ECPublicKey
+                if (!constraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                        peerPublicKey)) {
+                    throw new SSLHandshakeException(
+                        "ECPublicKey does not comply to algorithm constraints");
+                }
+            } catch (GeneralSecurityException | java.io.IOException e) {
+                throw (SSLHandshakeException) new SSLHandshakeException(
+                        "Could not generate ECPublicKey").initCause(e);
+            }
+        }
 
-    byte[] getEncodedPoint() {
-        return encodedPoint;
-    }
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CLIENT_KEY_EXCHANGE;
+        }
+
+        @Override
+        public int messageLength() {
+            if (encodedPoint == null || encodedPoint.length == 0) {
+                return 0;
+            } else {
+                return 1 + encodedPoint.length;
+            }
+        }
 
-    // Called by the client with its ephemeral public key.
-    ECDHClientKeyExchange(PublicKey publicKey) {
-        ECPublicKey ecKey = (ECPublicKey)publicKey;
-        ECPoint point = ecKey.getW();
-        ECParameterSpec params = ecKey.getParams();
-        encodedPoint = JsseJce.encodePoint(point, params.getCurve());
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            if (encodedPoint != null && encodedPoint.length != 0) {
+                hos.putBytes8(encodedPoint);
+            }
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"ECDH ClientKeyExchange\": '{'\n" +
+                "  \"ecdh public\": '{'\n" +
+                "{0}\n" +
+                "  '}',\n" +
+                "'}'",
+                Locale.ENGLISH);
+            if (encodedPoint == null || encodedPoint.length == 0) {
+                Object[] messageFields = {
+                    "    <implicit>"
+                };
+                return messageFormat.format(messageFields);
+            } else {
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(encodedPoint), "    "),
+                };
+                return messageFormat.format(messageFields);
+            }
+        }
     }
 
-    ECDHClientKeyExchange(HandshakeInStream input) throws IOException {
-        encodedPoint = input.getBytes8();
+    /**
+     * The ECDH "ClientKeyExchange" handshake message producer.
+     */
+    private static final
+            class ECDHClientKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ECDHClientKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials credential : chc.handshakeCredentials) {
+                if (credential instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)credential;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No server certificate for ECDH client key exchange");
+            }
+
+            PublicKey publicKey = x509Credentials.popPublicKey;
+            if (!publicKey.getAlgorithm().equals("EC")) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Not EC server certificate for ECDH client key exchange");
+            }
+
+            ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
+            NamedGroup namedGroup = NamedGroup.valueOf(params);
+            if (namedGroup == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unsupported EC server cert for ECDH client key exchange");
+            }
+
+            ECDHEPossession ecdhePossession = new ECDHEPossession(
+                    namedGroup, chc.sslContext.getSecureRandom());
+            chc.handshakePossessions.add(ecdhePossession);
+            ECDHClientKeyExchangeMessage cke =
+                    new ECDHClientKeyExchangeMessage(
+                            chc, ecdhePossession.publicKey);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced ECDH ClientKeyExchange handshake message", cke);
+            }
+
+            // Output the handshake message.
+            cke.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // update the states
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+            } else {
+                SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
+                SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+                chc.handshakeSession.setMasterSecret(masterSecret);
+
+                SSLTrafficKeyDerivation kd =
+                        SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+                if (kd == null) {
+                    // unlikely
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            chc.negotiatedProtocol);
+                } else {
+                    chc.handshakeKeyDerivation =
+                        kd.createKeyDerivation(chc, masterSecret);
+                }
+            }
+
+            // The handshake message has been delivered.
+            return null;
+        }
     }
 
-    @Override
-    int messageLength() {
-        return encodedPoint.length + 1;
+    /**
+     * The ECDH "ClientKeyExchange" handshake message consumer.
+     */
+    private static final
+            class ECDHClientKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ECDHClientKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            if (x509Possession == null) {
+                // unlikely, have been checked during cipher suite negotiation.
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No expected EC server cert for ECDH client key exchange");
+                return;     // make the compiler happy
+            }
+
+            PrivateKey privateKey = x509Possession.popPrivateKey;
+            if (!privateKey.getAlgorithm().equals("EC")) {
+                // unlikely, have been checked during cipher suite negotiation.
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Not EC server cert for ECDH client key exchange");
+            }
+
+            ECParameterSpec params = ((ECPrivateKey)privateKey).getParams();
+            NamedGroup namedGroup = NamedGroup.valueOf(params);
+            if (namedGroup == null) {
+                // unlikely, have been checked during cipher suite negotiation.
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unsupported EC server cert for ECDH client key exchange");
+            }
+
+            SSLKeyExchange ke = SSLKeyExchange.valueOf(
+                    shc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+                return;     // make the compiler happy
+            }
+
+            // parse the handshake message
+            ECDHClientKeyExchangeMessage cke =
+                    new ECDHClientKeyExchangeMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming ECDH ClientKeyExchange handshake message", cke);
+            }
+
+            // create the credentials
+            try {
+                ECPoint point =
+                    JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
+                ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+
+                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                ECPublicKey peerPublicKey =
+                        (ECPublicKey)kf.generatePublic(spec);
+
+                // check constraints of peer ECPublicKey
+                if (!shc.algorithmConstraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                        peerPublicKey)) {
+                    throw new SSLHandshakeException(
+                        "ECPublicKey does not comply to algorithm constraints");
+                }
+
+                shc.handshakeCredentials.add(new ECDHECredentials(
+                        peerPublicKey, namedGroup));
+            } catch (GeneralSecurityException | java.io.IOException e) {
+                throw (SSLHandshakeException)(new SSLHandshakeException(
+                        "Could not generate ECPublicKey").initCause(e));
+            }
+
+            // update the states
+            SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
+            SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+            shc.handshakeSession.setMasterSecret(masterSecret);
+
+            SSLTrafficKeyDerivation kd =
+                    SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+            if (kd == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Not supported key derivation: " + shc.negotiatedProtocol);
+            } else {
+                shc.handshakeKeyDerivation =
+                    kd.createKeyDerivation(shc, masterSecret);
+            }
+        }
     }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putBytes8(encodedPoint);
+    /**
+     * The ECDHE "ClientKeyExchange" handshake message producer.
+     */
+    private static final
+            class ECDHEClientKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ECDHEClientKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            ECDHECredentials ecdheCredentials = null;
+            for (SSLCredentials cd : chc.handshakeCredentials) {
+                if (cd instanceof ECDHECredentials) {
+                    ecdheCredentials = (ECDHECredentials)cd;
+                    break;
+                }
+            }
+
+            if (ecdheCredentials == null) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No ECDHE credentials negotiated for client key exchange");
+            }
+
+            ECDHEPossession ecdhePossession = new ECDHEPossession(
+                    ecdheCredentials, chc.sslContext.getSecureRandom());
+            chc.handshakePossessions.add(ecdhePossession);
+            ECDHClientKeyExchangeMessage cke =
+                    new ECDHClientKeyExchangeMessage(
+                            chc, ecdhePossession.publicKey);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced ECDHE ClientKeyExchange handshake message", cke);
+            }
+
+            // Output the handshake message.
+            cke.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // update the states
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+            } else {
+                SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
+                SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+                chc.handshakeSession.setMasterSecret(masterSecret);
+
+                SSLTrafficKeyDerivation kd =
+                        SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+                if (kd == null) {
+                    // unlikely
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            chc.negotiatedProtocol);
+                } else {
+                    chc.handshakeKeyDerivation =
+                        kd.createKeyDerivation(chc, masterSecret);
+                }
+            }
+
+            // The handshake message has been delivered.
+            return null;
+        }
     }
 
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** ECDHClientKeyExchange");
+    /**
+     * The ECDHE "ClientKeyExchange" handshake message consumer.
+     */
+    private static final
+            class ECDHEClientKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ECDHEClientKeyExchangeConsumer() {
+            // blank
+        }
 
-        if (debug != null && Debug.isOn("verbose")) {
-            Debug.println(s, "ECDH Public value", encodedPoint);
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            ECDHEPossession ecdhePossession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof ECDHEPossession) {
+                    ecdhePossession = (ECDHEPossession)possession;
+                    break;
+                }
+            }
+            if (ecdhePossession == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No expected ECDHE possessions for client key exchange");
+                return;     // make the compiler happy
+            }
+
+            ECParameterSpec params = ecdhePossession.publicKey.getParams();
+            NamedGroup namedGroup = NamedGroup.valueOf(params);
+            if (namedGroup == null) {
+                // unlikely, have been checked during cipher suite negotiation.
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unsupported EC server cert for ECDHE client key exchange");
+            }
+
+            SSLKeyExchange ke = SSLKeyExchange.valueOf(
+                    shc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+                return;     // make the compiler happy
+            }
+
+            // parse the handshake message
+            ECDHClientKeyExchangeMessage cke =
+                    new ECDHClientKeyExchangeMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming ECDHE ClientKeyExchange handshake message", cke);
+            }
+
+            // create the credentials
+            try {
+                ECPoint point =
+                    JsseJce.decodePoint(cke.encodedPoint, params.getCurve());
+                ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+
+                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                ECPublicKey peerPublicKey =
+                        (ECPublicKey)kf.generatePublic(spec);
+
+                // check constraints of peer ECPublicKey
+                if (!shc.algorithmConstraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                        peerPublicKey)) {
+                    throw new SSLHandshakeException(
+                        "ECPublicKey does not comply to algorithm constraints");
+                }
+
+                shc.handshakeCredentials.add(new ECDHECredentials(
+                        peerPublicKey, namedGroup));
+            } catch (GeneralSecurityException | java.io.IOException e) {
+                throw (SSLHandshakeException)(new SSLHandshakeException(
+                        "Could not generate ECPublicKey").initCause(e));
+            }
+
+            // update the states
+            SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
+            SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+            shc.handshakeSession.setMasterSecret(masterSecret);
+
+            SSLTrafficKeyDerivation kd =
+                    SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+            if (kd == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Not supported key derivation: " + shc.negotiatedProtocol);
+            } else {
+                shc.handshakeKeyDerivation =
+                    kd.createKeyDerivation(shc, masterSecret);
+            }
         }
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java	2018-05-11 15:05:06.556861100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/EphemeralKeyManager.java	2018-05-11 15:05:05.988511500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
--- old/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java	2018-05-11 15:05:08.910691700 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java	2018-05-11 15:05:08.310959900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates.
+ * Copyright (c) 2017, 2018, Red Hat, Inc. and/or its affiliates.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,46 +26,360 @@
 package sun.security.ssl;
 
 import java.io.IOException;
+import java.nio.ByteBuffer;
 import javax.net.ssl.SSLProtocolException;
+import static sun.security.ssl.SSLConfiguration.allowLegacyMasterSecret;
+import static sun.security.ssl.SSLConfiguration.allowLegacyResumption;
+import static sun.security.ssl.SSLExtension.CH_EXTENDED_MASTER_SECRET;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.SH_EXTENDED_MASTER_SECRET;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
 
 /**
- * Extended Master Secret TLS extension (TLS 1.0+). This extension
- * defines how to calculate the TLS connection master secret and
- * mitigates some types of man-in-the-middle attacks.
- *
- * See further information in
- * <a href="https://tools.ietf.org/html/rfc7627">RFC 7627</a>.
- *
- * @author Martin Balao (mbalao@redhat.com)
+ * Pack of the "extended_master_secret" extensions [RFC 5746].
  */
-final class ExtendedMasterSecretExtension extends HelloExtension {
-    ExtendedMasterSecretExtension() {
-        super(ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+final class ExtendedMasterSecretExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHExtendedMasterSecretProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHExtendedMasterSecretConsumer();
+    static final HandshakeAbsence chOnLoadAbsence =
+            new CHExtendedMasterSecretAbsence();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHExtendedMasterSecretProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHExtendedMasterSecretConsumer();
+    static final HandshakeAbsence shOnLoadAbsence =
+            new SHExtendedMasterSecretAbsence();
+
+    static final SSLStringize emsStringize =
+            new ExtendedMasterSecretStringize();
+
+    /**
+     * The "extended_master_secret" extension.
+     */
+    static final class ExtendedMasterSecretSpec implements SSLExtensionSpec {
+        // A nominal object that does not holding any real renegotiation info.
+        static final ExtendedMasterSecretSpec NOMINAL =
+                new ExtendedMasterSecretSpec();
+
+        private ExtendedMasterSecretSpec() {
+            // blank
+        }
+
+        private ExtendedMasterSecretSpec(ByteBuffer m) throws IOException {
+            // Parse the extension.
+            if (m.hasRemaining()) {
+                throw new SSLProtocolException(
+                    "Invalid extended_master_secret extension data: " +
+                    "not empty");
+            }
+        }
+
+        @Override
+        public String toString() {
+            return "<empty>";
+        }
+    }
+
+    private static final
+            class ExtendedMasterSecretStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new ExtendedMasterSecretSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "extended_master_secret" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHExtendedMasterSecretProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHExtendedMasterSecretProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extended_master_secret extension");
+                }
+
+                return null;
+            }
+
+            if (chc.handshakeSession == null ||
+                    chc.handshakeSession.useExtendedMasterSecret) {
+                byte[] extData = new byte[0];
+                chc.handshakeExtensions.put(CH_EXTENDED_MASTER_SECRET,
+                        ExtendedMasterSecretSpec.NOMINAL);
+
+                return extData;
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data producer of a "extended_master_secret" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class CHExtendedMasterSecretConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHExtendedMasterSecretConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Ignore unavailable extension: " +
+                            CH_EXTENDED_MASTER_SECRET.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            ExtendedMasterSecretSpec spec;
+            try {
+                spec = new ExtendedMasterSecretSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (shc.isResumption && shc.resumingSession != null &&
+                    !shc.resumingSession.useExtendedMasterSecret) {
+                // For abbreviated handshake request, If the original
+                // session did not use the "extended_master_secret"
+                // extension but the new ClientHello contains the
+                // extension, then the server MUST NOT perform the
+                // abbreviated handshake.  Instead, it SHOULD continue
+                // with a full handshake.
+                shc.isResumption = false;
+                shc.resumingSession = null;
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "abort session resumption which did not use " +
+                        "Extended Master Secret extension");
+                }
+            }
+
+            // Update the context.
+            //
+            shc.handshakeExtensions.put(
+                CH_EXTENDED_MASTER_SECRET, ExtendedMasterSecretSpec.NOMINAL);
+
+            // No impact on session resumption.
+        }
     }
 
-    ExtendedMasterSecretExtension(HandshakeInStream s,
-            int len) throws IOException {
-        super(ExtensionType.EXT_EXTENDED_MASTER_SECRET);
+    /**
+     * The absence processing if a "extended_master_secret" extension is
+     * not present in the ClientHello handshake message.
+     */
+    private static final
+            class CHExtendedMasterSecretAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_EXTENDED_MASTER_SECRET)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Ignore unavailable extension: " +
+                            CH_EXTENDED_MASTER_SECRET.name);
+                }
+                return;     // ignore the extension
+            }
 
-        if (len != 0) {
-            throw new SSLProtocolException("Invalid " + type + " extension");
+            if (!allowLegacyMasterSecret) {
+                // For full handshake, if the server receives a ClientHello
+                // without the extension, it SHOULD abort the handshake if
+                // it does not wish to interoperate with legacy clients.
+                //
+                // As if extended master extension is required for full
+                // handshake, it MUST be used in abbreviated handshake too.
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Extended Master Secret extension is required");
+            }
+
+            if (shc.isResumption && shc.resumingSession != null) {
+                if (shc.resumingSession.useExtendedMasterSecret) {
+                    // For abbreviated handshake request, if the original
+                    // session used the "extended_master_secret" extension
+                    // but the new ClientHello does not contain it, the
+                    // server MUST abort the abbreviated handshake.
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Missing Extended Master Secret extension " +
+                            "on session resumption");
+                } else {
+                    // For abbreviated handshake request, if neither the
+                    // original session nor the new ClientHello uses the
+                    // extension, the server SHOULD abort the handshake.
+                    if (!allowLegacyResumption) {
+                        shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Missing Extended Master Secret extension " +
+                            "on session resumption");
+                    } else {  // Otherwise, continue with a full handshake.
+                        shc.isResumption = false;
+                        shc.resumingSession = null;
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.fine(
+                                "abort session resumption, " +
+                                "missing Extended Master Secret extension");
+                        }
+                    }
+                }
+            }
         }
     }
 
-    @Override
-    int length() {
-        return 4;       // 4: extension type and length fields
+    /**
+     * Network data producer of a "extended_master_secret" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHExtendedMasterSecretProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHExtendedMasterSecretProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            if (shc.handshakeSession.useExtendedMasterSecret) {
+                byte[] extData = new byte[0];
+                shc.handshakeExtensions.put(SH_EXTENDED_MASTER_SECRET,
+                        ExtendedMasterSecretSpec.NOMINAL);
+
+                return extData;
+            }
+
+            return null;
+        }
     }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);    // ExtensionType extension_type;
-        s.putInt16(0);          // extension_data length
+    /**
+     * Network data consumer of a "extended_master_secret" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHExtendedMasterSecretConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHExtendedMasterSecretConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to the client extended_master_secret extension
+            // request, which is mandatory for ClientHello message.
+            ExtendedMasterSecretSpec requstedSpec = (ExtendedMasterSecretSpec)
+                    chc.handshakeExtensions.get(CH_EXTENDED_MASTER_SECRET);
+            if (requstedSpec == null) {
+                chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                        "Server sent the extended_master_secret " +
+                        "extension improperly");
+            }
+
+            // Parse the extension.
+            ExtendedMasterSecretSpec spec;
+            try {
+                spec = new ExtendedMasterSecretSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (chc.isResumption && chc.resumingSession != null &&
+                    !chc.resumingSession.useExtendedMasterSecret) {
+                chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                        "Server sent an unexpected extended_master_secret " +
+                        "extension on session resumption");
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                SH_EXTENDED_MASTER_SECRET, ExtendedMasterSecretSpec.NOMINAL);
+
+            // No impact on session resumption.
+        }
     }
 
-    @Override
-    public String toString() {
-        return "Extension " + type;
+    /**
+     * The absence processing if a "extended_master_secret" extension is
+     * not present in the ServerHello handshake message.
+     */
+    private static final
+            class SHExtendedMasterSecretAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            if (SSLConfiguration.useExtendedMasterSecret
+                    && !SSLConfiguration.allowLegacyMasterSecret) {
+                // For full handshake, if a client receives a ServerHello
+                // without the extension, it SHOULD abort the handshake if
+                // it does not wish to interoperate with legacy servers.
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Extended Master Secret extension is required");
+            }
+
+            if (chc.isResumption && chc.resumingSession != null) {
+                if (chc.resumingSession.useExtendedMasterSecret) {
+                    // For abbreviated handshake, if the original session used
+                    // the "extended_master_secret" extension but the new
+                    // ServerHello does not contain the extension, the client
+                    // MUST abort the handshake.
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Missing Extended Master Secret extension " +
+                            "on session resumption");
+                } else if (SSLConfiguration.useExtendedMasterSecret &&
+                        !SSLConfiguration.allowLegacyResumption) {
+                    // Unlikely, abbreviated handshake should be discarded.
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Extended Master Secret extension is required");
+                }
+            }
+        }
     }
 }
 
--- old/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java	2018-05-11 15:05:11.235687400 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HandshakeHash.java	2018-05-11 15:05:10.561898200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,514 +23,627 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.io.ByteArrayOutputStream;
-import java.security.*;
-import java.util.Locale;
+import java.io.IOException;
 import java.nio.ByteBuffer;
+import java.security.MessageDigest;
+import java.util.Arrays;
+import java.util.LinkedList;
+import javax.crypto.SecretKey;
+import sun.security.util.MessageDigestSpi2;
 
-/**
- * Abstraction for the SSL/TLS hash of all handshake messages that is
- * maintained to verify the integrity of the negotiation. Internally,
- * it consists of an MD5 and an SHA1 digest. They are used in the client
- * and server finished messages and in certificate verify messages (if sent).
- *
- * This class transparently deals with cloneable and non-cloneable digests.
- *
- * This class now supports TLS 1.2 also. The key difference for TLS 1.2
- * is that you cannot determine the hash algorithms for CertificateVerify
- * at a early stage. On the other hand, it's simpler than TLS 1.1 (and earlier)
- * that there is no messy MD5+SHA1 digests.
- *
- * You need to obey these conventions when using this class:
- *
- * 1. protocolDetermined(version) should be called when the negotiated
- * protocol version is determined.
- *
- * 2. Before protocolDetermined() is called, only update(), and reset()
- * and setFinishedAlg() can be called.
- *
- * 3. After protocolDetermined() is called, reset() cannot be called.
- *
- * 4. After protocolDetermined() is called, if the version is pre-TLS 1.2,
- * getFinishedHash() cannot be called. Otherwise,
- * getMD5Clone() and getSHAClone() cannot be called.
- *
- * 5. getMD5Clone() and getSHAClone() can only be called after
- * protocolDetermined() is called and version is pre-TLS 1.2.
- *
- * 6. getFinishedHash() can only be called after protocolDetermined()
- * and setFinishedAlg() have been called and the version is TLS 1.2.
- *
- * Suggestion: Call protocolDetermined() and setFinishedAlg()
- * as early as possible.
- *
- * Example:
- * <pre>
- * HandshakeHash hh = new HandshakeHash(...)
- * hh.protocolDetermined(ProtocolVersion.TLS12);
- * hh.update(clientHelloBytes);
- * hh.setFinishedAlg("SHA-256");
- * hh.update(serverHelloBytes);
- * ...
- * hh.update(CertificateVerifyBytes);
- * ...
- * hh.update(finished1);
- * byte[] finDigest1 = hh.getFinishedHash();
- * hh.update(finished2);
- * byte[] finDigest2 = hh.getFinishedHash();
- * </pre>
- */
 final class HandshakeHash {
+    private TranscriptHash transcriptHash;
+    private LinkedList<byte[]> reserves;    // one handshake message per entry
+    private boolean hasBeenUsed;
+
+    HandshakeHash() {
+        this.transcriptHash = new CacheOnlyHash();
+        this.reserves = new LinkedList<>();
+        this.hasBeenUsed = false;
+    }
+
+    // fix the negotiated protocol version and cipher suite
+    void determine(ProtocolVersion protocolVersion,
+            CipherSuite cipherSuite) {
+        if (!(transcriptHash instanceof CacheOnlyHash)) {
+            throw new IllegalStateException(
+                    "Not expected instance of transcript hash");
+        }
+
+        CacheOnlyHash coh = (CacheOnlyHash)transcriptHash;
+        if (protocolVersion.useTLS13PlusSpec()) {
+            transcriptHash = new T13HandshakeHash(cipherSuite);
+        } else if (protocolVersion.useTLS12PlusSpec()) {
+            transcriptHash = new T12HandshakeHash(cipherSuite);
+        } else if (protocolVersion.useTLS10PlusSpec()) {
+            transcriptHash = new T10HandshakeHash(cipherSuite);
+        } else {
+            transcriptHash = new S30HandshakeHash(cipherSuite);
+        }
+
+        byte[] reserved = coh.baos.toByteArray();
+        if (reserved.length != 0) {
+            transcriptHash.update(reserved, 0, reserved.length);
+        }
+    }
+
+    HandshakeHash copy() {
+        if (transcriptHash instanceof CacheOnlyHash) {
+            HandshakeHash result = new HandshakeHash();
+            result.transcriptHash = ((CacheOnlyHash)transcriptHash).copy();
+            result.reserves = new LinkedList<>(reserves);
+            result.hasBeenUsed = hasBeenUsed;
+            return result;
+        } else {
+            throw new IllegalStateException("Hash does not support copying");
+        }
+    }
 
-    // Common
+    void receive(byte[] input) {
+        reserves.add(Arrays.copyOf(input, input.length));
+    }
 
-    // -1:  unknown
-    //  1:  <=TLS 1.1
-    //  2:  TLS 1.2
-    private int version = -1;
-    private ByteArrayOutputStream data = new ByteArrayOutputStream();
-
-    // For TLS 1.1
-    private MessageDigest md5, sha;
-    private final int clonesNeeded;    // needs to be saved for later use
-
-    // For TLS 1.2
-    private MessageDigest finMD;
-
-    // Cache for input record handshake hash computation
-    private ByteArrayOutputStream reserve = new ByteArrayOutputStream();
-
-    /**
-     * Create a new HandshakeHash. needCertificateVerify indicates whether
-     * a hash for the certificate verify message is required.
-     */
-    HandshakeHash(boolean needCertificateVerify) {
-        // We may rework the code later, but for now we use hard-coded number
-        // of clones if the underlying MessageDigests are not cloneable.
-        //
-        // The number used here is based on the current handshake protocols and
-        // implementation.  It may be changed if the handshake processe gets
-        // changed in the future, for example adding a new extension that
-        // requires handshake hash.  Please be careful about the number of
-        // clones if additional handshak hash is required in the future.
-        //
-        // For the current implementation, the handshake hash is required for
-        // the following items:
-        //     . CertificateVerify handshake message (optional)
-        //     . client Finished handshake message
-        //     . server Finished Handshake message
-        //     . the extended Master Secret extension [RFC 7627]
-        //
-        // Note that a late call to server setNeedClientAuth dose not update
-        // the number of clones.  We may address the issue later.
-        //
-        // Note for safety, we allocate one more clone for the current
-        // implementation.  We may consider it more carefully in the future
-        // for the exact number or rework the code in a different way.
-        clonesNeeded = needCertificateVerify ? 5 : 4;
+    void receive(byte[] input, int offset, int length) {
+        reserves.add(Arrays.copyOfRange(input, offset, offset + length));
     }
 
-    void reserve(ByteBuffer input) {
+    void receive(ByteBuffer input, int length) {
         if (input.hasArray()) {
-            reserve.write(input.array(),
+            int from = input.position() + input.arrayOffset();
+            int to = from + length;
+            reserves.add(Arrays.copyOfRange(input.array(), from, to));
+        } else {
+            int inPos = input.position();
+            byte[] holder = new byte[length];
+            input.get(holder);
+            input.position(inPos);
+            reserves.add(Arrays.copyOf(holder, holder.length));
+        }
+    }
+    void receive(ByteBuffer input) {
+        receive(input, input.remaining());
+    }
+
+    // For HelloRetryRequest only! Please use this method very carefully!
+    void push(byte[] input) {
+        reserves.push(Arrays.copyOf(input, input.length));
+    }
+
+    // For PreSharedKey to modify the state of the PSK binder hash
+    byte[] removeLastReceived() {
+        return reserves.removeLast();
+    }
+
+    void deliver(byte[] input) {
+        update();
+        transcriptHash.update(input, 0, input.length);
+    }
+
+    void deliver(byte[] input, int offset, int length) {
+        update();
+        transcriptHash.update(input, offset, length);
+    }
+
+    void deliver(ByteBuffer input) {
+        update();
+        if (input.hasArray()) {
+            transcriptHash.update(input.array(),
                     input.position() + input.arrayOffset(), input.remaining());
         } else {
             int inPos = input.position();
             byte[] holder = new byte[input.remaining()];
             input.get(holder);
             input.position(inPos);
-            reserve.write(holder, 0, holder.length);
+            transcriptHash.update(holder, 0, holder.length);
+        }
+    }
+
+    // Use one handshake message if it has not been used.
+    void utilize() {
+        if (hasBeenUsed) {
+            return;
+        }
+        if (reserves.size() != 0) {
+            byte[] holder = reserves.remove();
+            transcriptHash.update(holder, 0, holder.length);
+            hasBeenUsed = true;
         }
     }
 
-    void reserve(byte[] b, int offset, int len) {
-        reserve.write(b, offset, len);
+    // Consume one handshake message if it has not been consumed.
+    void consume() {
+        if (hasBeenUsed) {
+            hasBeenUsed = false;
+            return;
+        }
+        if (reserves.size() != 0) {
+            byte[] holder = reserves.remove();
+            transcriptHash.update(holder, 0, holder.length);
+        }
     }
 
-    void reload() {
-        if (reserve.size() != 0) {
-            byte[] bytes = reserve.toByteArray();
-            reserve.reset();
-            update(bytes, 0, bytes.length);
+    void update() {
+        while (reserves.size() != 0) {
+            byte[] holder = reserves.remove();
+            transcriptHash.update(holder, 0, holder.length);
         }
+        hasBeenUsed = false;
     }
 
-    void update(ByteBuffer input) {
+    byte[] digest() {
+        // Note that the reserve handshake message may be not a part of
+        // the expected digest.
+        return transcriptHash.digest();
+    }
 
-        // reload if there are reserved messages.
-        reload();
+    void finish() {
+        this.transcriptHash = new CacheOnlyHash();
+        this.reserves = new LinkedList<>();
+        this.hasBeenUsed = false;
+    }
 
-        int inPos = input.position();
-        switch (version) {
-            case 1:
-                md5.update(input);
-                input.position(inPos);
+    // Optional
+    byte[] archived() {
+        // Note that the reserve handshake message may be not a part of
+        // the expected digest.
+        return transcriptHash.archived();
+    }
 
-                sha.update(input);
-                input.position(inPos);
+    // Optional, TLS 1.0/1.1 only
+    byte[] digest(String algorithm) {
+        T10HandshakeHash hh = (T10HandshakeHash)transcriptHash;
+        return hh.digest(algorithm);
+    }
 
-                break;
-            default:
-                if (finMD != null) {
-                    finMD.update(input);
-                    input.position(inPos);
-                }
-                if (input.hasArray()) {
-                    data.write(input.array(),
-                            inPos + input.arrayOffset(), input.remaining());
-                } else {
-                    byte[] holder = new byte[input.remaining()];
-                    input.get(holder);
-                    input.position(inPos);
-                    data.write(holder, 0, holder.length);
-                }
-                break;
-        }
+    // Optional, SSL 3.0 only
+    byte[] digest(String algorithm, SecretKey masterSecret) {
+        S30HandshakeHash hh = (S30HandshakeHash)transcriptHash;
+        return hh.digest(algorithm, masterSecret);
     }
 
-    void update(byte handshakeType, byte[] handshakeBody) {
+    // Optional, SSL 3.0 only
+    byte[] digest(boolean useClientLabel, SecretKey masterSecret) {
+        S30HandshakeHash hh = (S30HandshakeHash)transcriptHash;
+        return hh.digest(useClientLabel, masterSecret);
+    }
 
-        // reload if there are reserved messages.
-        reload();
+    public boolean isHashable(byte handshakeType) {
+        return handshakeType != SSLHandshake.HELLO_REQUEST.id &&
+               handshakeType != SSLHandshake.HELLO_VERIFY_REQUEST.id;
+    }
 
-        switch (version) {
-            case 1:
-                md5.update(handshakeType);
-                sha.update(handshakeType);
-
-                md5.update((byte)((handshakeBody.length >> 16) & 0xFF));
-                sha.update((byte)((handshakeBody.length >> 16) & 0xFF));
-                md5.update((byte)((handshakeBody.length >> 8) & 0xFF));
-                sha.update((byte)((handshakeBody.length >> 8) & 0xFF));
-                md5.update((byte)(handshakeBody.length & 0xFF));
-                sha.update((byte)(handshakeBody.length & 0xFF));
-
-                md5.update(handshakeBody);
-                sha.update(handshakeBody);
-                break;
-            default:
-                if (finMD != null) {
-                    finMD.update(handshakeType);
-                    finMD.update((byte)((handshakeBody.length >> 16) & 0xFF));
-                    finMD.update((byte)((handshakeBody.length >> 8) & 0xFF));
-                    finMD.update((byte)(handshakeBody.length & 0xFF));
-                    finMD.update(handshakeBody);
-                }
-                data.write(handshakeType);
-                data.write((byte)((handshakeBody.length >> 16) & 0xFF));
-                data.write((byte)((handshakeBody.length >> 8) & 0xFF));
-                data.write((byte)(handshakeBody.length & 0xFF));
-                data.write(handshakeBody, 0, handshakeBody.length);
-                break;
-        }
+    interface TranscriptHash {
+        void update(byte[] input, int offset, int length);
+        byte[] digest();
+        byte[] archived();  // optional
     }
 
-    void update(byte[] b, int offset, int len) {
-
-        // reload if there are reserved messages.
-        reload();
-
-        switch (version) {
-            case 1:
-                md5.update(b, offset, len);
-                sha.update(b, offset, len);
-                break;
-            default:
-                if (finMD != null) {
-                    finMD.update(b, offset, len);
-                }
-                data.write(b, offset, len);
-                break;
+    // For cache only.
+    private static final class CacheOnlyHash implements TranscriptHash {
+        private final ByteArrayOutputStream baos;
+
+        CacheOnlyHash() {
+            this.baos = new ByteArrayOutputStream();
         }
-    }
 
-    /**
-     * Reset the remaining digests. Note this does *not* reset the number of
-     * digest clones that can be obtained. Digests that have already been
-     * cloned and are gone remain gone.
-     */
-    void reset() {
-        if (version != -1) {
-            throw new RuntimeException(
-                    "reset() can be only be called before protocolDetermined");
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            baos.write(input, offset, length);
+        }
+
+        @Override
+        public byte[] digest() {
+            throw new IllegalStateException(
+                    "Not expected call to handshake hash digest");
+        }
+
+        @Override
+        public byte[] archived() {
+            return baos.toByteArray();
+        }
+
+        CacheOnlyHash copy() {
+            CacheOnlyHash result = new CacheOnlyHash();
+            try {
+                baos.writeTo(result.baos);
+            } catch (IOException ex) {
+                throw new RuntimeException("unable to to clone hash state");
+            }
+            return result;
         }
-        data.reset();
     }
 
+    static final class S30HandshakeHash implements TranscriptHash {
+        static final byte[] MD5_pad1 = genPad(0x36, 48);
+        static final byte[] MD5_pad2 = genPad(0x5c, 48);
 
-    void protocolDetermined(ProtocolVersion pv) {
+        static final byte[] SHA_pad1 = genPad(0x36, 40);
+        static final byte[] SHA_pad2 = genPad(0x5c, 40);
 
-        // Do not set again, will ignore
-        if (version != -1) {
-            return;
+        private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 };
+        private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 };
+
+        private final MessageDigest mdMD5;
+        private final MessageDigest mdSHA;
+        private final TranscriptHash md5;
+        private final TranscriptHash sha;
+        private final ByteArrayOutputStream baos;
+
+        S30HandshakeHash(CipherSuite cipherSuite) {
+            this.mdMD5 = JsseJce.getMessageDigest("MD5");
+            this.mdSHA = JsseJce.getMessageDigest("SHA");
+
+            boolean hasArchived = false;
+            if (mdMD5 instanceof Cloneable) {
+                md5 = new CloneableHash(mdMD5);
+            } else {
+                hasArchived = true;
+                md5 = new NonCloneableHash(mdMD5);
+            }
+            if (mdSHA instanceof Cloneable) {
+                sha = new CloneableHash(mdSHA);
+            } else {
+                hasArchived = true;
+                sha = new NonCloneableHash(mdSHA);
+            }
+
+            if (hasArchived) {
+                this.baos = null;
+            } else {
+                this.baos = new ByteArrayOutputStream();
+            }
         }
 
-        if (pv.maybeDTLSProtocol()) {
-            version = pv.compareTo(ProtocolVersion.DTLS12) >= 0 ? 2 : 1;
-        } else {
-            version = pv.compareTo(ProtocolVersion.TLS12) >= 0 ? 2 : 1;
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            md5.update(input, offset, length);
+            sha.update(input, offset, length);
+            if (baos != null) {
+                baos.write(input, offset, length);
+            }
+        }
+
+        @Override
+        public byte[] digest() {
+            byte[] digest = new byte[36];
+            System.arraycopy(md5.digest(), 0, digest, 0, 16);
+            System.arraycopy(sha.digest(), 0, digest, 16, 20);
+
+            return digest;
         }
-        switch (version) {
-            case 1:
-                // initiate md5, sha and call update on saved array
+
+        @Override
+        public byte[] archived() {
+            if (baos != null) {
+                return baos.toByteArray();
+            } else if (md5 instanceof NonCloneableHash) {
+                return md5.archived();
+            } else {
+                return sha.archived();
+            }
+        }
+
+        byte[] digest(boolean useClientLabel, SecretKey masterSecret) {
+            MessageDigest md5Clone = cloneMd5();
+            MessageDigest shaClone = cloneSha();
+
+            if (useClientLabel) {
+                md5Clone.update(SSL_CLIENT);
+                shaClone.update(SSL_CLIENT);
+            } else {
+                md5Clone.update(SSL_SERVER);
+                shaClone.update(SSL_SERVER);
+            }
+
+            updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterSecret);
+            updateDigest(shaClone, SHA_pad1, SHA_pad2, masterSecret);
+
+            byte[] digest = new byte[36];
+            System.arraycopy(md5Clone.digest(), 0, digest, 0, 16);
+            System.arraycopy(shaClone.digest(), 0, digest, 16, 20);
+
+            return digest;
+        }
+
+        byte[] digest(String algorithm, SecretKey masterSecret) {
+            if ("RSA".equalsIgnoreCase(algorithm)) {
+                MessageDigest md5Clone = cloneMd5();
+                MessageDigest shaClone = cloneSha();
+                updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterSecret);
+                updateDigest(shaClone, SHA_pad1, SHA_pad2, masterSecret);
+
+                byte[] digest = new byte[36];
+                System.arraycopy(md5Clone.digest(), 0, digest, 0, 16);
+                System.arraycopy(shaClone.digest(), 0, digest, 16, 20);
+
+                return digest;
+            } else {
+                MessageDigest shaClone = cloneSha();
+                updateDigest(shaClone, SHA_pad1, SHA_pad2, masterSecret);
+                return shaClone.digest();
+            }
+        }
+
+        private static byte[] genPad(int b, int count) {
+            byte[] padding = new byte[count];
+            Arrays.fill(padding, (byte)b);
+            return padding;
+        }
+
+        private MessageDigest cloneMd5() {
+            MessageDigest md5Clone;
+            if (mdMD5 instanceof Cloneable) {
                 try {
-                    md5 = CloneableDigest.getDigest("MD5", clonesNeeded);
-                    sha = CloneableDigest.getDigest("SHA", clonesNeeded);
-                } catch (NoSuchAlgorithmException e) {
-                    throw new RuntimeException
-                                ("Algorithm MD5 or SHA not available", e);
+                    md5Clone = (MessageDigest)mdMD5.clone();
+                } catch (CloneNotSupportedException ex) {   // unlikely
+                    throw new RuntimeException(
+                            "MessageDigest does no support clone operation");
                 }
-                byte[] bytes = data.toByteArray();
-                update(bytes, 0, bytes.length);
-                break;
-            case 2:
-                break;
+            } else {
+                md5Clone = JsseJce.getMessageDigest("MD5");
+                md5Clone.update(md5.archived());
+            }
+
+            return md5Clone;
         }
-    }
 
-    /////////////////////////////////////////////////////////////
-    // Below are old methods for pre-TLS 1.1
-    /////////////////////////////////////////////////////////////
+        private MessageDigest cloneSha() {
+            MessageDigest shaClone;
+            if (mdSHA instanceof Cloneable) {
+                try {
+                    shaClone = (MessageDigest)mdSHA.clone();
+                } catch (CloneNotSupportedException ex) {   // unlikely
+                    throw new RuntimeException(
+                            "MessageDigest does no support clone operation");
+                }
+            } else {
+                shaClone = JsseJce.getMessageDigest("SHA");
+                shaClone.update(sha.archived());
+            }
 
-    /**
-     * Return a new MD5 digest updated with all data hashed so far.
-     */
-    MessageDigest getMD5Clone() {
-        if (version != 1) {
-            throw new RuntimeException(
-                    "getMD5Clone() can be only be called for TLS 1.1");
+            return shaClone;
         }
-        return cloneDigest(md5);
-    }
 
-    /**
-     * Return a new SHA digest updated with all data hashed so far.
-     */
-    MessageDigest getSHAClone() {
-        if (version != 1) {
-            throw new RuntimeException(
-                    "getSHAClone() can be only be called for TLS 1.1");
+        private static void updateDigest(MessageDigest md,
+                byte[] pad1, byte[] pad2, SecretKey masterSecret) {
+            byte[] keyBytes = "RAW".equals(masterSecret.getFormat())
+                            ? masterSecret.getEncoded() : null;
+            if (keyBytes != null) {
+                md.update(keyBytes);
+            } else {
+                digestKey(md, masterSecret);
+            }
+            md.update(pad1);
+            byte[] temp = md.digest();
+
+            if (keyBytes != null) {
+                md.update(keyBytes);
+            } else {
+                digestKey(md, masterSecret);
+            }
+            md.update(pad2);
+            md.update(temp);
         }
-        return cloneDigest(sha);
-    }
 
-    private static MessageDigest cloneDigest(MessageDigest digest) {
-        try {
-            return (MessageDigest)digest.clone();
-        } catch (CloneNotSupportedException e) {
-            // cannot occur for digests generated via CloneableDigest
-            throw new RuntimeException("Could not clone digest", e);
+        private static void digestKey(MessageDigest md, SecretKey key) {
+            try {
+                if (md instanceof MessageDigestSpi2) {
+                    ((MessageDigestSpi2)md).engineUpdate(key);
+                } else {
+                    throw new Exception(
+                        "Digest does not support implUpdate(SecretKey)");
+                }
+            } catch (Exception e) {
+                throw new RuntimeException(
+                    "Could not obtain encoded key and "
+                    + "MessageDigest cannot digest key", e);
+            }
         }
     }
 
-    /////////////////////////////////////////////////////////////
-    // Below are new methods for TLS 1.2
-    /////////////////////////////////////////////////////////////
-
-    private static String normalizeAlgName(String alg) {
-        alg = alg.toUpperCase(Locale.US);
-        if (alg.startsWith("SHA")) {
-            if (alg.length() == 3) {
-                return "SHA-1";
+    // TLS 1.0 and TLS 1.1
+    static final class T10HandshakeHash implements TranscriptHash {
+        private final TranscriptHash md5;
+        private final TranscriptHash sha;
+        private final ByteArrayOutputStream baos;
+
+        T10HandshakeHash(CipherSuite cipherSuite) {
+            MessageDigest mdMD5 = JsseJce.getMessageDigest("MD5");
+            MessageDigest mdSHA = JsseJce.getMessageDigest("SHA");
+
+            boolean hasArchived = false;
+            if (mdMD5 instanceof Cloneable) {
+                md5 = new CloneableHash(mdMD5);
+            } else {
+                hasArchived = true;
+                md5 = new NonCloneableHash(mdMD5);
+            }
+            if (mdSHA instanceof Cloneable) {
+                sha = new CloneableHash(mdSHA);
+            } else {
+                hasArchived = true;
+                sha = new NonCloneableHash(mdSHA);
             }
-            if (alg.charAt(3) != '-') {
-                return "SHA-" + alg.substring(3);
+
+            if (hasArchived) {
+                this.baos = null;
+            } else {
+                this.baos = new ByteArrayOutputStream();
             }
         }
-        return alg;
-    }
-    /**
-     * Specifies the hash algorithm used in Finished. This should be called
-     * based in info in ServerHello.
-     * Can be called multiple times.
-     */
-    void setFinishedAlg(String s) {
-        if (s == null) {
-            throw new RuntimeException(
-                    "setFinishedAlg's argument cannot be null");
+
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            md5.update(input, offset, length);
+            sha.update(input, offset, length);
+            if (baos != null) {
+                baos.write(input, offset, length);
+            }
         }
 
-        // Can be called multiple times, but only set once
-        if (finMD != null) return;
+        @Override
+        public byte[] digest() {
+            byte[] digest = new byte[36];
+            System.arraycopy(md5.digest(), 0, digest, 0, 16);
+            System.arraycopy(sha.digest(), 0, digest, 16, 20);
 
-        try {
-            // See comment in the contructor.
-            finMD = CloneableDigest.getDigest(normalizeAlgName(s), 4);
-        } catch (NoSuchAlgorithmException e) {
-            throw new Error(e);
+            return digest;
         }
-        finMD.update(data.toByteArray());
-    }
 
-    byte[] getAllHandshakeMessages() {
-        return data.toByteArray();
-    }
+        byte[] digest(String algorithm) {
+            if ("RSA".equalsIgnoreCase(algorithm)) {
+                return digest();
+            } else {
+                return sha.digest();
+            }
+        }
 
-    /**
-     * Calculates the hash in Finished. Must be called after setFinishedAlg().
-     * This method can be called twice, for Finished messages of the server
-     * side and client side respectively.
-     */
-    byte[] getFinishedHash() {
-        try {
-            return cloneDigest(finMD).digest();
-        } catch (Exception e) {
-            throw new Error("Error during hash calculation", e);
+        @Override
+        public byte[] archived() {
+            if (baos != null) {
+                return baos.toByteArray();
+            } else if (md5 instanceof NonCloneableHash) {
+                return md5.archived();
+            } else {
+                return sha.archived();
+            }
         }
     }
-}
 
-/**
- * A wrapper for MessageDigests that simulates cloning of non-cloneable
- * digests. It uses the standard MessageDigest API and therefore can be used
- * transparently in place of a regular digest.
- *
- * Note that we extend the MessageDigest class directly rather than
- * MessageDigestSpi. This works because MessageDigest was originally designed
- * this way in the JDK 1.1 days which allows us to avoid creating an internal
- * provider.
- *
- * It can be "cloned" a limited number of times, which is specified at
- * construction time. This is achieved by internally maintaining n digests
- * in parallel. Consequently, it is only 1/n-th times as fast as the original
- * digest.
- *
- * Example:
- *   MessageDigest md = CloneableDigest.getDigest("SHA", 2);
- *   md.update(data1);
- *   MessageDigest md2 = (MessageDigest)md.clone();
- *   md2.update(data2);
- *   byte[] d1 = md2.digest(); // digest of data1 || data2
- *   md.update(data3);
- *   byte[] d2 = md.digest();  // digest of data1 || data3
- *
- * This class is not thread safe.
- *
- */
-final class CloneableDigest extends MessageDigest implements Cloneable {
+    static final class T12HandshakeHash implements TranscriptHash {
+        private final TranscriptHash transcriptHash;
+        private final ByteArrayOutputStream baos;
+
+        T12HandshakeHash(CipherSuite cipherSuite) {
+            MessageDigest md =
+                    JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
+            if (md instanceof Cloneable) {
+                transcriptHash = new CloneableHash(md);
+                this.baos = null;
+            } else {
+                transcriptHash = new NonCloneableHash(md);
+                this.baos = new ByteArrayOutputStream();
+            }
+        }
 
-    /**
-     * The individual MessageDigests. Initially, all elements are non-null.
-     * When clone() is called, the non-null element with the maximum index is
-     * returned and the array element set to null.
-     *
-     * All non-null element are always in the same state.
-     */
-    private final MessageDigest[] digests;
-
-    private CloneableDigest(MessageDigest digest, int n, String algorithm)
-            throws NoSuchAlgorithmException {
-        super(algorithm);
-        digests = new MessageDigest[n];
-        digests[0] = digest;
-        for (int i = 1; i < n; i++) {
-            digests[i] = JsseJce.getMessageDigest(algorithm);
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            transcriptHash.update(input, offset, length);
+            if (baos != null) {
+                baos.write(input, offset, length);
+            }
         }
-    }
 
-    /**
-     * Return a MessageDigest for the given algorithm that can be cloned the
-     * specified number of times. If the default implementation supports
-     * cloning, it is returned. Otherwise, an instance of this class is
-     * returned.
-     */
-    static MessageDigest getDigest(String algorithm, int n)
-            throws NoSuchAlgorithmException {
-        MessageDigest digest = JsseJce.getMessageDigest(algorithm);
-        try {
-            digest.clone();
-            // already cloneable, use it
-            return digest;
-        } catch (CloneNotSupportedException e) {
-            return new CloneableDigest(digest, n, algorithm);
+        @Override
+        public byte[] digest() {
+            return transcriptHash.digest();
         }
-    }
 
-    /**
-     * Check if this object is still usable. If it has already been cloned the
-     * maximum number of times, there are no digests left and this object can no
-     * longer be used.
-     */
-    private void checkState() {
-        // XXX handshaking currently doesn't stop updating hashes...
-        // if (digests[0] == null) {
-        //     throw new IllegalStateException("no digests left");
-        // }
+        @Override
+        public byte[] archived() {
+            if (baos != null) {
+                return baos.toByteArray();
+            } else {
+                return transcriptHash.archived();
+            }
+        }
     }
 
-    @Override
-    protected int engineGetDigestLength() {
-        checkState();
-        return digests[0].getDigestLength();
-    }
+    static final class T13HandshakeHash implements TranscriptHash {
+        private final TranscriptHash transcriptHash;
+        private final ByteArrayOutputStream baos;
+
+        T13HandshakeHash(CipherSuite cipherSuite) {
+            MessageDigest md =
+                    JsseJce.getMessageDigest(cipherSuite.hashAlg.name);
+            if (md instanceof Cloneable) {
+                transcriptHash = new CloneableHash(md);
+                this.baos = null;
+            } else {
+                transcriptHash = new NonCloneableHash(md);
+                this.baos = new ByteArrayOutputStream();
+            }
+        }
 
-    @Override
-    protected void engineUpdate(byte b) {
-        checkState();
-        for (int i = 0; (i < digests.length) && (digests[i] != null); i++) {
-            digests[i].update(b);
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            transcriptHash.update(input, offset, length);
+            if (baos != null) {
+                baos.write(input, offset, length);
+            }
         }
-    }
 
-    @Override
-    protected void engineUpdate(byte[] b, int offset, int len) {
-        checkState();
-        for (int i = 0; (i < digests.length) && (digests[i] != null); i++) {
-            digests[i].update(b, offset, len);
+        @Override
+        public byte[] digest() {
+            return transcriptHash.digest();
         }
-    }
 
-    @Override
-    protected byte[] engineDigest() {
-        checkState();
-        byte[] digest = digests[0].digest();
-        digestReset();
-        return digest;
-    }
+        @Override
+        public byte[] archived() {
+            if (baos != null) {
+                return baos.toByteArray();
+            } else {
+                return transcriptHash.archived();
+            }
 
-    @Override
-    protected int engineDigest(byte[] buf, int offset, int len)
-            throws DigestException {
-        checkState();
-        int n = digests[0].digest(buf, offset, len);
-        digestReset();
-        return n;
+            // throw new UnsupportedOperationException("Not supported yet.");
+        }
     }
 
-    /**
-     * Reset all digests after a digest() call. digests[0] has already been
-     * implicitly reset by the digest() call and does not need to be reset
-     * again.
-     */
-    private void digestReset() {
-        for (int i = 1; (i < digests.length) && (digests[i] != null); i++) {
-            digests[i].reset();
+    static final class CloneableHash implements TranscriptHash {
+        private final MessageDigest md;
+
+        CloneableHash(MessageDigest md) {
+            this.md = md;
         }
-    }
 
-    @Override
-    protected void engineReset() {
-        checkState();
-        for (int i = 0; (i < digests.length) && (digests[i] != null); i++) {
-            digests[i].reset();
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            md.update(input, offset, length);
         }
-    }
 
-    @Override
-    public Object clone() {
-        checkState();
-        for (int i = digests.length - 1; i >= 0; i--) {
-            if (digests[i] != null) {
-                MessageDigest digest = digests[i];
-                digests[i] = null;
-                return digest;
+        @Override
+        public byte[] digest() {
+            try {
+                return ((MessageDigest)md.clone()).digest();
+            } catch (CloneNotSupportedException ex) {
+                // unlikely
+                return new byte[0];
             }
         }
-        // cannot occur
-        throw new InternalError();
+
+        @Override
+        public byte[] archived() {
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
     }
 
+    static final class NonCloneableHash implements TranscriptHash {
+        private final MessageDigest md;
+        private final ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        NonCloneableHash(MessageDigest md) {
+            this.md = md;
+        }
+
+        @Override
+        public void update(byte[] input, int offset, int length) {
+            baos.write(input, offset, length);
+        }
+
+        @Override
+        public byte[] digest() {
+            byte[] bytes = baos.toByteArray();
+            md.reset();
+            return md.digest(bytes);
+        }
+
+        @Override
+        public byte[] archived() {
+            return baos.toByteArray();
+        }
+    }
 }
--- old/src/java.base/share/classes/sun/security/ssl/HandshakeOutStream.java	2018-05-11 15:05:13.477922500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HandshakeOutStream.java	2018-05-11 15:05:12.937891600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -56,11 +56,12 @@
             throw new RuntimeException("handshake message is not available");
         }
 
-        // outputRecord cannot be null
-        outputRecord.encodeHandshake(buf, 0, count);
+        if (outputRecord != null) {
+            outputRecord.encodeHandshake(buf, 0, count);
 
-        // reset the byte array output stream
-        reset();
+            // reset the byte array output stream
+            reset();
+        }   // otherwise, the handshake outstream is temporarily used only.
     }
 
     //
@@ -76,7 +77,9 @@
 
     @Override
     public void flush() throws IOException {
-        outputRecord.flush();
+        if (outputRecord != null) {
+            outputRecord.flush();
+        }
     }
 
     //
@@ -104,6 +107,13 @@
         super.write(i >> 16);
         super.write(i >> 8);
         super.write(i);
+    }
+
+    void putInt32(int i) throws IOException {
+        super.write(i >> 24);
+        super.write(i >> 16);
+        super.write(i >> 8);
+        super.write(i);
     }
 
     /*
--- old/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java	2018-05-11 15:05:16.086966700 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HelloCookieManager.java	2018-05-11 15:05:15.313950200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,119 +26,321 @@
 package sun.security.ssl;
 
 import java.io.IOException;
-import javax.net.ssl.SSLProtocolException;
 import java.security.MessageDigest;
 import java.security.SecureRandom;
+import java.util.Arrays;
+import static sun.security.ssl.ClientHello.ClientHelloMessage;
 
-import sun.security.ssl.HandshakeMessage.ClientHello;
-
-/*
- * HelloVerifyRequest cookie manager
+/**
+ *  (D)TLS handshake cookie manager
  */
-final class HelloCookieManager {
-    // the cookie secret life time
-    private static long COOKIE_TIMING_WINDOW = 3600000;     // in milliseconds
-    private static int  COOKIE_MAX_LENGTH_DTLS10 = 32;      // 32 bytes
-    private static int  COOKIE_MAX_LENGTH_DTLS12 = 0xFF;    // 2^8 -1 bytes
-
-    private final SecureRandom          secureRandom;
-    private final MessageDigest         cookieDigest;
-
-    private int                         cookieVersion;      // allow to wrap
-    private long                        secretLifetime;
-    private byte[]                      cookieSecret;
+class HelloCookieManager {
+    final SecureRandom secureRandom;
 
-    private int                         prevCookieVersion;
-    private byte[]                      prevCookieSecret;
+    private volatile D10HelloCookieManager d10HelloCookieManager;
+    private volatile D13HelloCookieManager d13HelloCookieManager;
+    private volatile T13HelloCookieManager t13HelloCookieManager;
 
     HelloCookieManager(SecureRandom secureRandom) {
         this.secureRandom = secureRandom;
-        this.cookieDigest = JsseJce.getMessageDigest("SHA-256");
+    }
+
+    HelloCookieManager valueOf(ProtocolVersion protocolVersion) {
+        if (protocolVersion.isDTLS) {
+            if (protocolVersion.useTLS13PlusSpec()) {
+                if (d13HelloCookieManager != null) {
+                    return d13HelloCookieManager;
+                }
+
+                synchronized (this) {
+                    if (d13HelloCookieManager == null) {
+                        d13HelloCookieManager =
+                                new D13HelloCookieManager(secureRandom);
+                    }
+                }
 
-        this.cookieVersion = secureRandom.nextInt();
-        this.secretLifetime = 0;
-        this.cookieSecret = null;
-
-        this.prevCookieVersion = 0;
-        this.prevCookieSecret = null;
-    }
-
-    // Used by server side to generate cookies in HelloVerifyRequest message.
-    synchronized byte[] getCookie(ClientHello clientHelloMsg) {
-        if (secretLifetime < System.currentTimeMillis()) {
-            if (cookieSecret != null) {
-                prevCookieVersion = cookieVersion;
-                prevCookieSecret = cookieSecret.clone();
+                return d13HelloCookieManager;
             } else {
-                cookieSecret = new byte[32];
+                if (d10HelloCookieManager != null) {
+                    return d10HelloCookieManager;
+                }
+
+                synchronized (this) {
+                    if (d10HelloCookieManager == null) {
+                        d10HelloCookieManager =
+                                new D10HelloCookieManager(secureRandom);
+                    }
+                }
+
+                return d10HelloCookieManager;
             }
+        } else {
+            if (protocolVersion.useTLS13PlusSpec()) {
+                if (t13HelloCookieManager != null) {
+                    return t13HelloCookieManager;
+                }
+
+                synchronized (this) {
+                    if (t13HelloCookieManager == null) {
+                        t13HelloCookieManager =
+                                new T13HelloCookieManager(secureRandom);
+                    }
+                }
 
-            cookieVersion++;
-            secureRandom.nextBytes(cookieSecret);
-            secretLifetime = System.currentTimeMillis() + COOKIE_TIMING_WINDOW;
+                return t13HelloCookieManager;
+            }
         }
 
-        clientHelloMsg.updateHelloCookie(cookieDigest);
-        byte[] cookie = cookieDigest.digest(cookieSecret);      // 32 bytes
-        cookie[0] = (byte)((cookieVersion >> 24) & 0xFF);
-        cookie[1] = (byte)((cookieVersion >> 16) & 0xFF);
-        cookie[2] = (byte)((cookieVersion >> 8) & 0xFF);
-        cookie[3] = (byte)(cookieVersion & 0xFF);
+        return null;
+    }
+
+    byte[] createCookie(ConnectionContext context,
+                ClientHelloMessage clientHello) throws IOException {
+        throw new UnsupportedOperationException(
+                "Not yet supported handshake cookie manager");
+    }
 
-        return cookie;
+    boolean isCookieValid(ConnectionContext context,
+            ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+        throw new UnsupportedOperationException(
+                "Not yet supported handshake cookie manager");
     }
 
-    // Used by server side to check the cookie in ClientHello message.
-    synchronized boolean isValid(ClientHello clientHelloMsg) {
-        byte[] cookie = clientHelloMsg.cookie;
+    // DTLS 1.0/1.2
+    private static final
+            class D10HelloCookieManager extends HelloCookieManager {
+        private int         cookieVersion;  // allow to wrap, version + sequence
+        private byte[]      cookieSecret;
+        private byte[]      legacySecret;
+
+        D10HelloCookieManager(SecureRandom secureRandom) {
+            super(secureRandom);
+
+            this.cookieVersion = secureRandom.nextInt();
+            this.cookieSecret = new byte[32];
+            this.legacySecret = new byte[32];
 
-        // no cookie exchange or not a valid cookie length
-        if ((cookie == null) || (cookie.length != 32)) {
-            return false;
+            secureRandom.nextBytes(cookieSecret);
+            System.arraycopy(cookieSecret, 0, legacySecret, 0, 32);
         }
 
-        int version = ((cookie[0] & 0xFF) << 24) |
-                      ((cookie[1] & 0xFF) << 16) |
-                      ((cookie[2] & 0xFF) << 8) |
-                       (cookie[3] & 0xFF);
+        @Override
+        byte[] createCookie(ConnectionContext context,
+                ClientHelloMessage clientHello) throws IOException {
+            int version;
+            byte[] secret;
+
+            synchronized (this) {
+                version = cookieVersion;
+                secret = cookieSecret;
+
+                // the cookie secret usage limit is 2^24
+                if ((cookieVersion & 0xFFFFFF) == 0) {  // reset the secret
+                    System.arraycopy(cookieSecret, 0, legacySecret, 0, 32);
+                    secureRandom.nextBytes(cookieSecret);
+                }
 
-        byte[] secret;
-        if (version == cookieVersion) {
-            secret = cookieSecret;
-        } else if (version == prevCookieVersion) {
-            secret = prevCookieSecret;
-        } else {
-            return false;       // may be out of the timing window
-        }
+                cookieVersion++;
+            }
+
+            MessageDigest md = JsseJce.getMessageDigest("SHA-256");
+            byte[] helloBytes = clientHello.getHelloCookieBytes();
+            md.update(helloBytes);
+            byte[] cookie = md.digest(secret);      // 32 bytes
+            cookie[0] = (byte)((version >> 24) & 0xFF);
 
-        clientHelloMsg.updateHelloCookie(cookieDigest);
-        byte[] target = cookieDigest.digest(secret);            // 32 bytes
+            return cookie;
+        }
 
-        for (int i = 4; i < 32; i++) {
-            if (cookie[i] != target[i]) {
+        @Override
+        boolean isCookieValid(ConnectionContext context,
+            ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+            // no cookie exchange or not a valid cookie length
+            if ((cookie == null) || (cookie.length != 32)) {
                 return false;
             }
+
+            byte[] secret;
+            synchronized (this) {
+                if (((cookieVersion >> 24) & 0xFF) == cookie[0]) {
+                    secret = cookieSecret;
+                } else {
+                    secret = legacySecret;  // including out of window cookies
+                }
+            }
+
+            MessageDigest md = JsseJce.getMessageDigest("SHA-256");
+            byte[] helloBytes = clientHello.getHelloCookieBytes();
+            md.update(helloBytes);
+            byte[] target = md.digest(secret);      // 32 bytes
+            target[0] = cookie[0];
+
+            return Arrays.equals(target, cookie);
+        }
+    }
+
+    private static final
+            class D13HelloCookieManager extends HelloCookieManager {
+        D13HelloCookieManager(SecureRandom secureRandom) {
+            super(secureRandom);
         }
 
-        return true;
+        @Override
+        byte[] createCookie(ConnectionContext context,
+                ClientHelloMessage clientHello) throws IOException {
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
+
+        @Override
+        boolean isCookieValid(ConnectionContext context,
+            ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
     }
 
-    // Used by client side to check the cookie in HelloVerifyRequest message.
-    static void checkCookie(ProtocolVersion protocolVersion,
-            byte[] cookie) throws IOException {
-        if (cookie != null && cookie.length != 0) {
-            int limit = COOKIE_MAX_LENGTH_DTLS12;
-            if (protocolVersion.v == ProtocolVersion.DTLS10.v) {
-                limit = COOKIE_MAX_LENGTH_DTLS10;
-            }
+    private static final
+            class T13HelloCookieManager extends HelloCookieManager {
+        private int             cookieVersion;      // version + sequence
+        private final byte[]    cookieSecret;
+        private final byte[]    legacySecret;
+
+        T13HelloCookieManager(SecureRandom secureRandom) {
+            super(secureRandom);
+
+            this.cookieVersion = secureRandom.nextInt();
+            this.cookieSecret = new byte[64];
+            this.legacySecret = new byte[64];
+
+            secureRandom.nextBytes(cookieSecret);
+            System.arraycopy(cookieSecret, 0, legacySecret, 0, 64);
+        }
 
-            if (cookie.length > COOKIE_MAX_LENGTH_DTLS10) {
-                throw new SSLProtocolException(
-                        "Invalid HelloVerifyRequest.cookie (length = " +
-                         cookie.length + " bytes)");
+        @Override
+        byte[] createCookie(ConnectionContext context,
+                ClientHelloMessage clientHello) throws IOException {
+            int version;
+            byte[] secret;
+
+            synchronized (this) {
+                version = cookieVersion;
+                secret = cookieSecret;
+
+                // the cookie secret usage limit is 2^24
+                if ((cookieVersion & 0xFFFFFF) == 0) {  // reset the secret
+                    System.arraycopy(cookieSecret, 0, legacySecret, 0, 64);
+                    secureRandom.nextBytes(cookieSecret);
+                }
+
+                cookieVersion++;        // allow wrapped version number
             }
+
+            // happens in server side only
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            MessageDigest md = JsseJce.getMessageDigest(
+                    shc.negotiatedCipherSuite.hashAlg.name);
+            byte[] headerBytes = clientHello.getHeaderBytes();
+            md.update(headerBytes);
+            byte[] headerCookie = md.digest(secret);
+
+            // hash of ClientHello handshake message
+            shc.handshakeHash.update();
+            byte[] clientHelloHash = shc.handshakeHash.digest();
+
+            // version and cipher suite
+            //
+            // Store the negotiated cipher suite in the cookie as well.
+            // cookie[0]/[1]: cipher suite
+            // cookie[2]: cookie version
+            // + (hash length): Mac(ClientHello header)
+            // + (hash length): Hash(ClientHello)
+            byte[] prefix = new byte[] {
+                    (byte)((shc.negotiatedCipherSuite.id >> 8) & 0xFF),
+                    (byte)(shc.negotiatedCipherSuite.id & 0xFF),
+                    (byte)((version >> 24) & 0xFF)
+                };
+
+            byte[] cookie = Arrays.copyOf(prefix,
+                prefix.length + headerCookie.length + clientHelloHash.length);
+            System.arraycopy(headerCookie, 0, cookie,
+                prefix.length, headerCookie.length);
+            System.arraycopy(clientHelloHash, 0, cookie,
+                prefix.length + headerCookie.length, clientHelloHash.length);
+
+            return cookie;
         }
 
-        // Otherwise, no cookie exchange.
+        @Override
+        boolean isCookieValid(ConnectionContext context,
+            ClientHelloMessage clientHello, byte[] cookie) throws IOException {
+            // no cookie exchange or not a valid cookie length
+            if ((cookie == null) || (cookie.length <= 32)) {    // 32: roughly
+                return false;
+            }
+
+            int csId = ((cookie[0] & 0xFF) << 8) | (cookie[1] & 0xFF);
+            CipherSuite cs = CipherSuite.valueOf(csId);
+            if (cs == null || cs.hashAlg == null || cs.hashAlg.hashLength == 0) {
+                return false;
+            }
+
+            int hashLen = cs.hashAlg.hashLength;
+            if (cookie.length != (3 + hashLen * 2)) {
+                return false;
+            }
+
+            byte[] prevHeadCookie =
+                    Arrays.copyOfRange(cookie, 3, 3 + hashLen);
+            byte[] prevClientHelloHash =
+                    Arrays.copyOfRange(cookie, 3 + hashLen, cookie.length);
+
+            byte[] secret;
+            synchronized (this) {
+                if ((byte)((cookieVersion >> 24) & 0xFF) == cookie[2]) {
+                    secret = cookieSecret;
+                } else {
+                    secret = legacySecret;  // including out of window cookies
+                }
+            }
+
+            // happens in server side only
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            MessageDigest md = JsseJce.getMessageDigest(cs.hashAlg.name);
+            byte[] headerBytes = clientHello.getHeaderBytes();
+            md.update(headerBytes);
+            byte[] headerCookie = md.digest(secret);
+
+            if (!Arrays.equals(headerCookie, prevHeadCookie)) {
+                return false;
+            }
+
+            // Use the ClientHello hash in the cookie for transtript
+            // hash calculation for stateless HelloRetryRequest.
+            //
+            // Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) =
+            //   Hash(message_hash ||    /* Handshake type */
+            //     00 00 Hash.length ||  /* Handshake message length (bytes) */
+            //     Hash(ClientHello1) || /* Hash of ClientHello1 */
+            //     HelloRetryRequest || ... || Mn)
+
+            // Reproduce HelloRetryRequest handshake message
+            byte[] hrrMessage =
+                    ServerHello.hrrReproducer.produce(context, clientHello);
+            shc.handshakeHash.push(hrrMessage);
+
+            // Construct the 1st ClientHello message for transcript hash
+            byte[] hashedClientHello = new byte[4 + hashLen];
+            hashedClientHello[0] = SSLHandshake.MESSAGE_HASH.id;
+            hashedClientHello[1] = (byte)0x00;
+            hashedClientHello[2] = (byte)0x00;
+            hashedClientHello[3] = (byte)(hashLen & 0xFF);
+            System.arraycopy(prevClientHelloHash, 0,
+                    hashedClientHello, 4, hashLen);
+
+            shc.handshakeHash.push(hashedClientHello);
+
+            return true;
+        }
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/InputRecord.java	2018-05-11 15:05:18.189867900 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/InputRecord.java	2018-05-11 15:05:17.658901600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,14 +27,8 @@
 
 import java.io.*;
 import java.nio.*;
-import java.util.*;
-
 import javax.crypto.BadPaddingException;
-
-import javax.net.ssl.*;
-
-import sun.security.util.HexDumpEncoder;
-
+import sun.security.ssl.SSLCipher.SSLReadCipher;
 
 /**
  * {@code InputRecord} takes care of the management of SSL/TLS/DTLS input
@@ -42,15 +36,10 @@
  *
  * @author David Brownell
  */
-class InputRecord implements Record, Closeable {
-
-    /* Class and subclass dynamic debugging support */
-    static final Debug debug = Debug.getInstance("ssl");
-
-    Authenticator       readAuthenticator;
-    CipherBox           readCipher;
+abstract class InputRecord implements Record, Closeable {
+    SSLReadCipher       readCipher;
 
-    HandshakeHash       handshakeHash;
+    final HandshakeHash handshakeHash;
     boolean             isClosed;
 
     // The ClientHello version to accept. If set to ProtocolVersion.SSL20Hello
@@ -61,10 +50,11 @@
     // fragment size
     int                 fragmentSize;
 
-    InputRecord() {
-        this.readCipher = CipherBox.NULL;
-        this.readAuthenticator = null;      // Please override this assignment.
-        this.helloVersion = ProtocolVersion.DEFAULT_HELLO;
+    InputRecord(HandshakeHash handshakeHash, SSLReadCipher readCipher) {
+        this.readCipher = readCipher;
+        this.helloVersion = ProtocolVersion.TLS10;
+        this.handshakeHash = handshakeHash;
+        this.isClosed = false;
         this.fragmentSize = Record.maxDataSize;
     }
 
@@ -76,37 +66,9 @@
         return helloVersion;
     }
 
-    /*
-     * Set instance for the computation of handshake hashes.
-     *
-     * For handshaking, we need to be able to hash every byte above the
-     * record marking layer.  This is where we're guaranteed to see those
-     * bytes, so this is where we can hash them ... especially in the
-     * case of hashing the initial V2 message!
-     */
-    void setHandshakeHash(HandshakeHash handshakeHash) {
-        if (handshakeHash != null) {
-            byte[] reserved = null;
-            if (this.handshakeHash != null) {
-                reserved = this.handshakeHash.getAllHandshakeMessages();
-            }
-            if ((reserved != null) && (reserved.length != 0)) {
-                handshakeHash.update(reserved, 0, reserved.length);
-
-               if (debug != null && Debug.isOn("data")) {
-                    Debug.printHex(
-                        "[reserved] handshake hash: len = " + reserved.length,
-                        reserved);
-               }
-            }
-        }
-
-        this.handshakeHash = handshakeHash;
-    }
-
     boolean seqNumIsHuge() {
-        return (readAuthenticator != null) &&
-                        readAuthenticator.seqNumIsHuge();
+        return (readCipher.authenticator != null) &&
+                        readCipher.authenticator.seqNumIsHuge();
     }
 
     boolean isEmpty() {
@@ -118,6 +80,11 @@
         // blank
     }
 
+    // apply to DTLS SSLEngine
+    void finishHandshake() {
+        // blank
+    }
+
     /**
      * Prevent any more data from being read into this record,
      * and flag the record as holding no data.
@@ -130,9 +97,12 @@
         }
     }
 
+    synchronized boolean isClosed() {
+        return isClosed;
+    }
+
     // apply to SSLSocket and SSLEngine
-    void changeReadCiphers(
-            Authenticator readAuthenticator, CipherBox readCipher) {
+    void changeReadCiphers(SSLReadCipher readCipher) {
 
         /*
          * Dispose of any intermediate state in the underlying cipher.
@@ -144,7 +114,6 @@
          */
         readCipher.dispose();
 
-        this.readAuthenticator = readAuthenticator;
         this.readCipher = readCipher;
     }
 
@@ -160,22 +129,20 @@
      * @return -1 if there are not enough bytes to tell (small header),
      */
     // apply to SSLEngine only
-    int bytesInCompletePacket(ByteBuffer buf) throws SSLException {
-        throw new UnsupportedOperationException();
+    int bytesInCompletePacket(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength) throws IOException {
+
+        throw new UnsupportedOperationException("Not supported yet.");
     }
 
     // apply to SSLSocket only
-    int bytesInCompletePacket(InputStream is) throws IOException {
+    int bytesInCompletePacket() throws IOException {
         throw new UnsupportedOperationException();
     }
 
-    /**
-     * Return true if the specified record protocol version is out of the
-     * range of the possible supported versions.
-     */
-    void checkRecordVersion(ProtocolVersion version,
-            boolean allowSSL20Hello) throws SSLException {
-        // blank
+    // apply to SSLSocket only
+    void setReceiverStream(InputStream inputStream) {
+        throw new UnsupportedOperationException();
     }
 
     // apply to DTLS SSLEngine only
@@ -186,17 +153,8 @@
 
     // read, decrypt and decompress the network record.
     //
-    // apply to SSLEngine only
-    Plaintext decode(ByteBuffer netData)
-            throws IOException, BadPaddingException {
-        throw new UnsupportedOperationException();
-    }
-
-    // apply to SSLSocket only
-    Plaintext decode(InputStream is, ByteBuffer destination)
-            throws IOException, BadPaddingException {
-        throw new UnsupportedOperationException();
-    }
+    abstract Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset,
+            int srcsLength) throws IOException, BadPaddingException;
 
     // apply to SSLSocket only
     void setDeliverStream(OutputStream outputStream) {
@@ -216,9 +174,7 @@
 
     // Not apply to DTLS
     static ByteBuffer convertToClientHello(ByteBuffer packet) {
-
         int srcPos = packet.position();
-        int srcLim = packet.limit();
 
         byte firstByte = packet.get();
         byte secondByte = packet.get();
@@ -244,7 +200,7 @@
         //  1: length byte of ClientHello.session_id
         //  2: length bytes of ClientHello.cipher_suites
         //  2: empty ClientHello.compression_methods
-        int requiredSize = 48 + sessionIdLen + ((cipherSpecLen * 2 ) / 3 );
+        int requiredSize = 48 + sessionIdLen + ((cipherSpecLen * 2 ) / 3);
         byte[] converted = new byte[requiredSize];
 
         /*
@@ -252,7 +208,7 @@
          * that's now buffered up.  (Lengths are fixed up later).
          */
         // Note: need not to set the header actually.
-        converted[0] = ct_handshake;
+        converted[0] = ContentType.HANDSHAKE.id;
         converted[1] = majorVersion;
         converted[2] = minorVersion;
         // header [3..4] for handshake message length
@@ -372,237 +328,61 @@
         return ByteBuffer.wrap(converted, 5, pointer - 5);  // 5: header size
     }
 
-    static ByteBuffer decrypt(Authenticator authenticator, CipherBox box,
-            byte contentType, ByteBuffer bb) throws BadPaddingException {
-
-        return decrypt(authenticator, box, contentType, bb, null);
-    }
-
-    static ByteBuffer decrypt(Authenticator authenticator,
-            CipherBox box, byte contentType, ByteBuffer bb,
-            byte[] sequence) throws BadPaddingException {
-
-        BadPaddingException reservedBPE = null;
-        int tagLen =
-            (authenticator instanceof MAC) ? ((MAC)authenticator).MAClen() : 0;
-        int cipheredLength = bb.remaining();
-        int srcPos = bb.position();
-        if (!box.isNullCipher()) {
-            try {
-                // apply explicit nonce for AEAD/CBC cipher suites if needed
-                int nonceSize = box.applyExplicitNonce(
-                        authenticator, contentType, bb, sequence);
-
-                // decrypt the content
-                if (box.isAEADMode()) {
-                    // DON'T decrypt the nonce_explicit for AEAD mode
-                    bb.position(srcPos + nonceSize);
-                }   // The explicit IV for CBC mode can be decrypted.
-
-                // Note that the CipherBox.decrypt() does not change
-                // the capacity of the buffer.
-                box.decrypt(bb, tagLen);
-                // We don't actually remove the nonce.
-                bb.position(srcPos + nonceSize);
-            } catch (BadPaddingException bpe) {
-                // RFC 2246 states that decryption_failed should be used
-                // for this purpose. However, that allows certain attacks,
-                // so we just send bad record MAC. We also need to make
-                // sure to always check the MAC to avoid a timing attack
-                // for the same issue. See paper by Vaudenay et al and the
-                // update in RFC 4346/5246.
-                //
-                // Failover to message authentication code checking.
-                reservedBPE = bpe;
-            }
-        }
-
-        // Requires message authentication code for null, stream and block
-        // cipher suites.
-        if ((authenticator instanceof MAC) && (tagLen != 0)) {
-            MAC signer = (MAC)authenticator;
-            int contentLen = bb.remaining() - tagLen;
-
-            // Note that although it is not necessary, we run the same MAC
-            // computation and comparison on the payload for both stream
-            // cipher and CBC block cipher.
-            if (contentLen < 0) {
-                // negative data length, something is wrong
-                if (reservedBPE == null) {
-                    reservedBPE = new BadPaddingException("bad record");
+    // Extract an SSL/(D)TLS record from the specified source buffers.
+    static ByteBuffer extract(
+            ByteBuffer[] buffers, int offset, int length, int headerSize) {
+
+        boolean hasFullHeader = false;
+        int contentLen = -1;
+        for (int i = offset, j = 0;
+                i < (offset + length) && j < headerSize; i++) {
+            int remains = buffers[i].remaining();
+            int pos = buffers[i].position();
+            for (int k = 0; k < remains && j < headerSize; j++, k++) {
+                byte b = buffers[i].get(pos + k);
+                if (j == (headerSize - 2)) {
+                    contentLen = ((b & 0xFF) << 8);
+                } else if (j == (headerSize -1)) {
+                    contentLen |= (b & 0xFF);
+                    hasFullHeader = true;
+                    break;
                 }
-
-                // set offset of the dummy MAC
-                contentLen = cipheredLength - tagLen;
-                bb.limit(srcPos + cipheredLength);
             }
-
-            // Run MAC computation and comparison on the payload.
-            //
-            // MAC data would be stripped off during the check.
-            if (checkMacTags(contentType, bb, signer, sequence, false)) {
-                if (reservedBPE == null) {
-                    reservedBPE = new BadPaddingException("bad record MAC");
-                }
-            }
-
-            // Run MAC computation and comparison on the remainder.
-            //
-            // It is only necessary for CBC block cipher.  It is used to get a
-            // constant time of MAC computation and comparison on each record.
-            if (box.isCBCMode()) {
-                int remainingLen = calculateRemainingLen(
-                                        signer, cipheredLength, contentLen);
-
-                // NOTE: remainingLen may be bigger (less than 1 block of the
-                // hash algorithm of the MAC) than the cipheredLength.
-                //
-                // Is it possible to use a static buffer, rather than allocate
-                // it dynamically?
-                remainingLen += signer.MAClen();
-                ByteBuffer temporary = ByteBuffer.allocate(remainingLen);
-
-                // Won't need to worry about the result on the remainder. And
-                // then we won't need to worry about what's actual data to
-                // check MAC tag on.  We start the check from the header of the
-                // buffer so that we don't need to construct a new byte buffer.
-                checkMacTags(contentType, temporary, signer, sequence, true);
-            }
-        }
-
-        // Is it a failover?
-        if (reservedBPE != null) {
-            throw reservedBPE;
         }
 
-        return bb.slice();
-    }
-
-    /*
-     * Run MAC computation and comparison
-     *
-     */
-    private static boolean checkMacTags(byte contentType, ByteBuffer bb,
-            MAC signer, byte[] sequence, boolean isSimulated) {
-
-        int tagLen = signer.MAClen();
-        int position = bb.position();
-        int lim = bb.limit();
-        int macOffset = lim - tagLen;
-
-        bb.limit(macOffset);
-        byte[] hash = signer.compute(contentType, bb, sequence, isSimulated);
-        if (hash == null || tagLen != hash.length) {
-            // Something is wrong with MAC implementation.
-            throw new RuntimeException("Internal MAC error");
+        if (!hasFullHeader) {
+            throw new BufferUnderflowException();
         }
 
-        bb.position(macOffset);
-        bb.limit(lim);
-        try {
-            int[] results = compareMacTags(bb, hash);
-            return (results[0] != 0);
-        } finally {
-            // reset to the data
-            bb.position(position);
-            bb.limit(macOffset);
-        }
-    }
-
-    /*
-     * A constant-time comparison of the MAC tags.
-     *
-     * Please DON'T change the content of the ByteBuffer parameter!
-     */
-    private static int[] compareMacTags(ByteBuffer bb, byte[] tag) {
-
-        // An array of hits is used to prevent Hotspot optimization for
-        // the purpose of a constant-time check.
-        int[] results = {0, 0};     // {missed #, matched #}
-
-        // The caller ensures there are enough bytes available in the buffer.
-        // So we won't need to check the remaining of the buffer.
-        for (int i = 0; i < tag.length; i++) {
-            if (bb.get() != tag[i]) {
-                results[0]++;       // mismatched bytes
-            } else {
-                results[1]++;       // matched bytes
+        int packetLen = headerSize + contentLen;
+        int remains = 0;
+        for (int i = offset; i < offset + length; i++) {
+            remains += buffers[i].remaining();
+            if (remains >= packetLen) {
+                break;
             }
         }
 
-        return results;
-    }
-
-    /*
-     * Run MAC computation and comparison
-     *
-     * Please DON'T change the content of the byte buffer parameter!
-     */
-    private static boolean checkMacTags(byte contentType, byte[] buffer,
-            int offset, int contentLen, MAC signer, boolean isSimulated) {
-
-        int tagLen = signer.MAClen();
-        byte[] hash = signer.compute(
-                contentType, buffer, offset, contentLen, isSimulated);
-        if (hash == null || tagLen != hash.length) {
-            // Something is wrong with MAC implementation.
-            throw new RuntimeException("Internal MAC error");
+        if (remains < packetLen) {
+            throw new BufferUnderflowException();
         }
 
-        int[] results = compareMacTags(buffer, offset + contentLen, hash);
-        return (results[0] != 0);
-    }
-
-    /*
-     * A constant-time comparison of the MAC tags.
-     *
-     * Please DON'T change the content of the byte buffer parameter!
-     */
-    private static int[] compareMacTags(
-            byte[] buffer, int offset, byte[] tag) {
+        byte[] packet = new byte[packetLen];
+        int packetOffset = 0;
+        int packetSpaces = packetLen;
+        for (int i = offset; i < offset + length; i++) {
+            if (buffers[i].hasRemaining()) {
+                int len = Math.min(packetSpaces, buffers[i].remaining());
+                buffers[i].get(packet, packetOffset, len);
+                packetOffset += len;
+                packetSpaces -= len;
+            }
 
-        // An array of hits is used to prevent Hotspot optimization for
-        // the purpose of a constant-time check.
-        int[] results = {0, 0};    // {missed #, matched #}
-
-        // The caller ensures there are enough bytes available in the buffer.
-        // So we won't need to check the length of the buffer.
-        for (int i = 0; i < tag.length; i++) {
-            if (buffer[offset + i] != tag[i]) {
-                results[0]++;       // mismatched bytes
-            } else {
-                results[1]++;       // matched bytes
+            if (packetSpaces <= 0) {
+                break;
             }
         }
 
-        return results;
-    }
-
-    /*
-     * Calculate the length of a dummy buffer to run MAC computation
-     * and comparison on the remainder.
-     *
-     * The caller MUST ensure that the fullLen is not less than usedLen.
-     */
-    private static int calculateRemainingLen(
-            MAC signer, int fullLen, int usedLen) {
-
-        int blockLen = signer.hashBlockLen();
-        int minimalPaddingLen = signer.minimalPaddingLen();
-
-        // (blockLen - minimalPaddingLen) is the maximum message size of
-        // the last block of hash function operation. See FIPS 180-4, or
-        // MD5 specification.
-        fullLen += 13 - (blockLen - minimalPaddingLen);
-        usedLen += 13 - (blockLen - minimalPaddingLen);
-
-        // Note: fullLen is always not less than usedLen, and blockLen
-        // is always bigger than minimalPaddingLen, so we don't worry
-        // about negative values. 0x01 is added to the result to ensure
-        // that the return value is positive.  The extra one byte does
-        // not impact the overall MAC compression function evaluations.
-        return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
-                Math.ceil(usedLen/(1.0d * blockLen))) * blockLen;
+        return ByteBuffer.wrap(packet);
     }
 }
-
--- old/src/java.base/share/classes/sun/security/ssl/JsseJce.java	2018-05-11 15:05:20.018858500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/JsseJce.java	2018-05-11 15:05:19.540898900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2001, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,25 +25,16 @@
 
 package sun.security.ssl;
 
-import java.util.*;
 import java.math.BigInteger;
-
 import java.security.*;
 import java.security.interfaces.RSAPublicKey;
 import java.security.spec.*;
-
+import java.util.*;
 import javax.crypto.*;
-
-// explicit import to override the Provider class in this package
-import java.security.Provider;
-
-// need internal Sun classes for FIPS tricks
-import sun.security.jca.Providers;
 import sun.security.jca.ProviderList;
-
-import sun.security.util.ECUtil;
-
+import sun.security.jca.Providers;
 import static sun.security.ssl.SunJSSE.cryptoProvider;
+import sun.security.util.ECUtil;
 import static sun.security.util.SecurityConstants.PROVIDER_VER;
 
 /**
@@ -53,18 +44,11 @@
  * @author  Andreas Sterbenz
  */
 final class JsseJce {
+    static final boolean ALLOW_ECC =
+            Utilities.getBooleanProperty("com.sun.net.ssl.enableECC", true);
 
     private static final ProviderList fipsProviderList;
 
-    // Flag indicating whether Kerberos crypto is available.
-    // If true, then all the Kerberos-based crypto we need is available.
-    private static final boolean kerberosAvailable;
-    static {
-        ClientKeyExchangeService p =
-                ClientKeyExchangeService.find("KRB5");
-        kerberosAvailable = (p != null);
-    }
-
     static {
         // force FIPS flag initialization
         // Because isFIPS() is synchronized and cryptoProvider is not modified
@@ -181,7 +165,7 @@
     }
 
     static boolean isKerberosAvailable() {
-        return kerberosAvailable;
+        return false;
     }
 
     /**
@@ -299,7 +283,8 @@
         for (Provider.Service s : cryptoProvider.getServices()) {
             if (s.getType().equals("SecureRandom")) {
                 try {
-                    return SecureRandom.getInstance(s.getAlgorithm(), cryptoProvider);
+                    return SecureRandom.getInstance(
+                            s.getAlgorithm(), cryptoProvider);
                 } catch (NoSuchAlgorithmException ee) {
                     // ignore
                 }
@@ -394,7 +379,7 @@
     // See Effective Java Second Edition: Item 71.
     private static class EcAvailability {
         // Is EC crypto available?
-        private final static boolean isAvailable;
+        private static final boolean isAvailable;
 
         static {
             boolean mediator = true;
--- old/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java	2018-05-11 15:05:21.985927700 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java	2018-05-11 15:05:21.434429700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -91,9 +91,11 @@
                 keyManager = new X509KeyManagerImpl(
                         Collections.<Builder>emptyList());
             } else {
-                if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)) {
-                    throw new KeyStoreException("FIPS mode: KeyStore must be "
-                        + "from provider " + SunJSSE.cryptoProvider.getName());
+                if (SunJSSE.isFIPS() &&
+                        (ks.getProvider() != SunJSSE.cryptoProvider)) {
+                    throw new KeyStoreException(
+                        "FIPS mode: KeyStore must be " +
+                        "from provider " + SunJSSE.cryptoProvider.getName());
                 }
                 try {
                     Builder builder = Builder.newInstance(ks,
--- old/src/java.base/share/classes/sun/security/ssl/OutputRecord.java	2018-05-11 15:05:23.787091800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/OutputRecord.java	2018-05-11 15:05:23.274235800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,30 +25,27 @@
 
 package sun.security.ssl;
 
-import java.io.*;
-import java.nio.*;
-import java.util.Arrays;
-
-import javax.net.ssl.SSLException;
-import sun.security.util.HexDumpEncoder;
-
+import java.io.ByteArrayOutputStream;
+import java.io.Closeable;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
 
 /**
- * {@code OutputRecord} takes care of the management of SSL/TLS/DTLS output
- * records, including buffering, encryption, handshake messages marshal, etc.
+ * {@code OutputRecord} takes care of the management of SSL/(D)TLS
+ * output records, including buffering, encryption, handshake
+ * messages marshal, etc.
  *
  * @author David Brownell
  */
-abstract class OutputRecord extends ByteArrayOutputStream
-            implements Record, Closeable {
-
-    /* Class and subclass dynamic debugging support */
-    static final Debug          debug = Debug.getInstance("ssl");
-
-    Authenticator               writeAuthenticator;
-    CipherBox                   writeCipher;
+abstract class OutputRecord
+        extends ByteArrayOutputStream implements Record, Closeable {
+    SSLWriteCipher              writeCipher;
+    // Needed for KeyUpdate
+    TransportContext            tc;
 
-    HandshakeHash               handshakeHash;
+    final HandshakeHash         handshakeHash;
     boolean                     firstMessage;
 
     // current protocol version, sent as record version
@@ -75,16 +72,18 @@
      * Mappings from V3 cipher suite encodings to their pure V2 equivalents.
      * This is taken from the SSL V3 specification, Appendix E.
      */
-    private static int[] V3toV2CipherMap1 =
+    private static final int[] V3toV2CipherMap1 =
         {-1, -1, -1, 0x02, 0x01, -1, 0x04, 0x05, -1, 0x06, 0x07};
-    private static int[] V3toV2CipherMap3 =
+    private static final int[] V3toV2CipherMap3 =
         {-1, -1, -1, 0x80, 0x80, -1, 0x80, 0x80, -1, 0x40, 0xC0};
 
-    OutputRecord() {
-        this.writeCipher = CipherBox.NULL;
+    OutputRecord(HandshakeHash handshakeHash, SSLWriteCipher writeCipher) {
+        this.writeCipher = writeCipher;
         this.firstMessage = true;
         this.fragmentSize = Record.maxDataSize;
 
+        this.handshakeHash = handshakeHash;
+
         // Please set packetSize and protocolVersion in the implementation.
     }
 
@@ -100,15 +99,6 @@
     }
 
     /*
-     * For handshaking, we need to be able to hash every byte above the
-     * record marking layer.  This is where we're guaranteed to see those
-     * bytes, so this is where we can hash them.
-     */
-    void setHandshakeHash(HandshakeHash handshakeHash) {
-        this.handshakeHash = handshakeHash;
-    }
-
-    /*
      * Return true iff the record is empty -- to avoid doing the work
      * of sending empty records over the network.
      */
@@ -117,8 +107,8 @@
     }
 
     boolean seqNumIsHuge() {
-        return (writeAuthenticator != null) &&
-                        writeAuthenticator.seqNumIsHuge();
+        return (writeCipher.authenticator != null) &&
+                        writeCipher.authenticator.seqNumIsHuge();
     }
 
     // SSLEngine and SSLSocket
@@ -132,8 +122,10 @@
     abstract void encodeChangeCipherSpec() throws IOException;
 
     // apply to SSLEngine only
-    Ciphertext encode(ByteBuffer[] sources, int offset, int length,
-            ByteBuffer destination) throws IOException {
+    Ciphertext encode(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
+
         throw new UnsupportedOperationException();
     }
 
@@ -143,7 +135,8 @@
     }
 
     // apply to SSLSocket only
-    void deliver(byte[] source, int offset, int length) throws IOException {
+    void deliver(
+            byte[] source, int offset, int length) throws IOException {
         throw new UnsupportedOperationException();
     }
 
@@ -152,15 +145,11 @@
         throw new UnsupportedOperationException();
     }
 
-    // apply to SSLEngine only
-    Ciphertext acquireCiphertext(ByteBuffer destination) throws IOException {
-        throw new UnsupportedOperationException();
-    }
-
-    void changeWriteCiphers(Authenticator writeAuthenticator,
-            CipherBox writeCipher) throws IOException {
-
-        encodeChangeCipherSpec();
+    void changeWriteCiphers(SSLWriteCipher writeCipher,
+            boolean useChangeCipherSpec) throws IOException {
+        if (useChangeCipherSpec) {
+            encodeChangeCipherSpec();
+        }
 
         /*
          * Dispose of any intermediate state in the underlying cipher.
@@ -172,7 +161,6 @@
          */
         writeCipher.dispose();
 
-        this.writeAuthenticator = writeAuthenticator;
         this.writeCipher = writeCipher;
         this.isFirstAppOutputRecord = true;
     }
@@ -195,6 +183,11 @@
     }
 
     // apply to DTLS SSLEngine
+    void finishHandshake() {
+        // blank
+    }
+
+    // apply to DTLS SSLEngine
     void launchRetransmission() {
         // blank
     }
@@ -207,6 +200,10 @@
         }
     }
 
+    synchronized boolean isClosed() {
+        return isClosed;
+    }
+
     //
     // shared helpers
     //
@@ -216,103 +213,133 @@
     // To be consistent with the spec of SSLEngine.wrap() methods, the
     // destination ByteBuffer's position is updated to reflect the amount
     // of data produced.  The limit remains the same.
-    static long encrypt(Authenticator authenticator,
-            CipherBox encCipher, byte contentType, ByteBuffer destination,
+    static long encrypt(
+            SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
             int headerOffset, int dstLim, int headerSize,
-            ProtocolVersion protocolVersion, boolean isDTLS) {
-
-        byte[] sequenceNumber = null;
-        int dstContent = destination.position();
-
-        // Acquire the current sequence number before using.
+            ProtocolVersion protocolVersion) {
+        boolean isDTLS = protocolVersion.isDTLS;
         if (isDTLS) {
-            sequenceNumber = authenticator.sequenceNumber();
+            if (protocolVersion.useTLS13PlusSpec()) {
+                return d13Encrypt(encCipher,
+                        contentType, destination, headerOffset,
+                        dstLim, headerSize, protocolVersion);
+            } else {
+                return d10Encrypt(encCipher,
+                        contentType, destination, headerOffset,
+                        dstLim, headerSize, protocolVersion);
+            }
+        } else {
+            if (protocolVersion.useTLS13PlusSpec()) {
+                return t13Encrypt(encCipher,
+                        contentType, destination, headerOffset,
+                        dstLim, headerSize, protocolVersion);
+            } else {
+                return t10Encrypt(encCipher,
+                        contentType, destination, headerOffset,
+                        dstLim, headerSize, protocolVersion);
+            }
         }
+    }
 
-        // The sequence number may be shared for different purpose.
-        boolean sharedSequenceNumber = false;
+    static long d13Encrypt(
+            SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
+            int headerOffset, int dstLim, int headerSize,
+            ProtocolVersion protocolVersion) {
+        throw new UnsupportedOperationException("Not supported yet.");
+    }
 
-        // "flip" but skip over header again, add MAC & encrypt
-        if (authenticator instanceof MAC) {
-            MAC signer = (MAC)authenticator;
-            if (signer.MAClen() != 0) {
-                byte[] hash = signer.compute(contentType, destination, false);
-
-                /*
-                 * position was advanced to limit in MAC compute above.
-                 *
-                 * Mark next area as writable (above layers should have
-                 * established that we have plenty of room), then write
-                 * out the hash.
-                 */
-                destination.limit(destination.limit() + hash.length);
-                destination.put(hash);
-
-                // reset the position and limit
-                destination.limit(destination.position());
-                destination.position(dstContent);
-
-                // The signer has used and increased the sequence number.
-                if (isDTLS) {
-                    sharedSequenceNumber = true;
-                }
-            }
-        }
+    private static long d10Encrypt(
+            SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
+            int headerOffset, int dstLim, int headerSize,
+            ProtocolVersion protocolVersion) {
+        byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
+        encCipher.encrypt(contentType, destination);
+
+        // Finish out the record header.
+        int fragLen = destination.limit() - headerOffset - headerSize;
+
+        destination.put(headerOffset, contentType);         // content type
+        destination.put(headerOffset + 1, protocolVersion.major);
+        destination.put(headerOffset + 2, protocolVersion.minor);
+
+        // epoch and sequence_number
+        destination.put(headerOffset + 3, sequenceNumber[0]);
+        destination.put(headerOffset + 4, sequenceNumber[1]);
+        destination.put(headerOffset + 5, sequenceNumber[2]);
+        destination.put(headerOffset + 6, sequenceNumber[3]);
+        destination.put(headerOffset + 7, sequenceNumber[4]);
+        destination.put(headerOffset + 8, sequenceNumber[5]);
+        destination.put(headerOffset + 9, sequenceNumber[6]);
+        destination.put(headerOffset + 10, sequenceNumber[7]);
+
+        // fragment length
+        destination.put(headerOffset + 11, (byte)(fragLen >> 8));
+        destination.put(headerOffset + 12, (byte)fragLen);
+
+        // Update destination position to reflect the amount of data produced.
+        destination.position(destination.limit());
+
+        return Authenticator.toLong(sequenceNumber);
+    }
 
+    static long t13Encrypt(
+            SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
+            int headerOffset, int dstLim, int headerSize,
+            ProtocolVersion protocolVersion) {
         if (!encCipher.isNullCipher()) {
-            if (protocolVersion.useTLS11PlusSpec() &&
-                    (encCipher.isCBCMode() || encCipher.isAEADMode())) {
-                byte[] nonce = encCipher.createExplicitNonce(
-                        authenticator, contentType, destination.remaining());
-                destination.position(headerOffset + headerSize);
-                destination.put(nonce);
-            }
-            if (!encCipher.isAEADMode()) {
-                // The explicit IV in TLS 1.1 and later can be encrypted.
-                destination.position(headerOffset + headerSize);
-            }   // Otherwise, DON'T encrypt the nonce_explicit for AEAD mode
-
-            // Encrypt may pad, so again the limit may be changed.
-            encCipher.encrypt(destination, dstLim);
-
-            // The cipher has used and increased the sequence number.
-            if (isDTLS && encCipher.isAEADMode()) {
-                sharedSequenceNumber = true;
-            }
-        } else {
+            // inner plaintext, using zero length padding.
+            int pos = destination.position();
             destination.position(destination.limit());
+            destination.limit(destination.limit() + 1);
+            destination.put(contentType);
+            destination.position(pos);
+        }
+
+        // use the right TLSCiphertext.opaque_type and legacy_record_version
+        ProtocolVersion pv = protocolVersion;
+        if (!encCipher.isNullCipher()) {
+            pv = ProtocolVersion.TLS12;
+            contentType = ContentType.APPLICATION_DATA.id;
+        } else if (protocolVersion.useTLS13PlusSpec()) {
+            pv = ProtocolVersion.TLS12;
         }
 
+        byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
+        encCipher.encrypt(contentType, destination);
+
+        // Finish out the record header.
+        int fragLen = destination.limit() - headerOffset - headerSize;
+        destination.put(headerOffset, contentType);
+        destination.put(headerOffset + 1, pv.major);
+        destination.put(headerOffset + 2, pv.minor);
+
+        // fragment length
+        destination.put(headerOffset + 3, (byte)(fragLen >> 8));
+        destination.put(headerOffset + 4, (byte)fragLen);
+
+        // Update destination position to reflect the amount of data produced.
+        destination.position(destination.limit());
+
+        return Authenticator.toLong(sequenceNumber);
+    }
+
+    static long t10Encrypt(
+            SSLWriteCipher encCipher, byte contentType, ByteBuffer destination,
+            int headerOffset, int dstLim, int headerSize,
+            ProtocolVersion protocolVersion) {
+        byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
+        encCipher.encrypt(contentType, destination);
+
         // Finish out the record header.
         int fragLen = destination.limit() - headerOffset - headerSize;
 
         destination.put(headerOffset, contentType);         // content type
         destination.put(headerOffset + 1, protocolVersion.major);
         destination.put(headerOffset + 2, protocolVersion.minor);
-        if (!isDTLS) {
-            // fragment length
-            destination.put(headerOffset + 3, (byte)(fragLen >> 8));
-            destination.put(headerOffset + 4, (byte)fragLen);
-        } else {
-            // epoch and sequence_number
-            destination.put(headerOffset + 3, sequenceNumber[0]);
-            destination.put(headerOffset + 4, sequenceNumber[1]);
-            destination.put(headerOffset + 5, sequenceNumber[2]);
-            destination.put(headerOffset + 6, sequenceNumber[3]);
-            destination.put(headerOffset + 7, sequenceNumber[4]);
-            destination.put(headerOffset + 8, sequenceNumber[5]);
-            destination.put(headerOffset + 9, sequenceNumber[6]);
-            destination.put(headerOffset + 10, sequenceNumber[7]);
-
-            // fragment length
-            destination.put(headerOffset + 11, (byte)(fragLen >> 8));
-            destination.put(headerOffset + 12, (byte)fragLen);
-
-            // Increase the sequence number for next use if it is not shared.
-            if (!sharedSequenceNumber) {
-                authenticator.increaseSequenceNumber();
-            }
-        }
+
+        // fragment length
+        destination.put(headerOffset + 3, (byte)(fragLen >> 8));
+        destination.put(headerOffset + 4, (byte)fragLen);
 
         // Update destination position to reflect the amount of data produced.
         destination.position(destination.limit());
@@ -324,55 +351,78 @@
     //
     // Uses the internal expandable buf variable and the current
     // protocolVersion variable.
-    void encrypt(Authenticator authenticator,
-            CipherBox encCipher, byte contentType, int headerSize) {
+    long encrypt(
+            SSLWriteCipher encCipher, byte contentType, int headerSize) {
+        if (protocolVersion.useTLS13PlusSpec()) {
+            return t13Encrypt(encCipher, contentType, headerSize);
+        } else {
+            return t10Encrypt(encCipher, contentType, headerSize);
+        }
+    }
 
-        int position = headerSize + writeCipher.getExplicitNonceSize();
+    private static final class T13PaddingHolder {
+        private static final byte[] zeros = new byte[16];
+    }
 
-        // "flip" but skip over header again, add MAC & encrypt
-        int macLen = 0;
-        if (authenticator instanceof MAC) {
-            MAC signer = (MAC)authenticator;
-            macLen = signer.MAClen();
-            if (macLen != 0) {
-                byte[] hash = signer.compute(contentType,
-                        buf, position, (count - position), false);
+    long t13Encrypt(
+            SSLWriteCipher encCipher, byte contentType, int headerSize) {
+        if (!encCipher.isNullCipher()) {
+            // inner plaintext
+            write(contentType);
+            write(T13PaddingHolder.zeros, 0, T13PaddingHolder.zeros.length);
+        }
 
-                write(hash, 0, hash.length);
-            }
+        byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
+        int position = headerSize;
+        int contentLen = count - position;
+
+        // ensure the capacity
+        int packetSize = encCipher.calculatePacketSize(contentLen, headerSize);
+        if (packetSize > buf.length) {
+            byte[] newBuf = new byte[packetSize];
+            System.arraycopy(buf, 0, newBuf, 0, count);
+            buf = newBuf;
         }
 
+        // use the right TLSCiphertext.opaque_type and legacy_record_version
+        ProtocolVersion pv = protocolVersion;
         if (!encCipher.isNullCipher()) {
-            // Requires explicit IV/nonce for CBC/AEAD cipher suites for
-            // TLS 1.1 or later.
-            if (protocolVersion.useTLS11PlusSpec() &&
-                    (encCipher.isCBCMode() || encCipher.isAEADMode())) {
-
-                byte[] nonce = encCipher.createExplicitNonce(
-                        authenticator, contentType, (count - position));
-                int noncePos = position - nonce.length;
-                System.arraycopy(nonce, 0, buf, noncePos, nonce.length);
-            }
+            pv = ProtocolVersion.TLS12;
+            contentType = ContentType.APPLICATION_DATA.id;
+        } else {
+            pv = ProtocolVersion.TLS12;
+        }
 
-            if (!encCipher.isAEADMode()) {
-                // The explicit IV in TLS 1.1 and later can be encrypted.
-                position = headerSize;
-            }   // Otherwise, DON'T encrypt the nonce_explicit for AEAD mode
-
-            // increase buf capacity if necessary
-            int fragSize = count - position;
-            int packetSize =
-                    encCipher.calculatePacketSize(fragSize, macLen, headerSize);
-            if (packetSize > (buf.length - position)) {
-                byte[] newBuf = new byte[position + packetSize];
-                System.arraycopy(buf, 0, newBuf, 0, count);
-                buf = newBuf;
-            }
+        ByteBuffer destination = ByteBuffer.wrap(buf, position, contentLen);
+        count = headerSize + encCipher.encrypt(contentType, destination);
+
+        // Fill out the header, write it and the message.
+        int fragLen = count - headerSize;
 
-            // Encrypt may pad, so again the count may be changed.
-            count = position +
-                    encCipher.encrypt(buf, position, (count - position));
+        buf[0] = contentType;
+        buf[1] = pv.major;
+        buf[2] = pv.minor;
+        buf[3] = (byte)((fragLen >> 8) & 0xFF);
+        buf[4] = (byte)(fragLen & 0xFF);
+
+        return Authenticator.toLong(sequenceNumber);
+    }
+
+    long t10Encrypt(
+            SSLWriteCipher encCipher, byte contentType, int headerSize) {
+        byte[] sequenceNumber = encCipher.authenticator.sequenceNumber();
+        int position = headerSize + writeCipher.getExplicitNonceSize();
+        int contentLen = count - position;
+
+        // ensure the capacity
+        int packetSize = encCipher.calculatePacketSize(contentLen, headerSize);
+        if (packetSize > buf.length) {
+            byte[] newBuf = new byte[packetSize];
+            System.arraycopy(buf, 0, newBuf, 0, count);
+            buf = newBuf;
         }
+        ByteBuffer destination = ByteBuffer.wrap(buf, position, contentLen);
+        count = headerSize + encCipher.encrypt(contentType, destination);
 
         // Fill out the header, write it and the message.
         int fragLen = count - headerSize;
@@ -381,11 +431,12 @@
         buf[2] = protocolVersion.minor;
         buf[3] = (byte)((fragLen >> 8) & 0xFF);
         buf[4] = (byte)(fragLen & 0xFF);
+
+        return Authenticator.toLong(sequenceNumber);
     }
 
     static ByteBuffer encodeV2ClientHello(
             byte[] fragment, int offset, int length) throws IOException {
-
         int v3SessIdLenOffset = offset + 34;      //  2: client_version
                                                   // 32: random
 
@@ -449,7 +500,7 @@
         dstBuf.position(0);
         dstBuf.put((byte)(0x80 | ((msgLen >>> 8) & 0xFF)));  // pos: 0
         dstBuf.put((byte)(msgLen & 0xFF));                   // pos: 1
-        dstBuf.put(HandshakeMessage.ht_client_hello);        // pos: 2
+        dstBuf.put(SSLHandshake.CLIENT_HELLO.id);            // pos: 2
         dstBuf.put(fragment[offset]);         // major version, pos: 3
         dstBuf.put(fragment[offset + 1]);     // minor version, pos: 4
         dstBuf.put((byte)(v2CSLen >>> 8));                   // pos: 5
--- old/src/java.base/share/classes/sun/security/ssl/Plaintext.java	2018-05-11 15:05:25.707951400 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Plaintext.java	2018-05-11 15:05:25.156791000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,16 +34,16 @@
 final class Plaintext {
     static final Plaintext PLAINTEXT_NULL = new Plaintext();
 
-    byte            contentType;
-    byte            majorVersion;
-    byte            minorVersion;
-    int             recordEpoch;    // incremented on every cipher state change
-    long            recordSN;       // contains epcoh number (epoch | sequence)
-    ByteBuffer      fragment;       // null if need to be reassembled
+    final byte       contentType;
+    final byte       majorVersion;
+    final byte       minorVersion;
+    final int        recordEpoch;     // increments on every cipher state change
+    final long       recordSN;        // epoch | sequence number
+    final ByteBuffer fragment;        // null if need to be reassembled
 
-    HandshakeStatus handshakeStatus;    // null if not used or not handshaking
+    HandshakeStatus  handshakeStatus; // null if not used or not handshaking
 
-    Plaintext() {
+    private Plaintext() {
         this.contentType = 0;
         this.majorVersion = 0;
         this.minorVersion = 0;
@@ -53,7 +53,8 @@
         this.handshakeStatus = null;
     }
 
-    Plaintext(byte contentType, byte majorVersion, byte minorVersion,
+    Plaintext(byte contentType,
+            byte majorVersion, byte minorVersion,
             int recordEpoch, long recordSN, ByteBuffer fragment) {
 
         this.contentType = contentType;
@@ -66,6 +67,7 @@
         this.handshakeStatus = null;
     }
 
+    @Override
     public String toString() {
         return "contentType: " + contentType + "/" +
                "majorVersion: " + majorVersion + "/" +
--- old/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java	2018-05-11 15:05:27.684995100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/PredefinedDHParameterSpecs.java	2018-05-11 15:05:27.121754400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,21 +25,19 @@
 
 package sun.security.ssl;
 
-import java.security.*;
 import java.math.BigInteger;
-import java.util.regex.Pattern;
-import java.util.regex.Matcher;
-import java.util.Map;
-import java.util.HashMap;
+import java.security.*;
 import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.crypto.spec.DHParameterSpec;
 
 /**
  * Predefined default DH ephemeral parameters.
  */
 final class PredefinedDHParameterSpecs {
-    private final static boolean debugIsOn =
-            (Debug.getInstance("ssl") != null) && Debug.isOn("sslctx");
 
     //
     // Default DH ephemeral parameters
@@ -209,15 +207,15 @@
     // a measure of the uncertainty that prime modulus p is not a prime
     //
     // see BigInteger.isProbablePrime(int certainty)
-    private final static int PRIME_CERTAINTY = 120;
+    private static final int PRIME_CERTAINTY = 120;
 
     // the known security property, jdk.tls.server.defaultDHEParameters
-    private final static String PROPERTY_NAME =
+    private static final String PROPERTY_NAME =
             "jdk.tls.server.defaultDHEParameters";
 
     private static final Pattern spacesPattern = Pattern.compile("\\s+");
 
-    private final static Pattern syntaxPattern = Pattern.compile(
+    private static final Pattern syntaxPattern = Pattern.compile(
             "(\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})" +
             "(,\\{[0-9A-Fa-f]+,[0-9A-Fa-f]+\\})*");
 
@@ -225,10 +223,10 @@
             "\\{([0-9A-Fa-f]+),([0-9A-Fa-f]+)\\}");
 
     // cache of predefined default DH ephemeral parameters
-    final static Map<Integer, DHParameterSpec> definedParams;
+    static final Map<Integer, DHParameterSpec> definedParams;
 
     // cache of Finite Field DH Ephemeral parameters (RFC 7919/FFDHE)
-    final static Map<Integer, DHParameterSpec> ffdheParams;
+    static final Map<Integer, DHParameterSpec> ffdheParams;
 
     static {
         String property = AccessController.doPrivileged(
@@ -252,8 +250,9 @@
             Matcher spacesMatcher = spacesPattern.matcher(property);
             property = spacesMatcher.replaceAll("");
 
-            if (debugIsOn) {
-                System.out.println("The Security Property " +
+            if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) {
+                SSLLogger.fine(
+                        "The Security Property " +
                         PROPERTY_NAME + ": " + property);
             }
         }
@@ -267,8 +266,8 @@
                     String primeModulus = paramsFinder.group(1);
                     BigInteger p = new BigInteger(primeModulus, 16);
                     if (!p.isProbablePrime(PRIME_CERTAINTY)) {
-                        if (debugIsOn) {
-                            System.out.println(
+                        if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) {
+                            SSLLogger.fine(
                                 "Prime modulus p in Security Property, " +
                                 PROPERTY_NAME + ", is not a prime: " +
                                 primeModulus);
@@ -284,8 +283,8 @@
                     int primeLen = p.bitLength();
                     defaultParams.put(primeLen, spec);
                 }
-            } else if (debugIsOn) {
-                System.out.println("Invalid Security Property, " +
+            } else if (SSLLogger.isOn && SSLLogger.isOn("sslctx")) {
+                SSLLogger.fine("Invalid Security Property, " +
                         PROPERTY_NAME + ", definition");
             }
         }
--- old/src/java.base/share/classes/sun/security/ssl/ProtocolVersion.java	2018-05-11 15:05:29.781607100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ProtocolVersion.java	2018-05-11 15:05:29.205518000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,33 +25,41 @@
 
 package sun.security.ssl;
 
-import java.util.*;
 import java.security.CryptoPrimitive;
-import sun.security.ssl.CipherSuite.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.List;
 
 /**
- * Type safe enum for an SSL/TLS protocol version. Instances are obtained
- * using the static factory methods or by referencing the static members
- * in this class. Member variables are final and can be accessed without
- * accessor methods.
- *
- * There is only ever one instance per supported protocol version, this
- * means == can be used for comparision instead of equals() if desired.
- *
- * Checks for a particular version number should generally take this form:
- *
- * <pre>{@code
- * if (protocolVersion.v >= ProtocolVersion.TLS10) {
- *   // TLS 1.0 code goes here
- * } else {
- *   // SSL 3.0 code here
- * }
- * }</pre>
+ * Enum for an SSL/TLS/DTLS protocol version.
  *
  * @author  Andreas Sterbenz
  * @since   1.4.1
  */
-public final class ProtocolVersion implements Comparable<ProtocolVersion> {
+enum ProtocolVersion {
+//    TLS13           (0x0304,    "TLSv1.3",      false),
+    TLS13           (SSLConfiguration.tls13VN,    "TLSv1.3",      false),
+    TLS12           (0x0303,    "TLSv1.2",      false),
+    TLS11           (0x0302,    "TLSv1.1",      false),
+    TLS10           (0x0301,    "TLSv1",        false),
+    SSL30           (0x0300,    "SSLv3",        false),
+    SSL20Hello      (0x0002,    "SSLv2Hello",   false),
+
+    DTLS13          (0xFEFC,    "DTLSv1.3",     true),
+    DTLS12          (0xFEFD,    "DTLSv1.2",     true),
+    DTLS10          (0xFEFF,    "DTLSv1.0",     true),
+
+    // Dummy protocol version value for invalid SSLSession
+    NONE            (-1,        "NONE",         false);
+
+
+    final int id;
+    final String name;
+    final boolean isDTLS;
+    final byte major;
+    final byte minor;
+    final boolean isAvailable;
 
     // The limit of maximum protocol version
     static final int LIMIT_MAX_VALUE = 0xFFFF;
@@ -59,257 +67,336 @@
     // The limit of minimum protocol version
     static final int LIMIT_MIN_VALUE = 0x0000;
 
-    // Dummy protocol version value for invalid SSLSession
-    static final ProtocolVersion NONE = new ProtocolVersion(-1, "NONE");
-
-    // If enabled, send/accept SSLv2 hello messages
-    static final ProtocolVersion SSL20Hello =
-                                new ProtocolVersion(0x0002, "SSLv2Hello");
-
-    // SSL 3.0
-    static final ProtocolVersion SSL30 = new ProtocolVersion(0x0300, "SSLv3");
-
-    // TLS 1.0
-    static final ProtocolVersion TLS10 = new ProtocolVersion(0x0301, "TLSv1");
+    // (D)TLS ProtocolVersion array for TLS 1.0 and previous versions.
+    static final ProtocolVersion[] PROTOCOLS_TO_10 = new ProtocolVersion[] {
+            TLS10, SSL30
+        };
+
+    // (D)TLS ProtocolVersion array for TLS 1.1/DTLS 1.0 and previous versions.
+    static final ProtocolVersion[] PROTOCOLS_TO_11 = new ProtocolVersion[] {
+            TLS11, TLS10, SSL30, DTLS10
+        };
+
+    // (D)TLS ProtocolVersion array for (D)TLS 1.2 and previous versions.
+    static final ProtocolVersion[] PROTOCOLS_TO_12 = new ProtocolVersion[] {
+            TLS12, TLS11, TLS10, SSL30, DTLS12, DTLS10
+        };
+
+    // (D)TLS ProtocolVersion array for (D)TLS 1.3 and previous versions.
+    static final ProtocolVersion[] PROTOCOLS_TO_13 = new ProtocolVersion[] {
+            TLS13, TLS12, TLS11, TLS10, SSL30, DTLS13, DTLS12, DTLS10
+        };
+
+    // No protocol version specified.
+    static final ProtocolVersion[] PROTOCOLS_OF_NONE = new ProtocolVersion[] {
+            NONE
+        };
+
+    // (D)TLS ProtocolVersion array for (D)TLS 1.3.
+    static final ProtocolVersion[] PROTOCOLS_OF_30 = new ProtocolVersion[] {
+            SSL30
+        };
+
+    // (D)TLS ProtocolVersion array for TLS 1.1/DTSL 1.0.
+    static final ProtocolVersion[] PROTOCOLS_OF_11 = new ProtocolVersion[] {
+            TLS11, DTLS10
+        };
+
+    // (D)TLS ProtocolVersion array for (D)TLS 1.2.
+    static final ProtocolVersion[] PROTOCOLS_OF_12 = new ProtocolVersion[] {
+            TLS12, DTLS12
+        };
+
+    // (D)TLS ProtocolVersion array for (D)TLS 1.3.
+    static final ProtocolVersion[] PROTOCOLS_OF_13 = new ProtocolVersion[] {
+            TLS13, DTLS13
+        };
+
+    // (D)TLS ProtocolVersion array for TSL 1.0/1.1 and DTLS 1.0.
+    static final ProtocolVersion[] PROTOCOLS_10_11 = new ProtocolVersion[] {
+            TLS11, TLS10, DTLS10
+        };
+
+    // (D)TLS ProtocolVersion array for TSL 1.1/1.2 and DTLS 1.0/1.2.
+    static final ProtocolVersion[] PROTOCOLS_11_12 = new ProtocolVersion[] {
+            TLS12, TLS11, DTLS12, DTLS10
+        };
+
+    // (D)TLS ProtocolVersion array for TSL 1.2/1.3 and DTLS 1.2/1.3.
+    static final ProtocolVersion[] PROTOCOLS_12_13 = new ProtocolVersion[] {
+            TLS13, TLS12, DTLS13, DTLS12
+        };
+
+    // (D)TLS ProtocolVersion array for TSL 1.0/1.1/1.2 and DTLS 1.0/1.2.
+    static final ProtocolVersion[] PROTOCOLS_10_12 = new ProtocolVersion[] {
+            TLS12, TLS11, TLS10, DTLS12, DTLS10
+        };
 
-    // TLS 1.1
-    static final ProtocolVersion TLS11 = new ProtocolVersion(0x0302, "TLSv1.1");
+    // Empty ProtocolVersion array
+    static final ProtocolVersion[] PROTOCOLS_EMPTY = new ProtocolVersion[0];
 
-    // TLS 1.2
-    static final ProtocolVersion TLS12 = new ProtocolVersion(0x0303, "TLSv1.2");
-
-    // DTLS 1.0
-    // {254, 255}, the version value of DTLS 1.0.
-    static final ProtocolVersion DTLS10 =
-                                new ProtocolVersion(0xFEFF, "DTLSv1.0");
+    private ProtocolVersion(int id, String name, boolean isDTLS) {
+        this.id = id;
+        this.name = name;
+        this.isDTLS = isDTLS;
+        this.major = (byte)((id >>> 8) & 0xFF);
+        this.minor = (byte)(id & 0xFF);
+
+        this.isAvailable = SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
+                EnumSet.<CryptoPrimitive>of(CryptoPrimitive.KEY_AGREEMENT),
+                name, null);
+    }
 
-    // No DTLS 1.1, that version number was skipped in order to harmonize
-    // version numbers with TLS.
+    /**
+     * Return a ProtocolVersion with the specified major and minor
+     * version numbers.
+     */
+    static ProtocolVersion valueOf(byte major, byte minor) {
+        for (ProtocolVersion pv : ProtocolVersion.values()) {
+            if ((pv.major == major) && (pv.minor == minor)) {
+                return pv;
+            }
+        }
 
-    // DTLS 1.2
-    // {254, 253}, the version value of DTLS 1.2.
-    static final ProtocolVersion DTLS12 =
-                                new ProtocolVersion(0xFEFD, "DTLSv1.2");
+        return null;
+    }
 
-    private static final boolean FIPS = SunJSSE.isFIPS();
+    /**
+     * Return a ProtocolVersion with the specified version number.
+     */
+    static ProtocolVersion valueOf(int id) {
+        for (ProtocolVersion pv : ProtocolVersion.values()) {
+            if (pv.id == id) {
+                return pv;
+            }
+        }
 
-    // minimum version we implement (SSL 3.0)
-    static final ProtocolVersion MIN = FIPS ? TLS10 : SSL30;
+        return null;
+    }
 
-    // maximum version we implement (TLS 1.2)
-    static final ProtocolVersion MAX = TLS12;
+    /**
+     * Return name of a (D)TLS protocol specified by major and
+     * minor version numbers.
+     */
+    static String nameOf(byte major, byte minor) {
+        for (ProtocolVersion pv : ProtocolVersion.values()) {
+            if ((pv.major == major) && (pv.minor == minor)) {
+                return pv.name;
+            }
+        }
 
-    // SSL/TLS ProtocolVersion to use by default (TLS 1.2)
-    static final ProtocolVersion DEFAULT_TLS = TLS12;
+        return "(D)TLS-" + major + "." + minor;
+    }
 
-    // DTLS ProtocolVersion to use by default (TLS 1.2)
-    static final ProtocolVersion DEFAULT_DTLS = DTLS12;
+    /**
+     * Return name of a (D)TLS protocol specified by a protocol number.
+     */
+    static String nameOf(int id) {
+        return nameOf((byte)((id >>> 8) & 0xFF), (byte)(id & 0xFF));
+    }
 
-    // Default version for hello messages (SSLv2Hello)
-    static final ProtocolVersion DEFAULT_HELLO = FIPS ? TLS10 : SSL30;
+    /**
+     * Return a ProtocolVersion for the given (D)TLS protocol name.
+     */
+    static ProtocolVersion nameOf(String name) {
+        for (ProtocolVersion pv : ProtocolVersion.values()) {
+            if (pv.name.equals(name)) {
+                return pv;
+            }
+        }
 
-    // Available protocols
-    //
-    // Including all supported protocols except the disabled ones.
-    static final Set<ProtocolVersion> availableProtocols;
+        return null;
+    }
 
-    // version in 16 bit MSB format as it appears in records and
-    // messages, i.e. 0x0301 for TLS 1.0
-    public final int v;
+    /**
+     * Return true if the specific (D)TLS protocol is negotiable.
+     */
+    static boolean isNegotiable(
+            byte major, byte minor, boolean isDTLS, boolean allowSSL20Hello) {
 
-    // major and minor version
-    public final byte major, minor;
+        int v = ((major & 0xFF) << 8) | (minor & 0xFF);
+        if (isDTLS) {
+            return v <= DTLS10.id;
+        } else {
+            if (v < SSL30.id) {
+               if (!allowSSL20Hello || (v != SSL20Hello.id)) {
+                   return false;
+               }
+            }
+        }
 
-    // name used in JSSE (e.g. TLSv1 for TLS 1.0)
-    final String name;
+        return true;
+    }
 
-    // Initialize the available protocols.
-    static {
-        Set<ProtocolVersion> protocols = new HashSet<>(7);
-
-        ProtocolVersion[] pvs = new ProtocolVersion[] {
-                SSL20Hello, SSL30, TLS10, TLS11, TLS12, DTLS10, DTLS12};
-        EnumSet<CryptoPrimitive> cryptoPrimitives =
-            EnumSet.<CryptoPrimitive>of(CryptoPrimitive.KEY_AGREEMENT);
-        for (ProtocolVersion p : pvs) {
-            if (SSLAlgorithmConstraints.DEFAULT_SSL_ONLY.permits(
-                    cryptoPrimitives, p.name, null)) {
-                protocols.add(p);
+    /**
+     * Get names of a list of ProtocolVersion objects.
+     */
+    static String[] toStringArray(List<ProtocolVersion> protocolVersions) {
+        if ((protocolVersions != null) && !protocolVersions.isEmpty()) {
+            String[] protocolNames = new String[protocolVersions.size()];
+            int i = 0;
+            for (ProtocolVersion pv : protocolVersions) {
+                protocolNames[i++] = pv.name;
             }
+
+            return protocolNames;
         }
 
-        availableProtocols =
-                Collections.<ProtocolVersion>unmodifiableSet(protocols);
+        return new String[0];
     }
 
-    // private
-    private ProtocolVersion(int v, String name) {
-        this.v = v;
-        this.name = name;
-        major = (byte)(v >>> 8);
-        minor = (byte)(v & 0xFF);
-    }
+    /**
+     * Get names of a list of protocol version identifiers.
+     */
+    static String[] toStringArray(int[] protocolVersions) {
+        if ((protocolVersions != null) && protocolVersions.length != 0) {
+            String[] protocolNames = new String[protocolVersions.length];
+            int i = 0;
+            for (int pv : protocolVersions) {
+                protocolNames[i++] = ProtocolVersion.nameOf(pv);
+            }
 
-    // private
-    private static ProtocolVersion valueOf(int v) {
-        if (v == SSL30.v) {
-            return SSL30;
-        } else if (v == TLS10.v) {
-            return TLS10;
-        } else if (v == TLS11.v) {
-            return TLS11;
-        } else if (v == TLS12.v) {
-            return TLS12;
-        } else if (v == SSL20Hello.v) {
-            return SSL20Hello;
-        } else if (v == DTLS10.v) {
-            return DTLS10;
-        } else if (v == DTLS12.v) {
-            return DTLS12;
-        } else {
-            int major = (v >>> 8) & 0xFF;
-            int minor = v & 0xFF;
-            return new ProtocolVersion(v, "Unknown-" + major + "." + minor);
+            return protocolNames;
         }
+
+        return new String[0];
     }
 
     /**
-     * Return a ProtocolVersion with the specified major and minor version
-     * numbers. Never throws exceptions.
+     * Get a list of ProtocolVersion objects of an array protocol
+     * version names.
      */
-    public static ProtocolVersion valueOf(int major, int minor) {
-        return valueOf(((major & 0xFF) << 8) | (minor & 0xFF));
+    static List<ProtocolVersion> namesOf(String[] protocolNames) {
+        if (protocolNames == null || protocolNames.length == 0) {
+            return Collections.emptyList();
+        }
+
+        if ((protocolNames != null) && (protocolNames.length != 0)) {
+            List<ProtocolVersion> pvs = new ArrayList<>(protocolNames.length);
+            for (String pn : protocolNames) {
+                ProtocolVersion pv = ProtocolVersion.nameOf(pn);
+                if (pv == null) {
+                    throw new IllegalArgumentException(
+                            "Unsupported protocol" + pn);
+                }
+
+                pvs.add(pv);
+            }
+
+            return Collections.unmodifiableList(pvs);
+        }
+
+        return Collections.<ProtocolVersion>emptyList();
     }
 
     /**
-     * Return a ProtocolVersion for the given name.
-     *
-     * @exception IllegalArgumentException if name is null or does not
-     * identify a supported protocol
+     * Return true if the specific protocol version name is
+     * of (D)TLS 1.2 or newer version.
      */
-    static ProtocolVersion valueOf(String name) {
-        if (name == null) {
-            throw new IllegalArgumentException("Protocol cannot be null");
-        }
-
-        if (FIPS && (name.equals(SSL30.name) || name.equals(SSL20Hello.name))) {
-            throw new IllegalArgumentException(
-                    "Only TLS 1.0 or later allowed in FIPS mode");
-        }
-
-        if (name.equals(SSL30.name)) {
-            return SSL30;
-        } else if (name.equals(TLS10.name)) {
-            return TLS10;
-        } else if (name.equals(TLS11.name)) {
-            return TLS11;
-        } else if (name.equals(TLS12.name)) {
-            return TLS12;
-        } else if (name.equals(SSL20Hello.name)) {
-            return SSL20Hello;
-        } else if (name.equals(DTLS10.name)) {
-            return DTLS10;
-        } else if (name.equals(DTLS12.name)) {
-            return DTLS12;
-        } else {
-            throw new IllegalArgumentException(name);
+    static boolean useTLS12PlusSpec(String name) {
+        ProtocolVersion pv = ProtocolVersion.nameOf(name);
+        if (pv != null && pv != NONE) {
+            return pv.isDTLS ? (pv.id <= DTLS12.id) : (pv.id >= TLS12.id);
         }
-    }
 
-    @Override
-    public String toString() {
-        return name;
+        return false;
     }
 
     /**
-     * Compares this object with the specified object for order.
+     * Compares this object with the specified ProtocolVersion.
+     *
+     * @see java.lang.Comparable
      */
-    @Override
-    public int compareTo(ProtocolVersion protocolVersion) {
-        if (maybeDTLSProtocol()) {
-            if (!protocolVersion.maybeDTLSProtocol()) {
-                throw new IllegalArgumentException("Not DTLS protocol");
-            }
+    int compare(ProtocolVersion that) {
+        if (this == that) {
+            return 0;
+        }
 
-            return protocolVersion.v - this.v;
-        } else {
-            if (protocolVersion.maybeDTLSProtocol()) {
-                throw new IllegalArgumentException("Not TLS protocol");
-            }
+        if (this == ProtocolVersion.NONE) {
+            return -1;
+        } else if (that == ProtocolVersion.NONE) {
+            return 1;
+        }
 
-            return this.v - protocolVersion.v;
+        if (isDTLS) {
+            return that.id - this.id;
+        } else {
+            return this.id - that.id;
         }
     }
 
     /**
-     * Returns true if a ProtocolVersion represents a DTLS protocol.
+     * Return true if this ProtocolVersion object is of (D)TLS 1.3 or
+     * newer version.
      */
-    boolean isDTLSProtocol() {
-        return this.v == DTLS12.v || this.v == DTLS10.v;
+    boolean useTLS13PlusSpec() {
+        return isDTLS ? (this.id <= DTLS13.id) : (this.id >= TLS13.id);
     }
 
     /**
-     * Returns true if a ProtocolVersion may represent a DTLS protocol.
+     * Return true if this ProtocolVersion object is of (D)TLS 1.2 or
+     * newer version.
      */
-    boolean maybeDTLSProtocol() {
-        return (this.major & 0x80) != 0;
-    }
-
     boolean useTLS12PlusSpec() {
-        return maybeDTLSProtocol() ? (this.v <= DTLS12.v) : (this.v >= TLS12.v);
+        return isDTLS ? (this.id <= DTLS12.id) : (this.id >= TLS12.id);
     }
 
+    /**
+     * Return true if this ProtocolVersion object is of
+     * TLS 1.1/DTLS 1.0 or newer version.
+     */
     boolean useTLS11PlusSpec() {
-        return maybeDTLSProtocol() ? true : (this.v >= TLS11.v);
+        return isDTLS ? true : (this.id >= TLS11.id);
     }
 
+    /**
+     * Return true if this ProtocolVersion object is of TLS 1.0 or
+     * newer version.
+     */
     boolean useTLS10PlusSpec() {
-        return maybeDTLSProtocol() ? true : (this.v >= TLS10.v);
+        return isDTLS ? true : (this.id >= TLS10.id);
     }
 
-    boolean obsoletes(CipherSuite suite) {
-        ProtocolVersion proto = this;
-        if (proto.isDTLSProtocol()) {
-            // DTLS bans stream ciphers.
-            if (suite.cipher.cipherType == CipherType.STREAM_CIPHER) {
-                return true;
-            }
-
-            proto = mapToTLSProtocol(this);
-        }
-
-        return (proto.v >= suite.obsoleted);
+    /**
+     * Return true if this ProtocolVersion object is of TLS 1.0 or
+     * newer version.
+     */
+    static boolean useTLS10PlusSpec(int id, boolean isDTLS) {
+        return isDTLS ? true : (id >= TLS10.id);
     }
 
-    boolean supports(CipherSuite suite) {
-        ProtocolVersion proto = this;
-        if (proto.isDTLSProtocol()) {
-            // DTLS bans stream ciphers.
-            if (suite.cipher.cipherType == CipherType.STREAM_CIPHER) {
-                return false;
-            }
-
-            proto = mapToTLSProtocol(this);
-        }
-
-        return (proto.v >= suite.supported);
+    /**
+     * Return true if this ProtocolVersion object is of TLS 1.3 or
+     * newer version.
+     */
+    static boolean useTLS13PlusSpec(int id, boolean isDTLS) {
+        return isDTLS ? (id <= DTLS13.id) : (id >= TLS13.id);
     }
 
-    // Map a specified protocol to the corresponding TLS version.
-    //
-    // DTLS 1.2 -> TLS 1.2
-    // DTLS 1.0 -> TLS 1.1
-    private static ProtocolVersion mapToTLSProtocol(
-            ProtocolVersion protocolVersion) {
-
-        if (protocolVersion.isDTLSProtocol()) {
-            if (protocolVersion.v == DTLS10.v) {
-                protocolVersion = TLS11;
-            } else {    // DTLS12
-                protocolVersion = TLS12;
+    /**
+     * Select the lower of that suggested protocol version and
+     * the highest of the listed protocol versions.
+     *
+     * @param listedVersions    the listed protocol version
+     * @param suggestedVersion  the suggested protocol version
+     */
+    static ProtocolVersion selectedFrom(
+            List<ProtocolVersion> listedVersions, int suggestedVersion) {
+        ProtocolVersion selectedVersion = ProtocolVersion.NONE;
+        for (ProtocolVersion pv : listedVersions) {
+            if (pv.id == suggestedVersion) {
+                return pv;
+            } else if (pv.isDTLS) {
+                if (pv.id > suggestedVersion && pv.id < selectedVersion.id) {
+                    selectedVersion = pv;
+                }
+            } else {
+                if (pv.id < suggestedVersion && pv.id > selectedVersion.id) {
+                    selectedVersion = pv;
+                }
             }
         }
 
-        return protocolVersion;
+        return selectedVersion;
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java	2018-05-11 15:05:31.873218900 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java	2018-05-11 15:05:31.299603200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,247 +23,298 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
-import java.io.*;
-import java.security.*;
-
-import javax.crypto.*;
-
-import javax.net.ssl.*;
-
-import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
-import sun.security.util.KeyUtil;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.text.MessageFormat;
+import java.util.Locale;
+import javax.crypto.SecretKey;
+import sun.security.ssl.RSAKeyExchange.EphemeralRSACredentials;
+import sun.security.ssl.RSAKeyExchange.EphemeralRSAPossession;
+import sun.security.ssl.RSAKeyExchange.RSAPremasterSecret;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
 
 /**
- * This is the client key exchange message (CLIENT --> SERVER) used with
- * all RSA key exchanges; it holds the RSA-encrypted pre-master secret.
- *
- * The message is encrypted using PKCS #1 block type 02 encryption with the
- * server's public key.  The padding and resulting message size is a function
- * of this server's public key modulus size, but the pre-master secret is
- * always exactly 48 bytes.
- *
+ * Pack of the "ClientKeyExchange" handshake message.
  */
-final class RSAClientKeyExchange extends HandshakeMessage {
+final class RSAClientKeyExchange {
+    static final SSLConsumer rsaHandshakeConsumer =
+        new RSAClientKeyExchangeConsumer();
+    static final HandshakeProducer rsaHandshakeProducer =
+        new RSAClientKeyExchangeProducer();
 
-    /*
-     * The following field values were encrypted with the server's public
-     * key (or temp key from server key exchange msg) and are presented
-     * here in DECRYPTED form.
+    /**
+     * The RSA ClientKeyExchange handshake message.
      */
-    private ProtocolVersion protocolVersion; // preMaster [0,1]
-    SecretKey preMaster;
-    private byte[] encrypted;           // same size as public modulus
-
-    /*
-     * Client randomly creates a pre-master secret and encrypts it
-     * using the server's RSA public key; only the server can decrypt
-     * it, using its RSA private key.  Result is the same size as the
-     * server's public key, and uses PKCS #1 block format 02.
-     */
-    @SuppressWarnings("deprecation")
-    RSAClientKeyExchange(ProtocolVersion protocolVersion,
-            ProtocolVersion maxVersion,
-            SecureRandom generator, PublicKey publicKey) throws IOException {
-        if (publicKey.getAlgorithm().equals("RSA") == false) {
-            throw new SSLKeyException("Public key not of type RSA: " +
-                publicKey.getAlgorithm());
+    private static final
+            class RSAClientKeyExchangeMessage extends HandshakeMessage {
+        final int protocolVersion;
+        final boolean useTLS10PlusSpec;
+        final byte[] encrypted;
+
+        RSAClientKeyExchangeMessage(HandshakeContext context,
+                RSAPremasterSecret premaster,
+                PublicKey publicKey) throws GeneralSecurityException {
+            super(context);
+            this.protocolVersion = context.clientHelloVersion;
+            this.encrypted = premaster.getEncoded(
+                    publicKey, context.sslContext.getSecureRandom());
+            this.useTLS10PlusSpec = ProtocolVersion.useTLS10PlusSpec(
+                    protocolVersion, context.sslContext.isDTLS());
+        }
+
+        RSAClientKeyExchangeMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            if (m.remaining() < 2) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Invalid RSA ClientKeyExchange message: insufficient data");
+            }
+
+            this.protocolVersion = context.clientHelloVersion;
+            this.useTLS10PlusSpec = ProtocolVersion.useTLS10PlusSpec(
+                    protocolVersion, context.sslContext.isDTLS());
+            if (useTLS10PlusSpec) {
+                this.encrypted = Record.getBytes16(m);
+            } else {    //  SSL 3.0
+                this.encrypted = new byte[m.remaining()];
+                m.get(encrypted);
+            }
         }
-        this.protocolVersion = protocolVersion;
 
-        try {
-            String s = protocolVersion.useTLS12PlusSpec() ?
-                "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret";
-            KeyGenerator kg = JsseJce.getKeyGenerator(s);
-            kg.init(new TlsRsaPremasterSecretParameterSpec(
-                    maxVersion.v, protocolVersion.v), generator);
-            preMaster = kg.generateKey();
-
-            Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
-            cipher.init(Cipher.WRAP_MODE, publicKey, generator);
-            encrypted = cipher.wrap(preMaster);
-        } catch (GeneralSecurityException e) {
-            throw (SSLKeyException)new SSLKeyException
-                                ("RSA premaster secret error").initCause(e);
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CLIENT_KEY_EXCHANGE;
         }
-    }
 
-    /*
-     * Retrieving the cipher's provider name for the debug purposes
-     * can throw an exception by itself.
-     */
-    private static String safeProviderName(Cipher cipher) {
-        try {
-            return cipher.getProvider().toString();
-        } catch (Exception e) {
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("Retrieving The Cipher provider name" +
-                        " caused exception " + e.getMessage());
+        @Override
+        public int messageLength() {
+            if (useTLS10PlusSpec) {
+                return encrypted.length + 2;
+            } else {
+                return encrypted.length;
             }
         }
-        try {
-            return cipher.toString() + " (provider name not available)";
-        } catch (Exception e) {
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("Retrieving The Cipher name" +
-                        " caused exception " + e.getMessage());
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            if (useTLS10PlusSpec) {
+                hos.putBytes16(encrypted);
+            } else {
+                hos.write(encrypted);
             }
         }
-        return "(cipher/provider names not available)";
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"RSA ClientKeyExchange\": '{'\n" +
+                "  \"client_version\":  {0}\n" +
+                "  \"encncrypted\": '{'\n" +
+                "{1}\n" +
+                "  '}'\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                ProtocolVersion.nameOf(protocolVersion),
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(encrypted), "    "),
+            };
+            return messageFormat.format(messageFields);
+        }
     }
 
-    /*
-     * Server gets the PKCS #1 (block format 02) data, decrypts
-     * it with its private key.
+    /**
+     * The RSA "ClientKeyExchange" handshake message producer.
      */
-    @SuppressWarnings("deprecation")
-    RSAClientKeyExchange(ProtocolVersion currentVersion,
-            ProtocolVersion maxVersion,
-            SecureRandom generator, HandshakeInStream input,
-            int messageSize, PrivateKey privateKey) throws IOException {
-
-        if (privateKey.getAlgorithm().equals("RSA") == false) {
-            throw new SSLKeyException("Private key not of type RSA: " +
-                 privateKey.getAlgorithm());
-        }
+    private static final
+            class RSAClientKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private RSAClientKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // This happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            EphemeralRSACredentials rsaCredentials = null;
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials credential : chc.handshakeCredentials) {
+                if (credential instanceof EphemeralRSACredentials) {
+                    rsaCredentials = (EphemeralRSACredentials)credential;
+                    if (x509Credentials != null) {
+                        break;
+                    }
+                } else if (credential instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)credential;
+                    if (rsaCredentials != null) {
+                        break;
+                    }
+                }
+            }
 
-        if (currentVersion.useTLS10PlusSpec()) {
-            encrypted = input.getBytes16();
-        } else {
-            encrypted = new byte [messageSize];
-            if (input.read(encrypted) != messageSize) {
-                throw new SSLProtocolException(
-                        "SSL: read PreMasterSecret: short read");
+            if (rsaCredentials == null && x509Credentials == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No RSA credentials negotiated for client key exchange");
             }
-        }
 
-        byte[] encoded = null;
-        try {
-            boolean needFailover = false;
-            Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+            PublicKey publicKey = (rsaCredentials != null) ?
+                    rsaCredentials.popPublicKey : x509Credentials.popPublicKey;
+            if (!publicKey.getAlgorithm().equals("RSA")) {      // unlikely
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Not RSA public key for client key exchange");
+            }
+
+            RSAPremasterSecret premaster;
+            RSAClientKeyExchangeMessage ckem;
             try {
-                // Try UNWRAP_MODE mode firstly.
-                cipher.init(Cipher.UNWRAP_MODE, privateKey,
-                        new TlsRsaPremasterSecretParameterSpec(
-                                maxVersion.v, currentVersion.v),
-                        generator);
-
-                // The provider selection can be delayed, please don't call
-                // any Cipher method before the call to Cipher.init().
-                needFailover = !KeyUtil.isOracleJCEProvider(
-                        cipher.getProvider().getName());
-            } catch (InvalidKeyException | UnsupportedOperationException iue) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("The Cipher provider "
-                            + safeProviderName(cipher)
-                            + " caused exception: " + iue.getMessage());
-                }
+                premaster = RSAPremasterSecret.createPremasterSecret(chc);
+                chc.handshakePossessions.add(premaster);
+                ckem = new RSAClientKeyExchangeMessage(
+                        chc, premaster, publicKey);
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Cannot generate RSA premaster secret", gse);
 
-                needFailover = true;
+                return null;    // make the compiler happy
+            }
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced RSA ClientKeyExchange handshake message", ckem);
             }
 
-            if (needFailover) {
-                // The cipher might be spoiled by unsuccessful call to init(),
-                // so request a fresh instance
-                cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
-
-                // Use DECRYPT_MODE and dispose the previous initialization.
-                cipher.init(Cipher.DECRYPT_MODE, privateKey);
-                boolean failed = false;
-                try {
-                    encoded = cipher.doFinal(encrypted);
-                } catch (BadPaddingException bpe) {
-                    // Note: encoded == null
-                    failed = true;
-                }
-                encoded = KeyUtil.checkTlsPreMasterSecretKey(
-                                maxVersion.v, currentVersion.v,
-                                generator, encoded, failed);
-                preMaster = generatePreMasterSecret(
-                                maxVersion.v, currentVersion.v,
-                                encoded, generator);
+            // Output the handshake message.
+            ckem.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // update the states
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {   // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
             } else {
-                // the cipher should have been initialized
-                preMaster = (SecretKey)cipher.unwrap(encrypted,
-                        "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
-            }
-        } catch (InvalidKeyException ibk) {
-            // the message is too big to process with RSA
-            throw new SSLException(
-                "Unable to process PreMasterSecret", ibk);
-        } catch (Exception e) {
-            // unlikely to happen, otherwise, must be a provider exception
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("RSA premaster secret decryption error:");
-                e.printStackTrace(System.out);
+                SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
+                SecretKey masterSecret = masterKD.deriveKey("TODO", null);
+
+                // update the states
+                chc.handshakeSession.setMasterSecret(masterSecret);
+                SSLTrafficKeyDerivation kd =
+                        SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+                if (kd == null) {   // unlikely
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            chc.negotiatedProtocol);
+                } else {
+                    chc.handshakeKeyDerivation =
+                        kd.createKeyDerivation(chc, masterSecret);
+                }
             }
-            throw new RuntimeException("Could not generate dummy secret", e);
+
+            // The handshake message has been delivered.
+            return null;
         }
     }
 
-    // generate a premaster secret with the specified version number
-    @SuppressWarnings("deprecation")
-    private static SecretKey generatePreMasterSecret(
-            int clientVersion, int serverVersion,
-            byte[] encodedSecret, SecureRandom generator) {
+    /**
+     * The RSA "ClientKeyExchange" handshake message consumer.
+     */
+    private static final
+            class RSAClientKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private RSAClientKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            EphemeralRSAPossession rsaPossession = null;
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof EphemeralRSAPossession) {
+                    rsaPossession = (EphemeralRSAPossession)possession;
+                    break;
+                } else if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    if (rsaPossession != null) {
+                        break;
+                    }
+                }
+            }
 
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println("Generating a premaster secret");
-        }
+            if (rsaPossession == null && x509Possession == null) {  // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No RSA possessions negotiated for client key exchange");
+            }
 
-        try {
-            String s = ((clientVersion >= ProtocolVersion.TLS12.v) ?
-                "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
-            KeyGenerator kg = JsseJce.getKeyGenerator(s);
-            kg.init(new TlsRsaPremasterSecretParameterSpec(
-                    clientVersion, serverVersion, encodedSecret),
-                    generator);
-            return kg.generateKey();
-        } catch (InvalidAlgorithmParameterException |
-                NoSuchAlgorithmException iae) {
-            // unlikely to happen, otherwise, must be a provider exception
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("RSA premaster secret generation error:");
-                iae.printStackTrace(System.out);
+            PrivateKey privateKey = (rsaPossession != null) ?
+                    rsaPossession.popPrivateKey : x509Possession.popPrivateKey;
+            if (!privateKey.getAlgorithm().equals("RSA")) {     // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Not RSA private key for client key exchange");
             }
-            throw new RuntimeException("Could not generate premaster secret", iae);
-        }
-    }
 
-    @Override
-    int messageType() {
-        return ht_client_key_exchange;
-    }
+            RSAClientKeyExchangeMessage ckem =
+                    new RSAClientKeyExchangeMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming RSA ClientKeyExchange handshake message", ckem);
+            }
 
-    @Override
-    int messageLength() {
-        if (protocolVersion.useTLS10PlusSpec()) {
-            return encrypted.length + 2;
-        } else {
-            return encrypted.length;
-        }
-    }
+            // create the credentials
+            RSAPremasterSecret premaster;
+            try {
+                premaster =
+                    RSAPremasterSecret.decode(shc, privateKey, ckem.encrypted);
+                shc.handshakeCredentials.add(premaster);
+            } catch (GeneralSecurityException gse) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Cannot decode RSA premaster secret", gse);
+            }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        if (protocolVersion.useTLS10PlusSpec()) {
-            s.putBytes16(encrypted);
-        } else {
-            s.write(encrypted);
-        }
-    }
+            // update the states
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(shc.negotiatedCipherSuite.keyExchange);
+            if (ke == null) {   // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key exchange type");
+            } else {
+                SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
+                SecretKey masterSecret = masterKD.deriveKey("TODO", null);
 
-    @Override
-    void print(PrintStream s) throws IOException {
-        String version = "version not available/extractable";
-
-        byte[] ba = preMaster.getEncoded();
-        if (ba != null && ba.length >= 2) {
-            version = ProtocolVersion.valueOf(ba[0], ba[1]).name;
+                // update the states
+                shc.handshakeSession.setMasterSecret(masterSecret);
+                SSLTrafficKeyDerivation kd =
+                        SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+                if (kd == null) {       // unlikely
+                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            shc.negotiatedProtocol);
+                } else {
+                    shc.handshakeKeyDerivation =
+                        kd.createKeyDerivation(shc, masterSecret);
+                }
+            }
         }
-
-        s.println("*** ClientKeyExchange, RSA PreMasterSecret, " + version);
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/RSASignature.java	2018-05-11 15:05:33.823483100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/RSASignature.java	2018-05-11 15:05:33.254792600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,10 +23,10 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
 
 /**
  * Signature implementation for the SSL/TLS RSA Signature variant with both
@@ -45,35 +45,35 @@
  * getInternalInstance() method.
  *
  * This class is not thread safe.
- *
  */
 public final class RSASignature extends SignatureSpi {
-
     private final Signature rawRsa;
-    private MessageDigest md5, sha;
-
-    // flag indicating if the MessageDigests are in reset state
-    private boolean isReset;
+    private final MessageDigest mdMD5;
+    private final MessageDigest mdSHA;
 
     public RSASignature() throws NoSuchAlgorithmException {
         super();
         rawRsa = JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
-        isReset = true;
+        this.mdMD5 = JsseJce.getMessageDigest("MD5");
+        this.mdSHA = JsseJce.getMessageDigest("SHA");
     }
 
     /**
-     * Get an implementation for the RSA signature. Follows the standard
-     * JCA getInstance() model, so it return the implementation from the
-     * provider with the highest precedence, which may be this class.
+     * Get an implementation for the RSA signature.
+     *
+     * Follows the standard JCA getInstance() model, so it return the
+     * implementation from the  provider with the highest precedence,
+     * which may be this class.
      */
     static Signature getInstance() throws NoSuchAlgorithmException {
         return JsseJce.getSignature(JsseJce.SIGNATURE_SSLRSA);
     }
 
     /**
-     * Get an internal implementation for the RSA signature. Used for RSA
-     * client authentication, which needs the ability to set the digests
-     * to externally provided values via the setHashes() method.
+     * Get an internal implementation for the RSA signature.
+     *
+     * Used for RSA client authentication, which needs the ability to set
+     * the digests to externally provided values via the setHashes() method.
      */
     static Signature getInternalInstance()
             throws NoSuchAlgorithmException, NoSuchProviderException {
@@ -88,28 +88,14 @@
         sig.setParameter("hashes", new MessageDigest[] {md5, sha});
     }
 
-    /**
-     * Reset the MessageDigests unless they are already reset.
-     */
-    private void reset() {
-        if (isReset == false) {
-            md5.reset();
-            sha.reset();
-            isReset = true;
-        }
-    }
-
-    private static void checkNull(Key key) throws InvalidKeyException {
-        if (key == null) {
-            throw new InvalidKeyException("Key must not be null");
-        }
-    }
-
     @Override
     protected void engineInitVerify(PublicKey publicKey)
             throws InvalidKeyException {
-        checkNull(publicKey);
-        reset();
+        if (publicKey == null) {
+            throw new InvalidKeyException("Public key must not be null");
+        }
+        mdMD5.reset();
+        mdSHA.reset();
         rawRsa.initVerify(publicKey);
     }
 
@@ -122,42 +108,31 @@
     @Override
     protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
             throws InvalidKeyException {
-        checkNull(privateKey);
-        reset();
-        rawRsa.initSign(privateKey, random);
-    }
-
-    // lazily initialize the MessageDigests
-    private void initDigests() {
-        if (md5 == null) {
-            md5 = JsseJce.getMD5();
-            sha = JsseJce.getSHA();
+        if (privateKey == null) {
+            throw new InvalidKeyException("Private key must not be null");
         }
+        mdMD5.reset();
+        mdSHA.reset();
+        rawRsa.initSign(privateKey, random);
     }
 
     @Override
     protected void engineUpdate(byte b) {
-        initDigests();
-        isReset = false;
-        md5.update(b);
-        sha.update(b);
+        mdMD5.update(b);
+        mdSHA.update(b);
     }
 
     @Override
     protected void engineUpdate(byte[] b, int off, int len) {
-        initDigests();
-        isReset = false;
-        md5.update(b, off, len);
-        sha.update(b, off, len);
+        mdMD5.update(b, off, len);
+        mdSHA.update(b, off, len);
     }
 
     private byte[] getDigest() throws SignatureException {
         try {
-            initDigests();
             byte[] data = new byte[36];
-            md5.digest(data, 0, 16);
-            sha.digest(data, 16, 20);
-            isReset = true;
+            mdMD5.digest(data, 0, 16);
+            mdSHA.digest(data, 16, 20);
             return data;
         } catch (DigestException e) {
             // should never occur
@@ -185,26 +160,28 @@
 
     @Override
     @SuppressWarnings("deprecation")
-    protected void engineSetParameter(String param, Object value)
-            throws InvalidParameterException {
-        if (param.equals("hashes") == false) {
-            throw new InvalidParameterException
-                ("Parameter not supported: " + param);
-        }
-        if (value instanceof MessageDigest[] == false) {
-            throw new InvalidParameterException
-                ("value must be MessageDigest[]");
+    protected void engineSetParameter(String param,
+            Object value) throws InvalidParameterException {
+        throw new InvalidParameterException("Parameters not supported");
+    }
+
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameters accepted");
         }
-        MessageDigest[] digests = (MessageDigest[])value;
-        md5 = digests[0];
-        sha = digests[1];
     }
 
     @Override
     @SuppressWarnings("deprecation")
-    protected Object engineGetParameter(String param)
-            throws InvalidParameterException {
+    protected Object engineGetParameter(
+            String param) throws InvalidParameterException {
         throw new InvalidParameterException("Parameters not supported");
     }
 
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
 }
--- old/src/java.base/share/classes/sun/security/ssl/RandomCookie.java	2018-05-11 15:05:35.862844300 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/RandomCookie.java	2018-05-11 15:05:35.227065400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,11 +23,12 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.io.*;
+import java.nio.ByteBuffer;
 import java.security.SecureRandom;
+import java.util.Arrays;
 
 /*
  * RandomCookie ... SSL hands standard format random cookies (nonces)
@@ -37,33 +38,57 @@
  * @author David Brownell
  */
 final class RandomCookie {
+    final byte[] randomBytes = new byte[32];   // exactly 32 bytes
+
+    private static final byte[] hrrRandomBytes = new byte[] {
+            (byte)0xCF, (byte)0x21, (byte)0xAD, (byte)0x74,
+            (byte)0xE5, (byte)0x9A, (byte)0x61, (byte)0x11,
+            (byte)0xBE, (byte)0x1D, (byte)0x8C, (byte)0x02,
+            (byte)0x1E, (byte)0x65, (byte)0xB8, (byte)0x91,
+            (byte)0xC2, (byte)0xA2, (byte)0x11, (byte)0x16,
+            (byte)0x7A, (byte)0xBB, (byte)0x8C, (byte)0x5E,
+            (byte)0x07, (byte)0x9E, (byte)0x09, (byte)0xE2,
+            (byte)0xC8, (byte)0xA8, (byte)0x33, (byte)0x9C
+        };
+
+    private static final byte[] t12Protection = new byte[] {
+            (byte)0x44, (byte)0x4F, (byte)0x57, (byte)0x4E,
+            (byte)0x47, (byte)0x52, (byte)0x44, (byte)0x01
+        };
+
+    private static final byte[] t11Protection = new byte[] {
+            (byte)0x44, (byte)0x4F, (byte)0x57, (byte)0x4E,
+            (byte)0x47, (byte)0x52, (byte)0x44, (byte)0x01
+        };
 
-    byte[] random_bytes;  // exactly 32 bytes
+    static final RandomCookie hrrRandom = new RandomCookie(hrrRandomBytes);
 
     RandomCookie(SecureRandom generator) {
-        random_bytes = new byte[32];
-        generator.nextBytes(random_bytes);
+        generator.nextBytes(randomBytes);
+    }
+
+    RandomCookie(ByteBuffer m) throws IOException {
+        m.get(randomBytes);
+    }
+
+    private RandomCookie(byte[] randomBytes) {
+        System.arraycopy(randomBytes, 0, this.randomBytes, 0, 32);
+    }
+
+    @Override
+    public String toString() {
+        return "random_bytes = {" + Utilities.toHexString(randomBytes) + "}";
+    }
+
+    boolean isHelloRetryRequest() {
+        return Arrays.equals(hrrRandomBytes, randomBytes);
+    }
+
+    boolean isT12Downgrade() {
+        return Arrays.equals(hrrRandomBytes, 24, 31, t12Protection, 0, 7);
     }
 
-    RandomCookie(HandshakeInStream m) throws IOException {
-        random_bytes = new byte[32];
-        m.read(random_bytes, 0, 32);
-    }
-
-    void send(HandshakeOutStream out) throws IOException {
-        out.write(random_bytes, 0, 32);
-    }
-
-    void print(PrintStream s) {
-        s.print("random_bytes = {");
-        for (int i = 0; i < 32; i++) {
-            int k = random_bytes[i] & 0xFF;
-            if (i != 0) {
-                s.print(' ');
-            }
-            s.print(Utilities.hexDigits[k >>> 4]);
-            s.print(Utilities.hexDigits[k & 0xf]);
-        }
-        s.println("}");
+    boolean isT11Downgrade() {
+        return Arrays.equals(hrrRandomBytes, 24, 31, t11Protection, 0, 7);
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/Record.java	2018-05-11 15:05:37.948218600 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Record.java	2018-05-11 15:05:37.407674400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,27 +25,19 @@
 
 package sun.security.ssl;
 
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import javax.net.ssl.SSLException;
+
 /**
- * SSL/TLS/DTLS records, as pulled off (and put onto) a TCP stream.  This is
- * the base interface, which defines common information and interfaces
+ * SSL/(D)TLS record.
+ *
+ * This is the base interface, which defines common information and interfaces
  * used by both Input and Output records.
  *
  * @author David Brownell
  */
 interface Record {
-
-    /*
-     * There are four record types, which are part of the interface
-     * to this level (along with the maximum record size).
-     *
-     * enum { change_cipher_spec(20), alert(21), handshake(22),
-     *      application_data(23), (255) } ContentType;
-     */
-    static final byte   ct_change_cipher_spec = 20;
-    static final byte   ct_alert = 21;
-    static final byte   ct_handshake = 22;
-    static final byte   ct_application_data = 23;
-
     static final int    maxMacSize = 48;        // the max supported MAC or
                                                 // AEAD tag size
     static final int    maxDataSize = 16384;    // 2^14 bytes of data
@@ -59,35 +51,146 @@
      * System property to enable/disable CBC protection in SSL3/TLS1.
      */
     static final boolean enableCBCProtection =
-            Debug.getBooleanProperty("jsse.enableCBCProtection", true);
+            Utilities.getBooleanProperty("jsse.enableCBCProtection", true);
 
     /*
      * The overflow values of integers of 8, 16 and 24 bits.
      */
-    static final int OVERFLOW_OF_INT08 = (1 << 8);
-    static final int OVERFLOW_OF_INT16 = (1 << 16);
-    static final int OVERFLOW_OF_INT24 = (1 << 24);
-
-    /**
-     * Return a description for the given content type.
-     */
-    static String contentName(byte contentType) {
-        switch (contentType) {
-        case ct_change_cipher_spec:
-            return "Change Cipher Spec";
-        case ct_alert:
-            return "Alert";
-        case ct_handshake:
-            return "Handshake";
-        case ct_application_data:
-            return "Application Data";
-        default:
-            return "contentType = " + contentType;
+    static final int OVERFLOW_OF_INT08 = (0x01 << 8);
+    static final int OVERFLOW_OF_INT16 = (0x01 << 16);
+    static final int OVERFLOW_OF_INT24 = (0x01 << 24);
+
+    /*
+     * Read 8, 16, 24, and 32 bit integer data types, encoded
+     * in standard big-endian form.
+     */
+    static int getInt8(ByteBuffer m) throws IOException {
+        Record.verifyLength(m, 1);
+        return (m.get() & 0xFF);
+    }
+
+    static int getInt16(ByteBuffer m) throws IOException {
+        Record.verifyLength(m, 2);
+        return ((m.get() & 0xFF) << 8) |
+                (m.get() & 0xFF);
+    }
+
+    static int getInt24(ByteBuffer m) throws IOException {
+        Record.verifyLength(m, 3);
+        return ((m.get() & 0xFF) << 16) |
+               ((m.get() & 0xFF) <<  8) |
+                (m.get() & 0xFF);
+    }
+
+    static int getInt32(ByteBuffer m) throws IOException {
+        Record.verifyLength(m, 4);
+        return ((m.get() & 0xFF) << 24) |
+               ((m.get() & 0xFF) << 16) |
+               ((m.get() & 0xFF) <<  8) |
+                (m.get() & 0xFF);
+    }
+
+    /*
+     * Read byte vectors with 8, 16, and 24 bit length encodings.
+     */
+    static byte[] getBytes8(ByteBuffer m) throws IOException {
+        int len = Record.getInt8(m);
+        Record.verifyLength(m, len);
+        byte[] b = new byte[len];
+
+        m.get(b);
+        return b;
+    }
+
+    static byte[] getBytes16(ByteBuffer m) throws IOException {
+        int len = Record.getInt16(m);
+        Record.verifyLength(m, len);
+        byte[] b = new byte[len];
+
+        m.get(b);
+        return b;
+    }
+
+    static byte[] getBytes24(ByteBuffer m) throws IOException {
+        int len = Record.getInt24(m);
+        Record.verifyLength(m, len);
+        byte[] b = new byte[len];
+
+        m.get(b);
+        return b;
+    }
+
+    /*
+     * Write 8, 16, 24, and 32 bit integer data types, encoded
+     * in standard big-endian form.
+     */
+    static void putInt8(ByteBuffer m, int i) throws IOException {
+        Record.verifyLength(m, 1);
+        m.put((byte)(i & 0xFF));
+    }
+
+    static void putInt16(ByteBuffer m, int i) throws IOException {
+        Record.verifyLength(m, 2);
+        m.put((byte)((i >> 8) & 0xFF));
+        m.put((byte)(i & 0xFF));
+    }
+
+    static void putInt24(ByteBuffer m, int i) throws IOException {
+        Record.verifyLength(m, 3);
+        m.put((byte)((i >> 16) & 0xFF));
+        m.put((byte)((i >> 8) & 0xFF));
+        m.put((byte)(i & 0xFF));
+    }
+
+    static void putInt32(ByteBuffer m, int i) throws IOException {
+        m.put((byte)((i >> 24) & 0xFF));
+        m.put((byte)((i >> 16) & 0xFF));
+        m.put((byte)((i >> 8) & 0xFF));
+        m.put((byte)(i & 0xFF));
+    }
+
+    /*
+     * Write byte vectors with 8, 16, and 24 bit length encodings.
+     */
+    static void putBytes8(ByteBuffer m, byte[] s) throws IOException {
+        if (s == null || s.length == 0) {
+            Record.verifyLength(m, 1);
+            putInt8(m, 0);
+        } else {
+            Record.verifyLength(m, 1 + s.length);
+            putInt8(m, s.length);
+            m.put(s);
         }
     }
 
-    static boolean isValidContentType(byte contentType) {
-        return (contentType == 20) || (contentType == 21) ||
-               (contentType == 22) || (contentType == 23);
+    static void putBytes16(ByteBuffer m, byte[] s) throws IOException {
+        if (s == null || s.length == 0) {
+            Record.verifyLength(m, 2);
+            putInt16(m, 0);
+        } else {
+            Record.verifyLength(m, 2 + s.length);
+            putInt16(m, s.length);
+            m.put(s);
+        }
+    }
+
+    static void putBytes24(ByteBuffer m, byte[] s) throws IOException {
+        if (s == null || s.length == 0) {
+            Record.verifyLength(m, 3);
+            putInt24(m, 0);
+        } else {
+            Record.verifyLength(m, 3 + s.length);
+            putInt24(m, s.length);
+            m.put(s);
+        }
+    }
+
+    // Verify that the buffer has sufficient remaining.
+    static void verifyLength(
+            ByteBuffer m, int len) throws SSLException {
+        if (len > m.remaining()) {
+            throw new SSLException("Insufficient space in the buffer, " +
+                    "may be cause by unexpected end of handshake data.");
+        }
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	2018-05-11 15:05:39.955941600 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java	2018-05-11 15:05:39.401815600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,18 +26,13 @@
 package sun.security.ssl;
 
 import java.security.AlgorithmConstraints;
-import java.security.CryptoPrimitive;
 import java.security.AlgorithmParameters;
-
-import javax.net.ssl.*;
-
+import java.security.CryptoPrimitive;
 import java.security.Key;
-
 import java.util.Set;
-
+import javax.net.ssl.*;
 import sun.security.util.DisabledAlgorithmConstraints;
 import static sun.security.util.DisabledAlgorithmConstraints.*;
-import sun.security.ssl.CipherSuite.*;
 
 /**
  * Algorithm constraints for disabled algorithms property
@@ -55,10 +50,10 @@
             new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS,
                     new SSLAlgorithmDecomposer(true));
 
-    private AlgorithmConstraints userAlgConstraints = null;
-    private AlgorithmConstraints peerAlgConstraints = null;
+    private final AlgorithmConstraints userSpecifiedConstraints;
+    private final AlgorithmConstraints peerSpecifiedConstraints;
 
-    private boolean enabledX509DisabledAlgConstraints = true;
+    private final boolean enabledX509DisabledAlgConstraints;
 
     // the default algorithm constraints
     static final AlgorithmConstraints DEFAULT =
@@ -68,60 +63,86 @@
     static final AlgorithmConstraints DEFAULT_SSL_ONLY =
                         new SSLAlgorithmConstraints((SSLSocket)null, false);
 
-    SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
-        userAlgConstraints = algorithmConstraints;
+    SSLAlgorithmConstraints(AlgorithmConstraints userSpecifiedConstraints) {
+        this.userSpecifiedConstraints = userSpecifiedConstraints;
+        this.peerSpecifiedConstraints = null;
+        this.enabledX509DisabledAlgConstraints = true;
     }
 
     SSLAlgorithmConstraints(SSLSocket socket,
             boolean withDefaultCertPathConstraints) {
+        AlgorithmConstraints configuredConstraints = null;
         if (socket != null) {
-            userAlgConstraints =
-                socket.getSSLParameters().getAlgorithmConstraints();
-        }
-
-        if (!withDefaultCertPathConstraints) {
-            enabledX509DisabledAlgConstraints = false;
-        }
+            HandshakeContext hc =
+                    ((SSLSocketImpl)socket).conContext.handshakeContext;
+            if (hc != null) {
+                configuredConstraints = hc.sslConfig.algorithmConstraints;
+            } else {
+                configuredConstraints = null;
+            }
+        }
+        this.userSpecifiedConstraints = configuredConstraints;
+        this.peerSpecifiedConstraints = null;
+        this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
     }
 
     SSLAlgorithmConstraints(SSLEngine engine,
             boolean withDefaultCertPathConstraints) {
+        AlgorithmConstraints configuredConstraints = null;
         if (engine != null) {
-            userAlgConstraints =
-                engine.getSSLParameters().getAlgorithmConstraints();
-        }
-
-        if (!withDefaultCertPathConstraints) {
-            enabledX509DisabledAlgConstraints = false;
-        }
+            HandshakeContext hc =
+                    ((SSLEngineImpl)engine).conContext.handshakeContext;
+            if (hc != null) {
+                configuredConstraints = hc.sslConfig.algorithmConstraints;
+            } else {
+                configuredConstraints = null;
+            }
+        }
+        this.userSpecifiedConstraints = configuredConstraints;
+        this.peerSpecifiedConstraints = null;
+        this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
     }
 
     SSLAlgorithmConstraints(SSLSocket socket, String[] supportedAlgorithms,
             boolean withDefaultCertPathConstraints) {
+        AlgorithmConstraints configuredConstraints = null;
+        AlgorithmConstraints negotiatedConstraints = null;
         if (socket != null) {
-            userAlgConstraints =
-                socket.getSSLParameters().getAlgorithmConstraints();
-            peerAlgConstraints =
-                new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
-        }
+            HandshakeContext hc =
+                    ((SSLSocketImpl)socket).conContext.handshakeContext;
+            if (hc != null) {
+                configuredConstraints = hc.sslConfig.algorithmConstraints;
+            } else {
+                configuredConstraints = null;
+            }
 
-        if (!withDefaultCertPathConstraints) {
-            enabledX509DisabledAlgConstraints = false;
+            negotiatedConstraints =
+                new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
         }
+        this.userSpecifiedConstraints = configuredConstraints;
+        this.peerSpecifiedConstraints = negotiatedConstraints;
+        this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
     }
 
     SSLAlgorithmConstraints(SSLEngine engine, String[] supportedAlgorithms,
             boolean withDefaultCertPathConstraints) {
+        AlgorithmConstraints configuredConstraints = null;
+        AlgorithmConstraints negotiatedConstraints = null;
         if (engine != null) {
-            userAlgConstraints =
-                engine.getSSLParameters().getAlgorithmConstraints();
-            peerAlgConstraints =
-                new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
-        }
+            HandshakeContext hc =
+                    ((SSLEngineImpl)engine).conContext.handshakeContext;
+            if (hc != null) {
+                configuredConstraints = hc.sslConfig.algorithmConstraints;
+            } else {
+                configuredConstraints = null;
+            }
 
-        if (!withDefaultCertPathConstraints) {
-            enabledX509DisabledAlgConstraints = false;
+            negotiatedConstraints =
+                new SupportedSignatureAlgorithmConstraints(supportedAlgorithms);
         }
+        this.userSpecifiedConstraints = configuredConstraints;
+        this.peerSpecifiedConstraints = negotiatedConstraints;
+        this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints;
     }
 
     @Override
@@ -130,13 +151,13 @@
 
         boolean permitted = true;
 
-        if (peerAlgConstraints != null) {
-            permitted = peerAlgConstraints.permits(
+        if (peerSpecifiedConstraints != null) {
+            permitted = peerSpecifiedConstraints.permits(
                                     primitives, algorithm, parameters);
         }
 
-        if (permitted && userAlgConstraints != null) {
-            permitted = userAlgConstraints.permits(
+        if (permitted && userSpecifiedConstraints != null) {
+            permitted = userSpecifiedConstraints.permits(
                                     primitives, algorithm, parameters);
         }
 
@@ -158,12 +179,12 @@
 
         boolean permitted = true;
 
-        if (peerAlgConstraints != null) {
-            permitted = peerAlgConstraints.permits(primitives, key);
+        if (peerSpecifiedConstraints != null) {
+            permitted = peerSpecifiedConstraints.permits(primitives, key);
         }
 
-        if (permitted && userAlgConstraints != null) {
-            permitted = userAlgConstraints.permits(primitives, key);
+        if (permitted && userSpecifiedConstraints != null) {
+            permitted = userSpecifiedConstraints.permits(primitives, key);
         }
 
         if (permitted) {
@@ -183,13 +204,13 @@
 
         boolean permitted = true;
 
-        if (peerAlgConstraints != null) {
-            permitted = peerAlgConstraints.permits(
+        if (peerSpecifiedConstraints != null) {
+            permitted = peerSpecifiedConstraints.permits(
                                     primitives, algorithm, key, parameters);
         }
 
-        if (permitted && userAlgConstraints != null) {
-            permitted = userAlgConstraints.permits(
+        if (permitted && userSpecifiedConstraints != null) {
+            permitted = userSpecifiedConstraints.permits(
                                     primitives, algorithm, key, parameters);
         }
 
--- old/src/java.base/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java	2018-05-11 15:05:42.161895400 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java	2018-05-11 15:05:41.576807800 -0700
@@ -27,9 +27,22 @@
 
 import java.util.HashSet;
 import java.util.Set;
-import sun.security.util.AlgorithmDecomposer;
-import static sun.security.ssl.CipherSuite.*;
+import sun.security.ssl.CipherSuite.HashAlg;
+import sun.security.ssl.CipherSuite.KeyExchange;
 import static sun.security.ssl.CipherSuite.KeyExchange.*;
+import sun.security.ssl.CipherSuite.MacAlg;
+import static sun.security.ssl.SSLCipher.B_3DES;
+import static sun.security.ssl.SSLCipher.B_AES_128;
+import static sun.security.ssl.SSLCipher.B_AES_128_GCM;
+import static sun.security.ssl.SSLCipher.B_AES_256;
+import static sun.security.ssl.SSLCipher.B_AES_256_GCM;
+import static sun.security.ssl.SSLCipher.B_DES;
+import static sun.security.ssl.SSLCipher.B_DES_40;
+import static sun.security.ssl.SSLCipher.B_NULL;
+import static sun.security.ssl.SSLCipher.B_RC2_40;
+import static sun.security.ssl.SSLCipher.B_RC4_128;
+import static sun.security.ssl.SSLCipher.B_RC4_40;
+import sun.security.util.AlgorithmDecomposer;
 
 /**
  * The class decomposes standard SSL/TLS cipher suites into sub-elements.
@@ -126,18 +139,13 @@
                 }
                 break;
             default:
-                if (ClientKeyExchangeService.find(keyExchange.name) != null) {
-                    if (!onlyX509) {
-                        components.add(keyExchange.name);
-                    }
-                }
                 // otherwise ignore
             }
 
         return components;
     }
 
-    private Set<String> decomposes(CipherSuite.BulkCipher bulkCipher) {
+    private Set<String> decomposes(SSLCipher bulkCipher) {
         Set<String> components = new HashSet<>();
 
         if (bulkCipher.transformation != null) {
@@ -185,7 +193,7 @@
     }
 
     private Set<String> decomposes(CipherSuite.MacAlg macAlg,
-            BulkCipher cipher) {
+            SSLCipher cipher) {
         Set<String> components = new HashSet<>();
 
         if (macAlg == CipherSuite.MacAlg.M_NULL
@@ -211,8 +219,26 @@
         return components;
     }
 
-    private Set<String> decompose(KeyExchange keyExchange, BulkCipher cipher,
-            MacAlg macAlg) {
+    private Set<String> decomposes(CipherSuite.HashAlg hashAlg) {
+        Set<String> components = new HashSet<>();
+
+        if (hashAlg == CipherSuite.HashAlg.H_SHA256) {
+            components.add("SHA256");
+            components.add("SHA-256");
+            components.add("HmacSHA256");
+        } else if (hashAlg == CipherSuite.HashAlg.H_SHA384) {
+            components.add("SHA384");
+            components.add("SHA-384");
+            components.add("HmacSHA384");
+        }
+
+        return components;
+    }
+
+    private Set<String> decompose(KeyExchange keyExchange,
+            SSLCipher cipher,
+            MacAlg macAlg,
+            HashAlg hashAlg) {
         Set<String> components = new HashSet<>();
 
         if (keyExchange != null) {
@@ -233,6 +259,10 @@
             components.addAll(decomposes(macAlg, cipher));
         }
 
+        if (hashAlg != null) {
+            components.addAll(decomposes(hashAlg));
+        }
+
         return components;
     }
 
@@ -241,18 +271,19 @@
         if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) {
             CipherSuite cipherSuite = null;
             try {
-                cipherSuite = CipherSuite.valueOf(algorithm);
+                cipherSuite = CipherSuite.nameOf(algorithm);
             } catch (IllegalArgumentException iae) {
                 // ignore: unknown or unsupported ciphersuite
             }
 
             if (cipherSuite != null) {
-                return decompose(cipherSuite.keyExchange, cipherSuite.cipher,
-                        cipherSuite.macAlg);
+                return decompose(cipherSuite.keyExchange,
+                        cipherSuite.bulkCipher,
+                        cipherSuite.macAlg,
+                        cipherSuite.hashAlg);
             }
         }
 
         return super.decompose(algorithm);
     }
-
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	2018-05-11 15:05:44.248201800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java	2018-05-11 15:05:43.677921900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,23 +25,23 @@
 
 package sun.security.ssl;
 
-import java.net.Socket;
-
 import java.io.*;
-import java.util.*;
+import java.net.Socket;
 import java.security.*;
 import java.security.cert.*;
-import java.security.cert.Certificate;
-
+import java.util.*;
 import javax.net.ssl.*;
-
-import sun.security.provider.certpath.AlgorithmChecker;
 import sun.security.action.GetPropertyAction;
+import sun.security.provider.certpath.AlgorithmChecker;
 import sun.security.validator.Validator;
 
-public abstract class SSLContextImpl extends SSLContextSpi {
+/**
+ * Implementation of an SSLContext.
+ *
+ * Instances of this class are immutable after the context is initialized.
+ */
 
-    private static final Debug debug = Debug.getInstance("ssl");
+public abstract class SSLContextImpl extends SSLContextSpi {
 
     private final EphemeralKeyManager ephemeralKeyManager;
     private final SSLSessionContextImpl clientCache;
@@ -56,13 +56,13 @@
     // DTLS cookie exchange manager
     private volatile HelloCookieManager helloCookieManager;
 
-    private final boolean clientEnableStapling = Debug.getBooleanProperty(
+    private final boolean clientEnableStapling = Utilities.getBooleanProperty(
             "jdk.tls.client.enableStatusRequestExtension", true);
-    private final boolean serverEnableStapling = Debug.getBooleanProperty(
+    private final boolean serverEnableStapling = Utilities.getBooleanProperty(
             "jdk.tls.server.enableStatusRequestExtension", false);
-    private final static Collection<CipherSuite> clientCustomizedCipherSuites =
+    private static final Collection<CipherSuite> clientCustomizedCipherSuites =
             getCustomizedCipherSuites("jdk.tls.client.cipherSuites");
-    private final static Collection<CipherSuite> serverCustomizedCipherSuites =
+    private static final Collection<CipherSuite> serverCustomizedCipherSuites =
             getCustomizedCipherSuites("jdk.tls.server.cipherSuites");
 
     private volatile StatusResponseManager statusResponseManager;
@@ -109,12 +109,12 @@
          * first connection to timeout and fail. Make sure it is
          * primed and ready by getting some initial output from it.
          */
-        if (debug != null && Debug.isOn("sslctx")) {
-            System.out.println("trigger seeding of SecureRandom");
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+            SSLLogger.finest("trigger seeding of SecureRandom");
         }
         secureRandom.nextInt();
-        if (debug != null && Debug.isOn("sslctx")) {
-            System.out.println("done seeding SecureRandom");
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+            SSLLogger.finest("done seeding of SecureRandom");
         }
 
         isInitialized = true;
@@ -168,10 +168,10 @@
             if (km instanceof X509ExtendedKeyManager) {
                 return (X509ExtendedKeyManager)km;
             }
-            if (debug != null && Debug.isOn("sslctx")) {
-                System.out.println(
-                    "X509KeyManager passed to " +
-                    "SSLContext.init():  need an " +
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+                SSLLogger.warning(
+                    "X509KeyManager passed to SSLContext.init():  need an " +
                     "X509ExtendedKeyManager for SSLEngine use");
             }
             return new AbstractKeyManagerWrapper((X509KeyManager)km);
@@ -242,36 +242,27 @@
         return ephemeralKeyManager;
     }
 
-    // Used for DTLS in server mode only, see ServerHandshaker.
-    HelloCookieManager getHelloCookieManager() {
-        if (!isInitialized) {
-            throw new IllegalStateException("SSLContext is not initialized");
-        }
-
+    // Used for DTLS in server mode only.
+    HelloCookieManager getHelloCookieManager(ProtocolVersion protocolVersion) {
         if (helloCookieManager != null) {
-            return helloCookieManager;
+            return helloCookieManager.valueOf(protocolVersion);
         }
 
         synchronized (this) {
             if (helloCookieManager == null) {
-                helloCookieManager = getHelloCookieManager(secureRandom);
+                helloCookieManager = new HelloCookieManager(secureRandom);
             }
         }
 
-        return helloCookieManager;
-    }
-
-    HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {
-        throw new UnsupportedOperationException(
-                "Cookie exchange applies to DTLS only");
+        return helloCookieManager.valueOf(protocolVersion);
     }
 
     StatusResponseManager getStatusResponseManager() {
         if (serverEnableStapling && statusResponseManager == null) {
             synchronized (this) {
                 if (statusResponseManager == null) {
-                    if (debug != null && Debug.isOn("sslctx")) {
-                        System.out.println(
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+                        SSLLogger.finest(
                                 "Initializing StatusResponseManager");
                     }
                     statusResponseManager = new StatusResponseManager();
@@ -282,52 +273,55 @@
         return statusResponseManager;
     }
 
-    // Get supported ProtocolList.
-    abstract ProtocolList getSuportedProtocolList();
+    // Get supported protocols.
+    abstract List<ProtocolVersion> getSuportedProtocolVersions();
+
+    // Get default protocols for server mode.
+    abstract List<ProtocolVersion> getServerDefaultProtocolVersions();
 
-    // Get default ProtocolList for server mode.
-    abstract ProtocolList getServerDefaultProtocolList();
+    // Get default protocols for client mode.
+    abstract List<ProtocolVersion> getClientDefaultProtocolVersions();
 
-    // Get default ProtocolList for client mode.
-    abstract ProtocolList getClientDefaultProtocolList();
+    // Get supported CipherSuite list.
+    abstract List<CipherSuite> getSupportedCipherSuites();
 
-    // Get supported CipherSuiteList.
-    abstract CipherSuiteList getSupportedCipherSuiteList();
+    // Get default CipherSuite list for server mode.
+    abstract List<CipherSuite> getServerDefaultCipherSuites();
 
-    // Get default CipherSuiteList for server mode.
-    abstract CipherSuiteList getServerDefaultCipherSuiteList();
+    // Get default CipherSuite list for client mode.
+    abstract List<CipherSuite> getClientDefaultCipherSuites();
 
-    // Get default CipherSuiteList for client mode.
-    abstract CipherSuiteList getClientDefaultCipherSuiteList();
+    // Is the context for DTLS protocols?
+    abstract boolean isDTLS();
 
-    // Get default ProtocolList.
-    ProtocolList getDefaultProtocolList(boolean roleIsServer) {
-        return roleIsServer ? getServerDefaultProtocolList()
-                            : getClientDefaultProtocolList();
+    // Get default protocols.
+    List<ProtocolVersion> getDefaultProtocolVersions(boolean roleIsServer) {
+        return roleIsServer ? getServerDefaultProtocolVersions()
+                            : getClientDefaultProtocolVersions();
     }
 
-    // Get default CipherSuiteList.
-    CipherSuiteList getDefaultCipherSuiteList(boolean roleIsServer) {
-        return roleIsServer ? getServerDefaultCipherSuiteList()
-                            : getClientDefaultCipherSuiteList();
+    // Get default CipherSuite list.
+    List<CipherSuite> getDefaultCipherSuites(boolean roleIsServer) {
+        return roleIsServer ? getServerDefaultCipherSuites()
+                            : getClientDefaultCipherSuites();
     }
 
     /**
      * Return whether a protocol list is the original default enabled
      * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
      */
-    boolean isDefaultProtocolList(ProtocolList protocols) {
-        return (protocols == getServerDefaultProtocolList()) ||
-               (protocols == getClientDefaultProtocolList());
+    boolean isDefaultProtocolVesions(List<ProtocolVersion> protocols) {
+        return (protocols == getServerDefaultProtocolVersions()) ||
+               (protocols == getClientDefaultProtocolVersions());
     }
 
     /**
      * Return whether a protocol list is the original default enabled
      * protocols.  See: SSLSocket/SSLEngine.setEnabledProtocols()
      */
-    boolean isDefaultCipherSuiteList(CipherSuiteList cipherSuites) {
-        return (cipherSuites == getServerDefaultCipherSuiteList()) ||
-               (cipherSuites == getClientDefaultCipherSuiteList());
+    boolean isDefaultCipherSuiteList(List<CipherSuite> cipherSuites) {
+        return (cipherSuites == getServerDefaultCipherSuites()) ||
+               (cipherSuites == getClientDefaultCipherSuites());
     }
 
     /**
@@ -342,93 +336,83 @@
         return isClient ? clientEnableStapling : serverEnableStapling;
     }
 
-
     /*
      * Return the list of all available CipherSuites that are supported
      * using currently installed providers.
      */
-    private static CipherSuiteList getApplicableSupportedCipherSuiteList(
-            ProtocolList protocols) {
+    private static List<CipherSuite> getApplicableSupportedCipherSuites(
+            List<ProtocolVersion> protocols) {
 
-        return getApplicableCipherSuiteList(
-                CipherSuite.allowedCipherSuites(),
-                protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);
+        return getApplicableCipherSuites(
+                CipherSuite.allowedCipherSuites(), protocols);
     }
 
     /*
      * Return the list of all available CipherSuites that are default enabled
      * in client or server side.
      */
-    private static CipherSuiteList getApplicableEnabledCipherSuiteList(
-            ProtocolList protocols, boolean isClient) {
+    private static List<CipherSuite> getApplicableEnabledCipherSuites(
+            List<ProtocolVersion> protocols, boolean isClient) {
 
         if (isClient) {
             if (!clientCustomizedCipherSuites.isEmpty()) {
-                return getApplicableCipherSuiteList(
-                        clientCustomizedCipherSuites,
-                        protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);
+                return getApplicableCipherSuites(
+                        clientCustomizedCipherSuites, protocols);
             }
         } else {
             if (!serverCustomizedCipherSuites.isEmpty()) {
-                return getApplicableCipherSuiteList(
-                        serverCustomizedCipherSuites,
-                        protocols, CipherSuite.SUPPORTED_SUITES_PRIORITY);
+                return getApplicableCipherSuites(
+                        serverCustomizedCipherSuites, protocols);
             }
         }
 
-        return getApplicableCipherSuiteList(
-                CipherSuite.allowedCipherSuites(),
-                protocols, CipherSuite.DEFAULT_SUITES_PRIORITY);
+        return getApplicableCipherSuites(
+                CipherSuite.defaultCipherSuites(), protocols);
     }
 
     /*
      * Return the list of available CipherSuites which are applicable to
      * the specified protocols.
      */
-    private static CipherSuiteList getApplicableCipherSuiteList(
+    private static List<CipherSuite> getApplicableCipherSuites(
             Collection<CipherSuite> allowedCipherSuites,
-            ProtocolList protocols, int minPriority) {
-
+            List<ProtocolVersion> protocols) {
         TreeSet<CipherSuite> suites = new TreeSet<>();
-        if (!(protocols.collection().isEmpty()) &&
-                protocols.min.v != ProtocolVersion.NONE.v) {
+        if (protocols != null && (!protocols.isEmpty())) {
             for (CipherSuite suite : allowedCipherSuites) {
-                if (!suite.allowed || suite.priority < minPriority) {
+                if (!suite.isAvailable()) {
                     continue;
                 }
 
-                if (suite.isAvailable() &&
-                        !protocols.min.obsoletes(suite) &&
-                        protocols.max.supports(suite)) {
+                boolean isSupported = false;
+                for (ProtocolVersion protocol : protocols) {
+                    if (!suite.supports(protocol)) {
+                        continue;
+                    }
+
                     if (SSLAlgorithmConstraints.DEFAULT.permits(
                             EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                             suite.name, null)) {
                         suites.add(suite);
-                    } else {
-                        if (debug != null && Debug.isOn("sslctx") &&
-                                Debug.isOn("verbose")) {
-                            System.out.println(
-                                    "Ignoring disabled cipher suite: " +
-                                            suite.name);
-                        }
-                    }
-                } else if (debug != null &&
-                        Debug.isOn("sslctx") && Debug.isOn("verbose")) {
-                    if (protocols.min.obsoletes(suite)) {
-                        System.out.println(
-                            "Ignoring obsoleted cipher suite: " + suite);
-                    } else if (!protocols.max.supports(suite)) {
-                        System.out.println(
-                            "Ignoring unsupported cipher suite: " + suite);
-                    } else {
-                        System.out.println(
-                            "Ignoring unavailable cipher suite: " + suite);
+                        isSupported = true;
+                    } else if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,sslctx,verbose")) {
+                        SSLLogger.fine(
+                                "Ignore disabled cipher suite: " + suite.name);
                     }
+
+                    break;
+                }
+
+                if (!isSupported && SSLLogger.isOn &&
+                        SSLLogger.isOn("ssl,sslctx,verbose")) {
+                    SSLLogger.finest(
+                            "Ignore unsupported cipher suite: " + suite);
                 }
             }
         }
 
-        return new CipherSuiteList(suites);
+        return Arrays.asList(suites.toArray(new CipherSuite[0]));
     }
 
     /*
@@ -438,8 +422,8 @@
             String propertyName) {
 
         String property = GetPropertyAction.privilegedGetProperty(propertyName);
-        if (debug != null && Debug.isOn("sslctx")) {
-            System.out.println(
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+            SSLLogger.fine(
                     "System property " + propertyName + " is set to '" +
                     property + "'");
         }
@@ -463,10 +447,10 @@
 
                 CipherSuite suite;
                 try {
-                    suite = CipherSuite.valueOf(cipherSuiteNames[i]);
+                    suite = CipherSuite.nameOf(cipherSuiteNames[i]);
                 } catch (IllegalArgumentException iae) {
-                    if (debug != null && Debug.isOn("sslctx")) {
-                        System.out.println(
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+                        SSLLogger.fine(
                                 "Unknown or unsupported cipher suite name: " +
                                 cipherSuiteNames[i]);
                     }
@@ -474,11 +458,11 @@
                     continue;
                 }
 
-                if (suite.isAvailable()) {
+                if (suite != null && suite.isAvailable()) {
                     cipherSuites.add(suite);
                 } else {
-                    if (debug != null && Debug.isOn("sslctx")) {
-                        System.out.println(
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,sslctx")) {
+                        SSLLogger.fine(
                                 "The current installed providers do not " +
                                 "support cipher suite: " + cipherSuiteNames[i]);
                     }
@@ -492,23 +476,23 @@
     }
 
 
-    private static String[] getAvailableProtocols(
+    private static List<ProtocolVersion> getAvailableProtocols(
             ProtocolVersion[] protocolCandidates) {
 
-        List<String> availableProtocols = Collections.<String>emptyList();
+        List<ProtocolVersion> availableProtocols =
+                Collections.<ProtocolVersion>emptyList();
         if (protocolCandidates !=  null && protocolCandidates.length != 0) {
             availableProtocols = new ArrayList<>(protocolCandidates.length);
             for (ProtocolVersion p : protocolCandidates) {
-                if (ProtocolVersion.availableProtocols.contains(p)) {
-                    availableProtocols.add(p.name);
+                if (p.isAvailable) {
+                    availableProtocols.add(p);
                 }
             }
         }
 
-        return availableProtocols.toArray(new String[0]);
+        return availableProtocols;
     }
 
-
     /*
      * The SSLContext implementation for SSL/(D)TLS algorithm
      *
@@ -548,79 +532,88 @@
      * @see SSLContext
      */
     private abstract static class AbstractTLSContext extends SSLContextImpl {
-        private static final ProtocolList supportedProtocolList;
-        private static final ProtocolList serverDefaultProtocolList;
+        private static final List<ProtocolVersion> supportedProtocols;
+        private static final List<ProtocolVersion> serverDefaultProtocols;
 
-        private static final CipherSuiteList supportedCipherSuiteList;
-        private static final CipherSuiteList serverDefaultCipherSuiteList;
+        private static final List<CipherSuite> supportedCipherSuites;
+        private static final List<CipherSuite> serverDefaultCipherSuites;
 
         static {
             if (SunJSSE.isFIPS()) {
-                supportedProtocolList = new ProtocolList(new String[] {
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
-                });
+                supportedProtocols = Arrays.asList(
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10
+                );
 
-                serverDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.TLS10,
+                serverDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS12
-                }));
-            } else {
-                supportedProtocolList = new ProtocolList(new String[] {
-                    ProtocolVersion.SSL20Hello.name,
-                    ProtocolVersion.SSL30.name,
-                    ProtocolVersion.TLS10.name,
-                    ProtocolVersion.TLS11.name,
-                    ProtocolVersion.TLS12.name
+                    ProtocolVersion.TLS10
                 });
-
-                serverDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.SSL20Hello,
-                    ProtocolVersion.SSL30,
+            } else {
+                supportedProtocols = Arrays.asList(
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
                     ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.SSL20Hello
+                );
+
+                serverDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS12
-                }));
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30,
+                    ProtocolVersion.SSL20Hello
+                });
             }
 
-            supportedCipherSuiteList = getApplicableSupportedCipherSuiteList(
-                    supportedProtocolList);
-            serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    serverDefaultProtocolList, false);
+            supportedCipherSuites = getApplicableSupportedCipherSuites(
+                    supportedProtocols);
+            serverDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    serverDefaultProtocols, false);
         }
 
         @Override
-        ProtocolList getSuportedProtocolList() {
-            return supportedProtocolList;
+        List<ProtocolVersion> getSuportedProtocolVersions() {
+            return supportedProtocols;
         }
 
         @Override
-        CipherSuiteList getSupportedCipherSuiteList() {
-            return supportedCipherSuiteList;
+        List<CipherSuite> getSupportedCipherSuites() {
+            return supportedCipherSuites;
         }
 
         @Override
-        ProtocolList getServerDefaultProtocolList() {
-            return serverDefaultProtocolList;
+        List<ProtocolVersion> getServerDefaultProtocolVersions() {
+            return serverDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getServerDefaultCipherSuiteList() {
-            return serverDefaultCipherSuiteList;
+        List<CipherSuite> getServerDefaultCipherSuites() {
+            return serverDefaultCipherSuites;
         }
 
         @Override
         SSLEngine createSSLEngineImpl() {
-            return new SSLEngineImpl(this, false);
+            return new SSLEngineImpl(this);
         }
 
         @Override
         SSLEngine createSSLEngineImpl(String host, int port) {
-            return new SSLEngineImpl(this, host, port, false);
+            return new SSLEngineImpl(this, host, port);
+        }
+
+        @Override
+        boolean isDTLS() {
+            return false;
         }
     }
 
@@ -630,35 +623,35 @@
      * @see SSLContext
      */
     public static final class TLS10Context extends AbstractTLSContext {
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
             if (SunJSSE.isFIPS()) {
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
                     ProtocolVersion.TLS10
-                }));
+                });
             } else {
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.SSL30,
-                    ProtocolVersion.TLS10
-                }));
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30
+                });
             }
 
-            clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    clientDefaultProtocolList, true);
+            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    clientDefaultProtocols, true);
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -668,38 +661,38 @@
      * @see SSLContext
      */
     public static final class TLS11Context extends AbstractTLSContext {
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
             if (SunJSSE.isFIPS()) {
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.TLS10,
-                    ProtocolVersion.TLS11
-                }));
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10
+                });
             } else {
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.SSL30,
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS11,
                     ProtocolVersion.TLS10,
-                    ProtocolVersion.TLS11
-                }));
+                    ProtocolVersion.SSL30
+                });
             }
 
-            clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    clientDefaultProtocolList, true);
+            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    clientDefaultProtocols, true);
 
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -709,39 +702,83 @@
      * @see SSLContext
      */
     public static final class TLS12Context extends AbstractTLSContext {
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
             if (SunJSSE.isFIPS()) {
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.TLS10,
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS12
-                }));
+                    ProtocolVersion.TLS10
+                });
             } else {
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(new ProtocolVersion[] {
-                    ProtocolVersion.SSL30,
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
                     ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30
+                });
+            }
+
+            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    clientDefaultProtocols, true);
+        }
+
+        @Override
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
+        }
+
+        @Override
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
+        }
+    }
+
+    /*
+     * The SSLContext implementation for TLS1.3 algorithm
+     *
+     * @see SSLContext
+     */
+    public static final class TLS13Context extends AbstractTLSContext {
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
+
+        static {
+            if (SunJSSE.isFIPS()) {
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
                     ProtocolVersion.TLS11,
-                    ProtocolVersion.TLS12
-                }));
+                    ProtocolVersion.TLS10
+                });
+            } else {
+                clientDefaultProtocols = getAvailableProtocols(
+                        new ProtocolVersion[] {
+                    ProtocolVersion.TLS13,
+                    ProtocolVersion.TLS12,
+                    ProtocolVersion.TLS11,
+                    ProtocolVersion.TLS10,
+                    ProtocolVersion.SSL30
+                });
             }
 
-            clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    clientDefaultProtocolList, true);
+            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    clientDefaultProtocols, true);
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -753,7 +790,7 @@
     private static class CustomizedSSLProtocols {
         private static final String PROPERTY_NAME = "jdk.tls.client.protocols";
         static IllegalArgumentException reservedException = null;
-        static ArrayList<ProtocolVersion>
+        static final ArrayList<ProtocolVersion>
                                 customizedProtocols = new ArrayList<>();
 
         // Don't want a java.lang.LinkageError for illegal system property.
@@ -778,28 +815,27 @@
                 for (int i = 0; i < protocols.length; i++) {
                     protocols[i] = protocols[i].trim();
                     // Is it a supported protocol name?
-                    try {
-                        ProtocolVersion pro =
-                                ProtocolVersion.valueOf(protocols[i]);
-
-                        if (SunJSSE.isFIPS() &&
-                                ((pro.v == ProtocolVersion.SSL30.v) ||
-                                 (pro.v == ProtocolVersion.SSL20Hello.v))) {
-                            reservedException = new IllegalArgumentException(
-                                    PROPERTY_NAME + ": " + pro +
-                                    " is not FIPS compliant");
-
-                            break;
-                        }
+                    ProtocolVersion pv =
+                            ProtocolVersion.nameOf(protocols[i]);
+                    if (pv == null) {
+                        reservedException = new IllegalArgumentException(
+                            PROPERTY_NAME + ": " + protocols[i] +
+                            " is not a supported SSL protocol name");
+                    }
 
-                        // ignore duplicated protocols
-                        if (!customizedProtocols.contains(pro)) {
-                            customizedProtocols.add(pro);
-                        }
-                    } catch (IllegalArgumentException iae) {
+                    if (SunJSSE.isFIPS() &&
+                            ((pv == ProtocolVersion.SSL30) ||
+                             (pv == ProtocolVersion.SSL20Hello))) {
                         reservedException = new IllegalArgumentException(
-                                PROPERTY_NAME + ": " + protocols[i] +
-                                " is not a standard SSL protocol name", iae);
+                                PROPERTY_NAME + ": " + pv +
+                                " is not FIPS compliant");
+
+                        break;
+                    }
+
+                    // ignore duplicated protocols
+                    if (!customizedProtocols.contains(pv)) {
+                        customizedProtocols.add(pv);
                     }
                 }
             }
@@ -813,10 +849,9 @@
      */
     private static class CustomizedTLSContext extends AbstractTLSContext {
 
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
-
-        private static IllegalArgumentException reservedException = null;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
+        private static final IllegalArgumentException reservedException;
 
         // Don't want a java.lang.LinkageError for illegal system property.
         //
@@ -831,7 +866,7 @@
                         customizedTLSProtocols = new ArrayList<>();
                 for (ProtocolVersion protocol :
                         CustomizedSSLProtocols.customizedProtocols) {
-                    if (!protocol.isDTLSProtocol()) {
+                    if (!protocol.isDTLS) {
                         customizedTLSProtocols.add(protocol);
                     }
                 }
@@ -843,16 +878,18 @@
                     // customized TLS protocols.
                     if (SunJSSE.isFIPS()) {
                         candidates = new ProtocolVersion[] {
-                            ProtocolVersion.TLS10,
+                            ProtocolVersion.TLS13,
+                            ProtocolVersion.TLS12,
                             ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS12
+                            ProtocolVersion.TLS10
                         };
                     } else {
                         candidates = new ProtocolVersion[] {
-                            ProtocolVersion.SSL30,
-                            ProtocolVersion.TLS10,
+                            ProtocolVersion.TLS13,
+                            ProtocolVersion.TLS12,
                             ProtocolVersion.TLS11,
-                            ProtocolVersion.TLS12
+                            ProtocolVersion.TLS10,
+                            ProtocolVersion.SSL30
                         };
                     }
                 } else {
@@ -862,14 +899,13 @@
                     candidates = customizedTLSProtocols.toArray(candidates);
                 }
 
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(candidates));
-                clientDefaultCipherSuiteList =
-                        getApplicableEnabledCipherSuiteList(
-                                clientDefaultProtocolList, true);
+                clientDefaultProtocols = getAvailableProtocols(candidates);
+                clientDefaultCipherSuites =
+                        getApplicableEnabledCipherSuites(
+                                clientDefaultProtocols, true);
             } else {
-                clientDefaultProtocolList = null;       // unlikely to be used
-                clientDefaultCipherSuiteList = null;    // unlikely to be used
+                clientDefaultProtocols = null;       // unlikely to be used
+                clientDefaultCipherSuites = null;    // unlikely to be used
             }
         }
 
@@ -880,13 +916,13 @@
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -909,30 +945,33 @@
         private static final TrustManager[] trustManagers;
         private static final KeyManager[] keyManagers;
 
-        static Exception reservedException = null;
+        private static final Exception reservedException;
 
         static {
+            Exception reserved = null;
             TrustManager[] tmMediator;
             try {
                 tmMediator = getTrustManagers();
             } catch (Exception e) {
-                reservedException = e;
+                reserved = e;
                 tmMediator = new TrustManager[0];
             }
             trustManagers = tmMediator;
 
-            if (reservedException == null) {
+            if (reserved == null) {
                 KeyManager[] kmMediator;
                 try {
                     kmMediator = getKeyManagers();
                 } catch (Exception e) {
-                    reservedException = e;
+                    reserved = e;
                     kmMediator = new KeyManager[0];
                 }
                 keyManagers = kmMediator;
             } else {
                 keyManagers = new KeyManager[0];
             }
+
+            reservedException = reserved;
         }
 
         private static TrustManager[] getTrustManagers() throws Exception {
@@ -976,11 +1015,11 @@
             final String defaultKeyStore = props.get("keyStore");
             String defaultKeyStoreType = props.get("keyStoreType");
             String defaultKeyStoreProvider = props.get("keyStoreProvider");
-            if (debug != null && Debug.isOn("defaultctx")) {
-                System.out.println("keyStore is : " + defaultKeyStore);
-                System.out.println("keyStore type is : " +
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
+                SSLLogger.fine("keyStore is : " + defaultKeyStore);
+                SSLLogger.fine("keyStore type is : " +
                                         defaultKeyStoreType);
-                System.out.println("keyStore provider is : " +
+                SSLLogger.fine("keyStore provider is : " +
                                         defaultKeyStoreProvider);
             }
 
@@ -1014,8 +1053,8 @@
                  * Try to initialize key store.
                  */
                 if ((defaultKeyStoreType.length()) != 0) {
-                    if (debug != null && Debug.isOn("defaultctx")) {
-                        System.out.println("init keystore");
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
+                        SSLLogger.finest("init keystore");
                     }
                     if (defaultKeyStoreProvider.length() == 0) {
                         ks = KeyStore.getInstance(defaultKeyStoreType);
@@ -1037,8 +1076,8 @@
             /*
              * Try to initialize key manager.
              */
-            if (debug != null && Debug.isOn("defaultctx")) {
-                System.out.println("init keymanager of type " +
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
+                SSLLogger.fine("init keymanager of type " +
                     KeyManagerFactory.getDefaultAlgorithm());
             }
             KeyManagerFactory kmf = KeyManagerFactory.getInstance(
@@ -1095,8 +1134,8 @@
                 super.engineInit(DefaultManagersHolder.keyManagers,
                         DefaultManagersHolder.trustManagers, null);
             } catch (Exception e) {
-                if (debug != null && Debug.isOn("defaultctx")) {
-                    System.out.println("default context init failed: " + e);
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,defaultctx")) {
+                    SSLLogger.fine("default context init failed: ", e);
                 }
                 throw e;
             }
@@ -1128,65 +1167,65 @@
      * @see SSLContext
      */
     private abstract static class AbstractDTLSContext extends SSLContextImpl {
-        private static final ProtocolList supportedProtocolList;
-        private static final ProtocolList serverDefaultProtocolList;
+        private static final List<ProtocolVersion> supportedProtocols;
+        private static final List<ProtocolVersion> serverDefaultProtocols;
 
-        private static final CipherSuiteList supportedCipherSuiteList;
-        private static final CipherSuiteList serverDefaultCipherSuiteList;
+        private static final List<CipherSuite> supportedCipherSuites;
+        private static final List<CipherSuite> serverDefaultCipherSuites;
 
         static {
             // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
-            supportedProtocolList = new ProtocolList(new String[] {
-                ProtocolVersion.DTLS10.name,
-                ProtocolVersion.DTLS12.name
-            });
+            supportedProtocols = Arrays.asList(
+                ProtocolVersion.DTLS12,
+                ProtocolVersion.DTLS10
+            );
 
             // available protocols for server mode
-            serverDefaultProtocolList = new ProtocolList(
-                    getAvailableProtocols(new ProtocolVersion[] {
-                ProtocolVersion.DTLS10,
-                ProtocolVersion.DTLS12
-            }));
+            serverDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.DTLS12,
+                ProtocolVersion.DTLS10
+            });
 
-            supportedCipherSuiteList = getApplicableSupportedCipherSuiteList(
-                    supportedProtocolList);
-            serverDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    serverDefaultProtocolList, false);
+            supportedCipherSuites = getApplicableSupportedCipherSuites(
+                    supportedProtocols);
+            serverDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    serverDefaultProtocols, false);
         }
 
         @Override
-        ProtocolList getSuportedProtocolList() {
-            return supportedProtocolList;
+        List<ProtocolVersion> getSuportedProtocolVersions() {
+            return supportedProtocols;
         }
 
         @Override
-        CipherSuiteList getSupportedCipherSuiteList() {
-            return supportedCipherSuiteList;
+        List<CipherSuite> getSupportedCipherSuites() {
+            return supportedCipherSuites;
         }
 
         @Override
-        ProtocolList getServerDefaultProtocolList() {
-            return serverDefaultProtocolList;
+        List<ProtocolVersion> getServerDefaultProtocolVersions() {
+            return serverDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getServerDefaultCipherSuiteList() {
-            return serverDefaultCipherSuiteList;
+        List<CipherSuite> getServerDefaultCipherSuites() {
+            return serverDefaultCipherSuites;
         }
 
         @Override
         SSLEngine createSSLEngineImpl() {
-            return new SSLEngineImpl(this, true);
+            return new SSLEngineImpl(this);
         }
 
         @Override
         SSLEngine createSSLEngineImpl(String host, int port) {
-            return new SSLEngineImpl(this, host, port, true);
+            return new SSLEngineImpl(this, host, port);
         }
 
         @Override
-        HelloCookieManager getHelloCookieManager(SecureRandom secureRandom) {
-            return new HelloCookieManager(secureRandom);
+        boolean isDTLS() {
+            return true;
         }
     }
 
@@ -1196,28 +1235,28 @@
      * @see SSLContext
      */
     public static final class DTLS10Context extends AbstractDTLSContext {
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
             // available protocols for client mode
-            clientDefaultProtocolList = new ProtocolList(
-                    getAvailableProtocols(new ProtocolVersion[] {
+            clientDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
                 ProtocolVersion.DTLS10
-            }));
+            });
 
-            clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    clientDefaultProtocolList, true);
+            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    clientDefaultProtocols, true);
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -1227,29 +1266,29 @@
      * @see SSLContext
      */
     public static final class DTLS12Context extends AbstractDTLSContext {
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
 
         static {
             // available protocols for client mode
-            clientDefaultProtocolList = new ProtocolList(
-                    getAvailableProtocols(new ProtocolVersion[] {
-                ProtocolVersion.DTLS10,
-                ProtocolVersion.DTLS12
-            }));
+            clientDefaultProtocols = getAvailableProtocols(
+                    new ProtocolVersion[] {
+                ProtocolVersion.DTLS12,
+                ProtocolVersion.DTLS10
+            });
 
-            clientDefaultCipherSuiteList = getApplicableEnabledCipherSuiteList(
-                    clientDefaultProtocolList, true);
+            clientDefaultCipherSuites = getApplicableEnabledCipherSuites(
+                    clientDefaultProtocols, true);
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -1259,8 +1298,8 @@
      * @see SSLContext
      */
     private static class CustomizedDTLSContext extends AbstractDTLSContext {
-        private static final ProtocolList clientDefaultProtocolList;
-        private static final CipherSuiteList clientDefaultCipherSuiteList;
+        private static final List<ProtocolVersion> clientDefaultProtocols;
+        private static final List<CipherSuite> clientDefaultCipherSuites;
 
         private static IllegalArgumentException reservedException = null;
 
@@ -1277,7 +1316,7 @@
                         customizedDTLSProtocols = new ArrayList<>();
                 for (ProtocolVersion protocol :
                         CustomizedSSLProtocols.customizedProtocols) {
-                    if (protocol.isDTLSProtocol()) {
+                    if (protocol.isDTLS) {
                         customizedDTLSProtocols.add(protocol);
                     }
                 }
@@ -1290,8 +1329,8 @@
                     //
                     // Both DTLSv1.0 and DTLSv1.2 can be used in FIPS mode.
                     candidates = new ProtocolVersion[] {
-                        ProtocolVersion.DTLS10,
-                        ProtocolVersion.DTLS12
+                        ProtocolVersion.DTLS12,
+                        ProtocolVersion.DTLS10
                     };
 
                 } else {
@@ -1301,14 +1340,13 @@
                     candidates = customizedDTLSProtocols.toArray(candidates);
                 }
 
-                clientDefaultProtocolList = new ProtocolList(
-                        getAvailableProtocols(candidates));
-                clientDefaultCipherSuiteList =
-                        getApplicableEnabledCipherSuiteList(
-                                clientDefaultProtocolList, true);
+                clientDefaultProtocols = getAvailableProtocols(candidates);
+                clientDefaultCipherSuites =
+                        getApplicableEnabledCipherSuites(
+                                clientDefaultProtocols, true);
             } else {
-                clientDefaultProtocolList = null;       // unlikely to be used
-                clientDefaultCipherSuiteList = null;    // unlikely to be used
+                clientDefaultProtocols = null;       // unlikely to be used
+                clientDefaultCipherSuites = null;    // unlikely to be used
             }
         }
 
@@ -1319,13 +1357,13 @@
         }
 
         @Override
-        ProtocolList getClientDefaultProtocolList() {
-            return clientDefaultProtocolList;
+        List<ProtocolVersion> getClientDefaultProtocolVersions() {
+            return clientDefaultProtocols;
         }
 
         @Override
-        CipherSuiteList getClientDefaultCipherSuiteList() {
-            return clientDefaultCipherSuiteList;
+        List<CipherSuite> getClientDefaultCipherSuites() {
+            return clientDefaultCipherSuites;
         }
     }
 
@@ -1340,7 +1378,6 @@
 
 }
 
-
 final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
             implements X509TrustManager {
 
@@ -1417,10 +1454,8 @@
             }
 
             // try the best to check the algorithm constraints
-            ProtocolVersion protocolVersion =
-                ProtocolVersion.valueOf(session.getProtocol());
-            AlgorithmConstraints constraints = null;
-            if (protocolVersion.useTLS12PlusSpec()) {
+            AlgorithmConstraints constraints;
+            if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                 if (session instanceof ExtendedSSLSession) {
                     ExtendedSSLSession extSession =
                                     (ExtendedSSLSession)session;
@@ -1459,10 +1494,8 @@
             }
 
             // try the best to check the algorithm constraints
-            ProtocolVersion protocolVersion =
-                ProtocolVersion.valueOf(session.getProtocol());
-            AlgorithmConstraints constraints = null;
-            if (protocolVersion.useTLS12PlusSpec()) {
+            AlgorithmConstraints constraints;
+            if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                 if (session instanceof ExtendedSSLSession) {
                     ExtendedSSLSession extSession =
                                     (ExtendedSSLSession)session;
@@ -1484,8 +1517,8 @@
     }
 
     private void checkAlgorithmConstraints(X509Certificate[] chain,
-            AlgorithmConstraints constraints, boolean isClient) throws CertificateException {
-
+            AlgorithmConstraints constraints,
+            boolean isClient) throws CertificateException {
         try {
             // Does the certificate chain end with a trusted certificate?
             int checkedLength = chain.length - 1;
@@ -1503,11 +1536,12 @@
             // A forward checker, need to check from trust to target
             if (checkedLength >= 0) {
                 AlgorithmChecker checker =
-                        new AlgorithmChecker(constraints, null,
-                                (isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER));
+                    new AlgorithmChecker(constraints, null,
+                            (isClient ? Validator.VAR_TLS_CLIENT :
+                                        Validator.VAR_TLS_SERVER));
                 checker.init(false);
                 for (int i = checkedLength; i >= 0; i--) {
-                    Certificate cert = chain[i];
+                    X509Certificate cert = chain[i];
                     // We don't care about the unresolved critical extensions.
                     checker.check(cert, Collections.<String>emptySet());
                 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java	2018-05-11 15:05:46.657745500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java	2018-05-11 15:05:45.906625600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,761 +25,464 @@
 
 package sun.security.ssl;
 
-import java.io.*;
-import java.nio.*;
-import java.security.*;
-import java.util.*;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.ReadOnlyBufferException;
+import java.security.AccessController;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.List;
+import java.util.Map;
 import java.util.function.BiFunction;
-
-import javax.crypto.BadPaddingException;
-
-import javax.net.ssl.*;
-import javax.net.ssl.SSLEngineResult.*;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLEngineResult.Status;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLKeyException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLSession;
 
 /**
  * Implementation of an non-blocking SSLEngine.
  *
- * *Currently*, the SSLEngine code exists in parallel with the current
- * SSLSocket.  As such, the current implementation is using legacy code
- * with many of the same abstractions.  However, it varies in many
- * areas, most dramatically in the IO handling.
- *
- * There are three main I/O threads that can be existing in parallel:
- * wrap(), unwrap(), and beginHandshake().  We are encouraging users to
- * not call multiple instances of wrap or unwrap, because the data could
- * appear to flow out of the SSLEngine in a non-sequential order.  We
- * take all steps we can to at least make sure the ordering remains
- * consistent, but once the calls returns, anything can happen.  For
- * example, thread1 and thread2 both call wrap, thread1 gets the first
- * packet, thread2 gets the second packet, but thread2 gets control back
- * before thread1, and sends the data.  The receiving side would see an
- * out-of-order error.
- *
  * @author Brad Wetmore
  */
-public final class SSLEngineImpl extends SSLEngine {
+final class SSLEngineImpl extends SSLEngine implements SSLTransport {
+    private final SSLContextImpl        sslContext;
+    final TransportContext              conContext;
 
-    //
-    // Fields and global comments
-    //
-
-    /*
-     * There's a state machine associated with each connection, which
-     * among other roles serves to negotiate session changes.
-     *
-     * - START with constructor, until the TCP connection's around.
-     * - HANDSHAKE picks session parameters before allowing traffic.
-     *          There are many substates due to sequencing requirements
-     *          for handshake messages.
-     * - DATA may be transmitted.
-     * - RENEGOTIATE state allows concurrent data and handshaking
-     *          traffic ("same" substates as HANDSHAKE), and terminates
-     *          in selection of new session (and connection) parameters
-     * - ERROR state immediately precedes abortive disconnect.
-     * - CLOSED when one side closes down, used to start the shutdown
-     *          process.  SSL connection objects are not reused.
-     *
-     * State affects what SSL record types may legally be sent:
-     *
-     * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
-     * - App Data ... only in DATA and RENEGOTIATE states
-     * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
-     *
-     * Re what may be received:  same as what may be sent, except that
-     * HandshakeRequest handshaking messages can come from servers even
-     * in the application data state, to request entry to RENEGOTIATE.
-     *
-     * The state machine within HANDSHAKE and RENEGOTIATE states controls
-     * the pending session, not the connection state, until the change
-     * cipher spec and "Finished" handshake messages are processed and
-     * make the "new" session become the current one.
-     *
-     * NOTE: details of the SMs always need to be nailed down better.
-     * The text above illustrates the core ideas.
-     *
-     *                +---->-------+------>--------->-------+
-     *                |            |                        |
-     *     <-----<    ^            ^  <-----<               |
-     *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE    |
-     *                v            v               v        |
-     *                |            |               |        |
-     *                +------------+---------------+        |
-     *                |                                     |
-     *                v                                     |
-     *               ERROR>------>----->CLOSED<--------<----+
+    /**
+     * Constructor for an SSLEngine from SSLContext, without
+     * host/port hints.
      *
-     * ALSO, note that the purpose of handshaking (renegotiation is
-     * included) is to assign a different, and perhaps new, session to
-     * the connection.  The SSLv3 spec is a bit confusing on that new
-     * protocol feature.
-     */
-    private int                 connectionState;
-
-    private static final int    cs_START = 0;
-    private static final int    cs_HANDSHAKE = 1;
-    private static final int    cs_DATA = 2;
-    private static final int    cs_RENEGOTIATE = 3;
-    private static final int    cs_ERROR = 4;
-    private static final int    cs_CLOSED = 6;
-
-    /*
-     * Once we're in state cs_CLOSED, we can continue to
-     * wrap/unwrap until we finish sending/receiving the messages
-     * for close_notify.
-     */
-    private boolean             inboundDone = false;
-    private boolean             outboundDone = false;
-
-    /*
-     * The authentication context holds all information used to establish
-     * who this end of the connection is (certificate chains, private keys,
-     * etc) and who is trusted (e.g. as CAs or websites).
-     */
-    private SSLContextImpl      sslContext;
-
-    /*
-     * This connection is one of (potentially) many associated with
-     * any given session.  The output of the handshake protocol is a
-     * new session ... although all the protocol description talks
-     * about changing the cipher spec (and it does change), in fact
-     * that's incidental since it's done by changing everything that
-     * is associated with a session at the same time.  (TLS/IETF may
-     * change that to add client authentication w/o new key exchg.)
-     */
-    private Handshaker                  handshaker;
-    private SSLSessionImpl              sess;
-    private volatile SSLSessionImpl     handshakeSession;
-
-    /*
-     * Flag indicating if the next record we receive MUST be a Finished
-     * message. Temporarily set during the handshake to ensure that
-     * a change cipher spec message is followed by a finished message.
+     * This Engine will not be able to cache sessions, but must renegotiate
+     * everything by hand.
      */
-    private boolean             expectingFinished;
-
-
-    /*
-     * If someone tries to closeInbound() (say at End-Of-Stream)
-     * our engine having received a close_notify, we need to
-     * notify the app that we may have a truncation attack underway.
-     */
-    private boolean             recvCN;
+    SSLEngineImpl(SSLContextImpl sslContext) {
+        this(sslContext, null, -1);
+    }
 
-    /*
-     * For improved diagnostics, we detail connection closure
-     * If the engine is closed (connectionState >= cs_ERROR),
-     * closeReason != null indicates if the engine was closed
-     * because of an error or because or normal shutdown.
+    /**
+     * Constructor for an SSLEngine from SSLContext.
      */
-    private SSLException        closeReason;
+    SSLEngineImpl(SSLContextImpl sslContext,
+            String host, int port) {
+        super(host, port);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        if (sslContext.isDTLS()) {
+            this.conContext = new TransportContext(sslContext, this,
+                    new DTLSInputRecord(handshakeHash),
+                    new DTLSOutputRecord(handshakeHash));
+        } else {
+            this.conContext = new TransportContext(sslContext, this,
+                    new SSLEngineInputRecord(handshakeHash),
+                    new SSLEngineOutputRecord(handshakeHash));
+        }
 
-    /*
-     * Per-connection private state that doesn't change when the
-     * session is changed.
-     */
-    private ClientAuthType          doClientAuth =
-                                            ClientAuthType.CLIENT_AUTH_NONE;
-    private boolean                 enableSessionCreation = true;
-    InputRecord                     inputRecord;
-    OutputRecord                    outputRecord;
-    private AccessControlContext    acc;
-
-    // The cipher suites enabled for use on this connection.
-    private CipherSuiteList             enabledCipherSuites;
-
-    // the endpoint identification protocol
-    private String                      identificationProtocol = null;
-
-    // The cryptographic algorithm constraints
-    private AlgorithmConstraints        algorithmConstraints = null;
-
-    // The server name indication and matchers
-    List<SNIServerName>         serverNames =
-                                    Collections.<SNIServerName>emptyList();
-    Collection<SNIMatcher>      sniMatchers =
-                                    Collections.<SNIMatcher>emptyList();
-
-    // Configured application protocol values
-    String[] applicationProtocols = new String[0];
-
-    // Negotiated application protocol value.
-    //
-    // The value under negotiation will be obtained from handshaker.
-    String applicationProtocol = null;
-
-    // Callback function that selects the application protocol value during
-    // the SSL/TLS handshake.
-    BiFunction<SSLEngine, List<String>, String> applicationProtocolSelector;
-
-    // Have we been told whether we're client or server?
-    private boolean                     serverModeSet = false;
-    private boolean                     roleIsServer;
+        // Server name indication is a connection scope extension.
+        if (host != null) {
+            this.conContext.sslConfig.serverNames =
+                    Utilities.addToSNIServerNameList(
+                            conContext.sslConfig.serverNames, host);
+        }
+    }
 
-    /*
-     * The protocol versions enabled for use on this connection.
-     *
-     * Note: we support a pseudo protocol called SSLv2Hello which when
-     * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
-     * or TLS (version 3.1, 3.2, etc.) version info.
-     */
-    private ProtocolList        enabledProtocols;
+    @Override
+    public synchronized void beginHandshake() throws SSLException {
+        if (conContext.isUnsureMode) {
+            throw new IllegalStateException(
+                    "Client/Server mode has not yet been set.");
+        }
 
-    /*
-     * The SSL version associated with this connection.
-     */
-    private ProtocolVersion     protocolVersion;
+        try {
+            conContext.kickstart();
+        } catch (IOException ioe) {
+            conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                "Couldn't kickstart handshaking", ioe);
+        } catch (Exception ex) {     // including RuntimeException
+            conContext.fatal(Alert.INTERNAL_ERROR,
+                "Fail to begin handshake", ex);
+        }
+    }
 
-    /*
-     * security parameters for secure renegotiation.
-     */
-    private boolean             secureRenegotiation;
-    private byte[]              clientVerifyData;
-    private byte[]              serverVerifyData;
-
-    /*
-     * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
-     * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
-     * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
-     *
-     * There are several locks here.
-     *
-     * The primary lock is the per-instance lock used by
-     * synchronized(this) and the synchronized methods.  It controls all
-     * access to things such as the connection state and variables which
-     * affect handshaking.  If we are inside a synchronized method, we
-     * can access the state directly, otherwise, we must use the
-     * synchronized equivalents.
-     *
-     * Note that we must never acquire the <code>this</code> lock after
-     * <code>writeLock</code> or run the risk of deadlock.
-     *
-     * Grab some coffee, and be careful with any code changes.
-     */
-    private Object              wrapLock;
-    private Object              unwrapLock;
-    Object                      writeLock;
-
-    /*
-     * Whether local cipher suites preference in server side should be
-     * honored during handshaking?
-     */
-    private boolean preferLocalCipherSuites = false;
+    @Override
+    public synchronized SSLEngineResult wrap(ByteBuffer[] appData,
+            int offset, int length, ByteBuffer netData) throws SSLException {
+        return wrap(
+                appData, offset, length, new ByteBuffer[]{ netData }, 0, 1);
+    }
 
-    /*
-     * whether DTLS handshake retransmissions should be enabled?
-     */
-    private boolean enableRetransmissions = false;
+    // @Override
+    public synchronized SSLEngineResult wrap(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws SSLException {
 
-    /*
-     * The maximum expected network packet size for SSL/TLS/DTLS records.
-     */
-    private int maximumPacketSize = 0;
+        if (conContext.isUnsureMode) {
+            throw new IllegalStateException(
+                    "Client/Server mode has not yet been set.");
+        }
 
-    /*
-     * Is this an instance for Datagram Transport Layer Security (DTLS)?
-     */
-    private final boolean isDTLS;
+        // See if the handshaker needs to report back some SSLException.
+        if (conContext.outputRecord.isEmpty()) {
+            checkTaskThrown();
+        }   // Otherwise, deliver cached records before throwing task exception.
 
-    /*
-     * Class and subclass dynamic debugging support
-     */
-    private static final Debug debug = Debug.getInstance("ssl");
+        // check parameters
+        checkParams(srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
 
-    //
-    // Initialization/Constructors
-    //
+        try {
+            return writeRecord(
+                srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
+        } catch (SSLProtocolException spe) {
+            // may be an unexpected handshake message
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
+        } catch (IOException ioe) {
+            conContext.fatal(Alert.INTERNAL_ERROR,
+                "problem wrapping app data", ioe);
+        } catch (Exception ex) {     // including RuntimeException
+            conContext.fatal(Alert.INTERNAL_ERROR,
+                "Fail to wrap application data", ex);
+        }
 
-    /**
-     * Constructor for an SSLEngine from SSLContext, without
-     * host/port hints.  This Engine will not be able to cache
-     * sessions, but must renegotiate everything by hand.
-     */
-    SSLEngineImpl(SSLContextImpl ctx, boolean isDTLS) {
-        super();
-        this.isDTLS = isDTLS;
-        init(ctx, isDTLS);
+        return null;    // make compiler happy
     }
 
-    /**
-     * Constructor for an SSLEngine from SSLContext.
-     */
-    SSLEngineImpl(SSLContextImpl ctx, String host, int port, boolean isDTLS) {
-        super(host, port);
-        this.isDTLS = isDTLS;
-        init(ctx, isDTLS);
-    }
+    private SSLEngineResult writeRecord(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
 
-    /**
-     * Initializes the Engine
-     */
-    private void init(SSLContextImpl ctx, boolean isDTLS) {
-        if (debug != null && Debug.isOn("ssl")) {
-            System.out.println("Using SSLEngineImpl.");
+        if (isOutboundDone()) {
+            return new SSLEngineResult(
+                    Status.CLOSED, getHandshakeStatus(), 0, 0);
         }
 
-        sslContext = ctx;
-        sess = SSLSessionImpl.nullSession;
-        handshakeSession = null;
-        protocolVersion = isDTLS ?
-                ProtocolVersion.DEFAULT_DTLS : ProtocolVersion.DEFAULT_TLS;
+        HandshakeContext hc = conContext.handshakeContext;
+        HandshakeStatus hsStatus = null;
+        if (!conContext.isNegotiated) {
+            conContext.kickstart();
 
-        /*
-         * State is cs_START until we initialize the handshaker.
-         *
-         * Apps using SSLEngine are probably going to be server.
-         * Somewhat arbitrary choice.
-         */
-        roleIsServer = true;
-        connectionState = cs_START;
+            hsStatus = getHandshakeStatus();
+            if (hsStatus == HandshakeStatus.NEED_UNWRAP) {
+                /*
+                 * For DTLS, if the handshake state is
+                 * HandshakeStatus.NEED_UNWRAP, a call to SSLEngine.wrap()
+                 * means that the previous handshake packets (if delivered)
+                 * get lost, and need retransmit the handshake messages.
+                 */
+                if (!sslContext.isDTLS() || hc == null ||
+                        !hc.sslConfig.enableRetransmissions ||
+                        conContext.outputRecord.firstMessage) {
 
-        // default server name indication
-        serverNames =
-            Utilities.addToSNIServerNameList(serverNames, getPeerHost());
-
-        // default security parameters for secure renegotiation
-        secureRenegotiation = false;
-        clientVerifyData = new byte[0];
-        serverVerifyData = new byte[0];
-
-        enabledCipherSuites =
-                sslContext.getDefaultCipherSuiteList(roleIsServer);
-        enabledProtocols =
-                sslContext.getDefaultProtocolList(roleIsServer);
-
-        wrapLock = new Object();
-        unwrapLock = new Object();
-        writeLock = new Object();
+                    return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
+                }   // otherwise, need retransmission
+            }
+        }
 
-        /*
-         * Save the Access Control Context.  This will be used later
-         * for a couple of things, including providing a context to
-         * run tasks in, and for determining which credentials
-         * to use for Subject based (JAAS) decisions
-         */
-        acc = AccessController.getContext();
+        if (hsStatus == null) {
+            hsStatus = getHandshakeStatus();
+        }
 
         /*
-         * All outbound application data goes through this OutputRecord,
-         * other data goes through their respective records created
-         * elsewhere.  All inbound data goes through this one
-         * input record.
+         * If we have a task outstanding, this *MUST* be done before
+         * doing any more wrapping, because we could be in the middle
+         * of receiving a handshake message, for example, a finished
+         * message which would change the ciphers.
          */
-        if (isDTLS) {
-            enableRetransmissions = true;
+        if (hsStatus == HandshakeStatus.NEED_TASK) {
+            return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
+        }
 
-            // SSLEngine needs no record local buffer
-            outputRecord = new DTLSOutputRecord();
-            inputRecord = new DTLSInputRecord();
+        int dstsRemains = 0;
+        for (int i = dstsOffset; i < dstsOffset + dstsLength; i++) {
+            dstsRemains += dsts[i].remaining();
+        }
 
-        } else {
-            outputRecord = new SSLEngineOutputRecord();
-            inputRecord = new SSLEngineInputRecord();
+        // Check destination buffer size.
+        //
+        // We can be smarter about using smaller buffer sizes later.  For
+        // now, force it to be large enough to handle any valid record.
+        if (dstsRemains < conContext.conSession.getPacketBufferSize()) {
+            return new SSLEngineResult(
+                Status.BUFFER_OVERFLOW, getHandshakeStatus(), 0, 0);
         }
 
-        maximumPacketSize = outputRecord.getMaxPacketSize();
-    }
+        int srcsRemains = 0;
+        for (int i = srcsOffset; i < srcsOffset + srcsLength; i++) {
+            srcsRemains += srcs[i].remaining();
+        }
 
-    /**
-     * Initialize the handshaker object. This means:
-     *
-     *  . if a handshake is already in progress (state is cs_HANDSHAKE
-     *    or cs_RENEGOTIATE), do nothing and return
-     *
-     *  . if the engine is already closed, throw an Exception (internal error)
-     *
-     *  . otherwise (cs_START or cs_DATA), create the appropriate handshaker
-     *    object and advance the connection state (to cs_HANDSHAKE or
-     *    cs_RENEGOTIATE, respectively).
-     *
-     * This method is called right after a new engine is created, when
-     * starting renegotiation, or when changing client/server mode of the
-     * engine.
-     */
-    private void initHandshaker() {
-        switch (connectionState) {
+        Ciphertext ciphertext = null;
+        try {
+            // Acquire the buffered to-be-delivered records or retransmissions.
+            //
+            // May have buffered records, or need retransmission if handshaking.
+            if (!conContext.outputRecord.isEmpty() || (hc != null &&
+                    hc.sslConfig.enableRetransmissions &&
+                    hc.sslContext.isDTLS() &&
+                    hsStatus == HandshakeStatus.NEED_UNWRAP)) {
+                ciphertext = encode(null, 0, 0,
+                        dsts, dstsOffset, dstsLength);
+            }
 
-        //
-        // Starting a new handshake.
-        //
-        case cs_START:
-        case cs_DATA:
-            break;
+            if (ciphertext == null && srcsRemains != 0) {
+                ciphertext = encode(srcs, srcsOffset, srcsLength,
+                        dsts, dstsOffset, dstsLength);
+            }
+        } catch (IOException ioe) {
+            if (ioe instanceof SSLException) {
+                throw ioe;
+            } else {
+                throw new SSLException("Write problems", ioe);
+            }
+        }
 
-        //
-        // We're already in the middle of a handshake.
-        //
-        case cs_HANDSHAKE:
-        case cs_RENEGOTIATE:
-            return;
+        /*
+         * Check for status.
+         */
+        Status status = (isOutboundDone() ? Status.CLOSED : Status.OK);
+        if (ciphertext != null && ciphertext.handshakeStatus != null) {
+            hsStatus = ciphertext.handshakeStatus;
+        } else {
+            hsStatus = getHandshakeStatus();
+        }
 
-        //
-        // Anyone allowed to call this routine is required to
-        // do so ONLY if the connection state is reasonable...
-        //
-        default:
-            throw new IllegalStateException("Internal error");
+        int deltaSrcs = srcsRemains;
+        for (int i = srcsOffset; i < srcsOffset + srcsLength; i++) {
+            deltaSrcs -= srcs[i].remaining();
         }
 
-        // state is either cs_START or cs_DATA
-        if (connectionState == cs_START) {
-            connectionState = cs_HANDSHAKE;
-        } else { // cs_DATA
-            connectionState = cs_RENEGOTIATE;
-        }
-
-        if (roleIsServer) {
-            handshaker = new ServerHandshaker(this, sslContext,
-                    enabledProtocols, doClientAuth,
-                    protocolVersion, connectionState == cs_HANDSHAKE,
-                    secureRenegotiation, clientVerifyData, serverVerifyData,
-                    isDTLS);
-            handshaker.setSNIMatchers(sniMatchers);
-            handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
-        } else {
-            handshaker = new ClientHandshaker(this, sslContext,
-                    enabledProtocols,
-                    protocolVersion, connectionState == cs_HANDSHAKE,
-                    secureRenegotiation, clientVerifyData, serverVerifyData,
-                    isDTLS);
-            handshaker.setSNIServerNames(serverNames);
-        }
-        handshaker.setMaximumPacketSize(maximumPacketSize);
-        handshaker.setEnabledCipherSuites(enabledCipherSuites);
-        handshaker.setEnableSessionCreation(enableSessionCreation);
-        handshaker.setApplicationProtocols(applicationProtocols);
-        handshaker.setApplicationProtocolSelectorSSLEngine(
-            applicationProtocolSelector);
+        int deltaDsts = dstsRemains;
+        for (int i = dstsOffset; i < dstsOffset + dstsLength; i++) {
+            deltaDsts -= dsts[i].remaining();
+        }
 
-        outputRecord.initHandshaker();
+        return new SSLEngineResult(status, hsStatus, deltaSrcs, deltaDsts,
+                ciphertext != null ? ciphertext.recordSN : -1L);
     }
 
-    /*
-     * Report the current status of the Handshaker
-     */
-    private HandshakeStatus getHSStatus(HandshakeStatus hss) {
+    private Ciphertext encode(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
 
-        if (hss != null) {
-            return hss;
+        Ciphertext ciphertext = null;
+        try {
+            ciphertext = conContext.outputRecord.encode(
+                srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
+        } catch (SSLHandshakeException she) {
+            // may be record sequence number overflow
+            conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+        } catch (IOException e) {
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
         }
 
-        synchronized (this) {
-            if (!outputRecord.isEmpty()) {
-                // If no handshaking, special case to wrap alters.
-                return HandshakeStatus.NEED_WRAP;
-            } else if (handshaker != null) {
-                if (handshaker.taskOutstanding()) {
-                    return HandshakeStatus.NEED_TASK;
-                } else if (isDTLS && !inputRecord.isEmpty()) {
-                    return HandshakeStatus.NEED_UNWRAP_AGAIN;
-                } else {
-                    return HandshakeStatus.NEED_UNWRAP;
-                }
-            } else if (connectionState == cs_CLOSED) {
-                /*
-                 * Special case where we're closing, but
-                 * still need the close_notify before we
-                 * can officially be closed.
-                 *
-                 * Note isOutboundDone is taken care of by
-                 * hasOutboundData() above.
-                 */
-                if (!isInboundDone()) {
-                    return HandshakeStatus.NEED_UNWRAP;
-                } // else not handshaking
+        if (ciphertext == null) {
+            return Ciphertext.CIPHERTEXT_NULL;
+        }
+
+        // Is the handshake completed?
+        boolean needRetransmission =
+                conContext.sslContext.isDTLS() &&
+                conContext.handshakeContext != null &&
+                conContext.handshakeContext.sslConfig.enableRetransmissions;
+        HandshakeStatus hsStatus =
+                tryToFinishHandshake(ciphertext.contentType);
+        if (needRetransmission &&
+                hsStatus == HandshakeStatus.FINISHED &&
+                conContext.sslContext.isDTLS() &&
+                ciphertext.handshakeType == SSLHandshake.FINISHED.id) {
+            // Retransmit the last flight for DTLS.
+            //
+            // The application data transactions may begin immediately
+            // after the last flight.  If the last flight get lost, the
+            // application data may be discarded accordingly.  As could
+            // be an issue for some applications.  This impact can be
+            // mitigated by sending the last fligth twice.
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,verbose")) {
+                SSLLogger.finest("retransmit the last flight messages");
             }
 
-            return HandshakeStatus.NOT_HANDSHAKING;
+            conContext.outputRecord.launchRetransmission();
+            hsStatus = HandshakeStatus.NEED_WRAP;
         }
-    }
 
-    private synchronized void checkTaskThrown() throws SSLException {
-        if (handshaker != null) {
-            handshaker.checkThrown();
+        if (hsStatus == null) {
+            hsStatus = conContext.getHandshakeStatus();
         }
-    }
 
-    //
-    // Handshaking and connection state code
-    //
+        // Is the sequence number is nearly overflow?
+        if (conContext.outputRecord.seqNumIsHuge()) {
+            hsStatus = tryKeyUpdate(hsStatus);
+        }
 
-    /*
-     * Provides "this" synchronization for connection state.
-     * Otherwise, you can access it directly.
-     */
-    private synchronized int getConnectionState() {
-        return connectionState;
-    }
+        // update context status
+        ciphertext.handshakeStatus = hsStatus;
 
-    private synchronized void setConnectionState(int state) {
-        connectionState = state;
+        return ciphertext;
     }
 
-    /*
-     * Get the Access Control Context.
-     *
-     * Used for a known context to
-     * run tasks in, and for determining which credentials
-     * to use for Subject-based (JAAS) decisions.
-     */
-    AccessControlContext getAcc() {
-        return acc;
-    }
+    private HandshakeStatus tryToFinishHandshake(byte contentType) {
+        HandshakeStatus hsStatus = null;
+        if ((contentType == ContentType.HANDSHAKE.id) &&
+                conContext.outputRecord.isEmpty()) {
+            if (conContext.handshakeContext == null) {
+                hsStatus = HandshakeStatus.FINISHED;
+            } else if (conContext.handshakeContext.handshakeFinished) {
+                hsStatus = conContext.finishHandshake();
+            }
+        }   // Otherwise, the followed call to getHSStatus() will help.
 
-    /*
-     * Is a handshake currently underway?
-     */
-    @Override
-    public SSLEngineResult.HandshakeStatus getHandshakeStatus() {
-        return getHSStatus(null);
+        return hsStatus;
     }
 
-    /*
-     * used by Handshaker to change the active write cipher, follows
-     * the output of the CCS message.
+    /**
+     * Try renegotiation or key update for sequence number wrap.
      *
-     * Also synchronized on "this" from readRecord/delegatedTask.
+     * Note that in order to maintain the handshake status properly, we check
+     * the sequence number after the last record reading/writing process.  As
+     * we request renegotiation or close the connection for wrapped sequence
+     * number when there is enough sequence number space left to handle a few
+     * more records, so the sequence number of the last record cannot be
+     * wrapped.
      */
-    void changeWriteCiphers() throws IOException {
-
-        Authenticator writeAuthenticator;
-        CipherBox writeCipher;
-        try {
-            writeCipher = handshaker.newWriteCipher();
-            writeAuthenticator = handshaker.newWriteAuthenticator();
-        } catch (GeneralSecurityException e) {
-            // "can't happen"
-            throw new SSLException("Algorithm missing:  ", e);
+    private HandshakeStatus tryKeyUpdate(
+            HandshakeStatus currentHandshakeStatus) throws IOException {
+        // Don't bother to kickstart the renegotiation or key update when the
+        // local is asking for it.
+        if ((conContext.handshakeContext == null) &&
+                !conContext.isClosed() && !conContext.isBroken) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.finest("key update to wrap sequence number");
+            }
+            conContext.keyUpdate();
+            return conContext.getHandshakeStatus();
         }
 
-        outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher);
+        return currentHandshakeStatus;
     }
 
-    /*
-     * Updates the SSL version associated with this connection.
-     * Called from Handshaker once it has determined the negotiated version.
-     */
-    synchronized void setVersion(ProtocolVersion protocolVersion) {
-        this.protocolVersion = protocolVersion;
-        outputRecord.setVersion(protocolVersion);
-    }
+    private static void checkParams(
+            ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+            ByteBuffer[] dsts, int dstsOffset, int dstsLength) {
 
+        if ((srcs == null) || (dsts == null)) {
+            throw new IllegalArgumentException(
+                    "source or destination buffer is null");
+        }
 
-    /**
-     * Kickstart the handshake if it is not already in progress.
-     * This means:
-     *
-     *  . if handshaking is already underway, do nothing and return
-     *
-     *  . if the engine is not connected or already closed, throw an
-     *    Exception.
-     *
-     *  . otherwise, call initHandshake() to initialize the handshaker
-     *    object and progress the state. Then, send the initial
-     *    handshaking message if appropriate (always on clients and
-     *    on servers when renegotiating).
-     */
-    private synchronized void kickstartHandshake() throws IOException {
-        switch (connectionState) {
+        if ((srcsOffset < 0) || (srcsLength < 0) ||
+                (srcsOffset > srcs.length - srcsLength)) {
+            throw new IndexOutOfBoundsException(
+                    "index out of bound of the source buffers");
+        }
 
-        case cs_START:
-            if (!serverModeSet) {
-                throw new IllegalStateException(
-                    "Client/Server mode not yet set.");
-            }
-            initHandshaker();
-            break;
-
-        case cs_HANDSHAKE:
-            // handshaker already setup, proceed
-            break;
-
-        case cs_DATA:
-            if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
-                throw new SSLHandshakeException(
-                        "Insecure renegotiation is not allowed");
-            }
-
-            if (!secureRenegotiation) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println(
-                        "Warning: Using insecure renegotiation");
-                }
-            }
+        if ((dstsOffset < 0) || (dstsLength < 0) ||
+                (dstsOffset > dsts.length - dstsLength)) {
+            throw new IndexOutOfBoundsException(
+                    "index out of bound of the destination buffers");
+        }
 
-            // initialize the handshaker, move to cs_RENEGOTIATE
-            initHandshaker();
-            break;
-
-        case cs_RENEGOTIATE:
-            // handshaking already in progress, return
-            return;
-
-        default:
-            // cs_ERROR/cs_CLOSED
-            throw new SSLException("SSLEngine is closing/closed");
+        for (int i = srcsOffset; i < srcsOffset + srcsLength; i++) {
+            if (srcs[i] == null) {
+                throw new IllegalArgumentException(
+                        "source buffer[" + i + "] == null");
+            }
         }
 
-        //
-        // Kickstart handshake state machine if we need to ...
-        //
-        if (!handshaker.activated()) {
-             // prior to handshaking, activate the handshake
-            if (connectionState == cs_RENEGOTIATE) {
-                // don't use SSLv2Hello when renegotiating
-                handshaker.activate(protocolVersion);
-            } else {
-                handshaker.activate(null);
+        for (int i = dstsOffset; i < dstsOffset + dstsLength; i++) {
+            if (dsts[i] == null) {
+                throw new IllegalArgumentException(
+                        "destination buffer[" + i + "] == null");
             }
 
-            if (handshaker instanceof ClientHandshaker) {
-                // send client hello
-                handshaker.kickstart();
-            } else {    // instanceof ServerHandshaker
-                if (connectionState == cs_HANDSHAKE) {
-                    // initial handshake, no kickstart message to send
-                } else {
-                    // we want to renegotiate, send hello request
-                    handshaker.kickstart();
-                }
+            /*
+             * Make sure the destination bufffers are writable.
+             */
+            if (dsts[i].isReadOnly()) {
+                throw new ReadOnlyBufferException();
             }
         }
     }
 
-    /*
-     * Start a SSLEngine handshake
-     */
     @Override
-    public void beginHandshake() throws SSLException {
-        try {
-            kickstartHandshake();
-        } catch (Exception e) {
-            fatal(Alerts.alert_handshake_failure,
-                "Couldn't kickstart handshaking", e);
-        }
+    public synchronized SSLEngineResult unwrap(ByteBuffer src,
+            ByteBuffer[] dsts, int offset, int length) throws SSLException {
+        return unwrap(
+                new ByteBuffer[]{src}, 0, 1, dsts, offset, length);
     }
 
+    // @Override
+    public synchronized SSLEngineResult unwrap(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws SSLException {
 
-    //
-    // Read/unwrap side
-    //
-
+        if (conContext.isUnsureMode) {
+            throw new IllegalStateException(
+                    "Client/Server mode has not yet been set.");
+        }
 
-    /**
-     * Unwraps a buffer.  Does a variety of checks before grabbing
-     * the unwrapLock, which blocks multiple unwraps from occurring.
-     */
-    @Override
-    public SSLEngineResult unwrap(ByteBuffer netData, ByteBuffer[] appData,
-            int offset, int length) throws SSLException {
+        // See if the handshaker needs to report back some SSLException.
+        checkTaskThrown();
 
-        // check engine parameters
-        checkEngineParas(netData, appData, offset, length, false);
+        // check parameters
+        checkParams(srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
 
         try {
-            synchronized (unwrapLock) {
-                return readNetRecord(netData, appData, offset, length);
-            }
+            return readRecord(
+                srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
         } catch (SSLProtocolException spe) {
             // may be an unexpected handshake message
-            fatal(Alerts.alert_unexpected_message, spe.getMessage(), spe);
-            return null;  // make compiler happy
-        } catch (Exception e) {
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    spe.getMessage(), spe);
+        } catch (IOException ioe) {
             /*
              * Don't reset position so it looks like we didn't
              * consume anything.  We did consume something, and it
              * got us into this situation, so report that much back.
              * Our days of consuming are now over anyway.
              */
-            fatal(Alerts.alert_internal_error,
-                "problem unwrapping net record", e);
-            return null;  // make compiler happy
-        }
-    }
-
-    private static void checkEngineParas(ByteBuffer netData,
-            ByteBuffer[] appData, int offset, int len, boolean isForWrap) {
-
-        if ((netData == null) || (appData == null)) {
-            throw new IllegalArgumentException("src/dst is null");
-        }
-
-        if ((offset < 0) || (len < 0) || (offset > appData.length - len)) {
-            throw new IndexOutOfBoundsException();
-        }
-
-        /*
-         * If wrapping, make sure the destination bufffer is writable.
-         */
-        if (isForWrap && netData.isReadOnly()) {
-            throw new ReadOnlyBufferException();
+            conContext.fatal(Alert.INTERNAL_ERROR,
+                    "problem unwrapping net record", ioe);
+        } catch (Exception ex) {     // including RuntimeException
+            conContext.fatal(Alert.INTERNAL_ERROR,
+                "Fail to unwrap network record", ex);
         }
 
-        for (int i = offset; i < offset + len; i++) {
-            if (appData[i] == null) {
-                throw new IllegalArgumentException(
-                        "appData[" + i + "] == null");
-            }
-
-            /*
-             * If unwrapping, make sure the destination bufffers are writable.
-             */
-            if (!isForWrap && appData[i].isReadOnly()) {
-                throw new ReadOnlyBufferException();
-            }
-        }
+        return null;    // make compiler happy
     }
 
-    /*
-     * Makes additional checks for unwrap, but this time more
-     * specific to this packet and the current state of the machine.
-     */
-    private SSLEngineResult readNetRecord(ByteBuffer netData,
-            ByteBuffer[] appData, int offset, int length) throws IOException {
-
-        Status status = null;
-        HandshakeStatus hsStatus = null;
-
-        /*
-         * See if the handshaker needs to report back some SSLException.
-         */
-        checkTaskThrown();
+    private SSLEngineResult readRecord(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
 
         /*
          * Check if we are closing/closed.
          */
         if (isInboundDone()) {
-            return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0);
+            return new SSLEngineResult(
+                    Status.CLOSED, getHandshakeStatus(), 0, 0);
         }
 
-        /*
-         * If we're still in cs_HANDSHAKE, make sure it's been
-         * started.
-         */
-        synchronized (this) {
-            if ((connectionState == cs_HANDSHAKE) ||
-                    (connectionState == cs_START)) {
-                kickstartHandshake();
-
-                /*
-                 * If there's still outbound data to flush, we
-                 * can return without trying to unwrap anything.
-                 */
-                hsStatus = getHSStatus(null);
+        HandshakeStatus hsStatus = null;
+        if (!conContext.isNegotiated) {
+            conContext.kickstart();
 
-                if (hsStatus == HandshakeStatus.NEED_WRAP) {
-                    return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
-                }
+            /*
+             * If there's still outbound data to flush, we
+             * can return without trying to unwrap anything.
+             */
+            hsStatus = getHandshakeStatus();
+            if (hsStatus == HandshakeStatus.NEED_WRAP) {
+                return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
             }
         }
 
-        /*
-         * Grab a copy of this if it doesn't already exist,
-         * and we can use it several places before anything major
-         * happens on this side.  Races aren't critical
-         * here.
-         */
         if (hsStatus == null) {
-            hsStatus = getHSStatus(null);
+            hsStatus = getHandshakeStatus();
         }
 
         /*
@@ -795,42 +498,61 @@
         if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_UNWRAP_AGAIN) {
             Plaintext plainText = null;
             try {
-                plainText = readRecord(null, null, 0, 0);
-            } catch (SSLException e) {
-                throw e;
-            } catch (IOException e) {
-                throw new SSLException("readRecord", e);
+                plainText = decode(null, 0, 0,
+                        dsts, dstsOffset, dstsLength);
+            } catch (IOException ioe) {
+                if (ioe instanceof SSLException) {
+                    throw ioe;
+                } else {
+                    throw new SSLException("readRecord", ioe);
+                }
             }
 
-            status = (isInboundDone() ? Status.CLOSED : Status.OK);
-            hsStatus = getHSStatus(plainText.handshakeStatus);
+            Status status = (isInboundDone() ? Status.CLOSED : Status.OK);
+            if (plainText.handshakeStatus != null) {
+                hsStatus = plainText.handshakeStatus;
+            } else {
+                hsStatus = getHandshakeStatus();
+            }
 
             return new SSLEngineResult(
                     status, hsStatus, 0, 0, plainText.recordSN);
         }
 
+        int srcsRemains = 0;
+        for (int i = srcsOffset; i < srcsOffset + srcsLength; i++) {
+            srcsRemains += srcs[i].remaining();
+        }
+
+        if (srcsRemains == 0) {
+            return new SSLEngineResult(Status.OK, getHandshakeStatus(), 0, 0);
+        }
+
         /*
          * Check the packet to make sure enough is here.
          * This will also indirectly check for 0 len packets.
          */
         int packetLen = 0;
         try {
-            packetLen = inputRecord.bytesInCompletePacket(netData);
+            packetLen = conContext.inputRecord.bytesInCompletePacket(
+                    srcs, srcsOffset, srcsLength);
         } catch (SSLException ssle) {
             // Need to discard invalid records for DTLS protocols.
-            if (isDTLS) {
-                if (debug != null && Debug.isOn("ssl")) {
-                    System.out.println(
-                        Thread.currentThread().getName() +
-                        " discard invalid record: " + ssle);
+            if (sslContext.isDTLS()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,verbose")) {
+                    SSLLogger.finest("Discard invalid DTLS records", ssle);
                 }
 
                 // invalid, discard the entire data [section 4.1.2.7, RFC 6347]
-                int deltaNet = netData.remaining();
-                netData.position(netData.limit());
-
-                status = (isInboundDone() ? Status.CLOSED : Status.OK);
-                hsStatus = getHSStatus(hsStatus);
+                // TODO
+                int deltaNet = 0;
+                // int deltaNet = netData.remaining();
+                // netData.position(netData.limit());
+
+                Status status = (isInboundDone() ? Status.CLOSED : Status.OK);
+                if (hsStatus == null) {
+                    hsStatus = getHandshakeStatus();
+                }
 
                 return new SSLEngineResult(status, hsStatus, deltaNet, 0, -1L);
             } else {
@@ -839,10 +561,10 @@
         }
 
         // Is this packet bigger than SSL/TLS normally allows?
-        if (packetLen > sess.getPacketBufferSize()) {
-            int largestRecordSize = isDTLS ?
+        if (packetLen > conContext.conSession.getPacketBufferSize()) {
+            int largestRecordSize = sslContext.isDTLS() ?
                     DTLSRecord.maxRecordSize : SSLRecord.maxLargeRecordSize;
-            if ((packetLen <= largestRecordSize) && !isDTLS) {
+            if ((packetLen <= largestRecordSize) && !sslContext.isDTLS()) {
                 // Expand the expected maximum packet/application buffer
                 // sizes.
                 //
@@ -850,11 +572,11 @@
 
                 // Old behavior: shall we honor the System Property
                 // "jsse.SSLEngine.acceptLargeFragments" if it is "false"?
-                sess.expandBufferSizes();
+                conContext.conSession.expandBufferSizes();
             }
 
             // check the packet again
-            largestRecordSize = sess.getPacketBufferSize();
+            largestRecordSize = conContext.conSession.getPacketBufferSize();
             if (packetLen > largestRecordSize) {
                 throw new SSLProtocolException(
                         "Input record too big: max = " +
@@ -862,35 +584,28 @@
             }
         }
 
-        int netPos = netData.position();
-        int appRemains = 0;
-        for (int i = offset; i < offset + length; i++) {
-            if (appData[i] == null) {
-                throw new IllegalArgumentException(
-                        "appData[" + i + "] == null");
-            }
-            appRemains += appData[i].remaining();
-        }
-
         /*
          * Check for OVERFLOW.
          *
          * Delay enforcing the application buffer free space requirement
          * until after the initial handshaking.
          */
-        // synchronize connectionState?
-        if ((connectionState == cs_DATA) ||
-                (connectionState == cs_RENEGOTIATE)) {
+        int dstsRemains = 0;
+        for (int i = dstsOffset; i < dstsOffset + dstsLength; i++) {
+            dstsRemains += dsts[i].remaining();
+        }
 
-            int FragLen = inputRecord.estimateFragmentSize(packetLen);
-            if (FragLen > appRemains) {
+        if (conContext.isNegotiated) {
+            int FragLen =
+                    conContext.inputRecord.estimateFragmentSize(packetLen);
+            if (FragLen > dstsRemains) {
                 return new SSLEngineResult(
                         Status.BUFFER_OVERFLOW, hsStatus, 0, 0);
             }
         }
 
         // check for UNDERFLOW.
-        if ((packetLen == -1) || (netData.remaining() < packetLen)) {
+        if ((packetLen == -1) || (srcsRemains < packetLen)) {
             return new SSLEngineResult(Status.BUFFER_UNDERFLOW, hsStatus, 0, 0);
         }
 
@@ -899,1412 +614,372 @@
          */
         Plaintext plainText = null;
         try {
-            plainText = readRecord(netData, appData, offset, length);
-        } catch (SSLException e) {
-            throw e;
-        } catch (IOException e) {
-            throw new SSLException("readRecord", e);
-        }
-
-        /*
-         * Check the various condition that we could be reporting.
-         *
-         * It's *possible* something might have happened between the
-         * above and now, but it was better to minimally lock "this"
-         * during the read process.  We'll return the current
-         * status, which is more representative of the current state.
-         *
-         * status above should cover:  FINISHED, NEED_TASK
-         */
-        status = (isInboundDone() ? Status.CLOSED : Status.OK);
-        hsStatus = getHSStatus(plainText.handshakeStatus);
-
-        int deltaNet = netData.position() - netPos;
-        int deltaApp = appRemains;
-        for (int i = offset; i < offset + length; i++) {
-            deltaApp -= appData[i].remaining();
-        }
-
-        return new SSLEngineResult(
-                status, hsStatus, deltaNet, deltaApp, plainText.recordSN);
-    }
-
-    // the caller have synchronized readLock
-    void expectingFinishFlight() {
-        inputRecord.expectingFinishFlight();
-    }
-
-    /*
-     * Actually do the read record processing.
-     *
-     * Returns a Status if it can make specific determinations
-     * of the engine state.  In particular, we need to signal
-     * that a handshake just completed.
-     *
-     * It would be nice to be symmetrical with the write side and move
-     * the majority of this to SSLInputRecord, but there's too much
-     * SSLEngine state to do that cleanly.  It must still live here.
-     */
-    private Plaintext readRecord(ByteBuffer netData,
-            ByteBuffer[] appData, int offset, int length) throws IOException {
-
-        /*
-         * The various operations will return new sliced BB's,
-         * this will avoid having to worry about positions and
-         * limits in the netBB.
-         */
-        Plaintext plainText = null;
-
-        if (getConnectionState() == cs_ERROR) {
-            return Plaintext.PLAINTEXT_NULL;
-        }
-
-        /*
-         * Read a record ... maybe emitting an alert if we get a
-         * comprehensible but unsupported "hello" message during
-         * format checking (e.g. V2).
-         */
-        try {
-            if (isDTLS) {
-                // Don't process the incoming record until all of the
-                // buffered records get handled.
-                plainText = inputRecord.acquirePlaintext();
-            }
-
-            if ((!isDTLS || plainText == null) && netData != null) {
-                plainText = inputRecord.decode(netData);
-            }
-        } catch (UnsupportedOperationException unsoe) {         // SSLv2Hello
-            // Hack code to deliver SSLv2 error message for SSL/TLS connections.
-            if (!isDTLS) {
-                outputRecord.encodeV2NoCipher();
-            }
-
-            fatal(Alerts.alert_unexpected_message, unsoe);
-        } catch (BadPaddingException e) {
-            /*
-             * The basic SSLv3 record protection involves (optional)
-             * encryption for privacy, and an integrity check ensuring
-             * data origin authentication.  We do them both here, and
-             * throw a fatal alert if the integrity check fails.
-             */
-            byte alertType = (connectionState != cs_DATA) ?
-                    Alerts.alert_handshake_failure :
-                    Alerts.alert_bad_record_mac;
-            fatal(alertType, e.getMessage(), e);
-        } catch (SSLHandshakeException she) {
-            // may be record sequence number overflow
-            fatal(Alerts.alert_handshake_failure, she);
+            plainText = decode(srcs, srcsOffset, srcsLength,
+                            dsts, dstsOffset, dstsLength);
         } catch (IOException ioe) {
-            fatal(Alerts.alert_unexpected_message, ioe);
-        }
-
-        // plainText should never be null for TLS protocols
-        HandshakeStatus hsStatus = null;
-        if (plainText == Plaintext.PLAINTEXT_NULL) {
-            // Only happens for DTLS protocols.
-            //
-            // Received a retransmitted flight, and need to retransmit the
-            // previous delivered handshake flight messages.
-            if (enableRetransmissions) {
-                if (debug != null && Debug.isOn("verbose")) {
-                    Debug.log(
-                        "Retransmit the previous handshake flight messages.");
-                }
-
-                synchronized (this) {
-                    outputRecord.launchRetransmission();
-                }
-            }   // Otherwise, discard the retransmitted flight.
-        } else if (!isDTLS || plainText != null) {
-            hsStatus = processInputRecord(plainText, appData, offset, length);
-        }
-
-        if (hsStatus == null) {
-            hsStatus = getHSStatus(null);
-        }
-
-        if (plainText == null) {
-            plainText = Plaintext.PLAINTEXT_NULL;
-        }
-        plainText.handshakeStatus = hsStatus;
-
-        return plainText;
-    }
-
-    /*
-     * Process the record.
-     */
-    private synchronized HandshakeStatus processInputRecord(
-            Plaintext plainText,
-            ByteBuffer[] appData, int offset, int length) throws IOException {
-
-        HandshakeStatus hsStatus = null;
-        switch (plainText.contentType) {
-            case Record.ct_handshake:
-                /*
-                 * Handshake messages always go to a pending session
-                 * handshaker ... if there isn't one, create one.  This
-                 * must work asynchronously, for renegotiation.
-                 *
-                 * NOTE that handshaking will either resume a session
-                 * which was in the cache (and which might have other
-                 * connections in it already), or else will start a new
-                 * session (new keys exchanged) with just this connection
-                 * in it.
-                 */
-                initHandshaker();
-                if (!handshaker.activated()) {
-                    // prior to handshaking, activate the handshake
-                    if (connectionState == cs_RENEGOTIATE) {
-                        // don't use SSLv2Hello when renegotiating
-                        handshaker.activate(protocolVersion);
-                    } else {
-                        handshaker.activate(null);
-                    }
-                }
-
-                /*
-                 * process the handshake record ... may contain just
-                 * a partial handshake message or multiple messages.
-                 *
-                 * The handshaker state machine will ensure that it's
-                 * a finished message.
-                 */
-                handshaker.processRecord(plainText.fragment, expectingFinished);
-                expectingFinished = false;
-
-                if (handshaker.invalidated) {
-                    finishHandshake();
-
-                    // if state is cs_RENEGOTIATE, revert it to cs_DATA
-                    if (connectionState == cs_RENEGOTIATE) {
-                        connectionState = cs_DATA;
-                    }
-                } else if (handshaker.isDone()) {
-                    // reset the parameters for secure renegotiation.
-                    secureRenegotiation =
-                                handshaker.isSecureRenegotiation();
-                    clientVerifyData = handshaker.getClientVerifyData();
-                    serverVerifyData = handshaker.getServerVerifyData();
-                    // set connection ALPN value
-                    applicationProtocol =
-                        handshaker.getHandshakeApplicationProtocol();
-
-                    sess = handshaker.getSession();
-                    handshakeSession = null;
-                    if (outputRecord.isEmpty()) {
-                        hsStatus = finishHandshake();
-                        connectionState = cs_DATA;
-                    }
-
-                    // No handshakeListeners here.  That's a
-                    // SSLSocket thing.
-                } else if (handshaker.taskOutstanding()) {
-                    hsStatus = HandshakeStatus.NEED_TASK;
-                }
-                break;
-
-            case Record.ct_application_data:
-                // Pass this right back up to the application.
-                if ((connectionState != cs_DATA)
-                        && (connectionState != cs_RENEGOTIATE)
-                        && (connectionState != cs_CLOSED)) {
-                    throw new SSLProtocolException(
-                            "Data received in non-data state: " +
-                            connectionState);
-                }
-
-                if (expectingFinished) {
-                    throw new SSLProtocolException
-                            ("Expecting finished message, received data");
-                }
-
-                if (!inboundDone) {
-                    ByteBuffer fragment = plainText.fragment;
-                    int remains = fragment.remaining();
-
-                    // Should have enough room in appData.
-                    for (int i = offset;
-                            ((i < (offset + length)) && (remains > 0)); i++) {
-                        int amount = Math.min(appData[i].remaining(), remains);
-                        fragment.limit(fragment.position() + amount);
-                        appData[i].put(fragment);
-                        remains -= amount;
-                    }
-                }
-
-                break;
-
-            case Record.ct_alert:
-                recvAlert(plainText.fragment);
-                break;
-
-            case Record.ct_change_cipher_spec:
-                if ((connectionState != cs_HANDSHAKE
-                        && connectionState != cs_RENEGOTIATE)) {
-                    // For the CCS message arriving in the wrong state
-                    fatal(Alerts.alert_unexpected_message,
-                            "illegal change cipher spec msg, conn state = "
-                            + connectionState);
-                } else if (plainText.fragment.remaining() != 1
-                        || plainText.fragment.get() != 1) {
-                    // For structural/content issues with the CCS
-                    fatal(Alerts.alert_unexpected_message,
-                            "Malformed change cipher spec msg");
-                }
-
-                //
-                // The first message after a change_cipher_spec
-                // record MUST be a "Finished" handshake record,
-                // else it's a protocol violation.  We force this
-                // to be checked by a minor tweak to the state
-                // machine.
-                //
-                handshaker.receiveChangeCipherSpec();
-
-                CipherBox readCipher;
-                Authenticator readAuthenticator;
-                try {
-                    readCipher = handshaker.newReadCipher();
-                    readAuthenticator = handshaker.newReadAuthenticator();
-                } catch (GeneralSecurityException e) {
-                    // can't happen
-                    throw new SSLException("Algorithm missing:  ", e);
-                }
-                inputRecord.changeReadCiphers(readAuthenticator, readCipher);
-
-                // next message MUST be a finished message
-                expectingFinished = true;
-                break;
-
-            default:
-                //
-                // TLS requires that unrecognized records be ignored.
-                //
-                if (debug != null && Debug.isOn("ssl")) {
-                    System.out.println(Thread.currentThread().getName() +
-                            ", Received record type: " + plainText.contentType);
-                }
-                break;
-        } // switch
-
-        /*
-         * We only need to check the sequence number state for
-         * non-handshaking record.
-         *
-         * Note that in order to maintain the handshake status
-         * properly, we check the sequence number after the last
-         * record reading process. As we request renegotiation
-         * or close the connection for wrapped sequence number
-         * when there is enough sequence number space left to
-         * handle a few more records, so the sequence number
-         * of the last record cannot be wrapped.
-         */
-        hsStatus = getHSStatus(hsStatus);
-        if (connectionState < cs_ERROR && !isInboundDone() &&
-                (hsStatus == HandshakeStatus.NOT_HANDSHAKING) &&
-                (inputRecord.seqNumIsHuge())) {
-            /*
-             * Ask for renegotiation when need to renew sequence number.
-             *
-             * Don't bother to kickstart the renegotiation when the local is
-             * asking for it.
-             */
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", request renegotiation " +
-                        "to avoid sequence number overflow");
-            }
-
-            beginHandshake();
-
-            hsStatus = getHSStatus(null);
-        }
-
-        return hsStatus;
-    }
-
-
-    //
-    // write/wrap side
-    //
-
-
-    /**
-     * Wraps a buffer.  Does a variety of checks before grabbing
-     * the wrapLock, which blocks multiple wraps from occurring.
-     */
-    @Override
-    public SSLEngineResult wrap(ByteBuffer[] appData,
-            int offset, int length, ByteBuffer netData) throws SSLException {
-
-        // check engine parameters
-        checkEngineParas(netData, appData, offset, length, true);
-
-        /*
-         * We can be smarter about using smaller buffer sizes later.
-         * For now, force it to be large enough to handle any valid record.
-         */
-        if (netData.remaining() < sess.getPacketBufferSize()) {
-            return new SSLEngineResult(
-                Status.BUFFER_OVERFLOW, getHSStatus(null), 0, 0);
-        }
-
-        try {
-            synchronized (wrapLock) {
-                return writeAppRecord(appData, offset, length, netData);
-            }
-        } catch (SSLProtocolException spe) {
-            // may be an unexpected handshake message
-            fatal(Alerts.alert_unexpected_message, spe.getMessage(), spe);
-            return null;  // make compiler happy
-        } catch (Exception e) {
-            fatal(Alerts.alert_internal_error,
-                "problem wrapping app data", e);
-            return null;  // make compiler happy
-        }
-    }
-
-    /*
-     * Makes additional checks for unwrap, but this time more
-     * specific to this packet and the current state of the machine.
-     */
-    private SSLEngineResult writeAppRecord(ByteBuffer[] appData,
-            int offset, int length, ByteBuffer netData) throws IOException {
-
-        Status status = null;
-        HandshakeStatus hsStatus = null;
-
-        /*
-         * See if the handshaker needs to report back some SSLException.
-         */
-        checkTaskThrown();
-
-        /*
-         * short circuit if we're closed/closing.
-         */
-        if (isOutboundDone()) {
-            return new SSLEngineResult(Status.CLOSED, getHSStatus(null), 0, 0);
-        }
-
-        /*
-         * If we're still in cs_HANDSHAKE, make sure it's been
-         * started.
-         */
-        synchronized (this) {
-            if ((connectionState == cs_HANDSHAKE) ||
-                (connectionState == cs_START)) {
-
-                kickstartHandshake();
-
-                /*
-                 * If there's no HS data available to write, we can return
-                 * without trying to wrap anything.
-                 */
-                hsStatus = getHSStatus(null);
-                if (hsStatus == HandshakeStatus.NEED_UNWRAP) {
-                    /*
-                     * For DTLS, if the handshake state is
-                     * HandshakeStatus.NEED_UNWRAP, a call to SSLEngine.wrap()
-                     * means that the previous handshake packets (if delivered)
-                     * get lost, and need retransmit the handshake messages.
-                     */
-                    if (!isDTLS || !enableRetransmissions ||
-                            (handshaker == null) || outputRecord.firstMessage) {
-
-                        return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
-                    }   // otherwise, need retransmission
-                }
-            }
-        }
-
-        /*
-         * Grab a copy of this if it doesn't already exist,
-         * and we can use it several places before anything major
-         * happens on this side.  Races aren't critical
-         * here.
-         */
-        if (hsStatus == null) {
-            hsStatus = getHSStatus(null);
-        }
-
-        /*
-         * If we have a task outstanding, this *MUST* be done before
-         * doing any more wrapping, because we could be in the middle
-         * of receiving a handshake message, for example, a finished
-         * message which would change the ciphers.
-         */
-        if (hsStatus == HandshakeStatus.NEED_TASK) {
-            return new SSLEngineResult(Status.OK, hsStatus, 0, 0);
-        }
-
-        /*
-         * This will obtain any waiting outbound data, or will
-         * process the outbound appData.
-         */
-        int netPos = netData.position();
-        int appRemains = 0;
-        for (int i = offset; i < offset + length; i++) {
-            if (appData[i] == null) {
-                throw new IllegalArgumentException(
-                        "appData[" + i + "] == null");
-            }
-            appRemains += appData[i].remaining();
-        }
-
-        Ciphertext ciphertext = null;
-        try {
-            if (appRemains != 0) {
-                synchronized (writeLock) {
-                    ciphertext = writeRecord(appData, offset, length, netData);
-                }
+            if (ioe instanceof SSLException) {
+                throw ioe;
             } else {
-                synchronized (writeLock) {
-                    ciphertext = writeRecord(null, 0, 0, netData);
-                }
+                throw new SSLException("readRecord", ioe);
             }
-        } catch (SSLException e) {
-            throw e;
-        } catch (IOException e) {
-            throw new SSLException("Write problems", e);
         }
 
         /*
-         * writeRecord might have reported some status.
-         * Now check for the remaining cases.
-         *
-         * status above should cover:  NEED_WRAP/FINISHED
-         */
-        status = (isOutboundDone() ? Status.CLOSED : Status.OK);
-        hsStatus = getHSStatus(ciphertext.handshakeStatus);
-
-        int deltaNet = netData.position() - netPos;
-        int deltaApp = appRemains;
-        for (int i = offset; i < offset + length; i++) {
-            deltaApp -= appData[i].remaining();
-        }
-
-        return new SSLEngineResult(
-                status, hsStatus, deltaApp, deltaNet, ciphertext.recordSN);
-    }
-
-    /*
-     * Central point to write/get all of the outgoing data.
-     */
-    private Ciphertext writeRecord(ByteBuffer[] appData,
-            int offset, int length, ByteBuffer netData) throws IOException {
-
-        Ciphertext ciphertext = null;
-        try {
-            // Acquire the buffered to-be-delivered records or retransmissions.
-            //
-            // May have buffered records, or need retransmission if handshaking.
-            if (!outputRecord.isEmpty() ||
-                    (enableRetransmissions && handshaker != null)) {
-                ciphertext = outputRecord.acquireCiphertext(netData);
-            }
-
-            if ((ciphertext == null) && (appData != null)) {
-                ciphertext = outputRecord.encode(
-                        appData, offset, length, netData);
-            }
-        } catch (SSLHandshakeException she) {
-            // may be record sequence number overflow
-            fatal(Alerts.alert_handshake_failure, she);
-
-            return Ciphertext.CIPHERTEXT_NULL;   // make the complier happy
-        } catch (IOException e) {
-            fatal(Alerts.alert_unexpected_message, e);
-
-            return Ciphertext.CIPHERTEXT_NULL;   // make the complier happy
-        }
-
-        if (ciphertext == null) {
-            return Ciphertext.CIPHERTEXT_NULL;
-        }
-
-        HandshakeStatus hsStatus = null;
-        Ciphertext.RecordType recordType = ciphertext.recordType;
-        if ((recordType.contentType == Record.ct_handshake) &&
-            (recordType.handshakeType == HandshakeMessage.ht_finished) &&
-            outputRecord.isEmpty()) {
-
-            if (handshaker == null) {
-                hsStatus = HandshakeStatus.FINISHED;
-            } else if (handshaker.isDone()) {
-                hsStatus = finishHandshake();
-                connectionState = cs_DATA;
-
-                // Retransmit the last flight twice.
-                //
-                // The application data transactions may begin immediately
-                // after the last flight.  If the last flight get lost, the
-                // application data may be discarded accordingly.  As could
-                // be an issue for some applications.  This impact can be
-                // mitigated by sending the last fligth twice.
-                if (isDTLS && enableRetransmissions) {
-                    if (debug != null && Debug.isOn("verbose")) {
-                        Debug.log(
-                            "Retransmit the last flight messages.");
-                    }
-
-                    synchronized (this) {
-                        outputRecord.launchRetransmission();
-                    }
-
-                    hsStatus = HandshakeStatus.NEED_WRAP;
-                }
-            }
-        }   // Otherwise, the followed call to getHSStatus() will help.
-
-        /*
-         * We only need to check the sequence number state for
-         * non-handshaking record.
+         * Check the various condition that we could be reporting.
          *
-         * Note that in order to maintain the handshake status
-         * properly, we check the sequence number after the last
-         * record writing process. As we request renegotiation
-         * or close the connection for wrapped sequence number
-         * when there is enough sequence number space left to
-         * handle a few more records, so the sequence number
-         * of the last record cannot be wrapped.
-         */
-        hsStatus = getHSStatus(hsStatus);
-        if (connectionState < cs_ERROR && !isOutboundDone() &&
-                (hsStatus == HandshakeStatus.NOT_HANDSHAKING) &&
-                (outputRecord.seqNumIsHuge())) {
-            /*
-             * Ask for renegotiation when need to renew sequence number.
-             *
-             * Don't bother to kickstart the renegotiation when the local is
-             * asking for it.
-             */
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", request renegotiation " +
-                        "to avoid sequence number overflow");
-            }
-
-            beginHandshake();
-
-            hsStatus = getHSStatus(null);
-        }
-        ciphertext.handshakeStatus = hsStatus;
-
-        return ciphertext;
-    }
-
-    private HandshakeStatus finishHandshake() {
-        handshaker = null;
-        inputRecord.setHandshakeHash(null);
-        outputRecord.setHandshakeHash(null);
-        connectionState = cs_DATA;
-
-       return HandshakeStatus.FINISHED;
-   }
-
-    //
-    // Close code
-    //
-
-    /**
-     * Signals that no more outbound application data will be sent
-     * on this <code>SSLEngine</code>.
-     */
-    private void closeOutboundInternal() {
-
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                                    ", closeOutboundInternal()");
-        }
-
-        /*
-         * Already closed, ignore
-         */
-        if (outboundDone) {
-            return;
-        }
-
-        switch (connectionState) {
-
-        /*
-         * If we haven't even started yet, don't bother reading inbound.
-         */
-        case cs_START:
-            try {
-                outputRecord.close();
-            } catch (IOException ioe) {
-               // ignore
-            }
-            outboundDone = true;
-
-            try {
-                inputRecord.close();
-            } catch (IOException ioe) {
-               // ignore
-            }
-            inboundDone = true;
-            break;
-
-        case cs_ERROR:
-        case cs_CLOSED:
-            break;
-
-        /*
-         * Otherwise we indicate clean termination.
-         */
-        // case cs_HANDSHAKE:
-        // case cs_DATA:
-        // case cs_RENEGOTIATE:
-        default:
-            warning(Alerts.alert_close_notify);
-            try {
-                outputRecord.close();
-            } catch (IOException ioe) {
-               // ignore
-            }
-            outboundDone = true;
-            break;
-        }
-
-        connectionState = cs_CLOSED;
-    }
-
-    @Override
-    public synchronized void closeOutbound() {
-        /*
-         * Dump out a close_notify to the remote side
-         */
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                                    ", called closeOutbound()");
-        }
-
-        closeOutboundInternal();
-    }
-
-    /**
-     * Returns the outbound application data closure state
-     */
-    @Override
-    public boolean isOutboundDone() {
-        return outboundDone && outputRecord.isEmpty();
-    }
-
-    /**
-     * Signals that no more inbound network data will be sent
-     * to this <code>SSLEngine</code>.
-     */
-    private void closeInboundInternal() {
-
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                                    ", closeInboundInternal()");
-        }
-
-        /*
-         * Already closed, ignore
-         */
-        if (inboundDone) {
-            return;
-        }
-
-        closeOutboundInternal();
-
-        try {
-            inputRecord.close();
-        } catch (IOException ioe) {
-           // ignore
-        }
-        inboundDone = true;
-
-        connectionState = cs_CLOSED;
-    }
-
-    /*
-     * Close the inbound side of the connection.  We grab the
-     * lock here, and do the real work in the internal verison.
-     * We do check for truncation attacks.
-     */
-    @Override
-    public synchronized void closeInbound() throws SSLException {
-        /*
-         * Currently closes the outbound side as well.  The IETF TLS
-         * working group has expressed the opinion that 1/2 open
-         * connections are not allowed by the spec.  May change
-         * someday in the future.
-         */
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                                    ", called closeInbound()");
-        }
-
-        /*
-         * No need to throw an Exception if we haven't even started yet.
+         * It's *possible* something might have happened between the
+         * above and now, but it was better to minimally lock "this"
+         * during the read process.  We'll return the current
+         * status, which is more representative of the current state.
+         *
+         * status above should cover:  FINISHED, NEED_TASK
          */
-        if ((connectionState != cs_START) && !recvCN) {
-            recvCN = true;  // Only receive the Exception once
-            fatal(Alerts.alert_internal_error,
-                "Inbound closed before receiving peer's close_notify: " +
-                "possible truncation attack?");
+        Status status = (isInboundDone() ? Status.CLOSED : Status.OK);
+        if (plainText.handshakeStatus != null) {
+            hsStatus = plainText.handshakeStatus;
         } else {
-            /*
-             * Currently, this is a no-op, but in case we change
-             * the close inbound code later.
-             */
-            closeInboundInternal();
+            hsStatus = getHandshakeStatus();
         }
-    }
 
-    /**
-     * Returns the network inbound data closure state
-     */
-    @Override
-    public synchronized boolean isInboundDone() {
-        return inboundDone;
-    }
-
-
-    //
-    // Misc stuff
-    //
+        int deltaNet = srcsRemains;
+        for (int i = srcsOffset; i < srcsOffset + srcsLength; i++) {
+            deltaNet -= srcs[i].remaining();
+        }
 
+        int deltaApp = dstsRemains;
+        for (int i = dstsOffset; i < dstsOffset + dstsLength; i++) {
+            deltaApp -= dsts[i].remaining();
+        }
 
-    /**
-     * Returns the current <code>SSLSession</code> for this
-     * <code>SSLEngine</code>
-     * <P>
-     * These can be long lived, and frequently correspond to an
-     * entire login session for some user.
-     */
-    @Override
-    public synchronized SSLSession getSession() {
-        return sess;
+        return new SSLEngineResult(
+                status, hsStatus, deltaNet, deltaApp, plainText.recordSN);
     }
 
-    @Override
-    public synchronized SSLSession getHandshakeSession() {
-        return handshakeSession;
-    }
+    private Plaintext decode(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
+
+        Plaintext pt = SSLTransport.decode(conContext,
+                            srcs, srcsOffset, srcsLength,
+                            dsts, dstsOffset, dstsLength);
+
+        // Is the handshake completed?
+        if (pt != Plaintext.PLAINTEXT_NULL) {
+            HandshakeStatus hsStatus = tryToFinishHandshake(pt.contentType);
+            if (hsStatus == null) {
+                pt.handshakeStatus = conContext.getHandshakeStatus();
+            } else {
+                pt.handshakeStatus = hsStatus;
+            }
 
-    synchronized void setHandshakeSession(SSLSessionImpl session) {
-        // update the fragment size, which may be negotiated during handshaking
-        inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
-        outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
+            // Is the sequence number is nearly overflow?
+            if (conContext.inputRecord.seqNumIsHuge()) {
+                pt.handshakeStatus =
+                        tryKeyUpdate(pt.handshakeStatus);
+            }
+        }
 
-        handshakeSession = session;
+        return pt;
     }
 
-    /**
-     * Returns a delegated <code>Runnable</code> task for
-     * this <code>SSLEngine</code>.
-     */
     @Override
     public synchronized Runnable getDelegatedTask() {
-        if (handshaker != null) {
-            return handshaker.getTask();
+        if (conContext.handshakeContext != null &&
+                !conContext.handshakeContext.taskDelegated &&
+                !conContext.handshakeContext.delegatedActions.isEmpty()) {
+            conContext.handshakeContext.taskDelegated = true;
+            return new DelegatedTask(this);
         }
+
         return null;
     }
 
-
-    //
-    // EXCEPTION AND ALERT HANDLING
-    //
-
-    /*
-     * Send a warning alert.
-     */
-    void warning(byte description) {
-        sendAlert(Alerts.alert_warning, description);
+    @Override
+    public synchronized void closeInbound() throws SSLException {
+        conContext.closeInbound();
     }
 
-    synchronized void fatal(byte description, String diagnostic)
-            throws SSLException {
-        fatal(description, diagnostic, null, false);
+    @Override
+    public synchronized boolean isInboundDone() {
+        return conContext.isInboundDone();
     }
 
-    synchronized void fatal(byte description, Throwable cause)
-            throws SSLException {
-        fatal(description, null, cause, false);
+    @Override
+    public synchronized void closeOutbound() {
+        conContext.closeOutbound();
     }
 
-    synchronized void fatal(byte description, String diagnostic,
-            Throwable cause) throws SSLException {
-        fatal(description, diagnostic, cause, false);
+    @Override
+    public synchronized boolean isOutboundDone() {
+        return conContext.isOutboundDone();
     }
 
-    /*
-     * We've got a fatal error here, so start the shutdown process.
-     *
-     * Because of the way the code was written, we have some code
-     * calling fatal directly when the "description" is known
-     * and some throwing Exceptions which are then caught by higher
-     * levels which then call here.  This code needs to determine
-     * if one of the lower levels has already started the process.
-     *
-     * We won't worry about Errors, if we have one of those,
-     * we're in worse trouble.  Note:  the networking code doesn't
-     * deal with Errors either.
-     */
-    synchronized void fatal(byte description, String diagnostic,
-            Throwable cause, boolean recvFatalAlert) throws SSLException {
-
-        /*
-         * If we have no further information, make a general-purpose
-         * message for folks to see.  We generally have one or the other.
-         */
-        if (diagnostic == null) {
-            diagnostic = "General SSLEngine problem";
-        }
-        if (cause == null) {
-            cause = Alerts.getSSLException(description, cause, diagnostic);
-        }
-
-        /*
-         * If we've already shutdown because of an error,
-         * there is nothing we can do except rethrow the exception.
-         *
-         * Most exceptions seen here will be SSLExceptions.
-         * We may find the occasional Exception which hasn't been
-         * converted to a SSLException, so we'll do it here.
-         */
-        if (closeReason != null) {
-            if ((debug != null) && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", fatal: engine already closed.  Rethrowing " +
-                    cause.toString());
-            }
-            if (cause instanceof RuntimeException) {
-                throw (RuntimeException)cause;
-            } else if (cause instanceof SSLException) {
-                throw (SSLException)cause;
-            } else if (cause instanceof Exception) {
-                throw new SSLException("fatal SSLEngine condition", cause);
-            }
-        }
-
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName()
-                        + ", fatal error: " + description +
-                        ": " + diagnostic + "\n" + cause.toString());
-        }
-
-        /*
-         * Ok, this engine's going down.
-         */
-        int oldState = connectionState;
-        connectionState = cs_ERROR;
-
-        try {
-            inputRecord.close();
-        } catch (IOException ioe) {
-           // ignore
-        }
-        inboundDone = true;
-
-        sess.invalidate();
-        if (handshakeSession != null) {
-            handshakeSession.invalidate();
-        }
-
-        /*
-         * If we haven't even started handshaking yet, or we are the
-         * recipient of a fatal alert, no need to generate a fatal close
-         * alert.
-         */
-        if (oldState != cs_START && !recvFatalAlert) {
-            sendAlert(Alerts.alert_fatal, description);
-        }
-
-        if (cause instanceof SSLException) { // only true if != null
-            closeReason = (SSLException)cause;
-        } else {
-            /*
-             * Including RuntimeExceptions, but we'll throw those
-             * down below.  The closeReason isn't used again,
-             * except for null checks.
-             */
-            closeReason =
-                Alerts.getSSLException(description, cause, diagnostic);
-        }
-
-        try {
-            outputRecord.close();
-        } catch (IOException ioe) {
-           // ignore
-        }
-        outboundDone = true;
-
-        connectionState = cs_CLOSED;
-
-        if (cause instanceof RuntimeException) {
-            throw (RuntimeException)cause;
-        } else {
-            throw closeReason;
-        }
+    @Override
+    public String[] getSupportedCipherSuites() {
+        return CipherSuite.namesOf(sslContext.getSupportedCipherSuites());
     }
 
-    /*
-     * Process an incoming alert ... caller must already have synchronized
-     * access to "this".
-     */
-    private void recvAlert(ByteBuffer fragment) throws IOException {
-        byte level = fragment.get();
-        byte description = fragment.get();
-
-        if (debug != null && (Debug.isOn("record") ||
-                Debug.isOn("handshake"))) {
-            synchronized (System.out) {
-                System.out.print(Thread.currentThread().getName());
-                System.out.print(", RECV " + protocolVersion + " ALERT:  ");
-                if (level == Alerts.alert_fatal) {
-                    System.out.print("fatal, ");
-                } else if (level == Alerts.alert_warning) {
-                    System.out.print("warning, ");
-                } else {
-                    System.out.print("<level " + (0x0ff & level) + ">, ");
-                }
-                System.out.println(Alerts.alertDescription(description));
-            }
-        }
-
-        if (level == Alerts.alert_warning) {
-            if (description == -1) {    // check for short message
-                fatal(Alerts.alert_illegal_parameter, "Short alert message");
-            } else if (description == Alerts.alert_close_notify) {
-                if (connectionState == cs_HANDSHAKE) {
-                    fatal(Alerts.alert_unexpected_message,
-                                "Received close_notify during handshake");
-                } else {
-                    recvCN = true;
-                    closeInboundInternal();  // reply to close
-                }
-            } else {
-
-                //
-                // The other legal warnings relate to certificates,
-                // e.g. no_certificate, bad_certificate, etc; these
-                // are important to the handshaking code, which can
-                // also handle illegal protocol alerts if needed.
-                //
-                if (handshaker != null) {
-                    handshaker.handshakeAlert(description);
-                }
-            }
-        } else { // fatal or unknown level
-            String reason = "Received fatal alert: "
-                + Alerts.alertDescription(description);
-
-            // The inbound and outbound queues will be closed as part of
-            // the call to fatal.  The handhaker to needs to be set to null
-            // so subsequent calls to getHandshakeStatus will return
-            // NOT_HANDSHAKING.
-            handshaker = null;
-            Throwable cause = Alerts.getSSLException(description, reason);
-            fatal(description, null, cause, true);
-        }
+    @Override
+    public synchronized String[] getEnabledCipherSuites() {
+        return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites);
     }
 
-
-    /*
-     * Emit alerts.  Caller must have synchronized with "this".
-     */
-    private void sendAlert(byte level, byte description) {
-        // the connectionState cannot be cs_START
-        if (connectionState >= cs_CLOSED) {
-            return;
-        }
-
-        // For initial handshaking, don't send alert message to peer if
-        // handshaker has not started.
-        //
-        // Shall we send an fatal alter to terminate the connection gracefully?
-        if (connectionState <= cs_HANDSHAKE &&
-                (handshaker == null || !handshaker.started() ||
-                        !handshaker.activated())) {
-            return;
+    @Override
+    public synchronized void setEnabledCipherSuites(String[] suites) {
+        if (suites == null) {
+            throw new IllegalArgumentException("CipherSuites cannot be null");
         }
 
-        try {
-            outputRecord.encodeAlert(level, description);
-        } catch (IOException ioe) {
-            // ignore
-        }
+        conContext.sslConfig.enabledCipherSuites =
+                CipherSuite.validValuesOf(suites);
     }
 
-
-    //
-    // VARIOUS OTHER METHODS (COMMON TO SSLSocket)
-    //
-
-
-    /**
-     * Controls whether new connections may cause creation of new SSL
-     * sessions.
-     *
-     * As long as handshaking has not started, we can change
-     * whether we enable session creations.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
     @Override
-    public synchronized void setEnableSessionCreation(boolean flag) {
-        enableSessionCreation = flag;
-
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setEnableSessionCreation(enableSessionCreation);
-        }
+    public String[] getSupportedProtocols() {
+        return ProtocolVersion.toStringArray(
+                sslContext.getSuportedProtocolVersions());
     }
 
-    /**
-     * Returns true if new connections may cause creation of new SSL
-     * sessions.
-     */
     @Override
-    public synchronized boolean getEnableSessionCreation() {
-        return enableSessionCreation;
+    public synchronized String[] getEnabledProtocols() {
+        return ProtocolVersion.toStringArray(
+                conContext.sslConfig.enabledProtocols);
     }
 
-
-    /**
-     * Sets the flag controlling whether a server mode engine
-     * *REQUIRES* SSL client authentication.
-     *
-     * As long as handshaking has not started, we can change
-     * whether client authentication is needed.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
     @Override
-    public synchronized void setNeedClientAuth(boolean flag) {
-        doClientAuth = (flag ?
-                ClientAuthType.CLIENT_AUTH_REQUIRED :
-                ClientAuthType.CLIENT_AUTH_NONE);
-
-        if ((handshaker != null) &&
-                (handshaker instanceof ServerHandshaker) &&
-                !handshaker.activated()) {
-            ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
+    public synchronized void setEnabledProtocols(String[] protocols) {
+        if (protocols == null) {
+            throw new IllegalArgumentException("Protocols cannot be null");
         }
+
+        conContext.sslConfig.enabledProtocols =
+                ProtocolVersion.namesOf(protocols);
     }
 
     @Override
-    public synchronized boolean getNeedClientAuth() {
-        return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED);
+    public synchronized SSLSession getSession() {
+        return conContext.conSession;
     }
 
-    /**
-     * Sets the flag controlling whether a server mode engine
-     * *REQUESTS* SSL client authentication.
-     *
-     * As long as handshaking has not started, we can change
-     * whether client authentication is requested.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
     @Override
-    public synchronized void setWantClientAuth(boolean flag) {
-        doClientAuth = (flag ?
-                ClientAuthType.CLIENT_AUTH_REQUESTED :
-                ClientAuthType.CLIENT_AUTH_NONE);
-
-        if ((handshaker != null) &&
-                (handshaker instanceof ServerHandshaker) &&
-                !handshaker.activated()) {
-            ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
-        }
+    public synchronized SSLSession getHandshakeSession() {
+        return conContext.handshakeContext == null ?
+                null : conContext.handshakeContext.handshakeSession;
     }
 
     @Override
-    public synchronized boolean getWantClientAuth() {
-        return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED);
+    public synchronized SSLEngineResult.HandshakeStatus getHandshakeStatus() {
+        return conContext.getHandshakeStatus();
     }
 
-
-    /**
-     * Sets the flag controlling whether the engine is in SSL
-     * client or server mode.  Must be called before any SSL
-     * traffic has started.
-     */
     @Override
-    @SuppressWarnings("fallthrough")
-    public synchronized void setUseClientMode(boolean flag) {
-        switch (connectionState) {
-
-        case cs_START:
-            /*
-             * If we need to change the socket mode and the enabled
-             * protocols and cipher suites haven't specifically been
-             * set by the user, change them to the corresponding
-             * default ones.
-             */
-            if (roleIsServer != (!flag)) {
-                if (sslContext.isDefaultProtocolList(enabledProtocols)) {
-                    enabledProtocols =
-                            sslContext.getDefaultProtocolList(!flag);
-                }
-
-                if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) {
-                    enabledCipherSuites =
-                            sslContext.getDefaultCipherSuiteList(!flag);
-                }
-            }
-
-            roleIsServer = !flag;
-            serverModeSet = true;
-            break;
-
-        case cs_HANDSHAKE:
-            /*
-             * If we have a handshaker, but haven't started
-             * SSL traffic, we can throw away our current
-             * handshaker, and start from scratch.  Don't
-             * need to call doneConnect() again, we already
-             * have the streams.
-             */
-            assert(handshaker != null);
-            if (!handshaker.activated()) {
-                /*
-                 * If we need to change the socket mode and the enabled
-                 * protocols and cipher suites haven't specifically been
-                 * set by the user, change them to the corresponding
-                 * default ones.
-                 */
-                if (roleIsServer != (!flag)) {
-                    if (sslContext.isDefaultProtocolList(enabledProtocols)) {
-                        enabledProtocols =
-                                sslContext.getDefaultProtocolList(!flag);
-                    }
-
-                    if (sslContext.isDefaultCipherSuiteList(
-                                                    enabledCipherSuites)) {
-                        enabledCipherSuites =
-                            sslContext.getDefaultCipherSuiteList(!flag);
-                    }
-                }
-
-                roleIsServer = !flag;
-                connectionState = cs_START;
-                initHandshaker();
-                break;
-            }
-
-            // If handshake has started, that's an error.  Fall through...
-
-        default:
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", setUseClientMode() invoked in state = " +
-                    connectionState);
-            }
-
-            /*
-             * We can let them continue if they catch this correctly,
-             * we don't need to shut this down.
-             */
-            throw new IllegalArgumentException(
-                "Cannot change mode after SSL traffic has started");
-        }
+    public synchronized void setUseClientMode(boolean mode) {
+        conContext.setUseClientMode(mode);
     }
 
     @Override
     public synchronized boolean getUseClientMode() {
-        return !roleIsServer;
+        return conContext.sslConfig.isClientMode;
     }
 
-
-    /**
-     * Returns the names of the cipher suites which could be enabled for use
-     * on an SSL connection.  Normally, only a subset of these will actually
-     * be enabled by default, since this list may include cipher suites which
-     * do not support the mutual authentication of servers and clients, or
-     * which do not protect data confidentiality.  Servers may also need
-     * certain kinds of certificates to use certain cipher suites.
-     *
-     * @return an array of cipher suite names
-     */
     @Override
-    public String[] getSupportedCipherSuites() {
-        return sslContext.getSupportedCipherSuiteList().toStringArray();
+    public synchronized void setNeedClientAuth(boolean need) {
+        conContext.sslConfig.clientAuthType =
+                (need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
+                        ClientAuthType.CLIENT_AUTH_NONE);
     }
 
-    /**
-     * Controls which particular cipher suites are enabled for use on
-     * this connection.  The cipher suites must have been listed by
-     * getCipherSuites() as being supported.  Even if a suite has been
-     * enabled, it might never be used if no peer supports it or the
-     * requisite certificates (and private keys) are not available.
-     *
-     * @param suites Names of all the cipher suites to enable.
-     */
     @Override
-    public synchronized void setEnabledCipherSuites(String[] suites) {
-        enabledCipherSuites = new CipherSuiteList(suites);
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setEnabledCipherSuites(enabledCipherSuites);
-        }
+    public synchronized boolean getNeedClientAuth() {
+        return (conContext.sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUIRED);
     }
 
-    /**
-     * Returns the names of the SSL cipher suites which are currently enabled
-     * for use on this connection.  When an SSL engine is first created,
-     * all enabled cipher suites <em>(a)</em> protect data confidentiality,
-     * by traffic encryption, and <em>(b)</em> can mutually authenticate
-     * both clients and servers.  Thus, in some environments, this value
-     * might be empty.
-     *
-     * @return an array of cipher suite names
-     */
     @Override
-    public synchronized String[] getEnabledCipherSuites() {
-        return enabledCipherSuites.toStringArray();
+    public synchronized void setWantClientAuth(boolean want) {
+        conContext.sslConfig.clientAuthType =
+                (want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
+                        ClientAuthType.CLIENT_AUTH_NONE);
     }
 
-
-    /**
-     * Returns the protocols that are supported by this implementation.
-     * A subset of the supported protocols may be enabled for this connection
-     * @return an array of protocol names.
-     */
     @Override
-    public String[] getSupportedProtocols() {
-        return sslContext.getSuportedProtocolList().toStringArray();
+    public synchronized boolean getWantClientAuth() {
+        return (conContext.sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUESTED);
     }
 
-    /**
-     * Controls which protocols are enabled for use on
-     * this connection.  The protocols must have been listed by
-     * getSupportedProtocols() as being supported.
-     *
-     * @param protocols protocols to enable.
-     * @exception IllegalArgumentException when one of the protocols
-     *  named by the parameter is not supported.
-     */
     @Override
-    public synchronized void setEnabledProtocols(String[] protocols) {
-        enabledProtocols = new ProtocolList(protocols);
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setEnabledProtocols(enabledProtocols);
-        }
+    public synchronized void setEnableSessionCreation(boolean flag) {
+        conContext.sslConfig.enableSessionCreation = flag;
     }
 
     @Override
-    public synchronized String[] getEnabledProtocols() {
-        return enabledProtocols.toStringArray();
+    public synchronized boolean getEnableSessionCreation() {
+        return conContext.sslConfig.enableSessionCreation;
     }
 
-    /**
-     * Returns the SSLParameters in effect for this SSLEngine.
-     */
     @Override
     public synchronized SSLParameters getSSLParameters() {
-        SSLParameters params = super.getSSLParameters();
-
-        // the super implementation does not handle the following parameters
-        params.setEndpointIdentificationAlgorithm(identificationProtocol);
-        params.setAlgorithmConstraints(algorithmConstraints);
-        params.setSNIMatchers(sniMatchers);
-        params.setServerNames(serverNames);
-        params.setUseCipherSuitesOrder(preferLocalCipherSuites);
-        params.setEnableRetransmissions(enableRetransmissions);
-        params.setMaximumPacketSize(maximumPacketSize);
-        params.setApplicationProtocols(applicationProtocols);
-
-        return params;
+        return conContext.sslConfig.getSSLParameters();
     }
 
-    /**
-     * Applies SSLParameters to this engine.
-     */
     @Override
     public synchronized void setSSLParameters(SSLParameters params) {
-        super.setSSLParameters(params);
-
-        // the super implementation does not handle the following parameters
-        identificationProtocol = params.getEndpointIdentificationAlgorithm();
-        algorithmConstraints = params.getAlgorithmConstraints();
-        preferLocalCipherSuites = params.getUseCipherSuitesOrder();
-        enableRetransmissions = params.getEnableRetransmissions();
-        maximumPacketSize = params.getMaximumPacketSize();
-
-        if (maximumPacketSize != 0) {
-            outputRecord.changePacketSize(maximumPacketSize);
-        } else {
-            // use the implicit maximum packet size.
-            maximumPacketSize = outputRecord.getMaxPacketSize();
-        }
-
-        List<SNIServerName> sniNames = params.getServerNames();
-        if (sniNames != null) {
-            serverNames = sniNames;
-        }
+        conContext.sslConfig.setSSLParameters(params);
 
-        Collection<SNIMatcher> matchers = params.getSNIMatchers();
-        if (matchers != null) {
-            sniMatchers = matchers;
-        }
-        applicationProtocols = params.getApplicationProtocols();
-
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setIdentificationProtocol(identificationProtocol);
-            handshaker.setAlgorithmConstraints(algorithmConstraints);
-            handshaker.setMaximumPacketSize(maximumPacketSize);
-            handshaker.setApplicationProtocols(applicationProtocols);
-            if (roleIsServer) {
-                handshaker.setSNIMatchers(sniMatchers);
-                handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
-            } else {
-                handshaker.setSNIServerNames(serverNames);
-            }
+        if (conContext.sslConfig.maximumPacketSize != 0) {
+            conContext.outputRecord.changePacketSize(
+                    conContext.sslConfig.maximumPacketSize);
         }
     }
 
     @Override
     public synchronized String getApplicationProtocol() {
-        return applicationProtocol;
+        return conContext.applicationProtocol;
     }
 
     @Override
     public synchronized String getHandshakeApplicationProtocol() {
-        if ((handshaker != null) && handshaker.started()) {
-            return handshaker.getHandshakeApplicationProtocol();
-        }
-        return null;
+        return conContext.handshakeContext == null ?
+                null : conContext.handshakeContext.applicationProtocol;
     }
 
     @Override
     public synchronized void setHandshakeApplicationProtocolSelector(
-        BiFunction<SSLEngine, List<String>, String> selector) {
-        applicationProtocolSelector = selector;
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setApplicationProtocolSelectorSSLEngine(selector);
-        }
+            BiFunction<SSLEngine, List<String>, String> selector) {
+        conContext.sslConfig.engineAPSelector = selector;
     }
 
     @Override
     public synchronized BiFunction<SSLEngine, List<String>, String>
-        getHandshakeApplicationProtocolSelector() {
-        return this.applicationProtocolSelector;
+            getHandshakeApplicationProtocolSelector() {
+        return conContext.sslConfig.engineAPSelector;
+    }
+
+    @Override
+    public boolean useDelegatedTask() {
+        return true;
+    }
+
+    private synchronized void checkTaskThrown() throws SSLException {
+        HandshakeContext hc = conContext.handshakeContext;
+        if (hc != null && hc.delegatedThrown != null) {
+            try {
+                throw getTaskThrown(hc.delegatedThrown);
+            } finally {
+                hc.delegatedThrown = null;
+            }
+        }
+
+        if (conContext.isBroken && conContext.closeReason != null) {
+            throw getTaskThrown(conContext.closeReason);
+        }
+    }
+
+    private static SSLException getTaskThrown(Exception taskThrown) {
+        String msg = taskThrown.getMessage();
+
+        if (msg == null) {
+            msg = "Delegated task threw Exception or Error";
+        }
+
+        if (taskThrown instanceof RuntimeException) {
+            throw new RuntimeException(msg, taskThrown);
+        } else if (taskThrown instanceof SSLHandshakeException) {
+            return (SSLHandshakeException)
+                new SSLHandshakeException(msg).initCause(taskThrown);
+        } else if (taskThrown instanceof SSLKeyException) {
+            return (SSLKeyException)
+                new SSLKeyException(msg).initCause(taskThrown);
+        } else if (taskThrown instanceof SSLPeerUnverifiedException) {
+            return (SSLPeerUnverifiedException)
+                new SSLPeerUnverifiedException(msg).initCause(taskThrown);
+        } else if (taskThrown instanceof SSLProtocolException) {
+            return (SSLProtocolException)
+                new SSLProtocolException(msg).initCause(taskThrown);
+        } else if (taskThrown instanceof SSLException) {
+            return (SSLException)taskThrown;
+        } else {
+            return new SSLException(msg, taskThrown);
+        }
     }
 
     /**
-     * Returns a printable representation of this end of the connection.
+     * Implement a simple task delegator.
      */
-    @Override
-    public String toString() {
-        StringBuilder retval = new StringBuilder(80);
+    private static class DelegatedTask implements Runnable {
+        private final SSLEngineImpl engine;
+
+        DelegatedTask(SSLEngineImpl engineInstance) {
+            this.engine = engineInstance;
+        }
 
-        retval.append(Integer.toHexString(hashCode()));
-        retval.append("[");
-        retval.append("SSLEngine[hostname=");
-        String host = getPeerHost();
-        retval.append((host == null) ? "null" : host);
-        retval.append(" port=");
-        retval.append(Integer.toString(getPeerPort()));
-        retval.append(" role=" + (roleIsServer ? "Server" : "Client"));
-        retval.append("] ");
-        retval.append(getSession().getCipherSuite());
-        retval.append("]");
+        @Override
+        public void run() {
+            synchronized (engine) {
+                HandshakeContext hc = engine.conContext.handshakeContext;
+                if (hc == null || hc.delegatedActions.isEmpty()) {
+                    return;
+                }
+
+                try {
+                    AccessController.doPrivileged(
+                            new DelegatedAction(hc), engine.conContext.acc);
+                } catch (PrivilegedActionException pae) {
+                    // Get the handshake context again in case the
+                    // handshaking has completed.
+                    hc = engine.conContext.handshakeContext;
+                    if (hc != null) {
+                        hc.delegatedThrown = pae.getException();
+                    } else if (engine.conContext.closeReason != null) {
+                        engine.conContext.closeReason =
+                                getTaskThrown(pae.getException());
+                    }
+                } catch (RuntimeException rte) {
+                    // Get the handshake context again in case the
+                    // handshaking has completed.
+                    hc = engine.conContext.handshakeContext;
+                    if (hc != null) {
+                        hc.delegatedThrown = rte;
+                    } else if (engine.conContext.closeReason != null) {
+                        engine.conContext.closeReason = rte;
+                    }
+                }
+
+                // Get the handshake context again in case the
+                // handshaking has completed.
+                hc = engine.conContext.handshakeContext;
+                if (hc != null) {
+                    hc.taskDelegated = false;
+                }
+            }
+        }
+
+        private static class DelegatedAction
+                implements PrivilegedExceptionAction<Void> {
+            final HandshakeContext context;
+            DelegatedAction(HandshakeContext context) {
+                this.context = context;
+            }
+
+            @Override
+            public Void run() throws Exception {
+                while (!context.delegatedActions.isEmpty()) {
+                    // Report back the task SSLException
+                    if (context.delegatedThrown != null) {
+                        Exception delegatedThrown = context.delegatedThrown;
+                        context.delegatedThrown = null;
+                        throw getTaskThrown(delegatedThrown);
+                    }
 
-        return retval.toString();
+                    Map.Entry<Byte, ByteBuffer> me =
+                            context.delegatedActions.poll();
+                    if (me != null) {
+                        context.dispatch(me.getKey(), me.getValue());
+                    }
+                }
+                return null;
+            }
+        }
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLEngineInputRecord.java	2018-05-11 15:05:49.014390000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLEngineInputRecord.java	2018-05-11 15:05:48.304695700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,13 +27,11 @@
 
 import java.io.*;
 import java.nio.*;
-
+import java.security.GeneralSecurityException;
+import java.util.ArrayList;
 import javax.crypto.BadPaddingException;
-
 import javax.net.ssl.*;
-
-import sun.security.util.HexDumpEncoder;
-
+import sun.security.ssl.SSLCipher.SSLReadCipher;
 
 /**
  * {@code InputRecord} implementation for {@code SSLEngine}.
@@ -46,27 +44,30 @@
 
     private boolean formatVerified = false;     // SSLv2 ruled out?
 
-    SSLEngineInputRecord() {
-        this.readAuthenticator = MAC.TLS_NULL;
+    // Cache for incomplete handshake messages.
+    private ByteBuffer handshakeBuffer = null;
+
+    SSLEngineInputRecord(HandshakeHash handshakeHash) {
+        super(handshakeHash, SSLReadCipher.nullTlsReadCipher());
     }
 
     @Override
     int estimateFragmentSize(int packetSize) {
-        int macLen = 0;
-        if (readAuthenticator instanceof MAC) {
-            macLen = ((MAC)readAuthenticator).MAClen();
-        }
-
         if (packetSize > 0) {
-            return readCipher.estimateFragmentSize(
-                    packetSize, macLen, headerSize);
+            return readCipher.estimateFragmentSize(packetSize, headerSize);
         } else {
             return Record.maxDataSize;
         }
     }
 
     @Override
-    int bytesInCompletePacket(ByteBuffer packet) throws SSLException {
+    int bytesInCompletePacket(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength) throws IOException {
+
+        return bytesInCompletePacket(srcs[srcsOffset]);
+    }
+
+    private int bytesInCompletePacket(ByteBuffer packet) throws SSLException {
         /*
          * SSLv2 length field is in bytes 0/1
          * SSLv3/TLS length field is in bytes 3/4
@@ -87,15 +88,19 @@
          * see if it's SSL/TLS.
          */
         if (formatVerified ||
-                (byteZero == ct_handshake) || (byteZero == ct_alert)) {
+                (byteZero == ContentType.HANDSHAKE.id) ||
+                (byteZero == ContentType.ALERT.id)) {
             /*
              * Last sanity check that it's not a wild record
              */
-            ProtocolVersion recordVersion = ProtocolVersion.valueOf(
-                                    packet.get(pos + 1), packet.get(pos + 2));
-
-            // check the record version
-            checkRecordVersion(recordVersion, false);
+            byte majorVersion = packet.get(pos + 1);
+            byte minorVersion = packet.get(pos + 2);
+            if (!ProtocolVersion.isNegotiable(
+                    majorVersion, minorVersion, false, false)) {
+                throw new SSLException("Unrecognized record version " +
+                        ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                        " , plaintext connection?");
+            }
 
             /*
              * Reasonably sure this is a V3, disable further checks.
@@ -123,11 +128,14 @@
             if (isShort &&
                     ((packet.get(pos + 2) == 1) || packet.get(pos + 2) == 4)) {
 
-                ProtocolVersion recordVersion = ProtocolVersion.valueOf(
-                                    packet.get(pos + 3), packet.get(pos + 4));
-
-                // check the record version
-                checkRecordVersion(recordVersion, true);
+                byte majorVersion = packet.get(pos + 3);
+                byte minorVersion = packet.get(pos + 4);
+                if (!ProtocolVersion.isNegotiable(
+                        majorVersion, minorVersion, false, false)) {
+                    throw new SSLException("Unrecognized record version " +
+                            ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                            " , plaintext connection?");
+                }
 
                 /*
                  * Client or Server Hello
@@ -147,37 +155,29 @@
     }
 
     @Override
-    void checkRecordVersion(ProtocolVersion recordVersion,
-            boolean allowSSL20Hello) throws SSLException {
-
-        if (recordVersion.maybeDTLSProtocol()) {
-            throw new SSLException(
-                    "Unrecognized record version " + recordVersion +
-                    " , DTLS packet?");
-        }
+    Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset,
+            int srcsLength) throws IOException, BadPaddingException {
+        if (srcs == null || srcs.length == 0 || srcsLength == 0) {
+            return new Plaintext[0];
+        } else if (srcsLength == 1) {
+            return decode(srcs[srcsOffset]);
+        } else {
+            ByteBuffer packet = extract(srcs,
+                    srcsOffset, srcsLength, SSLRecord.headerSize);
 
-        // Check if the record version is too old.
-        if ((recordVersion.v < ProtocolVersion.MIN.v)) {
-            // if it's not SSLv2, we're out of here.
-            if (!allowSSL20Hello ||
-                    (recordVersion.v != ProtocolVersion.SSL20Hello.v)) {
-                throw new SSLException(
-                    "Unsupported record version " + recordVersion);
-            }
+            return decode(packet);
         }
     }
 
-    @Override
-    Plaintext decode(ByteBuffer packet)
+    private Plaintext[] decode(ByteBuffer packet)
             throws IOException, BadPaddingException {
 
         if (isClosed) {
             return null;
         }
 
-        if (debug != null && Debug.isOn("packet")) {
-             Debug.printHex(
-                    "[Raw read]: length = " + packet.remaining(), packet);
+        if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+            SSLLogger.fine("Raw read", packet);
         }
 
         // The caller should have validated the record.
@@ -191,7 +191,8 @@
              */
             int pos = packet.position();
             byte byteZero = packet.get(pos);
-            if (byteZero != ct_handshake && byteZero != ct_alert) {
+            if (byteZero != ContentType.HANDSHAKE.id &&
+                    byteZero != ContentType.ALERT.id) {
                 return handleUnknownRecord(packet);
             }
         }
@@ -199,27 +200,24 @@
         return decodeInputRecord(packet);
     }
 
-    private Plaintext decodeInputRecord(ByteBuffer packet)
+    private Plaintext[] decodeInputRecord(ByteBuffer packet)
             throws IOException, BadPaddingException {
-
         //
         // The packet should be a complete record, or more.
         //
-
         int srcPos = packet.position();
         int srcLim = packet.limit();
 
         byte contentType = packet.get();                   // pos: 0
         byte majorVersion = packet.get();                  // pos: 1
         byte minorVersion = packet.get();                  // pos: 2
-        int contentLen = ((packet.get() & 0xFF) << 8) +
-                          (packet.get() & 0xFF);           // pos: 3, 4
+        int contentLen = Record.getInt16(packet);          // pos: 3, 4
 
-        if (debug != null && Debug.isOn("record")) {
-             System.out.println(Thread.currentThread().getName() +
-                    ", READ: " +
-                    ProtocolVersion.valueOf(majorVersion, minorVersion) +
-                    " " + Record.contentName(contentType) + ", length = " +
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine(
+                    "READ: " +
+                    ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                    " " + ContentType.nameOf(contentType) + ", length = " +
                     contentLen);
         }
 
@@ -235,7 +233,7 @@
         //
         // check for handshake fragment
         //
-        if ((contentType != ct_handshake) && (hsMsgOff != hsMsgLen)) {
+        if (contentType != ContentType.HANDSHAKE.id && hsMsgOff != hsMsgLen) {
             throw new SSLProtocolException(
                     "Expected to get a handshake fragment");
         }
@@ -247,10 +245,17 @@
         packet.limit(recLim);
         packet.position(srcPos + SSLRecord.headerSize);
 
-        ByteBuffer plaintext;
+        ByteBuffer fragment;
         try {
-            plaintext =
-                decrypt(readAuthenticator, readCipher, contentType, packet);
+            Plaintext plaintext =
+                    readCipher.decrypt(contentType, packet, null);
+            fragment = plaintext.fragment;
+            contentType = plaintext.contentType;
+        } catch (BadPaddingException bpe) {
+            throw bpe;
+        } catch (GeneralSecurityException gse) {
+            throw (SSLProtocolException)(new SSLProtocolException(
+                    "Unexpected exception")).initCause(gse);
         } finally {
             // comsume a complete record
             packet.limit(srcLim);
@@ -258,81 +263,83 @@
         }
 
         //
-        // handshake hashing
+        // parse handshake messages
         //
-        if (contentType == ct_handshake) {
-            int pltPos = plaintext.position();
-            int pltLim = plaintext.limit();
-            int frgPos = pltPos;
-            for (int remains = plaintext.remaining(); remains > 0;) {
-                int howmuch;
-                byte handshakeType;
-                if (hsMsgOff < hsMsgLen) {
-                    // a fragment of the handshake message
-                    howmuch = Math.min((hsMsgLen - hsMsgOff), remains);
-                    handshakeType = prevType;
-
-                    hsMsgOff += howmuch;
-                    if (hsMsgOff == hsMsgLen) {
-                        // Now is a complete handshake message.
-                        hsMsgOff = 0;
-                        hsMsgLen = 0;
-                    }
-                } else {    // hsMsgOff == hsMsgLen, a new handshake message
-                    handshakeType = plaintext.get();
-                    int handshakeLen = ((plaintext.get() & 0xFF) << 16) |
-                                       ((plaintext.get() & 0xFF) << 8) |
-                                        (plaintext.get() & 0xFF);
-                    plaintext.position(frgPos);
-                    if (remains < (handshakeLen + 4)) { // 4: handshake header
-                        // This handshake message is fragmented.
-                        prevType = handshakeType;
-                        hsMsgOff = remains - 4;         // 4: handshake header
-                        hsMsgLen = handshakeLen;
-                    }
+        if (contentType == ContentType.HANDSHAKE.id) {
+            ByteBuffer handshakeFrag = fragment;
+            if ((handshakeBuffer != null) &&
+                    (handshakeBuffer.remaining() != 0)) {
+                ByteBuffer bb = ByteBuffer.wrap(new byte[
+                        handshakeBuffer.remaining() + fragment.remaining()]);
+                bb.put(handshakeBuffer);
+                bb.put(fragment);
+                handshakeFrag = bb.rewind();
+                handshakeBuffer = null;
+            }
 
-                    howmuch = Math.min(handshakeLen + 4, remains);
+            ArrayList<Plaintext> plaintexts = new ArrayList<>(5);
+            while (handshakeFrag.hasRemaining()) {
+                int remaining = handshakeFrag.remaining();
+                if (remaining < handshakeHeaderSize) {
+                    handshakeBuffer = ByteBuffer.wrap(new byte[remaining]);
+                    handshakeBuffer.put(handshakeFrag);
+                    handshakeBuffer.rewind();
+                    break;
                 }
 
-                plaintext.limit(frgPos + howmuch);
-
-                if (handshakeType == HandshakeMessage.ht_hello_request) {
-                    // omitted from handshake hash computation
-                } else if ((handshakeType != HandshakeMessage.ht_finished) &&
-                    (handshakeType != HandshakeMessage.ht_certificate_verify)) {
-
-                    if (handshakeHash == null) {
-                        // used for cache only
-                        handshakeHash = new HandshakeHash(false);
+                handshakeFrag.mark();
+                // skip the first byte: handshake type
+                byte handshakeType = handshakeFrag.get();
+                int handshakeBodyLen = Record.getInt24(handshakeFrag);
+                handshakeFrag.reset();
+                int handshakeMessageLen =
+                        handshakeHeaderSize + handshakeBodyLen;
+                if (remaining < handshakeMessageLen) {
+                    handshakeBuffer = ByteBuffer.wrap(new byte[remaining]);
+                    handshakeBuffer.put(handshakeFrag);
+                    handshakeBuffer.rewind();
+                    break;
+                } if (remaining == handshakeMessageLen) {
+                    if (handshakeHash.isHashable(handshakeType)) {
+                        handshakeHash.receive(handshakeFrag);
                     }
-                    handshakeHash.update(plaintext);
+
+                    plaintexts.add(
+                        new Plaintext(contentType,
+                            majorVersion, minorVersion, -1, -1L, handshakeFrag)
+                    );
+                    break;
                 } else {
-                    // Reserve until this handshake message has been processed.
-                    if (handshakeHash == null) {
-                        // used for cache only
-                        handshakeHash = new HandshakeHash(false);
+                    int fragPos = handshakeFrag.position();
+                    int fragLim = handshakeFrag.limit();
+                    int nextPos = fragPos + handshakeMessageLen;
+                    handshakeFrag.limit(nextPos);
+
+                    if (handshakeHash.isHashable(handshakeType)) {
+                        handshakeHash.receive(handshakeFrag);
                     }
-                    handshakeHash.reserve(plaintext);
-                }
 
-                plaintext.position(frgPos + howmuch);
-                plaintext.limit(pltLim);
+                    plaintexts.add(
+                        new Plaintext(contentType, majorVersion, minorVersion,
+                            -1, -1L, handshakeFrag.slice())
+                    );
 
-                frgPos += howmuch;
-                remains -= howmuch;
+                    handshakeFrag.position(nextPos);
+                    handshakeFrag.limit(fragLim);
+                }
             }
 
-            plaintext.position(pltPos);
+            return plaintexts.toArray(new Plaintext[0]);
         }
 
-        return new Plaintext(contentType,
-                majorVersion, minorVersion, -1, -1L, plaintext);
-                // recordEpoch, recordSeq, plaintext);
+        return new Plaintext[] {
+            new Plaintext(contentType,
+                majorVersion, minorVersion, -1, -1L, fragment)
+        };
     }
 
-    private Plaintext handleUnknownRecord(ByteBuffer packet)
+    private Plaintext[] handleUnknownRecord(ByteBuffer packet)
             throws IOException, BadPaddingException {
-
         //
         // The packet should be a complete record.
         //
@@ -363,8 +370,8 @@
                  * error message, one that's treated as fatal by
                  * clients (Otherwise we'll hang.)
                  */
-                if (debug != null && Debug.isOn("record")) {
-                     System.out.println(Thread.currentThread().getName() +
+                if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                   SSLLogger.fine(
                             "Requested to negotiate unsupported SSLv2!");
                 }
 
@@ -380,23 +387,20 @@
              * V3 ClientHello message, and pass it up.
              */
             packet.position(srcPos + 2);        // exclude the header
-
-            if (handshakeHash == null) {
-                // used for cache only
-                handshakeHash = new HandshakeHash(false);
-            }
-            handshakeHash.update(packet);
+            handshakeHash.receive(packet);
             packet.position(srcPos);
 
             ByteBuffer converted = convertToClientHello(packet);
 
-            if (debug != null && Debug.isOn("packet")) {
-                 Debug.printHex(
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                SSLLogger.fine(
                         "[Converted] ClientHello", converted);
             }
 
-            return new Plaintext(ct_handshake,
-                majorVersion, minorVersion, -1, -1L, converted);
+            return new Plaintext[] {
+                    new Plaintext(ContentType.HANDSHAKE.id,
+                    majorVersion, minorVersion, -1, -1L, converted)
+                };
         } else {
             if (((firstByte & 0x80) != 0) && (thirdByte == 4)) {
                 throw new SSLException("SSL V2.0 servers are not supported.");
@@ -405,5 +409,4 @@
             throw new SSLException("Unsupported or unrecognized SSL message");
         }
     }
-
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLEngineOutputRecord.java	2018-05-11 15:05:51.452560100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLEngineOutputRecord.java	2018-05-11 15:05:50.697361900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,14 +25,13 @@
 
 package sun.security.ssl;
 
-import java.io.*;
-import java.nio.*;
-import java.util.*;
-
-import javax.net.ssl.SSLException;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.LinkedList;
 import javax.net.ssl.SSLHandshakeException;
-import sun.security.util.HexDumpEncoder;
-import static sun.security.ssl.Ciphertext.RecordType;
+
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
+import sun.security.ssl.KeyUpdate.KeyUpdateMessage;
 
 /**
  * {@code OutputRecord} implementation for {@code SSLEngine}.
@@ -40,23 +39,22 @@
 final class SSLEngineOutputRecord extends OutputRecord implements SSLRecord {
 
     private HandshakeFragment fragmenter = null;
-    private LinkedList<RecordMemo> alertMemos = new LinkedList<>();
     private boolean isTalkingToV2 = false;      // SSLv2Hello
     private ByteBuffer v2ClientHello = null;    // SSLv2Hello
 
     private boolean isCloseWaiting = false;
 
-    SSLEngineOutputRecord() {
-        this.writeAuthenticator = MAC.TLS_NULL;
+    SSLEngineOutputRecord(HandshakeHash handshakeHash) {
+        super(handshakeHash, SSLWriteCipher.nullTlsWriteCipher());
 
         this.packetSize = SSLRecord.maxRecordSize;
-        this.protocolVersion = ProtocolVersion.DEFAULT_TLS;
+        this.protocolVersion = ProtocolVersion.NONE;
     }
 
     @Override
     public synchronized void close() throws IOException {
         if (!isClosed) {
-            if (alertMemos != null && !alertMemos.isEmpty()) {
+            if (fragmenter != null && fragmenter.hasAlert()) {
                 isCloseWaiting = true;
             } else {
                 super.close();
@@ -66,19 +64,11 @@
 
     @Override
     void encodeAlert(byte level, byte description) throws IOException {
-        RecordMemo memo = new RecordMemo();
-
-        memo.contentType = Record.ct_alert;
-        memo.majorVersion = protocolVersion.major;
-        memo.minorVersion = protocolVersion.minor;
-        memo.encodeCipher = writeCipher;
-        memo.encodeAuthenticator = writeAuthenticator;
-
-        memo.fragment = new byte[2];
-        memo.fragment[0] = level;
-        memo.fragment[1] = description;
+        if (fragmenter == null) {
+           fragmenter = new HandshakeFragment();
+        }
 
-        alertMemos.add(memo);
+        fragmenter.queueUpAlert(level, description);
     }
 
     @Override
@@ -93,7 +83,7 @@
             firstMessage = false;
 
             if ((helloVersion == ProtocolVersion.SSL20Hello) &&
-                (source[offset] == HandshakeMessage.ht_client_hello) &&
+                (source[offset] == SSLHandshake.CLIENT_HELLO.id) &&
                                             //  5: recode header size
                 (source[offset + 4 + 2 + 32] == 0)) {
                                             // V3 session ID is empty
@@ -106,7 +96,7 @@
                         source, (offset + 4), (length - 4));
 
                 v2ClientHello.position(2);     // exclude the header
-                handshakeHash.update(v2ClientHello);
+                handshakeHash.deliver(v2ClientHello);
                 v2ClientHello.position(0);
 
                 return;
@@ -114,8 +104,8 @@
         }
 
         byte handshakeType = source[offset];
-        if (handshakeType != HandshakeMessage.ht_hello_request) {
-            handshakeHash.update(source, offset, length);
+        if (handshakeHash.isHashable(handshakeType)) {
+            handshakeHash.deliver(source, offset, length);
         }
 
         fragmenter.queueUpFragment(source, offset, length);
@@ -135,22 +125,43 @@
     }
 
     @Override
-    Ciphertext encode(ByteBuffer[] sources, int offset, int length,
+    Ciphertext encode(
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
+        return encode(srcs, srcsOffset, srcsLength, dsts[0]);
+    }
+
+    private Ciphertext encode(ByteBuffer[] sources, int offset, int length,
             ByteBuffer destination) throws IOException {
 
-        if (writeAuthenticator.seqNumOverflow()) {
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", sequence number extremely close to overflow " +
+        if (writeCipher.authenticator.seqNumOverflow()) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine(
+                    "sequence number extremely close to overflow " +
                     "(2^64-1 packets). Closing connection.");
             }
 
             throw new SSLHandshakeException("sequence number overflow");
         }
 
-        int macLen = 0;
-        if (writeAuthenticator instanceof MAC) {
-            macLen = ((MAC)writeAuthenticator).MAClen();
+        // Don't process the incoming record until all of the
+        // buffered records get handled.
+        Ciphertext ct = acquireCiphertext(destination);
+        if (ct != null) {
+            return ct;
+        }
+
+        if (sources == null || sources.length == 0) {
+            return null;
+        }
+
+        int srcsRemains = 0;
+        for (int i = offset; i < offset + length; i++) {
+            srcsRemains += sources[i].remaining();
+        }
+
+        if (srcsRemains == 0) {
+            return null;
         }
 
         int dstLim = destination.limit();
@@ -169,8 +180,8 @@
                 needMorePayload = false;
 
                 if (packetLeftSize > 0) {
-                    fragLen = writeCipher.calculateFragmentSize(
-                            packetLeftSize, macLen, headerSize);
+                    fragLen =writeCipher.calculateFragmentSize(
+                            packetLeftSize, headerSize);
 
                     fragLen = Math.min(fragLen, Record.maxDataSize);
                 } else {
@@ -208,26 +219,24 @@
             destination.limit(destination.position());
             destination.position(dstContent);
 
-            if ((debug != null) && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion + " " +
-                        Record.contentName(Record.ct_application_data) +
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine(
+                        "WRITE: " + protocolVersion + " " +
+                        ContentType.APPLICATION_DATA.name +
                         ", length = " + destination.remaining());
             }
 
             // Encrypt the fragment and wrap up a record.
-            recordSN = encrypt(writeAuthenticator, writeCipher,
-                    Record.ct_application_data, destination,
+            recordSN = encrypt(writeCipher,
+                    ContentType.APPLICATION_DATA.id, destination,
                     dstPos, dstLim, headerSize,
-                    protocolVersion, false);
+                    protocolVersion);
 
-            if ((debug != null) && Debug.isOn("packet")) {
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
                 ByteBuffer temporary = destination.duplicate();
                 temporary.limit(temporary.position());
                 temporary.position(dstPos);
-                Debug.printHex(
-                        "[Raw write]: length = " + temporary.remaining(),
-                        temporary);
+                SSLLogger.fine("Raw write", temporary);
             }
 
             packetLeftSize -= destination.position() - dstPos;
@@ -238,103 +247,60 @@
             if (isFirstAppOutputRecord) {
                 isFirstAppOutputRecord = false;
             }
+
+            if (writeCipher.atKeyLimit()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine("KeyUpdate: triggered");
+                }
+
+                PostHandshakeContext p = new PostHandshakeContext(tc);
+                KeyUpdate.handshakeProducer.produce(p,
+                        new KeyUpdateMessage(p, KeyUpdateMessage.REQUSTED));
+            }
         }
 
-        return new Ciphertext(RecordType.RECORD_APPLICATION_DATA, recordSN);
+        return new Ciphertext(ContentType.APPLICATION_DATA.id,
+                SSLHandshake.NOT_APPLICABLE.id, recordSN);
     }
 
-    @Override
-    Ciphertext acquireCiphertext(ByteBuffer destination) throws IOException {
+    private Ciphertext acquireCiphertext(ByteBuffer destination) throws IOException {
         if (isTalkingToV2) {              // SSLv2Hello
             // We don't support SSLv2.  Send an SSLv2 error message
             // so that the connection can be closed gracefully.
             //
             // Please don't change the limit of the destination buffer.
             destination.put(SSLRecord.v2NoCipher);
-            if (debug != null && Debug.isOn("packet")) {
-                Debug.printHex(
-                        "[Raw write]: length = " + SSLRecord.v2NoCipher.length,
-                        SSLRecord.v2NoCipher);
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                SSLLogger.fine("Raw write", SSLRecord.v2NoCipher);
             }
 
             isTalkingToV2 = false;
 
-            return new Ciphertext(RecordType.RECORD_ALERT, -1L);
+            return new Ciphertext(ContentType.ALERT.id,
+                    SSLHandshake.NOT_APPLICABLE.id, -1L);
         }
 
         if (v2ClientHello != null) {
             // deliver the SSLv2 format ClientHello message
             //
             // Please don't change the limit of the destination buffer.
-            if (debug != null) {
-                if (Debug.isOn("record")) {
-                     System.out.println(Thread.currentThread().getName() +
+            if (SSLLogger.isOn) {
+                if (SSLLogger.isOn("record")) {
+                     SSLLogger.fine(Thread.currentThread().getName() +
                             ", WRITE: SSLv2 ClientHello message" +
                             ", length = " + v2ClientHello.remaining());
                 }
 
-                if (Debug.isOn("packet")) {
-                    Debug.printHex(
-                        "[Raw write]: length = " + v2ClientHello.remaining(),
-                        v2ClientHello);
+                if (SSLLogger.isOn("packet")) {
+                    SSLLogger.fine("Raw write", v2ClientHello);
                 }
             }
 
             destination.put(v2ClientHello);
             v2ClientHello = null;
 
-            return new Ciphertext(RecordType.RECORD_CLIENT_HELLO, -1L);
-        }
-
-        if (alertMemos != null && !alertMemos.isEmpty()) {
-            RecordMemo memo = alertMemos.pop();
-
-            int macLen = 0;
-            if (memo.encodeAuthenticator instanceof MAC) {
-                macLen = ((MAC)memo.encodeAuthenticator).MAClen();
-            }
-
-            int dstPos = destination.position();
-            int dstLim = destination.limit();
-            int dstContent = dstPos + headerSize +
-                                writeCipher.getExplicitNonceSize();
-            destination.position(dstContent);
-
-            destination.put(memo.fragment);
-
-            destination.limit(destination.position());
-            destination.position(dstContent);
-
-            if ((debug != null) && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion + " " +
-                        Record.contentName(Record.ct_alert) +
-                        ", length = " + destination.remaining());
-            }
-
-            // Encrypt the fragment and wrap up a record.
-            long recordSN = encrypt(memo.encodeAuthenticator, memo.encodeCipher,
-                    Record.ct_alert, destination, dstPos, dstLim, headerSize,
-                    ProtocolVersion.valueOf(memo.majorVersion,
-                            memo.minorVersion), false);
-
-            if ((debug != null) && Debug.isOn("packet")) {
-                ByteBuffer temporary = destination.duplicate();
-                temporary.limit(temporary.position());
-                temporary.position(dstPos);
-                Debug.printHex(
-                        "[Raw write]: length = " + temporary.remaining(),
-                        temporary);
-            }
-
-            // remain the limit unchanged
-            destination.limit(dstLim);
-
-            if (isCloseWaiting && (memo.contentType == Record.ct_alert)) {
-                isCloseWaiting = true;
-                close();
-            }
-            return new Ciphertext(RecordType.RECORD_ALERT, recordSN);
+            return new Ciphertext(ContentType.HANDSHAKE.id,
+                   SSLHandshake.CLIENT_HELLO.id, -1L);
         }
 
         if (fragmenter != null) {
@@ -347,8 +313,7 @@
     @Override
     boolean isEmpty() {
         return (!isTalkingToV2) && (v2ClientHello == null) &&
-                ((fragmenter == null) || fragmenter.isEmpty()) &&
-                ((alertMemos == null) || alertMemos.isEmpty());
+                ((fragmenter == null) || fragmenter.isEmpty());
     }
 
     // buffered record fragment
@@ -356,8 +321,7 @@
         byte            contentType;
         byte            majorVersion;
         byte            minorVersion;
-        CipherBox       encodeCipher;
-        Authenticator   encodeAuthenticator;
+        SSLWriteCipher  encodeCipher;
 
         byte[]          fragment;
     }
@@ -372,14 +336,12 @@
 
         void queueUpFragment(byte[] source,
                 int offset, int length) throws IOException {
-
             HandshakeMemo memo = new HandshakeMemo();
 
-            memo.contentType = Record.ct_handshake;
+            memo.contentType = ContentType.HANDSHAKE.id;
             memo.majorVersion = protocolVersion.major;  // kick start version?
             memo.minorVersion = protocolVersion.minor;
             memo.encodeCipher = writeCipher;
-            memo.encodeAuthenticator = writeAuthenticator;
 
             memo.handshakeType = source[offset];
             memo.acquireOffset = 0;
@@ -394,11 +356,10 @@
         void queueUpChangeCipherSpec() {
             RecordMemo memo = new RecordMemo();
 
-            memo.contentType = Record.ct_change_cipher_spec;
+            memo.contentType = ContentType.CHANGE_CIPHER_SPEC.id;
             memo.majorVersion = protocolVersion.major;
             memo.minorVersion = protocolVersion.minor;
             memo.encodeCipher = writeCipher;
-            memo.encodeAuthenticator = writeAuthenticator;
 
             memo.fragment = new byte[1];
             memo.fragment[0] = 1;
@@ -406,6 +367,21 @@
             handshakeMemos.add(memo);
         }
 
+        void queueUpAlert(byte level, byte description) {
+            RecordMemo memo = new RecordMemo();
+
+            memo.contentType = ContentType.ALERT.id;
+            memo.majorVersion = protocolVersion.major;
+            memo.minorVersion = protocolVersion.minor;
+            memo.encodeCipher = writeCipher;
+
+            memo.fragment = new byte[2];
+            memo.fragment[0] = level;
+            memo.fragment[1] = description;
+
+            handshakeMemos.add(memo);
+        }
+
         Ciphertext acquireCiphertext(ByteBuffer dstBuf) throws IOException {
             if (isEmpty()) {
                 return null;
@@ -413,22 +389,17 @@
 
             RecordMemo memo = handshakeMemos.getFirst();
             HandshakeMemo hsMemo = null;
-            if (memo.contentType == Record.ct_handshake) {
+            if (memo.contentType == ContentType.HANDSHAKE.id) {
                 hsMemo = (HandshakeMemo)memo;
             }
 
-            int macLen = 0;
-            if (memo.encodeAuthenticator instanceof MAC) {
-                macLen = ((MAC)memo.encodeAuthenticator).MAClen();
-            }
-
             // ChangeCipherSpec message is pretty small.  Don't worry about
             // the fragmentation of ChangeCipherSpec record.
             int fragLen;
             if (packetSize > 0) {
                 fragLen = Math.min(maxRecordSize, packetSize);
                 fragLen = memo.encodeCipher.calculateFragmentSize(
-                        fragLen, macLen, headerSize);
+                        fragLen, headerSize);
             } else {
                 fragLen = Record.maxDataSize;
             }
@@ -474,11 +445,12 @@
                                  !handshakeMemos.isEmpty()) {
 
                             // look for the next buffered record fragment
-                            RecordMemo reMemo = handshakeMemos.getFirst();
-                            if (reMemo.contentType == Record.ct_handshake) {
-                                hsMemo = (HandshakeMemo)reMemo;
+                            RecordMemo rm = handshakeMemos.getFirst();
+                            if (rm.contentType == ContentType.HANDSHAKE.id &&
+                                    rm.encodeCipher == hsMemo.encodeCipher) {
+                                hsMemo = (HandshakeMemo)rm;
                             } else {
-                                // not handshake message, break the loop
+                                // not of the flight, break the loop
                                 break;
                             }
                         }
@@ -498,27 +470,26 @@
             dstBuf.limit(dstBuf.position());
             dstBuf.position(dstContent);
 
-            if ((debug != null) && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion + " " +
-                        Record.contentName(memo.contentType) +
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine(
+                        "WRITE: " + protocolVersion + " " +
+                        ContentType.nameOf(memo.contentType) +
                         ", length = " + dstBuf.remaining());
             }
 
             // Encrypt the fragment and wrap up a record.
-            long recordSN = encrypt(memo.encodeAuthenticator, memo.encodeCipher,
+            long recordSN = encrypt(
+                    memo.encodeCipher,
                     memo.contentType, dstBuf,
                     dstPos, dstLim, headerSize,
                     ProtocolVersion.valueOf(memo.majorVersion,
-                            memo.minorVersion), false);
+                            memo.minorVersion));
 
-            if ((debug != null) && Debug.isOn("packet")) {
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
                 ByteBuffer temporary = dstBuf.duplicate();
                 temporary.limit(temporary.position());
                 temporary.position(dstPos);
-                Debug.printHex(
-                        "[Raw write]: length = " + temporary.remaining(),
-                        temporary);
+                SSLLogger.fine("Raw write", temporary);
             }
 
             // remain the limit unchanged
@@ -526,17 +497,32 @@
 
             // Reset the fragmentation offset.
             if (hsMemo != null) {
-                return new Ciphertext(RecordType.valueOf(
-                        hsMemo.contentType, hsMemo.handshakeType), recordSN);
+                return new Ciphertext(hsMemo.contentType,
+                        hsMemo.handshakeType, recordSN);
             } else {
-                return new Ciphertext(
-                        RecordType.RECORD_CHANGE_CIPHER_SPEC, recordSN);
+                if (isCloseWaiting &&
+                        memo.contentType == ContentType.ALERT.id) {
+                    close();
+                }
+
+                return new Ciphertext(memo.contentType,
+                        SSLHandshake.NOT_APPLICABLE.id, recordSN);
             }
         }
 
         boolean isEmpty() {
             return handshakeMemos.isEmpty();
         }
+
+        boolean hasAlert() {
+            for (RecordMemo memo : handshakeMemos) {
+                if (memo.contentType ==  ContentType.ALERT.id) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
     }
 
     /*
--- old/src/java.base/share/classes/sun/security/ssl/SSLRecord.java	2018-05-11 15:05:53.314198000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLRecord.java	2018-05-11 15:05:52.740714400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,7 +32,8 @@
  */
 interface SSLRecord extends Record {
 
-    static final int    headerSize = 5;         // SSLv3 record header
+    static final int    headerSize = 5;             // SSLv3 record header
+    static final int    handshakeHeaderSize = 4;    // SSLv3 handshake header
 
     /*
      * The size of the header plus the max IV length
--- old/src/java.base/share/classes/sun/security/ssl/SSLServerSocketFactoryImpl.java	2018-05-11 15:05:55.216884100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLServerSocketFactoryImpl.java	2018-05-11 15:05:54.593216400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,7 +28,6 @@
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.ServerSocket;
-
 import javax.net.ssl.SSLServerSocketFactory;
 
 /**
@@ -36,9 +35,8 @@
  *
  * @author David Brownell
  */
-final
-public class SSLServerSocketFactoryImpl extends SSLServerSocketFactory
-{
+final public
+        class SSLServerSocketFactoryImpl extends SSLServerSocketFactory {
     private static final int DEFAULT_BACKLOG = 50;
     private SSLContextImpl context;
 
@@ -55,8 +53,7 @@
     /**
      * Called from SSLContextImpl's getSSLServerSocketFactory().
      */
-    SSLServerSocketFactoryImpl (SSLContextImpl context)
-    {
+    SSLServerSocketFactoryImpl(SSLContextImpl context) {
         this.context = context;
     }
 
@@ -73,26 +70,23 @@
     }
 
     @Override
-    public ServerSocket createServerSocket (int port)
-    throws IOException
-    {
-        return new SSLServerSocketImpl (port, DEFAULT_BACKLOG, context);
+    public ServerSocket createServerSocket(
+            int port) throws IOException {
+        return new SSLServerSocketImpl (context, port, DEFAULT_BACKLOG);
     }
 
 
     @Override
-    public ServerSocket createServerSocket (int port, int backlog)
-    throws IOException
-    {
-        return new SSLServerSocketImpl (port, backlog, context);
+    public ServerSocket createServerSocket (
+            int port, int backlog) throws IOException {
+        return new SSLServerSocketImpl (context, port, backlog);
     }
 
     @Override
     public ServerSocket
-    createServerSocket (int port, int backlog, InetAddress ifAddress)
-    throws IOException
-    {
-        return new SSLServerSocketImpl (port, backlog, ifAddress, context);
+    createServerSocket (int port,
+            int backlog, InetAddress ifAddress) throws IOException {
+        return new SSLServerSocketImpl (context, port, backlog, ifAddress);
     }
 
     /**
@@ -104,7 +98,7 @@
      */
     @Override
     public String[] getDefaultCipherSuites() {
-        return context.getDefaultCipherSuiteList(true).toStringArray();
+        return CipherSuite.namesOf(context.getDefaultCipherSuites(true));
     }
 
     /**
@@ -119,7 +113,6 @@
      */
     @Override
     public String[] getSupportedCipherSuites() {
-        return context.getSupportedCipherSuiteList().toStringArray();
+        return CipherSuite.namesOf(context.getSupportedCipherSuites());
     }
-
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java	2018-05-11 15:05:57.359224800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java	2018-05-11 15:05:56.755325700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,22 +23,13 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.io.IOException;
 import java.net.InetAddress;
 import java.net.Socket;
-
-import java.security.AlgorithmConstraints;
-
-import java.util.*;
-
-import javax.net.ssl.SSLException;
-import javax.net.ssl.SSLServerSocket;
 import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SNIMatcher;
-
+import javax.net.ssl.SSLServerSocket;
 
 /**
  * This class provides a simple way for servers to support conventional
@@ -62,301 +53,161 @@
  *
  * @author David Brownell
  */
-final
-class SSLServerSocketImpl extends SSLServerSocket
-{
-    private SSLContextImpl      sslContext;
-
-    /* Do newly accepted connections require clients to authenticate? */
-    private ClientAuthType    clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
-
-    /* Do new connections created here use the "server" mode of SSL? */
-    private boolean             useServerMode = true;
-
-    /* Can new connections created establish new sessions? */
-    private boolean             enableSessionCreation = true;
-
-    /* what cipher suites to use by default */
-    private CipherSuiteList     enabledCipherSuites = null;
-
-    /* which protocol to use by default */
-    private ProtocolList        enabledProtocols = null;
-
-    // the endpoint identification protocol to use by default
-    private String              identificationProtocol = null;
-
-    // The cryptographic algorithm constraints
-    private AlgorithmConstraints    algorithmConstraints = null;
-
-    // The server name indication
-    Collection<SNIMatcher>      sniMatchers =
-                                    Collections.<SNIMatcher>emptyList();
-
-    // Configured application protocol values
-    String[] applicationProtocols = new String[0];
-
-    /*
-     * Whether local cipher suites preference in server side should be
-     * honored during handshaking?
-     */
-    private boolean             preferLocalCipherSuites = false;
-
-    /**
-     * Create an SSL server socket on a port, using a non-default
-     * authentication context and a specified connection backlog.
-     *
-     * @param port the port on which to listen
-     * @param backlog how many connections may be pending before
-     *          the system should start rejecting new requests
-     * @param context authentication context for this server
-     */
-    SSLServerSocketImpl(int port, int backlog, SSLContextImpl context)
-    throws IOException, SSLException
-    {
-        super(port, backlog);
-        initServer(context);
-    }
+final class SSLServerSocketImpl extends SSLServerSocket {
+    private final SSLContextImpl        sslContext;
+    private final SSLConfiguration      sslConfig;
 
+    SSLServerSocketImpl(SSLContextImpl sslContext) throws IOException {
 
-    /**
-     * Create an SSL server socket on a port, using a specified
-     * authentication context and a specified backlog of connections
-     * as well as a particular specified network interface.  This
-     * constructor is used on multihomed hosts, such as those used
-     * for firewalls or as routers, to control through which interface
-     * a network service is provided.
-     *
-     * @param port the port on which to listen
-     * @param backlog how many connections may be pending before
-     *          the system should start rejecting new requests
-     * @param address the address of the network interface through
-     *          which connections will be accepted
-     * @param context authentication context for this server
-     */
-    SSLServerSocketImpl(
-        int             port,
-        int             backlog,
-        InetAddress     address,
-        SSLContextImpl  context)
-        throws IOException
-    {
-        super(port, backlog, address);
-        initServer(context);
+        super();
+        this.sslContext = sslContext;
+        this.sslConfig = new SSLConfiguration(sslContext, false);
+        this.sslConfig.isClientMode = false;
     }
 
+    SSLServerSocketImpl(SSLContextImpl sslContext,
+            int port, int backlog) throws IOException {
 
-    /**
-     * Creates an unbound server socket.
-     */
-    SSLServerSocketImpl(SSLContextImpl context) throws IOException {
-        super();
-        initServer(context);
+        super(port, backlog);
+        this.sslContext = sslContext;
+        this.sslConfig = new SSLConfiguration(sslContext, false);
+        this.sslConfig.isClientMode = false;
     }
 
+    SSLServerSocketImpl(SSLContextImpl sslContext,
+            int port, int backlog, InetAddress address) throws IOException {
 
-    /**
-     * Initializes the server socket.
-     */
-    private void initServer(SSLContextImpl context) throws SSLException {
-        if (context == null) {
-            throw new SSLException("No Authentication context given");
-        }
-        sslContext = context;
-        enabledCipherSuites = sslContext.getDefaultCipherSuiteList(true);
-        enabledProtocols = sslContext.getDefaultProtocolList(true);
+        super(port, backlog, address);
+        this.sslContext = sslContext;
+        this.sslConfig = new SSLConfiguration(sslContext, false);
+        this.sslConfig.isClientMode = false;
     }
 
-    /**
-     * Returns the names of the cipher suites which could be enabled for use
-     * on an SSL connection.  Normally, only a subset of these will actually
-     * be enabled by default, since this list may include cipher suites which
-     * do not support the mutual authentication of servers and clients, or
-     * which do not protect data confidentiality.  Servers may also need
-     * certain kinds of certificates to use certain cipher suites.
-     *
-     * @return an array of cipher suite names
-     */
     @Override
-    public String[] getSupportedCipherSuites() {
-        return sslContext.getSupportedCipherSuiteList().toStringArray();
+    public synchronized String[] getEnabledCipherSuites() {
+        return CipherSuite.namesOf(sslConfig.enabledCipherSuites);
     }
 
-    /**
-     * Returns the list of cipher suites which are currently enabled
-     * for use by newly accepted connections.  A null return indicates
-     * that the system defaults are in effect.
-     */
     @Override
-    public synchronized String[] getEnabledCipherSuites() {
-        return enabledCipherSuites.toStringArray();
+    public synchronized void setEnabledCipherSuites(String[] suites) {
+        if (suites == null) {
+            throw new IllegalArgumentException("CipherSuites cannot be null");
+        }
+
+        sslConfig.enabledCipherSuites =
+                CipherSuite.validValuesOf(suites);
     }
 
-    /**
-     * Controls which particular SSL cipher suites are enabled for use
-     * by accepted connections.
-     *
-     * @param suites Names of all the cipher suites to enable; null
-     *  means to accept system defaults.
-     */
     @Override
-    public synchronized void setEnabledCipherSuites(String[] suites) {
-        enabledCipherSuites = new CipherSuiteList(suites);
+    public String[] getSupportedCipherSuites() {
+        return CipherSuite.namesOf(sslContext.getSupportedCipherSuites());
     }
 
     @Override
     public String[] getSupportedProtocols() {
-        return sslContext.getSuportedProtocolList().toStringArray();
+        return ProtocolVersion.toStringArray(
+                sslContext.getSuportedProtocolVersions());
     }
 
-    /**
-     * Controls which protocols are enabled for use.
-     * The protocols must have been listed by
-     * getSupportedProtocols() as being supported.
-     *
-     * @param protocols protocols to enable.
-     * @exception IllegalArgumentException when one of the protocols
-     *  named by the parameter is not supported.
-     */
     @Override
-    public synchronized void setEnabledProtocols(String[] protocols) {
-        enabledProtocols = new ProtocolList(protocols);
+    public synchronized String[] getEnabledProtocols() {
+        return ProtocolVersion.toStringArray(sslConfig.enabledProtocols);
     }
 
     @Override
-    public synchronized String[] getEnabledProtocols() {
-        return enabledProtocols.toStringArray();
+    public synchronized void setEnabledProtocols(String[] protocols) {
+        if (protocols == null) {
+            throw new IllegalArgumentException("Protocols cannot be null");
+        }
+
+        sslConfig.enabledProtocols = ProtocolVersion.namesOf(protocols);
     }
 
-    /**
-     * Controls whether the connections which are accepted must include
-     * client authentication.
-     */
     @Override
-    public void setNeedClientAuth(boolean flag) {
-        clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
-                ClientAuthType.CLIENT_AUTH_NONE);
+    public synchronized void setNeedClientAuth(boolean need) {
+        sslConfig.clientAuthType =
+                (need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
+                        ClientAuthType.CLIENT_AUTH_NONE);
     }
 
     @Override
-    public boolean getNeedClientAuth() {
-        return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUIRED);
+    public synchronized boolean getNeedClientAuth() {
+        return (sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUIRED);
     }
 
-    /**
-     * Controls whether the connections which are accepted should request
-     * client authentication.
-     */
     @Override
-    public void setWantClientAuth(boolean flag) {
-        clientAuthType = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
-                ClientAuthType.CLIENT_AUTH_NONE);
+    public synchronized void setWantClientAuth(boolean want) {
+        sslConfig.clientAuthType =
+                (want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
+                        ClientAuthType.CLIENT_AUTH_NONE);
     }
 
     @Override
-    public boolean getWantClientAuth() {
-        return (clientAuthType == ClientAuthType.CLIENT_AUTH_REQUESTED);
+    public synchronized boolean getWantClientAuth() {
+        return (sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUESTED);
     }
 
-    /**
-     * Makes the returned sockets act in SSL "client" mode, not the usual
-     * server mode.  The canonical example of why this is needed is for
-     * FTP clients, which accept connections from servers and should be
-     * rejoining the already-negotiated SSL connection.
-     */
     @Override
-    public void setUseClientMode(boolean flag) {
+    public synchronized void setUseClientMode(boolean useClientMode) {
         /*
-         * If we need to change the socket mode and the enabled
-         * protocols haven't specifically been set by the user,
-         * change them to the corresponding default ones.
+         * If we need to change the client mode and the enabled
+         * protocols and cipher suites haven't specifically been
+         * set by the user, change them to the corresponding
+         * default ones.
          */
-        if (useServerMode != (!flag) &&
-                sslContext.isDefaultProtocolList(enabledProtocols)) {
-            enabledProtocols = sslContext.getDefaultProtocolList(!flag);
-        }
+        if (sslConfig.isClientMode != useClientMode) {
+            if (sslContext.isDefaultProtocolVesions(
+                    sslConfig.enabledProtocols)) {
+                sslConfig.enabledProtocols =
+                        sslContext.getDefaultProtocolVersions(!useClientMode);
+            }
+
+            if (sslContext.isDefaultCipherSuiteList(
+                    sslConfig.enabledCipherSuites)) {
+                sslConfig.enabledCipherSuites =
+                        sslContext.getDefaultCipherSuites(!useClientMode);
+            }
 
-        useServerMode = !flag;
+            sslConfig.isClientMode = useClientMode;
+        }
     }
 
     @Override
-    public boolean getUseClientMode() {
-        return !useServerMode;
+    public synchronized boolean getUseClientMode() {
+        return sslConfig.isClientMode;
     }
 
-
-    /**
-     * Controls whether new connections may cause creation of new SSL
-     * sessions.
-     */
     @Override
-    public void setEnableSessionCreation(boolean flag) {
-        enableSessionCreation = flag;
+    public synchronized void setEnableSessionCreation(boolean flag) {
+        sslConfig.enableSessionCreation = flag;
     }
 
-    /**
-     * Returns true if new connections may cause creation of new SSL
-     * sessions.
-     */
     @Override
-    public boolean getEnableSessionCreation() {
-        return enableSessionCreation;
+    public synchronized boolean getEnableSessionCreation() {
+        return sslConfig.enableSessionCreation;
     }
 
-    /**
-     * Returns the SSLParameters in effect for newly accepted connections.
-     */
     @Override
     public synchronized SSLParameters getSSLParameters() {
-        SSLParameters params = super.getSSLParameters();
-
-        // the super implementation does not handle the following parameters
-        params.setEndpointIdentificationAlgorithm(identificationProtocol);
-        params.setAlgorithmConstraints(algorithmConstraints);
-        params.setSNIMatchers(sniMatchers);
-        params.setUseCipherSuitesOrder(preferLocalCipherSuites);
-        params.setApplicationProtocols(applicationProtocols);
-
-        return params;
+        return sslConfig.getSSLParameters();
     }
 
-    /**
-     * Applies SSLParameters to newly accepted connections.
-     */
     @Override
     public synchronized void setSSLParameters(SSLParameters params) {
-        super.setSSLParameters(params);
-
-        // the super implementation does not handle the following parameters
-        identificationProtocol = params.getEndpointIdentificationAlgorithm();
-        algorithmConstraints = params.getAlgorithmConstraints();
-        preferLocalCipherSuites = params.getUseCipherSuitesOrder();
-        Collection<SNIMatcher> matchers = params.getSNIMatchers();
-        if (matchers != null) {
-            sniMatchers = params.getSNIMatchers();
-        }
-        applicationProtocols = params.getApplicationProtocols();
+        sslConfig.setSSLParameters(params);
     }
 
-    /**
-     * Accept a new SSL connection.  This server identifies itself with
-     * information provided in the authentication context which was
-     * presented during construction.
-     */
     @Override
     public Socket accept() throws IOException {
-        SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode,
-            enabledCipherSuites, clientAuthType, enableSessionCreation,
-            enabledProtocols, identificationProtocol, algorithmConstraints,
-            sniMatchers, preferLocalCipherSuites, applicationProtocols);
+        SSLSocketImpl s = new SSLSocketImpl(sslContext, sslConfig);
 
         implAccept(s);
         s.doneConnect();
         return s;
     }
 
-    /**
-     * Provides a brief description of this SSL socket.
-     */
     @Override
     public String toString() {
         return "[SSL: "+ super.toString() + "]";
--- old/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java	2018-05-11 15:05:58.955980600 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSessionContextImpl.java	2018-05-11 15:05:58.442730400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,16 +23,13 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.util.Enumeration;
-import java.util.Vector;
 import java.util.Locale;
-
+import java.util.Vector;
 import javax.net.ssl.SSLSession;
 import javax.net.ssl.SSLSessionContext;
-
 import sun.security.util.Cache;
 
 
@@ -250,5 +247,4 @@
                                   new Vector<byte[]>().elements();
         }
     }
-
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java	2018-05-11 15:06:00.572570200 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java	2018-05-11 15:06:00.041284300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -22,36 +22,30 @@
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
-
-
 package sun.security.ssl;
 
-import java.net.*;
-import java.util.Enumeration;
-import java.util.Hashtable;
-import java.util.Vector;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.List;
-import java.util.ArrayList;
-
+import java.math.BigInteger;
+import java.net.InetAddress;
 import java.security.Principal;
 import java.security.PrivateKey;
-import java.security.SecureRandom;
-import java.security.cert.X509Certificate;
 import java.security.cert.CertificateEncodingException;
-
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.List;
+import java.util.Vector;
+import java.util.Optional;
 import javax.crypto.SecretKey;
-
-import javax.net.ssl.SSLSessionContext;
-import javax.net.ssl.SSLSessionBindingListener;
-import javax.net.ssl.SSLSessionBindingEvent;
-import javax.net.ssl.SSLPeerUnverifiedException;
-import javax.net.ssl.SSLPermission;
 import javax.net.ssl.ExtendedSSLSession;
 import javax.net.ssl.SNIServerName;
-
-import static sun.security.ssl.CipherSuite.KeyExchange.*;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLPermission;
+import javax.net.ssl.SSLSessionBindingEvent;
+import javax.net.ssl.SSLSessionBindingListener;
+import javax.net.ssl.SSLSessionContext;
 
 /**
  * Implements the SSL session interface, and exposes the session context
@@ -91,13 +85,18 @@
     private byte                compressionMethod;
     private CipherSuite         cipherSuite;
     private SecretKey           masterSecret;
-    private final boolean       useExtendedMasterSecret;
+    final boolean               useExtendedMasterSecret;
+    private SecretKey           resumptionMasterSecret;
+    private SecretKey           preSharedKey;
+    private byte[]              pskIdentity;
+    private final long          ticketCreationTime = System.currentTimeMillis();
+    private int                 ticketAgeAdd;
 
     /*
      * Information not part of the SSLv3 protocol spec, but used
      * to support session management policies.
      */
-    private final long          creationTime = System.currentTimeMillis();
+    private final long          creationTime;
     private long                lastUsedTime = 0;
     private final String        host;
     private final int           port;
@@ -106,9 +105,8 @@
     private boolean             invalidated;
     private X509Certificate[]   localCerts;
     private PrivateKey          localPrivateKey;
-    private String[]            localSupportedSignAlgs;
+    private final String[]      localSupportedSignAlgs;
     private String[]            peerSupportedSignAlgs;
-    private List<SNIServerName>    requestedServerNames;
     private List<byte[]>        statusResponses;
 
     private int                 negotiatedMaxFragLen;
@@ -138,8 +136,12 @@
      */
     private static boolean      defaultRejoinable = true;
 
-    /* Class and subclass dynamic debugging support */
-    private static final Debug debug = Debug.getInstance("ssl");
+    // server name indication
+    final SNIServerName         serverNameIndication;
+    private final List<SNIServerName>    requestedServerNames;
+
+    // Counter used to create unique nonces in NewSessionTicket
+    private BigInteger ticketNonceCounter = BigInteger.ONE;
 
     /*
      * Create a new non-rejoinable session, using the default (null)
@@ -148,8 +150,16 @@
      * first opened and before handshaking begins.
      */
     private SSLSessionImpl() {
-        this(ProtocolVersion.NONE, CipherSuite.C_NULL, null,
-            new SessionId(false, null), null, -1, false);
+        this.protocolVersion = ProtocolVersion.NONE;
+        this.cipherSuite = CipherSuite.C_NULL;
+        this.sessionId = new SessionId(false, null);
+        this.host = null;
+        this.port = -1;
+        this.localSupportedSignAlgs = new String[0];
+        this.serverNameIndication = null;
+        this.requestedServerNames = Collections.<SNIServerName>emptyList();
+        this.useExtendedMasterSecret = false;
+        this.creationTime = System.currentTimeMillis();
     }
 
     /*
@@ -157,39 +167,55 @@
      * be rejoinable if session caching is enabled; the constructor
      * is intended mostly for use by serves.
      */
-    SSLSessionImpl(ProtocolVersion protocolVersion, CipherSuite cipherSuite,
-            Collection<SignatureAndHashAlgorithm> algorithms,
-            SecureRandom generator, String host, int port,
-            boolean useExtendedMasterSecret) {
-        this(protocolVersion, cipherSuite, algorithms,
-             new SessionId(defaultRejoinable, generator), host, port,
-             useExtendedMasterSecret);
+    SSLSessionImpl(HandshakeContext hc, CipherSuite cipherSuite) {
+        this(hc, cipherSuite,
+            new SessionId(defaultRejoinable, hc.sslContext.getSecureRandom()));
     }
 
     /*
      * Record a new session, using a given cipher spec and session ID.
      */
-    SSLSessionImpl(ProtocolVersion protocolVersion, CipherSuite cipherSuite,
-            Collection<SignatureAndHashAlgorithm> algorithms,
-            SessionId id, String host, int port,
-            boolean useExtendedMasterSecret) {
-        this.protocolVersion = protocolVersion;
-        sessionId = id;
+    SSLSessionImpl(HandshakeContext hc, CipherSuite cipherSuite, SessionId id) {
+        this(hc, cipherSuite, id, System.currentTimeMillis());
+    }
+
+    /*
+     * Record a new session, using a given cipher spec, session ID,
+     * and creation time
+     */
+    SSLSessionImpl(HandshakeContext hc, CipherSuite cipherSuite, SessionId id, long creationTime) {
+        this.creationTime = creationTime;
+        this.protocolVersion = hc.negotiatedProtocol;
+        this.sessionId = id;
         peerCerts = null;
         compressionMethod = compression_null;
         this.cipherSuite = cipherSuite;
         masterSecret = null;
-        this.host = host;
-        this.port = port;
+        this.host = hc.conContext.transport.getPeerHost();
+        this.port = hc.conContext.transport.getPeerPort();
         sessionCount = ++counter;
-        localSupportedSignAlgs =
-            SignatureAndHashAlgorithm.getAlgorithmNames(algorithms);
+        this.localSupportedSignAlgs =
+            SignatureScheme.getAlgorithmNames(hc.localSupportedSignAlgs);
         negotiatedMaxFragLen = -1;
         statusResponses = null;
-        this.useExtendedMasterSecret = useExtendedMasterSecret;
+        this.requestedServerNames =
+                Collections.unmodifiableList(hc.requestedServerNames);
+        this.serverNameIndication = hc.negotiatedServerName;
+        if (hc.sslConfig.isClientMode) {
+            this.useExtendedMasterSecret =
+                (hc.handshakeExtensions.get(
+                        SSLExtension.CH_EXTENDED_MASTER_SECRET) != null) &&
+                (hc.handshakeExtensions.get(
+                        SSLExtension.SH_EXTENDED_MASTER_SECRET) != null);
+        } else {
+            this.useExtendedMasterSecret =
+                (hc.handshakeExtensions.get(
+                        SSLExtension.CH_EXTENDED_MASTER_SECRET) != null) &&
+                (!hc.negotiatedProtocol.useTLS13PlusSpec());
+        }
 
-        if (debug != null && Debug.isOn("session")) {
-            System.out.println("%% Initialized:  " + this);
+        if (SSLLogger.isOn && SSLLogger.isOn("session")) {
+             SSLLogger.finest("Session initialized:  " + this);
         }
     }
 
@@ -201,6 +227,40 @@
         }
     }
 
+    void setResumptionMasterSecret(SecretKey secret) {
+        if (resumptionMasterSecret == null) {
+            resumptionMasterSecret = secret;
+        } else {
+            throw new RuntimeException("setResumptionMasterSecret() error");
+        }
+    }
+
+    void setPreSharedKey(SecretKey key) {
+        if (preSharedKey == null) {
+            preSharedKey = key;
+        } else {
+            throw new RuntimeException("setPreSharedKey() error");
+        }
+    }
+
+    void setTicketAgeAdd(int ticketAgeAdd) {
+        this.ticketAgeAdd = ticketAgeAdd;
+    }
+
+    void setPskIdentity(byte[] pskIdentity) {
+        if (this.pskIdentity == null) {
+            this.pskIdentity = pskIdentity;
+        } else {
+            throw new RuntimeException("setPskIdentity() error");
+        }
+    }
+
+    BigInteger incrTicketNonceCounter() {
+        BigInteger result = ticketNonceCounter;
+        ticketNonceCounter = ticketNonceCounter.add(BigInteger.valueOf(1));
+        return result;
+    }
+
     /**
      * Returns the master secret ... treat with extreme caution!
      */
@@ -208,8 +268,39 @@
         return masterSecret;
     }
 
-    boolean getUseExtendedMasterSecret() {
-        return useExtendedMasterSecret;
+    Optional<SecretKey> getResumptionMasterSecret() {
+        return Optional.ofNullable(resumptionMasterSecret);
+    }
+
+    synchronized Optional<SecretKey> getPreSharedKey() {
+        return Optional.ofNullable(preSharedKey);
+    }
+
+    synchronized Optional<SecretKey> consumePreSharedKey() {
+        Optional<SecretKey> result = Optional.ofNullable(preSharedKey);
+        preSharedKey = null;
+        return result;
+    }
+
+    int getTicketAgeAdd() {
+        return ticketAgeAdd;
+    }
+
+    /*
+     * Get the PSK identity. Take care not to use it in multiple connections.
+     */
+    synchronized Optional<byte[]> getPskIdentity() {
+        return Optional.ofNullable(pskIdentity);
+    }
+
+    /* PSK identities created from new_session_ticket messages should only
+     * be used once. This method will return the identity and then clear it
+     * so it cannot be used again.
+     */
+    synchronized Optional<byte[]> consumePskIdentity() {
+        Optional<byte[]> result = Optional.ofNullable(pskIdentity);
+        pskIdentity = null;
+        return result;
     }
 
     void setPeerCertificates(X509Certificate[] peer) {
@@ -227,13 +318,9 @@
     }
 
     void setPeerSupportedSignatureAlgorithms(
-            Collection<SignatureAndHashAlgorithm> algorithms) {
+            Collection<SignatureScheme> signatureSchemes) {
         peerSupportedSignAlgs =
-            SignatureAndHashAlgorithm.getAlgorithmNames(algorithms);
-    }
-
-    void setRequestedServerNames(List<SNIServerName> requestedServerNames) {
-        this.requestedServerNames = new ArrayList<>(requestedServerNames);
+            SignatureScheme.getAlgorithmNames(signatureSchemes);
     }
 
     /**
@@ -286,7 +373,7 @@
      * Check if the authentication used when establishing this session
      * is still valid. Returns true if no authentication was used
      */
-    boolean isLocalAuthenticationValid() {
+    private boolean isLocalAuthenticationValid() {
         if (localPrivateKey != null) {
             try {
                 // if the private key is no longer valid, getAlgorithm()
@@ -298,6 +385,7 @@
                 return false;
             }
         }
+
         return true;
     }
 
@@ -354,8 +442,8 @@
     void setSuite(CipherSuite suite) {
        cipherSuite = suite;
 
-       if (debug != null && Debug.isOn("session")) {
-           System.out.println("%% Negotiating:  " + this);
+        if (SSLLogger.isOn && SSLLogger.isOn("session")) {
+             SSLLogger.finest("Negotiating session:  " + this);
        }
     }
 
@@ -410,7 +498,6 @@
         return sessionId.hashCode();
     }
 
-
     /**
      * Returns true if sessions have same ids, false otherwise.
      */
@@ -449,10 +536,6 @@
         // change record of peer identity even by accident, much
         // less do it intentionally.
         //
-        if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
-            throw new SSLPeerUnverifiedException("no certificates expected"
-                        + " for " + cipherSuite.keyExchange + " cipher suites");
-        }
         if (peerCerts == null) {
             throw new SSLPeerUnverifiedException("peer not authenticated");
         }
@@ -504,10 +587,6 @@
         // change record of peer identity even by accident, much
         // less do it intentionally.
         //
-        if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
-            throw new SSLPeerUnverifiedException("no certificates expected"
-                        + " for " + cipherSuite.keyExchange + " cipher suites");
-        }
         if (peerCerts == null) {
             throw new SSLPeerUnverifiedException("peer not authenticated");
         }
@@ -544,10 +623,6 @@
          * change record of peer identity even by accident, much
          * less do it intentionally.
          */
-        if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
-            throw new SSLPeerUnverifiedException("no certificates expected"
-                        + " for " + cipherSuite.keyExchange + " cipher suites");
-        }
         if (peerCerts != null) {
             return peerCerts.clone();
         } else {
@@ -594,13 +669,6 @@
     public Principal getPeerPrincipal()
                 throws SSLPeerUnverifiedException
     {
-        if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
-            if (peerPrincipal == null) {
-                throw new SSLPeerUnverifiedException("peer not authenticated");
-            } else {
-                return peerPrincipal;
-            }
-        }
         if (peerCerts == null) {
             throw new SSLPeerUnverifiedException("peer not authenticated");
         }
@@ -617,14 +685,17 @@
      */
     @Override
     public Principal getLocalPrincipal() {
-
-        if (ClientKeyExchangeService.find(cipherSuite.keyExchange.name) != null) {
-                return (localPrincipal == null ? null : localPrincipal);
-        }
-        return (localCerts == null ? null :
+        return ((localCerts == null && localCerts.length != 0) ? null :
                 localCerts[0].getSubjectX500Principal());
     }
 
+    /*
+     * Return the time the ticket for this session was created.
+     */
+    public long getTicketCreationTime() {
+        return ticketCreationTime;
+    }
+
     /**
      * Returns the time this session was created.
      */
@@ -696,8 +767,8 @@
             return;
         }
         invalidated = true;
-        if (debug != null && Debug.isOn("session")) {
-            System.out.println("%% Invalidated:  " + this);
+        if (SSLLogger.isOn && SSLLogger.isOn("session")) {
+             SSLLogger.finest("Invalidated session:  " + this);
         }
         if (context != null) {
             context.remove(sessionId);
@@ -739,7 +810,6 @@
         }
     }
 
-
     /**
      * Returns the specified session value.
      */
@@ -813,7 +883,8 @@
      * to "true".
      */
     private boolean acceptLargeFragments =
-        Debug.getBooleanProperty("jsse.SSLEngine.acceptLargeFragments", false);
+            Utilities.getBooleanProperty(
+                    "jsse.SSLEngine.acceptLargeFragments", false);
 
     /**
      * Expand the buffer size of both SSL/TLS network packet and
@@ -835,7 +906,7 @@
         if (negotiatedMaxFragLen > 0) {
             packetSize = cipherSuite.calculatePacketSize(
                     negotiatedMaxFragLen, protocolVersion,
-                    protocolVersion.isDTLSProtocol());
+                    protocolVersion.isDTLS);
         }
 
         if (maximumPacketSize > 0) {
@@ -847,7 +918,7 @@
            return packetSize;
         }
 
-        if (protocolVersion.isDTLSProtocol()) {
+        if (protocolVersion.isDTLS) {
             return DTLSRecord.maxRecordSize;
         } else {
             return acceptLargeFragments ?
@@ -867,7 +938,7 @@
         if (maximumPacketSize > 0) {
             fragmentSize = cipherSuite.calculateFragSize(
                     maximumPacketSize, protocolVersion,
-                    protocolVersion.isDTLSProtocol());
+                    protocolVersion.isDTLS);
         }
 
         if (negotiatedMaxFragLen > 0) {
@@ -879,7 +950,7 @@
             return fragmentSize;
         }
 
-        if (protocolVersion.isDTLSProtocol()) {
+        if (protocolVersion.isDTLS) {
             return Record.maxDataSize;
         } else {
             int maxPacketSize = acceptLargeFragments ?
@@ -968,7 +1039,6 @@
             + ", " + getCipherSuite()
             + "]";
     }
-
 }
 
 
@@ -978,8 +1048,8 @@
  */
 class SecureKey {
     private static Object       nullObject = new Object();
-    private Object        appKey;
-    private Object      securityCtx;
+    private Object        	appKey;
+    private Object      	securityCtx;
 
     static Object getCurrentSecurityContext() {
         SecurityManager sm = System.getSecurityManager();
--- old/src/java.base/share/classes/sun/security/ssl/SSLSocketFactoryImpl.java	2018-05-11 15:06:02.271947400 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSocketFactoryImpl.java	2018-05-11 15:06:01.738280800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,7 +43,7 @@
  */
 public final class SSLSocketFactoryImpl extends SSLSocketFactory {
 
-    private SSLContextImpl context;
+    private final SSLContextImpl context;
 
     /**
      * Constructor used to instantiate the default factory. This method is
@@ -180,7 +180,7 @@
      */
     @Override
     public String[] getDefaultCipherSuites() {
-        return context.getDefaultCipherSuiteList(false).toStringArray();
+        return CipherSuite.namesOf(context.getDefaultCipherSuites(false));
     }
 
     /**
@@ -193,6 +193,6 @@
      */
     @Override
     public String[] getSupportedCipherSuites() {
-        return context.getSupportedCipherSuiteList().toStringArray();
+        return CipherSuite.namesOf(context.getSupportedCipherSuites());
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java	2018-05-11 15:06:03.986287500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java	2018-05-11 15:06:03.434691400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,35 +23,40 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
-import java.io.*;
-import java.nio.*;
-import java.net.*;
-import java.security.GeneralSecurityException;
-import java.security.AccessController;
-import java.security.AccessControlContext;
-import java.security.PrivilegedAction;
-import java.security.AlgorithmConstraints;
-import java.util.*;
-import java.util.concurrent.TimeUnit;
-import java.util.concurrent.locks.ReentrantLock;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InterruptedIOException;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.Socket;
+import java.net.SocketAddress;
+import java.net.SocketException;
+import java.net.UnknownHostException;
+import java.nio.ByteBuffer;
+import java.util.List;
 import java.util.function.BiFunction;
-
-import javax.crypto.BadPaddingException;
-import javax.net.ssl.*;
-
+import javax.net.ssl.HandshakeCompletedListener;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
 import jdk.internal.misc.JavaNetInetAddressAccess;
 import jdk.internal.misc.SharedSecrets;
 
 /**
- * Implementation of an SSL socket.  This is a normal connection type
- * socket, implementing SSL over some lower level socket, such as TCP.
- * Because it is layered over some lower level socket, it MUST override
- * all default socket methods.
- *
- * <P> This API offers a non-traditional option for establishing SSL
+ * Implementation of an SSL socket.
+ * <P>
+ * This is a normal connection type socket, implementing SSL over some lower
+ * level socket, such as TCP.  Because it is layered over some lower level
+ * socket, it MUST override all default socket methods.
+ * <P>
+ * This API offers a non-traditional option for establishing SSL
  * connections.  You may first establish the connection directly, then pass
  * that connection to the SSL socket constructor with a flag saying which
  * role should be taken in the handshake protocol.  (The two ends of the
@@ -64,328 +69,19 @@
  *
  * @author David Brownell
  */
-public final class SSLSocketImpl extends BaseSSLSocketImpl {
-
-    /*
-     * ERROR HANDLING GUIDELINES
-     * (which exceptions to throw and catch and which not to throw and catch)
-     *
-     * . if there is an IOException (SocketException) when accessing the
-     *   underlying Socket, pass it through
-     *
-     * . do not throw IOExceptions, throw SSLExceptions (or a subclass)
-     *
-     * . for internal errors (things that indicate a bug in JSSE or a
-     *   grossly misconfigured J2RE), throw either an SSLException or
-     *   a RuntimeException at your convenience.
-     *
-     * . handshaking code (Handshaker or HandshakeMessage) should generally
-     *   pass through exceptions, but can handle them if they know what to
-     *   do.
-     *
-     * . exception chaining should be used for all new code. If you happen
-     *   to touch old code that does not use chaining, you should change it.
-     *
-     * . there is a top level exception handler that sits at all entry
-     *   points from application code to SSLSocket read/write code. It
-     *   makes sure that all errors are handled (see handleException()).
-     *
-     * . JSSE internal code should generally not call close(), call
-     *   closeInternal().
-     */
-
-    /*
-     * There's a state machine associated with each connection, which
-     * among other roles serves to negotiate session changes.
-     *
-     * - START with constructor, until the TCP connection's around.
-     * - HANDSHAKE picks session parameters before allowing traffic.
-     *          There are many substates due to sequencing requirements
-     *          for handshake messages.
-     * - DATA may be transmitted.
-     * - RENEGOTIATE state allows concurrent data and handshaking
-     *          traffic ("same" substates as HANDSHAKE), and terminates
-     *          in selection of new session (and connection) parameters
-     * - ERROR state immediately precedes abortive disconnect.
-     * - SENT_CLOSE sent a close_notify to the peer. For layered,
-     *          non-autoclose socket, must now read close_notify
-     *          from peer before closing the connection. For nonlayered or
-     *          non-autoclose socket, close connection and go onto
-     *          cs_CLOSED state.
-     * - CLOSED after sending close_notify alert, & socket is closed.
-     *          SSL connection objects are not reused.
-     * - APP_CLOSED once the application calls close(). Then it behaves like
-     *          a closed socket, e.g.. getInputStream() throws an Exception.
-     *
-     * State affects what SSL record types may legally be sent:
-     *
-     * - Handshake ... only in HANDSHAKE and RENEGOTIATE states
-     * - App Data ... only in DATA and RENEGOTIATE states
-     * - Alert ... in HANDSHAKE, DATA, RENEGOTIATE
-     *
-     * Re what may be received:  same as what may be sent, except that
-     * HandshakeRequest handshaking messages can come from servers even
-     * in the application data state, to request entry to RENEGOTIATE.
-     *
-     * The state machine within HANDSHAKE and RENEGOTIATE states controls
-     * the pending session, not the connection state, until the change
-     * cipher spec and "Finished" handshake messages are processed and
-     * make the "new" session become the current one.
-     *
-     * NOTE: details of the SMs always need to be nailed down better.
-     * The text above illustrates the core ideas.
-     *
-     *                +---->-------+------>--------->-------+
-     *                |            |                        |
-     *     <-----<    ^            ^  <-----<               v
-     *START>----->HANDSHAKE>----->DATA>----->RENEGOTIATE  SENT_CLOSE
-     *                v            v               v        |   |
-     *                |            |               |        |   v
-     *                +------------+---------------+        v ERROR
-     *                |                                     |   |
-     *                v                                     |   |
-     *               ERROR>------>----->CLOSED<--------<----+-- +
-     *                                     |
-     *                                     v
-     *                                 APP_CLOSED
-     *
-     * ALSO, note that the purpose of handshaking (renegotiation is
-     * included) is to assign a different, and perhaps new, session to
-     * the connection.  The SSLv3 spec is a bit confusing on that new
-     * protocol feature.
-     */
-    private static final int    cs_START = 0;
-    private static final int    cs_HANDSHAKE = 1;
-    private static final int    cs_DATA = 2;
-    private static final int    cs_RENEGOTIATE = 3;
-    private static final int    cs_ERROR = 4;
-    private static final int    cs_SENT_CLOSE = 5;
-    private static final int    cs_CLOSED = 6;
-    private static final int    cs_APP_CLOSED = 7;
-
-    /*
-     * Drives the protocol state machine.
-     */
-    private volatile int        connectionState;
-
-    /*
-     * Flag indicating if the next record we receive MUST be a Finished
-     * message. Temporarily set during the handshake to ensure that
-     * a change cipher spec message is followed by a finished message.
-     */
-    private boolean             expectingFinished;
-
-    /*
-     * For improved diagnostics, we detail connection closure
-     * If the socket is closed (connectionState >= cs_ERROR),
-     * closeReason != null indicates if the socket was closed
-     * because of an error or because or normal shutdown.
-     */
-    private SSLException        closeReason;
-
-    /*
-     * Per-connection private state that doesn't change when the
-     * session is changed.
-     */
-    private ClientAuthType      doClientAuth =
-                                        ClientAuthType.CLIENT_AUTH_NONE;
-    private boolean             roleIsServer;
-    private boolean             enableSessionCreation = true;
-    private String              host;
-    private boolean             autoClose = true;
-    private AccessControlContext acc;
-
-    // The cipher suites enabled for use on this connection.
-    private CipherSuiteList     enabledCipherSuites;
-
-    // The endpoint identification protocol
-    private String              identificationProtocol = null;
-
-    // The cryptographic algorithm constraints
-    private AlgorithmConstraints    algorithmConstraints = null;
-
-    // The server name indication and matchers
-    List<SNIServerName>         serverNames =
-                                    Collections.<SNIServerName>emptyList();
-    Collection<SNIMatcher>      sniMatchers =
-                                    Collections.<SNIMatcher>emptyList();
-
-    // Is the serverNames set to empty with SSLParameters.setServerNames()?
-    private boolean             noSniExtension = false;
-
-    // Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
-    private boolean             noSniMatcher = false;
-
-    // Configured application protocol values
-    String[] applicationProtocols = new String[0];
-
-    // Negotiated application protocol value.
-    //
-    // The value under negotiation will be obtained from handshaker.
-    String applicationProtocol = null;
-
-    // Callback function that selects the application protocol value during
-    // the SSL/TLS handshake.
-    BiFunction<SSLSocket, List<String>, String> applicationProtocolSelector;
-
-    /*
-     * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
-     * IMPORTANT STUFF TO UNDERSTANDING THE SYNCHRONIZATION ISSUES.
-     * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
-     *
-     * There are several locks here.
-     *
-     * The primary lock is the per-instance lock used by
-     * synchronized(this) and the synchronized methods.  It controls all
-     * access to things such as the connection state and variables which
-     * affect handshaking.  If we are inside a synchronized method, we
-     * can access the state directly, otherwise, we must use the
-     * synchronized equivalents.
-     *
-     * The handshakeLock is used to ensure that only one thread performs
-     * the *complete initial* handshake.  If someone is handshaking, any
-     * stray application or startHandshake() requests who find the
-     * connection state is cs_HANDSHAKE will stall on handshakeLock
-     * until handshaking is done.  Once the handshake is done, we either
-     * succeeded or failed, but we can never go back to the cs_HANDSHAKE
-     * or cs_START state again.
-     *
-     * Note that the read/write() calls here in SSLSocketImpl are not
-     * obviously synchronized.  In fact, it's very nonintuitive, and
-     * requires careful examination of code paths.  Grab some coffee,
-     * and be careful with any code changes.
-     *
-     * There can be only three threads active at a time in the I/O
-     * subsection of this class.
-     *    1.  startHandshake
-     *    2.  AppInputStream
-     *    3.  AppOutputStream
-     * One thread could call startHandshake().
-     * AppInputStream/AppOutputStream read() and write() calls are each
-     * synchronized on 'this' in their respective classes, so only one
-     * app. thread will be doing a SSLSocketImpl.read() or .write()'s at
-     * a time.
-     *
-     * If handshaking is required (state cs_HANDSHAKE), and
-     * getConnectionState() for some/all threads returns cs_HANDSHAKE,
-     * only one can grab the handshakeLock, and the rest will stall
-     * either on getConnectionState(), or on the handshakeLock if they
-     * happen to successfully race through the getConnectionState().
-     *
-     * If a writer is doing the initial handshaking, it must create a
-     * temporary reader to read the responses from the other side.  As a
-     * side-effect, the writer's reader will have priority over any
-     * other reader.  However, the writer's reader is not allowed to
-     * consume any application data.  When handshakeLock is finally
-     * released, we either have a cs_DATA connection, or a
-     * cs_CLOSED/cs_ERROR socket.
-     *
-     * The writeLock is held while writing on a socket connection and
-     * also to protect the MAC and cipher for their direction.  The
-     * writeLock is package private for Handshaker which holds it while
-     * writing the ChangeCipherSpec message.
-     *
-     * To avoid the problem of a thread trying to change operational
-     * modes on a socket while handshaking is going on, we synchronize
-     * on 'this'.  If handshaking has not started yet, we tell the
-     * handshaker to change its mode.  If handshaking has started,
-     * we simply store that request until the next pending session
-     * is created, at which time the new handshaker's state is set.
-     *
-     * The readLock is held during readRecord(), which is responsible
-     * for reading an SSLInputRecord, decrypting it, and processing it.
-     * The readLock ensures that these three steps are done atomically
-     * and that once started, no other thread can block on SSLInputRecord.read.
-     * This is necessary so that processing of close_notify alerts
-     * from the peer are handled properly.
-     */
-    private final Object        handshakeLock = new Object();
-    final ReentrantLock         writeLock = new ReentrantLock();
-    private final Object        readLock = new Object();
-
-    InputRecord                 inputRecord;
-    OutputRecord                outputRecord;
-
-    /*
-     * security parameters for secure renegotiation.
-     */
-    private boolean             secureRenegotiation;
-    private byte[]              clientVerifyData;
-    private byte[]              serverVerifyData;
-
-    /*
-     * The authentication context holds all information used to establish
-     * who this end of the connection is (certificate chains, private keys,
-     * etc) and who is trusted (e.g. as CAs or websites).
-     */
-    private SSLContextImpl      sslContext;
-
-
-    /*
-     * This connection is one of (potentially) many associated with
-     * any given session.  The output of the handshake protocol is a
-     * new session ... although all the protocol description talks
-     * about changing the cipher spec (and it does change), in fact
-     * that's incidental since it's done by changing everything that
-     * is associated with a session at the same time.  (TLS/IETF may
-     * change that to add client authentication w/o new key exchg.)
-     */
-    private Handshaker                  handshaker;
-    private SSLSessionImpl              sess;
-    private volatile SSLSessionImpl     handshakeSession;
-
-
-    /*
-     * If anyone wants to get notified about handshake completions,
-     * they'll show up on this list.
-     */
-    private HashMap<HandshakeCompletedListener, AccessControlContext>
-                                                        handshakeListeners;
-
-    /*
-     * Reuse the same internal input/output streams.
-     */
-    private InputStream         sockInput;
-    private OutputStream        sockOutput;
-
-
-    /*
-     * These input and output streams block their data in SSL records,
-     * and usually arrange integrity and privacy protection for those
-     * records.  The guts of the SSL protocol are wrapped up in these
-     * streams, and in the handshaking that establishes the details of
-     * that integrity and privacy protection.
-     */
-    private AppInputStream      input;
-    private AppOutputStream     output;
-
-    /*
-     * The protocol versions enabled for use on this connection.
-     *
-     * Note: we support a pseudo protocol called SSLv2Hello which when
-     * set will result in an SSL v2 Hello being sent with SSL (version 3.0)
-     * or TLS (version 3.1, 3.2, etc.) version info.
-     */
-    private ProtocolList enabledProtocols;
-
-    /*
-     * The SSL version associated with this connection.
-     */
-    private ProtocolVersion     protocolVersion = ProtocolVersion.DEFAULT_TLS;
+public final class SSLSocketImpl
+        extends BaseSSLSocketImpl implements SSLTransport {
 
-    /* Class and subclass dynamic debugging support */
-    private static final Debug debug = Debug.getInstance("ssl");
+    final SSLContextImpl            sslContext;
+    final TransportContext          conContext;
 
-    /*
-     * Whether local cipher suites preference in server side should be
-     * honored during handshaking?
-     */
-    private boolean preferLocalCipherSuites = false;
+    private final AppInputStream    appInput = new AppInputStream();
+    private final AppOutputStream   appOutput = new AppOutputStream();
 
-    /*
-     * The maximum expected network packet size for SSL/TLS/DTLS records.
-     */
-    private int maximumPacketSize = 0;
+    private String                  peerHost;
+    private boolean                 autoClose;
+    private boolean                 isConnected = false;
+    private boolean                 tlsIsClosed = false;
 
     /*
      * Is the local name service trustworthy?
@@ -394,176 +90,126 @@
      * resolution should not be performed for endpoint identification.
      */
     static final boolean trustNameService =
-            Debug.getBooleanProperty("jdk.tls.trustNameService", false);
-
-    //
-    // CONSTRUCTORS AND INITIALIZATION CODE
-    //
+            Utilities.getBooleanProperty("jdk.tls.trustNameService", false);
 
     /**
-     * Constructs an SSL connection to a named host at a specified port,
-     * using the authentication context provided.  This endpoint acts as
-     * the client, and may rejoin an existing SSL session if appropriate.
+     * Package-private constructor used to instantiate an unconnected
+     * socket.
      *
-     * @param context authentication context to use
-     * @param host name of the host with which to connect
-     * @param port number of the server's port
+     * This instance is meant to set handshake state to use "client mode".
      */
-    SSLSocketImpl(SSLContextImpl context, String host, int port)
-            throws IOException, UnknownHostException {
+    SSLSocketImpl(SSLContextImpl sslContext) {
         super();
-        this.host = host;
-        this.serverNames =
-            Utilities.addToSNIServerNameList(this.serverNames, this.host);
-        init(context, false);
-        SocketAddress socketAddress =
-               host != null ? new InetSocketAddress(host, port) :
-               new InetSocketAddress(InetAddress.getByName(null), port);
-        connect(socketAddress, 0);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), true);
     }
 
-
     /**
-     * Constructs an SSL connection to a server at a specified address.
-     * and TCP port, using the authentication context provided.  This
-     * endpoint acts as the client, and may rejoin an existing SSL session
-     * if appropriate.
+     * Package-private constructor used to instantiate a server socket.
      *
-     * @param context authentication context to use
-     * @param address the server's host
-     * @param port its port
+     * This instance is meant to set handshake state to use "server mode".
      */
-    SSLSocketImpl(SSLContextImpl context, InetAddress host, int port)
-            throws IOException {
+    SSLSocketImpl(SSLContextImpl sslContext, SSLConfiguration sslConfig) {
         super();
-        init(context, false);
-        SocketAddress socketAddress = new InetSocketAddress(host, port);
-        connect(socketAddress, 0);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this, sslConfig,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash));
     }
 
     /**
-     * Constructs an SSL connection to a named host at a specified port,
-     * using the authentication context provided.  This endpoint acts as
-     * the client, and may rejoin an existing SSL session if appropriate.
+     * Constructs an SSL connection to a named host at a specified
+     * port, using the authentication context provided.
      *
-     * @param context authentication context to use
-     * @param host name of the host with which to connect
-     * @param port number of the server's port
-     * @param localAddr the local address the socket is bound to
-     * @param localPort the local port the socket is bound to
+     * This endpoint acts as the client, and may rejoin an existing SSL session
+     * if appropriate.
      */
-    SSLSocketImpl(SSLContextImpl context, String host, int port,
-            InetAddress localAddr, int localPort)
-            throws IOException, UnknownHostException {
+    SSLSocketImpl(SSLContextImpl sslContext, String peerHost,
+            int peerPort) throws IOException, UnknownHostException {
         super();
-        this.host = host;
-        this.serverNames =
-            Utilities.addToSNIServerNameList(this.serverNames, this.host);
-        init(context, false);
-        bind(new InetSocketAddress(localAddr, localPort));
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), true);
+        this.peerHost = peerHost;
         SocketAddress socketAddress =
-               host != null ? new InetSocketAddress(host, port) :
-               new InetSocketAddress(InetAddress.getByName(null), port);
+               peerHost != null ? new InetSocketAddress(peerHost, peerPort) :
+               new InetSocketAddress(InetAddress.getByName(null), peerPort);
         connect(socketAddress, 0);
     }
 
-
     /**
-     * Constructs an SSL connection to a server at a specified address.
-     * and TCP port, using the authentication context provided.  This
-     * endpoint acts as the client, and may rejoin an existing SSL session
-     * if appropriate.
+     * Constructs an SSL connection to a server at a specified
+     * address, and TCP port, using the authentication context
+     * provided.
      *
-     * @param context authentication context to use
-     * @param address the server's host
-     * @param port its port
-     * @param localAddr the local address the socket is bound to
-     * @param localPort the local port the socket is bound to
+     * This endpoint acts as the client, and may rejoin an existing SSL
+     * session if appropriate.
      */
-    SSLSocketImpl(SSLContextImpl context, InetAddress host, int port,
-            InetAddress localAddr, int localPort)
-            throws IOException {
+    SSLSocketImpl(SSLContextImpl sslContext,
+            InetAddress address, int peerPort) throws IOException {
         super();
-        init(context, false);
-        bind(new InetSocketAddress(localAddr, localPort));
-        SocketAddress socketAddress = new InetSocketAddress(host, port);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), true);
+
+        SocketAddress socketAddress = new InetSocketAddress(address, peerPort);
         connect(socketAddress, 0);
     }
 
-    /*
-     * Package-private constructor used ONLY by SSLServerSocket.  The
-     * java.net package accepts the TCP connection after this call is
-     * made.  This just initializes handshake state to use "server mode",
-     * giving control over the use of SSL client authentication.
+    /**
+     * Constructs an SSL connection to a named host at a specified
+     * port, using the authentication context provided.
+     *
+     * This endpoint acts as the client, and may rejoin an existing SSL
+     * session if appropriate.
      */
-    SSLSocketImpl(SSLContextImpl context, boolean serverMode,
-            CipherSuiteList suites, ClientAuthType clientAuth,
-            boolean sessionCreation, ProtocolList protocols,
-            String identificationProtocol,
-            AlgorithmConstraints algorithmConstraints,
-            Collection<SNIMatcher> sniMatchers,
-            boolean preferLocalCipherSuites,
-            String[] applicationProtocols) throws IOException {
-
+    SSLSocketImpl(SSLContextImpl sslContext,
+            String peerHost, int peerPort, InetAddress localAddr,
+            int localPort) throws IOException, UnknownHostException {
         super();
-        doClientAuth = clientAuth;
-        enableSessionCreation = sessionCreation;
-        this.identificationProtocol = identificationProtocol;
-        this.algorithmConstraints = algorithmConstraints;
-        this.sniMatchers = sniMatchers;
-        this.preferLocalCipherSuites = preferLocalCipherSuites;
-        this.applicationProtocols = applicationProtocols;
-        init(context, serverMode);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), true);
+        this.peerHost = peerHost;
 
-        /*
-         * Override what was picked out for us.
-         */
-        enabledCipherSuites = suites;
-        enabledProtocols = protocols;
+        bind(new InetSocketAddress(localAddr, localPort));
+        SocketAddress socketAddress =
+               peerHost != null ? new InetSocketAddress(peerHost, peerPort) :
+               new InetSocketAddress(InetAddress.getByName(null), peerPort);
+        connect(socketAddress, 0);
     }
 
-
     /**
-     * Package-private constructor used to instantiate an unconnected
-     * socket. The java.net package will connect it, either when the
-     * connect() call is made by the application.  This instance is
-     * meant to set handshake state to use "client mode".
-     */
-    SSLSocketImpl(SSLContextImpl context) {
+     * Constructs an SSL connection to a server at a specified
+     * address, and TCP port, using the authentication context
+     * provided.
+     *
+     * This endpoint acts as the client, and may rejoin an existing SSL
+     * session if appropriate.
+     */
+    SSLSocketImpl(SSLContextImpl sslContext,
+            InetAddress peerAddr, int peerPort,
+            InetAddress localAddr, int localPort) throws IOException {
         super();
-        init(context, false);
-    }
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), true);
 
-
-    /**
-     * Layer SSL traffic over an existing connection, rather than creating
-     * a new connection.  The existing connection may be used only for SSL
-     * traffic (using this SSLSocket) until the SSLSocket.close() call
-     * returns. However, if a protocol error is detected, that existing
-     * connection is automatically closed.
-     *
-     * <P> This particular constructor always uses the socket in the
-     * role of an SSL client. It may be useful in cases which start
-     * using SSL after some initial data transfers, for example in some
-     * SSL tunneling applications or as part of some kinds of application
-     * protocols which negotiate use of a SSL based security.
-     *
-     * @param sock the existing connection
-     * @param context the authentication context to use
-     */
-    SSLSocketImpl(SSLContextImpl context, Socket sock, String host,
-            int port, boolean autoClose) throws IOException {
-        super(sock);
-        // We always layer over a connected socket
-        if (!sock.isConnected()) {
-            throw new SocketException("Underlying socket is not connected");
-        }
-        this.host = host;
-        this.serverNames =
-            Utilities.addToSNIServerNameList(this.serverNames, this.host);
-        init(context, false);
-        this.autoClose = autoClose;
-        doneConnect();
+        bind(new InetSocketAddress(localAddr, localPort));
+        SocketAddress socketAddress = new InetSocketAddress(peerAddr, peerPort);
+        connect(socketAddress, 0);
     }
 
     /**
@@ -572,78 +218,60 @@
      * already been consumed/removed from the {@link Socket}'s
      * underlying {@link InputStream}.
      */
-    SSLSocketImpl(SSLContextImpl context, Socket sock,
+    SSLSocketImpl(SSLContextImpl sslContext, Socket sock,
             InputStream consumed, boolean autoClose) throws IOException {
+
         super(sock, consumed);
         // We always layer over a connected socket
         if (!sock.isConnected()) {
             throw new SocketException("Underlying socket is not connected");
         }
 
-        // In server mode, it is not necessary to set host and serverNames.
-        // Otherwise, would require a reverse DNS lookup to get the hostname.
-
-        init(context, true);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), false);
         this.autoClose = autoClose;
         doneConnect();
     }
 
     /**
-     * Initializes the client socket.
+     * Layer SSL traffic over an existing connection, rather than
+     * creating a new connection.
+     *
+     * The existing connection may be used only for SSL traffic (using this
+     * SSLSocket) until the SSLSocket.close() call returns. However, if a
+     * protocol error is detected, that existing connection is automatically
+     * closed.
+     * <p>
+     * This particular constructor always uses the socket in the
+     * role of an SSL client. It may be useful in cases which start
+     * using SSL after some initial data transfers, for example in some
+     * SSL tunneling applications or as part of some kinds of application
+     * protocols which negotiate use of a SSL based security.
      */
-    private void init(SSLContextImpl context, boolean isServer) {
-        sslContext = context;
-        sess = SSLSessionImpl.nullSession;
-        handshakeSession = null;
-
-        /*
-         * role is as specified, state is START until after
-         * the low level connection's established.
-         */
-        roleIsServer = isServer;
-        connectionState = cs_START;
-
-        // initial security parameters for secure renegotiation
-        secureRenegotiation = false;
-        clientVerifyData = new byte[0];
-        serverVerifyData = new byte[0];
-
-        enabledCipherSuites =
-                sslContext.getDefaultCipherSuiteList(roleIsServer);
-        enabledProtocols =
-                sslContext.getDefaultProtocolList(roleIsServer);
-
-        inputRecord = new SSLSocketInputRecord();;
-        outputRecord = new SSLSocketOutputRecord();
-
-        maximumPacketSize = outputRecord.getMaxPacketSize();
-
-        // save the acc
-        acc = AccessController.getContext();
+    SSLSocketImpl(SSLContextImpl sslContext, Socket sock,
+            String peerHost, int port, boolean autoClose) throws IOException {
+        super(sock);
+        // We always layer over a connected socket
+        if (!sock.isConnected()) {
+            throw new SocketException("Underlying socket is not connected");
+        }
 
-        input = new AppInputStream(this);
-        output = new AppOutputStream(this);
+        this.sslContext = sslContext;
+        HandshakeHash handshakeHash = new HandshakeHash();
+        this.conContext = new TransportContext(sslContext, this,
+                new SSLSocketInputRecord(handshakeHash),
+                new SSLSocketOutputRecord(handshakeHash), true);
+        this.peerHost = peerHost;
+        this.autoClose = autoClose;
+        doneConnect();
     }
 
-    /**
-     * Connects this socket to the server with a specified timeout
-     * value.
-     *
-     * This method is either called on an unconnected SSLSocketImpl by the
-     * application, or it is called in the constructor of a regular
-     * SSLSocketImpl. If we are layering on top on another socket, then
-     * this method should not be called, because we assume that the
-     * underlying socket is already connected by the time it is passed to
-     * us.
-     *
-     * @param   endpoint the <code>SocketAddress</code>
-     * @param   timeout  the timeout value to be used, 0 is no timeout
-     * @throws  IOException if an error occurs during the connection
-     * @throws  SocketTimeoutException if timeout expires before connecting
-     */
     @Override
-    public void connect(SocketAddress endpoint, int timeout)
-            throws IOException {
+    public void connect(SocketAddress endpoint,
+            int timeout) throws IOException {
 
         if (isLayered()) {
             throw new SocketException("Already connected");
@@ -651,2093 +279,844 @@
 
         if (!(endpoint instanceof InetSocketAddress)) {
             throw new SocketException(
-                                  "Cannot handle non-Inet socket addresses.");
+                    "Cannot handle non-Inet socket addresses.");
         }
 
         super.connect(endpoint, timeout);
-
-        if (host == null || host.length() == 0) {
-            useImplicitHost(false);
-        }
-
         doneConnect();
     }
 
-    /**
-     * Initialize the handshaker and socket streams.
-     *
-     * Called by connect, the layered constructor, and SSLServerSocket.
-     */
-    void doneConnect() throws IOException {
-        /*
-         * Save the input and output streams.  May be done only after
-         * java.net actually connects using the socket "self", else
-         * we get some pretty bizarre failure modes.
-         */
-        sockInput = super.getInputStream();
-        sockOutput = super.getOutputStream();
-
-        inputRecord.setDeliverStream(sockOutput);
-        outputRecord.setDeliverStream(sockOutput);
+    @Override
+    public String[] getSupportedCipherSuites() {
+        return CipherSuite.namesOf(sslContext.getSupportedCipherSuites());
+    }
 
-        /*
-         * Move to handshaking state, with pending session initialized
-         * to defaults and the appropriate kind of handshaker set up.
-         */
-        initHandshaker();
+    @Override
+    public synchronized String[] getEnabledCipherSuites() {
+        return CipherSuite.namesOf(conContext.sslConfig.enabledCipherSuites);
     }
 
-    private synchronized int getConnectionState() {
-        return connectionState;
+    @Override
+    public synchronized void setEnabledCipherSuites(String[] suites) {
+        if (suites == null) {
+            throw new IllegalArgumentException("CipherSuites cannot be null");
+        }
+
+        conContext.sslConfig.enabledCipherSuites =
+                CipherSuite.validValuesOf(suites);
     }
 
-    private synchronized void setConnectionState(int state) {
-        connectionState = state;
+    @Override
+    public String[] getSupportedProtocols() {
+        return ProtocolVersion.toStringArray(
+                sslContext.getSuportedProtocolVersions());
     }
 
-    AccessControlContext getAcc() {
-        return acc;
+    @Override
+    public synchronized String[] getEnabledProtocols() {
+        return ProtocolVersion.toStringArray(
+                conContext.sslConfig.enabledProtocols);
     }
 
-    //
-    // READING AND WRITING RECORDS
-    //
+    @Override
+    public synchronized void setEnabledProtocols(String[] protocols) {
+        if (protocols == null) {
+            throw new IllegalArgumentException("Protocols cannot be null");
+        }
 
-    /*
-     * Application data record output.
-     *
-     * Application data can't be sent until the first handshake establishes
-     * a session.
-     */
-    void writeRecord(byte[] source, int offset, int length) throws IOException {
-        /*
-         * The loop is in case of HANDSHAKE --> ERROR transitions, etc
-         */
-        // Don't bother to check the emptiness of source applicatoin data
-        // before the security connection established.
-        for (boolean readyForApp = false; !readyForApp;) {
-            /*
-             * Not all states support passing application data.  We
-             * synchronize access to the connection state, so that
-             * synchronous handshakes can complete cleanly.
-             */
-            switch (getConnectionState()) {
+        conContext.sslConfig.enabledProtocols =
+                ProtocolVersion.namesOf(protocols);
+    }
 
-                /*
-                 * We've deferred the initial handshaking till just now,
-                 * when presumably a thread's decided it's OK to block for
-                 * longish periods of time for I/O purposes (as well as
-                 * configured the cipher suites it wants to use).
-                 */
-                case cs_HANDSHAKE:
-                    performInitialHandshake();
-                    break;
+    @Override
+    public synchronized SSLSession getSession() {
+        try {
+            // start handshaking, if failed, the connection will be closed.
+            ensureNegotiated();
+        } catch (IOException ioe) {
+            if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
+                SSLLogger.severe("handshake failed", ioe);
+            }
 
-                case cs_DATA:
-                case cs_RENEGOTIATE:
-                    readyForApp = true;
-                    break;
+            return SSLSessionImpl.nullSession;
+        }
 
-                case cs_ERROR:
-                    fatal(Alerts.alert_close_notify,
-                            "error while writing to socket");
-                    break; // dummy
-
-                case cs_SENT_CLOSE:
-                case cs_CLOSED:
-                case cs_APP_CLOSED:
-                    // we should never get here (check in AppOutputStream)
-                    // this is just a fallback
-                    if (closeReason != null) {
-                        throw closeReason;
-                    } else {
-                        throw new SocketException("Socket closed");
-                    }
+        return conContext.conSession;
+    }
 
-                /*
-                 * Else something's goofy in this state machine's use.
-                 */
-                default:
-                    throw new SSLProtocolException(
-                            "State error, send app data");
-            }
+    @Override
+    public synchronized SSLSession getHandshakeSession() {
+        if (conContext.handshakeContext != null) {
+            return conContext.handshakeContext.handshakeSession;
         }
 
-        //
-        // Don't bother to really write empty records.  We went this
-        // far to drive the handshake machinery, for correctness; not
-        // writing empty records improves performance by cutting CPU
-        // time and network resource usage.  However, some protocol
-        // implementations are fragile and don't like to see empty
-        // records, so this also increases robustness.
-        //
-        if (length > 0) {
-            IOException ioe = null;
-            byte description = 0;    // 0: never used, make the compiler happy
-            writeLock.lock();
-            try {
-                outputRecord.deliver(source, offset, length);
-            } catch (SSLHandshakeException she) {
-                // may be record sequence number overflow
-                description = Alerts.alert_handshake_failure;
-                ioe = she;
-            } catch (IOException e) {
-                description = Alerts.alert_unexpected_message;
-                ioe = e;
-            } finally {
-                writeLock.unlock();
-            }
+        return null;
+    }
 
-            // Be care of deadlock. Please don't place the call to fatal()
-            // into the writeLock locked block.
-            if (ioe != null) {
-                fatal(description, ioe);
-            }
+    @Override
+    public synchronized void addHandshakeCompletedListener(
+            HandshakeCompletedListener listener) {
+        if (listener == null) {
+            throw new IllegalArgumentException("listener is null");
         }
 
-        /*
-         * Check the sequence number state
-         *
-         * Note that in order to maintain the connection I/O
-         * properly, we check the sequence number after the last
-         * record writing process. As we request renegotiation
-         * or close the connection for wrapped sequence number
-         * when there is enough sequence number space left to
-         * handle a few more records, so the sequence number
-         * of the last record cannot be wrapped.
-         *
-         * Don't bother to kickstart the renegotiation when the
-         * local is asking for it.
-         */
-        if ((connectionState == cs_DATA) && outputRecord.seqNumIsHuge()) {
-            /*
-             * Ask for renegotiation when need to renew sequence number.
-             *
-             * Don't bother to kickstart the renegotiation when the local is
-             * asking for it.
-             */
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", request renegotiation " +
-                        "to avoid sequence number overflow");
-            }
+        conContext.sslConfig.addHandshakeCompletedListener(listener);
+    }
 
-            startHandshake();
+    @Override
+    public synchronized void removeHandshakeCompletedListener(
+            HandshakeCompletedListener listener) {
+        if (listener == null) {
+            throw new IllegalArgumentException("listener is null");
         }
+
+        conContext.sslConfig.removeHandshakeCompletedListener(listener);
     }
 
-    /*
-     * Alert record output.
-     */
-    void writeAlert(byte level, byte description) throws IOException {
+    @Override
+    public synchronized void startHandshake() throws IOException {
+        checkWrite();
+        try {
+            conContext.kickstart();
 
-        // If the record is a close notify alert, we need to honor
-        // socket option SO_LINGER. Note that we will try to send
-        // the close notify even if the SO_LINGER set to zero.
-        if ((description == Alerts.alert_close_notify) && getSoLinger() >= 0) {
+            // All initial handshaking goes through this operation until we
+            // have a valid SSL connection.
+            //
+            // Handle handshake messages only, need no application data.
+            if (!conContext.isNegotiated) {
+                readRecord();
+            }
+        } catch (IOException ioe) {
+            conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                "Couldn't kickstart handshaking", ioe);
+        } catch (Exception oe) {    // including RuntimeException
+            handleException(oe);
+        }
+    }
 
-            // keep and clear the current thread interruption status.
-            boolean interrupted = Thread.interrupted();
-            try {
-                if (writeLock.tryLock(getSoLinger(), TimeUnit.SECONDS)) {
-                    try {
-                        outputRecord.encodeAlert(level, description);
-                    } finally {
-                        writeLock.unlock();
-                    }
-                } else {
-                    SSLException ssle = new SSLException(
-                            "SO_LINGER timeout," +
-                            " close_notify message cannot be sent.");
-
-
-                    // For layered, non-autoclose sockets, we are not
-                    // able to bring them into a usable state, so we
-                    // treat it as fatal error.
-                    if (isLayered() && !autoClose) {
-                        // Note that the alert description is
-                        // specified as -1, so no message will be send
-                        // to peer anymore.
-                        fatal((byte)(-1), ssle);
-                    } else if ((debug != null) && Debug.isOn("ssl")) {
-                        System.out.println(
-                            Thread.currentThread().getName() +
-                            ", received Exception: " + ssle);
-                    }
-
-                    // RFC2246 requires that the session becomes
-                    // unresumable if any connection is terminated
-                    // without proper close_notify messages with
-                    // level equal to warning.
-                    //
-                    // RFC4346 no longer requires that a session not be
-                    // resumed if failure to properly close a connection.
-                    //
-                    // We choose to make the session unresumable if
-                    // failed to send the close_notify message.
-                    //
-                    sess.invalidate();
-                }
-            } catch (InterruptedException ie) {
-                // keep interrupted status
-                interrupted = true;
-            }
-
-            // restore the interrupted status
-            if (interrupted) {
-                Thread.currentThread().interrupt();
-            }
-        } else {
-            writeLock.lock();
-            try {
-                outputRecord.encodeAlert(level, description);
-            } finally {
-                writeLock.unlock();
-            }
-        }
-
-        // Don't bother to check sequence number overlap here.  If sequence
-        // number is huge, there should be enough sequence number space to
-        // request renegotiation in next application data read and write.
-    }
-
-
-    int bytesInCompletePacket() throws IOException {
-        if (getConnectionState() == cs_HANDSHAKE) {
-            performInitialHandshake();
-        }
-
-        synchronized (readLock) {
-            int state = getConnectionState();
-            if ((state == cs_CLOSED) ||
-                    (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
-                return -1;
-            }
-
-            try {
-                return inputRecord.bytesInCompletePacket(sockInput);
-            } catch (EOFException eofe) {
-                boolean handshaking = (connectionState <= cs_HANDSHAKE);
-                boolean rethrow = requireCloseNotify || handshaking;
-                if ((debug != null) && Debug.isOn("ssl")) {
-                    System.out.println(Thread.currentThread().getName() +
-                        ", received EOFException: "
-                        + (rethrow ? "error" : "ignored"));
-                }
-
-                if (!rethrow) {
-                    // treat as if we had received a close_notify
-                    closeInternal(false);
-                } else {
-                    SSLException e;
-                    if (handshaking) {
-                        e = new SSLHandshakeException(
-                            "Remote host terminated the handshake");
-                    } else {
-                        e = new SSLProtocolException(
-                            "Remote host terminated the handshake");
-                    }
-                    e.initCause(eofe);
-                    throw e;
-                }
-            }
-
-            return -1;
-        }
-    }
-
-    // the caller have synchronized readLock
-    void expectingFinishFlight() {
-        inputRecord.expectingFinishFlight();
-    }
-
-    /*
-     * Read an application data record.
-     *
-     * Alerts and handshake messages are internally handled directly.
-     */
-    int readRecord(ByteBuffer buffer) throws IOException {
-        if (getConnectionState() == cs_HANDSHAKE) {
-            performInitialHandshake();
-        }
-
-        return readRecord(buffer, true);
-    }
-
-    /*
-     * Read a record, no application data input required.
-     *
-     * Alerts and handshake messages are internally handled directly.
-     */
-    int readRecord(boolean needAppData) throws IOException {
-        return readRecord(null, needAppData);
-    }
-
-    /*
-     * Clear the pipeline of records from the peer, optionally returning
-     * application data.   Caller is responsible for knowing that it's
-     * possible to do this kind of clearing, if they don't want app
-     * data -- e.g. since it's the initial SSL handshake.
-     *
-     * Don't synchronize (this) during a blocking read() since it
-     * protects data which is accessed on the write side as well.
-     */
-    private int readRecord(ByteBuffer buffer, boolean needAppData)
-            throws IOException {
-        int state;
-
-        // readLock protects reading and processing of an SSLInputRecord.
-        // It keeps the reading from sockInput and processing of the record
-        // atomic so that no two threads can be blocked on the
-        // read from the same input stream at the same time.
-        // This is required for example when a reader thread is
-        // blocked on the read and another thread is trying to
-        // close the socket. For a non-autoclose, layered socket,
-        // the thread performing the close needs to read the close_notify.
-        //
-        // Use readLock instead of 'this' for locking because
-        // 'this' also protects data accessed during writing.
-        synchronized (readLock) {
-            /*
-             * Read and handle records ... return application data
-             * ONLY if it's needed.
-             */
-            Plaintext plainText = null;
-            while (((state = getConnectionState()) != cs_CLOSED) &&
-                    (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
-
-                /*
-                 * clean the buffer and check if it is too small, e.g. because
-                 * the AppInputStream did not have the chance to see the
-                 * current packet length but rather something like that of the
-                 * handshake before. In that case we return 0 at this point to
-                 * give the caller the chance to adjust the buffer.
-                 */
-                if (buffer != null) {
-                    buffer.clear();
-
-                    if (buffer.remaining() <
-                            inputRecord.bytesInCompletePacket(sockInput)) {
-                        return 0;
-                    }
-                }
-
-                /*
-                 * Read a record ... maybe emitting an alert if we get a
-                 * comprehensible but unsupported "hello" message during
-                 * format checking (e.g. V2).
-                 */
-                try {
-                    plainText = inputRecord.decode(sockInput, buffer);
-                } catch (BadPaddingException bpe) {
-                    byte alertType = (state != cs_DATA) ?
-                            Alerts.alert_handshake_failure :
-                            Alerts.alert_bad_record_mac;
-                    fatal(alertType, bpe.getMessage(), bpe);
-                } catch (SSLProtocolException spe) {
-                    try {
-                        fatal(Alerts.alert_unexpected_message, spe);
-                    } catch (IOException x) {
-                        // discard this exception, throw the original exception
-                    }
-                    throw spe;
-                } catch (SSLHandshakeException she) {
-                    // may be record sequence number overflow
-                    fatal(Alerts.alert_handshake_failure, she);
-                } catch (EOFException eof) {
-                    boolean handshaking = (connectionState <= cs_HANDSHAKE);
-                    boolean rethrow = requireCloseNotify || handshaking;
-                    if ((debug != null) && Debug.isOn("ssl")) {
-                        System.out.println(Thread.currentThread().getName() +
-                            ", received EOFException: "
-                            + (rethrow ? "error" : "ignored"));
-                    }
-                    if (rethrow) {
-                        SSLException e;
-                        if (handshaking) {
-                            e = new SSLHandshakeException(
-                                    "Remote host terminated the handshake");
-                        } else {
-                            e = new SSLProtocolException(
-                                    "Remote host terminated the connection");
-                        }
-                        e.initCause(eof);
-                        throw e;
-                    } else {
-                        // treat as if we had received a close_notify
-                        closeInternal(false);
-                        continue;
-                    }
-                }
-
-                // PlainText should never be null. Process input record.
-                int volume = processInputRecord(plainText, needAppData);
-
-                if (plainText.contentType == Record.ct_application_data) {
-                    return volume;
-                }
-
-                if (plainText.contentType == Record.ct_handshake) {
-                    if (!needAppData && connectionState == cs_DATA) {
-                        return volume;
-                    }   // otherwise, need to read more for app data.
-                }
-
-                // continue to read more net data
-            }   // while
-
-            //
-            // couldn't read, due to some kind of error
-            //
-            return -1;
-        }  // readLock synchronization
-    }
-
-    /*
-     * Process the plainText input record.
-     */
-    private synchronized int processInputRecord(
-            Plaintext plainText, boolean needAppData) throws IOException {
-
-        /*
-         * Process the record.
-         */
-        int volume = 0;    // no application data
-        switch (plainText.contentType) {
-            case Record.ct_handshake:
-                /*
-                 * Handshake messages always go to a pending session
-                 * handshaker ... if there isn't one, create one.  This
-                 * must work asynchronously, for renegotiation.
-                 *
-                 * NOTE that handshaking will either resume a session
-                 * which was in the cache (and which might have other
-                 * connections in it already), or else will start a new
-                 * session (new keys exchanged) with just this connection
-                 * in it.
-                 */
-                initHandshaker();
-                if (!handshaker.activated()) {
-                    // prior to handshaking, activate the handshake
-                    if (connectionState == cs_RENEGOTIATE) {
-                        // don't use SSLv2Hello when renegotiating
-                        handshaker.activate(protocolVersion);
-                    } else {
-                        handshaker.activate(null);
-                    }
-                }
-
-                /*
-                 * process the handshake record ... may contain just
-                 * a partial handshake message or multiple messages.
-                 *
-                 * The handshaker state machine will ensure that it's
-                 * a finished message.
-                 */
-                handshaker.processRecord(plainText.fragment, expectingFinished);
-                expectingFinished = false;
-
-                if (handshaker.invalidated) {
-                    handshaker = null;
-                    inputRecord.setHandshakeHash(null);
-                    outputRecord.setHandshakeHash(null);
-
-                    // if state is cs_RENEGOTIATE, revert it to cs_DATA
-                    if (connectionState == cs_RENEGOTIATE) {
-                        connectionState = cs_DATA;
-                    }
-                } else if (handshaker.isDone()) {
-                    // reset the parameters for secure renegotiation.
-                    secureRenegotiation =
-                                    handshaker.isSecureRenegotiation();
-                    clientVerifyData = handshaker.getClientVerifyData();
-                    serverVerifyData = handshaker.getServerVerifyData();
-                    // set connection ALPN value
-                    applicationProtocol =
-                        handshaker.getHandshakeApplicationProtocol();
-
-                    sess = handshaker.getSession();
-                    handshakeSession = null;
-                    handshaker = null;
-                    inputRecord.setHandshakeHash(null);
-                    outputRecord.setHandshakeHash(null);
-                    connectionState = cs_DATA;
-
-                    //
-                    // Tell folk about handshake completion, but do
-                    // it in a separate thread.
-                    //
-                    if (handshakeListeners != null) {
-                        HandshakeCompletedEvent event =
-                            new HandshakeCompletedEvent(this, sess);
-
-                        Thread thread = new Thread(
-                            null,
-                            new NotifyHandshake(
-                                handshakeListeners.entrySet(), event),
-                            "HandshakeCompletedNotify-Thread",
-                            0,
-                            false);
-                        thread.start();
-                    }
-                }
-
-                break;
-
-            case Record.ct_application_data:
-                if (connectionState != cs_DATA
-                        && connectionState != cs_RENEGOTIATE
-                        && connectionState != cs_SENT_CLOSE) {
-                    throw new SSLProtocolException(
-                        "Data received in non-data state: " +
-                        connectionState);
-                }
-                if (expectingFinished) {
-                    throw new SSLProtocolException
-                            ("Expecting finished message, received data");
-                }
-                if (!needAppData) {
-                    throw new SSLException("Discarding app data");
-                }
-
-                volume = plainText.fragment.remaining();
-                break;
-
-            case Record.ct_alert:
-                recvAlert(plainText.fragment);
-                break;
-
-            case Record.ct_change_cipher_spec:
-                if ((connectionState != cs_HANDSHAKE
-                        && connectionState != cs_RENEGOTIATE)) {
-                    // For the CCS message arriving in the wrong state
-                    fatal(Alerts.alert_unexpected_message,
-                            "illegal change cipher spec msg, conn state = "
-                            + connectionState);
-                } else if (plainText.fragment.remaining() != 1
-                        || plainText.fragment.get() != 1) {
-                    // For structural/content issues with the CCS
-                    fatal(Alerts.alert_unexpected_message,
-                            "Malformed change cipher spec msg");
-                }
-
-                //
-                // The first message after a change_cipher_spec
-                // record MUST be a "Finished" handshake record,
-                // else it's a protocol violation.  We force this
-                // to be checked by a minor tweak to the state
-                // machine.
-                //
-                handshaker.receiveChangeCipherSpec();
-
-                CipherBox readCipher;
-                Authenticator readAuthenticator;
-                try {
-                    readCipher = handshaker.newReadCipher();
-                    readAuthenticator = handshaker.newReadAuthenticator();
-                } catch (GeneralSecurityException e) {
-                    // can't happen
-                    throw new SSLException("Algorithm missing:  ", e);
-                }
-                inputRecord.changeReadCiphers(readAuthenticator, readCipher);
-
-                // next message MUST be a finished message
-                expectingFinished = true;
-
-                break;
-
-            default:
-                //
-                // TLS requires that unrecognized records be ignored.
-                //
-                if (debug != null && Debug.isOn("ssl")) {
-                    System.out.println(Thread.currentThread().getName() +
-                        ", Received record type: " + plainText.contentType);
-                }
-                break;
-        }
-
-        /*
-         * Check the sequence number state
-         *
-         * Note that in order to maintain the connection I/O
-         * properly, we check the sequence number after the last
-         * record reading process. As we request renegotiation
-         * or close the connection for wrapped sequence number
-         * when there is enough sequence number space left to
-         * handle a few more records, so the sequence number
-         * of the last record cannot be wrapped.
-         *
-         * Don't bother to kickstart the renegotiation when the
-         * local is asking for it.
-         */
-        if ((connectionState == cs_DATA) && inputRecord.seqNumIsHuge()) {
-            /*
-             * Ask for renegotiation when need to renew sequence number.
-             *
-             * Don't bother to kickstart the renegotiation when the local is
-             * asking for it.
-             */
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", request renegotiation " +
-                        "to avoid sequence number overflow");
-            }
-
-            startHandshake();
-        }
-
-        return volume;
-    }
-
-
-    //
-    // HANDSHAKE RELATED CODE
-    //
-
-    /**
-     * Return the AppInputStream. For use by Handshaker only.
-     */
-    AppInputStream getAppInputStream() {
-        return input;
-    }
-
-    /**
-     * Return the AppOutputStream. For use by Handshaker only.
-     */
-    AppOutputStream getAppOutputStream() {
-        return output;
-    }
-
-    /**
-     * Initialize the handshaker object. This means:
-     *
-     *  . if a handshake is already in progress (state is cs_HANDSHAKE
-     *    or cs_RENEGOTIATE), do nothing and return
-     *
-     *  . if the socket is already closed, throw an Exception (internal error)
-     *
-     *  . otherwise (cs_START or cs_DATA), create the appropriate handshaker
-     *    object, and advance the connection state (to cs_HANDSHAKE or
-     *    cs_RENEGOTIATE, respectively).
-     *
-     * This method is called right after a new socket is created, when
-     * starting renegotiation, or when changing client/ server mode of the
-     * socket.
-     */
-    private void initHandshaker() {
-        switch (connectionState) {
-
-        //
-        // Starting a new handshake.
-        //
-        case cs_START:
-        case cs_DATA:
-            break;
-
-        //
-        // We're already in the middle of a handshake.
-        //
-        case cs_HANDSHAKE:
-        case cs_RENEGOTIATE:
-            return;
-
-        //
-        // Anyone allowed to call this routine is required to
-        // do so ONLY if the connection state is reasonable...
-        //
-        default:
-            throw new IllegalStateException("Internal error");
-        }
-
-        // state is either cs_START or cs_DATA
-        if (connectionState == cs_START) {
-            connectionState = cs_HANDSHAKE;
-        } else { // cs_DATA
-            connectionState = cs_RENEGOTIATE;
-        }
-
-        if (roleIsServer) {
-            handshaker = new ServerHandshaker(this, sslContext,
-                    enabledProtocols, doClientAuth,
-                    protocolVersion, connectionState == cs_HANDSHAKE,
-                    secureRenegotiation, clientVerifyData, serverVerifyData);
-            handshaker.setSNIMatchers(sniMatchers);
-            handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
-        } else {
-            handshaker = new ClientHandshaker(this, sslContext,
-                    enabledProtocols,
-                    protocolVersion, connectionState == cs_HANDSHAKE,
-                    secureRenegotiation, clientVerifyData, serverVerifyData);
-            handshaker.setSNIServerNames(serverNames);
-        }
-        handshaker.setMaximumPacketSize(maximumPacketSize);
-        handshaker.setEnabledCipherSuites(enabledCipherSuites);
-        handshaker.setEnableSessionCreation(enableSessionCreation);
-        handshaker.setApplicationProtocols(applicationProtocols);
-        handshaker.setApplicationProtocolSelectorSSLSocket(
-            applicationProtocolSelector);
-    }
-
-    /**
-     * Synchronously perform the initial handshake.
-     *
-     * If the handshake is already in progress, this method blocks until it
-     * is completed. If the initial handshake has already been completed,
-     * it returns immediately.
-     */
-    private void performInitialHandshake() throws IOException {
-        // use handshakeLock and the state check to make sure only
-        // one thread performs the handshake
-        synchronized (handshakeLock) {
-            if (getConnectionState() == cs_HANDSHAKE) {
-                kickstartHandshake();
-
-                /*
-                 * All initial handshaking goes through this operation
-                 * until we have a valid SSL connection.
-                 *
-                 * Handle handshake messages only, need no application data.
-                 */
-                readRecord(false);
-            }
-        }
+    @Override
+    public synchronized void setUseClientMode(boolean mode) {
+        conContext.setUseClientMode(mode);
     }
 
-    /**
-     * Starts an SSL handshake on this connection.
-     */
     @Override
-    public void startHandshake() throws IOException {
-        // start an ssl handshake that could be resumed from timeout exception
-        startHandshake(true);
+    public synchronized boolean getUseClientMode() {
+        return conContext.sslConfig.isClientMode;
     }
 
-    /**
-     * Starts an ssl handshake on this connection.
-     *
-     * @param resumable indicates the handshake process is resumable from a
-     *          certain exception. If <code>resumable</code>, the socket will
-     *          be reserved for exceptions like timeout; otherwise, the socket
-     *          will be closed, no further communications could be done.
-     */
-    private void startHandshake(boolean resumable) throws IOException {
-        checkWrite();
-        try {
-            if (getConnectionState() == cs_HANDSHAKE) {
-                // do initial handshake
-                performInitialHandshake();
-            } else {
-                // start renegotiation
-                kickstartHandshake();
-            }
-        } catch (Exception e) {
-            // shutdown and rethrow (wrapped) exception as appropriate
-            handleException(e, resumable);
-        }
+    @Override
+    public synchronized void setNeedClientAuth(boolean need) {
+        conContext.sslConfig.clientAuthType =
+                (need ? ClientAuthType.CLIENT_AUTH_REQUIRED :
+                        ClientAuthType.CLIENT_AUTH_NONE);
     }
 
-    /**
-     * Kickstart the handshake if it is not already in progress.
-     * This means:
-     *
-     *  . if handshaking is already underway, do nothing and return
-     *
-     *  . if the socket is not connected or already closed, throw an
-     *    Exception.
-     *
-     *  . otherwise, call initHandshake() to initialize the handshaker
-     *    object and progress the state. Then, send the initial
-     *    handshaking message if appropriate (always on clients and
-     *    on servers when renegotiating).
-     */
-    private synchronized void kickstartHandshake() throws IOException {
-
-        switch (connectionState) {
-
-        case cs_HANDSHAKE:
-            // handshaker already setup, proceed
-            break;
-
-        case cs_DATA:
-            if (!secureRenegotiation && !Handshaker.allowUnsafeRenegotiation) {
-                throw new SSLHandshakeException(
-                        "Insecure renegotiation is not allowed");
-            }
-
-            if (!secureRenegotiation) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println(
-                        "Warning: Using insecure renegotiation");
-                }
-            }
-
-            // initialize the handshaker, move to cs_RENEGOTIATE
-            initHandshaker();
-            break;
-
-        case cs_RENEGOTIATE:
-            // handshaking already in progress, return
-            return;
-
-        /*
-         * The only way to get a socket in the state is when
-         * you have an unconnected socket.
-         */
-        case cs_START:
-            throw new SocketException(
-                "handshaking attempted on unconnected socket");
-
-        default:
-            throw new SocketException("connection is closed");
-        }
-
-        //
-        // Kickstart handshake state machine if we need to ...
-        //
-        // Note that handshaker.kickstart() writes the message
-        // to its HandshakeOutStream, which calls back into
-        // SSLSocketImpl.writeRecord() to send it.
-        //
-        if (!handshaker.activated()) {
-             // prior to handshaking, activate the handshake
-            if (connectionState == cs_RENEGOTIATE) {
-                // don't use SSLv2Hello when renegotiating
-                handshaker.activate(protocolVersion);
-            } else {
-                handshaker.activate(null);
-            }
-
-            if (handshaker instanceof ClientHandshaker) {
-                // send client hello
-                handshaker.kickstart();
-            } else {
-                if (connectionState == cs_HANDSHAKE) {
-                    // initial handshake, no kickstart message to send
-                } else {
-                    // we want to renegotiate, send hello request
-                    handshaker.kickstart();
-                }
-            }
-        }
+    @Override
+    public synchronized boolean getNeedClientAuth() {
+        return (conContext.sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUIRED);
     }
 
-    //
-    // CLOSURE RELATED CALLS
-    //
-
-    /**
-     * Return whether the socket has been explicitly closed by the application.
-     */
     @Override
-    public boolean isClosed() {
-        return connectionState == cs_APP_CLOSED;
+    public synchronized void setWantClientAuth(boolean want) {
+        conContext.sslConfig.clientAuthType =
+                (want ? ClientAuthType.CLIENT_AUTH_REQUESTED :
+                        ClientAuthType.CLIENT_AUTH_NONE);
     }
 
-    /**
-     * Return whether we have reached end-of-file.
-     *
-     * If the socket is not connected, has been shutdown because of an error
-     * or has been closed, throw an Exception.
-     */
-    boolean checkEOF() throws IOException {
-        switch (getConnectionState()) {
-        case cs_START:
-            throw new SocketException("Socket is not connected");
-
-        case cs_HANDSHAKE:
-        case cs_DATA:
-        case cs_RENEGOTIATE:
-        case cs_SENT_CLOSE:
-            return false;
-
-        case cs_APP_CLOSED:
-            throw new SocketException("Socket is closed");
-
-        case cs_ERROR:
-        case cs_CLOSED:
-        default:
-            // either closed because of error, or normal EOF
-            if (closeReason == null) {
-                return true;
-            }
-            IOException e = new SSLException
-                        ("Connection has been shutdown: " + closeReason);
-            e.initCause(closeReason);
-            throw e;
-
-        }
+    @Override
+    public synchronized boolean getWantClientAuth() {
+        return (conContext.sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUESTED);
     }
 
-    /**
-     * Check if we can write data to this socket. If not, throw an IOException.
-     */
-    void checkWrite() throws IOException {
-        if (checkEOF() || (getConnectionState() == cs_SENT_CLOSE)) {
-            // we are at EOF, write must throw Exception
-            throw new SocketException("Connection closed by remote host");
-        }
+    @Override
+    public synchronized void setEnableSessionCreation(boolean flag) {
+        conContext.sslConfig.enableSessionCreation = flag;
     }
 
-    private void closeSocket() throws IOException {
-
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                                                ", called closeSocket()");
-        }
-
-        super.close();
+    @Override
+    public synchronized boolean getEnableSessionCreation() {
+        return conContext.sslConfig.enableSessionCreation;
     }
 
-    private void closeSocket(boolean selfInitiated) throws IOException {
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                ", called closeSocket(" + selfInitiated + ")");
-        }
-        if (!isLayered() || autoClose) {
-            super.close();
-        } else if (selfInitiated) {
-            // layered && non-autoclose
-            // read close_notify alert to clear input stream
-            waitForClose(false);
-        }
+    @Override
+    public synchronized boolean isClosed() {
+        return tlsIsClosed && conContext.isClosed();
     }
 
-    /*
-     * Closing the connection is tricky ... we can't officially close the
-     * connection until we know the other end is ready to go away too,
-     * and if ever the connection gets aborted we must forget session
-     * state (it becomes invalid).
-     */
-
-    /**
-     * Closes the SSL connection.  SSL includes an application level
-     * shutdown handshake; you should close SSL sockets explicitly
-     * rather than leaving it for finalization, so that your remote
-     * peer does not experience a protocol error.
-     */
     @Override
-    public void close() throws IOException {
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                                                    ", called close()");
-        }
-        closeInternal(true);  // caller is initiating close
-
-        // Clearup the resources.
+    public synchronized void close() throws IOException {
         try {
-            synchronized (readLock) {
-                inputRecord.close();
-            }
-
-            writeLock.lock();
-            try {
-                outputRecord.close();
-            } finally {
-                writeLock.unlock();
-            }
+            conContext.close();
         } catch (IOException ioe) {
-           // ignore
-        }
-
-        setConnectionState(cs_APP_CLOSED);
-    }
-
-    /**
-     * Don't synchronize the whole method because waitForClose()
-     * (which calls readRecord()) might be called.
-     *
-     * @param selfInitiated Indicates which party initiated the close.
-     * If selfInitiated, this side is initiating a close; for layered and
-     * non-autoclose socket, wait for close_notify response.
-     * If !selfInitiated, peer sent close_notify; we reciprocate but
-     * no need to wait for response.
-     */
-    private void closeInternal(boolean selfInitiated) throws IOException {
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                        ", called closeInternal(" + selfInitiated + ")");
-        }
-
-        int state = getConnectionState();
-        boolean closeSocketCalled = false;
-        Throwable cachedThrowable = null;
-        try {
-            switch (state) {
-            case cs_START:
-                // unconnected socket or handshaking has not been initialized
-                closeSocket(selfInitiated);
-                break;
-
-            /*
-             * If we're closing down due to error, we already sent (or else
-             * received) the fatal alert ... no niceties, blow the connection
-             * away as quickly as possible (even if we didn't allocate the
-             * socket ourselves; it's unusable, regardless).
-             */
-            case cs_ERROR:
-                closeSocket();
-                break;
-
-            /*
-             * Sometimes close() gets called more than once.
-             */
-            case cs_CLOSED:
-            case cs_APP_CLOSED:
-                 break;
-
-            /*
-             * Otherwise we indicate clean termination.
-             */
-            // case cs_HANDSHAKE:
-            // case cs_DATA:
-            // case cs_RENEGOTIATE:
-            // case cs_SENT_CLOSE:
-            default:
-                synchronized (this) {
-                    if (((state = getConnectionState()) == cs_CLOSED) ||
-                       (state == cs_ERROR) || (state == cs_APP_CLOSED)) {
-                        return;  // connection was closed while we waited
-                    }
-                    if (state != cs_SENT_CLOSE) {
-                        try {
-                            warning(Alerts.alert_close_notify);
-                            connectionState = cs_SENT_CLOSE;
-                        } catch (Throwable th) {
-                            // we need to ensure socket is closed out
-                            // if we encounter any errors.
-                            connectionState = cs_ERROR;
-                            // cache this for later use
-                            cachedThrowable = th;
-                            closeSocketCalled = true;
-                            closeSocket(selfInitiated);
-                        }
-                    }
-                }
-                // If state was cs_SENT_CLOSE before, we don't do the actual
-                // closing since it is already in progress.
-                if (state == cs_SENT_CLOSE) {
-                    if (debug != null && Debug.isOn("ssl")) {
-                        System.out.println(Thread.currentThread().getName() +
-                            ", close invoked again; state = " +
-                            getConnectionState());
-                    }
-                    if (selfInitiated == false) {
-                        // We were called because a close_notify message was
-                        // received. This may be due to another thread calling
-                        // read() or due to our call to waitForClose() below.
-                        // In either case, just return.
-                        return;
-                    }
-                    // Another thread explicitly called close(). We need to
-                    // wait for the closing to complete before returning.
-                    synchronized (this) {
-                        while (connectionState < cs_CLOSED) {
-                            try {
-                                this.wait();
-                            } catch (InterruptedException e) {
-                                // ignore
-                            }
-                        }
-                    }
-                    if ((debug != null) && Debug.isOn("ssl")) {
-                        System.out.println(Thread.currentThread().getName() +
-                            ", after primary close; state = " +
-                            getConnectionState());
-                    }
-                    return;
-                }
-
-                if (!closeSocketCalled)  {
-                    closeSocketCalled = true;
-                    closeSocket(selfInitiated);
-                }
-
-                break;
+            // ignore the exception
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.warning("connection context closure failed", ioe);
             }
         } finally {
-            synchronized (this) {
-                // Upon exit from this method, the state is always >= cs_CLOSED
-                connectionState = (connectionState == cs_APP_CLOSED)
-                                ? cs_APP_CLOSED : cs_CLOSED;
-                // notify any threads waiting for the closing to finish
-                this.notifyAll();
-            }
-
-            if (cachedThrowable != null) {
-               /*
-                * Rethrow the error to the calling method
-                * The Throwable caught can only be an Error or RuntimeException
-                */
-                if (cachedThrowable instanceof Error) {
-                    throw (Error)cachedThrowable;
-                } else if (cachedThrowable instanceof RuntimeException) {
-                    throw (RuntimeException)cachedThrowable;
-                }   // Otherwise, unlikely
-            }
+            tlsIsClosed = true;
         }
     }
 
-    /**
-     * Reads a close_notify or a fatal alert from the input stream.
-     * Keep reading records until we get a close_notify or until
-     * the connection is otherwise closed.  The close_notify or alert
-     * might be read by another reader,
-     * which will then process the close and set the connection state.
-     */
-    void waitForClose(boolean rethrow) throws IOException {
-        if (debug != null && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                ", waiting for close_notify or alert: state "
-                + getConnectionState());
+    @Override
+    public synchronized InputStream getInputStream() throws IOException {
+        if (isClosed() || conContext.isInboundDone()) {
+            throw new SocketException("Socket or inbound is closed");
         }
 
-        try {
-            int state;
-
-            while (((state = getConnectionState()) != cs_CLOSED) &&
-                   (state != cs_ERROR) && (state != cs_APP_CLOSED)) {
-
-                // Ask for app data and then throw it away
-                try {
-                    readRecord(true);
-                } catch (SocketTimeoutException e) {
-                    if ((debug != null) && Debug.isOn("ssl")) {
-                        System.out.println(
-                            Thread.currentThread().getName() +
-                            ", received Exception: " + e);
-                    }
-                    fatal((byte)(-1), "Did not receive close_notify from peer", e);
-                }
-            }
-        } catch (IOException e) {
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", Exception while waiting for close " +e);
-            }
-            if (rethrow) {
-                throw e; // pass exception up
-            }
+        if (!isConnected) {
+            throw new SocketException("Socket is not connected");
         }
-    }
-
-    //
-    // EXCEPTION AND ALERT HANDLING
-    //
 
-    /**
-     * Handle an exception. This method is called by top level exception
-     * handlers (in read(), write()) to make sure we always shutdown the
-     * connection correctly and do not pass runtime exception to the
-     * application.
-     */
-    void handleException(Exception e) throws IOException {
-        handleException(e, true);
+        return appInput;
     }
 
-    /**
-     * Handle an exception. This method is called by top level exception
-     * handlers (in read(), write(), startHandshake()) to make sure we
-     * always shutdown the connection correctly and do not pass runtime
-     * exception to the application.
-     *
-     * This method never returns normally, it always throws an IOException.
-     *
-     * We first check if the socket has already been shutdown because of an
-     * error. If so, we just rethrow the exception. If the socket has not
-     * been shutdown, we sent a fatal alert and remember the exception.
-     *
-     * @param e the Exception
-     * @param resumable indicates the caller process is resumable from the
-     *          exception. If <code>resumable</code>, the socket will be
-     *          reserved for exceptions like timeout; otherwise, the socket
-     *          will be closed, no further communications could be done.
-     */
-    private synchronized void handleException(Exception e, boolean resumable)
-        throws IOException {
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                        ", handling exception: " + e.toString());
-        }
-
-        // don't close the Socket in case of timeouts or interrupts if
-        // the process is resumable.
-        if (e instanceof InterruptedIOException && resumable) {
-            throw (IOException)e;
-        }
-
-        // if we've already shutdown because of an error,
-        // there is nothing to do except rethrow the exception
-        if (closeReason != null) {
-            if (e instanceof IOException) { // includes SSLException
-                throw (IOException)e;
-            } else {
-                // this is odd, not an IOException.
-                // normally, this should not happen
-                // if closeReason has been already been set
-                throw Alerts.getSSLException(Alerts.alert_internal_error, e,
-                                      "Unexpected exception");
-            }
-        }
-
-        // need to perform error shutdown
-        boolean isSSLException = (e instanceof SSLException);
-        if ((!isSSLException) && (e instanceof IOException)) {
-            // IOException from the socket
-            // this means the TCP connection is already dead
-            // we call fatal just to set the error status
-            try {
-                fatal(Alerts.alert_unexpected_message, e);
-            } catch (IOException ee) {
-                // ignore (IOException wrapped in SSLException)
-            }
-            // rethrow original IOException
-            throw (IOException)e;
-        }
-
-        // must be SSLException or RuntimeException
-        byte alertType;
-        if (isSSLException) {
-            if (e instanceof SSLHandshakeException) {
-                alertType = Alerts.alert_handshake_failure;
-            } else {
-                alertType = Alerts.alert_unexpected_message;
-            }
-        } else {
-            alertType = Alerts.alert_internal_error;
+    private synchronized void ensureNegotiated() throws IOException {
+        if (conContext.isNegotiated || conContext.isClosed()) {
+            return;
         }
-        fatal(alertType, e);
-    }
 
-    /*
-     * Send a warning alert.
-     */
-    void warning(byte description) {
-        sendAlert(Alerts.alert_warning, description);
+        startHandshake();
     }
 
-    synchronized void fatal(byte description, String diagnostic)
-            throws IOException {
-        fatal(description, diagnostic, null);
-    }
+    private class AppInputStream extends InputStream {
+        // One element array used to implement the single byte read() method
+        private final byte[] oneByte = new byte[1];
 
-    synchronized void fatal(byte description, Throwable cause)
-            throws IOException {
-        fatal(description, null, cause);
-    }
+        // the temporary buffer used to read network
+        private ByteBuffer buffer;
 
-    /*
-     * Send a fatal alert, and throw an exception so that callers will
-     * need to stand on their heads to accidentally continue processing.
-     */
-    synchronized void fatal(byte description, String diagnostic,
-            Throwable cause) throws IOException {
-
-        // Be care of deadlock. Please don't synchronize readLock.
-        try {
-            inputRecord.close();
-        } catch (IOException ioe) {
-            // ignore
-        }
+        // Is application data available in the stream?
+        private boolean appDataIsAvailable;
 
-        sess.invalidate();
-        if (handshakeSession != null) {
-            handshakeSession.invalidate();
+        AppInputStream() {
+            this.appDataIsAvailable = false;
+            this.buffer = ByteBuffer.allocate(4096);
         }
 
-        int oldState = connectionState;
-        if (connectionState < cs_ERROR) {
-            connectionState = cs_ERROR;
-        }
-
-        /*
-         * Has there been an error received yet?  If not, remember it.
-         * By RFC 2246, we don't bother waiting for a response.
-         * Fatal errors require immediate shutdown.
+        /**
+         * Return the minimum number of bytes that can be read
+         * without blocking.
          */
-        if (closeReason == null) {
-            /*
-             * Try to clear the kernel buffer to avoid TCP connection resets.
-             */
-            if (oldState == cs_HANDSHAKE) {
-                sockInput.skip(sockInput.available());
+        @Override
+        public int available() throws IOException {
+            // Currently not synchronized.
+            if ((!appDataIsAvailable) || checkEOF()) {
+                return 0;
             }
 
-            // If the description equals -1, the alert won't be sent to peer.
-            if (description != -1) {
-                sendAlert(Alerts.alert_fatal, description);
-            }
-            if (cause instanceof SSLException) { // only true if != null
-                closeReason = (SSLException)cause;
-            } else {
-                closeReason =
-                    Alerts.getSSLException(description, cause, diagnostic);
-            }
+            return buffer.remaining();
         }
 
-        /*
-         * Clean up our side.
+        /**
+         * Read a single byte, returning -1 on non-fault EOF status.
          */
-        closeSocket();
-
-        // Be care of deadlock. Please don't synchronize writeLock.
-        try {
-            outputRecord.close();
-        } catch (IOException ioe) {
-            // ignore
-        }
-
-        throw closeReason;
-    }
-
-
-    /*
-     * Process an incoming alert ... caller must already have synchronized
-     * access to "this".
-     */
-    private void recvAlert(ByteBuffer fragment) throws IOException {
-        byte level = fragment.get();
-        byte description = fragment.get();
-
-        if (description == -1) { // check for short message
-            fatal(Alerts.alert_illegal_parameter, "Short alert message");
-        }
-
-        if (debug != null && (Debug.isOn("record") ||
-                Debug.isOn("handshake"))) {
-            synchronized (System.out) {
-                System.out.print(Thread.currentThread().getName());
-                System.out.print(", RECV " + protocolVersion + " ALERT:  ");
-                if (level == Alerts.alert_fatal) {
-                    System.out.print("fatal, ");
-                } else if (level == Alerts.alert_warning) {
-                    System.out.print("warning, ");
-                } else {
-                    System.out.print("<level " + (0x0ff & level) + ">, ");
-                }
-                System.out.println(Alerts.alertDescription(description));
-            }
-        }
-
-        if (level == Alerts.alert_warning) {
-            if (description == Alerts.alert_close_notify) {
-                if (connectionState == cs_HANDSHAKE) {
-                    fatal(Alerts.alert_unexpected_message,
-                                "Received close_notify during handshake");
-                } else {
-                    closeInternal(false);  // reply to close
-                }
-            } else {
-
-                //
-                // The other legal warnings relate to certificates,
-                // e.g. no_certificate, bad_certificate, etc; these
-                // are important to the handshaking code, which can
-                // also handle illegal protocol alerts if needed.
-                //
-                if (handshaker != null) {
-                    handshaker.handshakeAlert(description);
-                }
-            }
-        } else { // fatal or unknown level
-            String reason = "Received fatal alert: "
-                + Alerts.alertDescription(description);
-            if (closeReason == null) {
-                closeReason = Alerts.getSSLException(description, reason);
+        @Override
+        public synchronized int read() throws IOException {
+            int n = read(oneByte, 0, 1);
+            if (n <= 0) {   // EOF
+                return -1;
             }
-            fatal(Alerts.alert_unexpected_message, reason);
-        }
-    }
-
 
-    /*
-     * Emit alerts.  Caller must have synchronized with "this".
-     */
-    private void sendAlert(byte level, byte description) {
-        // the connectionState cannot be cs_START
-        if (connectionState >= cs_SENT_CLOSE) {
-            return;
-        }
-
-        // For initial handshaking, don't send alert message to peer if
-        // handshaker has not started.
-        //
-        // Shall we send an fatal alter to terminate the connection gracefully?
-        if (connectionState <= cs_HANDSHAKE &&
-                (handshaker == null || !handshaker.started() ||
-                        !handshaker.activated())) {
-            return;
+            return oneByte[0] & 0xFF;
         }
 
-        boolean useDebug = debug != null && Debug.isOn("ssl");
-        if (useDebug) {
-            synchronized (System.out) {
-                System.out.print(Thread.currentThread().getName());
-                System.out.print(", SEND " + protocolVersion + " ALERT:  ");
-                if (level == Alerts.alert_fatal) {
-                    System.out.print("fatal, ");
-                } else if (level == Alerts.alert_warning) {
-                    System.out.print("warning, ");
-                } else {
-                    System.out.print("<level = " + (0x0ff & level) + ">, ");
-                }
-                System.out.println("description = "
-                        + Alerts.alertDescription(description));
+        /**
+         * Reads up to {@code len} bytes of data from the input stream
+         * into an array of bytes.
+         *
+         * An attempt is made to read as many as {@code len} bytes, but a
+         * smaller number may be read. The number of bytes actually read
+         * is returned as an integer.
+         *
+         * If the layer above needs more data, it asks for more, so we
+         * are responsible only for blocking to fill at most one buffer,
+         * and returning "-1" on non-fault EOF status.
+         */
+        @Override
+        public synchronized int read(byte[] b, int off, int len)
+                throws IOException {
+            if (b == null) {
+                throw new NullPointerException("the target buffer is null");
+            } else if (off < 0 || len < 0 || len > b.length - off) {
+                throw new IndexOutOfBoundsException(
+                        "buffer length: " + b.length + ", offset; " + off +
+                        ", bytes to read:" + len);
+            } else if (len == 0) {
+                return 0;
             }
-        }
 
-        try {
-            writeAlert(level, description);
-        } catch (IOException e) {
-            if (useDebug) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", Exception sending alert: " + e);
+            if (checkEOF()) {
+                return -1;
             }
-        }
-    }
-
-    //
-    // VARIOUS OTHER METHODS
-    //
 
-    // used by Handshaker
-    void changeWriteCiphers() throws IOException {
-        Authenticator writeAuthenticator;
-        CipherBox writeCipher;
-        try {
-            writeCipher = handshaker.newWriteCipher();
-            writeAuthenticator = handshaker.newWriteAuthenticator();
-        } catch (GeneralSecurityException e) {
-            // "can't happen"
-            throw new SSLException("Algorithm missing:  ", e);
-        }
-        outputRecord.changeWriteCiphers(writeAuthenticator, writeCipher);
-    }
+            // start handshaking if the connection has not been negotiated.
+            if (!conContext.isNegotiated && !conContext.isClosed()) {
+                ensureNegotiated();
+            }
 
-    /*
-     * Updates the SSL version associated with this connection.
-     * Called from Handshaker once it has determined the negotiated version.
-     */
-    synchronized void setVersion(ProtocolVersion protocolVersion) {
-        this.protocolVersion = protocolVersion;
-        outputRecord.setVersion(protocolVersion);
-    }
+            // Read the available bytes at first.
+            int remains = available();
+            if (remains > 0) {
+                int howmany = Math.min(remains, len);
+                buffer.get(b, off, howmany);
 
-    //
-    // ONLY used by ClientHandshaker for the server hostname during handshaking
-    //
-    synchronized String getHost() {
-        // Note that the host may be null or empty for localhost.
-        if (host == null || host.length() == 0) {
-            useImplicitHost(true);
-        }
+                return howmany;
+            }
 
-        return host;
-    }
+            appDataIsAvailable = false;
+            int volume = 0;
+            try {
+                while (volume == 0) {
+                    // Clear the buffer for a new record reading.
+                    buffer.clear();
 
-    /*
-     * Try to set and use the implicit specified hostname
-     */
-    private synchronized void useImplicitHost(boolean noSniUpdate) {
+                    // grow the buffer if needed
+                    int inLen = conContext.inputRecord.bytesInCompletePacket();
+                    if (inLen < 0) {    // EOF
+                        // treat like receiving a close_notify warning message.
+                        conContext.isInputCloseNotified = true;
+                        conContext.closeInbound();
+                        return -1;
+                    }
+
+                    // Is this packet bigger than SSL/TLS normally allows?
+                    if (inLen > SSLRecord.maxLargeRecordSize) {
+                        throw new SSLProtocolException(
+                                "Illegal packet size: " + inLen);
+                    }
+
+                    if (inLen > buffer.remaining()) {
+                        buffer = ByteBuffer.allocate(inLen);
+                    }
+
+                    volume = readRecord(buffer);
+                    buffer.flip();
+                    if (volume < 0) {   // EOF
+                        // treat like receiving a close_notify warning message.
+                        conContext.isInputCloseNotified = true;
+                        conContext.closeInbound();
+                        return -1;
+                    } else if (volume > 0) {
+                        appDataIsAvailable = true;
+                        break;
+                    }
+                }
 
-        // Note: If the local name service is not trustworthy, reverse
-        // host name resolution should not be performed for endpoint
-        // identification.  Use the application original specified
-        // hostname or IP address instead.
+                // file the destination buffer
+                int howmany = Math.min(len, volume);
+                buffer.get(b, off, howmany);
+                return howmany;
+            } catch (Exception e) {   // including RuntimeException
+                // shutdown and rethrow (wrapped) exception as appropriate
+                handleException(e);
 
-        // Get the original hostname via jdk.internal.misc.SharedSecrets
-        InetAddress inetAddress = getInetAddress();
-        if (inetAddress == null) {      // not connected
-            return;
+                // dummy for compiler
+                return -1;
+            }
         }
 
-        JavaNetInetAddressAccess jna =
-                SharedSecrets.getJavaNetInetAddressAccess();
-        String originalHostname = jna.getOriginalHostName(inetAddress);
-        if ((originalHostname != null) &&
-                (originalHostname.length() != 0)) {
-
-            host = originalHostname;
-            if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) {
-                serverNames =
-                        Utilities.addToSNIServerNameList(serverNames, host);
-
-                if (!roleIsServer &&
-                        (handshaker != null) && !handshaker.activated()) {
-                    handshaker.setSNIServerNames(serverNames);
+        /**
+         * Skip n bytes.
+         *
+         * This implementation is somewhat less efficient than possible, but
+         * not badly so (redundant copy).  We reuse the read() code to keep
+         * things simpler. Note that SKIP_ARRAY is static and may garbled by
+         * concurrent use, but we are not interested in the data anyway.
+         */
+        @Override
+        public synchronized long skip(long n) throws IOException {
+            // dummy array used to implement skip()
+            byte[] skipArray = new byte[256];
+
+            long skipped = 0;
+            while (n > 0) {
+                int len = (int)Math.min(n, skipArray.length);
+                int r = read(skipArray, 0, len);
+                if (r <= 0) {
+                    break;
                 }
+                n -= r;
+                skipped += r;
             }
 
-            return;
+            return skipped;
         }
 
-        // No explicitly specified hostname, no server name indication.
-        if (!trustNameService) {
-            // The local name service is not trustworthy, use IP address.
-            host = inetAddress.getHostAddress();
-        } else {
-            // Use the underlying reverse host name resolution service.
-            host = getInetAddress().getHostName();
-        }
-    }
-
-    // ONLY used by HttpsClient to setup the URI specified hostname
-    //
-    // Please NOTE that this method MUST be called before calling to
-    // SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
-    // may override SNIHostName in the customized server name indication.
-    public synchronized void setHost(String host) {
-        this.host = host;
-        this.serverNames =
-            Utilities.addToSNIServerNameList(this.serverNames, this.host);
-
-        if (!roleIsServer && (handshaker != null) && !handshaker.activated()) {
-            handshaker.setSNIServerNames(serverNames);
+        @Override
+        public void close() throws IOException {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.finest("Closing input stream");
+            }
+
+            conContext.closeInbound();
         }
     }
 
-    /**
-     * Gets an input stream to read from the peer on the other side.
-     * Data read from this stream was always integrity protected in
-     * transit, and will usually have been confidentiality protected.
-     */
     @Override
-    public synchronized InputStream getInputStream() throws IOException {
-        if (isClosed()) {
-            throw new SocketException("Socket is closed");
+    public synchronized OutputStream getOutputStream() throws IOException {
+        if (isClosed() || conContext.isOutboundDone()) {
+            throw new SocketException("Socket or outbound is closed");
         }
 
-        /*
-         * Can't call isConnected() here, because the Handshakers
-         * do some initialization before we actually connect.
-         */
-        if (connectionState == cs_START) {
+        if (!isConnected) {
             throw new SocketException("Socket is not connected");
         }
 
-        return input;
+        return appOutput;
     }
 
-    /**
-     * Gets an output stream to write to the peer on the other side.
-     * Data written on this stream is always integrity protected, and
-     * will usually be confidentiality protected.
-     */
-    @Override
-    public synchronized OutputStream getOutputStream() throws IOException {
-        if (isClosed()) {
-            throw new SocketException("Socket is closed");
-        }
+    private class AppOutputStream extends OutputStream {
+        // One element array used to implement the write(byte) method
+        private final byte[] oneByte = new byte[1];
 
-        /*
-         * Can't call isConnected() here, because the Handshakers
-         * do some initialization before we actually connect.
-         */
-        if (connectionState == cs_START) {
-            throw new SocketException("Socket is not connected");
+        @Override
+        public void write(int i) throws IOException {
+            oneByte[0] = (byte)i;
+            write(oneByte, 0, 1);
         }
 
-        return output;
-    }
+        @Override
+        public synchronized void write(byte[] b,
+                int off, int len) throws IOException {
+            if (b == null) {
+                throw new NullPointerException("the source buffer is null");
+            } else if (off < 0 || len < 0 || len > b.length - off) {
+                throw new IndexOutOfBoundsException(
+                        "buffer length: " + b.length + ", offset; " + off +
+                        ", bytes to read:" + len);
+            } else if (len == 0) {
+                return;
+            }
+
+            // start handshaking if the connection has not been negotiated.
+            if (!conContext.isNegotiated && !conContext.isClosed()) {
+                ensureNegotiated();
+            }
 
-    /**
-     * Returns the SSL Session in use by this connection.  These can
-     * be long lived, and frequently correspond to an entire login session
-     * for some user.
-     */
-    @Override
-    public SSLSession getSession() {
-        /*
-         * Force a synchronous handshake, if appropriate.
-         */
-        if (getConnectionState() == cs_HANDSHAKE) {
+            // check if the Socket is invalid (error or closed)
+            checkWrite();
+
+            // Delegate the writing to the underlying socket.
             try {
-                // start handshaking, if failed, the connection will be closed.
-                startHandshake(false);
-            } catch (IOException e) {
-                // handshake failed. log and return a nullSession
-                if (debug != null && Debug.isOn("handshake")) {
-                      System.out.println(Thread.currentThread().getName() +
-                          ", IOException in getSession():  " + e);
-                }
+                writeRecord(b, off, len);
+                checkWrite();
+            } catch (IOException ioe) {
+                // shutdown and rethrow (wrapped) exception as appropriate
+                handleException(ioe);
             }
         }
-        synchronized (this) {
-            return sess;
+
+        @Override
+        public void close() throws IOException {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.finest("Closing output stream");
+            }
+
+            conContext.closeOutbound();
         }
     }
 
     @Override
-    public synchronized SSLSession getHandshakeSession() {
-        return handshakeSession;
-    }
-
-    synchronized void setHandshakeSession(SSLSessionImpl session) {
-        // update the fragment size, which may be negotiated during handshaking
-        inputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
-        outputRecord.changeFragmentSize(session.getNegotiatedMaxFragSize());
-
-        handshakeSession = session;
+    public synchronized SSLParameters getSSLParameters() {
+        return conContext.sslConfig.getSSLParameters();
     }
 
-    /**
-     * Controls whether new connections may cause creation of new SSL
-     * sessions.
-     *
-     * As long as handshaking has not started, we can change
-     * whether we enable session creations.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
     @Override
-    public synchronized void setEnableSessionCreation(boolean flag) {
-        enableSessionCreation = flag;
+    public synchronized void setSSLParameters(SSLParameters params) {
+        conContext.sslConfig.setSSLParameters(params);
 
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setEnableSessionCreation(enableSessionCreation);
+        if (conContext.sslConfig.maximumPacketSize != 0) {
+            conContext.outputRecord.changePacketSize(
+                    conContext.sslConfig.maximumPacketSize);
         }
     }
 
-    /**
-     * Returns true if new connections may cause creation of new SSL
-     * sessions.
-     */
     @Override
-    public synchronized boolean getEnableSessionCreation() {
-        return enableSessionCreation;
+    public synchronized String getApplicationProtocol() {
+        return conContext.applicationProtocol;
     }
 
-
-    /**
-     * Sets the flag controlling whether a server mode socket
-     * *REQUIRES* SSL client authentication.
-     *
-     * As long as handshaking has not started, we can change
-     * whether client authentication is needed.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
     @Override
-    public synchronized void setNeedClientAuth(boolean flag) {
-        doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUIRED :
-                ClientAuthType.CLIENT_AUTH_NONE);
-
-        if ((handshaker != null) &&
-                (handshaker instanceof ServerHandshaker) &&
-                !handshaker.activated()) {
-            ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
+    public synchronized String getHandshakeApplicationProtocol() {
+        if (conContext.handshakeContext != null) {
+            return conContext.handshakeContext.applicationProtocol;
         }
-    }
 
-    @Override
-    public synchronized boolean getNeedClientAuth() {
-        return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED);
+        return null;
     }
 
-    /**
-     * Sets the flag controlling whether a server mode socket
-     * *REQUESTS* SSL client authentication.
-     *
-     * As long as handshaking has not started, we can change
-     * whether client authentication is requested.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
     @Override
-    public synchronized void setWantClientAuth(boolean flag) {
-        doClientAuth = (flag ? ClientAuthType.CLIENT_AUTH_REQUESTED :
-                ClientAuthType.CLIENT_AUTH_NONE);
-
-        if ((handshaker != null) &&
-                (handshaker instanceof ServerHandshaker) &&
-                !handshaker.activated()) {
-            ((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
-        }
+    public synchronized void setHandshakeApplicationProtocolSelector(
+            BiFunction<SSLSocket, List<String>, String> selector) {
+        conContext.sslConfig.socketAPSelector = selector;
     }
 
     @Override
-    public synchronized boolean getWantClientAuth() {
-        return (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED);
+    public synchronized BiFunction<SSLSocket, List<String>, String>
+            getHandshakeApplicationProtocolSelector() {
+        return conContext.sslConfig.socketAPSelector;
     }
 
+    private synchronized void writeRecord(byte[] source,
+            int offset, int length) throws IOException {
+        if (conContext.isOutboundDone()) {
+            throw new SocketException("Socket or outbound closed");
+        }
 
-    /**
-     * Sets the flag controlling whether the socket is in SSL
-     * client or server mode.  Must be called before any SSL
-     * traffic has started.
-     */
-    @Override
-    @SuppressWarnings("fallthrough")
-    public synchronized void setUseClientMode(boolean flag) {
-        switch (connectionState) {
+        //
+        // Don't bother to really write empty records.  We went this
+        // far to drive the handshake machinery, for correctness; not
+        // writing empty records improves performance by cutting CPU
+        // time and network resource usage.  However, some protocol
+        // implementations are fragile and don't like to see empty
+        // records, so this also increases robustness.
+        //
+        if (length > 0) {
+            try {
+                conContext.outputRecord.deliver(source, offset, length);
+            } catch (SSLHandshakeException she) {
+                // may be record sequence number overflow
+                conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
+            } catch (IOException e) {
+                conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
+            }
+        }
 
-        case cs_START:
-            /*
-             * If we need to change the socket mode and the enabled
-             * protocols and cipher suites haven't specifically been
-             * set by the user, change them to the corresponding
-             * default ones.
-             */
-            if (roleIsServer != (!flag)) {
-                if (sslContext.isDefaultProtocolList(enabledProtocols)) {
-                    enabledProtocols =
-                            sslContext.getDefaultProtocolList(!flag);
-                }
+        // Is the sequence number is nearly overflow?
+        if (conContext.outputRecord.seqNumIsHuge()) {
+            tryKeyUpdate();
+        }
+    }
 
-                if (sslContext.isDefaultCipherSuiteList(enabledCipherSuites)) {
-                    enabledCipherSuites =
-                            sslContext.getDefaultCipherSuiteList(!flag);
+    private synchronized int readRecord() throws IOException {
+        while (!conContext.isInboundDone()) {
+            try {
+                Plaintext plainText = decode(null);
+                if ((plainText.contentType == ContentType.HANDSHAKE.id) &&
+                        conContext.isNegotiated) {
+                    return 0;
                 }
+            } catch (SSLException ssle) {
+                throw ssle;
+            } catch (IOException ioe) {
+                throw new SSLException("readRecord", ioe);
             }
+        }
 
-            roleIsServer = !flag;
-            break;
+        return -1;
+    }
 
-        case cs_HANDSHAKE:
+    private synchronized int readRecord(ByteBuffer buffer) throws IOException {
+        while (!conContext.isInboundDone()) {
             /*
-             * If we have a handshaker, but haven't started
-             * SSL traffic, we can throw away our current
-             * handshaker, and start from scratch.  Don't
-             * need to call doneConnect() again, we already
-             * have the streams.
+             * clean the buffer and check if it is too small, e.g. because
+             * the AppInputStream did not have the chance to see the
+             * current packet length but rather something like that of the
+             * handshake before. In that case we return 0 at this point to
+             * give the caller the chance to adjust the buffer.
              */
-            assert(handshaker != null);
-            if (!handshaker.activated()) {
-                /*
-                 * If we need to change the socket mode and the enabled
-                 * protocols and cipher suites haven't specifically been
-                 * set by the user, change them to the corresponding
-                 * default ones.
-                 */
-                if (roleIsServer != (!flag)) {
-                    if (sslContext.isDefaultProtocolList(enabledProtocols)) {
-                        enabledProtocols =
-                                sslContext.getDefaultProtocolList(!flag);
-                    }
+            buffer.clear();
+            int inLen = conContext.inputRecord.bytesInCompletePacket();
+            if (inLen < 0) {    // EOF
+                return -1;
+            }
 
-                    if (sslContext.isDefaultCipherSuiteList(
-                                                    enabledCipherSuites)) {
-                        enabledCipherSuites =
-                            sslContext.getDefaultCipherSuiteList(!flag);
-                    }
-                }
+            if (buffer.remaining() < inLen) {
+                return 0;
+            }
 
-                roleIsServer = !flag;
-                connectionState = cs_START;
-                initHandshaker();
-                break;
-            }
-
-            // If handshake has started, that's an error.  Fall through...
-
-        default:
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", setUseClientMode() invoked in state = " +
-                    connectionState);
+            try {
+                Plaintext plainText = decode(buffer);
+                if (plainText.contentType == ContentType.APPLICATION_DATA.id) {
+                    return buffer.position();
+                }
+            } catch (SSLException ssle) {
+                throw ssle;
+            } catch (IOException ioe) {
+                throw new SSLException("readRecord", ioe);
             }
-            throw new IllegalArgumentException(
-                "Cannot change mode after SSL traffic has started");
         }
-    }
 
-    @Override
-    public synchronized boolean getUseClientMode() {
-        return !roleIsServer;
+        //
+        // couldn't read, due to some kind of error
+        //
+        return -1;
     }
 
+    private Plaintext decode(ByteBuffer destination) throws IOException {
+        Plaintext plainText;
+        if (destination == null) {
+            plainText = SSLTransport.decode(conContext,
+                    null, 0, 0, null, 0, 0);
+        } else {
+            plainText = SSLTransport.decode(conContext,
+                    null, 0, 0, new ByteBuffer[]{destination}, 0, 1);
+        }
 
-    /**
-     * Returns the names of the cipher suites which could be enabled for use
-     * on an SSL connection.  Normally, only a subset of these will actually
-     * be enabled by default, since this list may include cipher suites which
-     * do not support the mutual authentication of servers and clients, or
-     * which do not protect data confidentiality.  Servers may also need
-     * certain kinds of certificates to use certain cipher suites.
-     *
-     * @return an array of cipher suite names
-     */
-    @Override
-    public String[] getSupportedCipherSuites() {
-        return sslContext.getSupportedCipherSuiteList().toStringArray();
+        // Is the sequence number is nearly overflow?
+        if (plainText != Plaintext.PLAINTEXT_NULL &&
+                conContext.inputRecord.seqNumIsHuge()) {
+            tryKeyUpdate();
+        }
+
+        return plainText;
     }
 
     /**
-     * Controls which particular cipher suites are enabled for use on
-     * this connection.  The cipher suites must have been listed by
-     * getCipherSuites() as being supported.  Even if a suite has been
-     * enabled, it might never be used if no peer supports it or the
-     * requisite certificates (and private keys) are not available.
+     * Try renegotiation or key update for sequence number wrap.
      *
-     * @param suites Names of all the cipher suites to enable.
+     * Note that in order to maintain the handshake status properly, we check
+     * the sequence number after the last record reading/writing process.  As
+     * we request renegotiation or close the connection for wrapped sequence
+     * number when there is enough sequence number space left to handle a few
+     * more records, so the sequence number of the last record cannot be
+     * wrapped.
      */
-    @Override
-    public synchronized void setEnabledCipherSuites(String[] suites) {
-        enabledCipherSuites = new CipherSuiteList(suites);
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setEnabledCipherSuites(enabledCipherSuites);
+    private void tryKeyUpdate() throws IOException {
+        // Don't bother to kickstart the renegotiation or key update when the
+        // local is asking for it.
+        if ((conContext.handshakeContext == null) &&
+                !conContext.isClosed() && !conContext.isBroken) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.finest("key update to wrap sequence number");
+            }
+            conContext.keyUpdate();
         }
     }
 
-    /**
-     * Returns the names of the SSL cipher suites which are currently enabled
-     * for use on this connection.  When an SSL socket is first created,
-     * all enabled cipher suites <em>(a)</em> protect data confidentiality,
-     * by traffic encryption, and <em>(b)</em> can mutually authenticate
-     * both clients and servers.  Thus, in some environments, this value
-     * might be empty.
-     *
-     * @return an array of cipher suite names
-     */
-    @Override
-    public synchronized String[] getEnabledCipherSuites() {
-        return enabledCipherSuites.toStringArray();
+    private void closeSocket(boolean selfInitiated) throws IOException {
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+            SSLLogger.fine("close the ssl connection " +
+                (selfInitiated ? "(initiative)" : "(passive)"));
+        }
+
+        if (autoClose || !isLayered()) {
+            super.close();
+        } else if (selfInitiated) {
+            // wait for close_notify alert to clear input stream.
+            waitForClose();
+        }
     }
 
+   /**
+    * Wait for close_notify alert for a graceful closure.
+    *
+    * [RFC 5246] If the application protocol using TLS provides that any
+    * data may be carried over the underlying transport after the TLS
+    * connection is closed, the TLS implementation must receive the responding
+    * close_notify alert before indicating to the application layer that
+    * the TLS connection has ended.  If the application protocol will not
+    * transfer any additional data, but will only close the underlying
+    * transport connection, then the implementation MAY choose to close the
+    * transport without waiting for the responding close_notify.
+    */
+    private void waitForClose() throws IOException {
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+            SSLLogger.fine("wait for close_notify or alert");
+        }
 
-    /**
-     * Returns the protocols that are supported by this implementation.
-     * A subset of the supported protocols may be enabled for this connection
-     * @return an array of protocol names.
-     */
-    @Override
-    public String[] getSupportedProtocols() {
-        return sslContext.getSuportedProtocolList().toStringArray();
+        while (!conContext.isInboundDone()) {
+            try {
+                Plaintext plainText = decode(null);
+                // discard and continue
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest(
+                        "discard plaintext while waiting for close", plainText);
+                }
+            } catch (Exception e) {   // including RuntimeException
+                handleException(e);
+            }
+        }
     }
 
     /**
-     * Controls which protocols are enabled for use on
-     * this connection.  The protocols must have been listed by
-     * getSupportedProtocols() as being supported.
+     * Initialize the handshaker and socket streams.
      *
-     * @param protocols protocols to enable.
-     * @exception IllegalArgumentException when one of the protocols
-     *  named by the parameter is not supported.
+     * Called by connect, the layered constructor, and SSLServerSocket.
      */
-    @Override
-    public synchronized void setEnabledProtocols(String[] protocols) {
-        enabledProtocols = new ProtocolList(protocols);
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setEnabledProtocols(enabledProtocols);
+    synchronized void doneConnect() throws IOException {
+        // In server mode, it is not necessary to set host and serverNames.
+        // Otherwise, would require a reverse DNS lookup to get the hostname.
+        if ((peerHost == null) || (peerHost.length() == 0)) {
+            boolean useNameService =
+                    trustNameService && conContext.sslConfig.isClientMode;
+            useImplicitHost(useNameService);
+        } else {
+            conContext.sslConfig.serverNames =
+                    Utilities.addToSNIServerNameList(
+                            conContext.sslConfig.serverNames, peerHost);
         }
-    }
 
-    @Override
-    public synchronized String[] getEnabledProtocols() {
-        return enabledProtocols.toStringArray();
+        InputStream sockInput = super.getInputStream();
+        conContext.inputRecord.setReceiverStream(sockInput);
+
+        OutputStream sockOutput = super.getOutputStream();
+        conContext.inputRecord.setDeliverStream(sockOutput);
+        conContext.outputRecord.setDeliverStream(sockOutput);
+
+        this.isConnected = true;
     }
 
-    /**
-     * Assigns the socket timeout.
-     * @see java.net.Socket#setSoTimeout
-     */
-    @Override
-    public void setSoTimeout(int timeout) throws SocketException {
-        if ((debug != null) && Debug.isOn("ssl")) {
-            System.out.println(Thread.currentThread().getName() +
-                ", setSoTimeout(" + timeout + ") called");
+    private void useImplicitHost(boolean useNameService) {
+        // Note: If the local name service is not trustworthy, reverse
+        // host name resolution should not be performed for endpoint
+        // identification.  Use the application original specified
+        // hostname or IP address instead.
+
+        // Get the original hostname via jdk.internal.misc.SharedSecrets
+        InetAddress inetAddress = getInetAddress();
+        if (inetAddress == null) {      // not connected
+            return;
         }
 
-        super.setSoTimeout(timeout);
-    }
+        JavaNetInetAddressAccess jna =
+                SharedSecrets.getJavaNetInetAddressAccess();
+        String originalHostname = jna.getOriginalHostName(inetAddress);
+        if ((originalHostname != null) &&
+                (originalHostname.length() != 0)) {
 
-    /**
-     * Registers an event listener to receive notifications that an
-     * SSL handshake has completed on this connection.
-     */
-    @Override
-    public synchronized void addHandshakeCompletedListener(
-            HandshakeCompletedListener listener) {
-        if (listener == null) {
-            throw new IllegalArgumentException("listener is null");
+            this.peerHost = originalHostname;
+            if (conContext.sslConfig.serverNames.isEmpty() &&
+                    !conContext.sslConfig.noSniExtension) {
+                conContext.sslConfig.serverNames =
+                        Utilities.addToSNIServerNameList(
+                                conContext.sslConfig.serverNames, peerHost);
+            }
+
+            return;
         }
-        if (handshakeListeners == null) {
-            handshakeListeners = new
-                HashMap<HandshakeCompletedListener, AccessControlContext>(4);
+
+        // No explicitly specified hostname, no server name indication.
+        if (!useNameService) {
+            // The local name service is not trustworthy, use IP address.
+            this.peerHost = inetAddress.getHostAddress();
+        } else {
+            // Use the underlying reverse host name resolution service.
+            this.peerHost = getInetAddress().getHostName();
         }
-        handshakeListeners.put(listener, AccessController.getContext());
     }
 
+    // ONLY used by HttpsClient to setup the URI specified hostname
+    //
+    // Please NOTE that this method MUST be called before calling to
+    // SSLSocket.setSSLParameters(). Otherwise, the {@code host} parameter
+    // may override SNIHostName in the customized server name indication.
+    public synchronized void setHost(String host) {
+        this.peerHost = host;
+        this.conContext.sslConfig.serverNames =
+                Utilities.addToSNIServerNameList(
+                        conContext.sslConfig.serverNames, host);
+    }
 
     /**
-     * Removes a previously registered handshake completion listener.
+     * Return whether we have reached end-of-file.
+     *
+     * If the socket is not connected, has been shutdown because of an error
+     * or has been closed, throw an Exception.
      */
-    @Override
-    public synchronized void removeHandshakeCompletedListener(
-            HandshakeCompletedListener listener) {
-        if (handshakeListeners == null) {
-            throw new IllegalArgumentException("no listeners");
-        }
-        if (handshakeListeners.remove(listener) == null) {
-            throw new IllegalArgumentException("listener not registered");
-        }
-        if (handshakeListeners.isEmpty()) {
-            handshakeListeners = null;
+    synchronized boolean checkEOF() throws IOException {
+        if (conContext.isClosed()) {
+            throw new SocketException("Socket is closed");
+        } else if (conContext.isInputCloseNotified || conContext.isBroken) {
+            if (conContext.closeReason == null) {
+                return true;
+            } else {
+                throw new SSLException(
+                    "Connection has been shutdown: " + conContext.closeReason,
+                    conContext.closeReason);
+            }
         }
+
+        return false;
     }
 
     /**
-     * Returns the SSLParameters in effect for this SSLSocket.
+     * Check if we can write data to this socket.
      */
-    @Override
-    public synchronized SSLParameters getSSLParameters() {
-        SSLParameters params = super.getSSLParameters();
-
-        // the super implementation does not handle the following parameters
-        params.setEndpointIdentificationAlgorithm(identificationProtocol);
-        params.setAlgorithmConstraints(algorithmConstraints);
-
-        if (sniMatchers.isEmpty() && !noSniMatcher) {
-            // 'null' indicates none has been set
-            params.setSNIMatchers(null);
-        } else {
-            params.setSNIMatchers(sniMatchers);
+    synchronized void checkWrite() throws IOException {
+        if (checkEOF() || conContext.isOutboundDone()) {
+            // we are at EOF, write must throw Exception
+            throw new SocketException("Connection closed");
         }
-
-        if (serverNames.isEmpty() && !noSniExtension) {
-            // 'null' indicates none has been set
-            params.setServerNames(null);
-        } else {
-            params.setServerNames(serverNames);
+        if (!isConnected) {
+            throw new SocketException("Socket is not connected");
         }
-
-        params.setUseCipherSuitesOrder(preferLocalCipherSuites);
-        params.setMaximumPacketSize(maximumPacketSize);
-        params.setApplicationProtocols(applicationProtocols);
-
-        // DTLS handshake retransmissions parameter does not apply here.
-
-        return params;
     }
 
     /**
-     * Applies SSLParameters to this socket.
+     * Handle an exception.
+     *
+     * This method is called by top level exception handlers (in read(),
+     * write()) to make sure we always shutdown the connection correctly
+     * and do not pass runtime exception to the application.
+     *
+     * This method never returns normally, it always throws an IOException.
      */
-    @Override
-    public synchronized void setSSLParameters(SSLParameters params) {
-        super.setSSLParameters(params);
-
-        // the super implementation does not handle the following parameters
-        identificationProtocol = params.getEndpointIdentificationAlgorithm();
-        algorithmConstraints = params.getAlgorithmConstraints();
-        preferLocalCipherSuites = params.getUseCipherSuitesOrder();
-        maximumPacketSize = params.getMaximumPacketSize();
-
-        // DTLS handshake retransmissions parameter does not apply here.
-
-        if (maximumPacketSize != 0) {
-            outputRecord.changePacketSize(maximumPacketSize);
-        } else {
-            // use the implicit maximum packet size.
-            maximumPacketSize = outputRecord.getMaxPacketSize();
-        }
-
-        List<SNIServerName> sniNames = params.getServerNames();
-        if (sniNames != null) {
-            noSniExtension = sniNames.isEmpty();
-            serverNames = sniNames;
+    private void handleException(Exception cause) throws IOException {
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+            SSLLogger.warning("handling exception", cause);
         }
 
-        Collection<SNIMatcher> matchers = params.getSNIMatchers();
-        if (matchers != null) {
-            noSniMatcher = matchers.isEmpty();
-            sniMatchers = matchers;
+        // Don't close the Socket in case of timeouts or interrupts.
+        if (cause instanceof InterruptedIOException) {
+            throw (IOException)cause;
         }
 
-        applicationProtocols = params.getApplicationProtocols();
-
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setIdentificationProtocol(identificationProtocol);
-            handshaker.setAlgorithmConstraints(algorithmConstraints);
-            handshaker.setMaximumPacketSize(maximumPacketSize);
-            handshaker.setApplicationProtocols(applicationProtocols);
-            if (roleIsServer) {
-                handshaker.setSNIMatchers(sniMatchers);
-                handshaker.setUseCipherSuitesOrder(preferLocalCipherSuites);
+        // need to perform error shutdown
+        boolean isSSLException = (cause instanceof SSLException);
+        Alert alert;
+        if (isSSLException) {
+            if (cause instanceof SSLHandshakeException) {
+                alert = Alert.HANDSHAKE_FAILURE;
             } else {
-                handshaker.setSNIServerNames(serverNames);
+                alert = Alert.UNEXPECTED_MESSAGE;
+            }
+        } else {
+            if (cause instanceof IOException) {
+                alert = Alert.UNEXPECTED_MESSAGE;
+            } else {
+                // RuntimeException
+                alert = Alert.INTERNAL_ERROR;
             }
         }
+        conContext.fatal(alert, cause);
     }
 
     @Override
-    public synchronized String getApplicationProtocol() {
-        return applicationProtocol;
+    public String getPeerHost() {
+        return peerHost;
     }
 
     @Override
-    public synchronized String getHandshakeApplicationProtocol() {
-        if ((handshaker != null) && handshaker.started()) {
-            return handshaker.getHandshakeApplicationProtocol();
-        }
-        return null;
+    public int getPeerPort() {
+        return getPort();
     }
 
     @Override
-    public synchronized void setHandshakeApplicationProtocolSelector(
-        BiFunction<SSLSocket, List<String>, String> selector) {
-        applicationProtocolSelector = selector;
-        if ((handshaker != null) && !handshaker.activated()) {
-            handshaker.setApplicationProtocolSelectorSSLSocket(selector);
-        }
+    public boolean useDelegatedTask() {
+        return false;
     }
 
     @Override
-    public synchronized BiFunction<SSLSocket, List<String>, String>
-        getHandshakeApplicationProtocolSelector() {
-        return this.applicationProtocolSelector;
-    }
-
-    //
-    // We allocate a separate thread to deliver handshake completion
-    // events.  This ensures that the notifications don't block the
-    // protocol state machine.
-    //
-    private static class NotifyHandshake implements Runnable {
-
-        private Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
-                targets;        // who gets notified
-        private HandshakeCompletedEvent event;          // the notification
-
-        NotifyHandshake(
-            Set<Map.Entry<HandshakeCompletedListener,AccessControlContext>>
-            entrySet, HandshakeCompletedEvent e) {
-
-            targets = new HashSet<>(entrySet);          // clone the entry set
-            event = e;
-        }
+    public void shutdown() throws IOException {
+        if (!isClosed()) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine("close the underlying socket");
+            }
 
-        @Override
-        public void run() {
-            // Don't need to synchronize, as it only runs in one thread.
-            for (Map.Entry<HandshakeCompletedListener,AccessControlContext>
-                entry : targets) {
-
-                final HandshakeCompletedListener l = entry.getKey();
-                AccessControlContext acc = entry.getValue();
-                AccessController.doPrivileged(new PrivilegedAction<Void>() {
-                    @Override
-                    public Void run() {
-                        l.handshakeCompleted(event);
-                        return null;
-                    }
-                }, acc);
+            try {
+                if (conContext.isInputCloseNotified) {
+                    // Close the connection, no wait for more peer response.
+                    closeSocket(false);
+                } else {
+                    // Close the connection, may wait for peer close_notify.
+                    closeSocket(true);
+                }
+            } finally {
+                tlsIsClosed = true;
             }
         }
     }
-
-    /**
-     * Returns a printable representation of this end of the connection.
-     */
-    @Override
-    public String toString() {
-        StringBuilder retval = new StringBuilder(80);
-
-        retval.append(Integer.toHexString(hashCode()));
-        retval.append("[");
-        retval.append(sess.getCipherSuite());
-        retval.append(": ");
-
-        retval.append(super.toString());
-        retval.append("]");
-
-        return retval.toString();
-    }
 }
--- old/src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java	2018-05-11 15:06:05.777490200 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java	2018-05-11 15:06:05.281723400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,13 +27,11 @@
 
 import java.io.*;
 import java.nio.*;
-
+import java.security.GeneralSecurityException;
+import java.util.ArrayList;
 import javax.crypto.BadPaddingException;
-
 import javax.net.ssl.*;
-
-import sun.security.util.HexDumpEncoder;
-
+import sun.security.ssl.SSLCipher.SSLReadCipher;
 
 /**
  * {@code InputRecord} implementation for {@code SSLSocket}.
@@ -41,8 +39,9 @@
  * @author David Brownell
  */
 final class SSLSocketInputRecord extends InputRecord implements SSLRecord {
-    private OutputStream deliverStream = null;
-    private byte[] temporary = new byte[1024];
+    private InputStream is = null;
+    private OutputStream os = null;
+    private final byte[] temporary = new byte[1024];
 
     // used by handshake hash computation for handshake fragment
     private byte prevType = -1;
@@ -51,20 +50,24 @@
 
     private boolean formatVerified = false;     // SSLv2 ruled out?
 
+    // Cache for incomplete handshake messages.
+    private ByteBuffer handshakeBuffer = null;
+
     private boolean hasHeader = false;          // Had read the record header
 
-    SSLSocketInputRecord() {
-        this.readAuthenticator = MAC.TLS_NULL;
+    SSLSocketInputRecord(HandshakeHash handshakeHash) {
+        super(handshakeHash, SSLReadCipher.nullTlsReadCipher());
     }
 
     @Override
-    int bytesInCompletePacket(InputStream is) throws IOException {
+    int bytesInCompletePacket() throws IOException {
 
         if (!hasHeader) {
             // read exactly one record
             int really = read(is, temporary, 0, headerSize);
             if (really < 0) {
-                throw new EOFException("SSL peer shut down incorrectly");
+                // EOF: peer shut down incorrectly
+                return -1;
             }
             hasHeader = true;
         }
@@ -79,15 +82,17 @@
          * see if it's SSL/TLS.
          */
         if (formatVerified ||
-                (byteZero == ct_handshake) || (byteZero == ct_alert)) {
+                (byteZero == ContentType.HANDSHAKE.id) ||
+                (byteZero == ContentType.ALERT.id)) {
             /*
              * Last sanity check that it's not a wild record
              */
-            ProtocolVersion recordVersion =
-                    ProtocolVersion.valueOf(temporary[1], temporary[2]);
-
-            // check the record version
-            checkRecordVersion(recordVersion, false);
+            if (!ProtocolVersion.isNegotiable(
+                    temporary[1], temporary[2], false, false)) {
+                throw new SSLException("Unrecognized record version " +
+                        ProtocolVersion.nameOf(temporary[1], temporary[2]) +
+                        " , plaintext connection?");
+            }
 
             /*
              * Reasonably sure this is a V3, disable further checks.
@@ -112,11 +117,12 @@
             boolean isShort = ((byteZero & 0x80) != 0);
 
             if (isShort && ((temporary[2] == 1) || (temporary[2] == 4))) {
-                ProtocolVersion recordVersion =
-                        ProtocolVersion.valueOf(temporary[3], temporary[4]);
-
-                // check the record version
-                checkRecordVersion(recordVersion, true);
+                if (!ProtocolVersion.isNegotiable(
+                        temporary[3], temporary[4], false, false)) {
+                    throw new SSLException("Unrecognized record version " +
+                            ProtocolVersion.nameOf(temporary[3], temporary[4]) +
+                            " , plaintext connection?");
+                }
 
                 /*
                  * Client or Server Hello
@@ -140,10 +146,10 @@
         return len;
     }
 
-    // destination.position() is zero.
+    // Note that the input arguments are not used actually.
     @Override
-    Plaintext decode(InputStream is, ByteBuffer destination)
-            throws IOException, BadPaddingException {
+    Plaintext[] decode(ByteBuffer[] srcs, int srcsOffset,
+            int srcsLength) throws IOException, BadPaddingException {
 
         if (isClosed) {
             return null;
@@ -167,36 +173,44 @@
              * alert message. If it's not, it is either invalid or an
              * SSLv2 message.
              */
-            if ((temporary[0] != ct_handshake) &&
-                (temporary[0] != ct_alert)) {
-
-                plaintext = handleUnknownRecord(is, temporary, destination);
+            if ((temporary[0] != ContentType.HANDSHAKE.id) &&
+                (temporary[0] != ContentType.ALERT.id)) {
+                hasHeader = false;
+                return handleUnknownRecord(temporary);
             }
         }
 
-        if (plaintext == null) {
-            plaintext = decodeInputRecord(is, temporary, destination);
-        }
-
         // The record header should has comsumed.
         hasHeader = false;
+        return decodeInputRecord(temporary);
+    }
 
-        return plaintext;
+    @Override
+    void setReceiverStream(InputStream inputStream) {
+        this.is = inputStream;
     }
 
     @Override
     void setDeliverStream(OutputStream outputStream) {
-        this.deliverStream = outputStream;
+        this.os = outputStream;
     }
 
     // Note that destination may be null
-    private Plaintext decodeInputRecord(InputStream is, byte[] header,
-            ByteBuffer destination) throws IOException, BadPaddingException {
-
-        byte contentType = header[0];
-        byte majorVersion = header[1];
-        byte minorVersion = header[2];
-        int contentLen = ((header[3] & 0xFF) << 8) + (header[4] & 0xFF);
+    private Plaintext[] decodeInputRecord(
+            byte[] header) throws IOException, BadPaddingException {
+        byte contentType = header[0];                   // pos: 0
+        byte majorVersion = header[1];                  // pos: 1
+        byte minorVersion = header[2];                  // pos: 2
+        int contentLen = ((header[3] & 0xFF) << 8) +
+                           (header[4] & 0xFF);          // pos: 3, 4
+
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine(
+                    "READ: " +
+                    ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                    " " + ContentType.nameOf(contentType) + ", length = " +
+                    contentLen);
+        }
 
         //
         // Check for upper bound.
@@ -210,10 +224,7 @@
         //
         // Read a complete record.
         //
-        if (destination == null) {
-            destination = ByteBuffer.allocate(headerSize + contentLen);
-        }  // Otherwise, the destination buffer should have enough room.
-
+        ByteBuffer destination = ByteBuffer.allocate(headerSize + contentLen);
         int dstPos = destination.position();
         destination.put(temporary, 0, headerSize);
         while (contentLen > 0) {
@@ -229,100 +240,113 @@
         destination.flip();
         destination.position(dstPos + headerSize);
 
-        if (debug != null && Debug.isOn("record")) {
-             System.out.println(Thread.currentThread().getName() +
-                    ", READ: " +
-                    ProtocolVersion.valueOf(majorVersion, minorVersion) +
-                    " " + Record.contentName(contentType) + ", length = " +
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine(
+                    "READ: " +
+                    ProtocolVersion.nameOf(majorVersion, minorVersion) +
+                    " " + ContentType.nameOf(contentType) + ", length = " +
                     destination.remaining());
         }
 
         //
         // Decrypt the fragment
         //
-        ByteBuffer plaintext =
-            decrypt(readAuthenticator, readCipher, contentType, destination);
-
-        if ((contentType != ct_handshake) && (hsMsgOff != hsMsgLen)) {
+        ByteBuffer fragment;
+        try {
+            Plaintext plaintext =
+                    readCipher.decrypt(contentType, destination, null);
+            fragment = plaintext.fragment;
+            contentType = plaintext.contentType;
+        } catch (BadPaddingException bpe) {
+            throw bpe;
+        } catch (GeneralSecurityException gse) {
+            throw (SSLProtocolException)(new SSLProtocolException(
+                    "Unexpected exception")).initCause(gse);
+        }
+        if (contentType != ContentType.HANDSHAKE.id && hsMsgOff != hsMsgLen) {
             throw new SSLProtocolException(
                     "Expected to get a handshake fragment");
         }
 
         //
-        // handshake hashing
+        // parse handshake messages
         //
-        if (contentType == ct_handshake) {
-            int pltPos = plaintext.position();
-            int pltLim = plaintext.limit();
-            int frgPos = pltPos;
-            for (int remains = plaintext.remaining(); remains > 0;) {
-                int howmuch;
-                byte handshakeType;
-                if (hsMsgOff < hsMsgLen) {
-                    // a fragment of the handshake message
-                    howmuch = Math.min((hsMsgLen - hsMsgOff), remains);
-                    handshakeType = prevType;
-
-                    hsMsgOff += howmuch;
-                    if (hsMsgOff == hsMsgLen) {
-                        // Now is a complete handshake message.
-                        hsMsgOff = 0;
-                        hsMsgLen = 0;
-                    }
-                } else {    // hsMsgOff == hsMsgLen, a new handshake message
-                    handshakeType = plaintext.get();
-                    int handshakeLen = ((plaintext.get() & 0xFF) << 16) |
-                                       ((plaintext.get() & 0xFF) << 8) |
-                                        (plaintext.get() & 0xFF);
-                    plaintext.position(frgPos);
-                    if (remains < (handshakeLen + 1)) { // 1: handshake type
-                        // This handshake message is fragmented.
-                        prevType = handshakeType;
-                        hsMsgOff = remains - 4;         // 4: handshake header
-                        hsMsgLen = handshakeLen;
-                    }
-
-                    howmuch = Math.min(handshakeLen + 4, remains);
+        if (contentType == ContentType.HANDSHAKE.id) {
+            ByteBuffer handshakeFrag = fragment;
+            if ((handshakeBuffer != null) &&
+                    (handshakeBuffer.remaining() != 0)) {
+                ByteBuffer bb = ByteBuffer.wrap(new byte[
+                        handshakeBuffer.remaining() + fragment.remaining()]);
+                bb.put(handshakeBuffer);
+                bb.put(fragment);
+                handshakeFrag = bb.rewind();
+                handshakeBuffer = null;
+            }
+
+            ArrayList<Plaintext> plaintexts = new ArrayList<>(5);
+            while (handshakeFrag.hasRemaining()) {
+                int remaining = handshakeFrag.remaining();
+                if (remaining < handshakeHeaderSize) {
+                    handshakeBuffer = ByteBuffer.wrap(new byte[remaining]);
+                    handshakeBuffer.put(handshakeFrag);
+                    handshakeBuffer.rewind();
+                    break;
                 }
 
-                plaintext.limit(frgPos + howmuch);
-
-                if (handshakeType == HandshakeMessage.ht_hello_request) {
-                    // omitted from handshake hash computation
-                } else if ((handshakeType != HandshakeMessage.ht_finished) &&
-                    (handshakeType != HandshakeMessage.ht_certificate_verify)) {
-
-                    if (handshakeHash == null) {
-                        // used for cache only
-                        handshakeHash = new HandshakeHash(false);
+                handshakeFrag.mark();
+                // skip the first byte: handshake type
+                byte handshakeType = handshakeFrag.get();
+                int handshakeBodyLen = Record.getInt24(handshakeFrag);
+                handshakeFrag.reset();
+                int handshakeMessageLen =
+                        handshakeHeaderSize + handshakeBodyLen;
+                if (remaining < handshakeMessageLen) {
+                    handshakeBuffer = ByteBuffer.wrap(new byte[remaining]);
+                    handshakeBuffer.put(handshakeFrag);
+                    handshakeBuffer.rewind();
+                    break;
+                } if (remaining == handshakeMessageLen) {
+                    if (handshakeHash.isHashable(handshakeType)) {
+                        handshakeHash.receive(handshakeFrag);
                     }
-                    handshakeHash.update(plaintext);
+
+                    plaintexts.add(
+                        new Plaintext(contentType,
+                            majorVersion, minorVersion, -1, -1L, handshakeFrag)
+                    );
+                    break;
                 } else {
-                    // Reserve until this handshake message has been processed.
-                    if (handshakeHash == null) {
-                        // used for cache only
-                        handshakeHash = new HandshakeHash(false);
+                    int fragPos = handshakeFrag.position();
+                    int fragLim = handshakeFrag.limit();
+                    int nextPos = fragPos + handshakeMessageLen;
+                    handshakeFrag.limit(nextPos);
+
+                    if (handshakeHash.isHashable(handshakeType)) {
+                        handshakeHash.receive(handshakeFrag);
                     }
-                    handshakeHash.reserve(plaintext);
-                }
 
-                plaintext.position(frgPos + howmuch);
-                plaintext.limit(pltLim);
+                    plaintexts.add(
+                        new Plaintext(contentType, majorVersion, minorVersion,
+                            -1, -1L, handshakeFrag.slice())
+                    );
 
-                frgPos += howmuch;
-                remains -= howmuch;
+                    handshakeFrag.position(nextPos);
+                    handshakeFrag.limit(fragLim);
+                }
             }
-            plaintext.position(pltPos);
+
+            return plaintexts.toArray(new Plaintext[0]);
         }
 
-        return new Plaintext(contentType,
-                majorVersion, minorVersion, -1, -1L, plaintext);
-                // recordEpoch, recordSeq, plaintext);
+        return new Plaintext[] {
+                new Plaintext(contentType,
+                    majorVersion, minorVersion, -1, -1L, fragment)
+                    // recordEpoch, recordSeq, plaintext);
+            };
     }
 
-    private Plaintext handleUnknownRecord(InputStream is, byte[] header,
-            ByteBuffer destination) throws IOException, BadPaddingException {
-
+    private Plaintext[] handleUnknownRecord(
+            byte[] header) throws IOException, BadPaddingException {
         byte firstByte = header[0];
         byte thirdByte = header[2];
 
@@ -347,19 +371,16 @@
                  * error message, one that's treated as fatal by
                  * clients (Otherwise we'll hang.)
                  */
-                deliverStream.write(SSLRecord.v2NoCipher);      // SSLv2Hello
+                os.write(SSLRecord.v2NoCipher);      // SSLv2Hello
 
-                if (debug != null) {
-                    if (Debug.isOn("record")) {
-                         System.out.println(Thread.currentThread().getName() +
+                if (SSLLogger.isOn) {
+                    if (SSLLogger.isOn("record")) {
+                         SSLLogger.fine(
                                 "Requested to negotiate unsupported SSLv2!");
                     }
 
-                    if (Debug.isOn("packet")) {
-                        Debug.printHex(
-                                "[Raw write]: length = " +
-                                SSLRecord.v2NoCipher.length,
-                                SSLRecord.v2NoCipher);
+                    if (SSLLogger.isOn("packet")) {
+                        SSLLogger.fine("Raw write", SSLRecord.v2NoCipher);
                     }
                 }
 
@@ -368,9 +389,7 @@
 
             int msgLen = ((header[0] & 0x7F) << 8) | (header[1] & 0xFF);
 
-            if (destination == null) {
-                destination = ByteBuffer.allocate(headerSize + msgLen);
-            }
+            ByteBuffer destination = ByteBuffer.allocate(headerSize + msgLen);
             destination.put(temporary, 0, headerSize);
             msgLen -= 3;            // had read 3 bytes of content as header
             while (msgLen > 0) {
@@ -391,23 +410,20 @@
              * V3 ClientHello message, and pass it up.
              */
             destination.position(2);     // exclude the header
-
-            if (handshakeHash == null) {
-                // used for cache only
-                handshakeHash = new HandshakeHash(false);
-            }
-            handshakeHash.update(destination);
+            handshakeHash.receive(destination);
             destination.position(0);
 
             ByteBuffer converted = convertToClientHello(destination);
 
-            if (debug != null && Debug.isOn("packet")) {
-                 Debug.printHex(
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                SSLLogger.fine(
                         "[Converted] ClientHello", converted);
             }
 
-            return new Plaintext(ct_handshake,
-                majorVersion, minorVersion, -1, -1L, converted);
+            return new Plaintext[] {
+                    new Plaintext(ContentType.HANDSHAKE.id,
+                    majorVersion, minorVersion, -1, -1L, converted)
+                };
         } else {
             if (((firstByte & 0x80) != 0) && (thirdByte == 4)) {
                 throw new SSLException("SSL V2.0 servers are not supported.");
@@ -424,13 +440,15 @@
         while (n < len) {
             int readLen = is.read(buffer, offset + n, len - n);
             if (readLen < 0) {
+                if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                    SSLLogger.fine("Raw read: EOF");
+                }
                 return -1;
             }
 
-            if (debug != null && Debug.isOn("packet")) {
-                 Debug.printHex(
-                        "[Raw read]: length = " + readLen,
-                        buffer, offset + n, readLen);
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                ByteBuffer bb = ByteBuffer.wrap(buffer, offset + n, readLen);
+                SSLLogger.fine("Raw read", bb);
             }
 
             n += readLen;
--- old/src/java.base/share/classes/sun/security/ssl/SSLSocketOutputRecord.java	2018-05-11 15:06:07.382769400 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSocketOutputRecord.java	2018-05-11 15:06:06.885606100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,14 +25,13 @@
 
 package sun.security.ssl;
 
-import java.io.*;
-import java.nio.*;
-import java.util.Arrays;
-
-import javax.net.ssl.SSLException;
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+import java.nio.ByteBuffer;
 import javax.net.ssl.SSLHandshakeException;
-import sun.security.util.HexDumpEncoder;
 
+import sun.security.ssl.KeyUpdate.KeyUpdateMessage;
 
 /**
  * {@code OutputRecord} implementation for {@code SSLSocket}.
@@ -40,11 +39,16 @@
 final class SSLSocketOutputRecord extends OutputRecord implements SSLRecord {
     private OutputStream deliverStream = null;
 
-    SSLSocketOutputRecord() {
-        this.writeAuthenticator = MAC.TLS_NULL;
+    SSLSocketOutputRecord(HandshakeHash handshakeHash) {
+        this(handshakeHash, null);
+    }
 
+    SSLSocketOutputRecord(HandshakeHash handshakeHash,
+            TransportContext tc) {
+        super(handshakeHash, SSLCipher.SSLWriteCipher.nullTlsWriteCipher());
+        this.tc = tc;
         this.packetSize = SSLRecord.maxRecordSize;
-        this.protocolVersion = ProtocolVersion.DEFAULT_TLS;
+        this.protocolVersion = ProtocolVersion.NONE;
     }
 
     @Override
@@ -55,25 +59,22 @@
 
         write(level);
         write(description);
-
-        if (debug != null && Debug.isOn("record")) {
-            System.out.println(Thread.currentThread().getName() +
-                    ", WRITE: " + protocolVersion +
-                    " " + Record.contentName(Record.ct_alert) +
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine("WRITE: " + protocolVersion +
+                    " " + ContentType.ALERT.name +
                     ", length = " + (count - headerSize));
         }
 
         // Encrypt the fragment and wrap up a record.
-        encrypt(writeAuthenticator, writeCipher,
-                Record.ct_alert, headerSize);
+        encrypt(writeCipher, ContentType.ALERT.id, headerSize);
 
         // deliver this message
         deliverStream.write(buf, 0, count);    // may throw IOException
         deliverStream.flush();                 // may throw IOException
 
-        if (debug != null && Debug.isOn("packet")) {
-             Debug.printHex(
-                    "[Raw write]: length = " + count, buf, 0, count);
+        if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+            SSLLogger.fine("Raw write",
+                    (new ByteArrayInputStream(buf, 0, count)));
         }
 
         // reset the internal buffer
@@ -83,12 +84,11 @@
     @Override
     void encodeHandshake(byte[] source,
             int offset, int length) throws IOException {
-
         if (firstMessage) {
             firstMessage = false;
 
             if ((helloVersion == ProtocolVersion.SSL20Hello) &&
-                (source[offset] == HandshakeMessage.ht_client_hello) &&
+                (source[offset] == SSLHandshake.CLIENT_HELLO.id) &&
                                             //  5: recode header size
                 (source[offset + 4 + 2 + 32] == 0)) {
                                             // V3 session ID is empty
@@ -101,12 +101,12 @@
 
                 byte[] record = v2ClientHello.array();  // array offset is zero
                 int limit = v2ClientHello.limit();
-                handshakeHash.update(record, 2, (limit - 2));
+                handshakeHash.deliver(record, 2, (limit - 2));
 
-                if (debug != null && Debug.isOn("record")) {
-                     System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: SSLv2 ClientHello message" +
-                        ", length = " + limit);
+                if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                    SSLLogger.fine(
+                            "WRITE: SSLv2 ClientHello message" +
+                            ", length = " + limit);
                 }
 
                 // deliver this message
@@ -117,9 +117,9 @@
                 deliverStream.write(record, 0, limit);
                 deliverStream.flush();
 
-                if (debug != null && Debug.isOn("packet")) {
-                     Debug.printHex(
-                            "[Raw write]: length = " + count, record, 0, limit);
+                if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                    SSLLogger.fine("Raw write",
+                            (new ByteArrayInputStream(record, 0, limit)));
                 }
 
                 return;
@@ -127,8 +127,8 @@
         }
 
         byte handshakeType = source[0];
-        if (handshakeType != HandshakeMessage.ht_hello_request) {
-            handshakeHash.update(source, offset, length);
+        if (handshakeHash.isHashable(handshakeType)) {
+            handshakeHash.deliver(source, offset, length);
         }
 
         int fragLimit = getFragLimit();
@@ -153,24 +153,23 @@
                 return;
             }
 
-            if (debug != null && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion +
-                        " " + Record.contentName(Record.ct_handshake) +
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine(
+                        "WRITE: " + protocolVersion +
+                        " " + ContentType.HANDSHAKE.name +
                         ", length = " + (count - headerSize));
             }
 
             // Encrypt the fragment and wrap up a record.
-            encrypt(writeAuthenticator, writeCipher,
-                    Record.ct_handshake, headerSize);
+            encrypt(writeCipher, ContentType.HANDSHAKE.id, headerSize);
 
             // deliver this message
             deliverStream.write(buf, 0, count);    // may throw IOException
             deliverStream.flush();                 // may throw IOException
 
-            if (debug != null && Debug.isOn("packet")) {
-                 Debug.printHex(
-                        "[Raw write]: length = " + count, buf, 0, count);
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                SSLLogger.fine("Raw write",
+                        (new ByteArrayInputStream(buf, 0, count)));
             }
 
             // reset the offset
@@ -190,24 +189,16 @@
 
         write((byte)1);         // byte 1: change_cipher_spec(
 
-        if (debug != null && Debug.isOn("record")) {
-            System.out.println(Thread.currentThread().getName() +
-                    ", WRITE: " + protocolVersion +
-                    " " + Record.contentName(Record.ct_change_cipher_spec) +
-                    ", length = " + (count - headerSize));
-        }
-
         // Encrypt the fragment and wrap up a record.
-        encrypt(writeAuthenticator, writeCipher,
-                Record.ct_change_cipher_spec, headerSize);
+        encrypt(writeCipher, ContentType.CHANGE_CIPHER_SPEC.id, headerSize);
 
         // deliver this message
         deliverStream.write(buf, 0, count);        // may throw IOException
         // deliverStream.flush();                  // flush in Finished
 
-        if (debug != null && Debug.isOn("packet")) {
-             Debug.printHex(
-                    "[Raw write]: length = " + count, buf, 0, count);
+        if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+            SSLLogger.fine("Raw write",
+                    (new ByteArrayInputStream(buf, 0, count)));
         }
 
         // reset the internal buffer
@@ -221,24 +212,23 @@
             return;
         }
 
-        if (debug != null && Debug.isOn("record")) {
-            System.out.println(Thread.currentThread().getName() +
-                    ", WRITE: " + protocolVersion +
-                    " " + Record.contentName(Record.ct_handshake) +
+        if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+            SSLLogger.fine(
+                    "WRITE: " + protocolVersion +
+                    " " + ContentType.HANDSHAKE.name +
                     ", length = " + (count - headerSize));
         }
 
         // Encrypt the fragment and wrap up a record.
-        encrypt(writeAuthenticator, writeCipher,
-                    Record.ct_handshake, headerSize);
+        encrypt(writeCipher, ContentType.HANDSHAKE.id, headerSize);
 
         // deliver this message
         deliverStream.write(buf, 0, count);    // may throw IOException
         deliverStream.flush();                 // may throw IOException
 
-        if (debug != null && Debug.isOn("packet")) {
-             Debug.printHex(
-                    "[Raw write]: length = " + count, buf, 0, count);
+        if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+            SSLLogger.fine("Raw write",
+                    (new ByteArrayInputStream(buf, 0, count)));
         }
 
         // reset the internal buffer
@@ -247,11 +237,10 @@
 
     @Override
     void deliver(byte[] source, int offset, int length) throws IOException {
-
-        if (writeAuthenticator.seqNumOverflow()) {
-            if (debug != null && Debug.isOn("ssl")) {
-                System.out.println(Thread.currentThread().getName() +
-                    ", sequence number extremely close to overflow " +
+        if (writeCipher.authenticator.seqNumOverflow()) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine(
+                    "sequence number extremely close to overflow " +
                     "(2^64-1 packets). Closing connection.");
             }
 
@@ -260,16 +249,11 @@
 
         boolean isFirstRecordOfThePayload = true;
         for (int limit = (offset + length); offset < limit;) {
-            int macLen = 0;
-            if (writeAuthenticator instanceof MAC) {
-                macLen = ((MAC)writeAuthenticator).MAClen();
-            }
-
             int fragLen;
             if (packetSize > 0) {
                 fragLen = Math.min(maxRecordSize, packetSize);
-                fragLen = writeCipher.calculateFragmentSize(
-                        fragLen, macLen, headerSize);
+                fragLen =
+                        writeCipher.calculateFragmentSize(fragLen, headerSize);
 
                 fragLen = Math.min(fragLen, Record.maxDataSize);
             } else {
@@ -292,24 +276,23 @@
             count = position;
             write(source, offset, fragLen);
 
-            if (debug != null && Debug.isOn("record")) {
-                System.out.println(Thread.currentThread().getName() +
-                        ", WRITE: " + protocolVersion +
-                        " " + Record.contentName(Record.ct_application_data) +
-                        ", length = " + (count - headerSize));
+            if (SSLLogger.isOn && SSLLogger.isOn("record")) {
+                SSLLogger.fine(
+                        "WRITE: " + protocolVersion +
+                        " " + ContentType.APPLICATION_DATA.name +
+                        ", length = " + (count - position));
             }
 
             // Encrypt the fragment and wrap up a record.
-            encrypt(writeAuthenticator, writeCipher,
-                    Record.ct_application_data, headerSize);
+            encrypt(writeCipher, ContentType.APPLICATION_DATA.id, headerSize);
 
             // deliver this message
             deliverStream.write(buf, 0, count);    // may throw IOException
             deliverStream.flush();                 // may throw IOException
 
-            if (debug != null && Debug.isOn("packet")) {
-                 Debug.printHex(
-                        "[Raw write]: length = " + count, buf, 0, count);
+            if (SSLLogger.isOn && SSLLogger.isOn("packet")) {
+                SSLLogger.fine("Raw write",
+                        (new ByteArrayInputStream(buf, 0, count)));
             }
 
             // reset the internal buffer
@@ -320,6 +303,16 @@
             }
 
             offset += fragLen;
+
+            if (writeCipher.atKeyLimit()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine("KeyUpdate: triggered");
+                }
+
+                PostHandshakeContext p = new PostHandshakeContext(tc);
+                KeyUpdate.handshakeProducer.produce(p,
+                        new KeyUpdateMessage(p, KeyUpdateMessage.REQUSTED));
+            }
         }
     }
 
@@ -358,16 +351,11 @@
     }
 
     private int getFragLimit() {
-        int macLen = 0;
-        if (writeAuthenticator instanceof MAC) {
-            macLen = ((MAC)writeAuthenticator).MAClen();
-        }
-
         int fragLimit;
         if (packetSize > 0) {
             fragLimit = Math.min(maxRecordSize, packetSize);
-            fragLimit = writeCipher.calculateFragmentSize(
-                    fragLimit, macLen, headerSize);
+            fragLimit =
+                    writeCipher.calculateFragmentSize(fragLimit, headerSize);
 
             fragLimit = Math.min(fragLimit, Record.maxDataSize);
         } else {
--- old/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java	2018-05-11 15:06:08.985004200 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java	2018-05-11 15:06:08.493135200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,258 +26,561 @@
 package sun.security.ssl;
 
 import java.io.IOException;
+import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.List;
 import java.util.LinkedHashMap;
+import java.util.List;
 import java.util.Map;
-
+import java.util.Objects;
 import javax.net.ssl.SNIHostName;
 import javax.net.ssl.SNIMatcher;
 import javax.net.ssl.SNIServerName;
 import javax.net.ssl.SSLProtocolException;
 import javax.net.ssl.StandardConstants;
+import static sun.security.ssl.SSLExtension.CH_SERVER_NAME;
+import static sun.security.ssl.SSLExtension.EE_SERVER_NAME;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.SH_SERVER_NAME;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
 
-/*
- * [RFC 4366/6066] To facilitate secure connections to servers that host
- * multiple 'virtual' servers at a single underlying network address, clients
- * MAY include an extension of type "server_name" in the (extended) client
- * hello.  The "extension_data" field of this extension SHALL contain
- * "ServerNameList" where:
- *
- *     struct {
- *         NameType name_type;
- *         select (name_type) {
- *             case host_name: HostName;
- *         } name;
- *     } ServerName;
- *
- *     enum {
- *         host_name(0), (255)
- *     } NameType;
- *
- *     opaque HostName<1..2^16-1>;
- *
- *     struct {
- *         ServerName server_name_list<1..2^16-1>
- *     } ServerNameList;
+/**
+ * Pack of the "server_name" extensions [RFC 4366/6066].
  */
-final class ServerNameExtension extends HelloExtension {
-
-    // For backward compatibility, all future data structures associated with
-    // new NameTypes MUST begin with a 16-bit length field.
-    static final int NAME_HEADER_LENGTH = 3;    // NameType: 1 byte
-                                                // Name length: 2 bytes
-    private Map<Integer, SNIServerName> sniMap;
-    private int listLength;     // ServerNameList length
-
-    // constructor for ServerHello
-    ServerNameExtension() throws IOException {
-        super(ExtensionType.EXT_SERVER_NAME);
-
-        listLength = 0;
-        sniMap = Collections.<Integer, SNIServerName>emptyMap();
-    }
+final class ServerNameExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHServerNameProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHServerNameConsumer();
+    static final SSLStringize chStringize =
+            new CHServerNamesStringize();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHServerNameProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHServerNameConsumer();
+    static final SSLStringize shStringize =
+            new SHServerNamesStringize();
+
+    static final HandshakeProducer eeNetworkProducer =
+            new EEServerNameProducer();
+    static final ExtensionConsumer eeOnLoadConcumer =
+            new EEServerNameConsumer();
 
-    // constructor for ClientHello
-    ServerNameExtension(List<SNIServerName> serverNames)
-            throws IOException {
-        super(ExtensionType.EXT_SERVER_NAME);
-
-        listLength = 0;
-        sniMap = new LinkedHashMap<>();
-        for (SNIServerName serverName : serverNames) {
-            // check for duplicated server name type
-            if (sniMap.put(serverName.getType(), serverName) != null) {
-                // unlikely to happen, but in case ...
-                throw new RuntimeException(
-                    "Duplicated server name of type " + serverName.getType());
-            }
-
-            listLength += serverName.getEncoded().length + NAME_HEADER_LENGTH;
-        }
-
-        // This constructor is used for ClientHello only.  Empty list is
-        // not allowed in client mode.
-        if (listLength == 0) {
-            throw new RuntimeException("The ServerNameList cannot be empty");
+    /**
+     * The "server_name" extension.
+     *
+     * See RFC 4366/6066 for the specification of the extension.
+     */
+    static final class CHServerNamesSpec implements SSLExtensionSpec {
+        // For backward compatibility, all future data structures associated
+        // with new NameTypes MUST begin with a 16-bit length field.
+        static final int NAME_HEADER_LENGTH = 3;    //  1: NameType
+                                                    // +2: Name length
+        final List<SNIServerName> serverNames;
+
+        private CHServerNamesSpec(List<SNIServerName> serverNames) {
+            this.serverNames =
+                    Collections.<SNIServerName>unmodifiableList(serverNames);
         }
-    }
 
-    // constructor for ServerHello for parsing SNI extension
-    ServerNameExtension(HandshakeInStream s, int len)
-            throws IOException {
-        super(ExtensionType.EXT_SERVER_NAME);
-
-        int remains = len;
-        if (len >= 2) {    // "server_name" extension in ClientHello
-            listLength = s.getInt16();     // ServerNameList length
-            if (listLength == 0 || listLength + 2 != len) {
+        private CHServerNamesSpec(ByteBuffer buffer) throws IOException {
+            if (buffer.remaining() < 2) {
                 throw new SSLProtocolException(
-                        "Invalid " + type + " extension");
+                    "Invalid server_name extension: insufficient data");
             }
 
-            remains -= 2;
-            sniMap = new LinkedHashMap<>();
-            while (remains > 0) {
-                int code = s.getInt8();       // NameType
+            int sniLen = Record.getInt16(buffer);
+            if ((sniLen == 0) || sniLen != buffer.remaining()) {
+                throw new SSLProtocolException(
+                    "Invalid server_name extension: incomplete data");
+            }
 
-                // HostName (length read in getBytes16);
-                byte[] encoded = s.getBytes16();
+            Map<Integer, SNIServerName> sniMap = new LinkedHashMap<>();
+            while (buffer.hasRemaining()) {
+                int nameType = Record.getInt8(buffer);
                 SNIServerName serverName;
-                switch (code) {
-                    case StandardConstants.SNI_HOST_NAME:
-                        if (encoded.length == 0) {
-                            throw new SSLProtocolException(
-                                "Empty HostName in server name indication");
-                        }
-                        try {
-                            serverName = new SNIHostName(encoded);
-                        } catch (IllegalArgumentException iae) {
-                            SSLProtocolException spe = new SSLProtocolException(
-                                "Illegal server name, type=host_name(" +
-                                code + "), name=" +
-                                (new String(encoded, StandardCharsets.UTF_8)) +
-                                ", value=" + Debug.toString(encoded));
-                            spe.initCause(iae);
-                            throw spe;
-                        }
-                        break;
-                    default:
-                        try {
-                            serverName = new UnknownServerName(code, encoded);
-                        } catch (IllegalArgumentException iae) {
-                            SSLProtocolException spe = new SSLProtocolException(
-                                "Illegal server name, type=(" + code +
-                                "), value=" + Debug.toString(encoded));
-                            spe.initCause(iae);
-                            throw spe;
-                        }
+
+                // HostName (length read in getBytes16);
+                //
+                // [RFC 6066] The data structure associated with the host_name
+                // NameType is a variable-length vector that begins with a
+                // 16-bit length.  For backward compatibility, all future data
+                // structures associated with new NameTypes MUST begin with a
+                // 16-bit length field.  TLS MAY treat provided server names as
+                // opaque data and pass the names and types to the application.
+                byte[] encoded = Record.getBytes16(buffer);
+                if (nameType == StandardConstants.SNI_HOST_NAME) {
+                    if (encoded.length == 0) {
+                        throw new SSLProtocolException(
+                            "Empty HostName in server_name extension");
+                    }
+
+                    try {
+                        serverName = new SNIHostName(encoded);
+                    } catch (IllegalArgumentException iae) {
+                        SSLProtocolException spe = new SSLProtocolException(
+                            "Illegal server name, type=host_name(" +
+                            nameType + "), name=" +
+                            (new String(encoded, StandardCharsets.UTF_8)) +
+                            ", value={" +
+                            Utilities.toHexString(encoded) + "}");
+                        throw (SSLProtocolException)spe.initCause(iae);
+                    }
+                } else {
+                    try {
+                        serverName = new UnknownServerName(nameType, encoded);
+                    } catch (IllegalArgumentException iae) {
+                        SSLProtocolException spe = new SSLProtocolException(
+                            "Illegal server name, type=(" + nameType +
+                            "), value={" +
+                            Utilities.toHexString(encoded) + "}");
+                        throw (SSLProtocolException)spe.initCause(iae);
+                    }
                 }
+
                 // check for duplicated server name type
                 if (sniMap.put(serverName.getType(), serverName) != null) {
                     throw new SSLProtocolException(
                             "Duplicated server name of type " +
                             serverName.getType());
                 }
+            }
+
+            this.serverNames = new ArrayList<>(sniMap.values());
+        }
+
+        @Override
+        public String toString() {
+            if (serverNames == null || serverNames.isEmpty()) {
+                return "<no server name indicator specified>";
+            } else {
+                StringBuilder builder = new StringBuilder(512);
+                for (SNIServerName sn : serverNames) {
+                    builder.append(sn.toString());
+                    builder.append("\n");
+                }
 
-                remains -= encoded.length + NAME_HEADER_LENGTH;
+                return builder.toString();
             }
-        } else if (len == 0) {     // "server_name" extension in ServerHello
-            listLength = 0;
-            sniMap = Collections.<Integer, SNIServerName>emptyMap();
         }
 
-        if (remains != 0) {
-            throw new SSLProtocolException("Invalid server_name extension");
+        private static class UnknownServerName extends SNIServerName {
+            UnknownServerName(int code, byte[] encoded) {
+                super(code, encoded);
+            }
         }
     }
 
-    List<SNIServerName> getServerNames() {
-        if (sniMap != null && !sniMap.isEmpty()) {
-            return Collections.<SNIServerName>unmodifiableList(
-                                        new ArrayList<>(sniMap.values()));
+    private static final class CHServerNamesStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CHServerNamesSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
         }
+    }
+
+    /**
+     * Network data producer of a "server_name" extension in the
+     * ClientHello handshake message.
+     */
+    private static final
+            class CHServerNameProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHServerNameProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_SERVER_NAME)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                        "Ignore unavailable server_name extension");
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            List<SNIServerName> serverNames;
+            if (chc.isResumption && (chc.resumingSession != null)) {
+                serverNames =
+                        chc.resumingSession.getRequestedServerNames();
+            } else {
+                serverNames = chc.sslConfig.serverNames;
+            }   // Shall we use host too?
+
+            // Empty server name list is not allowed in client mode.
+            if ((serverNames != null) && !serverNames.isEmpty()) {
+                int sniLen = 0;
+                for (SNIServerName sniName : serverNames) {
+                    // For backward compatibility, all future data structures
+                    // associated with new NameTypes MUST begin with a 16-bit
+                    // length field.  The header length of server name is 3
+                    // bytes, including 1 byte NameType, and 2 bytes length
+                    // of the name.
+                    sniLen += CHServerNamesSpec.NAME_HEADER_LENGTH;
+                    sniLen += sniName.getEncoded().length;
+                }
+
+                byte[] extData = new byte[sniLen + 2];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putInt16(m, sniLen);
+                for (SNIServerName sniName : serverNames) {
+                    Record.putInt8(m, sniName.getType());
+                    Record.putBytes16(m, sniName.getEncoded());
+                }
+
+                // Update the context.
+                chc.requestedServerNames = serverNames;
+                chc.handshakeExtensions.put(CH_SERVER_NAME,
+                        new CHServerNamesSpec(serverNames));
 
-        return Collections.<SNIServerName>emptyList();
+                return extData;
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.warning("Unable to indicate server name");
+            }
+            return null;
+        }
     }
 
-    /*
-     * Is the extension recognized by the corresponding matcher?
-     *
-     * This method is used to check whether the server name indication can
-     * be recognized by the server name matchers.
-     *
-     * Per RFC 6066, if the server understood the ClientHello extension but
-     * does not recognize the server name, the server SHOULD take one of two
-     * actions: either abort the handshake by sending a fatal-level
-     * unrecognized_name(112) alert or continue the handshake.
-     *
-     * If there is an instance of SNIMatcher defined for a particular name
-     * type, it must be used to perform match operations on the server name.
+    /**
+     * Network data consumer of a "server_name" extension in the
+     * ClientHello handshake message.
      */
-    boolean isMatched(Collection<SNIMatcher> matchers) {
-        if (sniMap != null && !sniMap.isEmpty()) {
-            for (SNIMatcher matcher : matchers) {
-                SNIServerName sniName = sniMap.get(matcher.getType());
-                if (sniName != null && (!matcher.matches(sniName))) {
-                    return false;
+    private static final
+            class CHServerNameConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHServerNameConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_SERVER_NAME)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " + CH_SERVER_NAME.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            CHServerNamesSpec spec;
+            try {
+                spec = new CHServerNamesSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(CH_SERVER_NAME, spec);
+
+            // Does the server match the server name request?
+            SNIServerName sni = null;
+            if (!shc.sslConfig.sniMatchers.isEmpty()) {
+                sni = chooseSni(shc.sslConfig.sniMatchers, spec.serverNames);
+                if (sni != null) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                                "server name indication (" +
+                                sni + ") is accepted");
+                    }
+                } else {
+                    // We do not reject client without SNI extension currently.
+                    shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
+                            "Unrecognized server name indication");
+                }
+            } else {
+                // Note: Servers MAY require clients to send a valid
+                // "server_name" extension and respond to a ClientHello
+                // lacking a "server_name" extension by terminating the
+                // connection with a "missing_extension" alert.
+                //
+                // We do not reject client without SNI extension currently.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "no server name matchers, " +
+                            "ignore server name indication");
                 }
             }
+
+            // Impact on session resumption.
+            //
+            // Does the resuming session have the same principal?
+            if (shc.isResumption && shc.resumingSession != null) {
+                // A server that implements this extension MUST NOT accept
+                // the request to resume the session if the server_name
+                // extension contains a different name.
+                //
+                // May only need to check that the session SNI is one of
+                // the requested server names.
+                if (!Objects.equals(
+                        sni, shc.resumingSession.serverNameIndication)) {
+                    shc.isResumption = false;
+                    shc.resumingSession = null;
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                                "abort session resumption, " +
+                                "different server name indication used");
+                    }
+                }
+            }
+
+            shc.requestedServerNames = spec.serverNames;
+            shc.negotiatedServerName = sni;
         }
 
-        return true;
+        private static SNIServerName chooseSni(Collection<SNIMatcher> matchers,
+                List<SNIServerName> sniNames) {
+            if (sniNames != null && !sniNames.isEmpty()) {
+                for (SNIMatcher matcher : matchers) {
+                    int matcherType = matcher.getType();
+                    for (SNIServerName sniName : sniNames) {
+                        if (sniName.getType() == matcherType) {
+                            if (matcher.matches(sniName)) {
+                                return sniName;
+                            }
+
+                            // no duplicated entry in the server names list.
+                            break;
+                        }
+                    }
+                }
+            }
+
+            return null;
+        }
     }
 
-    /*
-     * Is the extension is identical to a server name list?
-     *
-     * This method is used to check the server name indication during session
-     * resumption.
+    /**
+     * The "server_name" extension in the ServerHello handshake message.
      *
-     * Per RFC 6066, when the server is deciding whether or not to accept a
-     * request to resume a session, the contents of a server_name extension
-     * MAY be used in the lookup of the session in the session cache.  The
-     * client SHOULD include the same server_name extension in the session
-     * resumption request as it did in the full handshake that established
-     * the session.  A server that implements this extension MUST NOT accept
-     * the request to resume the session if the server_name extension contains
-     * a different name.  Instead, it proceeds with a full handshake to
-     * establish a new session.  When resuming a session, the server MUST NOT
-     * include a server_name extension in the server hello.
+     * The "extension_data" field of this extension shall be empty.
      */
-    boolean isIdentical(List<SNIServerName> other) {
-        if (other.size() == sniMap.size()) {
-            for(SNIServerName sniInOther : other) {
-                SNIServerName sniName = sniMap.get(sniInOther.getType());
-                if (sniName == null || !sniInOther.equals(sniName)) {
-                    return false;
-                }
-            }
+    static final class SHServerNamesSpec implements SSLExtensionSpec {
+        static final SHServerNamesSpec DEFAULT = new SHServerNamesSpec();
 
-            return true;
+        private SHServerNamesSpec() {
+            // blank
         }
 
-        return false;
+        private SHServerNamesSpec(ByteBuffer buffer) throws IOException {
+            if (buffer.remaining() != 0) {
+                throw new SSLProtocolException(
+                    "Invalid ServerHello server_name extension: not empty");
+            }
+        }
+
+        @Override
+        public String toString() {
+            return "<empty extension_data field>";
+        }
     }
 
-    @Override
-    int length() {
-        return listLength == 0 ? 4 : 6 + listLength;
+    private static final class SHServerNamesStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new SHServerNamesSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
     }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        if (listLength == 0) {
-            s.putInt16(listLength);     // in ServerHello, empty extension_data
-        } else {
-            s.putInt16(listLength + 2); // length of extension_data
-            s.putInt16(listLength);     // length of ServerNameList
-
-            for (SNIServerName sniName : sniMap.values()) {
-                s.putInt8(sniName.getType());         // server name type
-                s.putBytes16(sniName.getEncoded());   // server name value
+    /**
+     * Network data producer of a "server_name" extension in the
+     * ServerHello handshake message.
+     */
+    private static final
+            class SHServerNameProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHServerNameProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to "server_name" extension request only
+            CHServerNamesSpec spec = (CHServerNamesSpec)
+                    shc.handshakeExtensions.get(CH_SERVER_NAME);
+            if (spec == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable extension: " + SH_SERVER_NAME.name);
+                }
+                return null;        // ignore the extension
+            }
+
+            // When resuming a session, the server MUST NOT include a
+            // server_name extension in the server hello.
+            if (shc.isResumption || shc.negotiatedServerName == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "No expected server name indication response");
+                }
+                return null;        // ignore the extension
             }
+
+            // Produce the extension and update the context.
+            shc.handshakeExtensions.put(
+                    SH_SERVER_NAME, SHServerNamesSpec.DEFAULT);
+
+            return (new byte[0]);   // the empty extension_data
         }
     }
 
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        for (SNIServerName sniName : sniMap.values()) {
-            sb.append("[" + sniName + "]");
+    /**
+     * Network data consumer of a "server_name" extension in the
+     * ServerHello handshake message.
+     */
+    private static final
+            class SHServerNameConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHServerNameConsumer() {
+            // blank
         }
 
-        return "Extension " + type + ", server_name: " + sb;
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "server_name" extension request only
+            CHServerNamesSpec spec = (CHServerNamesSpec)
+                    chc.handshakeExtensions.get(CH_SERVER_NAME);
+            if (spec == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected ServerHello server_name extension");
+            }
+
+            // Parse the extension.
+            if (buffer.remaining() != 0) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Invalid ServerHello server_name extension");
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SH_SERVER_NAME, SHServerNamesSpec.DEFAULT);
+            // The negotiated server name is unknown in client side. Just
+            // use the first request name as the value is not actually used
+            // in the current implementation.
+            chc.negotiatedServerName = spec.serverNames.get(0);
+        }
     }
 
-    private static class UnknownServerName extends SNIServerName {
-        UnknownServerName(int code, byte[] encoded) {
-            super(code, encoded);
+    /**
+     * Network data producer of a "server_name" extension in the
+     * EncryptedExtensions handshake message.
+     */
+    private static final
+            class EEServerNameProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private EEServerNameProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to "server_name" extension request only
+            CHServerNamesSpec spec = (CHServerNamesSpec)
+                    shc.handshakeExtensions.get(CH_SERVER_NAME);
+            if (spec == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable extension: " + EE_SERVER_NAME.name);
+                }
+                return null;        // ignore the extension
+            }
+
+            // When resuming a session, the server MUST NOT include a
+            // server_name extension in the server hello.
+            if (shc.isResumption || shc.negotiatedServerName == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "No expected server name indication response");
+                }
+                return null;        // ignore the extension
+            }
+
+            // Produce the extension and update the context.
+            shc.handshakeExtensions.put(
+                    EE_SERVER_NAME, SHServerNamesSpec.DEFAULT);
+
+            return (new byte[0]);   // the empty extension_data
         }
     }
 
+    /**
+     * Network data consumer of a "server_name" extension in the
+     * EncryptedExtensions handshake message.
+     */
+    private static final
+            class EEServerNameConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private EEServerNameConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "server_name" extension request only
+            CHServerNamesSpec spec = (CHServerNamesSpec)
+                    chc.handshakeExtensions.get(CH_SERVER_NAME);
+            if (spec == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected EncryptedExtensions server_name extension");
+            }
+
+            // Parse the extension.
+            if (buffer.remaining() != 0) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Invalid EncryptedExtensions server_name extension");
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    EE_SERVER_NAME, SHServerNamesSpec.DEFAULT);
+            // The negotiated server name is unknown in client side. Just
+            // use the first request name as the value is not actually used
+            // in the current implementation.
+            chc.negotiatedServerName = spec.serverNames.get(0);
+        }
+    }
 }
--- old/src/java.base/share/classes/sun/security/ssl/SessionId.java	2018-05-11 15:06:10.587362000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SessionId.java	2018-05-11 15:06:10.106630300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,105 +23,83 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.security.SecureRandom;
+import java.util.Arrays;
 import javax.net.ssl.SSLProtocolException;
 
 /**
- * Encapsulates an SSL session ID.  SSL Session IDs are not reused by
- * servers during the lifetime of any sessions it created.  Sessions may
- * be used by many connections, either concurrently (for example, two
- * connections to a web server at the same time) or sequentially (over as
- * long a time period as is allowed by a given server).
+ * Encapsulates an SSL session ID.
  *
  * @author Satish Dharmaraj
  * @author David Brownell
  */
-final
-class SessionId
-{
-    static int MAX_LENGTH = 32;
-    private byte[] sessionId;          // max 32 bytes
-
-    /** Constructs a new session ID ... perhaps for a rejoinable session */
-    SessionId (boolean isRejoinable, SecureRandom generator)
-    {
-        if (isRejoinable)
-            // this will be unique, it's a timestamp plus much randomness
-            sessionId = new RandomCookie (generator).random_bytes;
-        else
-            sessionId = new byte [0];
-    }
-
-    /** Constructs a session ID from a byte array (max size 32 bytes) */
-    SessionId (byte[] sessionId)
-        { this.sessionId = sessionId; }
-
-    /** Returns the length of the ID, in bytes */
-    int length ()
-        { return sessionId.length; }
-
-    /** Returns the bytes in the ID.  May be an empty array.  */
-    byte[] getId ()
-    {
-        return sessionId.clone ();
+final class SessionId {
+    private static final int MAX_LENGTH = 32;
+    private final byte[] sessionId;          // max 32 bytes
+
+    // Constructs a new session ID ... perhaps for a rejoinable session
+    SessionId(boolean isRejoinable, SecureRandom generator) {
+        if (isRejoinable && (generator != null)) {
+            sessionId = new RandomCookie(generator).randomBytes;
+        } else {
+            sessionId = new byte[0];
+        }
+    }
+
+    // Constructs a session ID from a byte array (max size 32 bytes)
+    SessionId(byte[] sessionId) {
+        this.sessionId = sessionId.clone();
+    }
+
+    // Returns the length of the ID, in bytes
+    int length() {
+        return sessionId.length;
+    }
+
+    // Returns the bytes in the ID.  May be an empty array.
+    byte[] getId() {
+        return sessionId.clone();
     }
 
-    /** Returns the ID as a string */
+    // Returns the ID as a string
     @Override
-    public String toString ()
-    {
-        int             len = sessionId.length;
-        StringBuilder    sb = new StringBuilder (10 + 2 * len);
-
-        sb.append("{");
-        for (int i = 0; i < len; i++) {
-            sb.append(0x0ff & sessionId[i]);
-            if (i != (len - 1))
-                sb.append (", ");
+    public String toString() {
+        if (sessionId.length == 0) {
+            return "";
         }
-        sb.append("}");
-        return sb.toString ();
+
+        return Utilities.toHexString(sessionId);
     }
 
 
-    /** Returns a value which is the same for session IDs which are equal */
+    // Returns a value which is the same for session IDs which are equal
     @Override
-    public int hashCode ()
-    {
-        int     retval = 0;
-
-        for (int i = 0; i < sessionId.length; i++)
-            retval += sessionId [i];
-        return retval;
+    public int hashCode() {
+        return Arrays.hashCode(sessionId);
     }
 
-    /** Returns true if the parameter is the same session ID */
+    // Returns true if the parameter is the same session ID
     @Override
-    public boolean equals (Object obj)
-    {
-        if (!(obj instanceof SessionId))
-            return false;
-
-        SessionId s = (SessionId) obj;
-        byte[] b = s.getId ();
-
-        if (b.length != sessionId.length)
-            return false;
-        for (int i = 0; i < sessionId.length; i++) {
-            if (b [i] != sessionId [i])
-                return false;
+    public boolean equals (Object obj) {
+        if (obj == this) {
+            return true;
         }
-        return true;
+
+        if (obj instanceof SessionId) {
+            SessionId that = (SessionId)obj;
+            return Arrays.equals(this.sessionId, that.sessionId);
+        }
+
+        return false;
     }
 
     /**
      * Checks the length of the session ID to make sure it sits within
      * the range called out in the specification
      */
-    void checkLength(ProtocolVersion pv) throws SSLProtocolException {
+    void checkLength(int protocolVersion) throws SSLProtocolException {
         // As of today all versions of TLS have a 32-byte maximum length.
         // In the future we can do more here to support protocol versions
         // that may have longer max lengths.
@@ -130,5 +108,4 @@
                     sessionId.length + " bytes)");
         }
     }
-
 }
--- old/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java	2018-05-11 15:06:12.128171200 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java	2018-05-11 15:06:11.659690500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,110 +26,484 @@
 package sun.security.ssl;
 
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.Collection;
-
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
 import javax.net.ssl.SSLProtocolException;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
 
-/*
- * [RFC5246] The client uses the "signature_algorithms" extension to
- * indicate to the server which signature/hash algorithm pairs may be
- * used in digital signatures.  The "extension_data" field of this
- * extension contains a "supported_signature_algorithms" value.
- *
- *     enum {
- *         none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
- *         sha512(6), (255)
- *     } HashAlgorithm;
- *
- *     enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
- *       SignatureAlgorithm;
- *
- *     struct {
- *           HashAlgorithm hash;
- *           SignatureAlgorithm signature;
- *     } SignatureAndHashAlgorithm;
- *
- *     SignatureAndHashAlgorithm
- *       supported_signature_algorithms<2..2^16-2>;
+/**
+ * Pack of the "signature_algorithms" extensions [RFC 5246].
  */
-final class SignatureAlgorithmsExtension extends HelloExtension {
+final class SignatureAlgorithmsExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHSignatureSchemesProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHSignatureSchemesConsumer();
+    static final HandshakeAbsence chOnLoadAbsence =
+            new CHSignatureSchemesAbsence();
+    static final HandshakeConsumer chOnTradeConsumer =
+            new CHSignatureSchemesUpdate();
+
+    static final HandshakeProducer crNetworkProducer =
+            new CRSignatureSchemesProducer();
+    static final ExtensionConsumer crOnLoadConcumer =
+            new CRSignatureSchemesConsumer();
+    static final HandshakeAbsence crOnLoadAbsence =
+            new CRSignatureSchemesAbsence();
+    static final HandshakeConsumer crOnTradeConsumer =
+            new CRSignatureSchemesUpdate();
+
+    static final SSLStringize ssStringize =
+            new SignatureSchemesStringize();
+
+    /**
+     * The "signature_algorithms" extension.
+     */
+    static final class SignatureSchemesSpec implements SSLExtensionSpec {
+        final int[] signatureSchemes;
+
+        SignatureSchemesSpec(List<SignatureScheme> schemes) {
+            if (schemes != null) {
+                signatureSchemes = new int[schemes.size()];
+                int i = 0;
+                for (SignatureScheme scheme : schemes) {
+                    signatureSchemes[i++] = scheme.id;
+                }
+            } else {
+                this.signatureSchemes = new int[0];
+            }
+        }
 
-    private Collection<SignatureAndHashAlgorithm> algorithms;
-    private int algorithmsLen;  // length of supported_signature_algorithms
+        SignatureSchemesSpec(ByteBuffer buffer) throws IOException {
+            if (buffer.remaining() < 2) {      // 2: the length of the list
+                throw new SSLProtocolException(
+                    "Invalid signature_algorithms: insufficient data");
+            }
 
-    SignatureAlgorithmsExtension(
-            Collection<SignatureAndHashAlgorithm> signAlgs) {
+            byte[] algs = Record.getBytes16(buffer);
+            if (buffer.hasRemaining()) {
+                throw new SSLProtocolException(
+                    "Invalid signature_algorithms: unknown extra data");
+            }
+
+            if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
+                throw new SSLProtocolException(
+                    "Invalid signature_algorithms: incomplete data");
+            }
+
+            int[] schemes = new int[algs.length / 2];
+            for (int i = 0, j = 0; i < algs.length;) {
+                byte hash = algs[i++];
+                byte sign = algs[i++];
+                schemes[j++] = ((hash & 0xFF) << 8) | (sign & 0xFF);
+            }
+
+            this.signatureSchemes = schemes;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"signature schemes\": '['{0}']'", Locale.ENGLISH);
+
+            if (signatureSchemes == null || signatureSchemes.length == 0) {
+                Object[] messageFields = {
+                        "<no supported signature schemes specified>"
+                    };
+                return messageFormat.format(messageFields);
+            } else {
+                StringBuilder builder = new StringBuilder(512);
+                boolean isFirst = true;
+                for (int pv : signatureSchemes) {
+                    if (isFirst) {
+                        isFirst = false;
+                    } else {
+                        builder.append(", ");
+                    }
+
+                    builder.append(SignatureScheme.nameOf(pv));
+                }
+
+                Object[] messageFields = {
+                        builder.toString()
+                    };
 
-        super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);
+                return messageFormat.format(messageFields);
+            }
+        }
+    }
 
-        algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs);
-        algorithmsLen =
-            SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size();
+    private static final
+            class SignatureSchemesStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new SignatureSchemesSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
     }
 
-    SignatureAlgorithmsExtension(HandshakeInStream s, int len)
-                throws IOException {
-        super(ExtensionType.EXT_SIGNATURE_ALGORITHMS);
+    /**
+     * Network data producer of a "signature_algorithms" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHSignatureSchemesProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHSignatureSchemesProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable signature_algorithms extension");
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            if (chc.localSupportedSignAlgs == null) {
+                chc.localSupportedSignAlgs =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.algorithmConstraints, chc.activeProtocols);
+            }
 
-        algorithmsLen = s.getInt16();
-        if (algorithmsLen == 0 || algorithmsLen + 2 != len) {
-            throw new SSLProtocolException("Invalid " + type + " extension");
+            int vectorLen = SignatureScheme.sizeInRecord() *
+                    chc.localSupportedSignAlgs.size();
+            byte[] extData = new byte[vectorLen + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, vectorLen);
+            for (SignatureScheme ss : chc.localSupportedSignAlgs) {
+                Record.putInt16(m, ss.id);
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS,
+                    new SignatureSchemesSpec(chc.localSupportedSignAlgs));
+
+            return extData;
         }
+    }
+
+    /**
+     * Network data consumer of a "signature_algorithms" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHSignatureSchemesConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHSignatureSchemesConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable signature_algorithms extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            SignatureSchemesSpec spec;
+            try {
+                spec = new SignatureSchemesSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
 
-        algorithms = new ArrayList<SignatureAndHashAlgorithm>();
-        int remains = algorithmsLen;
-        int sequence = 0;
-        while (remains > 1) {   // needs at least two bytes
-            int hash = s.getInt8();         // hash algorithm
-            int signature = s.getInt8();    // signature algorithm
+            // Update the context.
+            shc.handshakeExtensions.put(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS, spec);
 
-            SignatureAndHashAlgorithm algorithm =
-                SignatureAndHashAlgorithm.valueOf(hash, signature, ++sequence);
-            algorithms.add(algorithm);
-            remains -= 2;  // one byte for hash, one byte for signature
+            // No impact on session resumption.
         }
+    }
+
+    /**
+     * After session creation consuming of a "signature_algorithms"
+     * extension in the ClientHello handshake message.
+     */
+    private static final class CHSignatureSchemesUpdate
+            implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private CHSignatureSchemesUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            SignatureSchemesSpec spec =
+                    (SignatureSchemesSpec)shc.handshakeExtensions.get(
+                            SSLExtension.CH_SIGNATURE_ALGORITHMS);
+            if (spec == null) {
+                // Ignore, no "signature_algorithms" extension requested.
+                return;
+            }
+
+            // update the context
+            List<SignatureScheme> shemes =
+                    SignatureScheme.getSupportedAlgorithms(
+                            shc.algorithmConstraints, shc.negotiatedProtocol,
+                            spec.signatureSchemes);
+            shc.peerRequestedSignatureSchemes = shemes;
+
+            // If no "signature_algorithms_cert" extension is present, then
+            // the "signature_algorithms" extension also applies to
+            // signatures appearing in certificates.
+            SignatureSchemesSpec certSpec =
+                    (SignatureSchemesSpec)shc.handshakeExtensions.get(
+                            SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT);
+            if (certSpec == null) {
+                shc.peerRequestedCertSignSchemes = shemes;
+            }
 
-        if (remains != 0) {
-            throw new SSLProtocolException("Invalid server_name extension");
+            shc.handshakeSession.setPeerSupportedSignatureAlgorithms(shemes);
+
+            if (!shc.isResumption && shc.negotiatedProtocol.useTLS13PlusSpec()) {
+                if (shc.sslConfig.clientAuthType !=
+                        ClientAuthType.CLIENT_AUTH_NONE) {
+                    shc.handshakeProducers.putIfAbsent(
+                            SSLHandshake.CERTIFICATE_REQUEST.id,
+                            SSLHandshake.CERTIFICATE_REQUEST);
+                }
+                shc.handshakeProducers.put(
+                        SSLHandshake.CERTIFICATE.id,
+                        SSLHandshake.CERTIFICATE);
+                shc.handshakeProducers.putIfAbsent(
+                        SSLHandshake.CERTIFICATE_VERIFY.id,
+                        SSLHandshake.CERTIFICATE_VERIFY);
+            }
         }
     }
 
-    Collection<SignatureAndHashAlgorithm> getSignAlgorithms() {
-        return algorithms;
+    /**
+     * The absence processing if a "signature_algorithms" extension is
+     * not present in the ClientHello handshake message.
+     */
+    private static final
+            class CHSignatureSchemesAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // This is a mandatory extension for certificate authentication
+            // in TLS 1.3.
+            //
+            // We may support the server authentication other than X.509
+            // certificate later.
+            if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
+                shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                    "No mandatory signature_algorithms extension in the " +
+                    "received CertificateRequest handshake message");
+            }
+        }
     }
 
-    @Override
-    int length() {
-        return 6 + algorithmsLen;
+    /**
+     * Network data producer of a "signature_algorithms" extension in
+     * the CertificateRequest handshake message.
+     */
+    private static final
+            class CRSignatureSchemesProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CRSignatureSchemesProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            //
+            // Note that this is a mandatory extension for CertificateRequest
+            // handshake message in TLS 1.3.
+            if (!shc.sslConfig.isAvailable(
+                    SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
+                shc.conContext.fatal(Alert.MISSING_EXTENSION,
+                        "No available signature_algorithms extension " +
+                        "for client certificate authentication");
+                return null;    // make the compiler happy
+            }
+
+            // Produce the extension.
+            if (shc.localSupportedSignAlgs == null) {
+                shc.localSupportedSignAlgs =
+                    SignatureScheme.getSupportedAlgorithms(
+                            shc.algorithmConstraints, shc.activeProtocols);
+            }
+
+            int vectorLen = SignatureScheme.sizeInRecord() *
+                    shc.localSupportedSignAlgs.size();
+            byte[] extData = new byte[vectorLen + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, vectorLen);
+            for (SignatureScheme ss : shc.localSupportedSignAlgs) {
+                Record.putInt16(m, ss.id);
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(
+                    SSLExtension.CR_SIGNATURE_ALGORITHMS,
+                    new SignatureSchemesSpec(shc.localSupportedSignAlgs));
+
+            return extData;
+        }
     }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(algorithmsLen + 2);
-        s.putInt16(algorithmsLen);
+    /**
+     * Network data consumer of a "signature_algorithms" extension in
+     * the CertificateRequest handshake message.
+     */
+    private static final
+            class CRSignatureSchemesConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CRSignatureSchemesConsumer() {
+            // blank
+        }
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            //
+            // Note that this is a mandatory extension for CertificateRequest
+            // handshake message in TLS 1.3.
+            if (!chc.sslConfig.isAvailable(
+                    SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No available signature_algorithms extension " +
+                        "for client certificate authentication");
+                return;     // make the compiler happy
+            }
+
+            // Parse the extension.
+            SignatureSchemesSpec spec;
+            try {
+                spec = new SignatureSchemesSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            List<SignatureScheme> knownSignatureSchemes = new LinkedList<>();
+            for (int id : spec.signatureSchemes) {
+                SignatureScheme ss = SignatureScheme.valueOf(id);
+                if (ss != null) {
+                    knownSignatureSchemes.add(ss);
+                }
+            }
+
+            // Update the context.
+            // chc.peerRequestedSignatureSchemes = knownSignatureSchemes;
+            chc.handshakeExtensions.put(
+                    SSLExtension.CR_SIGNATURE_ALGORITHMS, spec);
 
-        for (SignatureAndHashAlgorithm algorithm : algorithms) {
-            s.putInt8(algorithm.getHashValue());      // HashAlgorithm
-            s.putInt8(algorithm.getSignatureValue()); // SignatureAlgorithm
+            // No impact on session resumption.
         }
     }
 
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        boolean opened = false;
-        for (SignatureAndHashAlgorithm signAlg : algorithms) {
-            if (opened) {
-                sb.append(", " + signAlg.getAlgorithmName());
-            } else {
-                sb.append(signAlg.getAlgorithmName());
-                opened = true;
+    /**
+     * After session creation consuming of a "signature_algorithms"
+     * extension in the CertificateRequest handshake message.
+     */
+    private static final class CRSignatureSchemesUpdate
+            implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private CRSignatureSchemesUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            SignatureSchemesSpec spec =
+                    (SignatureSchemesSpec)chc.handshakeExtensions.get(
+                            SSLExtension.CR_SIGNATURE_ALGORITHMS);
+            if (spec == null) {
+                // Ignore, no "signature_algorithms" extension requested.
+                return;
+            }
+
+            // update the context
+            List<SignatureScheme> shemes =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.algorithmConstraints, chc.negotiatedProtocol,
+                            spec.signatureSchemes);
+            chc.peerRequestedSignatureSchemes = shemes;
+
+            // If no "signature_algorithms_cert" extension is present, then
+            // the "signature_algorithms" extension also applies to
+            // signatures appearing in certificates.
+            SignatureSchemesSpec certSpec =
+                    (SignatureSchemesSpec)chc.handshakeExtensions.get(
+                            SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT);
+            if (certSpec == null) {
+                chc.peerRequestedCertSignSchemes = shemes;
             }
+
+            chc.handshakeSession.setPeerSupportedSignatureAlgorithms(shemes);
         }
+    }
 
-        return "Extension " + type + ", signature_algorithms: " + sb;
+    /**
+     * The absence processing if a "signature_algorithms" extension is
+     * not present in the CertificateRequest handshake message.
+     */
+    private static final
+            class CRSignatureSchemesAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // This is a mandatory extension for CertificateRequest handshake
+            // message in TLS 1.3.
+            chc.conContext.fatal(Alert.MISSING_EXTENSION,
+                    "No mandatory signature_algorithms extension in the " +
+                    "received CertificateRequest handshake message");
+        }
     }
 }
-
--- old/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java	2018-05-11 15:06:13.718077700 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/StatusResponseManager.java	2018-05-11 15:06:13.236915700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -22,18 +22,32 @@
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
-
 package sun.security.ssl;
 
 import java.io.IOException;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.security.AccessController;
-import java.security.cert.X509Certificate;
 import java.security.cert.Extension;
-import java.util.*;
-import java.util.concurrent.*;
-
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Objects;
+import java.util.concurrent.Callable;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.Executors;
+import java.util.concurrent.Future;
+import java.util.concurrent.ScheduledThreadPoolExecutor;
+import java.util.concurrent.ThreadFactory;
+import java.util.concurrent.ThreadPoolExecutor;
+import java.util.concurrent.TimeUnit;
+import sun.security.action.GetBooleanAction;
+import sun.security.action.GetIntegerAction;
+import sun.security.action.GetPropertyAction;
 import sun.security.provider.certpath.CertId;
 import sun.security.provider.certpath.OCSP;
 import sun.security.provider.certpath.OCSPResponse;
@@ -41,15 +55,13 @@
 import sun.security.util.Cache;
 import sun.security.x509.PKIXExtensions;
 import sun.security.x509.SerialNumber;
-import sun.security.action.GetBooleanAction;
-import sun.security.action.GetIntegerAction;
-import sun.security.action.GetPropertyAction;
+import sun.security.ssl.X509Authentication.X509Possession;
+import static sun.security.ssl.CertStatusExtension.*;
 
 final class StatusResponseManager {
     private static final int DEFAULT_CORE_THREADS = 8;
     private static final int DEFAULT_CACHE_SIZE = 256;
-    private static final int DEFAULT_CACHE_LIFETIME = 3600;         // seconds
-    private static final Debug debug = Debug.getInstance("ssl");
+    private static final int DEFAULT_CACHE_LIFETIME = 3600;     // seconds
 
     private final ScheduledThreadPoolExecutor threadMgr;
     private final Cache<CertId, ResponseCacheEntry> responseCache;
@@ -99,10 +111,12 @@
             }
         }, new ThreadPoolExecutor.DiscardPolicy());
         threadMgr.setExecuteExistingDelayedTasksAfterShutdownPolicy(false);
-        threadMgr.setContinueExistingPeriodicTasksAfterShutdownPolicy(false);
+        threadMgr.setContinueExistingPeriodicTasksAfterShutdownPolicy(
+                false);
         threadMgr.setKeepAliveTime(5000, TimeUnit.MILLISECONDS);
         threadMgr.allowCoreThreadTimeOut(true);
-        responseCache = Cache.newSoftMemoryCache(cacheCapacity, cacheLifetime);
+        responseCache = Cache.newSoftMemoryCache(
+                cacheCapacity, cacheLifetime);
     }
 
     /**
@@ -147,8 +161,8 @@
      * Get the ignore extensions setting.
      *
      * @return {@code true} if the {@code StatusResponseManager} will not
-     * pass OCSP Extensions in the TLS {@code status_request[_v2]} extensions,
-     * {@code false} if extensions will be passed (the default).
+     * pass OCSP Extensions in the TLS {@code status_request[_v2]}
+     * extensions, {@code false} if extensions will be passed (the default).
      */
     boolean getIgnoreExtensions() {
         return ignoreExtensions;
@@ -158,7 +172,9 @@
      * Clear the status response cache
      */
     void clear() {
-        debugLog("Clearing response cache");
+        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+            SSLLogger.fine("Clearing response cache");
+        }
         responseCache.clear();
     }
 
@@ -172,16 +188,18 @@
     }
 
     /**
-     * Obtain the URI use by the {@code StatusResponseManager} during lookups.
+     * Obtain the URI use by the {@code StatusResponseManager} during
+     * lookups.
+     *
      * This method takes into account not only the AIA extension from a
      * certificate to be checked, but also any default URI and possible
      * override settings for the response manager.
      *
      * @param cert the subject to get the responder URI from
      *
-     * @return a {@code URI} containing the address to the OCSP responder, or
-     *      {@code null} if no AIA extension exists in the certificate and no
-     *      default responder has been configured.
+     * @return a {@code URI} containing the address to the OCSP responder,
+     *      or {@code null} if no AIA extension exists in the certificate
+     *      and no default responder has been configured.
      *
      * @throws NullPointerException if {@code cert} is {@code null}.
      */
@@ -190,10 +208,16 @@
 
         if (cert.getExtensionValue(
                 PKIXExtensions.OCSPNoCheck_Id.toString()) != null) {
-            debugLog("OCSP NoCheck extension found.  OCSP will be skipped");
+            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                SSLLogger.fine(
+                    "OCSP NoCheck extension found.  OCSP will be skipped");
+            }
             return null;
         } else if (defaultResponder != null && respOverride) {
-            debugLog("Responder override: URI is " + defaultResponder);
+            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+              SSLLogger.fine(
+                    "Responder override: URI is " + defaultResponder);
+            }
             return defaultResponder;
         } else {
             URI certURI = OCSP.getResponderURI(cert);
@@ -205,25 +229,29 @@
      * Shutdown the thread pool
      */
     void shutdown() {
-        debugLog("Shutting down " + threadMgr.getActiveCount() +
-                " active threads");
+        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+            SSLLogger.fine("Shutting down " + threadMgr.getActiveCount() +
+                    " active threads");
+        }
         threadMgr.shutdown();
     }
 
     /**
      * Get a list of responses for a chain of certificates.
-     * This will find OCSP responses from the cache, or failing that, directly
-     * contact the OCSP responder.  It is assumed that the certificates in
-     * the provided chain are in their proper order (from end-entity to
-     * trust anchor).
+     *
+     * This will find OCSP responses from the cache, or failing that,
+     * directly contact the OCSP responder.  It is assumed that the
+     * certificates in the provided chain are in their proper order
+     * (from end-entity to trust anchor).
      *
      * @param type the type of request being made of the
      *      {@code StatusResponseManager}
-     * @param request the {@code StatusRequest} from the status_request or
-     *      status_request_v2 ClientHello extension.  A value of {@code null}
-     *      is interpreted as providing no responder IDs or extensions.
-     * @param chain an array of 2 or more certificates.  Each certificate must
-     *      be issued by the next certificate in the chain.
+     * @param request the {@code CertStatusRequest} from the
+     *      status_request or status_request_v2 ClientHello extension.
+     *      A value of {@code null} is interpreted as providing no
+     *      responder IDs or extensions.
+     * @param chain an array of 2 or more certificates.  Each certificate
+     *      must be issued by the next certificate in the chain.
      * @param delay the number of time units to delay before returning
      *      responses.
      * @param unit the unit of time applied to the {@code delay} parameter
@@ -231,17 +259,20 @@
      * @return an unmodifiable {@code Map} containing the certificate and
      *      its usually
      *
-     * @throws SSLHandshakeException if an unsupported {@code StatusRequest}
-     *      is provided.
+     * @throws SSLHandshakeException if an unsupported
+     *      {@code CertStatusRequest} is provided.
      */
-    Map<X509Certificate, byte[]> get(StatusRequestType type,
-            StatusRequest request, X509Certificate[] chain, long delay,
+    Map<X509Certificate, byte[]> get(CertStatusRequestType type,
+            CertStatusRequest request, X509Certificate[] chain, long delay,
             TimeUnit unit) {
         Map<X509Certificate, byte[]> responseMap = new HashMap<>();
         List<OCSPFetchCall> requestList = new ArrayList<>();
 
-        debugLog("Beginning check: Type = " + type + ", Chain length = " +
+        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+            SSLLogger.fine(
+                "Beginning check: Type = " + type + ", Chain length = " +
                 chain.length);
+        }
 
         // It is assumed that the caller has ordered the certs in the chain
         // in the proper order (each certificate is issued by the next entry
@@ -250,7 +281,7 @@
             return Collections.emptyMap();
         }
 
-        if (type == StatusRequestType.OCSP) {
+        if (type == CertStatusRequestType.OCSP) {
             try {
                 // For type OCSP, we only check the end-entity certificate
                 OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;
@@ -264,22 +295,26 @@
                     requestList.add(new OCSPFetchCall(sInfo, ocspReq));
                 }
             } catch (IOException exc) {
-                debugLog("Exception during CertId creation: " + exc);
+                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                    SSLLogger.fine(
+                        "Exception during CertId creation: ", exc);
+                }
             }
-        } else if (type == StatusRequestType.OCSP_MULTI) {
+        } else if (type == CertStatusRequestType.OCSP_MULTI) {
             // For type OCSP_MULTI, we check every cert in the chain that
-            // has a direct issuer at the next index.  We won't have an issuer
-            // certificate for the last certificate in the chain and will
-            // not be able to create a CertId because of that.
+            // has a direct issuer at the next index.  We won't have an
+            // issuer certificate for the last certificate in the chain
+            // and will not be able to create a CertId because of that.
             OCSPStatusRequest ocspReq = (OCSPStatusRequest)request;
             int ctr;
             for (ctr = 0; ctr < chain.length - 1; ctr++) {
                 try {
-                    // The cert at "ctr" is the subject cert, "ctr + 1" is the
-                    // issuer certificate.
+                    // The cert at "ctr" is the subject cert, "ctr + 1"
+                    // is the issuer certificate.
                     CertId cid = new CertId(chain[ctr + 1],
-                            new SerialNumber(chain[ctr].getSerialNumber()));
-                    ResponseCacheEntry cacheEntry = getFromCache(cid, ocspReq);
+                        new SerialNumber(chain[ctr].getSerialNumber()));
+                    ResponseCacheEntry cacheEntry =
+                        getFromCache(cid, ocspReq);
                     if (cacheEntry != null) {
                         responseMap.put(chain[ctr], cacheEntry.ocspBytes);
                     } else {
@@ -287,17 +322,22 @@
                         requestList.add(new OCSPFetchCall(sInfo, ocspReq));
                     }
                 } catch (IOException exc) {
-                    debugLog("Exception during CertId creation: " + exc);
+                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                        SSLLogger.fine(
+                            "Exception during CertId creation: ", exc);
+                    }
                 }
             }
         } else {
-            debugLog("Unsupported status request type: " + type);
+            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                SSLLogger.fine("Unsupported status request type: " + type);
+            }
         }
 
         // If we were able to create one or more Fetches, go and run all
         // of them in separate threads.  For all the threads that completed
-        // in the allotted time, put those status responses into the returned
-        // Map.
+        // in the allotted time, put those status responses into the
+        // returned Map.
         if (!requestList.isEmpty()) {
             try {
                 // Set a bunch of threads to go do the fetching
@@ -307,23 +347,31 @@
                 // Go through the Futures and from any non-cancelled task,
                 // get the bytes and attach them to the responseMap.
                 for (Future<StatusInfo> task : resultList) {
-                    if (task.isDone()) {
-                        if (!task.isCancelled()) {
-                            StatusInfo info = task.get();
-                            if (info != null && info.responseData != null) {
-                                responseMap.put(info.cert,
-                                        info.responseData.ocspBytes);
-                            } else {
-                                debugLog("Completed task had no response data");
-                            }
-                        } else {
-                            debugLog("Found cancelled task");
+                    if (!task.isDone()) {
+                        continue;
+                    }
+
+                    if (!task.isCancelled()) {
+                        StatusInfo info = task.get();
+                        if (info != null && info.responseData != null) {
+                            responseMap.put(info.cert,
+                                    info.responseData.ocspBytes);
+                        } else if (SSLLogger.isOn &&
+                                SSLLogger.isOn("respmgr")) {
+                            SSLLogger.fine(
+                                "Completed task had no response data");
+                        }
+                    } else {
+                        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                            SSLLogger.fine("Found cancelled task");
                         }
                     }
                 }
             } catch (InterruptedException | ExecutionException exc) {
                 // Not sure what else to do here
-                debugLog("Exception when getting data: " + exc);
+                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                    SSLLogger.fine("Exception when getting data: ", exc);
+                }
             }
         }
 
@@ -345,9 +393,13 @@
             OCSPStatusRequest ocspRequest) {
         // Determine if the nonce extension is present in the request.  If
         // so, then do not attempt to retrieve the response from the cache.
-        for (Extension ext : ocspRequest.getExtensions()) {
-            if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
-                debugLog("Nonce extension found, skipping cache check");
+        for (Extension ext : ocspRequest.extensions) {
+            if (ext.getId().equals(
+                    PKIXExtensions.OCSPNonce_Id.toString())) {
+                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                    SSLLogger.fine(
+                            "Nonce extension found, skipping cache check");
+                }
                 return null;
             }
         }
@@ -359,12 +411,18 @@
         // and do not return it as a cache hit.
         if (respEntry != null && respEntry.nextUpdate != null &&
                 respEntry.nextUpdate.before(new Date())) {
-            debugLog("nextUpdate threshold exceeded, purging from cache");
+            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                SSLLogger.fine(
+                    "nextUpdate threshold exceeded, purging from cache");
+            }
             respEntry = null;
         }
 
-        debugLog("Check cache for SN" + cid.getSerialNumber() + ": " +
-                (respEntry != null ? "HIT" : "MISS"));
+        if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+            SSLLogger.fine(
+                    "Check cache for SN" + cid.getSerialNumber() + ": " +
+                    (respEntry != null ? "HIT" : "MISS"));
+        }
         return respEntry;
     }
 
@@ -398,20 +456,6 @@
     }
 
     /**
-     * Log messages through the SSL Debug facility.
-     *
-     * @param message the message to be displayed
-     */
-    static void debugLog(String message) {
-        if (debug != null && Debug.isOn("respmgr")) {
-            StringBuilder sb = new StringBuilder();
-            sb.append("[").append(Thread.currentThread().getName());
-            sb.append("] ").append(message);
-            System.out.println(sb.toString());
-        }
-    }
-
-    /**
      * Inner class used to group request and response data.
      */
     class StatusInfo {
@@ -426,7 +470,7 @@
          * @param subjectCert the certificate to be checked for revocation
          * @param issuerCert the issuer of the {@code subjectCert}
          *
-         * @throws IOException if CertId creation from the certificates fails
+         * @throws IOException if CertId creation from the certificate fails
          */
         StatusInfo(X509Certificate subjectCert, X509Certificate issuerCert)
                 throws IOException {
@@ -471,11 +515,14 @@
         @Override
         public String toString() {
             StringBuilder sb = new StringBuilder("StatusInfo:");
-            sb.append("\n\tCert: ").append(this.cert.getSubjectX500Principal());
+            sb.append("\n\tCert: ").append(
+                    this.cert.getSubjectX500Principal());
             sb.append("\n\tSerial: ").append(this.cert.getSerialNumber());
             sb.append("\n\tResponder: ").append(this.responder);
-            sb.append("\n\tResponse data: ").append(this.responseData != null ?
-                    (this.responseData.ocspBytes.length + " bytes") : "<NULL>");
+            sb.append("\n\tResponse data: ").append(
+                    this.responseData != null ?
+                        (this.responseData.ocspBytes.length + " bytes") :
+                        "<NULL>");
             return sb.toString();
         }
     }
@@ -483,7 +530,7 @@
     /**
      * Static nested class used as the data kept in the response cache.
      */
-    static class ResponseCacheEntry {
+    class ResponseCacheEntry {
         final OCSPResponse.ResponseStatus status;
         final byte[] ocspBytes;
         final Date nextUpdate;
@@ -495,8 +542,8 @@
          *
          * @param responseBytes the DER encoding for the OCSP response
          *
-         * @throws IOException if an {@code OCSPResponse} cannot be created from
-         *      the encoded bytes.
+         * @throws IOException if an {@code OCSPResponse} cannot be
+         *         created from the encoded bytes.
          */
         ResponseCacheEntry(byte[] responseBytes, CertId cid)
                 throws IOException {
@@ -515,8 +562,9 @@
                     // Date is cloned.
                     nextUpdate = singleResp.getNextUpdate();
                 } else {
-                    throw new IOException("Unable to find SingleResponse for " +
-                            "SN " + cid.getSerialNumber());
+                    throw new IOException(
+                            "Unable to find SingleResponse for SN " +
+                            cid.getSerialNumber());
                 }
             } else {
                 nextUpdate = null;
@@ -537,7 +585,8 @@
 
         /**
          * A constructor that builds the OCSPFetchCall from the provided
-         * StatusInfo and information from the status_request[_v2] extension.
+         * StatusInfo and information from the status_request[_v2]
+         * extension.
          *
          * @param info the {@code StatusInfo} containing the subject
          * certificate, CertId, and other supplemental info.
@@ -549,37 +598,54 @@
                     "Null StatusInfo not allowed");
             ocspRequest = Objects.requireNonNull(request,
                     "Null OCSPStatusRequest not allowed");
-            extensions = ocspRequest.getExtensions();
-            responderIds = ocspRequest.getResponderIds();
+            extensions = ocspRequest.extensions;
+            responderIds = ocspRequest.responderIds;
         }
 
         /**
          * Get an OCSP response, either from the cache or from a responder.
          *
-         * @return The StatusInfo object passed into the {@code OCSPFetchCall}
-         * constructor, with the {@code responseData} field filled in with the
-         * response or {@code null} if no response can be obtained.
+         * @return The StatusInfo object passed into the
+         *         {@code OCSPFetchCall} constructor, with the
+         *         {@code responseData} field filled in with the response
+         *         or {@code null} if no response can be obtained.
          */
         @Override
         public StatusInfo call() {
-            debugLog("Starting fetch for SN " + statInfo.cid.getSerialNumber());
+            if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                SSLLogger.fine(
+                    "Starting fetch for SN " +
+                    statInfo.cid.getSerialNumber());
+            }
             try {
                 ResponseCacheEntry cacheEntry;
                 List<Extension> extsToSend;
 
                 if (statInfo.responder == null) {
-                    // If we have no URI then there's nothing to do but return
-                    debugLog("Null URI detected, OCSP fetch aborted.");
+                    // If we have no URI then there's nothing to do
+                    // but return.
+                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                        SSLLogger.fine(
+                            "Null URI detected, OCSP fetch aborted");
+                    }
                     return statInfo;
                 } else {
-                    debugLog("Attempting fetch from " + statInfo.responder);
+                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                        SSLLogger.fine(
+                            "Attempting fetch from " + statInfo.responder);
+                    }
                 }
 
                 // If the StatusResponseManager has been configured to not
-                // forward extensions, then set extensions to an empty list.
-                // We will forward the extensions unless one of two conditions
-                // occur: (1) The jdk.tls.stapling.ignoreExtensions property is
-                // true or (2) There is a non-empty ResponderId list.
+                // forward extensions, then set extensions to an empty
+                // list.
+                //
+                // We will forward the extensions unless one of two
+                // conditions occur:
+                // (1) The jdk.tls.stapling.ignoreExtensions property is
+                //     true, or
+                // (2) There is a non-empty ResponderId list.
+                //
                 // ResponderId selection is a feature that will be
                 // supported in the future.
                 extsToSend = (ignoreExtensions || !responderIds.isEmpty()) ?
@@ -595,8 +661,10 @@
                             statInfo.cid);
 
                     // Get the response status and act on it appropriately
-                    debugLog("OCSP Status: " + cacheEntry.status +
+                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                        SSLLogger.fine("OCSP Status: " + cacheEntry.status +
                             " (" + respBytes.length + " bytes)");
+                    }
                     if (cacheEntry.status ==
                             OCSPResponse.ResponseStatus.SUCCESSFUL) {
                         // Set the response in the returned StatusInfo
@@ -606,10 +674,15 @@
                         addToCache(statInfo.cid, cacheEntry);
                     }
                 } else {
-                    debugLog("No data returned from OCSP Responder");
+                    if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                        SSLLogger.fine(
+                            "No data returned from OCSP Responder");
+                    }
                 }
             } catch (IOException ioe) {
-                debugLog("Caught exception: " + ioe);
+                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                    SSLLogger.fine("Caught exception: ", ioe);
+                }
             }
 
             return statInfo;
@@ -626,22 +699,28 @@
             // If no cache lifetime has been set on entries then
             // don't cache this response if there is no nextUpdate field
             if (entry.nextUpdate == null && cacheLifetime == 0) {
-                debugLog("Not caching this OCSP response");
+                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                    SSLLogger.fine("Not caching this OCSP response");
+                }
             } else {
                 responseCache.put(certId, entry);
-                debugLog("Added response for SN " + certId.getSerialNumber() +
+                if (SSLLogger.isOn && SSLLogger.isOn("respmgr")) {
+                    SSLLogger.fine(
+                        "Added response for SN " +
+                        certId.getSerialNumber() +
                         " to cache");
+                }
             }
         }
 
         /**
          * Determine the delay to use when scheduling the task that will
          * update the OCSP response.  This is the shorter time between the
-         * cache lifetime and the nextUpdate.  If no nextUpdate is present in
-         * the response, then only the cache lifetime is used.
+         * cache lifetime and the nextUpdate.  If no nextUpdate is present
+         * in the response, then only the cache lifetime is used.
          * If cache timeouts are disabled (a zero value) and there's no
-         * nextUpdate, then the entry is not cached and no rescheduling will
-         * take place.
+         * nextUpdate, then the entry is not cached and no rescheduling
+         * will take place.
          *
          * @param nextUpdate a {@code Date} object corresponding to the
          *      next update time from a SingleResponse.
@@ -667,4 +746,218 @@
             return delaySec;
         }
     }
+
+    static final StaplingParameters processStapling(
+            ServerHandshakeContext shc) {
+        StaplingParameters params = null;
+        SSLExtension ext = null;
+        CertStatusRequestType type = null;
+        CertStatusRequest req = null;
+        Map<X509Certificate, byte[]> responses;
+
+        // If this feature has not been enabled, then no more processing
+        // is necessary.  Also we will only staple if we're doing a full
+        // handshake.
+        if (!shc.sslContext.isStaplingEnabled(false) || shc.isResumption) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Staping disabled or is a resumed session");
+            }
+            return null;
+        }
+
+        // Check if the client has asserted the status_request[_v2] extension(s)
+        Map<SSLExtension, SSLExtension.SSLExtensionSpec> exts =
+                shc.handshakeExtensions;
+        CertStatusRequestSpec statReq = (CertStatusRequestSpec)exts.get(
+                SSLExtension.CH_STATUS_REQUEST);
+        CertStatusRequestV2Spec statReqV2 = (CertStatusRequestV2Spec)
+                exts.get(SSLExtension.CH_STATUS_REQUEST_V2);
+
+        // Determine which type of stapling we are doing and assert the
+        // proper extension in the server hello.
+        // Favor status_request_v2 over status_request and ocsp_multi
+        // over ocsp.
+        // If multiple ocsp or ocsp_multi types exist, select the first
+        // instance of a given type.  Also since we don't support ResponderId
+        // selection yet, only accept a request if the ResponderId field
+        // is empty.  Finally, we'll only do this in (D)TLS 1.2 or earlier.
+        if (statReqV2 != null && !shc.negotiatedProtocol.useTLS13PlusSpec()) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
+                SSLLogger.fine("SH Processing status_request_v2 extension");
+            }
+            // RFC 6961 stapling
+            ext = SSLExtension.CH_STATUS_REQUEST_V2;
+            int ocspIdx = -1;
+            int ocspMultiIdx = -1;
+            CertStatusRequest[] reqItems = statReqV2.certStatusRequests;
+            for (int pos = 0; (pos < reqItems.length &&
+                    (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) {
+                CertStatusRequest item = reqItems[pos];
+                CertStatusRequestType curType =
+                        CertStatusRequestType.valueOf(item.statusType);
+                if (ocspIdx < 0 && curType == CertStatusRequestType.OCSP) {
+                    OCSPStatusRequest ocspReq = (OCSPStatusRequest)item;
+                    // We currently only accept empty responder ID lists
+                    // but may support them in the future
+                    if (ocspReq.responderIds.isEmpty()) {
+                        ocspIdx = pos;
+                    }
+                } else if (ocspMultiIdx < 0 &&
+                        curType == CertStatusRequestType.OCSP_MULTI) {
+                    OCSPStatusRequest ocspReq = (OCSPStatusRequest)item;
+                    // We currently only accept empty responder ID lists
+                    // but may support them in the future
+                    if (ocspReq.responderIds.isEmpty()) {
+                        ocspMultiIdx = pos;
+                    }
+                }
+            }
+            if (ocspMultiIdx >= 0) {
+                req = reqItems[ocspMultiIdx];
+                type = CertStatusRequestType.valueOf(req.statusType);
+            } else if (ocspIdx >= 0) {
+                req = reqItems[ocspIdx];
+                type = CertStatusRequestType.valueOf(req.statusType);
+            } else {
+                if (SSLLogger.isOn &&
+                        SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest("Warning: No suitable request " +
+                            "found in the status_request_v2 extension.");
+                }
+            }
+        }
+
+        // Only attempt to process a status_request extension if:
+        // * The status_request extension is set AND
+        // * either the status_request_v2 extension is not present OR
+        // * none of the underlying OCSPStatusRequest structures is
+        // suitable for stapling.
+        // If either of the latter two bullet items is true the ext,
+        // type and req variables should all be null.  If any are null
+        // we will try processing an asserted status_request.
+        if ((statReq != null) &&
+                (ext == null || type == null || req == null)) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
+                SSLLogger.fine("SH Processing status_request extension");
+            }
+            ext = SSLExtension.CH_STATUS_REQUEST;
+            type = CertStatusRequestType.valueOf(
+                    statReq.statusRequest.statusType);
+            if (type == CertStatusRequestType.OCSP) {
+                // If the type is OCSP, then the request is guaranteed
+                // to be OCSPStatusRequest
+                OCSPStatusRequest ocspReq =
+                        (OCSPStatusRequest)statReq.statusRequest;
+                if (ocspReq.responderIds.isEmpty()) {
+                    req = ocspReq;
+                } else {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.finest("Warning: No suitable request " +
+                            "found in the status_request extension.");
+                    }
+                }
+            }
+        }
+
+        // If, after walking through the extensions we were unable to
+        // find a suitable StatusRequest, then stapling is disabled.
+        // The ext, type and req variables must have been set to continue.
+        if (type == null || req == null || ext == null) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("No suitable status_request or " +
+                        "status_request_v2, stapling is disabled");
+            }
+            return null;
+        }
+
+        // Get the cert chain since we'll need it for OCSP checking
+        X509Possession x509Possession = null;
+        for (SSLPossession possession : shc.handshakePossessions) {
+            if (possession instanceof X509Possession) {
+                x509Possession = (X509Possession)possession;
+                break;
+            }
+        }
+
+        if (x509Possession == null) {       // unlikely
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.finest("Warning: no X.509 certificates found.  " +
+                        "Stapling is disabled.");
+            }
+            return null;
+        }
+
+        // Get the OCSP responses from the StatusResponseManager
+        X509Certificate[] certs = x509Possession.popCerts;
+        StatusResponseManager statRespMgr =
+                shc.sslContext.getStatusResponseManager();
+        if (statRespMgr != null) {
+            // For the purposes of the fetch from the SRM, override the
+            // type when it is TLS 1.3 so it always gets responses for
+            // all certs it can.  This should not change the type field
+            // in the StaplingParameters though.
+            CertStatusRequestType fetchType =
+                    shc.negotiatedProtocol.useTLS13PlusSpec() ?
+                    CertStatusRequestType.OCSP_MULTI : type;
+            responses = statRespMgr.get(fetchType, req, certs,
+                    shc.statusRespTimeout, TimeUnit.MILLISECONDS);
+            if (!responses.isEmpty()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest("Response manager returned " +
+                            responses.size() + " entries.");
+                }
+                // If this RFC 6066-style stapling (SSL cert only) then the
+                // response cannot be zero length
+                if (type == CertStatusRequestType.OCSP) {
+                    byte[] respDER = responses.get(certs[0]);
+                    if (respDER == null || respDER.length <= 0) {
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.finest("Warning: Null or zero-length " +
+                                    "response found for leaf certificate. " +
+                                    "Stapling is disabled.");
+                        }
+                        return null;
+                    }
+                }
+                params = new StaplingParameters(ext, type, req, responses);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest("Warning: no OCSP responses obtained.  " +
+                            "Stapling is disabled.");
+                }
+            }
+        } else {
+            // This should not happen, but if lazy initialization of the
+            // StatusResponseManager doesn't occur we should turn off stapling.
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.finest("Warning: lazy initialization " +
+                        "of the StatusResponseManager failed.  " +
+                        "Stapling is disabled.");
+            }
+            params = null;
+        }
+
+        return params;
+    }
+
+    /**
+     * Inner class used to hold stapling parameters needed by the handshaker
+     * when stapling is active.
+     */
+    static final class StaplingParameters {
+        final SSLExtension statusRespExt;
+        final CertStatusRequestType statReqType;
+        final CertStatusRequest statReqData;
+        final Map<X509Certificate, byte[]> responseMap;
+
+        StaplingParameters(SSLExtension ext, CertStatusRequestType type,
+                CertStatusRequest req, Map<X509Certificate, byte[]> responses) {
+            statusRespExt = ext;
+            statReqType = type;
+            statReqData = req;
+            responseMap = responses;
+        }
+    }
 }
+
--- old/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	2018-05-11 15:06:15.314971800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SunJSSE.java	2018-05-11 15:06:14.840716400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,6 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.security.*;
@@ -62,7 +61,7 @@
 
     private static String info = "Sun JSSE provider" +
         "(PKCS12, SunX509/PKIX key/trust factories, " +
-        "SSLv3/TLSv1/TLSv1.1/TLSv1.2/DTLSv1.0/DTLSv1.2)";
+        "SSLv3/TLSv1/TLSv1.1/TLSv1.2/TLSv1.3/DTLSv1.0/DTLSv1.2)";
 
     private static String fipsInfo =
         "Sun JSSE provider (FIPS mode, crypto provider ";
@@ -149,7 +148,7 @@
     }
 
     private void registerAlgorithms(final boolean isfips) {
-        AccessController.doPrivileged(new PrivilegedAction<>() {
+        AccessController.doPrivileged(new PrivilegedAction<Object>() {
             @Override
             public Object run() {
                 doRegister(isfips);
@@ -161,12 +160,12 @@
     private void doRegister(boolean isfips) {
         if (isfips == false) {
             put("KeyFactory.RSA",
-                "sun.security.rsa.RSAKeyFactory");
+                "sun.security.rsa.RSAKeyFactory$Legacy");
             put("Alg.Alias.KeyFactory.1.2.840.113549.1.1", "RSA");
             put("Alg.Alias.KeyFactory.OID.1.2.840.113549.1.1", "RSA");
 
             put("KeyPairGenerator.RSA",
-                "sun.security.rsa.RSAKeyPairGenerator");
+                "sun.security.rsa.RSAKeyPairGenerator$Legacy");
             put("Alg.Alias.KeyPairGenerator.1.2.840.113549.1.1", "RSA");
             put("Alg.Alias.KeyPairGenerator.OID.1.2.840.113549.1.1", "RSA");
 
@@ -214,6 +213,8 @@
             "sun.security.ssl.SSLContextImpl$TLS11Context");
         put("SSLContext.TLSv1.2",
             "sun.security.ssl.SSLContextImpl$TLS12Context");
+        put("SSLContext.TLSv1.3",
+            "sun.security.ssl.SSLContextImpl$TLS13Context");
         put("SSLContext.TLS",
             "sun.security.ssl.SSLContextImpl$TLSContext");
         if (isfips == false) {
--- old/src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java	2018-05-11 15:06:16.884173500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SunX509KeyManagerImpl.java	2018-05-11 15:06:16.394344800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,13 +25,27 @@
 
 package sun.security.ssl;
 
-import javax.net.ssl.*;
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-import java.util.*;
 import java.net.Socket;
-
+import java.security.Key;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.UnrecoverableKeyException;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedKeyManager;
 import javax.security.auth.x500.X500Principal;
 
 
@@ -67,8 +81,6 @@
  */
 final class SunX509KeyManagerImpl extends X509ExtendedKeyManager {
 
-    private static final Debug debug = Debug.getInstance("ssl");
-
     private static final String[] STRING0 = new String[0];
 
     /*
@@ -148,14 +160,8 @@
             X509Credentials cred = new X509Credentials((PrivateKey)key,
                 (X509Certificate[])certs);
             credentialsMap.put(alias, cred);
-            if (debug != null && Debug.isOn("keymanager")) {
-                System.out.println("***");
-                System.out.println("found key for : " + alias);
-                for (int i = 0; i < certs.length; i++) {
-                    System.out.println("chain [" + i + "] = "
-                    + certs[i]);
-                }
-                System.out.println("***");
+            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                SSLLogger.fine("found key for : " + alias, (Object[])certs);
             }
         }
     }
@@ -382,8 +388,8 @@
             if (issuers.length == 0) {
                 // no issuer specified, match all
                 aliases.add(alias);
-                if (debug != null && Debug.isOn("keymanager")) {
-                    System.out.println("matching alias: " + alias);
+                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                    SSLLogger.fine("matching alias: " + alias);
                 }
             } else {
                 Set<X500Principal> certIssuers =
@@ -391,8 +397,8 @@
                 for (int i = 0; i < x500Issuers.length; i++) {
                     if (certIssuers.contains(issuers[i])) {
                         aliases.add(alias);
-                        if (debug != null && Debug.isOn("keymanager")) {
-                            System.out.println("matching alias: " + alias);
+                        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                            SSLLogger.fine("matching alias: " + alias);
                         }
                         break;
                     }
--- old/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	2018-05-11 15:06:18.451047500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java	2018-05-11 15:06:17.975273700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,466 +26,1012 @@
 package sun.security.ssl;
 
 import java.io.IOException;
-import java.security.spec.ECGenParameterSpec;
-import java.security.spec.InvalidParameterSpecException;
-import java.security.AlgorithmParameters;
+import java.nio.ByteBuffer;
+import java.security.AccessController;
 import java.security.AlgorithmConstraints;
+import java.security.AlgorithmParameters;
 import java.security.CryptoPrimitive;
-import java.security.AccessController;
+import java.security.NoSuchAlgorithmException;
 import java.security.spec.AlgorithmParameterSpec;
-import javax.crypto.spec.DHParameterSpec;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.HashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
 import java.util.Map;
-import java.util.ArrayList;
+import javax.crypto.spec.DHParameterSpec;
 import javax.net.ssl.SSLProtocolException;
-
 import sun.security.action.GetPropertyAction;
+import static sun.security.ssl.SSLExtension.CH_SUPPORTED_GROUPS;
+import static sun.security.ssl.SSLExtension.EE_SUPPORTED_GROUPS;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
 
-//
-// Note: Since RFC 7919, the extension's semantics are expanded from
-// "Supported Elliptic Curves" to "Supported Groups".  The enum datatype
-// used in the extension has been renamed from NamedCurve to NamedGroup.
-// Its semantics are likewise expanded from "named curve" to "named group".
-//
-final class SupportedGroupsExtension extends HelloExtension {
-
-    /* Class and subclass dynamic debugging support */
-    private static final Debug debug = Debug.getInstance("ssl");
-
-    private static final int ARBITRARY_PRIME = 0xff01;
-    private static final int ARBITRARY_CHAR2 = 0xff02;
-
-    // cache to speed up the parameters construction
-    private static final Map<NamedGroup,
-                AlgorithmParameters> namedGroupParams = new HashMap<>();
-
-    // the supported named groups
-    private static final NamedGroup[] supportedNamedGroups;
-
-    // the named group presented in the extension
-    private final int[] requestedNamedGroupIds;
+/**
+ * Pack of the "supported_groups" extensions [RFC 4492/7919].
+ */
+final class SupportedGroupsExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHSupportedGroupsProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHSupportedGroupsConsumer();
+    static final SSLStringize sgsStringize =
+            new SupportedGroupsStringize();
+
+    static final HandshakeProducer eeNetworkProducer =
+            new EESupportedGroupsProducer();
+    static final ExtensionConsumer eeOnLoadConcumer =
+            new EESupportedGroupsConsumer();
+
+    /**
+     * The "supported_groups" extension.
+     */
+    static final class SupportedGroupsSpec implements SSLExtensionSpec {
+        final int[] namedGroupsIds;
 
-    static {
-        boolean requireFips = SunJSSE.isFIPS();
+        private SupportedGroupsSpec(int[] namedGroupsIds) {
+            this.namedGroupsIds = namedGroupsIds;
+        }
 
-        // The value of the System Property defines a list of enabled named
-        // groups in preference order, separated with comma.  For example:
-        //
-        //      jdk.tls.namedGroups="secp521r1, secp256r1, ffdhe2048"
-        //
-        // If the System Property is not defined or the value is empty, the
-        // default groups and preferences will be used.
-        String property = AccessController.doPrivileged(
-                    new GetPropertyAction("jdk.tls.namedGroups"));
-        if (property != null && property.length() != 0) {
-            // remove double quote marks from beginning/end of the property
-            if (property.length() > 1 && property.charAt(0) == '"' &&
-                    property.charAt(property.length() - 1) == '"') {
-                property = property.substring(1, property.length() - 1);
+        private SupportedGroupsSpec(List<NamedGroup> namedGroups) {
+            this.namedGroupsIds = new int[namedGroups.size()];
+            int i = 0;
+            for (NamedGroup ng : namedGroups) {
+                namedGroupsIds[i++] = ng.id;
             }
         }
 
-        ArrayList<NamedGroup> groupList;
-        if (property != null && property.length() != 0) {   // customized groups
-            String[] groups = property.split(",");
-            groupList = new ArrayList<>(groups.length);
-            for (String group : groups) {
-                group = group.trim();
-                if (!group.isEmpty()) {
-                    NamedGroup namedGroup = NamedGroup.nameOf(group);
-                    if (namedGroup != null &&
-                            (!requireFips || namedGroup.isFips)) {
-                        if (isAvailableGroup(namedGroup)) {
-                            groupList.add(namedGroup);
-                        }
-                    }   // ignore unknown groups
-                }
+        private SupportedGroupsSpec(ByteBuffer m) throws IOException  {
+            if (m.remaining() < 2) {      // 2: the length of the list
+                throw new SSLProtocolException(
+                    "Invalid supported_groups extension: insufficient data");
+            }
+
+            byte[] ngs = Record.getBytes16(m);
+            if (m.hasRemaining()) {
+                throw new SSLProtocolException(
+                    "Invalid supported_groups extension: unknown extra data");
+            }
+
+            if ((ngs == null) || (ngs.length == 0) || (ngs.length % 2 != 0)) {
+                throw new SSLProtocolException(
+                    "Invalid supported_groups extension: incomplete data");
             }
 
-            if (groupList.isEmpty() && JsseJce.isEcAvailable()) {
-                throw new IllegalArgumentException(
-                    "System property jdk.tls.namedGroups(" + property + ") " +
-                    "contains no supported elliptic curves");
-            }
-        } else {        // default groups
-            NamedGroup[] groups;
-            if (requireFips) {
-                groups = new NamedGroup[] {
-                    // only NIST curves in FIPS mode
-                    NamedGroup.SECP256_R1,
-                    NamedGroup.SECP384_R1,
-                    NamedGroup.SECP521_R1,
-                    NamedGroup.SECT283_K1,
-                    NamedGroup.SECT283_R1,
-                    NamedGroup.SECT409_K1,
-                    NamedGroup.SECT409_R1,
-                    NamedGroup.SECT571_K1,
-                    NamedGroup.SECT571_R1,
-
-                    // FFDHE 2048
-                    NamedGroup.FFDHE_2048,
-                    NamedGroup.FFDHE_3072,
-                    NamedGroup.FFDHE_4096,
-                    NamedGroup.FFDHE_6144,
-                    NamedGroup.FFDHE_8192,
-                };
+            int[] ids = new int[ngs.length / 2];
+            for (int i = 0, j = 0; i < ngs.length;) {
+                ids[j++] = ((ngs[i++] & 0xFF) << 8) | (ngs[i++] & 0xFF);
+            }
+
+            this.namedGroupsIds = ids;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"versions\": '['{0}']'", Locale.ENGLISH);
+
+            if (namedGroupsIds == null || namedGroupsIds.length == 0) {
+                Object[] messageFields = {
+                        "<no supported named group specified>"
+                    };
+                return messageFormat.format(messageFields);
             } else {
-                groups = new NamedGroup[] {
-                    // NIST curves first
-                    NamedGroup.SECP256_R1,
-                    NamedGroup.SECP384_R1,
-                    NamedGroup.SECP521_R1,
-                    NamedGroup.SECT283_K1,
-                    NamedGroup.SECT283_R1,
-                    NamedGroup.SECT409_K1,
-                    NamedGroup.SECT409_R1,
-                    NamedGroup.SECT571_K1,
-                    NamedGroup.SECT571_R1,
-
-                    // non-NIST curves
-                    NamedGroup.SECP256_K1,
-
-                    // FFDHE 2048
-                    NamedGroup.FFDHE_2048,
-                    NamedGroup.FFDHE_3072,
-                    NamedGroup.FFDHE_4096,
-                    NamedGroup.FFDHE_6144,
-                    NamedGroup.FFDHE_8192,
-                };
-            }
-
-            groupList = new ArrayList<>(groups.length);
-            for (NamedGroup group : groups) {
-                if (isAvailableGroup(group)) {
-                    groupList.add(group);
+                StringBuilder builder = new StringBuilder(512);
+                boolean isFirst = true;
+                for (int ngid : namedGroupsIds) {
+                    if (isFirst) {
+                        isFirst = false;
+                    } else {
+                        builder.append(", ");
+                    }
+
+                    builder.append(NamedGroup.nameOf(ngid));
                 }
+
+                Object[] messageFields = {
+                        builder.toString()
+                    };
+
+                return messageFormat.format(messageFields);
             }
         }
+    }
 
-        if (debug != null && groupList.isEmpty()) {
-            Debug.log(
-                "Initialized [jdk.tls.namedGroups|default] list contains " +
-                "no available elliptic curves. " +
-                (property != null ? "(" + property + ")" : "[Default]"));
-        }
-
-        supportedNamedGroups = new NamedGroup[groupList.size()];
-        int i = 0;
-        for (NamedGroup namedGroup : groupList) {
-            supportedNamedGroups[i++] = namedGroup;
+    private static final
+            class SupportedGroupsStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new SupportedGroupsSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
         }
     }
 
-    // check whether the group is supported by the underlying providers
-    private static boolean isAvailableGroup(NamedGroup namedGroup) {
-        AlgorithmParameters params = null;
-        AlgorithmParameterSpec spec = null;
-        if ("EC".equals(namedGroup.algorithm)) {
-            if (namedGroup.oid != null) {
-                try {
-                    params = JsseJce.getAlgorithmParameters("EC");
-                    spec = new ECGenParameterSpec(namedGroup.oid);
-                } catch (Exception e) {
-                    return false;
+    static enum NamedGroupType {
+        NAMED_GROUP_ECDHE,          // Elliptic Curve Groups (ECDHE)
+        NAMED_GROUP_FFDHE,          // Finite Field Groups (DHE)
+        NAMED_GROUP_XDH,            // Finite Field Groups (XDH)
+        NAMED_GROUP_ARBITRARY,      // arbitrary prime and curves (ECDHE)
+        NAMED_GROUP_NONE;           // Not predefined named group
+
+        boolean isSupported(List<CipherSuite> cipherSuites) {
+            for (CipherSuite cs : cipherSuites) {
+                if (cs.keyExchange == null || cs.keyExchange.groupType == this) {
+                    return true;
                 }
             }
-        } else if ("DiffieHellman".equals(namedGroup.algorithm)) {
-            try {
-                params = JsseJce.getAlgorithmParameters("DiffieHellman");
-                spec = getFFDHEDHParameterSpec(namedGroup);
-            } catch (Exception e) {
-                return false;
-            }
+
+            return false;
         }
+    }
 
-        if ((params != null) && (spec != null)) {
-            try {
-                params.init(spec);
-            } catch (Exception e) {
-                return false;
-            }
+    static enum NamedGroup {
+        // Elliptic Curves (RFC 4492)
+        //
+        // See sun.security.util.CurveDB for the OIDs
+        // NIST K-163
+        SECT163_K1  (0x0001, "sect163k1", "1.3.132.0.1", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT163_R1  (0x0002, "sect163r1", "1.3.132.0.2", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-163
+        SECT163_R2  (0x0003, "sect163r2", "1.3.132.0.15", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT193_R1  (0x0004, "sect193r1", "1.3.132.0.24", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT193_R2  (0x0005, "sect193r2", "1.3.132.0.25", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-233
+        SECT233_K1  (0x0006, "sect233k1", "1.3.132.0.26", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-233
+        SECT233_R1  (0x0007, "sect233r1", "1.3.132.0.27", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECT239_K1  (0x0008, "sect239k1", "1.3.132.0.3", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-283
+        SECT283_K1  (0x0009, "sect283k1", "1.3.132.0.16", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-283
+        SECT283_R1  (0x000A, "sect283r1", "1.3.132.0.17", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-409
+        SECT409_K1  (0x000B, "sect409k1", "1.3.132.0.36", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-409
+        SECT409_R1  (0x000C, "sect409r1", "1.3.132.0.37", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST K-571
+        SECT571_K1  (0x000D, "sect571k1", "1.3.132.0.38", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST B-571
+        SECT571_R1  (0x000E, "sect571r1", "1.3.132.0.39", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP160_K1  (0x000F, "secp160k1", "1.3.132.0.9", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP160_R1  (0x0010, "secp160r1", "1.3.132.0.8", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP160_R2  (0x0011, "secp160r2", "1.3.132.0.30", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP192_K1  (0x0012, "secp192k1", "1.3.132.0.31", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST P-192
+        SECP192_R1  (0x0013, "secp192r1", "1.2.840.10045.3.1.1", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP224_K1  (0x0014, "secp224k1", "1.3.132.0.32", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        // NIST P-224
+        SECP224_R1  (0x0015, "secp224r1", "1.3.132.0.33", true,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        SECP256_K1  (0x0016, "secp256k1", "1.3.132.0.10", false,
+                            ProtocolVersion.PROTOCOLS_TO_12),
+
+        // NIST P-256
+        SECP256_R1  (0x0017, "secp256r1", "1.2.840.10045.3.1.7", true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // NIST P-384
+        SECP384_R1  (0x0018, "secp384r1", "1.3.132.0.34", true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // NIST P-521
+        SECP521_R1  (0x0019, "secp521r1", "1.3.132.0.35", true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // x25519 and x448
+        X25519      (0x001D, "x25519", true, "x25519",
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        X448        (0x001E, "x448", true, "x448",
+                            ProtocolVersion.PROTOCOLS_TO_13),
+
+        // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
+        FFDHE_2048  (0x0100, "ffdhe2048",  true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_3072  (0x0101, "ffdhe3072",  true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_4096  (0x0102, "ffdhe4096",  true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_6144  (0x0103, "ffdhe6144",  true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
+        FFDHE_8192  (0x0104, "ffdhe8192",  true,
+                            ProtocolVersion.PROTOCOLS_TO_13),
 
-            // cache the parameters
-            namedGroupParams.put(namedGroup, params);
+        // Elliptic Curves (RFC 4492)
+        //
+        // arbitrary prime and characteristic-2 curves
+        ARBITRARY_PRIME  (0xFF01, "arbitrary_explicit_prime_curves",
+                            ProtocolVersion.PROTOCOLS_TO_12),
+        ARBITRARY_CHAR2  (0xFF02, "arbitrary_explicit_char2_curves",
+                            ProtocolVersion.PROTOCOLS_TO_12);
+
+        final int id;               // hash + signature
+        final NamedGroupType type;  // group type
+        final String name;          // literal name
+        final String oid;           // object identifier of the named group
+        final String algorithm;     // signature algorithm
+        final boolean isFips;       // can be used in FIPS mode?
+        final ProtocolVersion[] supportedProtocols;
+
+        // Constructor used for Elliptic Curve Groups (ECDHE)
+        private NamedGroup(int id, String name, String oid, boolean isFips,
+                ProtocolVersion[] supportedProtocols) {
+            this.id = id;
+            this.type = NamedGroupType.NAMED_GROUP_ECDHE;
+            this.name = name;
+            this.oid = oid;
+            this.algorithm = "EC";
+            this.isFips = isFips;
+            this.supportedProtocols = supportedProtocols;
+        }
+
+        // Constructor used for Elliptic Curve Groups (XDH)
+        private NamedGroup(int id, String name,
+                boolean isFips, String algorithm,
+                ProtocolVersion[] supportedProtocols) {
+            this.id = id;
+            this.type = NamedGroupType.NAMED_GROUP_XDH;
+            this.name = name;
+            this.oid = null;
+            this.algorithm = algorithm;
+            this.isFips = isFips;
+            this.supportedProtocols = supportedProtocols;
+        }
+
+        // Constructor used for Finite Field Diffie-Hellman Groups (FFDHE)
+        private NamedGroup(int id, String name, boolean isFips,
+                ProtocolVersion[] supportedProtocols) {
+            this.id = id;
+            this.type = NamedGroupType.NAMED_GROUP_FFDHE;
+            this.name = name;
+            this.oid = null;
+            this.algorithm = "DiffieHellman";
+            this.isFips = isFips;
+            this.supportedProtocols = supportedProtocols;
+        }
+
+        // Constructor used for arbitrary prime and curves (ECDHE)
+        private NamedGroup(int id, String name,
+                ProtocolVersion[] supportedProtocols) {
+            this.id = id;
+            this.type = NamedGroupType.NAMED_GROUP_ARBITRARY;
+            this.name = name;
+            this.oid = null;
+            this.algorithm = "EC";
+            this.isFips = false;
+            this.supportedProtocols = supportedProtocols;
+        }
+
+        static NamedGroup valueOf(int id) {
+            for (NamedGroup group : NamedGroup.values()) {
+                if (group.id == id) {
+                    return group;
+                }
+            }
 
-            return true;
+            return null;
         }
 
-        return false;
-    }
+        static NamedGroup valueOf(ECParameterSpec params) {
+            String oid = JsseJce.getNamedCurveOid(params);
+            if ((oid != null) && (!oid.isEmpty())) {
+                for (NamedGroup group : NamedGroup.values()) {
+                    if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) &&
+                            oid.equals(group.oid)) {
+                        return group;
+                    }
+                }
+            }
 
-    private static DHParameterSpec getFFDHEDHParameterSpec(
-            NamedGroup namedGroup) {
-        DHParameterSpec spec = null;
-        switch (namedGroup) {
-            case FFDHE_2048:
-                spec = PredefinedDHParameterSpecs.ffdheParams.get(2048);
-                break;
-            case FFDHE_3072:
-                spec = PredefinedDHParameterSpecs.ffdheParams.get(3072);
-                break;
-            case FFDHE_4096:
-                spec = PredefinedDHParameterSpecs.ffdheParams.get(4096);
-                break;
-            case FFDHE_6144:
-                spec = PredefinedDHParameterSpecs.ffdheParams.get(6144);
-                break;
-            case FFDHE_8192:
-                spec = PredefinedDHParameterSpecs.ffdheParams.get(8192);
+            return null;
         }
 
-        return spec;
-    }
+        static NamedGroup valueOf(DHParameterSpec params) {
+            for (Map.Entry<NamedGroup, AlgorithmParameters> me :
+                    SupportedGroups.namedGroupParams.entrySet()) {
+                NamedGroup ng = me.getKey();
+                if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
+                    continue;
+                }
 
-    private static DHParameterSpec getPredefinedDHParameterSpec(
-            NamedGroup namedGroup) {
-        DHParameterSpec spec = null;
-        switch (namedGroup) {
-            case FFDHE_2048:
-                spec = PredefinedDHParameterSpecs.definedParams.get(2048);
-                break;
-            case FFDHE_3072:
-                spec = PredefinedDHParameterSpecs.definedParams.get(3072);
-                break;
-            case FFDHE_4096:
-                spec = PredefinedDHParameterSpecs.definedParams.get(4096);
-                break;
-            case FFDHE_6144:
-                spec = PredefinedDHParameterSpecs.definedParams.get(6144);
-                break;
-            case FFDHE_8192:
-                spec = PredefinedDHParameterSpecs.definedParams.get(8192);
-        }
+                DHParameterSpec ngParams = null;
+                AlgorithmParameters aps = me.getValue();
+                try {
+                    ngParams = aps.getParameterSpec(DHParameterSpec.class);
+                } catch (InvalidParameterSpecException ipse) {
+                    // should be unlikely
+                }
 
-        return spec;
-    }
+                if (ngParams == null) {
+                    continue;
+                }
 
-    private SupportedGroupsExtension(int[] requestedNamedGroupIds) {
-        super(ExtensionType.EXT_SUPPORTED_GROUPS);
+                if (ngParams.getP().equals(params.getP()) &&
+                        ngParams.getG().equals(params.getG())) {
+                    return ng;
+                }
+            }
 
-        this.requestedNamedGroupIds = requestedNamedGroupIds;
-    }
+            return null;
+        }
 
-    SupportedGroupsExtension(HandshakeInStream s, int len) throws IOException {
-        super(ExtensionType.EXT_SUPPORTED_GROUPS);
+        static NamedGroup nameOf(String name) {
+            for (NamedGroup group : NamedGroup.values()) {
+                if (group.name.equals(name)) {
+                    return group;
+                }
+            }
 
-        int k = s.getInt16();
-        if (((len & 1) != 0) || (k == 0) || (k + 2 != len)) {
-            throw new SSLProtocolException("Invalid " + type + " extension");
+            return null;
         }
 
-        // Note: unknown named group will be ignored later.
-        requestedNamedGroupIds = new int[k >> 1];
-        for (int i = 0; i < requestedNamedGroupIds.length; i++) {
-            requestedNamedGroupIds[i] = s.getInt16();
+        static String nameOf(int id) {
+            for (NamedGroup group : NamedGroup.values()) {
+                if (group.id == id) {
+                    return group.name;
+                }
+            }
+
+            return "UNDEFINED-NAMED-GROUP(" + id + ")";
         }
-    }
 
-    // Get a local preferred supported ECDHE group permitted by the constraints.
-    static NamedGroup getPreferredECGroup(AlgorithmConstraints constraints) {
-        for (NamedGroup namedGroup : supportedNamedGroups) {
-            if ((namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) &&
-                constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                    namedGroup.algorithm, namedGroupParams.get(namedGroup))) {
+        boolean isAvailable(List<ProtocolVersion> protocolVersions) {
+            for (ProtocolVersion pv : supportedProtocols) {
+                if (protocolVersions.contains(pv)) {
+                    return true;
+                }
+            }
+            return false;
+        }
+
+        boolean isAvailable(ProtocolVersion protocolVersion) {
+            for (ProtocolVersion pv : supportedProtocols) {
+                if (protocolVersion == pv) {
+                    return true;
+                }
+            }
+            return false;
+        }
 
-                return namedGroup;
+        boolean isSupported(List<CipherSuite> cipherSuites) {
+            for (CipherSuite cs : cipherSuites) {
+                boolean isMatch = isAvailable(cs.supportedProtocols);
+                if (isMatch && (cs.keyExchange == null ||
+                        cs.keyExchange.groupType == type)) {
+                    return true;
+                }
             }
+            return false;
         }
 
-        return null;
+        // lazy loading of parameters
+        AlgorithmParameters getParameters() {
+            return SupportedGroups.namedGroupParams.get(this);
+        }
+
+        AlgorithmParameterSpec getParameterSpec() {
+            if (this.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                return SupportedGroups.getECGenParamSpec(this);
+            } else if (this.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                return SupportedGroups.getDHParameterSpec(this);
+            }
+
+            return null;
+        }
     }
 
-    // Is there any supported group permitted by the constraints?
-    static boolean isActivatable(
-            AlgorithmConstraints constraints, NamedGroupType type) {
-
-        boolean hasFFDHEGroups = false;
-        for (NamedGroup namedGroup : supportedNamedGroups) {
-            if (namedGroup.type == type) {
-                if (constraints.permits(
-                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                        namedGroup.algorithm,
-                        namedGroupParams.get(namedGroup))) {
+    static class SupportedGroups {
+        // To switch off the supported_groups extension for DHE cipher suite.
+        static final boolean enableFFDHE =
+                Utilities.getBooleanProperty("jsse.enableFFDHE", true);
+
+        // cache to speed up the parameters construction
+        static final Map<NamedGroup,
+                    AlgorithmParameters> namedGroupParams = new HashMap<>();
+
+        // the supported named groups
+        static final NamedGroup[] supportedNamedGroups;
+
+        static {
+            boolean requireFips = SunJSSE.isFIPS();
+
+            // The value of the System Property defines a list of enabled named
+            // groups in preference order, separated with comma.  For example:
+            //
+            //      jdk.tls.namedGroups="secp521r1, secp256r1, ffdhe2048"
+            //
+            // If the System Property is not defined or the value is empty, the
+            // default groups and preferences will be used.
+            String property = AccessController.doPrivileged(
+                        new GetPropertyAction("jdk.tls.namedGroups"));
+            if (property != null && property.length() != 0) {
+                // remove double quote marks from beginning/end of the property
+                if (property.length() > 1 && property.charAt(0) == '"' &&
+                        property.charAt(property.length() - 1) == '"') {
+                    property = property.substring(1, property.length() - 1);
+                }
+            }
 
-                    return true;
+            ArrayList<NamedGroup> groupList;
+            if (property != null && property.length() != 0) {
+                String[] groups = property.split(",");
+                groupList = new ArrayList<>(groups.length);
+                for (String group : groups) {
+                    group = group.trim();
+                    if (!group.isEmpty()) {
+                        NamedGroup namedGroup = NamedGroup.nameOf(group);
+                        if (namedGroup != null &&
+                                (!requireFips || namedGroup.isFips)) {
+                            if (isAvailableGroup(namedGroup)) {
+                                groupList.add(namedGroup);
+                            }
+                        }   // ignore unknown groups
+                    }
                 }
 
-                if (!hasFFDHEGroups &&
-                        (type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+                if (groupList.isEmpty()) {
+                    throw new IllegalArgumentException(
+                            "System property jdk.tls.namedGroups(" +
+                            property + ") contains no supported named groups");
+                }
+            } else {        // default groups
+                NamedGroup[] groups;
+                if (requireFips) {
+                    groups = new NamedGroup[] {
+                        // only NIST curves in FIPS mode
+                        NamedGroup.SECP256_R1,
+                        NamedGroup.SECP384_R1,
+                        NamedGroup.SECP521_R1,
+                        NamedGroup.SECT283_K1,
+                        NamedGroup.SECT283_R1,
+                        NamedGroup.SECT409_K1,
+                        NamedGroup.SECT409_R1,
+                        NamedGroup.SECT571_K1,
+                        NamedGroup.SECT571_R1,
+
+                        // FFDHE 2048
+                        NamedGroup.FFDHE_2048,
+                        NamedGroup.FFDHE_3072,
+                        NamedGroup.FFDHE_4096,
+                        NamedGroup.FFDHE_6144,
+                        NamedGroup.FFDHE_8192,
+                    };
+                } else {
+                    groups = new NamedGroup[] {
+                        // NIST curves first
+                        NamedGroup.SECP256_R1,
+                        NamedGroup.SECP384_R1,
+                        NamedGroup.SECP521_R1,
+                        NamedGroup.SECT283_K1,
+                        NamedGroup.SECT283_R1,
+                        NamedGroup.SECT409_K1,
+                        NamedGroup.SECT409_R1,
+                        NamedGroup.SECT571_K1,
+                        NamedGroup.SECT571_R1,
+
+                        // non-NIST curves
+                        NamedGroup.SECP256_K1,
+
+                        // FFDHE 2048
+                        NamedGroup.FFDHE_2048,
+                        NamedGroup.FFDHE_3072,
+                        NamedGroup.FFDHE_4096,
+                        NamedGroup.FFDHE_6144,
+                        NamedGroup.FFDHE_8192,
+                    };
+                }
+
+                groupList = new ArrayList<>(groups.length);
+                for (NamedGroup group : groups) {
+                    if (isAvailableGroup(group)) {
+                        groupList.add(group);
+                    }
+                }
 
-                    hasFFDHEGroups = true;
+                if (groupList.isEmpty() &&
+                        SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.warning("No default named groups");
                 }
             }
-        }
 
-        // For compatibility, if no FFDHE groups are defined, the non-FFDHE
-        // compatible mode (using DHE cipher suite without FFDHE extension)
-        // is allowed.
-        //
-        // Note that the constraints checking on DHE parameters will be
-        // performed during key exchanging in a handshake.
-        if (!hasFFDHEGroups && (type == NamedGroupType.NAMED_GROUP_FFDHE)) {
-            return true;
+            supportedNamedGroups = new NamedGroup[groupList.size()];
+            int i = 0;
+            for (NamedGroup namedGroup : groupList) {
+                supportedNamedGroups[i++] = namedGroup;
+            }
         }
 
-        return false;
-    }
+        // check whether the group is supported by the underlying providers
+        private static boolean isAvailableGroup(NamedGroup namedGroup) {
+            AlgorithmParameters params = null;
+            AlgorithmParameterSpec spec = null;
+            if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                if (namedGroup.oid != null) {
+                    try {
+                        params = JsseJce.getAlgorithmParameters("EC");
+                        spec = new ECGenParameterSpec(namedGroup.oid);
+                    } catch (NoSuchAlgorithmException e) {
+                        return false;
+                    }
+                }
+            } else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                try {
+                    params = JsseJce.getAlgorithmParameters("DiffieHellman");
+                    spec = getFFDHEDHParameterSpec(namedGroup);
+                } catch (NoSuchAlgorithmException e) {
+                    return false;
+                }
+            }   // Otherwise, unsupported.
+
+            if ((params != null) && (spec != null)) {
+                try {
+                    params.init(spec);
+                } catch (InvalidParameterSpecException e) {
+                    return false;
+                }
 
-    // Create the default supported groups extension.
-    static SupportedGroupsExtension createExtension(
-            AlgorithmConstraints constraints,
-            CipherSuiteList cipherSuites, boolean enableFFDHE) {
+                // cache the parameters
+                namedGroupParams.put(namedGroup, params);
 
-        ArrayList<Integer> groupList =
-                new ArrayList<>(supportedNamedGroups.length);
-        for (NamedGroup namedGroup : supportedNamedGroups) {
-            if ((!enableFFDHE) &&
-                (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
-                continue;
+                return true;
             }
 
-            if (cipherSuites.contains(namedGroup.type) &&
-                constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                    namedGroup.algorithm, namedGroupParams.get(namedGroup))) {
+            return false;
+        }
 
-                groupList.add(namedGroup.id);
+        private static DHParameterSpec getFFDHEDHParameterSpec(
+                NamedGroup namedGroup) {
+            DHParameterSpec spec = null;
+            switch (namedGroup) {
+                case FFDHE_2048:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(2048);
+                    break;
+                case FFDHE_3072:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(3072);
+                    break;
+                case FFDHE_4096:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(4096);
+                    break;
+                case FFDHE_6144:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(6144);
+                    break;
+                case FFDHE_8192:
+                    spec = PredefinedDHParameterSpecs.ffdheParams.get(8192);
             }
+
+            return spec;
         }
 
-        if (!groupList.isEmpty()) {
-            int[] ids = new int[groupList.size()];
-            int i = 0;
-            for (Integer id : groupList) {
-                ids[i++] = id;
+        private static DHParameterSpec getPredefinedDHParameterSpec(
+                NamedGroup namedGroup) {
+            DHParameterSpec spec = null;
+            switch (namedGroup) {
+                case FFDHE_2048:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(2048);
+                    break;
+                case FFDHE_3072:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(3072);
+                    break;
+                case FFDHE_4096:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(4096);
+                    break;
+                case FFDHE_6144:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(6144);
+                    break;
+                case FFDHE_8192:
+                    spec = PredefinedDHParameterSpecs.definedParams.get(8192);
             }
 
-            return new SupportedGroupsExtension(ids);
+            return spec;
         }
 
-        return null;
-    }
+        static ECGenParameterSpec getECGenParamSpec(NamedGroup namedGroup) {
+            if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) {
+                throw new RuntimeException(
+                        "Not a named EC group: " + namedGroup);
+            }
 
-    // get the preferred activated named group
-    NamedGroup getPreferredGroup(
-            AlgorithmConstraints constraints, NamedGroupType type) {
+            AlgorithmParameters params = namedGroupParams.get(namedGroup);
+            try {
+                return params.getParameterSpec(ECGenParameterSpec.class);
+            } catch (InvalidParameterSpecException ipse) {
+                // should be unlikely
+                return new ECGenParameterSpec(namedGroup.oid);
+            }
+        }
 
-        for (int groupId : requestedNamedGroupIds) {
-            NamedGroup namedGroup = NamedGroup.valueOf(groupId);
-            if ((namedGroup != null) && (namedGroup.type == type) &&
-                SupportedGroupsExtension.supports(namedGroup) &&
-                constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                    namedGroup.algorithm, namedGroupParams.get(namedGroup))) {
+        static DHParameterSpec getDHParameterSpec(NamedGroup namedGroup) {
+            if (namedGroup.type != NamedGroupType.NAMED_GROUP_FFDHE) {
+                throw new RuntimeException(
+                        "Not a named DH group: " + namedGroup);
+            }
 
-                return namedGroup;
+            AlgorithmParameters params = namedGroupParams.get(namedGroup);
+            try {
+                return params.getParameterSpec(DHParameterSpec.class);
+            } catch (InvalidParameterSpecException ipse) {
+                // should be unlikely
+                return getPredefinedDHParameterSpec(namedGroup);
             }
         }
 
-        return null;
-    }
+        // Is there any supported group permitted by the constraints?
+        static boolean isActivatable(
+                AlgorithmConstraints constraints, NamedGroupType type) {
+
+            boolean hasFFDHEGroups = false;
+            for (NamedGroup namedGroup : supportedNamedGroups) {
+                if (namedGroup.type == type) {
+                    if (constraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            namedGroup.algorithm,
+                            namedGroupParams.get(namedGroup))) {
+
+                        return true;
+                    }
+
+                    if (!hasFFDHEGroups &&
+                            (type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+                        hasFFDHEGroups = true;
+                    }
+                }
+            }
 
-    boolean hasFFDHEGroup() {
-        for (int groupId : requestedNamedGroupIds) {
-            /*
-             * [RFC 7919] Codepoints in the "Supported Groups Registry"
-             * with a high byte of 0x01 (that is, between 256 and 511,
-             * inclusive) are set aside for FFDHE groups.
-             */
-            if ((groupId >= 256) && (groupId <= 511)) {
-                return true;
+            // For compatibility, if no FFDHE groups are defined, the non-FFDHE
+            // compatible mode (using DHE cipher suite without FFDHE extension)
+            // is allowed.
+            //
+            // Note that the constraints checking on DHE parameters will be
+            // performed during key exchanging in a handshake.
+            return !hasFFDHEGroups && type == NamedGroupType.NAMED_GROUP_FFDHE;
+        }
+
+        // Is the named group permitted by the constraints?
+        static boolean isActivatable(
+                AlgorithmConstraints constraints, NamedGroup namedGroup) {
+            if (!isSupported(namedGroup)) {
+                return false;
             }
+
+            return constraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            namedGroup.algorithm,
+                            namedGroupParams.get(namedGroup));
         }
 
-        return false;
-    }
+        // Is there any supported group permitted by the constraints?
+        static boolean isSupported(NamedGroup namedGroup) {
+            for (NamedGroup group : supportedNamedGroups) {
+                if (namedGroup.id == group.id) {
+                    return true;
+                }
+            }
 
-    boolean contains(int index) {
-        for (int groupId : requestedNamedGroupIds) {
-            if (index == groupId) {
-                return true;
+            return false;
+        }
+
+        static NamedGroup getPreferredGroup(
+                ProtocolVersion negotiatedProtocol,
+                AlgorithmConstraints constraints, NamedGroupType type,
+                List<NamedGroup> requestedNamedGroups) {
+            for (NamedGroup namedGroup : requestedNamedGroups) {
+                if ((namedGroup.type == type) &&
+                        namedGroup.isAvailable(negotiatedProtocol) &&
+                        constraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                namedGroup.algorithm,
+                                namedGroupParams.get(namedGroup))) {
+                    return namedGroup;
+                }
             }
+
+            return null;
         }
-        return false;
-    }
 
-    @Override
-    int length() {
-        return 6 + (requestedNamedGroupIds.length << 1);
-    }
+        static NamedGroup getPreferredGroup(
+                ProtocolVersion negotiatedProtocol,
+                AlgorithmConstraints constraints, NamedGroupType type) {
+            for (NamedGroup namedGroup : supportedNamedGroups) {
+                if ((namedGroup.type == type) &&
+                        namedGroup.isAvailable(negotiatedProtocol) &&
+                        constraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                namedGroup.algorithm,
+                                namedGroupParams.get(namedGroup))) {
+                    return namedGroup;
+                }
+            }
 
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        int k = requestedNamedGroupIds.length << 1;
-        s.putInt16(k + 2);
-        s.putInt16(k);
-        for (int groupId : requestedNamedGroupIds) {
-            s.putInt16(groupId);
+            return null;
         }
     }
 
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Extension " + type + ", group names: {");
-        boolean first = true;
-        for (int groupId : requestedNamedGroupIds) {
-            if (first) {
-                first = false;
-            } else {
-                sb.append(", ");
+    /**
+     * Network data producer of a "supported_groups" extension in
+     * the ClientHello handshake message.
+     */
+    private static final class CHSupportedGroupsProducer
+            extends SupportedGroups implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHSupportedGroupsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_SUPPORTED_GROUPS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable supported_groups extension");
+                }
+                return null;
             }
-            // first check if it is a known named group, then try other cases.
-            NamedGroup namedGroup = NamedGroup.valueOf(groupId);
-            if (namedGroup != null) {
-                sb.append(namedGroup.name);
-            } else if (groupId == ARBITRARY_PRIME) {
-                sb.append("arbitrary_explicit_prime_curves");
-            } else if (groupId == ARBITRARY_CHAR2) {
-                sb.append("arbitrary_explicit_char2_curves");
-            } else {
-                sb.append("unknown named group " + groupId);
+
+            // Produce the extension.
+            ArrayList<NamedGroup> namedGroups =
+                new ArrayList<>(SupportedGroups.supportedNamedGroups.length);
+            for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
+                if ((!SupportedGroups.enableFFDHE) &&
+                    (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+                    continue;
+                }
+
+                if (ng.isAvailable(chc.activeProtocols) &&
+                        ng.isSupported(chc.activeCipherSuites) &&
+                        chc.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            ng.algorithm, namedGroupParams.get(ng))) {
+                    namedGroups.add(ng);
+                } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore inactive or disabled named group: " + ng.name);
+                }
+            }
+
+            if (namedGroups.isEmpty()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("no available named group");
+                }
+
+                return null;
+            }
+
+            int vectorLen = namedGroups.size() << 1;
+            byte[] extData = new byte[vectorLen + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, vectorLen);
+            for (NamedGroup namedGroup : namedGroups) {
+                    Record.putInt16(m, namedGroup.id);
             }
+
+            // Update the context.
+            chc.clientRequestedNamedGroups =
+                    Collections.<NamedGroup>unmodifiableList(namedGroups);
+            chc.handshakeExtensions.put(CH_SUPPORTED_GROUPS,
+                    new SupportedGroupsSpec(namedGroups));
+
+            return extData;
         }
-        sb.append("}");
-        return sb.toString();
     }
 
-    static boolean supports(NamedGroup namedGroup) {
-        for (NamedGroup group : supportedNamedGroups) {
-            if (namedGroup.id == group.id) {
-                return true;
+    /**
+     * Network data producer of a "supported_groups" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHSupportedGroupsConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHSupportedGroupsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_SUPPORTED_GROUPS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable supported_groups extension");
+                }
+                return;     // ignore the extension
             }
-        }
 
-        return false;
-    }
+            // Parse the extension.
+            SupportedGroupsSpec spec;
+            try {
+                spec = new SupportedGroupsSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
 
-    static ECGenParameterSpec getECGenParamSpec(NamedGroup namedGroup) {
-        if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) {
-            throw new RuntimeException("Not a named EC group: " + namedGroup);
-        }
+            // Update the context.
+            List<NamedGroup> knownNamedGroups = new LinkedList<>();
+            for (int id : spec.namedGroupsIds) {
+                NamedGroup ng = NamedGroup.valueOf(id);
+                if (ng != null) {
+                    knownNamedGroups.add(ng);
+                }
+            }
+
+            shc.clientRequestedNamedGroups = knownNamedGroups;
+            shc.handshakeExtensions.put(CH_SUPPORTED_GROUPS, spec);
 
-        AlgorithmParameters params = namedGroupParams.get(namedGroup);
-        try {
-            return params.getParameterSpec(ECGenParameterSpec.class);
-        } catch (InvalidParameterSpecException ipse) {
-            // should be unlikely
-            return new ECGenParameterSpec(namedGroup.oid);
+            // No impact on session resumption.
         }
     }
 
-    static DHParameterSpec getDHParameterSpec(NamedGroup namedGroup) {
-        if (namedGroup.type != NamedGroupType.NAMED_GROUP_FFDHE) {
-            throw new RuntimeException("Not a named DH group: " + namedGroup);
+    /**
+     * Network data producer of a "supported_groups" extension in
+     * the EncryptedExtensions handshake message.
+     */
+    private static final class EESupportedGroupsProducer
+            extends SupportedGroups implements HandshakeProducer {
+
+        // Prevent instantiation of this class.
+        private EESupportedGroupsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(EE_SUPPORTED_GROUPS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable supported_groups extension");
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            //
+            // Contains all groups the server supports, regardless of whether
+            // they are currently supported by the client.
+            ArrayList<NamedGroup> namedGroups = new ArrayList<>(
+                    SupportedGroups.supportedNamedGroups.length);
+            for (NamedGroup ng : SupportedGroups.supportedNamedGroups) {
+                if ((!SupportedGroups.enableFFDHE) &&
+                    (ng.type == NamedGroupType.NAMED_GROUP_FFDHE)) {
+                    continue;
+                }
+
+                if (ng.isAvailable(shc.activeProtocols) &&
+                        ng.isSupported(shc.activeCipherSuites) &&
+                        shc.algorithmConstraints.permits(
+                            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                            ng.algorithm, namedGroupParams.get(ng))) {
+                    namedGroups.add(ng);
+                } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore inactive or disabled named group: " + ng.name);
+                }
+            }
+
+            if (namedGroups.isEmpty()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("no available named group");
+                }
+
+                return null;
+            }
+
+            int vectorLen = namedGroups.size() << 1;
+            byte[] extData = new byte[vectorLen + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, vectorLen);
+            for (NamedGroup namedGroup : namedGroups) {
+                    Record.putInt16(m, namedGroup.id);
+            }
+
+            // Update the context.
+            shc.conContext.serverRequestedNamedGroups =
+                    Collections.<NamedGroup>unmodifiableList(namedGroups);
+            SupportedGroupsSpec spec = new SupportedGroupsSpec(namedGroups);
+            shc.handshakeExtensions.put(EE_SUPPORTED_GROUPS, spec);
+
+            return extData;
         }
+    }
+
+    private static final
+            class EESupportedGroupsConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private EESupportedGroupsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(EE_SUPPORTED_GROUPS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable supported_groups extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            SupportedGroupsSpec spec;
+            try {
+                spec = new SupportedGroupsSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            List<NamedGroup> knownNamedGroups =
+                    new ArrayList<>(spec.namedGroupsIds.length);
+            for (int id : spec.namedGroupsIds) {
+                NamedGroup ng = NamedGroup.valueOf(id);
+                if (ng != null) {
+                    knownNamedGroups.add(ng);
+                }
+            }
+
+            chc.conContext.serverRequestedNamedGroups = knownNamedGroups;
+            chc.handshakeExtensions.put(EE_SUPPORTED_GROUPS, spec);
 
-        AlgorithmParameters params = namedGroupParams.get(namedGroup);
-        try {
-            return params.getParameterSpec(DHParameterSpec.class);
-        } catch (InvalidParameterSpecException ipse) {
-            // should be unlikely
-            return getPredefinedDHParameterSpec(namedGroup);
+            // No impact on session resumption.
         }
     }
 }
--- old/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java	2018-05-11 15:06:20.070320600 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java	2018-05-11 15:06:19.600335900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,18 +25,16 @@
 
 package sun.security.ssl;
 
-import java.util.*;
 import java.io.*;
 import java.security.*;
 import java.security.cert.*;
+import java.util.*;
 import javax.net.ssl.*;
-
-import sun.security.validator.Validator;
 import sun.security.validator.TrustStoreUtil;
+import sun.security.validator.Validator;
 
 abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {
 
-    private static final Debug debug = Debug.getInstance("ssl");
     private X509TrustManager trustManager = null;
     private boolean isInitialized = false;
 
@@ -51,26 +49,26 @@
                 trustManager = getInstance(TrustStoreManager.getTrustedCerts());
             } catch (SecurityException se) {
                 // eat security exceptions but report other throwables
-                if (debug != null && Debug.isOn("trustmanager")) {
-                    System.out.println(
-                        "SunX509: skip default keystore: " + se);
+                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                    SSLLogger.fine(
+                            "SunX509: skip default keystore", se);
                 }
             } catch (Error err) {
-                if (debug != null && Debug.isOn("trustmanager")) {
-                    System.out.println(
-                        "SunX509: skip default keystore: " + err);
+                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                    SSLLogger.fine(
+                        "SunX509: skip default keystore", err);
                 }
                 throw err;
             } catch (RuntimeException re) {
-                if (debug != null && Debug.isOn("trustmanager")) {
-                    System.out.println(
-                        "SunX509: skip default keystore: " + re);
+                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                    SSLLogger.fine(
+                        "SunX509: skip default keystor", re);
                 }
                 throw re;
             } catch (Exception e) {
-                if (debug != null && Debug.isOn("trustmanager")) {
-                    System.out.println(
-                        "SunX509: skip default keystore: " + e);
+                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                    SSLLogger.fine(
+                        "SunX509: skip default keystore", e);
                 }
                 throw new KeyStoreException(
                     "problem accessing trust store", e);
--- old/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java	2018-05-11 15:06:21.604552500 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/TrustStoreManager.java	2018-05-11 15:06:21.135620200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,14 +25,11 @@
 
 package sun.security.ssl;
 
-import java.lang.ref.WeakReference;
 import java.io.*;
-import java.util.*;
-
+import java.lang.ref.WeakReference;
 import java.security.*;
 import java.security.cert.*;
-import java.security.cert.Certificate;
-
+import java.util.*;
 import sun.security.action.*;
 import sun.security.validator.TrustStoreUtil;
 
@@ -41,7 +38,6 @@
  * effectively.
  */
 final class TrustStoreManager {
-    private static final Debug debug = Debug.getInstance("ssl");
 
     // A singleton service to manage the default trusted KeyStores effectively.
     private static final TrustAnchorManager tam = new TrustAnchorManager();
@@ -112,8 +108,8 @@
             this.storeFile = storeFile;
             this.lastModified = lastModified;
 
-            if (debug != null && Debug.isOn("trustmanager")) {
-                System.out.println(
+            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                SSLLogger.fine(
                     "trustStore is: " + storeName + "\n" +
                     "trustStore type is: " + storeType + "\n" +
                     "trustStore provider is: " + storeProvider + "\n" +
@@ -125,8 +121,10 @@
          * Create an instance of TrustStoreDescriptor for the default
          * trusted KeyStore.
          */
+        @SuppressWarnings("Convert2Lambda")
         static TrustStoreDescriptor createInstance() {
-             return AccessController.doPrivileged(new PrivilegedAction<>() {
+             return AccessController.doPrivileged(
+                    new PrivilegedAction<TrustStoreDescriptor>() {
 
                 @Override
                 public TrustStoreDescriptor run() {
@@ -158,11 +156,11 @@
                             }
 
                             // Not break, the file is inaccessible.
-                            if (debug != null &&
-                                    Debug.isOn("trustmanager")) {
-                                System.out.println(
-                                    "Inaccessible trust store: " +
-                                    storePropName);
+                            if (SSLLogger.isOn &&
+                                    SSLLogger.isOn("trustmanager")) {
+                                SSLLogger.fine(
+                                        "Inaccessible trust store: " +
+                                        storePropName);
                             }
                         }
                     } else {
@@ -267,8 +265,8 @@
             }
 
             // Reload a new key store.
-            if ((debug != null) && Debug.isOn("trustmanager")) {
-                System.out.println("Reload the trust store");
+            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                SSLLogger.fine("Reload the trust store");
             }
 
             ks = loadKeyStore(descriptor);
@@ -309,20 +307,20 @@
 
             // Reload the trust store if needed.
             if (ks == null) {
-                if ((debug != null) && Debug.isOn("trustmanager")) {
-                    System.out.println("Reload the trust store");
+                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                    SSLLogger.fine("Reload the trust store");
                 }
                 ks = loadKeyStore(descriptor);
             }
 
             // Reload trust certs from the key store.
-            if ((debug != null) && Debug.isOn("trustmanager")) {
-                System.out.println("Reload trust certs");
+            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                SSLLogger.fine("Reload trust certs");
             }
 
             certs = loadTrustedCerts(ks);
-            if ((debug != null) && Debug.isOn("trustmanager")) {
-                System.out.println("Reloaded " + certs.size() + " trust certs");
+            if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                SSLLogger.fine("Reloaded " + certs.size() + " trust certs");
             }
 
             // Note that as ks is a local variable, it is not
@@ -333,7 +331,7 @@
         }
 
         /**
-         * Load the KeyStore as described in the specified descriptor.
+         * Load the the KeyStore as described in the specified descriptor.
          */
         private static KeyStore loadKeyStore(
                 TrustStoreDescriptor descriptor) throws Exception {
@@ -341,8 +339,8 @@
                     descriptor.storeFile == null) {
 
                 // No file available, no KeyStore available.
-                if (debug != null && Debug.isOn("trustmanager")) {
-                    System.out.println("No available key store");
+                if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                    SSLLogger.fine("No available key store");
                 }
 
                 return null;
@@ -367,8 +365,8 @@
                     ks.load(fis, password);
                 } catch (FileNotFoundException fnfe) {
                     // No file available, no KeyStore available.
-                    if (debug != null && Debug.isOn("trustmanager")) {
-                        System.out.println(
+                    if (SSLLogger.isOn && SSLLogger.isOn("trustmanager")) {
+                        SSLLogger.fine(
                             "Not available key store: " + descriptor.storeName);
                     }
 
--- old/src/java.base/share/classes/sun/security/ssl/Utilities.java	2018-05-11 15:06:23.184201100 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Utilities.java	2018-05-11 15:06:22.705759000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,18 +25,21 @@
 
 package sun.security.ssl;
 
-import javax.net.ssl.*;
+import java.math.BigInteger;
 import java.util.*;
+import java.util.regex.Pattern;
+import javax.net.ssl.*;
 import sun.net.util.IPAddressUtil;
+import sun.security.action.GetPropertyAction;
 
 /**
  * A utility class to share the static methods.
  */
 final class Utilities {
-    /**
-     * hex digits
-     */
     static final char[] hexDigits = "0123456789ABCDEF".toCharArray();
+    private static final String indent = "  ";
+    private static final Pattern lineBreakPatern =
+                Pattern.compile("\\r\\n|\\n|\\r");
 
     /**
      * Puts {@code hostname} into the {@code serverNames} list.
@@ -66,9 +69,9 @@
             SNIServerName serverName = sniList.get(i);
             if (serverName.getType() == StandardConstants.SNI_HOST_NAME) {
                 sniList.set(i, sniHostName);
-                if (Debug.isOn("ssl")) {
-                    System.out.println(Thread.currentThread().getName() +
-                        ", the previous server name in SNI (" + serverName +
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                     SSLLogger.fine(
+                        "the previous server name in SNI (" + serverName +
                         ") was replaced with (" + sniHostName + ")");
                 }
                 reset = true;
@@ -107,9 +110,8 @@
                 sniHostName = new SNIHostName(hostname);
             } catch (IllegalArgumentException iae) {
                 // don't bother to handle illegal host_name
-                if (Debug.isOn("ssl")) {
-                    System.out.println(Thread.currentThread().getName() +
-                        ", \"" + hostname + "\" " +
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                     SSLLogger.fine(hostname + "\" " +
                         "is not a legal HostName for  server name indication");
                 }
             }
@@ -117,4 +119,117 @@
 
         return sniHostName;
     }
+
+    /**
+     * Return the value of the boolean System property propName.
+     *
+     * Note use of privileged action. Do NOT make accessible to applications.
+     */
+    static boolean getBooleanProperty(String propName, boolean defaultValue) {
+        // if set, require value of either true or false
+        String b = GetPropertyAction.privilegedGetProperty(propName);
+        if (b == null) {
+            return defaultValue;
+        } else if (b.equalsIgnoreCase("false")) {
+            return false;
+        } else if (b.equalsIgnoreCase("true")) {
+            return true;
+        } else {
+            throw new RuntimeException("Value of " + propName
+                + " must either be 'true' or 'false'");
+        }
+    }
+
+    static String indent(String source) {
+        return Utilities.indent(source, indent);
+    }
+
+    static String indent(String source, String prefix) {
+        StringBuilder builder = new StringBuilder();
+        if (source == null) {
+             builder.append("\n" + prefix + "<blank message>");
+        } else {
+            String[] lines = lineBreakPatern.split(source);
+            boolean isFirst = true;
+            for (String line : lines) {
+                if (isFirst) {
+                    isFirst = false;
+                } else {
+                    builder.append("\n");
+                }
+                builder.append(prefix).append(line);
+            }
+        }
+
+        return builder.toString();
+    }
+
+    static String toHexString(byte b) {
+        return String.valueOf(hexDigits[(b >> 4) & 0x0F]) +
+                String.valueOf(hexDigits[b & 0x0F]);
+    }
+
+    static String byte16HexString(int id) {
+        return "0x" +
+                hexDigits[(id >> 12) & 0x0F] + hexDigits[(id >> 8) & 0x0F] +
+                hexDigits[(id >> 4) & 0x0F] + hexDigits[id & 0x0F];
+    }
+
+    static String toHexString(byte[] bytes) {
+        if (bytes == null || bytes.length == 0) {
+            return "";
+        }
+
+        StringBuilder builder = new StringBuilder(bytes.length * 3);
+        boolean isFirst = true;
+        for (byte b : bytes) {
+            if (isFirst) {
+                isFirst = false;
+            } else {
+                builder.append(' ');
+            }
+
+            builder.append(hexDigits[(b >> 4) & 0x0F]);
+            builder.append(hexDigits[b & 0x0F]);
+        }
+        return builder.toString();
+    }
+
+    static String toHexString(long lv) {
+        StringBuilder builder = new StringBuilder(128);
+
+        boolean isFirst = true;
+        do {
+            if (isFirst) {
+                isFirst = false;
+            } else {
+                builder.append(' ');
+            }
+
+            builder.append(hexDigits[(int)(lv & 0x0F)]);
+            lv >>>= 4;
+            builder.append(hexDigits[(int)(lv & 0x0F)]);
+            lv >>>= 4;
+        } while (lv != 0);
+        builder.reverse();
+
+        return builder.toString();
+    }
+
+    /**
+     * Utility method to convert a BigInteger to a byte array in unsigned
+     * format as needed in the handshake messages. BigInteger uses
+     * 2's complement format, i.e. it prepends an extra zero if the MSB
+     * is set. We remove that.
+     */
+    static byte[] toByteArray(BigInteger bi) {
+        byte[] b = bi.toByteArray();
+        if ((b.length > 1) && (b[0] == 0)) {
+            int n = b.length - 1;
+            byte[] newarray = new byte[n];
+            System.arraycopy(b, 1, newarray, 0, n);
+            b = newarray;
+        }
+        return b;
+    }
 }
--- old/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java	2018-05-11 15:06:24.723988300 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java	2018-05-11 15:06:24.247657000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,18 +26,22 @@
 package sun.security.ssl;
 
 import java.lang.ref.*;
+import java.net.Socket;
+import java.security.AlgorithmConstraints;
+import java.security.KeyStore;
+import java.security.KeyStore.Builder;
+import java.security.KeyStore.Entry;
+import java.security.KeyStore.PrivateKeyEntry;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
 import java.util.*;
 import static java.util.Locale.ENGLISH;
 import java.util.concurrent.atomic.AtomicLong;
-import java.net.Socket;
-
-import java.security.*;
-import java.security.KeyStore.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
 import javax.net.ssl.*;
-
 import sun.security.provider.certpath.AlgorithmChecker;
 import sun.security.validator.Validator;
 
@@ -61,11 +65,6 @@
 final class X509KeyManagerImpl extends X509ExtendedKeyManager
         implements X509KeyManager {
 
-    private static final Debug debug = Debug.getInstance("ssl");
-
-    private static final boolean useDebug =
-                            (debug != null) && Debug.isOn("keymanager");
-
     // for unit testing only, set via privileged reflection
     private static Date verificationDate;
 
@@ -189,9 +188,7 @@
             SSLSession session = sslSocket.getHandshakeSession();
 
             if (session != null) {
-                ProtocolVersion protocolVersion =
-                    ProtocolVersion.valueOf(session.getProtocol());
-                if (protocolVersion.useTLS12PlusSpec()) {
+                if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                     String[] peerSupportedSignAlgs = null;
 
                     if (session instanceof ExtendedSSLSession) {
@@ -217,9 +214,7 @@
         if (engine != null) {
             SSLSession session = engine.getHandshakeSession();
             if (session != null) {
-                ProtocolVersion protocolVersion =
-                    ProtocolVersion.valueOf(session.getProtocol());
-                if (protocolVersion.useTLS12PlusSpec()) {
+                if (ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                     String[] peerSupportedSignAlgs = null;
 
                     if (session instanceof ExtendedSSLSession) {
@@ -388,8 +383,8 @@
                     // if it's a perfect match, return immediately
                     EntryStatus status = results.get(0);
                     if (status.checkResult == CheckResult.OK) {
-                        if (useDebug) {
-                            debug.println("KeyMgr: choosing key: " + status);
+                        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                            SSLLogger.fine("KeyMgr: choosing key: " + status);
                         }
                         return makeAlias(status);
                     }
@@ -403,16 +398,16 @@
             }
         }
         if (allResults == null) {
-            if (useDebug) {
-                debug.println("KeyMgr: no matching key found");
+            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                SSLLogger.fine("KeyMgr: no matching key found");
             }
             return null;
         }
         Collections.sort(allResults);
-        if (useDebug) {
-            debug.println("KeyMgr: no good matching key found, "
-                        + "returning best match out of:");
-            debug.println(allResults.toString());
+        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+            SSLLogger.fine(
+                    "KeyMgr: no good matching key found, "
+                    + "returning best match out of", allResults);
         }
         return makeAlias(allResults.get(0));
     }
@@ -448,14 +443,14 @@
             }
         }
         if (allResults == null || allResults.isEmpty()) {
-            if (useDebug) {
-                debug.println("KeyMgr: no matching alias found");
+            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                SSLLogger.fine("KeyMgr: no matching alias found");
             }
             return null;
         }
         Collections.sort(allResults);
-        if (useDebug) {
-            debug.println("KeyMgr: getting aliases: " + allResults);
+        if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+            SSLLogger.fine("KeyMgr: getting aliases", allResults);
         }
         return toAliases(allResults);
     }
@@ -576,7 +571,7 @@
                             // require either signature bit
                             // or if server also allow key encipherment bit
                             if (kuSignature == false) {
-                                if ((this == CLIENT) || (getBit(ku, 2) == false)) {
+                                if (this == CLIENT || getBit(ku, 2) == false) {
                                     return CheckResult.EXTENSION_MISMATCH;
                                 }
                             }
@@ -631,8 +626,9 @@
                                     new SNIHostName(serverName.getEncoded());
                             } catch (IllegalArgumentException iae) {
                                 // unlikely to happen, just in case ...
-                                if (useDebug) {
-                                    debug.println(
+                                if (SSLLogger.isOn &&
+                                        SSLLogger.isOn("keymanager")) {
+                                    SSLLogger.fine(
                                        "Illegal server name: " + serverName);
                                 }
 
@@ -646,11 +642,12 @@
                             X509TrustManagerImpl.checkIdentity(hostname,
                                                         cert, idAlgorithm);
                         } catch (CertificateException e) {
-                            if (useDebug) {
-                                debug.println(
-                                   "Certificate identity does not match " +
-                                   "Server Name Inidication (SNI): " +
-                                   hostname);
+                            if (SSLLogger.isOn &&
+                                    SSLLogger.isOn("keymanager")) {
+                                SSLLogger.fine(
+                                    "Certificate identity does not match " +
+                                    "Server Name Inidication (SNI): " +
+                                    hostname);
                             }
                             return CheckResult.INSENSITIVE;
                         }
@@ -724,7 +721,7 @@
         for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
             String alias = e.nextElement();
             // check if it is a key entry (private key or secret key)
-            if (ks.isKeyEntry(alias) == false) {
+            if (!ks.isKeyEntry(alias)) {
                 continue;
             }
 
@@ -757,8 +754,8 @@
                 j++;
             }
             if (keyIndex == -1) {
-                if (useDebug) {
-                    debug.println("Ignoring alias " + alias
+                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                    SSLLogger.fine("Ignore alias " + alias
                                 + ": key algorithm does not match");
                 }
                 continue;
@@ -774,9 +771,10 @@
                     }
                 }
                 if (found == false) {
-                    if (useDebug) {
-                        debug.println("Ignoring alias " + alias
-                                    + ": issuers do not match");
+                    if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                        SSLLogger.fine(
+                                "Ignore alias " + alias
+                                + ": issuers do not match");
                     }
                     continue;
                 }
@@ -787,8 +785,8 @@
                     !conformsToAlgorithmConstraints(constraints, chain,
                             checkType.getValidator())) {
 
-                if (useDebug) {
-                    debug.println("Ignoring alias " + alias +
+                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                    SSLLogger.fine("Ignore alias " + alias +
                             ": certificate list does not conform to " +
                             "algorithm constraints");
                 }
@@ -825,14 +823,15 @@
             AlgorithmConstraints constraints, Certificate[] chain,
             String variant) {
 
-        AlgorithmChecker checker = new AlgorithmChecker(constraints, null, variant);
+        AlgorithmChecker checker =
+                new AlgorithmChecker(constraints, null, variant);
         try {
             checker.init(false);
         } catch (CertPathValidatorException cpve) {
             // unlikely to happen
-            if (useDebug) {
-                debug.println(
-                    "Cannot initialize algorithm constraints checker: " + cpve);
+            if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                SSLLogger.fine(
+                    "Cannot initialize algorithm constraints checker", cpve);
             }
 
             return false;
@@ -845,9 +844,9 @@
                 // We don't care about the unresolved critical extensions.
                 checker.check(cert, Collections.<String>emptySet());
             } catch (CertPathValidatorException cpve) {
-                if (useDebug) {
-                    debug.println("Certificate (" + cert +
-                        ") does not conform to algorithm constraints: " + cpve);
+                if (SSLLogger.isOn && SSLLogger.isOn("keymanager")) {
+                    SSLLogger.fine("Certificate does not conform to " +
+                            "algorithm constraints", cert, cpve);
                 }
 
                 return false;
@@ -856,5 +855,4 @@
 
         return true;
     }
-
 }
--- old/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java	2018-05-11 15:06:26.311501800 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/X509TrustManagerImpl.java	2018-05-11 15:06:25.842166600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,20 +23,16 @@
  * questions.
  */
 
-
 package sun.security.ssl;
 
 import java.net.Socket;
-import javax.net.ssl.SSLSession;
-
-import java.util.*;
 import java.security.*;
 import java.security.cert.*;
+import java.util.*;
 import javax.net.ssl.*;
-
-import sun.security.validator.*;
 import sun.security.util.AnchorCertificates;
 import sun.security.util.HostnameChecker;
+import sun.security.validator.*;
 
 /**
  * This class implements the SunJSSE X.509 trust manager using the internal
@@ -67,8 +63,6 @@
     // the different extension checks. They are initialized lazily on demand.
     private volatile Validator clientValidator, serverValidator;
 
-    private static final Debug debug = Debug.getInstance("ssl");
-
     X509TrustManagerImpl(String validatorType,
             Collection<X509Certificate> trustedCerts) {
 
@@ -81,8 +75,9 @@
 
         this.trustedCerts = trustedCerts;
 
-        if (debug != null && Debug.isOn("trustmanager")) {
-            showTrustedCerts();
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
+            SSLLogger.fine("adding as trusted certificates",
+                    (Object[])trustedCerts.toArray(new X509Certificate[0]));
         }
     }
 
@@ -97,8 +92,9 @@
         trustedCerts = v.getTrustedCertificates();
         serverValidator = v;
 
-        if (debug != null && Debug.isOn("trustmanager")) {
-            showTrustedCerts();
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
+            SSLLogger.fine("adding as trusted certificates",
+                    (Object[])trustedCerts.toArray(new X509Certificate[0]));
         }
     }
 
@@ -202,11 +198,10 @@
             }
 
             // create the algorithm constraints
-            ProtocolVersion protocolVersion =
-                ProtocolVersion.valueOf(session.getProtocol());
             boolean isExtSession = (session instanceof ExtendedSSLSession);
-            AlgorithmConstraints constraints = null;
-            if (protocolVersion.v >= ProtocolVersion.TLS12.v && isExtSession) {
+            AlgorithmConstraints constraints;
+            if (isExtSession &&
+                    ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                 ExtendedSSLSession extSession = (ExtendedSSLSession)session;
                 String[] localSupportedSignAlgs =
                         extSession.getLocalSupportedSignatureAlgorithms();
@@ -228,8 +223,8 @@
 
             // check if EE certificate chains to a public root CA (as
             // pre-installed in cacerts)
-            boolean chainsToPublicCA =
-                AnchorCertificates.contains(trustedChain[trustedChain.length-1]);
+            boolean chainsToPublicCA = AnchorCertificates.contains(
+                    trustedChain[trustedChain.length-1]);
 
             // check endpoint identity
             String identityAlg = sslSocket.getSSLParameters().
@@ -242,9 +237,10 @@
             trustedChain = validate(v, chain, Collections.emptyList(),
                     null, isClient ? null : authType);
         }
-        if (debug != null && Debug.isOn("trustmanager")) {
-            System.out.println("Found trusted certificate:");
-            System.out.println(trustedChain[trustedChain.length - 1]);
+
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
+            SSLLogger.fine("Found trusted certificate",
+                    trustedChain[trustedChain.length - 1]);
         }
     }
 
@@ -260,11 +256,10 @@
             }
 
             // create the algorithm constraints
-            ProtocolVersion protocolVersion =
-                ProtocolVersion.valueOf(session.getProtocol());
             boolean isExtSession = (session instanceof ExtendedSSLSession);
-            AlgorithmConstraints constraints = null;
-            if (protocolVersion.v >= ProtocolVersion.TLS12.v && isExtSession) {
+            AlgorithmConstraints constraints;
+            if (isExtSession &&
+                    ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
                 ExtendedSSLSession extSession = (ExtendedSSLSession)session;
                 String[] localSupportedSignAlgs =
                         extSession.getLocalSupportedSignatureAlgorithms();
@@ -286,8 +281,8 @@
 
             // check if EE certificate chains to a public root CA (as
             // pre-installed in cacerts)
-            boolean chainsToPublicCA =
-                AnchorCertificates.contains(trustedChain[trustedChain.length-1]);
+            boolean chainsToPublicCA = AnchorCertificates.contains(
+                    trustedChain[trustedChain.length-1]);
 
             // check endpoint identity
             String identityAlg = engine.getSSLParameters().
@@ -300,27 +295,10 @@
             trustedChain = validate(v, chain, Collections.emptyList(),
                     null, isClient ? null : authType);
         }
-        if (debug != null && Debug.isOn("trustmanager")) {
-            System.out.println("Found trusted certificate:");
-            System.out.println(trustedChain[trustedChain.length - 1]);
-        }
-    }
 
-    private void showTrustedCerts() {
-        for (X509Certificate cert : trustedCerts) {
-            System.out.println("adding as trusted cert:");
-            System.out.println("  Subject: "
-                                    + cert.getSubjectX500Principal());
-            System.out.println("  Issuer:  "
-                                    + cert.getIssuerX500Principal());
-            System.out.println("  Algorithm: "
-                                    + cert.getPublicKey().getAlgorithm()
-                                    + "; Serial number: 0x"
-                                    + cert.getSerialNumber().toString(16));
-            System.out.println("  Valid from "
-                                    + cert.getNotBefore() + " until "
-                                    + cert.getNotAfter());
-            System.out.println();
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
+            SSLLogger.fine("Found trusted certificate",
+                    trustedChain[trustedChain.length - 1]);
         }
     }
 
@@ -364,8 +342,8 @@
                     hostname = new SNIHostName(sniName.getEncoded());
                 } catch (IllegalArgumentException iae) {
                     // unlikely to happen, just in case ...
-                    if ((debug != null) && Debug.isOn("trustmanager")) {
-                        System.out.println("Illegal server name: " + sniName);
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,trustmanager")) {
+                        SSLLogger.fine("Illegal server name: " + sniName);
                     }
                 }
             }
@@ -491,3 +469,4 @@
         }
     }
 }
+
--- old/src/java.base/share/classes/sun/security/util/HostnameChecker.java	2018-05-11 15:06:27.856859900 -0700
+++ new/src/java.base/share/classes/sun/security/util/HostnameChecker.java	2018-05-11 15:06:27.374804300 -0700
@@ -35,9 +35,8 @@
 import javax.net.ssl.SNIHostName;
 
 import sun.net.util.IPAddressUtil;
-import sun.security.ssl.ClientKeyExchangeService;
-import sun.security.ssl.Debug;
 import sun.security.x509.X500Name;
+import sun.security.ssl.SSLLogger;
 
 /**
  * Class to check hostnames against the names specified in a certificate as
@@ -60,8 +59,6 @@
     private static final int ALTNAME_DNS = 2;
     private static final int ALTNAME_IP  = 7;
 
-    private static final Debug debug = Debug.getInstance("ssl");
-
     // the algorithm to follow to perform the check. Currently unused.
     private final byte checkType;
 
@@ -118,12 +115,15 @@
      * Return the Server name from Kerberos principal.
      */
     public static String getServerName(Principal principal) {
+/*
         ClientKeyExchangeService p =
                 ClientKeyExchangeService.find("KRB5");
         if (p == null) {
             throw new AssertionError("Kerberos should have been available");
         }
         return p.getServiceHostName(principal);
+*/
+        return null;
     }
 
     /**
@@ -316,9 +316,10 @@
                                               boolean chainsToPublicCA) {
         // not ok if it is a single wildcard character or "*."
         if (template.equals("*") || template.equals("*.")) {
-            if (debug != null) {
-                debug.println("Certificate domain name has illegal single " +
-                              "wildcard character: " + template);
+            if (SSLLogger.isOn) {
+                SSLLogger.fine(
+                    "Certificate domain name has illegal single " +
+                      "wildcard character: " + template);
             }
             return true;
         }
@@ -335,9 +336,10 @@
 
         // not ok if there is no dot after wildcard (ex: "*com")
         if (firstDotIndex == -1) {
-            if (debug != null) {
-                debug.println("Certificate domain name has illegal wildcard, " +
-                              "no dot after wildcard character: " + template);
+            if (SSLLogger.isOn) {
+                SSLLogger.fine(
+                    "Certificate domain name has illegal wildcard, " +
+                    "no dot after wildcard character: " + template);
             }
             return true;
         }
@@ -354,9 +356,10 @@
         if (rd.isPresent()) {
             String wDomain = afterWildcard.substring(firstDotIndex + 1);
             if (rd.get().publicSuffix().equalsIgnoreCase(wDomain)) {
-                if (debug != null) {
-                    debug.println("Certificate domain name has illegal " +
-                                  "wildcard for public suffix: " + template);
+                if (SSLLogger.isOn) {
+                    SSLLogger.fine(
+                        "Certificate domain name has illegal " +
+                        "wildcard for public suffix: " + template);
                 }
                 return true;
             }
--- old/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java	2018-05-11 15:06:29.410822300 -0700
+++ new/src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java	2018-05-11 15:06:28.926735500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2017, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -56,6 +56,7 @@
 
     public static final int DEF_DSA_KEY_SIZE;
     public static final int DEF_RSA_KEY_SIZE;
+    public static final int DEF_RSASSA_PSS_KEY_SIZE;
     public static final int DEF_DH_KEY_SIZE;
     public static final int DEF_EC_KEY_SIZE;
 
@@ -66,6 +67,7 @@
             (KEY_LENGTH_PROP);
         int dsaKeySize = 2048;
         int rsaKeySize = 2048;
+        int rsaSsaPssKeySize = rsaKeySize; // default to same value as RSA
         int dhKeySize = 2048;
         int ecKeySize = 256;
 
@@ -98,6 +100,8 @@
                         dsaKeySize = value;
                     } else if (algoName.equals("RSA")) {
                         rsaKeySize = value;
+                    } else if (algoName.equals("RSASSA-PSS")) {
+                        rsaSsaPssKeySize = value;
                     } else if (algoName.equals("DH")) {
                         dhKeySize = value;
                     } else if (algoName.equals("EC")) {
@@ -125,6 +129,7 @@
         }
         DEF_DSA_KEY_SIZE = dsaKeySize;
         DEF_RSA_KEY_SIZE = rsaKeySize;
+        DEF_RSASSA_PSS_KEY_SIZE = rsaSsaPssKeySize;
         DEF_DH_KEY_SIZE = dhKeySize;
         DEF_EC_KEY_SIZE = ecKeySize;
     }
--- old/src/java.base/share/classes/sun/security/x509/AlgorithmId.java	2018-05-11 15:06:31.016408900 -0700
+++ new/src/java.base/share/classes/sun/security/x509/AlgorithmId.java	2018-05-11 15:06:30.521742800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -182,6 +182,8 @@
                 algid.equals((Object)SHA256_oid) ||
                 algid.equals((Object)SHA384_oid) ||
                 algid.equals((Object)SHA512_oid) ||
+                algid.equals((Object)SHA512_224_oid) ||
+                algid.equals((Object)SHA512_256_oid) ||
                 algid.equals((Object)DSA_oid) ||
                 algid.equals((Object)sha1WithDSA_oid)) {
                 ; // no parameter part encoded
@@ -483,11 +485,24 @@
             name.equalsIgnoreCase("SHA224")) {
             return AlgorithmId.SHA224_oid;
         }
-
+        if (name.equalsIgnoreCase("SHA-512/224") ||
+            name.equalsIgnoreCase("SHA512/224")) {
+            return AlgorithmId.SHA512_224_oid;
+        }
+        if (name.equalsIgnoreCase("SHA-512/256") ||
+            name.equalsIgnoreCase("SHA512/256")) {
+            return AlgorithmId.SHA512_256_oid;
+        }
         // Various public key algorithms
         if (name.equalsIgnoreCase("RSA")) {
             return AlgorithmId.RSAEncryption_oid;
         }
+        if (name.equalsIgnoreCase("RSASSA-PSS")) {
+            return AlgorithmId.RSASSA_PSS_oid;
+        }
+        if (name.equalsIgnoreCase("RSAES-OAEP")) {
+            return AlgorithmId.RSAES_OAEP_oid;
+        }
         if (name.equalsIgnoreCase("Diffie-Hellman")
             || name.equalsIgnoreCase("DH")) {
             return AlgorithmId.DH_oid;
@@ -648,6 +663,12 @@
     public static final ObjectIdentifier SHA512_oid =
     ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 3});
 
+    public static final ObjectIdentifier SHA512_224_oid =
+    ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 5});
+
+    public static final ObjectIdentifier SHA512_256_oid =
+    ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 6});
+
     /*
      * COMMON PUBLIC KEY TYPES
      */
@@ -656,8 +677,6 @@
     private static final int[] DSA_OIW_data = { 1, 3, 14, 3, 2, 12 };
     private static final int[] DSA_PKIX_data = { 1, 2, 840, 10040, 4, 1 };
     private static final int[] RSA_data = { 2, 5, 8, 1, 1 };
-    private static final int[] RSAEncryption_data =
-                                 { 1, 2, 840, 113549, 1, 1, 1 };
 
     public static final ObjectIdentifier DH_oid;
     public static final ObjectIdentifier DH_PKIX_oid;
@@ -666,7 +685,12 @@
     public static final ObjectIdentifier EC_oid = oid(1, 2, 840, 10045, 2, 1);
     public static final ObjectIdentifier ECDH_oid = oid(1, 3, 132, 1, 12);
     public static final ObjectIdentifier RSA_oid;
-    public static final ObjectIdentifier RSAEncryption_oid;
+    public static final ObjectIdentifier RSAEncryption_oid =
+                                            oid(1, 2, 840, 113549, 1, 1, 1);
+    public static final ObjectIdentifier RSAES_OAEP_oid =
+                                            oid(1, 2, 840, 113549, 1, 1, 7);
+    public static final ObjectIdentifier RSASSA_PSS_oid =
+                                            oid(1, 2, 840, 113549, 1, 1, 10);
 
     /*
      * COMMON SECRET KEY TYPES
@@ -693,6 +717,7 @@
                                        { 1, 2, 840, 113549, 1, 1, 12 };
     private static final int[] sha512WithRSAEncryption_data =
                                        { 1, 2, 840, 113549, 1, 1, 13 };
+
     private static final int[] shaWithDSA_OIW_data =
                                        { 1, 3, 14, 3, 2, 13 };
     private static final int[] sha1WithDSA_OIW_data =
@@ -708,6 +733,11 @@
     public static final ObjectIdentifier sha256WithRSAEncryption_oid;
     public static final ObjectIdentifier sha384WithRSAEncryption_oid;
     public static final ObjectIdentifier sha512WithRSAEncryption_oid;
+    public static final ObjectIdentifier sha512_224WithRSAEncryption_oid =
+                                            oid(1, 2, 840, 113549, 1, 1, 15);
+    public static final ObjectIdentifier sha512_256WithRSAEncryption_oid =
+                                            oid(1, 2, 840, 113549, 1, 1, 16);;
+
     public static final ObjectIdentifier shaWithDSA_OIW_oid;
     public static final ObjectIdentifier sha1WithDSA_OIW_oid;
     public static final ObjectIdentifier sha1WithDSA_oid;
@@ -797,13 +827,6 @@
         RSA_oid = ObjectIdentifier.newInternal(RSA_data);
 
     /**
-     * Algorithm ID for RSA keys used with RSA encryption, as defined
-     * in PKCS #1.  There are no parameters associated with this algorithm.
-     * OID = 1.2.840.113549.1.1.1
-     */
-        RSAEncryption_oid = ObjectIdentifier.newInternal(RSAEncryption_data);
-
-    /**
      * Identifies a signing algorithm where an MD2 digest is encrypted
      * using an RSA private key; defined in PKCS #1.  Use of this
      * signing algorithm is discouraged due to MD2 vulnerabilities.
@@ -898,6 +921,8 @@
         nameTable.put(SHA256_oid, "SHA-256");
         nameTable.put(SHA384_oid, "SHA-384");
         nameTable.put(SHA512_oid, "SHA-512");
+        nameTable.put(SHA512_224_oid, "SHA-512/224");
+        nameTable.put(SHA512_256_oid, "SHA-512/256");
         nameTable.put(RSAEncryption_oid, "RSA");
         nameTable.put(RSA_oid, "RSA");
         nameTable.put(DH_oid, "Diffie-Hellman");
@@ -927,6 +952,11 @@
         nameTable.put(sha256WithRSAEncryption_oid, "SHA256withRSA");
         nameTable.put(sha384WithRSAEncryption_oid, "SHA384withRSA");
         nameTable.put(sha512WithRSAEncryption_oid, "SHA512withRSA");
+        nameTable.put(sha512_224WithRSAEncryption_oid, "SHA512/224withRSA");
+        nameTable.put(sha512_256WithRSAEncryption_oid, "SHA512/256withRSA");
+        nameTable.put(RSASSA_PSS_oid, "RSASSA-PSS");
+        nameTable.put(RSAES_OAEP_oid, "RSAES-OAEP");
+
         nameTable.put(pbeWithMD5AndDES_oid, "PBEWithMD5AndDES");
         nameTable.put(pbeWithMD5AndRC2_oid, "PBEWithMD5AndRC2");
         nameTable.put(pbeWithSHA1AndDES_oid, "PBEWithSHA1AndDES");
--- old/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java	2018-05-11 15:06:32.657192500 -0700
+++ new/src/java.base/share/classes/sun/security/x509/X509CRLImpl.java	2018-05-11 15:06:32.167216900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -29,27 +29,18 @@
 import java.io.OutputStream;
 import java.io.IOException;
 import java.math.BigInteger;
-import java.security.Principal;
-import java.security.PublicKey;
-import java.security.PrivateKey;
-import java.security.Provider;
-import java.security.Signature;
-import java.security.NoSuchAlgorithmException;
-import java.security.InvalidKeyException;
-import java.security.NoSuchProviderException;
-import java.security.SignatureException;
 import java.security.cert.Certificate;
 import java.security.cert.X509CRL;
 import java.security.cert.X509Certificate;
 import java.security.cert.X509CRLEntry;
 import java.security.cert.CRLException;
+import java.security.*;
 import java.util.*;
 
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.provider.X509Factory;
 import sun.security.util.*;
-import sun.security.util.HexDumpEncoder;
 
 /**
  * <p>
@@ -384,8 +375,19 @@
         } else {
             sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
         }
+
         sigVerf.initVerify(key);
 
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selection happens when key is set
+        try {
+            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
+        } catch (ProviderException e) {
+            throw new CRLException(e.getMessage(), e.getCause());
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new CRLException(e);
+        }
+
         if (tbsCertList == null) {
             throw new CRLException("Uninitialized CRL");
         }
@@ -428,8 +430,19 @@
         } else {
             sigVerf = Signature.getInstance(sigAlgId.getName(), sigProvider);
         }
+
         sigVerf.initVerify(key);
 
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selection happens when key is set
+        try {
+            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
+        } catch (ProviderException e) {
+            throw new CRLException(e.getMessage(), e.getCause());
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new CRLException(e);
+        }
+
         if (tbsCertList == null) {
             throw new CRLException("Uninitialized CRL");
         }
--- old/src/java.base/share/classes/sun/security/x509/X509CertImpl.java	2018-05-11 15:06:34.277670100 -0700
+++ new/src/java.base/share/classes/sun/security/x509/X509CertImpl.java	2018-05-11 15:06:33.786250800 -0700
@@ -34,6 +34,7 @@
 import java.io.OutputStream;
 import java.math.BigInteger;
 import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
 import java.security.cert.*;
 import java.security.cert.Certificate;
 import java.util.*;
@@ -41,7 +42,6 @@
 
 import javax.security.auth.x500.X500Principal;
 
-import sun.security.util.HexDumpEncoder;
 import java.util.Base64;
 import sun.security.util.*;
 import sun.security.provider.X509Factory;
@@ -388,7 +388,6 @@
     public void verify(PublicKey key)
     throws CertificateException, NoSuchAlgorithmException,
         InvalidKeyException, NoSuchProviderException, SignatureException {
-
         verify(key, "");
     }
 
@@ -435,8 +434,19 @@
         } else {
             sigVerf = Signature.getInstance(algId.getName(), sigProvider);
         }
+
         sigVerf.initVerify(key);
 
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selection happens when key is set
+        try {
+            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
+        } catch (ProviderException e) {
+            throw new CertificateException(e.getMessage(), e.getCause());
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new CertificateException(e);
+        }
+
         byte[] rawCert = info.getEncodedInfo();
         sigVerf.update(rawCert, 0, rawCert.length);
 
@@ -480,8 +490,19 @@
         } else {
             sigVerf = Signature.getInstance(algId.getName(), sigProvider);
         }
+
         sigVerf.initVerify(key);
 
+        // set parameters after Signature.initSign/initVerify call,
+        // so the deferred provider selection happens when key is set
+        try {
+            SignatureUtil.specialSetParameter(sigVerf, getSigAlgParams());
+        } catch (ProviderException e) {
+            throw new CertificateException(e.getMessage(), e.getCause());
+        } catch (InvalidAlgorithmParameterException e) {
+            throw new CertificateException(e);
+        }
+
         byte[] rawCert = info.getEncodedInfo();
         sigVerf.update(rawCert, 0, rawCert.length);
 
@@ -537,6 +558,42 @@
     throws CertificateException, NoSuchAlgorithmException,
         InvalidKeyException, NoSuchProviderException, SignatureException {
         try {
+            sign(key, null, algorithm, provider);
+        } catch (InvalidAlgorithmParameterException e) {
+            // should not happen; re-throw just in case
+            throw new SignatureException(e);
+        }
+    }
+
+    /**
+     * Creates an X.509 certificate, and signs it using the given key
+     * (associating a signature algorithm and an X.500 name), signature
+     * parameters, and security provider. If the given provider name
+     * is null or empty, the implementation look up will be based on
+     * provider configurations.
+     * This operation is used to implement the certificate generation
+     * functionality of a certificate authority.
+     *
+     * @param key the private key used for signing
+     * @param signingParams the parameters used for signing
+     * @param algorithm the name of the signature algorithm used
+     * @param provider the name of the provider, may be null
+     *
+     * @exception NoSuchAlgorithmException on unsupported signature
+     *            algorithms
+     * @exception InvalidKeyException on incorrect key
+     * @exception InvalidAlgorithmParameterException on invalid signature
+     *            parameters
+     * @exception NoSuchProviderException on incorrect provider
+     * @exception SignatureException on signature errors
+     * @exception CertificateException on encoding errors
+     */
+    public void sign(PrivateKey key, AlgorithmParameterSpec signingParams,
+            String algorithm, String provider)
+            throws CertificateException, NoSuchAlgorithmException,
+            InvalidKeyException, InvalidAlgorithmParameterException,
+            NoSuchProviderException, SignatureException {
+        try {
             if (readOnly)
                 throw new CertificateEncodingException(
                               "cannot over-write existing certificate");
@@ -548,9 +605,22 @@
 
             sigEngine.initSign(key);
 
-                                // in case the name is reset
-            algId = AlgorithmId.get(sigEngine.getAlgorithm());
+            // set parameters after Signature.initSign/initVerify call, so
+            // the deferred provider selection happens when the key is set
+            try {
+                sigEngine.setParameter(signingParams);
+            } catch (UnsupportedOperationException e) {
+                // for backward compatibility, only re-throw when
+                // parameters is not null
+                if (signingParams != null) throw e;
+            }
 
+            // in case the name is reset
+            if (signingParams != null) {
+                algId = AlgorithmId.get(sigEngine.getParameters());
+            } else {
+                algId = AlgorithmId.get(algorithm);
+            }
             DerOutputStream out = new DerOutputStream();
             DerOutputStream tmp = new DerOutputStream();
 
--- old/src/java.base/share/conf/security/java.security	2018-05-11 15:06:35.934749900 -0700
+++ new/src/java.base/share/conf/security/java.security	2018-05-11 15:06:35.449226800 -0700
@@ -800,6 +800,40 @@
 #       FFFFFFFF FFFFFFFF, 2}
 
 #
+# TLS key limits on symmetric cryptographic algorithms
+#
+# This security property sets limits on algorithms key usage in TLS 1.3.
+# When the amount of data encrypted exceeds the algorithm value listed below,
+# a KeyUpdate message will trigger a key change.  This is for symmetric ciphers
+# with TLS 1.3 only.
+#
+# The syntax for the property is described below:
+#   KeyLimits:
+#       " KeyLimit { , KeyLimit } "
+#
+#   WeakKeyLimit:
+#       AlgorithmName Action Length
+#
+#   AlgorithmName:
+#       A full algorithm transformation.
+#
+#   Action:
+#       KeyUpdate
+#
+#   Length:
+#       The amount of encrypted data in a session before the Action occurs
+#       This value may be an integer value in bytes, or as a power of two, 2^29.
+#
+#   KeyUpdate:
+#       The TLS 1.3 KeyUpdate handshake process begins when the Length amount
+#       is fulfilled.
+#
+# Note: This property is currently used by OpenJDK's JSSE implementation. It
+# is not guaranteed to be examined and used by other implementations.
+#
+jdk.tls.keyLimits=AES/GCM/NoPadding KeyUpdate 2^37
+
+#
 # Cryptographic Jurisdiction Policy defaults
 #
 # Import and export control rules on cryptographic software vary from
--- old/src/java.security.jgss/share/classes/module-info.java	2018-05-11 15:06:37.807244800 -0700
+++ new/src/java.security.jgss/share/classes/module-info.java	2018-05-11 15:06:37.192751200 -0700
@@ -55,7 +55,5 @@
 
     provides java.security.Provider with
         sun.security.jgss.SunProvider;
-    provides sun.security.ssl.ClientKeyExchangeService with
-        sun.security.krb5.internal.ssl.Krb5KeyExchangeService;
 }
 
--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java	2018-05-11 15:06:39.484316000 -0700
+++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java	2018-05-11 15:06:38.964136100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -38,7 +38,9 @@
 import javax.crypto.interfaces.*;
 import javax.crypto.spec.*;
 
+import sun.security.rsa.RSAUtil.KeyType;
 import sun.security.rsa.RSAPublicKeyImpl;
+import sun.security.rsa.RSAPrivateCrtKeyImpl;
 
 import sun.security.internal.interfaces.TlsMasterSecret;
 
@@ -525,11 +527,8 @@
             if (encoded == null) {
                 fetchValues();
                 try {
-                    // XXX make constructor in SunRsaSign provider public
-                    // and call it directly
-                    KeyFactory factory = KeyFactory.getInstance
-                        ("RSA", P11Util.getSunRsaSignProvider());
-                    Key newKey = factory.translateKey(this);
+                    Key newKey = RSAPrivateCrtKeyImpl.newKey
+                        (KeyType.RSA, null, n, e, d, p, q, pe, qe, coeff);
                     encoded = newKey.getEncoded();
                 } catch (GeneralSecurityException e) {
                     throw new ProviderException(e);
@@ -623,7 +622,6 @@
     private static final class P11RSAPublicKey extends P11Key
                                                 implements RSAPublicKey {
         private static final long serialVersionUID = -826726289023854455L;
-
         private BigInteger n, e;
         private byte[] encoded;
         P11RSAPublicKey(Session session, long keyID, String algorithm,
@@ -652,7 +650,8 @@
             if (encoded == null) {
                 fetchValues();
                 try {
-                    encoded = new RSAPublicKeyImpl(n, e).getEncoded();
+                    encoded = RSAPublicKeyImpl.newKey
+                        (KeyType.RSA, null, n, e).getEncoded();
                 } catch (InvalidKeyException e) {
                     throw new ProviderException(e);
                 }
--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java	2018-05-11 15:06:41.071281400 -0700
+++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSAKeyFactory.java	2018-05-11 15:06:40.594632600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,6 +31,7 @@
 import java.security.interfaces.*;
 import java.security.spec.*;
 
+import sun.security.rsa.RSAPublicKeyImpl;
 import static sun.security.pkcs11.TemplateManager.*;
 import sun.security.pkcs11.wrapper.*;
 import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -60,7 +61,7 @@
             } else if ("X.509".equals(key.getFormat())) {
                 // let SunRsaSign provider parse for us, then recurse
                 byte[] encoded = key.getEncoded();
-                key = new sun.security.rsa.RSAPublicKeyImpl(encoded);
+                key = RSAPublicKeyImpl.newKey(encoded);
                 return implTranslatePublicKey(key);
             } else {
                 throw new InvalidKeyException("PublicKey must be instance "
@@ -113,7 +114,7 @@
         if (keySpec instanceof X509EncodedKeySpec) {
             try {
                 byte[] encoded = ((X509EncodedKeySpec)keySpec).getEncoded();
-                PublicKey key = new sun.security.rsa.RSAPublicKeyImpl(encoded);
+                PublicKey key = RSAPublicKeyImpl.newKey(encoded);
                 return implTranslatePublicKey(key);
             } catch (InvalidKeyException e) {
                 throw new InvalidKeySpecException
--- old/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java	2018-05-11 15:06:42.658319000 -0700
+++ new/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java	2018-05-11 15:06:42.184859500 -0700
@@ -31,6 +31,7 @@
 
 import java.security.*;
 import java.security.interfaces.*;
+import java.security.spec.AlgorithmParameterSpec;
 import sun.nio.ch.DirectBuffer;
 
 import sun.security.util.*;
@@ -434,6 +435,7 @@
     }
 
     // see JCA spec
+    @Override
     protected void engineInitVerify(PublicKey publicKey)
             throws InvalidKeyException {
         if (publicKey == null) {
@@ -450,6 +452,7 @@
     }
 
     // see JCA spec
+    @Override
     protected void engineInitSign(PrivateKey privateKey)
             throws InvalidKeyException {
         if (privateKey == null) {
@@ -466,6 +469,7 @@
     }
 
     // see JCA spec
+    @Override
     protected void engineUpdate(byte b) throws SignatureException {
         ensureInitialized();
         switch (type) {
@@ -490,6 +494,7 @@
     }
 
     // see JCA spec
+    @Override
     protected void engineUpdate(byte[] b, int ofs, int len)
             throws SignatureException {
         ensureInitialized();
@@ -527,6 +532,7 @@
     }
 
     // see JCA spec
+    @Override
     protected void engineUpdate(ByteBuffer byteBuffer) {
         ensureInitialized();
         int len = byteBuffer.remaining();
@@ -574,6 +580,7 @@
     }
 
     // see JCA spec
+    @Override
     protected byte[] engineSign() throws SignatureException {
         ensureInitialized();
         try {
@@ -633,6 +640,7 @@
     }
 
     // see JCA spec
+    @Override
     protected boolean engineVerify(byte[] signature) throws SignatureException {
         ensureInitialized();
         try {
@@ -824,15 +832,32 @@
 
     // see JCA spec
     @SuppressWarnings("deprecation")
+    @Override
     protected void engineSetParameter(String param, Object value)
             throws InvalidParameterException {
         throw new UnsupportedOperationException("setParameter() not supported");
     }
 
     // see JCA spec
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameter accepted");
+        }
+    }
+
+    // see JCA spec
     @SuppressWarnings("deprecation")
+    @Override
     protected Object engineGetParameter(String param)
             throws InvalidParameterException {
         throw new UnsupportedOperationException("getParameter() not supported");
     }
+
+    // see JCA spec
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
 }
--- old/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java	2018-05-11 15:06:44.315598200 -0700
+++ new/src/jdk.crypto.ec/share/classes/sun/security/ec/ECDSASignature.java	2018-05-11 15:06:43.836379900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -427,6 +427,14 @@
         throw new UnsupportedOperationException("setParameter() not supported");
     }
 
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameter accepted");
+        }
+    }
+
     // get parameter, not supported. See JCA doc
     @Override
     @Deprecated
@@ -435,6 +443,11 @@
         throw new UnsupportedOperationException("getParameter() not supported");
     }
 
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
+
     // Convert the concatenation of R and S into their DER encoding
     private byte[] encodeSignature(byte[] signature) throws SignatureException {
 
--- old/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAPublicKey.java	2018-05-11 15:06:45.925472800 -0700
+++ new/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSAPublicKey.java	2018-05-11 15:06:45.448291000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@
 import java.security.KeyRep;
 import java.security.ProviderException;
 
+import sun.security.rsa.RSAUtil.KeyType;
 import sun.security.rsa.RSAPublicKeyImpl;
 
 /**
@@ -165,8 +166,8 @@
         if (encoding == null) {
 
             try {
-                encoding = new RSAPublicKeyImpl(getModulus(),
-                    getPublicExponent()).getEncoded();
+                encoding = RSAPublicKeyImpl.newKey(KeyType.RSA, null,
+                    getModulus(), getPublicExponent()).getEncoded();
 
             } catch (KeyException e) {
                 // ignore
--- old/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSASignature.java	2018-05-11 15:06:47.780060800 -0700
+++ new/src/jdk.crypto.mscapi/windows/classes/sun/security/mscapi/RSASignature.java	2018-05-11 15:06:47.002684200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,15 +26,8 @@
 package sun.security.mscapi;
 
 import java.nio.ByteBuffer;
-import java.security.PublicKey;
-import java.security.PrivateKey;
-import java.security.InvalidKeyException;
-import java.security.InvalidParameterException;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.ProviderException;
-import java.security.MessageDigest;
-import java.security.SignatureException;
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
 import java.math.BigInteger;
 
 import sun.security.rsa.RSAKeyFactory;
@@ -230,6 +223,7 @@
     }
 
     // initialize for signing. See JCA doc
+    @Override
     protected void engineInitVerify(PublicKey key)
         throws InvalidKeyException
     {
@@ -280,6 +274,7 @@
     }
 
     // initialize for signing. See JCA doc
+    @Override
     protected void engineInitSign(PrivateKey key) throws InvalidKeyException
     {
         // This signature accepts only RSAPrivateKey
@@ -326,6 +321,7 @@
      * @exception SignatureException if the engine is not initialized
      * properly.
      */
+    @Override
     protected void engineUpdate(byte b) throws SignatureException
     {
         messageDigest.update(b);
@@ -343,6 +339,7 @@
      * @exception SignatureException if the engine is not initialized
      * properly
      */
+    @Override
     protected void engineUpdate(byte[] b, int off, int len)
         throws SignatureException
     {
@@ -356,6 +353,7 @@
      *
      * @param input the ByteBuffer
      */
+    @Override
     protected void engineUpdate(ByteBuffer input)
     {
         messageDigest.update(input);
@@ -374,6 +372,7 @@
      * initialized properly or if this signature algorithm is unable to
      * process the input data provided.
      */
+    @Override
     protected byte[] engineSign() throws SignatureException {
 
         byte[] hash = getDigestValue();
@@ -435,6 +434,7 @@
      * encoded or of the wrong type, if this signature algorithm is unable to
      * process the input data provided, etc.
      */
+    @Override
     protected boolean engineVerify(byte[] sigBytes)
         throws SignatureException
     {
@@ -470,6 +470,7 @@
      * #engineSetParameter(java.security.spec.AlgorithmParameterSpec)
      * engineSetParameter}.
      */
+    @Override
     @Deprecated
     protected void engineSetParameter(String param, Object value)
         throws InvalidParameterException
@@ -477,6 +478,22 @@
         throw new InvalidParameterException("Parameter not supported");
     }
 
+    /**
+     * Sets this signature engine with the specified algorithm parameter.
+     *
+     * @param params the parameters
+     *
+     * @exception InvalidAlgorithmParameterException if the given
+     * parameter is invalid
+     */
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+        throws InvalidAlgorithmParameterException
+    {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameter accepted");
+        }
+    }
 
     /**
      * Gets the value of the specified algorithm parameter.
@@ -500,6 +517,7 @@
      *
      * @deprecated
      */
+    @Override
     @Deprecated
     protected Object engineGetParameter(String param)
         throws InvalidParameterException
@@ -508,6 +526,16 @@
     }
 
     /**
+     * Gets the algorithm parameter from this signature engine.
+     *
+     * @return the parameter, or null if no parameter is used.
+     */
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
+
+    /**
      * Generates a public-key BLOB from a key's components.
      */
     // used by RSACipher
--- old/src/jdk.crypto.ucrypto/solaris/classes/com/oracle/security/ucrypto/NativeRSASignature.java	2018-05-11 15:06:49.452072700 -0700
+++ new/src/jdk.crypto.ucrypto/solaris/classes/com/oracle/security/ucrypto/NativeRSASignature.java	2018-05-11 15:06:48.986340400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -176,12 +176,18 @@
     }
 
     // deprecated but abstract
+    @Override
     @SuppressWarnings("deprecation")
     protected Object engineGetParameter(String param) throws InvalidParameterException {
         throw new UnsupportedOperationException("getParameter() not supported");
     }
 
     @Override
+    protected AlgorithmParameters engineGetParameters() {
+        return null;
+    }
+
+    @Override
     protected synchronized void engineInitSign(PrivateKey privateKey)
             throws InvalidKeyException {
         if (privateKey == null) {
@@ -251,12 +257,21 @@
     }
 
     // deprecated but abstract
+    @Override
     @SuppressWarnings("deprecation")
     protected void engineSetParameter(String param, Object value) throws InvalidParameterException {
         throw new UnsupportedOperationException("setParameter() not supported");
     }
 
     @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        if (params != null) {
+            throw new InvalidAlgorithmParameterException("No parameter accepted");
+        }
+    }
+
+    @Override
     protected synchronized byte[] engineSign() throws SignatureException {
         try {
             byte[] sig = new byte[sigLength];
--- old/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java	2018-05-11 15:06:51.404139300 -0700
+++ new/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java	2018-05-11 15:06:50.903715300 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 4894151
+ * @bug 4894151 8146293
  * @summary encryption/decryption test for OAEP
  * @author Andreas Sterbenz
  * @key randomness
@@ -63,6 +63,8 @@
         Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding");
         Cipher.getInstance("RSA/ECB/OAEPwithSHA-384andMGF1Padding");
         Cipher.getInstance("RSA/ECB/OAEPwithSHA-512andMGF1Padding");
+        Cipher.getInstance("RSA/ECB/OAEPwithSHA-512/224andMGF1Padding");
+        Cipher.getInstance("RSA/ECB/OAEPwithSHA-512/256andMGF1Padding");
 
         // basic test using MD5
         testEncryptDecrypt("MD5", 0);
@@ -90,28 +92,32 @@
         // tests alias works
         testEncryptDecrypt("SHA-1", 16);
 
-        // basic test using SHA-224
-        testEncryptDecrypt("SHA-224", 0);
-        testEncryptDecrypt("SHA-224", 16);
-        testEncryptDecrypt("SHA-224", 38);
-        try {
-            testEncryptDecrypt("SHA-224", 39);
-            throw new Exception("Unexpectedly completed call");
-        } catch (IllegalBlockSizeException e) {
-            // ok
-            System.out.println(e);
+        String[] HASH_ALG_224 = { "SHA-224", "SHA-512/224" };
+        for (String ha : HASH_ALG_224) {
+            testEncryptDecrypt(ha, 0);
+            testEncryptDecrypt(ha, 16);
+            testEncryptDecrypt(ha, 38);
+            try {
+                testEncryptDecrypt(ha, 39);
+                throw new Exception("Unexpectedly completed call");
+            } catch (IllegalBlockSizeException e) {
+                // ok
+                System.out.println(e);
+            }
         }
 
-        // basic test using SHA-256
-        testEncryptDecrypt("SHA-256", 0);
-        testEncryptDecrypt("SHA-256", 16);
-        testEncryptDecrypt("SHA-256", 30);
-        try {
-            testEncryptDecrypt("SHA-256", 31);
-            throw new Exception("Unexpectedly completed call");
-        } catch (IllegalBlockSizeException e) {
-            // ok
-            System.out.println(e);
+        String[] HASH_ALG_256 = { "SHA-256", "SHA-512/256" };
+        for (String ha : HASH_ALG_256) {
+            testEncryptDecrypt(ha, 0);
+            testEncryptDecrypt(ha, 16);
+            testEncryptDecrypt(ha, 30);
+            try {
+                testEncryptDecrypt(ha, 31);
+                throw new Exception("Unexpectedly completed call");
+            } catch (IllegalBlockSizeException e) {
+                // ok
+                System.out.println(e);
+            }
         }
 
         // 768 bit key too short for OAEP with 64 byte digest
--- old/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEPPadding.java	2018-05-11 15:06:53.009830000 -0700
+++ new/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEPPadding.java	2018-05-11 15:06:52.508107900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -130,6 +130,16 @@
                 MGF1ParameterSpec.SHA384, PSource.PSpecified.DEFAULT));
         test(new OAEPParameterSpec("SHA-512", "MGF1",
                 MGF1ParameterSpec.SHA512, PSource.PSpecified.DEFAULT));
+        // SHA-512/224 and SHA-512/256
+        test(new OAEPParameterSpec("SHA-512/224", "MGF1",
+                MGF1ParameterSpec.SHA224, PSource.PSpecified.DEFAULT));
+        test(new OAEPParameterSpec("SHA-512/224", "MGF1",
+                MGF1ParameterSpec.SHA512_224, PSource.PSpecified.DEFAULT));
+        test(new OAEPParameterSpec("SHA-512/256", "MGF1",
+                MGF1ParameterSpec.SHA384, PSource.PSpecified.DEFAULT));
+        test(new OAEPParameterSpec("SHA-512/256", "MGF1",
+                MGF1ParameterSpec.SHA512, PSource.PSpecified.DEFAULT));
+
         if (failed) {
             throw new Exception("Test failed");
         }
@@ -154,9 +164,9 @@
                 dlen = 16;
             } else if (algo.equals("SHA1")) {
                 dlen = 20;
-            } else if (algo.equals("SHA-224")) {
+            } else if (algo.equals("SHA-224") || algo.equals("SHA-512/224")) {
                 dlen = 28;
-            } else if (algo.equals("SHA-256")) {
+            } else if (algo.equals("SHA-256") || algo.equals("SHA-512/256")) {
                 dlen = 32;
             } else if (algo.equals("SHA-384")) {
                 dlen = 48;
--- old/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java	2018-05-11 15:06:54.625967100 -0700
+++ new/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java	2018-05-11 15:06:54.143305900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 
 /*
  * @test
- * @bug 4923484
+ * @bug 4923484 8146293
  * @summary test ASN.1 encoding generation/parsing for the OAEPParameters
  * implementation in SunJCE provider.
  * @author Valerie Peng
@@ -125,6 +125,8 @@
         status &= runTest("SHA-256", MGF1ParameterSpec.SHA256, p);
         status &= runTest("SHA-384", MGF1ParameterSpec.SHA384, p);
         status &= runTest("SHA-512", MGF1ParameterSpec.SHA512, p);
+        status &= runTest("SHA-512/224", MGF1ParameterSpec.SHA512_224, p);
+        status &= runTest("SHA-512/256", MGF1ParameterSpec.SHA512_256, p);
         status &= runTest("SHA", MGF1ParameterSpec.SHA1, new byte[0]);
         status &= runTest("SHA-1", MGF1ParameterSpec.SHA1, new byte[0]);
         status &= runTest("SHA1", MGF1ParameterSpec.SHA1, new byte[0]);
--- old/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java	2018-05-11 15:06:56.226457400 -0700
+++ new/test/jdk/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java	2018-05-11 15:06:55.733464800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -47,10 +47,10 @@
     private static Random random = new Random();
 
     private static String MD[] = {
-        "MD5", "SHA1", "SHA-224", "SHA-256"
+        "MD5", "SHA1", "SHA-224", "SHA-256", "SHA-512/224", "SHA-512/256"
     };
     private static int DATA_LENGTH[] = {
-        62, 54, 34, 30
+        62, 54, 34, 30, 34, 30
     };
     public static void main(String[] args) throws Exception {
         long start = System.currentTimeMillis();
--- old/test/jdk/java/net/httpclient/http2/ErrorTest.java	2018-05-11 15:06:57.906450400 -0700
+++ new/test/jdk/java/net/httpclient/http2/ErrorTest.java	2018-05-11 15:06:57.402779300 -0700
@@ -58,7 +58,7 @@
  */
 public class ErrorTest {
 
-    static final String[] CIPHER_SUITES = new String[]{ "TLS_KRB5_WITH_3DES_EDE_CBC_SHA" };
+    static final String[] CIPHER_SUITES = new String[]{ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" };
 
     static final String SIMPLE_STRING = "Hello world Goodbye world";
 
--- old/test/jdk/java/net/httpclient/http2/TLSConnection.java	2018-05-11 15:06:59.740670100 -0700
+++ new/test/jdk/java/net/httpclient/http2/TLSConnection.java	2018-05-11 15:06:59.265599900 -0700
@@ -92,7 +92,7 @@
                     "---\nTest #2: default SSL parameters, "
                             + "expect successful connection",
                     () -> connect(uriString, USE_DEFAULT_SSL_PARAMETERS));
-            success &= checkProtocol(handler.getSSLSession(), "TLSv1.2");
+            success &= checkProtocol(handler.getSSLSession(), "TLSv1.3");
 
             // set SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA cipher suite
             // which has less priority in default cipher suite list
--- old/test/jdk/java/security/Signature/Offsets.java	2018-05-11 15:07:01.544252300 -0700
+++ new/test/jdk/java/security/Signature/Offsets.java	2018-05-11 15:07:01.064257000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,20 +21,13 @@
  * questions.
  */
 
-import java.security.InvalidKeyException;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.Signature;
-import java.security.SignatureException;
+import java.security.*;
+import java.security.spec.*;
 import jdk.test.lib.RandomFactory;
 
 /*
  * @test
- * @bug 8050374 8181048
+ * @bug 8050374 8181048 8146293
  * @key randomness
  * @summary This test validates signature verification
  *          Signature.verify(byte[], int, int). The test uses RandomFactory to
@@ -47,6 +40,9 @@
  * @run main Offsets SUN SHA1withDSA
  * @run main Offsets SUN SHA224withDSA
  * @run main Offsets SUN SHA256withDSA
+ * @run main Offsets SunRsaSign SHA512withRSA
+ * @run main Offsets SunRsaSign SHA512/224withRSA
+ * @run main Offsets SunRsaSign SHA512/256withRSA
  */
 public class Offsets {
 
@@ -59,11 +55,13 @@
     private Offsets(Signature signature, PublicKey pubkey, PrivateKey privkey,
             int size, byte[] cleartext) throws InvalidKeyException,
                 SignatureException {
+        System.out.println("Testing signature " + signature.getAlgorithm()); 
         this.pubkey = pubkey;
         this.signature = signature;
         this.size = size;
         this.cleartext = cleartext;
 
+        String sigAlg = signature.getAlgorithm();
         signature.initSign(privkey);
         signature.update(cleartext, 0, size);
         signed = signature.sign();
@@ -86,7 +84,7 @@
 
     boolean verifySignature(byte[] sigData, int sigOffset, int sigLength,
             int updateOffset, int updateLength)
-                throws InvalidKeyException, SignatureException {
+            throws InvalidKeyException, SignatureException {
         signature.initVerify(pubkey);
         signature.update(cleartext, updateOffset, updateLength);
         return signature.verify(sigData, sigOffset, sigLength);
--- old/test/jdk/java/security/SignedObject/Chain.java	2018-05-11 15:07:03.058056400 -0700
+++ new/test/jdk/java/security/SignedObject/Chain.java	2018-05-11 15:07:02.578363400 -0700
@@ -1,5 +1,5 @@
-/*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+/**
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,12 +28,18 @@
 import java.security.NoSuchProviderException;
 import java.security.PrivateKey;
 import java.security.PublicKey;
-import java.util.Arrays;
+import java.security.spec.*;
+import java.util.*;
+import jdk.test.lib.SigTestUtil;
+import static jdk.test.lib.SigTestUtil.SignatureType;
 
 /*
  * @test
- * @bug 8050374 8181048
+ * @bug 8050374 8181048 8146293
  * @summary Verify a chain of signed objects
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
+ * @run main Chain
  */
 public class Chain {
 
@@ -77,6 +83,8 @@
         SHA256withRSA("SHA256withRSA"),
         SHA384withRSA("SHA384withRSA"),
         SHA512withRSA("SHA512withRSA"),
+        SHA512_224withRSA("SHA512/224withRSA"),
+        SHA512_256withRSA("SHA512/256withRSA"),
 
         SHA1withECDSA("SHA1withECDSA"),
         SHA256withECDSA("SHA256withECDSA"),
@@ -84,7 +92,9 @@
         SHA384withECDSA("SHA384withECDSA"),
         SHA512withECDSA("SHA512withECDSA"),
 
-        MD5andSHA1withRSA("MD5andSHA1withRSA");
+        MD5andSHA1withRSA("MD5andSHA1withRSA"),
+
+        RSASSA_PSS("RSASSA-PSS");
 
         final String name;
 
@@ -98,16 +108,44 @@
         final KeyAlg keyAlg;
         final SigAlg sigAlg;
         final int keySize;
+        final AlgorithmParameterSpec sigParams;
 
         Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider) {
-            this(sigAlg, keyAlg, provider, -1);
+            this(sigAlg, keyAlg, provider, -1, null);
         }
 
         Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider, int keySize) {
+            this(sigAlg, keyAlg, provider, keySize, null);
+        }
+
+        Test(SigAlg sigAlg, KeyAlg keyAlg, Provider provider, int keySize,
+                AlgorithmParameterSpec sigParams) {
             this.provider = provider;
             this.keyAlg = keyAlg;
             this.sigAlg = sigAlg;
             this.keySize = keySize;
+            this.sigParams = sigParams;
+        }
+
+        private static String formatParams(AlgorithmParameterSpec aps) {
+            if (aps == null) return "null";
+            if (aps instanceof PSSParameterSpec) {
+                PSSParameterSpec p = (PSSParameterSpec) aps;
+                return String.format("PSSParameterSpec (%s, %s, %s, %s)",
+                    p.getDigestAlgorithm(), formatParams(p.getMGFParameters()),
+                    p.getSaltLength(), p.getTrailerField());
+            } else if (aps instanceof MGF1ParameterSpec) {
+                return "MGF1" +
+                    ((MGF1ParameterSpec)aps).getDigestAlgorithm();
+            } else {
+                return aps.toString();
+            }
+        }
+
+        public String toString() {
+            return String.format("Test: provider = %s, signature alg = %s, "
+                + " w/ %s, key alg = %s", provider, sigAlg,
+                formatParams(sigParams), keyAlg);
         }
     }
 
@@ -126,17 +164,29 @@
 
     public static void main(String argv[]) {
         boolean result = Arrays.stream(tests).allMatch((test) -> runTest(test));
-        if(result) {
+        result &= runTestPSS(2048);
+        if (result) {
             System.out.println("All tests passed");
         } else {
             throw new RuntimeException("Some tests failed");
         }
     }
 
+    private static boolean runTestPSS(int keysize) {
+        boolean result = true;
+        SigAlg pss = SigAlg.RSASSA_PSS;
+        Iterator<String> mdAlgs = SigTestUtil.getDigestAlgorithms
+            (SignatureType.RSASSA_PSS, keysize).iterator();
+        while (mdAlgs.hasNext()) {
+            result &= runTest(new Test(pss, KeyAlg.RSA, Provider.SunRsaSign,
+                keysize, SigTestUtil.generateDefaultParameter
+                    (SignatureType.RSASSA_PSS, mdAlgs.next())));
+        }
+        return result;
+    }
+
     static boolean runTest(Test test) {
-        System.out.format("Test: provider = %s, signature algorithm = %s, "
-                + "key algorithm = %s\n",
-                test.provider, test.sigAlg, test.keyAlg);
+        System.out.println(test);
         try {
             // Generate all private/public key pairs
             PrivateKey[] privKeys = new PrivateKey[N];
@@ -153,6 +203,9 @@
                 signature = Signature.getInstance(test.sigAlg.name);
                 kpg = KeyPairGenerator.getInstance(test.keyAlg.name);
             }
+
+            signature.setParameter(test.sigParams);
+
             for (int j=0; j < N; j++) {
                 if (test.keySize != -1) {
                     kpg.initialize(test.keySize);
@@ -187,7 +240,6 @@
                     System.out.println("Failed: verification failed, n = " + n);
                     return false;
                 }
-
                 if (object.verify(anotherPubKeys[n], signature)) {
                     System.out.println("Failed: verification should not "
                             + "succeed with wrong public key, n = " + n);
--- old/test/jdk/javax/net/ssl/SSLEngine/CheckStatus.java	2018-05-11 15:07:04.634420000 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/CheckStatus.java	2018-05-11 15:07:04.158114100 -0700
@@ -25,15 +25,16 @@
  * @test
  * @bug 4948079
  * @summary SSLEngineResult needs updating [none yet]
- *
- * This is a simple hack to test a bunch of conditions and check
- * their return codes.
- *
+ * @ignore the dependent implementation details are changed
  * @run main/othervm -Djsse.enableCBCProtection=false CheckStatus
  *
  * @author Brad Wetmore
  */
 
+/*
+ * This is a simple hack to test a bunch of conditions and check
+ * their return codes.
+ */
 import javax.net.ssl.*;
 import javax.net.ssl.SSLEngineResult.*;
 import java.io.*;
--- old/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java	2018-05-11 15:07:06.172881700 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/ConnectionTest.java	2018-05-11 15:07:05.698420700 -0700
@@ -26,17 +26,18 @@
  * @bug 4495742
  * @summary Add non-blocking SSL/TLS functionality, usable with any
  *      I/O abstraction
+ * @ignore the dependent implementation details are changed
+ * @author Brad Wetmore
  *
+ * @run main/othervm ConnectionTest
+ */
+
+/*
  * This is a bit hacky, meant to test various conditions.  The main
  * thing I wanted to do with this was to do buffer reads/writes
  * when buffers were not empty.  (buffer.position() = 10)
  * The code could certainly be tightened up a lot.
- *
- * @author Brad Wetmore
- *
- * @run main/othervm ConnectionTest
  */
-
 import javax.net.ssl.*;
 import javax.net.ssl.SSLEngineResult.*;
 import java.io.*;
--- old/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java	2018-05-11 15:07:07.753816400 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/EngineCloseOnAlert.java	2018-05-11 15:07:07.270780200 -0700
@@ -25,7 +25,8 @@
  * @test
  * @bug 8133632
  * @summary javax.net.ssl.SSLEngine does not properly handle received
- * SSL fatal alerts
+ *      SSL fatal alerts
+ * @ignore the dependent implementation details are changed
  * @run main/othervm EngineCloseOnAlert
  */
 
--- old/test/jdk/javax/net/ssl/SSLEngine/IllegalHandshakeMessage.java	2018-05-11 15:07:09.314975100 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/IllegalHandshakeMessage.java	2018-05-11 15:07:08.841648900 -0700
@@ -30,7 +30,7 @@
  * @test
  * @bug 8180643
  * @summary Illegal handshake message
- *
+ * @ignore the dependent implementation details are changed
  * @run main/othervm IllegalHandshakeMessage
  */
 
--- old/test/jdk/javax/net/ssl/SSLEngine/IllegalRecordVersion.java	2018-05-11 15:07:10.876951000 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/IllegalRecordVersion.java	2018-05-11 15:07:10.399452500 -0700
@@ -28,7 +28,7 @@
  * @test
  * @bug 8042449
  * @summary Issue for negative byte major record version
- *
+ * @ignore the dependent implementation details are changed
  * @run main/othervm IllegalRecordVersion
  */
 
--- old/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java	2018-05-11 15:07:12.455816700 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/LargeBufs.java	2018-05-11 15:07:11.978612800 -0700
@@ -45,7 +45,7 @@
 
 public class LargeBufs {
 
-    private static boolean debug = false;
+    private static boolean debug = true;
 
     private SSLContext sslc;
     static private SSLEngine ssle1;     // client
@@ -297,6 +297,11 @@
         } else {
             log("Data transferred cleanly");
         }
+
+        a.position(a.limit());
+        b.position(b.limit());
+        a.limit(a.capacity());
+        b.limit(b.capacity());
     }
 
     private static void log(String str) {
--- old/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java	2018-05-11 15:07:13.976338800 -0700
+++ new/test/jdk/javax/net/ssl/SSLEngine/NoAuthClientAuth.java	2018-05-11 15:07:13.501707100 -0700
@@ -94,7 +94,7 @@
      * including specific handshake messages, and might be best examined
      * after gaining some familiarity with this application.
      */
-    private static boolean debug = false;
+    private static boolean debug = true;
 
     private SSLContext sslc;
 
@@ -243,8 +243,8 @@
                     for (java.security.cert.Certificate c : certs) {
                         System.out.println(c);
                     }
-                    log("Closing server.");
-                    serverEngine.closeOutbound();
+//                    log("Closing server.");
+//                    serverEngine.closeOutbound();
                 } // nothing.
             }
 
@@ -253,18 +253,30 @@
 
             log("----");
 
-            clientResult = clientEngine.unwrap(sTOc, clientIn);
-            log("client unwrap: ", clientResult);
-            runDelegatedTasks(clientResult, clientEngine);
-            clientIn.clear();
+            if (!clientEngine.isInboundDone()) {
+                clientResult = clientEngine.unwrap(sTOc, clientIn);
+                log("client unwrap: ", clientResult);
+                runDelegatedTasks(clientResult, clientEngine);
+                clientIn.clear();
+                sTOc.compact();
+            } else {
+                sTOc.clear();
+            }
 
-            serverResult = serverEngine.unwrap(cTOs, serverIn);
-            log("server unwrap: ", serverResult);
-            runDelegatedTasks(serverResult, serverEngine);
-            serverIn.clear();
+            if (!serverEngine.isInboundDone()) {
+                serverResult = serverEngine.unwrap(cTOs, serverIn);
+                log("server unwrap: ", serverResult);
+                runDelegatedTasks(serverResult, serverEngine);
+                serverIn.clear();
+                cTOs.compact();
+            } else {
+                cTOs.clear();
+            }
 
-            cTOs.compact();
-            sTOc.compact();
+            if (hsCompleted == 2) {
+                  log("Closing server.");
+                  serverEngine.closeOutbound();
+            }
         }
     }
 
--- old/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java	2018-05-11 15:07:15.536731100 -0700
+++ new/test/jdk/javax/net/ssl/SSLSession/TestEnabledProtocols.java	2018-05-11 15:07:15.061500500 -0700
@@ -234,6 +234,10 @@
                 } catch (java.lang.InterruptedException ie) {
                     // must have been interrupted, no harm
                     break;
+                } catch (SSLException ssle) {
+                    // The client side may have closed the socket.
+                    System.out.println("Server SSLException:");
+                    ssle.printStackTrace(System.out);
                 } catch (Exception e) {
                     System.out.println("Server exception:");
                     e.printStackTrace(System.out);
--- old/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java	2018-05-11 15:07:17.059817600 -0700
+++ new/test/jdk/javax/net/ssl/ServerName/SSLSocketExplorerFailure.java	2018-05-11 15:07:16.570357300 -0700
@@ -45,6 +45,7 @@
 import java.util.*;
 import java.net.*;
 import javax.net.ssl.*;
+import java.security.Security;
 
 public class SSLSocketExplorerFailure {
 
@@ -232,6 +233,9 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
+        Security.setProperty("jdk.tls.disabledAlgorithms", "");
+        Security.setProperty("jdk.certpath.disabledAlgorithms", "");
+
         String keyFilename =
             System.getProperty("test.src", ".") + "/" + pathToStores +
                 "/" + keyStoreFile;
--- old/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java	2018-05-11 15:07:18.639145700 -0700
+++ new/test/jdk/javax/net/ssl/ServerName/SSLSocketSNISensitive.java	2018-05-11 15:07:18.153160300 -0700
@@ -54,7 +54,8 @@
 import java.security.interfaces.*;
 import java.util.Base64;
 
-
+// Note: this test case works only on TLS 1.2 and prior versions because of
+// the use of MD5withRSA signed certificate.
 public class SSLSocketSNISensitive {
 
     /*
@@ -415,7 +416,7 @@
         TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
         tmf.init(ks);
 
-        SSLContext ctx = SSLContext.getInstance("TLS");
+        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
         KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
         kmf.init(ks, passphrase);
 
--- old/test/jdk/javax/net/ssl/Stapling/HttpsUrlConnClient.java	2018-05-11 15:07:20.193769500 -0700
+++ new/test/jdk/javax/net/ssl/Stapling/HttpsUrlConnClient.java	2018-05-11 15:07:19.710677100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -194,7 +194,7 @@
         // because of the client alert
         if (tr.serverExc instanceof SSLHandshakeException) {
             if (!tr.serverExc.getMessage().contains(
-                    "alert: bad_certificate_status_response")) {
+                    "bad_certificate_status_response")) {
                 throw tr.serverExc;
             }
         }
@@ -234,7 +234,7 @@
         TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
         tmf.init(trustStore);
 
-        SSLContext sslc = SSLContext.getInstance("TLS");
+        SSLContext sslc = SSLContext.getInstance("TLSv1.2");
         sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
 
         SSLServerSocketFactory sslssf = sslc.getServerSocketFactory();
@@ -333,7 +333,8 @@
             if (contentLength == -1) {
                 contentLength = Integer.MAX_VALUE;
             }
-            byte[] response = new byte[contentLength > 2048 ? 2048 : contentLength];
+            byte[] response = new byte[contentLength > 2048 ? 2048 :
+                contentLength];
             int total = 0;
             while (total < contentLength) {
                 int count = in.read(response, total, response.length - total);
@@ -391,8 +392,8 @@
     /**
      * Checks a validation failure to see if it failed for the reason we think
      * it should.  This comes in as an SSLException of some sort, but it
-     * encapsulates a ValidatorException which in turn encapsulates the
-     * CertPathValidatorException we are interested in.
+     * encapsulates a CertPathValidatorException at some point in the
+     * exception stack.
      *
      * @param e the exception thrown at the top level
      * @param reason the underlying CertPathValidatorException BasicReason
@@ -404,19 +405,31 @@
             BasicReason reason) {
         boolean result = false;
 
-        if (e instanceof SSLException) {
-            Throwable valExc = e.getCause();
-            if (valExc instanceof sun.security.validator.ValidatorException) {
-                Throwable cause = valExc.getCause();
-                if (cause instanceof CertPathValidatorException) {
-                    CertPathValidatorException cpve =
-                            (CertPathValidatorException)cause;
-                    if (cpve.getReason() == reason) {
-                        result = true;
-                    }
-                }
+        // Locate the CertPathValidatorException.  If one
+        // Does not exist, then it's an automatic failure of
+        // the test.
+        Throwable curExc = e;
+        CertPathValidatorException cpve = null;
+        while (curExc != null) {
+            if (curExc instanceof CertPathValidatorException) {
+                cpve = (CertPathValidatorException)curExc;
+            }
+            curExc = curExc.getCause();
+        }
+
+        // If we get through the loop and cpve is null then we
+        // we didn't find CPVE and this is a failure
+        if (cpve != null) {
+            if (cpve.getReason() == reason) {
+                result = true;
+            } else {
+                System.out.println("CPVE Reason Mismatch: Expected = " +
+                        reason + ", Actual = " + cpve.getReason());
             }
+        } else {
+            System.out.println("Failed to find an expected CPVE");
         }
+
         return result;
     }
 
@@ -717,10 +730,19 @@
     static class TestResult {
         Exception serverExc = null;
         Exception clientExc = null;
+
+        @Override
+        public String toString() {
+            StringBuilder sb = new StringBuilder();
+            sb.append("Test Result:\n").
+                append("\tServer Exc = ").append(serverExc).append("\n").
+                append("\tClient Exc = ").append(clientExc).append("\n");
+            return sb.toString();
+        }
     }
 
     static class HtucSSLSocketFactory extends SSLSocketFactory {
-        SSLContext sslc = SSLContext.getInstance("TLS");
+        SSLContext sslc = SSLContext.getInstance("TLSv1.2");
 
         HtucSSLSocketFactory(ClientParameters cliParams)
                 throws GeneralSecurityException {
--- old/test/jdk/javax/net/ssl/Stapling/SSLEngineWithStapling.java	2018-05-11 15:07:21.768077700 -0700
+++ new/test/jdk/javax/net/ssl/Stapling/SSLEngineWithStapling.java	2018-05-11 15:07:21.281147000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -309,10 +309,10 @@
         cliTmf.init(mfp);
 
         // Create the SSLContexts from the factories
-        SSLContext servCtx = SSLContext.getInstance("TLS");
+        SSLContext servCtx = SSLContext.getInstance("TLSv1.2");
         servCtx.init(servKmf.getKeyManagers(), servTmf.getTrustManagers(),
                 null);
-        SSLContext cliCtx = SSLContext.getInstance("TLS");
+        SSLContext cliCtx = SSLContext.getInstance("TLSv1.2");
         cliCtx.init(null, cliTmf.getTrustManagers(), null);
 
 
@@ -637,8 +637,8 @@
     /**
      * Checks a validation failure to see if it failed for the reason we think
      * it should.  This comes in as an SSLException of some sort, but it
-     * encapsulates a ValidatorException which in turn encapsulates the
-     * CertPathValidatorException we are interested in.
+     * encapsulates a CertPathValidatorException at some point in the
+     * exception stack.
      *
      * @param e the exception thrown at the top level
      * @param reason the underlying CertPathValidatorException BasicReason
@@ -650,22 +650,31 @@
             CertPathValidatorException.BasicReason reason) {
         boolean result = false;
 
-        if (e instanceof SSLException) {
-            Throwable sslhe = e.getCause();
-            if (sslhe instanceof SSLHandshakeException) {
-                Throwable valExc = sslhe.getCause();
-                if (valExc instanceof sun.security.validator.ValidatorException) {
-                    Throwable cause = valExc.getCause();
-                    if (cause instanceof CertPathValidatorException) {
-                        CertPathValidatorException cpve =
-                                (CertPathValidatorException)cause;
-                        if (cpve.getReason() == reason) {
-                            result = true;
-                        }
-                    }
-                }
+        // Locate the CertPathValidatorException.  If one
+        // Does not exist, then it's an automatic failure of
+        // the test.
+        Throwable curExc = e;
+        CertPathValidatorException cpve = null;
+        while (curExc != null) {
+            if (curExc instanceof CertPathValidatorException) {
+                cpve = (CertPathValidatorException)curExc;
             }
+            curExc = curExc.getCause();
         }
+
+        // If we get through the loop and cpve is null then we
+        // we didn't find CPVE and this is a failure
+        if (cpve != null) {
+            if (cpve.getReason() == reason) {
+                result = true;
+            } else {
+                System.out.println("CPVE Reason Mismatch: Expected = " +
+                        reason + ", Actual = " + cpve.getReason());
+            }
+        } else {
+            System.out.println("Failed to find an expected CPVE");
+        }
+
         return result;
     }
 }
--- old/test/jdk/javax/net/ssl/Stapling/SSLSocketWithStapling.java	2018-05-11 15:07:23.384483500 -0700
+++ new/test/jdk/javax/net/ssl/Stapling/SSLSocketWithStapling.java	2018-05-11 15:07:22.899970800 -0700
@@ -242,9 +242,9 @@
                         fiveMinsAgo));
         intOcsp.updateStatusDb(revInfo);
 
-        System.out.println("=======================================");
-        System.out.println("Stapling enabled, default configuration");
-        System.out.println("=======================================");
+        System.out.println("============================================");
+        System.out.println("Stapling enabled, detect revoked certificate");
+        System.out.println("============================================");
 
         cliParams.pkixParams = new PKIXBuilderParameters(trustStore,
                 new X509CertSelector());
@@ -381,7 +381,8 @@
         rootOcsp.acceptConnections();
 
         // Wait 5 seconds for server ready
-        for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
+        for (int i = 0; (i < 100 && (!intOcsp.isServerReady() ||
+                        !rootOcsp.isServerReady())); i++) {
             Thread.sleep(50);
         }
         if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
@@ -411,7 +412,8 @@
         Thread.sleep(1000);
 
         // Wait 5 seconds for server ready
-        for (int i = 0; (i < 100 && (!intOcsp.isServerReady() || !rootOcsp.isServerReady())); i++) {
+        for (int i = 0; (i < 100 && (!intOcsp.isServerReady() ||
+                        !rootOcsp.isServerReady())); i++) {
             Thread.sleep(50);
         }
         if (!intOcsp.isServerReady() || !rootOcsp.isServerReady()) {
@@ -501,7 +503,7 @@
         TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
         tmf.init(trustStore);
 
-        SSLContext sslc = SSLContext.getInstance("TLS");
+        SSLContext sslc = SSLContext.getInstance("TLSv1.2");
         sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
 
         SSLServerSocketFactory sslssf = sslc.getServerSocketFactory();
@@ -567,7 +569,7 @@
             tmf.init(trustStore);
         }
 
-        SSLContext sslc = SSLContext.getInstance("TLS");
+        SSLContext sslc = SSLContext.getInstance("TLSv1.2");
         sslc.init(null, tmf.getTrustManagers(), null);
 
         SSLSocketFactory sslsf = sslc.getSocketFactory();
--- old/test/jdk/javax/net/ssl/Stapling/StapleEnableProps.java	2018-05-11 15:07:24.967181400 -0700
+++ new/test/jdk/javax/net/ssl/Stapling/StapleEnableProps.java	2018-05-11 15:07:24.469359300 -0700
@@ -132,7 +132,9 @@
 
         System.setProperty("jdk.tls.client.enableStatusRequestExtension",
                 "true");
-        SSLContext ctxStaple = SSLContext.getInstance("TLS");
+System.out.println("*** TEST 1 BEFORE: " + System.getProperty("jdk.tls.client.enableStatusRequestExtension"));
+        SSLContext ctxStaple = SSLContext.getInstance("TLSv1.2");
+System.out.println("*** TEST 1 AFTER: " + System.getProperty("jdk.tls.client.enableStatusRequestExtension"));
         ctxStaple.init(null, tmf.getTrustManagers(), null);
         SSLEngine engine = ctxStaple.createSSLEngine();
         engine.setUseClientMode(true);
@@ -161,7 +163,9 @@
 
         System.setProperty("jdk.tls.client.enableStatusRequestExtension",
                 "false");
-        SSLContext ctxNoStaple = SSLContext.getInstance("TLS");
+System.out.println("*** TEST 2 BEFORE: " + System.getProperty("jdk.tls.client.enableStatusRequestExtension"));
+        SSLContext ctxNoStaple = SSLContext.getInstance("TLSv1.2");
+System.out.println("*** TEST 2 AFTER: " + System.getProperty("jdk.tls.client.enableStatusRequestExtension"));
         ctxNoStaple.init(null, tmf.getTrustManagers(), null);
         engine = ctxNoStaple.createSSLEngine();
         engine.setUseClientMode(true);
@@ -193,7 +197,7 @@
 
         System.setProperty("jdk.tls.server.enableStatusRequestExtension",
                 "true");
-        SSLContext ctxStaple = SSLContext.getInstance("TLS");
+        SSLContext ctxStaple = SSLContext.getInstance("TLSv1.2");
         ctxStaple.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
         SSLEngine engine = ctxStaple.createSSLEngine();
         engine.setUseClientMode(false);
@@ -244,7 +248,7 @@
 
         System.setProperty("jdk.tls.server.enableStatusRequestExtension",
                 "false");
-        SSLContext ctxNoStaple = SSLContext.getInstance("TLS");
+        SSLContext ctxNoStaple = SSLContext.getInstance("TLSv1.2");
         ctxNoStaple.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
         engine = ctxNoStaple.createSSLEngine();
         engine.setUseClientMode(false);
--- old/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java	2018-05-11 15:07:26.515088400 -0700
+++ new/test/jdk/javax/net/ssl/TLSCommon/SSLEngineTestCase.java	2018-05-11 15:07:26.039237100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -85,6 +85,12 @@
                 SSLEngineTestCase.ENABLED_NON_KRB_NOT_ANON_CIPHERS,
                 "Enabled by default non kerberos not anonymous"),
         /**
+         * Ciphers supported by TLS 1.3 only.
+         */
+        TLS13_CIPHERS(
+                SSLEngineTestCase.TLS13_CIPHERS,
+                "Supported by TLS 1.3 only"),
+        /**
          * Ciphers unsupported by the tested SSLEngine.
          */
         UNSUPPORTED_CIPHERS(SSLEngineTestCase.UNSUPPORTED_CIPHERS,
@@ -174,6 +180,11 @@
     private static final String SERVER_NAME = "service.localhost";
     private static final String SNI_PATTERN = ".*";
 
+    private static final String[] TLS13_CIPHERS = {
+            "TLS_AES_256_GCM_SHA384",
+            "TLS_AES_128_GCM_SHA256"
+    };
+
     private static final String[] SUPPORTED_NON_KRB_CIPHERS;
 
     static {
@@ -183,8 +194,8 @@
             List<String> supportedCiphersList = new LinkedList<>();
             for (String cipher : allSupportedCiphers) {
                 if (!cipher.contains("KRB5")
-                    && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
-
+                        && !isTLS13Cipher(cipher)
+                        && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
                     supportedCiphersList.add(cipher);
                 }
             }
@@ -204,6 +215,7 @@
             List<String> supportedCiphersList = new LinkedList<>();
             for (String cipher : allSupportedCiphers) {
                 if (!cipher.contains("KRB5")
+                        && !isTLS13Cipher(cipher)
                         && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")
                         && !cipher.endsWith("_SHA256")
                         && !cipher.endsWith("_SHA384")) {
@@ -226,7 +238,8 @@
             List<String> supportedCiphersList = new LinkedList<>();
             for (String cipher : allSupportedCiphers) {
                 if (cipher.contains("KRB5")
-                    && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
+                        && !isTLS13Cipher(cipher)
+                        && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
                     supportedCiphersList.add(cipher);
                 }
             }
@@ -246,7 +259,8 @@
             List<String> enabledCiphersList = new LinkedList<>();
             for (String cipher : enabledCiphers) {
                 if (!cipher.contains("anon") && !cipher.contains("KRB5")
-                    && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
+                        && !isTLS13Cipher(cipher)
+                        && !cipher.contains("TLS_EMPTY_RENEGOTIATION_INFO_SCSV")) {
                     enabledCiphersList.add(cipher);
                 }
             }
@@ -303,6 +317,16 @@
         this.maxPacketSize = 0;
     }
 
+    private static boolean isTLS13Cipher(String cipher) {
+        for (String cipherSuite : TLS13_CIPHERS) {
+            if (cipherSuite.equals(cipher)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Wraps data with the specified engine.
      *
@@ -713,8 +737,13 @@
                     case "TLSv1.1":
                         runTests(Ciphers.SUPPORTED_NON_KRB_NON_SHA_CIPHERS);
                         break;
-                    default:
+                    case "DTLSv1.1":
+                    case "TLSv1.2":
                         runTests(Ciphers.SUPPORTED_NON_KRB_CIPHERS);
+                        break;
+                    case "TLSv1.3":
+                        runTests(Ciphers.TLS13_CIPHERS);
+                        break;
                 }
                 break;
             case "krb":
--- old/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java	2018-05-11 15:07:28.047102200 -0700
+++ new/test/jdk/javax/net/ssl/TLSv12/DisabledShortDSAKeys.java	2018-05-11 15:07:27.576349100 -0700
@@ -289,8 +289,14 @@
     volatile Exception clientException = null;
 
     public static void main(String[] args) throws Exception {
-        if (debug)
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "DSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "DSA keySize < 1024");
+
+        if (debug) {
             System.setProperty("javax.net.debug", "all");
+        }
 
         /*
          * Get the customized arguments.
--- old/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java	2018-05-11 15:07:29.564176800 -0700
+++ new/test/jdk/javax/net/ssl/TLSv12/DisabledShortRSAKeys.java	2018-05-11 15:07:29.084218000 -0700
@@ -238,8 +238,14 @@
     }
 
     public static void main(String[] args) throws Exception {
-        if (debug)
+        Security.setProperty("jdk.certpath.disabledAlgorithms",
+                "RSA keySize < 1024");
+        Security.setProperty("jdk.tls.disabledAlgorithms",
+                "RSA keySize < 1024");
+
+        if (debug) {
             System.setProperty("javax.net.debug", "all");
+        }
 
         /*
          * Get the customized arguments.
--- old/test/jdk/javax/net/ssl/etc/README	2018-05-11 15:07:31.096047700 -0700
+++ new/test/jdk/javax/net/ssl/etc/README	2018-05-11 15:07:30.613254900 -0700
@@ -80,11 +80,34 @@
   -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US" \
   -validity 3652 -keypass passphrase -keystore keystore -storepass passphrase
 
+Alias name: dummyecrsa
+--------------------
+Creation date: Apr 13, 2018
+Entry type: PrivateKeyEntry
+Certificate chain length: 2
+Certificate[1]:
+Owner: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Issuer: CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US
+Serial number: 6f2d1faa
+Valid from: Fri Apr 13 16:20:55 CST 2018 until: Wed Apr 12 16:20:55 CST 2028
+Version: 3
+
+This can be generated by using keytool command:
+% keytool -genkeypair -alias dummyecrsa -keyalg EC -keysize 256 \
+  -keypass passphrase -storepass passphrase -keystore keystore \
+  -dname "CN=dummy.example.com, OU=Dummy, O=Dummy, L=Cupertino, ST=CA, C=US"
+% keytool -certreq -alias dummyecrsa -storepass passphrase -keystore keystore \
+  -file ecrsa.csr
+% keytool -gencert -alias dummy -storepass passphrase -keystore keystore \
+  -validity 3652 -infile ecrsa.csr -outfile ecrsa.cer
+% keytool -importcert -alias dummyecrsa -storepass passphrase -keystore keystore \
+  -file ecrsa.cer
+
 
 truststore entries
 ==================
-This key store contains only trusted certificate entries.  The same
-certificates are used in both keystore and truststore.
+This key store contains only trusted certificate entries. The same
+certificates, except dummyecrsa, are used in both keystore and truststore.
 
 
 unknown_keystore
Binary files old/test/jdk/javax/net/ssl/etc/keystore and new/test/jdk/javax/net/ssl/etc/keystore differ
Binary files old/test/jdk/javax/net/ssl/etc/truststore and new/test/jdk/javax/net/ssl/etc/truststore differ
--- old/test/jdk/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	2018-05-11 15:07:35.679239600 -0700
+++ new/test/jdk/javax/net/ssl/sanity/ciphersuites/CipherSuitesInOrder.java	2018-05-11 15:07:35.201641900 -0700
@@ -30,6 +30,7 @@
  * @test
  * @bug 7174244
  * @summary NPE in Krb5ProxyImpl.getServerKeys()
+ * @ignore the dependent implementation details are changed
  * @run main/othervm CipherSuitesInOrder
  */
 
--- old/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java	2018-05-11 15:07:37.480080100 -0700
+++ new/test/jdk/javax/net/ssl/sanity/interop/CipherTest.java	2018-05-11 15:07:36.877225400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,7 +21,6 @@
  * questions.
  */
 
-
 import java.io.*;
 import java.net.*;
 import java.util.*;
@@ -29,7 +28,6 @@
 
 import java.security.*;
 import java.security.cert.*;
-import java.security.cert.Certificate;
 
 import javax.net.ssl.*;
 
@@ -103,11 +101,11 @@
 
     public static class TestParameters {
 
-        String cipherSuite;
-        String protocol;
+        CipherSuite cipherSuite;
+        Protocol protocol;
         String clientAuth;
 
-        TestParameters(String cipherSuite, String protocol,
+        TestParameters(CipherSuite cipherSuite, Protocol protocol,
                 String clientAuth) {
             this.cipherSuite = cipherSuite;
             this.protocol = protocol;
@@ -115,7 +113,7 @@
         }
 
         boolean isEnabled() {
-            return TLSCipherStatus.isEnabled(cipherSuite, protocol);
+            return cipherSuite.supportedByProtocol(protocol);
         }
 
         public String toString() {
@@ -125,134 +123,6 @@
             }
             return s;
         }
-
-        static enum TLSCipherStatus {
-            // cipher suites supported since TLS 1.2
-            CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
-            CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   0x0303, 0xFFFF),
-            CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256",         0x0303, 0xFFFF),
-            CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",  0x0303, 0xFFFF),
-            CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",    0x0303, 0xFFFF),
-            CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-
-            CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
-            CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   0x0303, 0xFFFF),
-            CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256",         0x0303, 0xFFFF),
-            CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",  0x0303, 0xFFFF),
-            CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",    0x0303, 0xFFFF),
-            CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-
-            CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_17("TLS_RSA_WITH_NULL_SHA256",                0x0303, 0xFFFF),
-
-            CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
-            CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-            CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   0x0303, 0xFFFF),
-            CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384",         0x0303, 0xFFFF),
-            CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",  0x0303, 0xFFFF),
-            CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",    0x0303, 0xFFFF),
-            CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-            CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-
-            CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   0x0303, 0xFFFF),
-            CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256",         0x0303, 0xFFFF),
-            CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  0x0303, 0xFFFF),
-            CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",    0x0303, 0xFFFF),
-            CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-            CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-
-            CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-            CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-
-            // cipher suites obsoleted since TLS 1.2
-            CS_50("SSL_RSA_WITH_DES_CBC_SHA",                0x0000, 0x0303),
-            CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_53("SSL_DH_anon_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_54("TLS_KRB5_WITH_DES_CBC_SHA",               0x0000, 0x0303),
-            CS_55("TLS_KRB5_WITH_DES_CBC_MD5",               0x0000, 0x0303),
-
-            // cipher suites obsoleted since TLS 1.1
-            CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5",          0x0000, 0x0302),
-            CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",      0x0000, 0x0302),
-            CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",       0x0000, 0x0302),
-            CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",         0x0000, 0x0302),
-            CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",         0x0000, 0x0302),
-            CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",     0x0000, 0x0302),
-            CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",     0x0000, 0x0302),
-
-            // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always
-            CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",       0xFFFF, 0x0000);
-
-            // the cipher suite name
-            final String cipherSuite;
-
-            // supported since protocol version
-            final int supportedSince;
-
-            // obsoleted since protocol version
-            final int obsoletedSince;
-
-            TLSCipherStatus(String cipherSuite,
-                    int supportedSince, int obsoletedSince) {
-                this.cipherSuite = cipherSuite;
-                this.supportedSince = supportedSince;
-                this.obsoletedSince = obsoletedSince;
-            }
-
-            static boolean isEnabled(String cipherSuite, String protocol) {
-                int versionNumber = toVersionNumber(protocol);
-
-                if (versionNumber < 0) {
-                    return true;  // unlikely to happen
-                }
-
-                for (TLSCipherStatus status : TLSCipherStatus.values()) {
-                    if (cipherSuite.equals(status.cipherSuite)) {
-                        if ((versionNumber < status.supportedSince) ||
-                            (versionNumber >= status.obsoletedSince)) {
-                            return false;
-                        }
-
-                        return true;
-                    }
-                }
-
-                return true;
-            }
-
-            private static int toVersionNumber(String protocol) {
-                int versionNumber = -1;
-
-                switch (protocol) {
-                    case "SSLv2Hello":
-                        versionNumber = 0x0002;
-                        break;
-                    case "SSLv3":
-                        versionNumber = 0x0300;
-                        break;
-                    case "TLSv1":
-                        versionNumber = 0x0301;
-                        break;
-                    case "TLSv1.1":
-                        versionNumber = 0x0302;
-                        break;
-                    case "TLSv1.2":
-                        versionNumber = 0x0303;
-                        break;
-                    default:
-                        // unlikely to happen
-                }
-
-                return versionNumber;
-            }
-        }
     }
 
     private List<TestParameters> tests;
@@ -269,11 +139,23 @@
         String[] clientAuths = {null, "RSA", "DSA"};
         tests = new ArrayList<TestParameters>(
             cipherSuites.length * protocols.length * clientAuths.length);
-        for (int i = 0; i < cipherSuites.length; i++) {
-            String cipherSuite = cipherSuites[i];
+        for (int j = 0; j < protocols.length; j++) {
+            String protocol = protocols[j];
+            if (protocol.equals(Protocol.SSLV2HELLO.name)) {
+                System.out.println("Skipping SSLv2Hello protocol");
+                continue;
+            }
 
-            for (int j = 0; j < protocols.length; j++) {
-                String protocol = protocols[j];
+            for (int i = 0; i < cipherSuites.length; i++) {
+                String cipherSuite = cipherSuites[i];
+
+                // skip kerberos cipher suites and TLS_EMPTY_RENEGOTIATION_INFO_SCSV
+                if (cipherSuite.startsWith("TLS_KRB5") || cipherSuite.equals(
+                        CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV.name())) {
+                    System.out.println("Skipping unsupported test for " +
+                                        cipherSuite + " of " + protocol);
+                    continue;
+                }
 
                 if (!peerFactory.isSupported(cipherSuite, protocol)) {
                     continue;
@@ -281,13 +163,16 @@
 
                 for (int k = 0; k < clientAuths.length; k++) {
                     String clientAuth = clientAuths[k];
-                    if ((clientAuth != null) &&
-                            (cipherSuite.indexOf("DH_anon") != -1)) {
-                        // no client with anonymous ciphersuites
+                    // no client with anonymous cipher suites;
+                    // TLS 1.3 doesn't support DSA
+                    if ((clientAuth != null && cipherSuite.contains("DH_anon"))
+                            || ("DSA".equals(clientAuth) && "TLSv1.3".equals(protocol))) {
                         continue;
                     }
-                    tests.add(new TestParameters(cipherSuite, protocol,
-                        clientAuth));
+                    tests.add(new TestParameters(
+                            CipherSuite.cipherSuite(cipherSuite),
+                            Protocol.protocol(protocol),
+                            clientAuth));
                 }
             }
         }
@@ -356,7 +241,7 @@
                     // no more tests
                     break;
                 }
-                if (params.isEnabled() == false) {
+                if (!params.isEnabled()) {
                     System.out.println("Skipping disabled test " + params);
                     continue;
                 }
@@ -422,7 +307,7 @@
         }
         PATH = new File(System.getProperty("test.src", "."), relPath);
         CipherTest.peerFactory = peerFactory;
-        System.out.print(
+        System.out.println(
             "Initializing test '" + peerFactory.getName() + "'...");
         secureRandom = new SecureRandom();
         secureRandom.nextInt();
@@ -455,27 +340,12 @@
         abstract Server newServer(CipherTest cipherTest) throws Exception;
 
         boolean isSupported(String cipherSuite, String protocol) {
-            // skip kerberos cipher suites
-            if (cipherSuite.startsWith("TLS_KRB5")) {
-                System.out.println("Skipping unsupported test for " +
-                                    cipherSuite + " of " + protocol);
-                return false;
-            }
-
-            // skip SSLv2Hello protocol
-            if (protocol.equals("SSLv2Hello")) {
-                System.out.println("Skipping unsupported test for " +
-                                    cipherSuite + " of " + protocol);
-                return false;
-            }
-
             // ignore exportable cipher suite for TLSv1.1
-            if (protocol.equals("TLSv1.1")) {
-                if (cipherSuite.indexOf("_EXPORT_WITH") != -1) {
+            if (protocol.equals("TLSv1.1")
+                    && (cipherSuite.indexOf("_EXPORT_WITH") != -1)) {
                     System.out.println("Skipping obsoleted test for " +
                                         cipherSuite + " of " + protocol);
                     return false;
-                }
             }
 
             // ignore obsoleted cipher suite for the specified protocol
--- old/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java	2018-05-11 15:07:39.075989500 -0700
+++ new/test/jdk/javax/net/ssl/sanity/interop/ClientJSSEServerJSSE.java	2018-05-11 15:07:38.570759400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
  * @bug 4496785
  * @summary Verify that all ciphersuites work in all configurations
  * @author Andreas Sterbenz
+ * @library ../../TLSCommon
  * @run main/othervm/timeout=300 ClientJSSEServerJSSE
  */
 import java.security.Security;
--- old/test/jdk/javax/net/ssl/sanity/interop/JSSEClient.java	2018-05-11 15:07:40.714017800 -0700
+++ new/test/jdk/javax/net/ssl/sanity/interop/JSSEClient.java	2018-05-11 15:07:40.207681200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,16 +21,16 @@
  * questions.
  */
 
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-
-import java.security.*;
-import java.security.cert.*;
+import java.io.InputStream;
+import java.io.OutputStream;
 import java.security.cert.Certificate;
 
-import javax.net.ssl.*;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManager;
 
 class JSSEClient extends CipherTest.Client {
 
@@ -47,12 +47,15 @@
         SSLSocket socket = null;
         try {
             keyManager.setAuthType(params.clientAuth);
-            sslContext.init(new KeyManager[] {keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
+            sslContext.init(
+                    new KeyManager[] { keyManager },
+                    new TrustManager[] { CipherTest.trustManager },
+                    CipherTest.secureRandom);
             SSLSocketFactory factory = (SSLSocketFactory)sslContext.getSocketFactory();
-            socket = (SSLSocket)factory.createSocket("127.0.0.1", cipherTest.serverPort);
-            socket.setSoTimeout(cipherTest.TIMEOUT);
-            socket.setEnabledCipherSuites(new String[] {params.cipherSuite});
-            socket.setEnabledProtocols(new String[] {params.protocol});
+            socket = (SSLSocket)factory.createSocket("127.0.0.1", CipherTest.serverPort);
+            socket.setSoTimeout(CipherTest.TIMEOUT);
+            socket.setEnabledCipherSuites(new String[] { params.cipherSuite.name() });
+            socket.setEnabledProtocols(new String[] { params.protocol.name });
             InputStream in = socket.getInputStream();
             OutputStream out = socket.getOutputStream();
             sendRequest(in, out);
@@ -60,12 +63,14 @@
             SSLSession session = socket.getSession();
             session.invalidate();
             String cipherSuite = session.getCipherSuite();
-            if (params.cipherSuite.equals(cipherSuite) == false) {
-                throw new Exception("Negotiated ciphersuite mismatch: " + cipherSuite + " != " + params.cipherSuite);
+            if (!params.cipherSuite.name().equals(cipherSuite)) {
+                throw new Exception("Negotiated ciphersuite mismatch: "
+                        + cipherSuite + " != " + params.cipherSuite);
             }
             String protocol = session.getProtocol();
-            if (params.protocol.equals(protocol) == false) {
-                throw new Exception("Negotiated protocol mismatch: " + protocol + " != " + params.protocol);
+            if (!params.protocol.name.equals(protocol)) {
+                throw new Exception("Negotiated protocol mismatch: " + protocol
+                        + " != " + params.protocol);
             }
             if (cipherSuite.indexOf("DH_anon") == -1) {
                 session.getPeerCertificates();
--- old/test/jdk/javax/net/ssl/sanity/interop/JSSEServer.java	2018-05-11 15:07:42.273819800 -0700
+++ new/test/jdk/javax/net/ssl/sanity/interop/JSSEServer.java	2018-05-11 15:07:41.785936500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,17 +21,18 @@
  * questions.
  */
 
-
-import java.io.*;
-import java.net.*;
-import java.util.*;
-import java.util.concurrent.*;
-
-import java.security.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-
-import javax.net.ssl.*;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.util.concurrent.Executor;
+import java.util.concurrent.Executors;
+
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
 
 class JSSEServer extends CipherTest.Server {
 
@@ -40,23 +41,28 @@
     JSSEServer(CipherTest cipherTest) throws Exception {
         super(cipherTest);
         SSLContext serverContext = SSLContext.getInstance("TLS");
-        serverContext.init(new KeyManager[] {cipherTest.keyManager}, new TrustManager[] {cipherTest.trustManager}, cipherTest.secureRandom);
-
-        SSLServerSocketFactory factory = (SSLServerSocketFactory)serverContext.getServerSocketFactory();
-        serverSocket = (SSLServerSocket)factory.createServerSocket(cipherTest.serverPort);
-        cipherTest.serverPort = serverSocket.getLocalPort();
+        serverContext.init(
+                new KeyManager[] { CipherTest.keyManager },
+                new TrustManager[] { CipherTest.trustManager },
+                CipherTest.secureRandom);
+
+        SSLServerSocketFactory factory
+                = (SSLServerSocketFactory) serverContext.getServerSocketFactory();
+        serverSocket
+                = (SSLServerSocket) factory.createServerSocket(CipherTest.serverPort);
+        CipherTest.serverPort = serverSocket.getLocalPort();
         serverSocket.setEnabledCipherSuites(factory.getSupportedCipherSuites());
         serverSocket.setWantClientAuth(true);
     }
 
     public void run() {
-        System.out.println("JSSE Server listening on port " + cipherTest.serverPort);
+        System.out.println("JSSE Server listening on port " + CipherTest.serverPort);
         Executor exec = Executors.newFixedThreadPool
                             (cipherTest.THREADS, DaemonThreadFactory.INSTANCE);
         try {
             while (true) {
                 final SSLSocket socket = (SSLSocket)serverSocket.accept();
-                socket.setSoTimeout(cipherTest.TIMEOUT);
+                socket.setSoTimeout(CipherTest.TIMEOUT);
                 Runnable r = new Runnable() {
                     public void run() {
                         try {
--- old/test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java	2018-05-11 15:07:43.870946100 -0700
+++ new/test/jdk/javax/net/ssl/templates/SSLEngineTemplate.java	2018-05-11 15:07:43.319079300 -0700
@@ -245,6 +245,8 @@
                 log("\tClosing clientEngine's *OUTBOUND*...");
                 clientEngine.closeOutbound();
                 dataDone = true;
+                log("\tClosing serverEngine's *OUTBOUND*...");
+                serverEngine.closeOutbound();
             }
         }
     }
--- old/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java	2018-05-11 15:07:45.680318600 -0700
+++ new/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java	2018-05-11 15:07:44.990888900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2016, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -133,6 +133,7 @@
     protected SSLContext createClientSSLContext() throws Exception {
         return createSSLContext(trustedCertStrs,
                 endEntityCertStrs, endEntityPrivateKeys,
+                endEntityPrivateKeyAlgs,
                 endEntityPrivateKeyNames,
                 getClientContextParameters());
     }
@@ -143,6 +144,7 @@
     protected SSLContext createServerSSLContext() throws Exception {
         return createSSLContext(trustedCertStrs,
                 endEntityCertStrs, endEntityPrivateKeys,
+                endEntityPrivateKeyAlgs,
                 endEntityPrivateKeyNames,
                 getServerContextParameters());
     }
@@ -378,31 +380,29 @@
 
         // SHA256withRSA, 2048 bits
         // Validity
-        //     Not Before: Nov 25 04:20:02 2016 GMT
-        //     Not After : Nov  5 04:20:02 2037 GMT
+        //     Not Before: Apr 12 06:51:49 2018 GMT
+        //     Not After : Apr  7 06:51:49 2038 GMT
         // Subject Key Identifier:
-        //     A2:DC:55:38:E4:47:7C:8B:D3:E0:CA:FA:AD:3A:C8:4A:DD:12:A0:8E
+        //     14:AE:A5:A9:2C:0F:E3:25:BA:1B:AD:B6:A7:DB:07:F0:4D:14:49:97
         "-----BEGIN CERTIFICATE-----\n" +
-        "MIIDpzCCAo+gAwIBAgIJAO586A+hYNXaMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\n" +
-        "BAYTAlVTMQ0wCwYDVQQKEwRKYXZhMR0wGwYDVQQLExRTdW5KU1NFIFRlc3QgU2Vy\n" +
-        "aXZjZTAeFw0xNjExMjUwNDIwMDJaFw0zNzExMDUwNDIwMDJaMDsxCzAJBgNVBAYT\n" +
-        "AlVTMQ0wCwYDVQQKEwRKYXZhMR0wGwYDVQQLExRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
-        "ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMm3veDSU4zKXO0aAHos\n" +
-        "cFRXGLBTe+MUJXAtlkNyx7VKaMZNt5wrUuqzyi/r0LFUdRfNCzZf3X8s8HPHQVii\n" +
-        "29tK0y/yeTn4sJTATSmGaAysMJQpKQcfAQ79ItcEGQ721TFQZ3kOBdgp3t/yUYAP\n" +
-        "K2tFze/QbIw72LE52SBnPPPTzyimNw7Ai2MLl4eQlyMkTs7JS07zIiAO5QYbS8s+\n" +
-        "1NW0A3Y+d0B0q8wYEoHGq7QVjOKlSAksfO0tzi4l0Zu6Uf+J5kMAyZ4ZFgEJvGvw\n" +
-        "y/OKJ+soRFH/5cy1SL8B6AWD1y7WXugeeHTHRW1eOjTxqfG1rZqTVd2lfOMER8y1\n" +
-        "bXcCAwEAAaOBrTCBqjAdBgNVHQ4EFgQUotxVOORHfIvT4Mr6rTrISt0SoI4wawYD\n" +
-        "VR0jBGQwYoAUotxVOORHfIvT4Mr6rTrISt0SoI6hP6Q9MDsxCzAJBgNVBAYTAlVT\n" +
-        "MQ0wCwYDVQQKEwRKYXZhMR0wGwYDVQQLExRTdW5KU1NFIFRlc3QgU2VyaXZjZYIJ\n" +
-        "AO586A+hYNXaMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMA0GCSqGSIb3\n" +
-        "DQEBCwUAA4IBAQAtNZJSFeFU6Yid0WSCs2qLAVaTyHsUNSUPUFIIhFAKxdP4DFS0\n" +
-        "+aeOFwdqizAU3kReAYULsfwEBgO51lPBSpB+9coUNQwu7cc8Q5Xqw/llRB0PrINS\n" +
-        "pZl7PW6Ur2ExTBocnUT9A/nhm8iO4PFD/Ly11sf5OdZihhX69NJ2h3a3gcrLjIpO\n" +
-        "L/ewTOgSi5xs+AGGQa+huN3YVL7dh+/rCUvMZVSBX5PloxWS5MMJi0Ui6YjwCFGO\n" +
-        "J4G9m7pI+gJs/x1UG0AgplMF2UCFfiY1SAeE2nKAeOOXAXEwEjFy0ToVTmqXx7fg\n" +
-        "m9YjhuePxlBrd2DF/YW0pc8gmLnrtm4rKPLz\n" +
+        "MIIDTDCCAjSgAwIBAgIJALzz9cKBmONRMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\n" +
+        "BAYTAlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2Vy\n" +
+        "aXZjZTAeFw0xODA0MTIwNjUxNDlaFw0zODA0MDcwNjUxNDlaMDsxCzAJBgNVBAYT\n" +
+        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
+        "ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANPfPtImftkV2UAB+QPa\n" +
+        "R9udeRxApNphb+70T1p3GFql8sUG6/Rbao5H1QllzZ22+J6xoLVftaDp1S3QibTn\n" +
+        "3hv0KPuzsA7zi83GRp8STSHcwOU5zq5yzkFEPQrQxOYfaRzLrv7+sznXpaWCPb/6\n" +
+        "wGktZrHBXZE0eT1wid7h3DoiOCu1BBLPAImiSk5SVadvQkk6uua4W3M78dzbrE8s\n" +
+        "k6O40Nxyi3gVURU0U/IIm8ur89rYUThzlEdTKRdUfG38oyUvqFclwCbp+3F9BxIa\n" +
+        "5WWmj0avrSFCAuwAoCY762Iah0bRv1SKTE9RzO1P07GNyyIuOZ2J6TlXVBWfzE9V\n" +
+        "DmcCAwEAAaNTMFEwHQYDVR0OBBYEFBSupaksD+MluhuttqfbB/BNFEmXMB8GA1Ud\n" +
+        "IwQYMBaAFBSupaksD+MluhuttqfbB/BNFEmXMA8GA1UdEwEB/wQFMAMBAf8wDQYJ\n" +
+        "KoZIhvcNAQELBQADggEBALXVlY46/qvk7aVrDbJ/u/jmA+gGnEF7PZWg6tuwzME/\n" +
+        "GDd28xwALHw+MgH6sFkKnCCfGnzuLPUMezMNLQxj+uosJvDHkBJ7hReDfowMcTz2\n" +
+        "j0IR+RljNfGcd8lyfq9Jc6t8tTlPLG1ek/ObIMU/NLeK3faqGFLmoJ+xiDGVWhk3\n" +
+        "uPhvc1l1riWaIP67PxpHOuBbOwwFyrkQ7jC0ymi0bdwG4m6BQ1KbWNXoWBnVSTNN\n" +
+        "94C+FOEN6WnxwdX0BA2CPObs3YiUjctzXYaSixG952Lh6lwasrhqd1h6fogtTS4M\n" +
+        "7dfJ99aNjmiQroC7xIe7OIRmGM/UbwA/K5zfQSayuNQ=\n" +
         "-----END CERTIFICATE-----",
 
         // SHA256withDSA, 2048 bits
@@ -465,30 +465,50 @@
 
         // SHA256withRSA, 2048 bits
         // Validity
-        //     Not Before: Nov 25 04:20:02 2016 GMT
-        //     Not After : Aug 12 04:20:02 2036 GMT
+        //     Not Before: Apr 12 06:52:29 2018 GMT
+        //     Not After : Apr  7 06:52:29 2038 GMT
         // Authority Key Identifier:
-        //     A2:DC:55:38:E4:47:7C:8B:D3:E0:CA:FA:AD:3A:C8:4A:DD:12:A0:8E
+        //     14:AE:A5:A9:2C:0F:E3:25:BA:1B:AD:B6:A7:DB:07:F0:4D:14:49:97
         "-----BEGIN CERTIFICATE-----\n" +
-        "MIIDdjCCAl6gAwIBAgIJAJDcIGOlAmBmMA0GCSqGSIb3DQEBCwUAMDsxCzAJBgNV\n" +
-        "BAYTAlVTMQ0wCwYDVQQKEwRKYXZhMR0wGwYDVQQLExRTdW5KU1NFIFRlc3QgU2Vy\n" +
-        "aXZjZTAeFw0xNjExMjUwNDIwMDJaFw0zNjA4MTIwNDIwMDJaMFUxCzAJBgNVBAYT\n" +
-        "AlVTMQ0wCwYDVQQKDARKYXZhMR0wGwYDVQQLDBRTdW5KU1NFIFRlc3QgU2VyaXZj\n" +
-        "ZTEYMBYGA1UEAwwPUmVncmVzc2lvbiBUZXN0MIIBIjANBgkqhkiG9w0BAQEFAAOC\n" +
-        "AQ8AMIIBCgKCAQEAp0dHrifTg2aY0sH03f2JjK2fW4DL6gLDKq0YirsNE07z54LF\n" +
-        "IeeDio49XwPjB7OpbUTC1hf/YKZ7XiRWyPa1rYozZ88emhZt+cpkyKz+nmW4avlA\n" +
-        "WnrV+gx4+bU9T+WuBWdAraBcq27Y1I26yfCEtC8k3+O0sdlHbhasF+BUDmX/n4+n\n" +
-        "ifJdbNm5eSDx8eFYHFTdjhAud3An2X6QD9WWSoJpPdDi4utHhFAlxW6osjJxsAPv\n" +
-        "zo8YsqmpCMjZcEks4ZsqiZKKiWUWUAjCcbMerDPDX29fyeo348uztvJsmNRzfcwl\n" +
-        "FtwxpYdxuZqwHi2QoNaQTGXjjbZFmjn7qEkjXwIDAQABo2MwYTALBgNVHQ8EBAMC\n" +
-        "A+gwHQYDVR0OBBYEFP+henfufE6Znr60lRkmayadVdxnMB8GA1UdIwQYMBaAFKLc\n" +
-        "VTjkR3yL0+DK+q06yErdEqCOMBIGA1UdEQEB/wQIMAaHBH8AAAEwDQYJKoZIhvcN\n" +
-        "AQELBQADggEBAK56pV2XoAIkrHFTCkWtYX518nuvkzN6a6BqPKALQlmlbJnq/lhV\n" +
-        "tPQx79b0j7tow28l2ze/3M0hRb5Ft/d/7mITZNMR+0owk4U51AU2NacRt7fpoxu5\n" +
-        "wX3hTa4VgX2+BAXeoWF+Yzy6Jj5gAVmSLzBnkTUH0d+EyL1pp+DFE3QdvZqf3+nP\n" +
-        "zkxz15h3iW8FwI+7/19MX2j2XB/sG8mJpqoszWw8lM4qCa2eWyCbqSHhPi+/+rGg\n" +
-        "dDG5uzZeOC845GEH2T3tHDA+F3WwcZG/W+4RR6ZaaHlqPKKMcwFL73YbsqdCiKBv\n" +
-        "p6sXrhIiP0oXImRBRLDlidj5TIOLfAtNM9A=\n" +
+        "MIIDDDCCAfQCCQDd9PfUCpKn0DANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJV\n" +
+        "UzENMAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2Y2Uw\n" +
+        "HhcNMTgwNDEyMDY1MjI5WhcNMzgwNDA3MDY1MjI5WjBVMQswCQYDVQQGEwJVUzEN\n" +
+        "MAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2Y2UxGDAW\n" +
+        "BgNVBAMMD1JlZ3Jlc3Npb24gVGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC\n" +
+        "AQoCggEBAJWFd+AEAZWRBbua9ax4CJgyXoU3Nx9zwkxbxz2DGZ5sJb/64b/mKBz4\n" +
+        "mgT6cknJPrCv3vLg9v6WzlpIqISzEP6ARxmMDTomt8ppRFqDq31uGJ3cKWvhpwG1\n" +
+        "92HwJUxvbjZYvqszXA5piOtFWa+uBavKSF/dXXrMXijDl6LbL3GU4pZLmeUP8PRy\n" +
+        "UfwWhcy3HikBIx7fGCcNB+dHXtB5DTgxdR8ypTCB5xFfhgL9EqO8X0pin+bubfpF\n" +
+        "5IY68p5B4ob7EdNmBCTUyFAN3Mh9r49ZzwpYIvi9shNmddwMakJOB9YaMsRmc3Ea\n" +
+        "mUVpdR0fR8bY5RtgZwEhtaizp2DkS0ECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA\n" +
+        "pUqCPnpeUITq9tfDdB9rolb5dV3fIhRtj0rsjimKbcMAeYAkb3qHvlZOLZ/PMD3v\n" +
+        "y8J9TJ88YPGGOUXCsAqJ88Ous883xqLkOjZYEiY/0gdU2/v6uQ35lgHtJynmzO3E\n" +
+        "YUbwleJETUNA66sOtiW7om9vcAVPu3mmea5bZkkdwxydn/IZvVYp5JLu4MuJpfh1\n" +
+        "lWpC3z2U7DgZrt4ZQGzok+DRnGiKIOo+G2JvLVIKz/rbsIbjDBqQTdt7TKLu8wbV\n" +
+        "UdN8SOF7qZhBpiwQHZCmiw8KhQ5R/aNDQxCVfMOXcAGqmiFpdHPqWgxCob778mjc\n" +
+        "Na2CGaztVh+f9MSz3j/Hmg==\n" +
+        "-----END CERTIFICATE-----",
+
+        // SHA256withRSA, curv prime256v1
+        // Validity
+        //     Not Before: Apr 12 06:54:43 2018 GMT
+        //     Not After : Apr  7 06:54:43 2038 GMT
+        // Authority Key Identifier:
+        //     14:AE:A5:A9:2C:0F:E3:25:BA:1B:AD:B6:A7:DB:07:F0:4D:14:49:97
+        "-----BEGIN CERTIFICATE-----\n" +
+        "MIICQTCCASkCCQDd9PfUCpKn0TANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJV\n" +
+        "UzENMAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2Y2Uw\n" +
+        "HhcNMTgwNDEyMDY1NDQzWhcNMzgwNDA3MDY1NDQzWjBVMQswCQYDVQQGEwJVUzEN\n" +
+        "MAsGA1UECgwESmF2YTEdMBsGA1UECwwUU3VuSlNTRSBUZXN0IFNlcml2Y2UxGDAW\n" +
+        "BgNVBAMMD1JlZ3Jlc3Npb24gVGVzdDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IA\n" +
+        "BOlOthBVzSCU0TPRiW+O4mhOn0ZHE338wLhy4HYiMnuBVWzl2L7krSpCXKM/b//a\n" +
+        "/0YPobAEXKbShh0oFxo51IIwDQYJKoZIhvcNAQELBQADggEBAD/a7z31ODFCSdyf\n" +
+        "AUq5vYsVZIV4s2J2tJh5piYoipP0BKRcthw1RtvqbNZFjB5DLyWVq39Tk6gCJvKo\n" +
+        "csaV3O/VRaQWRyLD1Ak7T0oG5eZDlpYWwjzyMMR32NjOyRG6clWWQx5O7Pc2uxvz\n" +
+        "GL8Pf+YgKU5QLqcghN+104e3+GMzmNccmK5nBmr2Lz1Hy54JxGRXUEKI85VoiUgk\n" +
+        "ArF0RLeUQxBFFBrYBsqLY6DI+Rgvhxk9ri9Udoa3sn8pYfNqxe1beyazbn4ChM6z\n" +
+        "y/7/we+wAnPaPSReugkDO4w/XqUGKa26EiPrQ/9s0QGhKyqeNg/CRY+FEH0sEjuK\n" +
+        "ycLgJK0=\n" +
         "-----END CERTIFICATE-----",
 
         // SHA256withDSA, 2048 bits
@@ -539,35 +559,42 @@
         //
         // RSA private key related to cert endEntityCertStrs[1].
         //
-        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCnR0euJ9ODZpjS\n" +
-        "wfTd/YmMrZ9bgMvqAsMqrRiKuw0TTvPngsUh54OKjj1fA+MHs6ltRMLWF/9gpnte\n" +
-        "JFbI9rWtijNnzx6aFm35ymTIrP6eZbhq+UBaetX6DHj5tT1P5a4FZ0CtoFyrbtjU\n" +
-        "jbrJ8IS0LyTf47Sx2UduFqwX4FQOZf+fj6eJ8l1s2bl5IPHx4VgcVN2OEC53cCfZ\n" +
-        "fpAP1ZZKgmk90OLi60eEUCXFbqiyMnGwA+/OjxiyqakIyNlwSSzhmyqJkoqJZRZQ\n" +
-        "CMJxsx6sM8Nfb1/J6jfjy7O28myY1HN9zCUW3DGlh3G5mrAeLZCg1pBMZeONtkWa\n" +
-        "OfuoSSNfAgMBAAECggEAWnAHKPkPObN2XDvQj1RL0WrtBSOVG2dy7Ne4tQh8ATxm\n" +
-        "UXw56CKq03YjaANJ8xgHObQ7QlSnFTHs8PDkmrIHd1OIh09LVDNcMfhilLwyzKBi\n" +
-        "HDO1vzU6Cn5DyX1bMJ8UfodcSIKyl1zOjdwyaItIs8HpRcJuJtk57SME18PIrh9H\n" +
-        "EWchWSxTvPvKDY2bhb4vBMgVPfTQO3yc8gY/1J5vKPqDpyEuCGjV13zd/AoL/u5A\n" +
-        "sG10hQ2veJ9KAn1xwPwEoAkCdNLL8vPB1rCbeMZNamqHZRihfoOgDnnJIf3FtUFF\n" +
-        "8bS2FM2kGQR+05SZdhBmJl0obPrbBWil/2vxqeFrgQKBgQDZl1yQsFss2BKK2VAh\n" +
-        "9PKc8tU1v6RpHQZhJEDSct2slHQS5DF6bWl5kJiPevXSvcnjgoPamZf7Joii+Rds\n" +
-        "3xtPQmRw2vQmXBQzQS1YoRuh4hUlkdFWCjUNNg1kvipue6FO4PVg3ViP7llN8PXK\n" +
-        "rSpVxn0a36UiN9jN2zMOUs6tJwKBgQDEzlqa7DghMli7TUdL44uvD2/ceiHqHMMw\n" +
-        "5eLsEHeRVn/EVU99beKw/dAOGwRssTpCd9h7fwzQ2503/Qb/Goe0nKE7+xvt3/sE\n" +
-        "n2Y8Qfv1W1+hGb2qU2jhQaR5bZrLZp0+BgRuQ4ttpYvzopYe4FLZWhDBA0zsGyu0\n" +
-        "nCi7lUSrCQKBgGeGYW8hyS9r2l6fiEWvsiLEUnbRKFsuiRN82S6HojpzI0q9sWDL\n" +
-        "X6yMBFn3qa/LxpttRGikPTAsJERN+Tw+ZlLuhrU/J3x8wMumDfomJOx/kYofd5bV\n" +
-        "ImqXtgWhiLSqM5RA6d5dUb6hK3Iu2/LDMuo+ltVLZNkD8y32RbNh6J1vAoGAbLqQ\n" +
-        "pgyhSf3Vtc0Q+aVB87p0k3tKJ1wynl4zSzYhyMLgHakAHIzL8/qVqmVUwXP8euJZ\n" +
-        "UIk1nGHobxk0d1XB6Y+rKEcn+/iFZt1ljx7pQ3ly0L824NXqGKC6bHeYUI1li/Gp\n" +
-        "Gv3oFvCh7D1D8NUAEKLIpMndAohUUhkAC/qAkHkCgYEAzSIarDNquayV+umC1SXm\n" +
-        "Zo6XLuzWjudLxPd2lyCfwR2aRKlrb+5OFYErX+RSLyCJmaqVZMyXP09PBIvNXu2Z\n" +
-        "+gbx5WUC+kA+6zdKEPXowei6i6EHMXYT2AL7395ZbPajZjsCduE3WuUztuHrhtMm\n" +
-        "JI+k1o4rCnSLlX4gWdN1oTs=",
+        "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCVhXfgBAGVkQW7\n" +
+        "mvWseAiYMl6FNzcfc8JMW8c9gxmebCW/+uG/5igc+JoE+nJJyT6wr97y4Pb+ls5a\n" +
+        "SKiEsxD+gEcZjA06JrfKaURag6t9bhid3Clr4acBtfdh8CVMb242WL6rM1wOaYjr\n" +
+        "RVmvrgWrykhf3V16zF4ow5ei2y9xlOKWS5nlD/D0clH8FoXMtx4pASMe3xgnDQfn\n" +
+        "R17QeQ04MXUfMqUwgecRX4YC/RKjvF9KYp/m7m36ReSGOvKeQeKG+xHTZgQk1MhQ\n" +
+        "DdzIfa+PWc8KWCL4vbITZnXcDGpCTgfWGjLEZnNxGplFaXUdH0fG2OUbYGcBIbWo\n" +
+        "s6dg5EtBAgMBAAECggEBAI5toQ8HQesTRf67UaKEhMtVz6veOOgBAOhz1IrHwzOh\n" +
+        "mSQS+9AskbFnLm/nkc6voMP2A84gdad2SALAi6Y8XMfRsein/EGUeCabt7zxB/5n\n" +
+        "TZOyENLvFIMQryHf++efjcC/MIEsX1hrNz3FxfUPM9+8xMxstYsv+dGi32MGn171\n" +
+        "G1AKFOqs/n0X16Sh1kLtkHq1xaqZJUYQyrBasFtCPDwCFhhkwsxGQZ2Dcy3gFDxy\n" +
+        "5O5IMSxFtaoiTLrnA/X4MxM3OyA57EG+KWtrokahTMmhPwysodlIS8kw3ROtCYBx\n" +
+        "7FLclf49LDtiUtjLoyF+I8WCr44/zp7c13HlBijoNAECgYEAxdSLeCkWSuopZmjP\n" +
+        "j0Cj00pME3W3gsy/1QQxRM+FfRQ6U1evNLp4JKakJUlZ+/xtsd1H9a6FAEzrgcbJ\n" +
+        "xY8W++3IFUNLYop9c9/VXaaKLG2QyfoqBNAHROKyRxoKihDdPgNFwxcwI2tWJEnE\n" +
+        "kBDZ+Kn4dAcxO3j/nVzD/Gvg5PECgYEAwXyGSo7Xzf0zwej1uVx5kSOKfn5dRUbr\n" +
+        "2DDUleMFm7pnOIDriQ+pz6euROJNieoesX1Bo/PaML2095ljb19DI9U1OWMXFhTL\n" +
+        "lKH/yOuDAdUTswp085ohPOCr48+QWLL6Awicd08L6tjg7Fm4j+VXaaNBbXuXOfjG\n" +
+        "KeK+FOU9i1ECgYA4NNcbYLEQv87bZdPy426oTWen774fz4SBRRuqbTuD+gdIPpVs\n" +
+        "6b3Qy/e/EEQcr++KpVAYoWjwWOpgiNYy5yCkmz5JrEDy0l4qWeIJJZQEY2zLtePS\n" +
+        "Ujh+fdohEWkFKR1yzQM5FpF6vrhOvxa1x9PmLoSEkraOKyaU0xJr2UqgQQKBgGG1\n" +
+        "yPuN912HKMQcKTtaf+nT0PTgS6nYjvG2dyTaaNKj58yZDllBF7hOLauLvSyQlr97\n" +
+        "SdLKKr3Cj8kaJSTxLq7B1QcOC3KTPdvpk4qbpKUgPbqE5Vq/01ky/JsnDvY8LBWs\n" +
+        "G5gEyzfmHnA9Pv8sCmDGmRv49f3IrAoq/2L+AX6BAoGBAJ1Wf2Qg8ox75ir0e1kH\n" +
+        "8r+Lmr3gsoxKfh/0fTPV5mbH7PBOSzXwg5fiDUngy9aMDkqCAum5y2Jg0aHhx1Df\n" +
+        "0dTiKsMBCEmPI3/2/O6gJ+HJ0xX6LxmwU9m21xM055IuS5oDXJhonJa2fWusQS1s\n" +
+        "oqd5EGtoPFy0ccqHzYCv3F5A",
 
         //
-        // DSA private key related to cert endEntityCertStrs[2].
+        // EC private key related to cert endEntityCertStrs[2].
+        //
+        "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgomzbfLMRU6+4FNsa\n" +
+        "KQ+qutNxLGgKmRcXWGbFKt71RzqhRANCAATpTrYQVc0glNEz0YlvjuJoTp9GRxN9\n" +
+        "/MC4cuB2IjJ7gVVs5di+5K0qQlyjP2//2v9GD6GwBFym0oYdKBcaOdSC",
+
+        //
+        // DSA private key related to cert endEntityCertStrs[3].
         //
         "MIICZAIBADCCAjkGByqGSM44BAEwggIsAoIBAQCWte2WHSAob+cnmLjyt818YFBB\n" +
         "hrHVAwM30FMbTK8grXN2jYFi8bDdf0GL6fb/oYeLcJxttFXpghB/UJcdOj8YO+A8\n" +
@@ -584,13 +611,22 @@
         "/cSxWAQiAiAKHYbYwEy0XS9J0MeKQmqPswn0nCJKvH+esfMKkZvV3w=="
         };
 
-    // Private key names of endEntityPrivateKeys.
-    private final static String[] endEntityPrivateKeyNames = {
+    // Private key algorithm of endEntityPrivateKeys.
+    private final static String[] endEntityPrivateKeyAlgs = {
         "EC",
         "RSA",
+        "EC",
         "DSA",
         };
 
+    // Private key names of endEntityPrivateKeys.
+    private final static String[] endEntityPrivateKeyNames = {
+        "ecdsa",
+        "rsa",
+        "ec-rsa",
+        "dsa",
+        };
+
     /*
      * Create an instance of SSLContext with the specified trust/key materials.
      */
@@ -599,6 +635,7 @@
             String[] keyMaterialCerts,
             String[] keyMaterialKeys,
             String[] keyMaterialKeyAlgs,
+            String[] keyMaterialKeyNames,
             ContextParameters params) throws Exception {
 
         KeyStore ts = null;     // trust store
@@ -665,7 +702,7 @@
                 Certificate[] chain = new Certificate[] { keyCert };
 
                 // import the key entry.
-                ks.setKeyEntry("cert-" + keyMaterialKeyAlgs[i],
+                ks.setKeyEntry("cert-" + keyMaterialKeyNames[i],
                         priKey, passphrase, chain);
             }
         }
@@ -842,3 +879,4 @@
         cause.printStackTrace(System.out);
     }
 }
+
--- old/test/jdk/sun/security/ec/SignedObjectChain.java	2018-05-11 15:07:47.438387000 -0700
+++ new/test/jdk/sun/security/ec/SignedObjectChain.java	2018-05-11 15:07:46.963129700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,10 @@
 
 /*
  * @test
- * @bug 8050374
+ * @bug 8050374 8146293
  * @summary Verify a chain of signed objects
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
  * @compile ../../../java/security/SignedObject/Chain.java
  * @run main SignedObjectChain
  */
--- old/test/jdk/sun/security/ec/TestEC.java	2018-05-11 15:07:49.032758400 -0700
+++ new/test/jdk/sun/security/ec/TestEC.java	2018-05-11 15:07:48.552616200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,6 +34,7 @@
  * @library ../pkcs11/ec
  * @library ../pkcs11/sslecc
  * @library ../../../java/security/testlibrary
+ * @library ../../../javax/net/ssl/TLSCommon
  * @modules jdk.crypto.cryptoki/sun.security.pkcs11.wrapper
  * @run main/othervm -Djdk.tls.namedGroups="secp256r1,sect193r1" TestEC
  * @run main/othervm/java.security.policy=TestEC.policy -Djdk.tls.namedGroups="secp256r1,sect193r1" TestEC
--- old/test/jdk/sun/security/mscapi/SignedObjectChain.java	2018-05-11 15:07:50.576580900 -0700
+++ new/test/jdk/sun/security/mscapi/SignedObjectChain.java	2018-05-11 15:07:50.103603800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,10 @@
 
 /*
  * @test
- * @bug 8050374
+ * @bug 8050374 8146293
  * @summary Verify a chain of signed objects
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
  * @compile ../../../java/security/SignedObject/Chain.java
  * @requires os.family == "windows"
  * @run main SignedObjectChain
--- old/test/jdk/sun/security/pkcs11/sslecc/CipherTest.java	2018-05-11 15:07:52.157614000 -0700
+++ new/test/jdk/sun/security/pkcs11/sslecc/CipherTest.java	2018-05-11 15:07:51.677156800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -105,11 +105,11 @@
 
     public static class TestParameters {
 
-        String cipherSuite;
-        String protocol;
+        CipherSuite cipherSuite;
+        Protocol protocol;
         String clientAuth;
 
-        TestParameters(String cipherSuite, String protocol,
+        TestParameters(CipherSuite cipherSuite, Protocol protocol,
                 String clientAuth) {
             this.cipherSuite = cipherSuite;
             this.protocol = protocol;
@@ -117,7 +117,7 @@
         }
 
         boolean isEnabled() {
-            return TLSCipherStatus.isEnabled(cipherSuite, protocol);
+            return cipherSuite.supportedByProtocol(protocol);
         }
 
         @Override
@@ -128,134 +128,6 @@
             }
             return s;
         }
-
-        static enum TLSCipherStatus {
-            // cipher suites supported since TLS 1.2
-            CS_01("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0x0303, 0xFFFF),
-            CS_02("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",   0x0303, 0xFFFF),
-            CS_03("TLS_RSA_WITH_AES_256_CBC_SHA256",         0x0303, 0xFFFF),
-            CS_04("TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",  0x0303, 0xFFFF),
-            CS_05("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",    0x0303, 0xFFFF),
-            CS_06("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_07("TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-
-            CS_08("TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 0x0303, 0xFFFF),
-            CS_09("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",   0x0303, 0xFFFF),
-            CS_10("TLS_RSA_WITH_AES_128_CBC_SHA256",         0x0303, 0xFFFF),
-            CS_11("TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",  0x0303, 0xFFFF),
-            CS_12("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",    0x0303, 0xFFFF),
-            CS_13("TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_14("TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-
-            CS_15("TLS_DH_anon_WITH_AES_256_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_16("TLS_DH_anon_WITH_AES_128_CBC_SHA256",     0x0303, 0xFFFF),
-            CS_17("TLS_RSA_WITH_NULL_SHA256",                0x0303, 0xFFFF),
-
-            CS_20("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0x0303, 0xFFFF),
-            CS_21("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 0x0303, 0xFFFF),
-            CS_22("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   0x0303, 0xFFFF),
-            CS_23("TLS_RSA_WITH_AES_256_GCM_SHA384",         0x0303, 0xFFFF),
-            CS_24("TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",  0x0303, 0xFFFF),
-            CS_25("TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",    0x0303, 0xFFFF),
-            CS_26("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-            CS_27("TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-
-            CS_28("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   0x0303, 0xFFFF),
-            CS_29("TLS_RSA_WITH_AES_128_GCM_SHA256",         0x0303, 0xFFFF),
-            CS_30("TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",  0x0303, 0xFFFF),
-            CS_31("TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",    0x0303, 0xFFFF),
-            CS_32("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-            CS_33("TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-
-            CS_34("TLS_DH_anon_WITH_AES_256_GCM_SHA384",     0x0303, 0xFFFF),
-            CS_35("TLS_DH_anon_WITH_AES_128_GCM_SHA256",     0x0303, 0xFFFF),
-
-            // cipher suites obsoleted since TLS 1.2
-            CS_50("SSL_RSA_WITH_DES_CBC_SHA",                0x0000, 0x0303),
-            CS_51("SSL_DHE_RSA_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_52("SSL_DHE_DSS_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_53("SSL_DH_anon_WITH_DES_CBC_SHA",            0x0000, 0x0303),
-            CS_54("TLS_KRB5_WITH_DES_CBC_SHA",               0x0000, 0x0303),
-            CS_55("TLS_KRB5_WITH_DES_CBC_MD5",               0x0000, 0x0303),
-
-            // cipher suites obsoleted since TLS 1.1
-            CS_60("SSL_RSA_EXPORT_WITH_RC4_40_MD5",          0x0000, 0x0302),
-            CS_61("SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",      0x0000, 0x0302),
-            CS_62("SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",       0x0000, 0x0302),
-            CS_63("SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_64("SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_65("SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",   0x0000, 0x0302),
-            CS_66("TLS_KRB5_EXPORT_WITH_RC4_40_SHA",         0x0000, 0x0302),
-            CS_67("TLS_KRB5_EXPORT_WITH_RC4_40_MD5",         0x0000, 0x0302),
-            CS_68("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",     0x0000, 0x0302),
-            CS_69("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",     0x0000, 0x0302),
-
-            // ignore TLS_EMPTY_RENEGOTIATION_INFO_SCSV always
-            CS_99("TLS_EMPTY_RENEGOTIATION_INFO_SCSV",       0xFFFF, 0x0000);
-
-            // the cipher suite name
-            final String cipherSuite;
-
-            // supported since protocol version
-            final int supportedSince;
-
-            // obsoleted since protocol version
-            final int obsoletedSince;
-
-            TLSCipherStatus(String cipherSuite,
-                    int supportedSince, int obsoletedSince) {
-                this.cipherSuite = cipherSuite;
-                this.supportedSince = supportedSince;
-                this.obsoletedSince = obsoletedSince;
-            }
-
-            static boolean isEnabled(String cipherSuite, String protocol) {
-                int versionNumber = toVersionNumber(protocol);
-
-                if (versionNumber < 0) {
-                    return true;  // unlikely to happen
-                }
-
-                for (TLSCipherStatus status : TLSCipherStatus.values()) {
-                    if (cipherSuite.equals(status.cipherSuite)) {
-                        if ((versionNumber < status.supportedSince) ||
-                            (versionNumber >= status.obsoletedSince)) {
-                            return false;
-                        }
-
-                        return true;
-                    }
-                }
-
-                return true;
-            }
-
-            private static int toVersionNumber(String protocol) {
-                int versionNumber = -1;
-
-                switch (protocol) {
-                    case "SSLv2Hello":
-                        versionNumber = 0x0002;
-                        break;
-                    case "SSLv3":
-                        versionNumber = 0x0300;
-                        break;
-                    case "TLSv1":
-                        versionNumber = 0x0301;
-                        break;
-                    case "TLSv1.1":
-                        versionNumber = 0x0302;
-                        break;
-                    case "TLSv1.2":
-                        versionNumber = 0x0303;
-                        break;
-                    default:
-                        // unlikely to happen
-                }
-
-                return versionNumber;
-            }
-        }
     }
 
     private List<TestParameters> tests;
@@ -283,14 +155,21 @@
 
                 for (int k = 0; k < clientAuths.length; k++) {
                     String clientAuth = clientAuths[k];
-                    if ((clientAuth != null) &&
-                            (cipherSuite.indexOf("DH_anon") != -1)) {
-                        // no client with anonymous ciphersuites
+                    // no client with anonymous cipher suites.
+                    // TLS_EMPTY_RENEGOTIATION_INFO_SCSV always be skipped.
+                    // TLS 1.3 is skipped due to the signature algorithm,
+                    // exactly MD5withRSA, in the certificates is not allowed.
+                    if ((clientAuth != null && cipherSuite.contains("DH_anon")
+                            || cipherSuite.equals(
+                                    CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV.name())
+                            || "TLSv1.3".equals(protocol))) {
                         continue;
                     }
 
-                    tests.add(new TestParameters(cipherSuite, protocol,
-                        clientAuth));
+                    tests.add(new TestParameters(
+                            CipherSuite.cipherSuite(cipherSuite),
+                            Protocol.protocol(protocol),
+                            clientAuth));
                 }
             }
         }
--- old/test/jdk/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	2018-05-11 15:07:53.770360700 -0700
+++ new/test/jdk/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java	2018-05-11 15:07:53.292535700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,7 +31,7 @@
  * @bug 6405536
  * @summary Verify that all ciphersuites work (incl. ECC using NSS crypto)
  * @author Andreas Sterbenz
- * @library ..
+ * @library .. ../../../../javax/net/ssl/TLSCommon
  * @library ../../../../java/security/testlibrary
  * @modules jdk.crypto.cryptoki
  * @run main/othervm -Djdk.tls.namedGroups="secp256r1,sect193r1"
--- old/test/jdk/sun/security/pkcs11/sslecc/JSSEClient.java	2018-05-11 15:07:55.317501000 -0700
+++ new/test/jdk/sun/security/pkcs11/sslecc/JSSEClient.java	2018-05-11 15:07:54.823525800 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -67,8 +67,8 @@
             }
 
             socket.setSoTimeout(CipherTest.TIMEOUT);
-            socket.setEnabledCipherSuites(new String[] {params.cipherSuite});
-            socket.setEnabledProtocols(new String[] {params.protocol});
+            socket.setEnabledCipherSuites(new String[] {params.cipherSuite.name()});
+            socket.setEnabledProtocols(new String[] {params.protocol.name});
             InputStream in = socket.getInputStream();
             OutputStream out = socket.getOutputStream();
             sendRequest(in, out);
@@ -76,11 +76,11 @@
             SSLSession session = socket.getSession();
             session.invalidate();
             String cipherSuite = session.getCipherSuite();
-            if (params.cipherSuite.equals(cipherSuite) == false) {
+            if (!params.cipherSuite.name().equals(cipherSuite)) {
                 throw new Exception("Negotiated ciphersuite mismatch: " + cipherSuite + " != " + params.cipherSuite);
             }
             String protocol = session.getProtocol();
-            if (params.protocol.equals(protocol) == false) {
+            if (!params.protocol.name.equals(protocol)) {
                 throw new Exception("Negotiated protocol mismatch: " + protocol + " != " + params.protocol);
             }
             if (cipherSuite.indexOf("DH_anon") == -1) {
--- old/test/jdk/sun/security/rsa/SignatureOffsets.java	2018-05-11 15:07:56.890002000 -0700
+++ new/test/jdk/sun/security/rsa/SignatureOffsets.java	2018-05-11 15:07:56.404453100 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,7 +27,7 @@
 
 /*
  * @test
- * @bug 8050374
+ * @bug 8050374 8146293
  * @key randomness
  * @summary This test validates signature verification
  *          Signature.verify(byte[], int, int). The test uses RandomFactory to
@@ -44,6 +44,8 @@
  * @run main SignatureOffsets SunRsaSign SHA256withRSA
  * @run main SignatureOffsets SunRsaSign SHA384withRSA
  * @run main SignatureOffsets SunRsaSign SHA512withRSA
+ * @run main SignatureOffsets SunRsaSign SHA512/224withRSA
+ * @run main SignatureOffsets SunRsaSign SHA512/256withRSA
  */
 public class SignatureOffsets {
 
--- old/test/jdk/sun/security/rsa/SignatureTest.java	2018-05-11 15:07:58.450231900 -0700
+++ new/test/jdk/sun/security/rsa/SignatureTest.java	2018-05-11 15:07:57.958012200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -20,42 +20,33 @@
  * or visit www.oracle.com if you need additional information or have any
  * questions.
  */
-import java.security.InvalidKeyException;
-import java.security.Key;
-import java.security.KeyFactory;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.security.Signature;
-import java.security.SignatureException;
+import java.security.*;
 import java.security.interfaces.RSAPrivateKey;
 import java.security.interfaces.RSAPublicKey;
-import java.security.spec.InvalidKeySpecException;
-import java.security.spec.PKCS8EncodedKeySpec;
-import java.security.spec.RSAPrivateKeySpec;
-import java.security.spec.RSAPublicKeySpec;
-import java.security.spec.X509EncodedKeySpec;
-import java.util.Arrays;
+import java.security.spec.*;
+import java.util.*;
 import java.util.stream.IntStream;
 import static javax.crypto.Cipher.PRIVATE_KEY;
 import static javax.crypto.Cipher.PUBLIC_KEY;
 
+import jdk.test.lib.SigTestUtil;
+import static jdk.test.lib.SigTestUtil.SignatureType;
+
 /**
  * @test
- * @bug 8044199
+ * @bug 8044199 8146293
  * @summary Create a signature for RSA and get its signed data. re-initiate
  *          the signature with the public key. The signature can be verified
  *          by acquired signed data.
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
  * @run main SignatureTest 512
  * @run main SignatureTest 768
  * @run main SignatureTest 1024
  * @run main SignatureTest 2048
  * @run main/timeout=240 SignatureTest 4096
  * @run main/timeout=240 SignatureTest 5120
- * @run main/timeout=240 SignatureTest 6144
+ * @run main/timeout=480 SignatureTest 6144
  */
 public class SignatureTest {
     /**
@@ -78,14 +69,13 @@
      */
     private static final int UPDATE_TIMES_HUNDRED = 100;
 
-    /**
-     * Signature algorithms to test
-     */
-    private static final String[] SIGN_ALG = {"MD2withRSA", "MD5withRSA",
-        "SHA1withRSA", "SHA256withRSA"};
-
     public static void main(String[] args) throws Exception {
-        int testSize = Integer.parseInt(args[0]);
+        int keySize = Integer.parseInt(args[0]);
+        Iterable<String> md_alg_pkcs15 =
+            SigTestUtil.getDigestAlgorithms(SignatureType.RSA, keySize);
+
+        Iterable<String> md_alg_pss =
+            SigTestUtil.getDigestAlgorithms(SignatureType.RSASSA_PSS, keySize);
 
         byte[] data = new byte[100];
         IntStream.range(0, data.length).forEach(j -> {
@@ -93,24 +83,34 @@
         });
 
         // create a key pair
-        KeyPair kpair = generateKeys(KEYALG, testSize);
+        KeyPair kpair = generateKeys(KEYALG, keySize);
         Key[] privs = manipulateKey(PRIVATE_KEY, kpair.getPrivate());
         Key[] pubs = manipulateKey(PUBLIC_KEY, kpair.getPublic());
-        // For signature algorithm, create and verify a signature
 
+        test(SignatureType.RSA, md_alg_pkcs15, privs, pubs, data);
+        test(SignatureType.RSASSA_PSS, md_alg_pss, privs, pubs, data);
+    }
+
+    private static void test(SignatureType type, Iterable<String> digestAlgs,
+            Key[] privs, Key[] pubs, byte[] data) throws RuntimeException {
+
+        // For signature algorithm, create and verify a signature
         Arrays.stream(privs).forEach(priv
                 -> Arrays.stream(pubs).forEach(pub
-                -> Arrays.stream(SIGN_ALG).forEach(testAlg -> {
+                -> digestAlgs.forEach(digestAlg -> {
             try {
+                AlgorithmParameterSpec sigParams =
+                    SigTestUtil.generateDefaultParameter(type, digestAlg);
+                String sigAlg = SigTestUtil.generateSigAlg(type, digestAlg);
                 checkSignature(data, (PublicKey) pub, (PrivateKey) priv,
-                        testAlg);
+                        sigAlg, sigParams);
             } catch (NoSuchAlgorithmException | InvalidKeyException |
-                    SignatureException | NoSuchProviderException ex) {
+                    SignatureException | NoSuchProviderException |
+                    InvalidAlgorithmParameterException ex) {
                 throw new RuntimeException(ex);
             }
         }
         )));
-
     }
 
     private static KeyPair generateKeys(String keyalg, int size)
@@ -160,9 +160,14 @@
     }
 
     private static void checkSignature(byte[] data, PublicKey pub,
-            PrivateKey priv, String sigalg) throws NoSuchAlgorithmException,
-            InvalidKeyException, SignatureException, NoSuchProviderException {
-        Signature sig = Signature.getInstance(sigalg, PROVIDER);
+            PrivateKey priv, String sigAlg, AlgorithmParameterSpec sigParams)
+            throws NoSuchAlgorithmException, InvalidKeyException,
+            SignatureException, NoSuchProviderException,
+            InvalidAlgorithmParameterException {
+        System.out.println("Testing " + sigAlg);
+        Signature sig = Signature.getInstance(sigAlg, PROVIDER);
+        sig.setParameter(sigParams);
+
         sig.initSign(priv);
         for (int i = 0; i < UPDATE_TIMES_HUNDRED; i++) {
             sig.update(data);
@@ -170,12 +175,13 @@
         byte[] signedData = sig.sign();
 
         // Make sure signature verifies with original data
+        sig.setParameter(sigParams);
         sig.initVerify(pub);
         for (int i = 0; i < UPDATE_TIMES_HUNDRED; i++) {
             sig.update(data);
         }
         if (!sig.verify(signedData)) {
-            throw new RuntimeException("Failed to verify " + sigalg
+            throw new RuntimeException("Failed to verify " + sigAlg
                     + " signature");
         }
 
@@ -187,7 +193,7 @@
         }
 
         if (sig.verify(signedData)) {
-            throw new RuntimeException("Failed to detect bad " + sigalg
+            throw new RuntimeException("Failed to detect bad " + sigAlg
                     + " signature");
         }
     }
--- old/test/jdk/sun/security/rsa/SignedObjectChain.java	2018-05-11 15:08:00.008864700 -0700
+++ new/test/jdk/sun/security/rsa/SignedObjectChain.java	2018-05-11 15:07:59.525638200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,10 +23,12 @@
 
 /*
  * @test
- * @bug 8050374
- * @summary Verify a chain of signed objects
+ * @bug 8050374 8146293
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
  * @compile ../../../java/security/SignedObject/Chain.java
  * @run main SignedObjectChain
+ * @summary Verify a chain of signed objects
  */
 public class SignedObjectChain {
 
@@ -45,6 +47,8 @@
         new Test(Chain.SigAlg.SHA256withRSA),
         new Test(Chain.SigAlg.SHA384withRSA),
         new Test(Chain.SigAlg.SHA512withRSA),
+        new Test(Chain.SigAlg.SHA512_224withRSA),
+        new Test(Chain.SigAlg.SHA512_256withRSA),
     };
 
     public static void main(String argv[]) {
--- old/test/jdk/sun/security/rsa/TestKeyPairGenerator.java	2018-05-11 15:08:01.583627900 -0700
+++ new/test/jdk/sun/security/rsa/TestKeyPairGenerator.java	2018-05-11 15:08:01.105473000 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,11 @@
 
 /**
  * @test
- * @bug 4853305 4865198 4888410 4963723
+ * @bug 4853305 4865198 4888410 4963723 8146293
  * @summary Verify that the RSA KeyPairGenerator works
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
+ * @run main TestKeyPairGenerator
  * @author Andreas Sterbenz
  * @key randomness
  */
@@ -37,15 +40,21 @@
 import java.security.interfaces.*;
 import java.security.spec.*;
 
+import jdk.test.lib.SigTestUtil;
+import static jdk.test.lib.SigTestUtil.SignatureType;
+
 public class TestKeyPairGenerator {
 
     private static Provider provider;
 
     private static byte[] data;
 
-    private static void testSignature(String algorithm, PrivateKey privateKey, PublicKey publicKey) throws Exception {
-        System.out.println("Testing " + algorithm + "...");
-        Signature s = Signature.getInstance(algorithm, provider);
+    private static void testSignature(SignatureType type, String mdAlg,
+            PrivateKey privateKey, PublicKey publicKey) throws
+            NoSuchAlgorithmException, InvalidKeyException, SignatureException {
+        System.out.println("Testing against " + mdAlg + "...");
+        String sigAlg = SigTestUtil.generateSigAlg(type, mdAlg);
+        Signature s = Signature.getInstance(sigAlg, provider);
         s.initSign(privateKey);
         s.update(data);
         byte[] sig = s.sign();
@@ -53,22 +62,26 @@
         s.update(data);
         boolean result = s.verify(sig);
         if (result == false) {
-            throw new Exception("Verification failed");
+            throw new RuntimeException("Verification failed");
         }
     }
 
     private static void test(PrivateKey privateKey, PublicKey publicKey) throws Exception {
-        testSignature("MD2withRSA", privateKey, publicKey);
-        testSignature("MD5withRSA", privateKey, publicKey);
-        testSignature("SHA1withRSA", privateKey, publicKey);
-        testSignature("SHA224withRSA", privateKey, publicKey);
-        testSignature("SHA256withRSA", privateKey, publicKey);
-        RSAPublicKey rsaKey = (RSAPublicKey)publicKey;
-        if (rsaKey.getModulus().bitLength() > 512) {
-            // for SHA384 and SHA512 the data is too long for 512 bit keys
-            testSignature("SHA384withRSA", privateKey, publicKey);
-            testSignature("SHA512withRSA", privateKey, publicKey);
+
+        int testSize = ((RSAPublicKey)publicKey).getModulus().bitLength();
+        System.out.println("modulus size = " + testSize);
+
+        Iterable<String> md_alg_pkcs15 =
+            SigTestUtil.getDigestAlgorithms(SignatureType.RSA, testSize);
+        md_alg_pkcs15.forEach(mdAlg -> {
+            try {
+                testSignature(SignatureType.RSA, mdAlg, privateKey, publicKey);
+            } catch (NoSuchAlgorithmException | InvalidKeyException |
+                     SignatureException ex) {
+                throw new RuntimeException(ex);
+            }
         }
+        );
     }
 
     // regression test for 4865198
--- old/test/jdk/sun/security/rsa/TestSignatures.java	2018-05-11 15:08:03.130309000 -0700
+++ new/test/jdk/sun/security/rsa/TestSignatures.java	2018-05-11 15:08:02.642480700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,11 @@
 
 /**
  * @test
- * @bug 4853305 4963723
+ * @bug 4853305 4963723 8146293
  * @summary Test signing/verifying using all the signature algorithms
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
+ * @run main TestSignatures
  * @author Andreas Sterbenz
  * @key randomness
  */
@@ -35,6 +38,9 @@
 import java.security.*;
 import java.security.interfaces.*;
 
+import jdk.test.lib.SigTestUtil;
+import static jdk.test.lib.SigTestUtil.SignatureType;
+
 public class TestSignatures {
 
     private final static String BASE = System.getProperty("test.src", ".");
@@ -53,9 +59,12 @@
         return ks;
     }
 
-    private static void testSignature(String algorithm, PrivateKey privateKey, PublicKey publicKey) throws Exception {
-        System.out.println("Testing " + algorithm + "...");
-        Signature s = Signature.getInstance(algorithm, provider);
+    private static void testSignature(String mdAlg, PrivateKey privateKey,
+            PublicKey publicKey) throws NoSuchAlgorithmException,
+            InvalidKeyException, SignatureException {
+        System.out.println("Testing against " + mdAlg + "...");
+        String sigAlg = SigTestUtil.generateSigAlg(SignatureType.RSA, mdAlg);
+        Signature s = Signature.getInstance(sigAlg, provider);
         s.initSign(privateKey);
         s.update(data);
         byte[] sig = s.sign();
@@ -64,31 +73,40 @@
         boolean result;
         result = s.verify(sig);
         if (result == false) {
-            throw new Exception("Verification 1 failed");
+            throw new RuntimeException("Verification 1 failed");
         }
         s.update(data);
         result = s.verify(sig);
         if (result == false) {
-            throw new Exception("Verification 2 failed");
+            throw new RuntimeException("Verification 2 failed");
         }
         result = s.verify(sig);
         if (result == true) {
-            throw new Exception("Verification 3 succeeded");
+            throw new RuntimeException("Verification 3 succeeded");
         }
     }
 
-    private static void test(PrivateKey privateKey, PublicKey publicKey) throws Exception {
-        testSignature("MD2withRSA", privateKey, publicKey);
-        testSignature("MD5withRSA", privateKey, publicKey);
-        testSignature("SHA1withRSA", privateKey, publicKey);
-        testSignature("SHA224withRSA", privateKey, publicKey);
-        testSignature("SHA256withRSA", privateKey, publicKey);
-        RSAPublicKey rsaKey = (RSAPublicKey)publicKey;
-        if (rsaKey.getModulus().bitLength() > 512) {
-            // for SHA384 and SHA512 the data is too long for 512 bit keys
-            testSignature("SHA384withRSA", privateKey, publicKey);
-            testSignature("SHA512withRSA", privateKey, publicKey);
+    private static void test(PrivateKey privateKey, PublicKey publicKey)
+            throws Exception {
+
+        int testSize = ((RSAPublicKey)publicKey).getModulus().bitLength();
+        System.out.println("modulus size = " + testSize);
+        // work around a corner case where the key size is one bit short
+        if ((testSize & 0x07) != 0) {
+            testSize += (8 - (testSize & 0x07));
+            System.out.println("adjusted modulus size = " + testSize);
+        }
+        Iterable<String> sign_alg_pkcs15 =
+            SigTestUtil.getDigestAlgorithms(SignatureType.RSA, testSize);
+        sign_alg_pkcs15.forEach(testAlg -> {
+            try {
+                testSignature(testAlg, privateKey, publicKey);
+            } catch (NoSuchAlgorithmException | InvalidKeyException |
+                     SignatureException ex) {
+                throw new RuntimeException(ex);
+            }
         }
+        );
     }
 
     public static void main(String[] args) throws Exception {
--- old/test/jdk/sun/security/ssl/CipherSuite/SSL_NULL.java	2018-05-11 15:08:04.714076500 -0700
+++ new/test/jdk/sun/security/ssl/CipherSuite/SSL_NULL.java	2018-05-11 15:08:04.233344000 -0700
@@ -24,7 +24,8 @@
 /**
  * @test
  * @bug 4854838
- * @summary Verify that SSL_NULL_WITH_NULL_NULL is returned as ciphersuite if the handshake fails
+ * @summary Verify that SSL_NULL_WITH_NULL_NULL is returned as ciphersuite
+ *      if the handshake fails
  * @author Andreas Sterbenz
  */
 
@@ -34,7 +35,6 @@
 import javax.net.ssl.*;
 
 public class SSL_NULL {
-
     private static volatile Boolean result;
 
     public static void main(String[] args) throws Exception {
@@ -71,15 +71,18 @@
             SSLSocketFactory.getDefault().createSocket(
                 "localhost", serverSocket.getLocalPort());
         socket.setEnabledCipherSuites(
-            new String[] { "SSL_RSA_WITH_RC4_128_MD5" });
+            new String[] { "TLS_DHE_RSA_WITH_AES_128_CBC_SHA" });
         try {
             OutputStream out = socket.getOutputStream();
             out.write(0);
             out.flush();
             throw new RuntimeException("No exception received");
         } catch (SSLHandshakeException e) {
+            System.out.println("Expected handshake exception: " + e);
         }
+
         System.out.println("client: " + socket.getSession().getCipherSuite());
+
         // wait for other thread to set result
         while (result == null) {
             Thread.sleep(50);
--- old/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java	2018-05-11 15:08:06.527387900 -0700
+++ new/test/jdk/sun/security/ssl/ClientHandshaker/LengthCheckTest.java	2018-05-11 15:08:06.055507100 -0700
@@ -74,7 +74,6 @@
 import java.nio.*;
 import java.util.List;
 import java.util.ArrayList;
-import sun.security.ssl.ProtocolVersion;
 
 public class LengthCheckTest {
 
@@ -155,6 +154,7 @@
     private static final int TLS_ALERT_UNEXPECTED_MSG = 0x0A;
     private static final int TLS_ALERT_HANDSHAKE_FAILURE = 0x28;
     private static final int TLS_ALERT_INTERNAL_ERROR = 0x50;
+    private static final int TLS_ALERT_ILLEGAL_PARAMETER = 0x2F;
 
     public interface HandshakeTest {
         void execTest() throws Exception;
@@ -268,24 +268,24 @@
                 runDelegatedTasks(serverResult, serverEngine);
                 sTOc.flip();
                 dumpByteBuffer("SERVER-TO-CLIENT", sTOc);
+    
+                // We expect to see the server generate an alert here
+                serverResult = serverEngine.wrap(serverOut, sTOc);
+                log("server wrap: ", serverResult);
+                runDelegatedTasks(serverResult, serverEngine);
+                sTOc.flip();
+                dumpByteBuffer("SERVER-TO-CLIENT", sTOc);
             } catch (SSLProtocolException ssle) {
                 log("Received expected SSLProtocolException: " + ssle);
                 gotException = true;
             }
 
-            // We expect to see the server generate an alert here
-            serverResult = serverEngine.wrap(serverOut, sTOc);
-            log("server wrap: ", serverResult);
-            runDelegatedTasks(serverResult, serverEngine);
-            sTOc.flip();
-            dumpByteBuffer("SERVER-TO-CLIENT", sTOc);
-
             // At this point we can verify that both an exception
             // was thrown and the proper action (a TLS alert) was
             // sent back to the client.
             if (gotException == false ||
                 !isTlsMessage(sTOc, TLS_RECTYPE_ALERT, TLS_ALERT_LVL_FATAL,
-                        TLS_ALERT_UNEXPECTED_MSG)) {
+                        TLS_ALERT_ILLEGAL_PARAMETER)) {
                 throw new SSLException(
                     "Server failed to throw Alert:fatal:internal_error");
             }
@@ -783,10 +783,9 @@
             int ver_major = Byte.toUnsignedInt(bBuf.get());
             int ver_minor = Byte.toUnsignedInt(bBuf.get());
             int recLen = Short.toUnsignedInt(bBuf.getShort());
-            ProtocolVersion pv = ProtocolVersion.valueOf(ver_major, ver_minor);
 
             log("===== " + header + " (" + tlsRecType(type) + " / " +
-                pv + " / " + bufLen + " bytes) =====");
+                ver_major + "." + ver_minor + " / " + bufLen + " bytes) =====");
             bBuf.reset();
             for (int i = 0; i < bufLen; i++) {
                 if (i != 0 && i % 16 == 0) {
--- old/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.sh	2018-05-11 15:08:08.664644400 -0700
+++ new/test/jdk/sun/security/ssl/EngineArgs/DebugReportsOneExtraByte.sh	2018-05-11 15:08:08.186796700 -0700
@@ -1,7 +1,7 @@
 #! /bin/sh
 
 #
-# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -54,7 +54,7 @@
 ${COMPILEJAVA}${FS}bin${FS}javac ${TESTJAVACOPTS} ${TESTTOOLVMOPTS} -d . \
     ${TESTSRC}${FS}DebugReportsOneExtraByte.java
 
-STRING='main, WRITE: TLSv1 Application Data, length = 8'
+STRING='WRITE: TLS10 application_data, length = 8'
 
 echo "Examining debug output for the string:"
 echo "${STRING}"
--- old/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedDefaultProtocols.java	2018-05-11 15:08:10.493759700 -0700
+++ new/test/jdk/sun/security/ssl/SSLContextImpl/CustomizedDefaultProtocols.java	2018-05-11 15:08:10.015417700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,10 +32,20 @@
  *      CustomizedDefaultProtocols
  */
 
-import javax.net.*;
-import javax.net.ssl.*;
-import java.util.Arrays;
 import java.security.Security;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.net.SocketFactory;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
 
 public class CustomizedDefaultProtocols {
     static enum ContextVersion {
@@ -51,13 +61,15 @@
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
         TLS_CV_06("TLSv1.2",
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
-        TLS_CV_07("Default",
+        TLS_CV_07("TLSv1.3",
+                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}),
+        TLS_CV_08("Default",
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1"});
 
         final String contextVersion;
         final String[] enabledProtocols;
         final static String[] supportedProtocols = new String[] {
-                "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
+                "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
 
         ContextVersion(String contextVersion, String[] enabledProtocols) {
             this.contextVersion = contextVersion;
@@ -72,7 +84,7 @@
             success = false;
         }
 
-        if (!Arrays.equals(target, expected)) {
+        if (!protocolEquals(target, expected)) {
             System.out.println("\tError: Expected to get protocols " +
                     Arrays.toString(expected));
             System.out.println("\tError: The actual protocols " +
@@ -83,6 +95,23 @@
         return success;
     }
 
+    private static boolean protocolEquals(
+            String[] actualProtocols,
+            String[] expectedProtocols) {
+        if (actualProtocols.length != expectedProtocols.length) {
+            return false;
+        }
+
+        Set<String> set = new HashSet<>(Arrays.asList(expectedProtocols));
+        for (String actual : actualProtocols) {
+            if (set.add(actual)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     private static boolean checkCipherSuites(String[] target) {
         boolean success = true;
         if (target.length == 0) {
--- old/test/jdk/sun/security/ssl/SSLContextImpl/DefaultEnabledProtocols.java	2018-05-11 15:08:12.054917500 -0700
+++ new/test/jdk/sun/security/ssl/SSLContextImpl/DefaultEnabledProtocols.java	2018-05-11 15:08:11.580815500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -31,17 +31,27 @@
  * @run main/othervm DefaultEnabledProtocols
  */
 
-import javax.net.*;
-import javax.net.ssl.*;
-import java.util.Arrays;
 import java.security.Security;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.net.SocketFactory;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
 
 public class DefaultEnabledProtocols {
     static enum ContextVersion {
         TLS_CV_01("SSL",
-                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
+                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}),
         TLS_CV_02("TLS",
-                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
+                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}),
         TLS_CV_03("SSLv3",
                 new String[] {"SSLv3", "TLSv1"}),
         TLS_CV_04("TLSv1",
@@ -50,13 +60,15 @@
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
         TLS_CV_06("TLSv1.2",
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
-        TLS_CV_07("Default",
-                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"});
+        TLS_CV_07("TLSv1.3",
+                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}),
+        TLS_CV_08("Default",
+                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"});
 
         final String contextVersion;
         final String[] enabledProtocols;
         final static String[] supportedProtocols = new String[] {
-                "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
+                "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
 
         ContextVersion(String contextVersion, String[] enabledProtocols) {
             this.contextVersion = contextVersion;
@@ -71,7 +83,7 @@
             success = false;
         }
 
-        if (!Arrays.equals(target, expected)) {
+        if (!protocolEquals(target, expected)) {
             System.out.println("\tError: Expected to get protocols " +
                     Arrays.toString(expected));
             System.out.println("\tError: The actual protocols " +
@@ -82,6 +94,23 @@
         return success;
     }
 
+    private static boolean protocolEquals(
+            String[] actualProtocols,
+            String[] expectedProtocols) {
+        if (actualProtocols.length != expectedProtocols.length) {
+            return false;
+        }
+
+        Set<String> set = new HashSet<>(Arrays.asList(expectedProtocols));
+        for (String actual : actualProtocols) {
+            if (set.add(actual)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     private static boolean checkCipherSuites(String[] target) {
         boolean success = true;
         if (target.length == 0) {
--- old/test/jdk/sun/security/ssl/SSLContextImpl/NoOldVersionContext.java	2018-05-11 15:08:13.632076200 -0700
+++ new/test/jdk/sun/security/ssl/SSLContextImpl/NoOldVersionContext.java	2018-05-11 15:08:13.148512500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,10 +32,20 @@
  *      NoOldVersionContext
  */
 
-import javax.net.*;
-import javax.net.ssl.*;
-import java.util.Arrays;
 import java.security.Security;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.net.SocketFactory;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
 
 public class NoOldVersionContext {
     static enum ContextVersion {
@@ -51,13 +61,15 @@
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1"}),
         TLS_CV_06("TLSv1.2",
                 new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}),
-        TLS_CV_07("Default",
+        TLS_CV_07("TLSv1.3",
+                new String[] {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}),
+        TLS_CV_08("Default",
                 new String[] {"TLSv1", "TLSv1.1", "TLSv1.2"});
 
         final String contextVersion;
         final String[] enabledProtocols;
         final static String[] supportedProtocols = new String[] {
-                "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
+                "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"};
 
         ContextVersion(String contextVersion, String[] enabledProtocols) {
             this.contextVersion = contextVersion;
@@ -72,7 +84,7 @@
             success = false;
         }
 
-        if (!Arrays.equals(target, expected)) {
+        if (!protocolEquals(target, expected)) {
             System.out.println("\tError: Expected to get protocols " +
                     Arrays.toString(expected));
             System.out.println("\tError: The actual protocols " +
@@ -83,6 +95,23 @@
         return success;
     }
 
+    private static boolean protocolEquals(
+            String[] actualProtocols,
+            String[] expectedProtocols) {
+        if (actualProtocols.length != expectedProtocols.length) {
+            return false;
+        }
+
+        Set<String> set = new HashSet<>(Arrays.asList(expectedProtocols));
+        for (String actual : actualProtocols) {
+            if (set.add(actual)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
     private static boolean checkCipherSuites(String[] target) {
         boolean success = true;
         if (target.length == 0) {
--- old/test/jdk/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java	2018-05-11 15:08:15.198810300 -0700
+++ new/test/jdk/sun/security/ssl/SSLContextImpl/TrustTrustedCert.java	2018-05-11 15:08:14.717052500 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -131,12 +131,10 @@
             sslIS.read();
             sslOS.write('A');
             sslOS.flush();
-        } catch (SSLHandshakeException e) {
-            if (expectFail && !e.toString().contains("certificate_unknown")) {
-                throw new RuntimeException(
-                        "Expected to see certificate_unknown in exception output",
-                        e);
-            }
+        } catch (SSLException ssle) {
+            if (!expectFail) {
+                throw ssle;
+            }   // Otherwise, ignore.
         }
     }
 
@@ -158,12 +156,15 @@
             sslOS.flush();
             sslIS.read();
         } catch (SSLHandshakeException e) {
+            if (expectFail) {
             // focus on the CertPathValidatorException
-            Throwable t = e.getCause().getCause();
-            if ((t == null)
-                    || (expectFail && !t.toString().contains("MD5withRSA"))) {
-                throw new RuntimeException(
+                Throwable t = e.getCause().getCause();
+                if (t == null || !t.toString().contains("MD5withRSA")) {
+                    throw new RuntimeException(
                         "Expected to see MD5withRSA in exception output", t);
+                }
+            } else {
+                throw e;
             }
         }
     }
--- old/test/jdk/sun/security/ssl/SSLEngineImpl/EngineEnforceUseClientMode.java	2018-05-11 15:08:16.776482200 -0700
+++ new/test/jdk/sun/security/ssl/SSLEngineImpl/EngineEnforceUseClientMode.java	2018-05-11 15:08:16.297195000 -0700
@@ -107,10 +107,9 @@
                 "wrap():  Didn't catch the exception properly");
         } catch (IllegalStateException e) {
             System.out.println("Caught the correct exception.");
-            ssle3.wrap(appOut1, oneToTwo);
             oneToTwo.flip();
             if (oneToTwo.hasRemaining()) {
-                throw new Exception("wrap1 generated data");
+                throw new Exception("wrap generated data");
             }
             oneToTwo.clear();
         }
@@ -122,12 +121,11 @@
                 "unwrap():  Didn't catch the exception properly");
         } catch (IllegalStateException e) {
             System.out.println("Caught the correct exception.");
-            ssle4.wrap(appOut1, oneToTwo);
-            oneToTwo.flip();
-            if (oneToTwo.hasRemaining()) {
-                throw new Exception("wrap2 generated data");
+            appIn1.flip();
+            if (appIn1.hasRemaining()) {
+                throw new Exception("unwrap generated data");
             }
-            oneToTwo.clear();
+            appIn1.clear();
         }
 
         try {
@@ -137,12 +135,6 @@
                 "unwrap():  Didn't catch the exception properly");
         } catch (IllegalStateException e) {
             System.out.println("Caught the correct exception.");
-            ssle5.wrap(appOut1, oneToTwo);
-            oneToTwo.flip();
-            if (oneToTwo.hasRemaining()) {
-                throw new Exception("wrap3 generated data");
-            }
-            oneToTwo.clear();
         }
 
         boolean dataDone = false;
@@ -200,7 +192,7 @@
 
                 System.out.println("Try changing modes...");
                 try {
-                    ssle2.setUseClientMode(false);
+                    ssle2.setUseClientMode(true);
                     throw new RuntimeException(
                         "setUseClientMode():  " +
                         "Didn't catch the exception properly");
@@ -311,8 +303,10 @@
             log("Data transferred cleanly");
         }
 
-        a.clear();
-        b.clear();
+        a.position(a.limit());
+        b.position(b.limit());
+        a.limit(a.capacity());
+        b.limit(b.capacity());
     }
 
     private static void log(String str) {
--- old/test/jdk/sun/security/ssl/SSLEngineImpl/RehandshakeFinished.java	2018-05-11 15:08:18.343429600 -0700
+++ new/test/jdk/sun/security/ssl/SSLEngineImpl/RehandshakeFinished.java	2018-05-11 15:08:17.871253300 -0700
@@ -160,7 +160,7 @@
                 TrustManagerFactory.getInstance("SunX509");
             tmf.init(ts);
 
-            SSLContext sslCtx = SSLContext.getInstance("TLS");
+            SSLContext sslCtx = SSLContext.getInstance("TLSv1.2");
             sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
             sslc = sslCtx;
         } catch (Exception e) {
--- old/test/jdk/sun/security/ssl/SSLSocketImpl/AsyncSSLSocketClose.java	2018-05-11 15:08:19.935216800 -0700
+++ new/test/jdk/sun/security/ssl/SSLSocketImpl/AsyncSSLSocketClose.java	2018-05-11 15:08:19.440215900 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,10 +25,6 @@
 // SunJSSE does not support dynamic system properties, no way to re-use
 // system properties in samevm/agentvm mode.
 //
-// The test may timeout occasionally on heavy loaded system because
-// there are lot of TLS transactions involved. Frequent timeout(s) should
-// be analyzed further.
-//
 
 /*
  * @test
@@ -40,19 +36,23 @@
 
 import javax.net.ssl.*;
 import java.io.*;
+import java.util.concurrent.locks.*;
+import java.util.concurrent.TimeUnit;
 
-public class AsyncSSLSocketClose implements Runnable
-{
+public class AsyncSSLSocketClose implements Runnable {
     SSLSocket socket;
     SSLServerSocket ss;
 
+    final Lock lock = new ReentrantLock();
+    final Condition isRunning = lock.newCondition(); 
+
     // Where do we find the keystores?
     static String pathToStores = "../../../../javax/net/ssl/etc";
     static String keyStoreFile = "keystore";
     static String trustStoreFile = "truststore";
     static String passwd = "passphrase";
 
-    public static void main(String[] args) {
+    public static void main(String[] args) throws Exception {
         String keyFilename =
             System.getProperty("test.src", "./") + "/" + pathToStores +
                 "/" + keyStoreFile;
@@ -68,58 +68,83 @@
         new AsyncSSLSocketClose();
     }
 
-    public AsyncSSLSocketClose() {
-        try {
-            SSLServerSocketFactory sslssf =
+    public AsyncSSLSocketClose() throws Exception {
+        SSLServerSocketFactory sslssf =
                 (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
-            ss = (SSLServerSocket) sslssf.createServerSocket(0);
-
-            SSLSocketFactory sslsf =
-                (SSLSocketFactory)SSLSocketFactory.getDefault();
-            socket = (SSLSocket)sslsf.createSocket("localhost",
-                                                        ss.getLocalPort());
-            SSLSocket serverSoc = (SSLSocket) ss.accept();
-            ss.close();
-
-            (new Thread(this)).start();
-            serverSoc.startHandshake();
+        ss = (SSLServerSocket) sslssf.createServerSocket(0);
 
+        SSLSocketFactory sslsf =
+            (SSLSocketFactory)SSLSocketFactory.getDefault();
+        socket = (SSLSocket)sslsf.createSocket("localhost", ss.getLocalPort());
+        SSLSocket serverSoc = (SSLSocket)ss.accept();
+        ss.close();
+
+        (new Thread(this)).start();
+        serverSoc.startHandshake();
+        if (lock.tryLock() || lock.tryLock(5000, TimeUnit.MILLISECONDS)) {
+            boolean started = false;
             try {
-                Thread.sleep(5000);
-            } catch (Exception e) {
-                e.printStackTrace();
+                started = isRunning.await(5000, TimeUnit.MILLISECONDS);
+            } finally {
+                lock.unlock();
             }
-
-            socket.setSoLinger(true, 10);
-            System.out.println("Calling Socket.close");
-            socket.close();
-            System.out.println("ssl socket get closed");
-            System.out.flush();
-
-        } catch (IOException e) {
-            e.printStackTrace();
+            if (started) {
+                socket.setSoLinger(true, 10);
+                System.out.println("Calling Socket.close");
+                socket.close();
+                System.out.println("ssl socket get closed");
+                System.out.flush();
+            } else {
+                throw new Exception("Did not get the signal in main thread");
+            }
+        } else {
+            throw new Exception("Unable get the lock in main thread");
         }
-
     }
 
     // block in write
     public void run() {
-        try {
-            byte[] ba = new byte[1024];
-            for (int i=0; i<ba.length; i++)
-                ba[i] = 0x7A;
+        byte[] ba = new byte[1024];
+        for (int i = 0; i < ba.length; i++) {
+            ba[i] = 0x7A;
+        }
 
+        try {
             OutputStream os = socket.getOutputStream();
             int count = 0;
+
+            // 1st round write
+            count += ba.length;
+            System.out.println(count + " bytes to be written");
+            os.write(ba);
+            System.out.println(count + " bytes written");
+
+            if (lock.tryLock() || lock.tryLock(5000, TimeUnit.MILLISECONDS)) {
+                try {
+                    isRunning.signal();
+                } finally {
+                    lock.unlock();
+                }
+            } else {
+                throw new RuntimeException(
+                    "Unable get the lock in write thread");
+            }
+
+            // write more
             while (true) {
                 count += ba.length;
                 System.out.println(count + " bytes to be written");
                 os.write(ba);
                 System.out.println(count + " bytes written");
             }
-        } catch (IOException e) {
-            e.printStackTrace();
+        } catch (Exception e) {
+            if (socket.isClosed()) {
+                System.out.println("interrupted, the socket is closed");
+            } else {
+                throw new RuntimeException("interrupted?", e);
+            }
         }
     }
-
 }
+
+
--- old/test/jdk/sun/security/ssl/SSLSocketImpl/ClientTimeout.java	2018-05-11 15:08:21.483743700 -0700
+++ new/test/jdk/sun/security/ssl/SSLSocketImpl/ClientTimeout.java	2018-05-11 15:08:20.999895200 -0700
@@ -21,14 +21,15 @@
  * questions.
  */
 
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+
 /*
  * @test
  * @bug 4836493
+ * @ignore need further evaluation
  * @summary Socket timeouts for SSLSockets causes data corruption.
  * @run main/othervm ClientTimeout
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  */
 
 import java.io.*;
--- old/test/jdk/sun/security/ssl/SSLSocketImpl/SetClientMode.java	2018-05-11 15:08:23.051026200 -0700
+++ new/test/jdk/sun/security/ssl/SSLSocketImpl/SetClientMode.java	2018-05-11 15:08:22.571385400 -0700
@@ -21,15 +21,17 @@
  * questions.
  */
 
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+
 /*
  * @test
  * @bug 6223624
+ * @ignore this test does not grant to work.  The handshake may have completed
+ *        when getSession() return.  Please update or remove this test case.
  * @summary SSLSocket.setUseClientMode() fails to throw expected
  *        IllegalArgumentException
  * @run main/othervm SetClientMode
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  */
 
 /*
--- old/test/jdk/sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java	2018-05-11 15:08:24.633010400 -0700
+++ new/test/jdk/sun/security/ssl/X509TrustManagerImpl/BasicConstraints.java	2018-05-11 15:08:24.161686600 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -357,6 +357,7 @@
 
         SSLSocket sslSocket =
             (SSLSocket)sslsf.createSocket("localhost", serverPort);
+        sslSocket.setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" });
         try {
             InputStream sslIS = sslSocket.getInputStream();
             OutputStream sslOS = sslSocket.getOutputStream();
--- old/test/jdk/sun/security/ssl/X509TrustManagerImpl/CertRequestOverflow.java	2018-05-11 15:08:26.198343800 -0700
+++ new/test/jdk/sun/security/ssl/X509TrustManagerImpl/CertRequestOverflow.java	2018-05-11 15:08:25.723154700 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -96,6 +96,9 @@
         SSLServerSocket sslServerSocket =
             (SSLServerSocket) sslssf.createServerSocket(serverPort);
         serverPort = sslServerSocket.getLocalPort();
+        if (debug) {
+            System.out.println("Server port is " + serverPort);
+        }
 
         // enable endpoint identification
         // ignore, we may test the feature when known how to parse client
@@ -153,6 +156,10 @@
         SSLSocketFactory sslsf = getContext(false).getSocketFactory();
         SSLSocket sslSocket = (SSLSocket)
             sslsf.createSocket("localhost", serverPort);
+        if (debug) {
+            System.out.println("Connected to: " +
+                    sslSocket.getRemoteSocketAddress());
+        }
 
         // enable endpoint identification
         SSLParameters params = sslSocket.getSSLParameters();
@@ -214,7 +221,7 @@
             tms = new TrustManager[] {clientTM};
         }
 
-        SSLContext ctx = SSLContext.getInstance("TLS");
+        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
         ctx.init(kmf.getKeyManagers(), tms, null);
 
         return ctx;
@@ -243,17 +250,19 @@
             return serverChecked;
         }
 
-
+        @Override
         public void checkClientTrusted(X509Certificate chain[], String authType)
                 throws CertificateException {
             tm.checkClientTrusted(chain, authType);
         }
 
+        @Override
         public void checkServerTrusted(X509Certificate chain[], String authType)
                 throws CertificateException {
             tm.checkServerTrusted(chain, authType);
         }
 
+        @Override
         public X509Certificate[] getAcceptedIssuers() {
             // (hack code) increase the size of the returned array to make a
             // overflow CertificateRequest.
@@ -268,24 +277,28 @@
             return issuersList.toArray(issuers);
         }
 
+        @Override
         public void checkClientTrusted(X509Certificate[] chain, String authType,
                 Socket socket) throws CertificateException {
             clientChecked = true;
             tm.checkClientTrusted(chain, authType);
         }
 
+        @Override
         public void checkServerTrusted(X509Certificate[] chain, String authType,
                 Socket socket) throws CertificateException {
             serverChecked = true;
             tm.checkServerTrusted(chain, authType);
         }
 
+        @Override
         public void checkClientTrusted(X509Certificate[] chain, String authType,
             SSLEngine engine) throws CertificateException {
             clientChecked = true;
             tm.checkClientTrusted(chain, authType);
         }
 
+        @Override
         public void checkServerTrusted(X509Certificate[] chain, String authType,
             SSLEngine engine) throws CertificateException {
             serverChecked = true;
@@ -357,6 +370,7 @@
     void startServer(boolean newThread) throws Exception {
         if (newThread) {
             serverThread = new Thread() {
+                @Override
                 public void run() {
                     try {
                         doServerSide();
@@ -381,6 +395,7 @@
     void startClient(boolean newThread) throws Exception {
         if (newThread) {
             clientThread = new Thread() {
+                @Override
                 public void run() {
                     try {
                         doClientSide();
--- old/test/jdk/sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java	2018-05-11 15:08:27.770717300 -0700
+++ new/test/jdk/sun/security/ssl/X509TrustManagerImpl/SelfIssuedCert.java	2018-05-11 15:08:27.283220400 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -209,6 +209,7 @@
 
         SSLSocket sslSocket =
             (SSLSocket)sslsf.createSocket("localhost", serverPort);
+        sslSocket.setEnabledProtocols(new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" });
 
         InputStream sslIS = sslSocket.getInputStream();
         OutputStream sslOS = sslSocket.getOutputStream();
--- old/test/jdk/sun/security/ssl/rsa/SignedObjectChain.java	2018-05-11 15:08:29.358803500 -0700
+++ new/test/jdk/sun/security/ssl/rsa/SignedObjectChain.java	2018-05-11 15:08:28.863423200 -0700
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,10 @@
 
 /*
  * @test
- * @bug 8050374
+ * @bug 8050374 8146293
  * @summary Verify a chain of signed objects
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
  * @compile ../../../../java/security/SignedObject/Chain.java
  * @run main SignedObjectChain
  */
--- old/test/jdk/sun/security/tools/keytool/PrintSSL.java	2018-05-11 15:08:30.898664600 -0700
+++ new/test/jdk/sun/security/tools/keytool/PrintSSL.java	2018-05-11 15:08:30.406254900 -0700
@@ -53,7 +53,7 @@
         // make sure that "-printcert" works with weak algorithms
         OutputAnalyzer out = SecurityTools.keytool("-genkeypair "
                 + "-keystore keystore -storepass passphrase "
-                + "-keypass passphrase -keyalg rsa -keysize 512 "
+                + "-keypass passphrase -keyalg rsa -keysize 1024 "
                 + "-sigalg MD5withRSA -alias rsa_alias -dname CN=Server");
         System.out.println(out.getOutput());
         out.shouldHaveExitValue(0);
@@ -92,7 +92,7 @@
             System.setProperty("javax.net.ssl.keyStorePassword", "passphrase");
             System.setProperty("javax.net.ssl.keyStore", "keystore");
             SSLServerSocketFactory sslssf =
-                    (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
+                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
             try (ServerSocket server = sslssf.createServerSocket(0)) {
                 this.serverPort = server.getLocalPort();
                 System.out.printf("%nServer started on: %s%n", getServerPort());
@@ -110,5 +110,5 @@
         }
 
     }
-
 }
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/MGF1.java	2018-05-11 15:08:31.991476000 -0700
@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.rsa;
+
+import java.security.*;
+
+/**
+ * This class implements the MGF1 mask generation function defined in PKCS#1
+ * v2.2 B.2.1. A mask generation function takes an octet string of variable
+ * length and a desired output length as input and outputs an octet string of
+ * the desired length. MGF1 is a mask generation function based on a hash
+ * function, i.e. message digest algorithm.
+ *
+ * @since   11
+ */
+public final class MGF1 {
+
+    private final MessageDigest md;
+
+    /**
+     * Construct an instance of MGF1 based on the specified digest algorithm.
+     */
+    MGF1(String mdAlgo) throws NoSuchAlgorithmException {
+        this.md = MessageDigest.getInstance(mdAlgo);
+    }
+
+    /**
+     * Using the specified seed bytes, generate the mask, xor the mask
+     * with the specified output buffer and store the result into the
+     * output buffer (essentially replaced in place).
+     *
+     * @param seed the buffer holding the seed bytes
+     * @param seedOfs the index of the seed bytes
+     * @param seedLen the length of the seed bytes to be used by MGF1
+     * @param maskLen the intended length of the generated mask
+     * @param out the output buffer holding the mask
+     * @param outOfs the index of the output buffer for the mask
+     */
+    void generateAndXor(byte[] seed, int seedOfs, int seedLen, int maskLen,
+            byte[] out, int outOfs) throws RuntimeException {
+        byte[] C = new byte[4]; // 32 bit counter
+        byte[] digest = new byte[md.getDigestLength()];
+        while (maskLen > 0) {
+            md.update(seed, seedOfs, seedLen);
+            md.update(C);
+            try {
+                md.digest(digest, 0, digest.length);
+            } catch (DigestException e) {
+                // should never happen
+                throw new RuntimeException(e.toString());
+            }
+            for (int i = 0; (i < digest.length) && (maskLen > 0); maskLen--) {
+                out[outOfs++] ^= digest[i++];
+            }
+            if (maskLen > 0) {
+                // increment counter
+                for (int i = C.length - 1; (++C[i] == 0) && (i > 0); i--) {
+                    // empty
+                }
+            }
+        }
+    }
+
+    /**
+     * Returns the name of this MGF1 instance, i.e. "MGF1" followed by the
+     * digest algorithm it based on.
+     */
+    String getName() {
+        return "MGF1" + md.getAlgorithm();
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/PSSParameters.java	2018-05-11 15:08:33.588572300 -0700
@@ -0,0 +1,255 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.rsa;
+
+import java.io.*;
+import sun.security.util.*;
+import sun.security.x509.*;
+import java.security.AlgorithmParametersSpi;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.spec.PSSParameterSpec;
+import static java.security.spec.PSSParameterSpec.DEFAULT;
+
+/**
+ * This class implements the PSS parameters used with the RSA
+ * signatures in PSS padding. Here is its ASN.1 definition:
+ * RSASSA-PSS-params ::= SEQUENCE {
+ *   hashAlgorithm      [0] HashAlgorithm     DEFAULT sha1,
+ *   maskGenAlgorithm   [1] MaskGenAlgorithm  DEFAULT mgf1SHA1,
+ *   saltLength         [2] INTEGER           DEFAULT 20
+ *   trailerField       [3] TrailerField      DEFAULT trailerFieldBC
+ * }
+ *
+ * @author Valerie Peng
+ *
+ */
+
+public final class PSSParameters extends AlgorithmParametersSpi {
+
+    private String mdName;
+    private MGF1ParameterSpec mgfSpec;
+    private int saltLength;
+    private int trailerField;
+
+    private static final ObjectIdentifier OID_MGF1 =
+           ObjectIdentifier.newInternal(new int[] {1,2,840,113549,1,1,8});
+
+    public PSSParameters() {
+    }
+
+    @Override
+    protected void engineInit(AlgorithmParameterSpec paramSpec)
+            throws InvalidParameterSpecException {
+        if (!(paramSpec instanceof PSSParameterSpec)) {
+            throw new InvalidParameterSpecException
+                ("Inappropriate parameter specification");
+        }
+        PSSParameterSpec spec = (PSSParameterSpec) paramSpec;
+        this.mdName = spec.getDigestAlgorithm();
+        String mgfName = spec.getMGFAlgorithm();
+        if (!mgfName.equalsIgnoreCase("MGF1")) {
+            throw new InvalidParameterSpecException("Unsupported mgf " +
+                mgfName + "; MGF1 only");
+        }
+        AlgorithmParameterSpec mgfSpec = spec.getMGFParameters();
+        if (!(mgfSpec instanceof MGF1ParameterSpec)) {
+            throw new InvalidParameterSpecException("Inappropriate mgf " +
+                "parameters; non-null MGF1ParameterSpec only");
+        }
+        this.mgfSpec = (MGF1ParameterSpec) mgfSpec;
+        this.saltLength = spec.getSaltLength();
+        this.trailerField = spec.getTrailerField();
+    }
+
+    @Override
+    protected void engineInit(byte[] encoded) throws IOException {
+        // first initialize with the DEFAULT values before
+        // retrieving from the encoding bytes
+        this.mdName = DEFAULT.getDigestAlgorithm();
+        this.mgfSpec = (MGF1ParameterSpec) DEFAULT.getMGFParameters();
+        this.saltLength = DEFAULT.getSaltLength();
+        this.trailerField = DEFAULT.getTrailerField();
+
+        DerInputStream der = new DerInputStream(encoded);
+        DerValue[] datum = der.getSequence(4);
+        for (DerValue d : datum) {
+            if (d.isContextSpecific((byte) 0x00)) {
+                // hash algid
+                this.mdName = AlgorithmId.parse
+                    (d.data.getDerValue()).getName();
+            } else if (d.isContextSpecific((byte) 0x01)) {
+                // mgf algid
+                AlgorithmId val = AlgorithmId.parse(d.data.getDerValue());
+                if (!val.getOID().equals(OID_MGF1)) {
+                    throw new IOException("Only MGF1 mgf is supported");
+                }
+                AlgorithmId params = AlgorithmId.parse(
+                    new DerValue(val.getEncodedParams()));
+                String mgfDigestName = params.getName();
+                switch (mgfDigestName) {
+                case "SHA-1":
+                    this.mgfSpec = MGF1ParameterSpec.SHA1;
+                    break;
+                case "SHA-224":
+                    this.mgfSpec = MGF1ParameterSpec.SHA224;
+                    break;
+                case "SHA-256":
+                    this.mgfSpec = MGF1ParameterSpec.SHA256;
+                    break;
+                case "SHA-384":
+                    this.mgfSpec = MGF1ParameterSpec.SHA384;
+                    break;
+                case "SHA-512":
+                    this.mgfSpec = MGF1ParameterSpec.SHA512;
+                    break;
+                case "SHA-512/224":
+                    this.mgfSpec = MGF1ParameterSpec.SHA512_224;
+                    break;
+                case "SHA-512/256":
+                    this.mgfSpec = MGF1ParameterSpec.SHA512_256;
+                    break;
+                default:
+                    throw new IOException
+                        ("Unrecognized message digest algorithm " +
+                        mgfDigestName);
+                }
+            } else if (d.isContextSpecific((byte) 0x02)) {
+                // salt length
+                this.saltLength = d.data.getDerValue().getInteger();
+                if (this.saltLength < 0) {
+                    throw new IOException("Negative value for saltLength");
+                }
+            } else if (d.isContextSpecific((byte) 0x03)) {
+                // trailer field
+                this.trailerField = d.data.getDerValue().getInteger();
+                if (this.trailerField != 1) {
+                    throw new IOException("Unsupported trailerField value " +
+                    this.trailerField);
+                }
+            } else {
+                throw new IOException("Invalid encoded PSSParameters");
+            }
+        }
+    }
+
+    @Override
+    protected void engineInit(byte[] encoded, String decodingMethod)
+            throws IOException {
+        if ((decodingMethod != null) &&
+            (!decodingMethod.equalsIgnoreCase("ASN.1"))) {
+            throw new IllegalArgumentException("Only support ASN.1 format");
+        }
+        engineInit(encoded);
+    }
+
+    @Override
+    protected <T extends AlgorithmParameterSpec>
+            T engineGetParameterSpec(Class<T> paramSpec)
+            throws InvalidParameterSpecException {
+        if (PSSParameterSpec.class.isAssignableFrom(paramSpec)) {
+            return paramSpec.cast(
+                new PSSParameterSpec(mdName, "MGF1", mgfSpec,
+                                     saltLength, trailerField));
+        } else {
+            throw new InvalidParameterSpecException
+                ("Inappropriate parameter specification");
+        }
+    }
+
+    @Override
+    protected byte[] engineGetEncoded() throws IOException {
+        DerOutputStream tmp = new DerOutputStream();
+        DerOutputStream tmp2, tmp3;
+
+        // MD
+        AlgorithmId mdAlgId;
+        try {
+            mdAlgId = AlgorithmId.get(mdName);
+        } catch (NoSuchAlgorithmException nsae) {
+            throw new IOException("AlgorithmId " + mdName +
+                                  " impl not found");
+        }
+        tmp2 = new DerOutputStream();
+        mdAlgId.derEncode(tmp2);
+        tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)0),
+                      tmp2);
+
+        // MGF
+        tmp2 = new DerOutputStream();
+        tmp2.putOID(OID_MGF1);
+        AlgorithmId mgfDigestId;
+        try {
+            mgfDigestId = AlgorithmId.get(mgfSpec.getDigestAlgorithm());
+        } catch (NoSuchAlgorithmException nase) {
+            throw new IOException("AlgorithmId " +
+                    mgfSpec.getDigestAlgorithm() + " impl not found");
+        }
+        mgfDigestId.encode(tmp2);
+        tmp3 = new DerOutputStream();
+        tmp3.write(DerValue.tag_Sequence, tmp2);
+        tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)1),
+                  tmp3);
+
+        // SaltLength
+        tmp2 = new DerOutputStream();
+        tmp2.putInteger(saltLength);
+        tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)2),
+                  tmp2);
+
+        // TrailerField
+        tmp2 = new DerOutputStream();
+        tmp2.putInteger(trailerField);
+        tmp.write(DerValue.createTag(DerValue.TAG_CONTEXT, true, (byte)3),
+                  tmp2);
+
+        // Put all together under a SEQUENCE tag
+        DerOutputStream out = new DerOutputStream();
+        out.write(DerValue.tag_Sequence, tmp);
+        return out.toByteArray();
+    }
+
+    @Override
+    protected byte[] engineGetEncoded(String encMethod) throws IOException {
+        if ((encMethod != null) &&
+            (!encMethod.equalsIgnoreCase("ASN.1"))) {
+            throw new IllegalArgumentException("Only support ASN.1 format");
+        }
+        return engineGetEncoded();
+    }
+
+    @Override
+    protected String engineToString() {
+        StringBuilder sb = new StringBuilder();
+        sb.append("MD: " + mdName + "\n")
+            .append("MGF: MGF1" + mgfSpec.getDigestAlgorithm() + "\n")
+            .append("SaltLength: " + saltLength + "\n")
+            .append("TrailerField: " + trailerField + "\n");
+        return sb.toString();
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAPSSSignature.java	2018-05-11 15:08:35.193153700 -0700
@@ -0,0 +1,618 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.rsa;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.PSSParameterSpec;
+import java.security.spec.MGF1ParameterSpec;
+import java.security.interfaces.*;
+
+import java.util.Arrays;
+import java.util.Hashtable;
+
+import sun.security.util.*;
+import sun.security.jca.JCAUtil;
+
+
+/**
+ * PKCS#1 v2.2 RSASSA-PSS signatures with various message digest algorithms.
+ * RSASSA-PSS implementation takes the message digest algorithm, MGF algorithm,
+ * and salt length values through the required signature PSS parameters.
+ * We support SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, and
+ * SHA-512/256 message digest algorithms and MGF1 mask generation function.
+ *
+ * @since   11
+ */
+public class RSAPSSSignature extends SignatureSpi {
+
+    private static final boolean DEBUG = false;
+
+    // utility method for comparing digest algorithms
+    // NOTE that first argument is assumed to be standard digest name
+    private boolean isDigestEqual(String stdAlg, String givenAlg) {
+        if (stdAlg == null || givenAlg == null) return false;
+
+        if (givenAlg.indexOf("-") != -1) {
+            return stdAlg.equalsIgnoreCase(givenAlg);
+        } else {
+            if (stdAlg.equals("SHA-1")) {
+                return (givenAlg.equalsIgnoreCase("SHA")
+                        || givenAlg.equalsIgnoreCase("SHA1"));
+            } else {
+                StringBuilder sb = new StringBuilder(givenAlg);
+                // case-insensitive check
+                if (givenAlg.regionMatches(true, 0, "SHA", 0, 3)) {
+                    givenAlg = sb.insert(3, "-").toString();
+                    return stdAlg.equalsIgnoreCase(givenAlg);
+                } else {
+                    throw new ProviderException("Unsupported digest algorithm "
+                            + givenAlg);
+                }
+            }
+        }
+    }
+
+    private static final byte[] EIGHT_BYTES_OF_ZEROS = new byte[8];
+
+    private static final Hashtable<String, Integer> DIGEST_LENGTHS =
+        new Hashtable<String, Integer>();
+    static {
+        DIGEST_LENGTHS.put("SHA-1", 20);
+        DIGEST_LENGTHS.put("SHA", 20);
+        DIGEST_LENGTHS.put("SHA1", 20);
+        DIGEST_LENGTHS.put("SHA-224", 28);
+        DIGEST_LENGTHS.put("SHA224", 28);
+        DIGEST_LENGTHS.put("SHA-256", 32);
+        DIGEST_LENGTHS.put("SHA256", 32);
+        DIGEST_LENGTHS.put("SHA-384", 48);
+        DIGEST_LENGTHS.put("SHA384", 48);
+        DIGEST_LENGTHS.put("SHA-512", 64);
+        DIGEST_LENGTHS.put("SHA512", 64);
+        DIGEST_LENGTHS.put("SHA-512/224", 28);
+        DIGEST_LENGTHS.put("SHA512/224", 28);
+        DIGEST_LENGTHS.put("SHA-512/256", 32);
+        DIGEST_LENGTHS.put("SHA512/256", 32);
+    }
+
+    // message digest implementation we use for hashing the data
+    private MessageDigest md;
+    // flag indicating whether the digest is reset
+    private boolean digestReset = true;
+
+    // private key, if initialized for signing
+    private RSAPrivateKey privKey = null;
+    // public key, if initialized for verifying
+    private RSAPublicKey pubKey = null;
+    // PSS parameters from signatures and keys respectively
+    private PSSParameterSpec sigParams = null; // required for PSS signatures
+
+    // PRNG used to generate salt bytes if none given
+    private SecureRandom random;
+
+    /**
+     * Construct a new RSAPSSSignatur with arbitrary digest algorithm
+     */
+    public RSAPSSSignature() {
+        this.md = null;
+    }
+
+    // initialize for verification. See JCA doc
+    @Override
+    protected void engineInitVerify(PublicKey publicKey)
+            throws InvalidKeyException {
+        if (!(publicKey instanceof RSAPublicKey)) {
+            throw new InvalidKeyException("key must be RSAPublicKey");
+        }
+        this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey);
+        this.privKey = null;
+
+    }
+
+    // initialize for signing. See JCA doc
+    @Override
+    protected void engineInitSign(PrivateKey privateKey)
+            throws InvalidKeyException {
+        engineInitSign(privateKey, null);
+    }
+
+    // initialize for signing. See JCA doc
+    @Override
+    protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
+            throws InvalidKeyException {
+        if (!(privateKey instanceof RSAPrivateKey)) {
+            throw new InvalidKeyException("key must be RSAPrivateKey");
+        }
+        this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey);
+        this.pubKey = null;
+        this.random =
+            (random == null? JCAUtil.getSecureRandom() : random);
+    }
+
+    /**
+     * Utility method for checking the key PSS parameters against signature
+     * PSS parameters.
+     * Returns false if any of the digest/MGF algorithms and trailerField
+     * values does not match or if the salt length in key parameters is
+     * larger than the value in signature parameters.
+     */
+    private static boolean isCompatible(AlgorithmParameterSpec keyParams,
+            PSSParameterSpec sigParams) {
+        if (keyParams == null) {
+            // key with null PSS parameters means no restriction
+            return true;
+        }
+        if (!(keyParams instanceof PSSParameterSpec)) {
+            return false;
+        }
+        // nothing to compare yet, defer the check to when sigParams is set
+        if (sigParams == null) {
+            return true;
+        }
+        PSSParameterSpec pssKeyParams = (PSSParameterSpec) keyParams;
+        // first check the salt length requirement
+        if (pssKeyParams.getSaltLength() > sigParams.getSaltLength()) {
+            return false;
+        }
+
+        // compare equality of the rest of fields based on DER encoding
+        PSSParameterSpec keyParams2 =
+            new PSSParameterSpec(pssKeyParams.getDigestAlgorithm(),
+                    pssKeyParams.getMGFAlgorithm(),
+                    pssKeyParams.getMGFParameters(),
+                    sigParams.getSaltLength(),
+                    pssKeyParams.getTrailerField());
+        PSSParameters ap = new PSSParameters();
+        try {
+            ap.engineInit(keyParams2);
+            byte[] encoded = ap.engineGetEncoded();
+            ap.engineInit(sigParams);
+            byte[] encoded2 = ap.engineGetEncoded();
+            return Arrays.equals(encoded, encoded2);
+        } catch (Exception e) {
+            if (DEBUG) {
+                e.printStackTrace();
+            }
+            return false;
+        }
+    }
+
+    /**
+     * Validate the specified RSAKey and its associated parameters against
+     * internal signature parameters.
+     */
+    private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException {
+        try {
+            AlgorithmParameterSpec keyParams = rsaKey.getParams();
+            // validate key parameters
+            if (!isCompatible(rsaKey.getParams(), this.sigParams)) {
+                throw new InvalidKeyException
+                    ("Key contains incompatible PSS parameter values");
+            }
+            // validate key length
+            if (this.sigParams != null) {
+                Integer hLen =
+                    DIGEST_LENGTHS.get(this.sigParams.getDigestAlgorithm());
+                if (hLen == null) {
+                    throw new ProviderException("Unsupported digest algo: " +
+                        this.sigParams.getDigestAlgorithm());
+                }
+                checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength());
+            }
+            return rsaKey;
+        } catch (SignatureException e) {
+            throw new InvalidKeyException(e);
+        }
+    }
+
+    /**
+     * Validate the specified Signature PSS parameters.
+     */
+    private PSSParameterSpec validateSigParams(AlgorithmParameterSpec p)
+            throws InvalidAlgorithmParameterException {
+        if (p == null) {
+            throw new InvalidAlgorithmParameterException
+                ("Parameters cannot be null");
+        }
+        if (!(p instanceof PSSParameterSpec)) {
+            throw new InvalidAlgorithmParameterException
+                ("parameters must be type PSSParameterSpec");
+        }
+        // no need to validate again if same as current signature parameters
+        PSSParameterSpec params = (PSSParameterSpec) p;
+        if (params == this.sigParams) return params;
+
+        RSAKey key = (this.privKey == null? this.pubKey : this.privKey);
+        // check against keyParams if set
+        if (key != null) {
+            if (!isCompatible(key.getParams(), params)) {
+                throw new InvalidAlgorithmParameterException
+                    ("Signature parameters does not match key parameters");
+            }
+        }
+        // now sanity check the parameter values
+        if (!(params.getMGFAlgorithm().equalsIgnoreCase("MGF1"))) {
+            throw new InvalidAlgorithmParameterException("Only supports MGF1");
+
+        }
+        if (params.getTrailerField() != 1) {
+            throw new InvalidAlgorithmParameterException
+                ("Only supports TrailerFieldBC(1)");
+
+        }
+        String digestAlgo = params.getDigestAlgorithm();
+        // check key length again
+        if (key != null) {
+            try {
+                int hLen = DIGEST_LENGTHS.get(digestAlgo);
+                checkKeyLength(key, hLen, params.getSaltLength());
+            } catch (SignatureException e) {
+                throw new InvalidAlgorithmParameterException(e);
+            }
+        }
+        return params;
+    }
+
+    /**
+     * Ensure the object is initialized with key and parameters and
+     * reset digest
+     */
+    private void ensureInit() throws SignatureException {
+        RSAKey key = (this.privKey == null? this.pubKey : this.privKey);
+        if (key == null) {
+            throw new SignatureException("Missing key");
+        }
+        if (this.sigParams == null) {
+            // Parameters are required for signature verification
+            throw new SignatureException
+                ("Parameters required for RSASSA-PSS signatures");
+        }
+    }
+
+    /**
+     * Utility method for checking key length against digest length and
+     * salt length
+     */
+    private static void checkKeyLength(RSAKey key, int digestLen,
+            int saltLen) throws SignatureException {
+        if (key != null) {
+            int keyLength = getKeyLengthInBits(key) >> 3;
+            int minLength = Math.addExact(Math.addExact(digestLen, saltLen), 2);
+            if (keyLength < minLength) {
+                throw new SignatureException
+                    ("Key is too short, need min " + minLength);
+            }
+        }
+    }
+
+    /**
+     * Reset the message digest if it is not already reset.
+     */
+    private void resetDigest() {
+        if (digestReset == false) {
+            this.md.reset();
+            digestReset = true;
+        }
+    }
+
+    /**
+     * Return the message digest value.
+     */
+    private byte[] getDigestValue() {
+        digestReset = true;
+        return this.md.digest();
+    }
+
+    // update the signature with the plaintext data. See JCA doc
+    @Override
+    protected void engineUpdate(byte b) throws SignatureException {
+        ensureInit();
+        this.md.update(b);
+        digestReset = false;
+    }
+
+    // update the signature with the plaintext data. See JCA doc
+    @Override
+    protected void engineUpdate(byte[] b, int off, int len)
+            throws SignatureException {
+        ensureInit();
+        this.md.update(b, off, len);
+        digestReset = false;
+    }
+
+    // update the signature with the plaintext data. See JCA doc
+    @Override
+    protected void engineUpdate(ByteBuffer b) {
+        try {
+            ensureInit();
+        } catch (SignatureException se) {
+            // hack for working around API bug
+            throw new RuntimeException(se.getMessage());
+        }
+        this.md.update(b);
+        digestReset = false;
+    }
+
+    // sign the data and return the signature. See JCA doc
+    @Override
+    protected byte[] engineSign() throws SignatureException {
+        ensureInit();
+        byte[] mHash = getDigestValue();
+        try {
+            byte[] encoded = encodeSignature(mHash);
+            byte[] encrypted = RSACore.rsa(encoded, privKey, true);
+            return encrypted;
+        } catch (GeneralSecurityException e) {
+            throw new SignatureException("Could not sign data", e);
+        } catch (IOException e) {
+            throw new SignatureException("Could not encode data", e);
+        }
+    }
+
+    // verify the data and return the result. See JCA doc
+    // should be reset to the state after engineInitVerify call.
+    @Override
+    protected boolean engineVerify(byte[] sigBytes) throws SignatureException {
+        ensureInit();
+        try {
+            if (sigBytes.length != RSACore.getByteLength(this.pubKey)) {
+                throw new SignatureException
+                    ("Signature length not correct: got "
+                    + sigBytes.length + " but was expecting "
+                    + RSACore.getByteLength(this.pubKey));
+            }
+            byte[] mHash = getDigestValue();
+            byte[] decrypted = RSACore.rsa(sigBytes, this.pubKey);
+            return decodeSignature(mHash, decrypted);
+        } catch (javax.crypto.BadPaddingException e) {
+            // occurs if the app has used the wrong RSA public key
+            // or if sigBytes is invalid
+            // return false rather than propagating the exception for
+            // compatibility/ease of use
+            return false;
+        } catch (IOException e) {
+            throw new SignatureException("Signature encoding error", e);
+        } finally {
+            resetDigest();
+        }
+    }
+
+    // return the modulus length in bits
+    private static int getKeyLengthInBits(RSAKey k) {
+        if (k != null) {
+            return k.getModulus().bitLength();
+        }
+        return -1;
+    }
+
+    /**
+     * Encode the digest 'mHash', return the to-be-signed data.
+     * Also used by the PKCS#11 provider.
+     */
+    private byte[] encodeSignature(byte[] mHash)
+        throws IOException, DigestException {
+        AlgorithmParameterSpec mgfParams = this.sigParams.getMGFParameters();
+        String mgfDigestAlgo;
+        if (mgfParams != null) {
+            mgfDigestAlgo =
+                ((MGF1ParameterSpec) mgfParams).getDigestAlgorithm();
+        } else {
+            mgfDigestAlgo = this.md.getAlgorithm();
+        }
+        try {
+            int emBits = getKeyLengthInBits(this.privKey) - 1;
+            int emLen =(emBits + 7) >> 3;
+            int hLen = this.md.getDigestLength();
+            int dbLen = emLen - hLen - 1;
+            int sLen = this.sigParams.getSaltLength();
+
+            // maps DB into the corresponding region of EM and
+            // stores its bytes directly into EM
+            byte[] em = new byte[emLen];
+
+            // step7 and some of step8
+            em[dbLen - sLen - 1] = (byte) 1; // set DB's padding2 into EM
+            em[em.length - 1] = (byte) 0xBC; // set trailer field of EM
+
+            if (!digestReset) {
+                throw new ProviderException("Digest should be reset");
+            }
+            // step5: generates M' using padding1, mHash, and salt
+            this.md.update(EIGHT_BYTES_OF_ZEROS);
+            digestReset = false; // mark digest as it now has data
+            this.md.update(mHash);
+            if (sLen != 0) {
+                // step4: generate random salt
+                byte[] salt = new byte[sLen];
+                this.random.nextBytes(salt);
+                this.md.update(salt);
+
+                // step8: set DB's salt into EM
+                System.arraycopy(salt, 0, em, dbLen - sLen, sLen);
+            }
+            // step6: generate H using M'
+            this.md.digest(em, dbLen, hLen); // set H field of EM
+            digestReset = true;
+
+            // step7 and 8 are already covered by the code which setting up
+            // EM as above
+
+            // step9 and 10: feed H into MGF and xor with DB in EM
+            MGF1 mgf1 = new MGF1(mgfDigestAlgo);
+            mgf1.generateAndXor(em, dbLen, hLen, dbLen, em, 0);
+
+            // step11: set the leftmost (8emLen - emBits) bits of the leftmost
+            // octet to 0
+            int numZeroBits = (emLen << 3) - emBits;
+            if (numZeroBits != 0) {
+                byte MASK = (byte) (0xff >>> numZeroBits);
+                em[0] = (byte) (em[0] & MASK);
+            }
+
+            // step12: em should now holds maskedDB || hash h || 0xBC
+            return em;
+        } catch (NoSuchAlgorithmException e) {
+            throw new IOException(e.toString());
+        }
+    }
+
+    /**
+     * Decode the signature data. Verify that the object identifier matches
+     * and return the message digest.
+     */
+    private boolean decodeSignature(byte[] mHash, byte[] em)
+            throws IOException {
+        int hLen = mHash.length;
+        int sLen = this.sigParams.getSaltLength();
+        int emLen = em.length;
+        int emBits = getKeyLengthInBits(this.pubKey) - 1;
+
+        // step3
+        if (emLen < (hLen + sLen + 2)) {
+            return false;
+        }
+
+        // step4
+        if (em[emLen - 1] != (byte) 0xBC) {
+            return false;
+        }
+
+        // step6: check if the leftmost (8emLen - emBits) bits of the leftmost
+        // octet are 0
+        int numZeroBits = (emLen << 3) - emBits;
+        if (numZeroBits != 0) {
+            byte MASK = (byte) (0xff << (8 - numZeroBits));
+            if ((em[0] & MASK) != 0) {
+                return false;
+            }
+        }
+        String mgfDigestAlgo;
+        AlgorithmParameterSpec mgfParams = this.sigParams.getMGFParameters();
+        if (mgfParams != null) {
+            mgfDigestAlgo =
+                ((MGF1ParameterSpec) mgfParams).getDigestAlgorithm();
+        } else {
+            mgfDigestAlgo = this.md.getAlgorithm();
+        }
+        // step 7 and 8
+        int dbLen = emLen - hLen - 1;
+        try {
+            MGF1 mgf1 = new MGF1(mgfDigestAlgo);
+            mgf1.generateAndXor(em, dbLen, hLen, dbLen, em, 0);
+        } catch (NoSuchAlgorithmException nsae) {
+            throw new IOException(nsae.toString());
+        }
+
+        // step9: set the leftmost (8emLen - emBits) bits of the leftmost
+        //  octet to 0
+        if (numZeroBits != 0) {
+            byte MASK = (byte) (0xff >>> numZeroBits);
+            em[0] = (byte) (em[0] & MASK);
+        }
+
+        // step10
+        int i = 0;
+        for (; i < dbLen - sLen - 1; i++) {
+            if (em[i] != 0) {
+                return false;
+            }
+        }
+        if (em[i] != 0x01) {
+            return false;
+        }
+        // step12 and 13
+        this.md.update(EIGHT_BYTES_OF_ZEROS);
+        digestReset = false;
+        this.md.update(mHash);
+        if (sLen > 0) {
+            this.md.update(em, (dbLen - sLen), sLen);
+        }
+        byte[] digest2 = this.md.digest();
+        digestReset = true;
+
+        // step14
+        byte[] digestInEM = Arrays.copyOfRange(em, dbLen, emLen - 1);
+        return MessageDigest.isEqual(digest2, digestInEM);
+    }
+
+    // set parameter, not supported. See JCA doc
+    @Deprecated
+    @Override
+    protected void engineSetParameter(String param, Object value)
+            throws InvalidParameterException {
+        throw new UnsupportedOperationException("setParameter() not supported");
+    }
+
+    @Override
+    protected void engineSetParameter(AlgorithmParameterSpec params)
+            throws InvalidAlgorithmParameterException {
+        this.sigParams = validateSigParams(params);
+        // disallow changing parameters when digest has been used
+        if (!digestReset) {
+            throw new ProviderException
+                ("Cannot set parameters during operations");
+        }
+        String newHashAlg = this.sigParams.getDigestAlgorithm();
+        // re-allocate md if not yet assigned or algorithm changed
+        if ((this.md == null) ||
+            !(this.md.getAlgorithm().equalsIgnoreCase(newHashAlg))) {
+            try {
+                this.md = MessageDigest.getInstance(newHashAlg);
+            } catch (NoSuchAlgorithmException nsae) {
+                // should not happen as we pick default digest algorithm
+                throw new InvalidAlgorithmParameterException
+                    ("Unsupported digest algorithm " +
+                     newHashAlg, nsae);
+            }
+        }
+    }
+
+    // get parameter, not supported. See JCA doc
+    @Deprecated
+    @Override
+    protected Object engineGetParameter(String param)
+            throws InvalidParameterException {
+        throw new UnsupportedOperationException("getParameter() not supported");
+    }
+
+    @Override
+    protected AlgorithmParameters engineGetParameters() {
+        if (this.sigParams == null) {
+            throw new ProviderException("Missing required PSS parameters");
+        }
+        try {
+            AlgorithmParameters ap =
+                AlgorithmParameters.getInstance("RSASSA-PSS");
+            ap.init(this.sigParams);
+            return ap;
+        } catch (GeneralSecurityException gse) {
+            throw new ProviderException(gse.getMessage());
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/rsa/RSAUtil.java	2018-05-11 15:08:36.787722000 -0700
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.rsa;
+
+import java.io.IOException;
+import java.security.*;
+import java.security.spec.*;
+import sun.security.util.ObjectIdentifier;
+import sun.security.x509.AlgorithmId;
+
+/**
+ * Utility class for SunRsaSign provider.
+ * Currently used by RSAKeyPairGenerator and RSAKeyFactory.
+ *
+ * @since   11
+ */
+public class RSAUtil {
+
+    public enum KeyType {
+        RSA ("RSA"),
+        PSS ("RSASSA-PSS"),
+        ;
+
+        private final String algo;
+
+        KeyType(String keyAlgo) {
+            this.algo = keyAlgo;
+        }
+        public String keyAlgo() {
+            return algo;
+        }
+        public static KeyType lookup(String name) {
+            for (KeyType kt : KeyType.values()) {
+                if (kt.keyAlgo().equalsIgnoreCase(name)) {
+                    return kt;
+                }
+            }
+            // no match
+            throw new ProviderException("Unsupported algorithm " + name);
+        }
+    }
+
+    public static void checkParamsAgainstType(KeyType type,
+            AlgorithmParameterSpec paramSpec) throws ProviderException {
+        switch (type) {
+            case RSA:
+                if (paramSpec != null) {
+                    throw new ProviderException("null params expected for " +
+                        type.keyAlgo());
+                }
+                break;
+            case PSS:
+                if ((paramSpec != null) &&
+                    !(paramSpec instanceof PSSParameterSpec)) {
+                    throw new ProviderException
+                        ("PSSParmeterSpec expected for " + type.keyAlgo());
+                }
+                break;
+            default:
+                throw new ProviderException
+                    ("Unsupported RSA algorithm " + type);
+        }
+    }
+
+    public static AlgorithmId createAlgorithmId(KeyType type,
+            AlgorithmParameterSpec paramSpec) throws ProviderException {
+
+        checkParamsAgainstType(type, paramSpec);
+
+        ObjectIdentifier oid = null;
+        AlgorithmParameters params = null;
+        try {
+            switch (type) {
+                case RSA:
+                    oid = AlgorithmId.RSAEncryption_oid;
+                    break;
+                case PSS:
+                    if (paramSpec != null) {
+                        params = AlgorithmParameters.getInstance(type.keyAlgo());
+                        params.init(paramSpec);
+                    }
+                    oid = AlgorithmId.RSASSA_PSS_oid;
+                    break;
+                default:
+                    throw new ProviderException
+                        ("Unsupported RSA algorithm "  + type);
+            }
+            AlgorithmId result;
+            if (params == null) {
+                result = new AlgorithmId(oid);
+            } else {
+                result = new AlgorithmId(oid, params);
+            }
+            return result;
+        } catch (NoSuchAlgorithmException | InvalidParameterSpecException e) {
+            // should not happen
+            throw new ProviderException(e);
+        }
+    }
+
+    public static AlgorithmParameterSpec getParamSpec(AlgorithmId algid)
+            throws ProviderException {
+        if (algid == null) {
+            throw new ProviderException("AlgorithmId should not be null");
+        }
+        return getParamSpec(algid.getParameters());
+    }
+
+    public static AlgorithmParameterSpec getParamSpec(AlgorithmParameters params)
+            throws ProviderException {
+        if (params == null) return null;
+
+        String algName = params.getAlgorithm();
+        KeyType type = KeyType.lookup(algName);
+        Class<? extends AlgorithmParameterSpec> specCls;
+        switch (type) {
+            case RSA:
+                throw new ProviderException("No params accepted for " +
+                    type.keyAlgo());
+            case PSS:
+                specCls = PSSParameterSpec.class;
+                break;
+            default:
+                throw new ProviderException("Unsupported RSA algorithm: " + algName);
+        }
+        try {
+            return params.getParameterSpec(specCls);
+        } catch (Exception e) {
+            throw new ProviderException(e);
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/Alerts.java	2018-05-11 15:08:39.112831300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,223 +0,0 @@
-/*
- * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import javax.net.ssl.*;
-
-/*
- * A simple class to congregate alerts, their definitions, and common
- * support methods.
- */
-
-final class Alerts {
-
-    /*
-     * Alerts are always a fixed two byte format (level/description).
-     */
-
-    // warnings and fatal errors are package private facilities/constants
-
-    // Alert levels (enum AlertLevel)
-    static final byte           alert_warning = 1;
-    static final byte           alert_fatal = 2;
-
-    /*
-     * Alert descriptions (enum AlertDescription)
-     *
-     * We may not use them all in our processing, but if someone
-     * sends us one, we can at least convert it to a string for the
-     * user.
-     */
-    static final byte           alert_close_notify = 0;
-    static final byte           alert_unexpected_message = 10;
-    static final byte           alert_bad_record_mac = 20;
-    static final byte           alert_decryption_failed = 21;
-    static final byte           alert_record_overflow = 22;
-    static final byte           alert_decompression_failure = 30;
-    static final byte           alert_handshake_failure = 40;
-    static final byte           alert_no_certificate = 41;
-    static final byte           alert_bad_certificate = 42;
-    static final byte           alert_unsupported_certificate = 43;
-    static final byte           alert_certificate_revoked = 44;
-    static final byte           alert_certificate_expired = 45;
-    static final byte           alert_certificate_unknown = 46;
-    static final byte           alert_illegal_parameter = 47;
-    static final byte           alert_unknown_ca = 48;
-    static final byte           alert_access_denied = 49;
-    static final byte           alert_decode_error = 50;
-    static final byte           alert_decrypt_error = 51;
-    static final byte           alert_export_restriction = 60;
-    static final byte           alert_protocol_version = 70;
-    static final byte           alert_insufficient_security = 71;
-    static final byte           alert_internal_error = 80;
-    static final byte           alert_user_canceled = 90;
-    static final byte           alert_no_renegotiation = 100;
-
-    // from RFC 3546 (TLS Extensions)
-    static final byte           alert_unsupported_extension = 110;
-    static final byte           alert_certificate_unobtainable = 111;
-    static final byte           alert_unrecognized_name = 112;
-    static final byte           alert_bad_certificate_status_response = 113;
-    static final byte           alert_bad_certificate_hash_value = 114;
-
-    // from RFC 7301 (TLS ALPN Extension)
-    static final byte           alert_no_application_protocol = 120;
-
-    static String alertDescription(byte code) {
-        switch (code) {
-
-        case alert_close_notify:
-            return "close_notify";
-        case alert_unexpected_message:
-            return "unexpected_message";
-        case alert_bad_record_mac:
-            return "bad_record_mac";
-        case alert_decryption_failed:
-            return "decryption_failed";
-        case alert_record_overflow:
-            return "record_overflow";
-        case alert_decompression_failure:
-            return "decompression_failure";
-        case alert_handshake_failure:
-            return "handshake_failure";
-        case alert_no_certificate:
-            return "no_certificate";
-        case alert_bad_certificate:
-            return "bad_certificate";
-        case alert_unsupported_certificate:
-            return "unsupported_certificate";
-        case alert_certificate_revoked:
-            return "certificate_revoked";
-        case alert_certificate_expired:
-            return "certificate_expired";
-        case alert_certificate_unknown:
-            return "certificate_unknown";
-        case alert_illegal_parameter:
-            return "illegal_parameter";
-        case alert_unknown_ca:
-            return "unknown_ca";
-        case alert_access_denied:
-            return "access_denied";
-        case alert_decode_error:
-            return "decode_error";
-        case alert_decrypt_error:
-            return "decrypt_error";
-        case alert_export_restriction:
-            return "export_restriction";
-        case alert_protocol_version:
-            return "protocol_version";
-        case alert_insufficient_security:
-            return "insufficient_security";
-        case alert_internal_error:
-            return "internal_error";
-        case alert_user_canceled:
-            return "user_canceled";
-        case alert_no_renegotiation:
-            return "no_renegotiation";
-        case alert_unsupported_extension:
-            return "unsupported_extension";
-        case alert_certificate_unobtainable:
-            return "certificate_unobtainable";
-        case alert_unrecognized_name:
-            return "unrecognized_name";
-        case alert_bad_certificate_status_response:
-            return "bad_certificate_status_response";
-        case alert_bad_certificate_hash_value:
-            return "bad_certificate_hash_value";
-        case alert_no_application_protocol:
-            return "no_application_protocol";
-
-        default:
-            return "<UNKNOWN ALERT: " + (code & 0x0ff) + ">";
-        }
-    }
-
-    static SSLException getSSLException(byte description, String reason) {
-        return getSSLException(description, null, reason);
-    }
-
-    /*
-     * Try to be a little more specific in our choice of
-     * exceptions to throw.
-     */
-    static SSLException getSSLException(byte description, Throwable cause,
-            String reason) {
-
-        SSLException e;
-        // the SSLException classes do not have a no-args constructor
-        // make up a message if there is none
-        if (reason == null) {
-            if (cause != null) {
-                reason = cause.toString();
-            } else {
-                reason = "";
-            }
-        }
-        switch (description) {
-        case alert_handshake_failure:
-        case alert_no_certificate:
-        case alert_bad_certificate:
-        case alert_unsupported_certificate:
-        case alert_certificate_revoked:
-        case alert_certificate_expired:
-        case alert_certificate_unknown:
-        case alert_unknown_ca:
-        case alert_access_denied:
-        case alert_decrypt_error:
-        case alert_export_restriction:
-        case alert_insufficient_security:
-        case alert_unsupported_extension:
-        case alert_certificate_unobtainable:
-        case alert_unrecognized_name:
-        case alert_bad_certificate_status_response:
-        case alert_bad_certificate_hash_value:
-        case alert_no_application_protocol:
-            e = new SSLHandshakeException(reason);
-            break;
-
-        case alert_close_notify:
-        case alert_unexpected_message:
-        case alert_bad_record_mac:
-        case alert_decryption_failed:
-        case alert_record_overflow:
-        case alert_decompression_failure:
-        case alert_illegal_parameter:
-        case alert_decode_error:
-        case alert_protocol_version:
-        case alert_internal_error:
-        case alert_user_canceled:
-        case alert_no_renegotiation:
-        default:
-            e = new SSLException(reason);
-            break;
-        }
-
-        if (cause != null) {
-            e.initCause(cause);
-        }
-        return e;
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Alert.java	2018-05-11 15:08:38.403193600 -0700
@@ -0,0 +1,269 @@
+/*
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Locale;
+import javax.net.ssl.*;
+
+/**
+ * SSL/(D)TLS Alter description
+ */
+enum Alert {
+    // Please refer to TLS Alert Registry for the latest (D)TLS Alert values:
+    //     https://www.iana.org/assignments/tls-parameters/
+    CLOSE_NOTIFY            ((byte)0,   "close_notify", false),
+    UNEXPECTED_MESSAGE      ((byte)10,  "unexpected_message", false),
+    BAD_RECORD_MAC          ((byte)20,  "bad_record_mac", false),
+    DECRYPTION_FAILED       ((byte)21,  "decryption_failed", false),
+    RECORD_OVERFLOW         ((byte)22,  "record_overflow", false),
+    DECOMPRESSION_FAILURE   ((byte)30,  "decompression_failure", false),
+    HANDSHAKE_FAILURE       ((byte)40,  "handshake_failure", true),
+    NO_CERTIFICATE          ((byte)41,  "no_certificate", true),
+    BAD_CERTIFICATE         ((byte)42,  "bad_certificate", true),
+    UNSUPPORTED_CERTIFCATE  ((byte)43,  "unsupported_certificate", true),
+    CERTIFICATE_REVOKED     ((byte)44,  "certificate_revoked", true),
+    CERTIFICATE_EXPIRED     ((byte)45,  "certificate_expired", true),
+    CERTIFICATE_UNKNOWN     ((byte)46,  "certificate_unknown", true),
+    ILLEGAL_PARAMETER       ((byte)47,  "illegal_parameter", true),
+    UNKNOWN_CA              ((byte)48,  "unknown_ca", true),
+    ACCESS_DENIED           ((byte)49,  "access_denied", true),
+    DECODE_ERROR            ((byte)50,  "decode_error", true),
+    DECRYPT_ERROR           ((byte)51,  "decrypt_error", true),
+    EXPORT_RESTRICTION      ((byte)60,  "export_restriction", true),
+    PROTOCOL_VERSION        ((byte)70,  "protocol_version", true),
+    INSUFFICIENT_SECURITY   ((byte)71,  "insufficient_security", true),
+    INTERNAL_ERROR          ((byte)80,  "internal_error", false),
+    INAPPROPRIATE_FALLBACK  ((byte)86,  "inappropriate_fallback", false),
+    USER_CANCELED           ((byte)90,  "user_canceled", false),
+    NO_RENEGOTIATION        ((byte)100, "no_renegotiation", true),
+    MISSING_EXTENSION       ((byte)109, "missing_extension", true),
+    UNSUPPORTED_EXTENSION   ((byte)110, "unsupported_extension", true),
+    CERT_UNOBTAINABLE       ((byte)111, "certificate_unobtainable", true),
+    UNRECOGNIZED_NAME       ((byte)112, "unrecognized_name", true),
+    BAD_CERT_STATUS_RESPONSE((byte)113,
+                                    "bad_certificate_status_response", true),
+    BAD_CERT_HASH_VALUE     ((byte)114, "bad_certificate_hash_value", true),
+    UNKNOWN_PSK_IDENTITY    ((byte)115, "unknown_psk_identity", true),
+    CERTIFICATE_REQUIRED    ((byte)116, "certificate_required", true),
+    NO_APPLICATION_PROTOCOL ((byte)120, "no_application_protocol", true);
+
+    // ordinal value of the Alert
+    final byte id;
+
+    // description of the Alert
+    final String description;
+
+    // Does tha alert happen during handshake only?
+    final boolean handshakeOnly;
+
+    // Alert message consumer
+    static final SSLConsumer alertConsumer = new AlertConsumer();
+
+    private Alert(byte id, String description, boolean handshakeOnly) {
+        this.id = id;
+        this.description = description;
+        this.handshakeOnly = handshakeOnly;
+    }
+
+    static Alert valueOf(byte id) {
+        for (Alert al : Alert.values()) {
+            if (al.id == id) {
+                return al;
+            }
+        }
+
+        return null;
+    }
+
+    static String nameOf(byte id) {
+        for (Alert al : Alert.values()) {
+            if (al.id == id) {
+                return al.description;
+            }
+        }
+
+        return "UNKNOWN ALERT (" + (id & 0x0FF) + ")";
+    }
+
+    SSLException createSSLException(String reason) {
+        return createSSLException(reason, null);
+    }
+
+    SSLException createSSLException(String reason, Throwable cause) {
+        if (reason == null) {
+            reason = (cause != null) ? cause.getMessage() : "";
+        }
+
+        SSLException ssle = handshakeOnly ?
+                new SSLHandshakeException(reason) : new SSLException(reason);
+        if (cause != null) {
+            ssle.initCause(cause);
+        }
+
+        return ssle;
+    }
+
+    /**
+     * SSL/(D)TLS Alert level.
+     */
+    enum Level {
+        WARNING ((byte)1, "warning"),
+        FATAL   ((byte)2, "fatal");
+
+        // ordinal value of the Alert level
+        final byte level;
+
+        // description of the Alert level
+        final String description;
+
+        private Level(byte level, String description) {
+            this.level = level;
+            this.description = description;
+        }
+
+        static Level valueOf(byte level) {
+            for (Level lv : Level.values()) {
+                if (lv.level == level) {
+                    return lv;
+                }
+            }
+
+            return null;
+        }
+
+        static String nameOf(byte level) {
+            for (Level lv : Level.values()) {
+                if (lv.level == level) {
+                    return lv.description;
+                }
+            }
+
+            return "UNKNOWN ALERT LEVEL (" + (level & 0x0FF) + ")";
+        }
+    }
+
+    /**
+     * The Alert message.
+     */
+    private static final class AlertMessage {
+        private final byte level;       // level
+        private final byte id;          // description
+
+        AlertMessage(TransportContext context,
+                ByteBuffer m) throws IOException {
+            //  struct {
+            //      AlertLevel level;
+            //      AlertDescription description;
+            //  } Alert;
+            if (m.remaining() != 2) {
+                context.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid Alert message: no sufficient data");
+            }
+
+            this.level = m.get();   // level
+            this.id = m.get();      // description
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"Alert\": '{'\n" +
+                    "  \"level\"      : \"{0}\",\n" +
+                    "  \"description\": \"{1}\"\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            Object[] messageFields = {
+                Level.nameOf(level),
+                Alert.nameOf(id)
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * Consumer of alert messages
+     */
+    private static final class AlertConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private AlertConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer m) throws IOException {
+            TransportContext tc = (TransportContext)context;
+
+            AlertMessage am = new AlertMessage(tc, m);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine("Received alert message", am);
+            }
+
+            Level level = Level.valueOf(am.level);
+            Alert alert = Alert.valueOf(am.id);
+            if (alert == Alert.CLOSE_NOTIFY) {
+                if (tc.handshakeContext != null) {
+                    tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                            "Received close_notify during handshake");
+                }
+
+                tc.isInputCloseNotified = true;
+                tc.closeInbound();
+            } else if ((level == Level.WARNING) && (alert != null)) {
+                // Terminate the connection if an alert with a level of warning
+                // is received during handshaking, except the no_certificate
+                // warning.
+                if (alert.handshakeOnly && (tc.handshakeContext != null)) {
+                    // It's OK to get a no_certificate alert from a client of
+                    // which we requested client authentication.  However,
+                    // if we required it, then this is not acceptable.
+                     if (tc.sslConfig.isClientMode ||
+                            alert != Alert.NO_CERTIFICATE ||
+                            (tc.sslConfig.clientAuthType !=
+                                    ClientAuthType.CLIENT_AUTH_REQUESTED)) {
+                        tc.fatal(Alert.HANDSHAKE_FAILURE,
+                            "received handshake warning: " + alert.description);
+                    }  // Otherwise, ignore the warning
+                }   // Otherwise, ignore the warning.
+            } else {    // fatal or unknown
+                String diagnostic;
+                if (alert == null) {
+                    alert = Alert.UNEXPECTED_MESSAGE;
+                    diagnostic = "Unknown alert description (" + am.id + ")";
+                } else {
+                    diagnostic = "Received fatal alert: " + alert.description;
+                }
+
+                tc.fatal(alert, diagnostic, true, null);
+            }
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/ALPNExtension.java	2018-05-11 15:08:40.955954800 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,168 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.nio.charset.*;
-import java.util.*;
-
-import javax.net.ssl.*;
-
-/*
- * [RFC 7301]
- * This TLS extension facilitates the negotiation of application-layer protocols
- * within the TLS handshake. Clients MAY include an extension of type
- * "application_layer_protocol_negotiation" in the (extended) ClientHello
- * message. The "extension_data" field of this extension SHALL contain a
- * "ProtocolNameList" value:
- *
- *     enum {
- *         application_layer_protocol_negotiation(16), (65535)
- *     } ExtensionType;
- *
- *     opaque ProtocolName<1..2^8-1>;
- *
- *     struct {
- *         ProtocolName protocol_name_list<2..2^16-1>
- *     } ProtocolNameList;
- */
-final class ALPNExtension extends HelloExtension {
-
-    final static int ALPN_HEADER_LENGTH = 1;
-    final static int MAX_APPLICATION_PROTOCOL_LENGTH = 255;
-    final static int MAX_APPLICATION_PROTOCOL_LIST_LENGTH = 65535;
-    private int listLength = 0;     // ProtocolNameList length
-    private List<String> protocolNames = null;
-
-    // constructor for ServerHello
-    ALPNExtension(String protocolName) throws SSLException {
-        this(new String[]{ protocolName });
-    }
-
-    // constructor for ClientHello
-    ALPNExtension(String[] protocolNames) throws SSLException {
-        super(ExtensionType.EXT_ALPN);
-        if (protocolNames.length == 0) { // never null, never empty
-            throw new IllegalArgumentException(
-                "The list of application protocols cannot be empty");
-        }
-        this.protocolNames = Arrays.asList(protocolNames);
-        for (String p : protocolNames) {
-            int length = p.getBytes(StandardCharsets.UTF_8).length;
-            if (length == 0) {
-                throw new SSLProtocolException(
-                    "Application protocol name is empty");
-            }
-            if (length <= MAX_APPLICATION_PROTOCOL_LENGTH) {
-                listLength += length + ALPN_HEADER_LENGTH;
-            } else {
-                throw new SSLProtocolException(
-                    "Application protocol name is too long: " + p);
-            }
-            if (listLength > MAX_APPLICATION_PROTOCOL_LIST_LENGTH) {
-                throw new SSLProtocolException(
-                    "Application protocol name list is too long");
-            }
-        }
-    }
-
-    // constructor for ServerHello for parsing ALPN extension
-    ALPNExtension(HandshakeInStream s, int len) throws IOException {
-        super(ExtensionType.EXT_ALPN);
-
-        if (len >= 2) {
-            listLength = s.getInt16(); // list length
-            if (listLength < 2 || listLength + 2 != len) {
-                throw new SSLProtocolException(
-                    "Invalid " + type + " extension: incorrect list length " +
-                    "(length=" + listLength + ")");
-            }
-        } else {
-            throw new SSLProtocolException(
-                "Invalid " + type + " extension: insufficient data " +
-                "(length=" + len + ")");
-        }
-
-        int remaining = listLength;
-        this.protocolNames = new ArrayList<>();
-        while (remaining > 0) {
-            // opaque ProtocolName<1..2^8-1>; // RFC 7301
-            byte[] bytes = s.getBytes8();
-            if (bytes.length == 0) {
-                throw new SSLProtocolException("Invalid " + type +
-                    " extension: empty application protocol name");
-            }
-            String p =
-                new String(bytes, StandardCharsets.UTF_8); // app protocol
-            protocolNames.add(p);
-            remaining -= bytes.length + ALPN_HEADER_LENGTH;
-        }
-
-        if (remaining != 0) {
-            throw new SSLProtocolException(
-                "Invalid " + type + " extension: extra data " +
-                "(length=" + remaining + ")");
-        }
-    }
-
-    List<String> getPeerAPs() {
-        return protocolNames;
-    }
-
-    /*
-     * Return the length in bytes, including extension type and length fields.
-     */
-    @Override
-    int length() {
-        return 6 + listLength;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(listLength + 2); // length of extension_data
-        s.putInt16(listLength);     // length of ProtocolNameList
-
-        for (String p : protocolNames) {
-            s.putBytes8(p.getBytes(StandardCharsets.UTF_8));
-        }
-    }
-
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        if (protocolNames == null || protocolNames.isEmpty()) {
-            sb.append("<empty>");
-        } else {
-            for (String protocolName : protocolNames) {
-                sb.append("[" + protocolName + "]");
-            }
-        }
-
-        return "Extension " + type +
-            ", protocol names: " + sb;
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/AlpnExtension.java	2018-05-11 15:08:40.228823400 -0700
@@ -0,0 +1,496 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.nio.charset.StandardCharsets;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLSocket;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the "application_layer_protocol_negotiation" extensions [RFC 7301].
+ */
+final class AlpnExtension {
+    static final HandshakeProducer chNetworkProducer = new CHAlpnProducer();
+    static final ExtensionConsumer chOnLoadConcumer = new CHAlpnConsumer();
+    static final HandshakeAbsence chOnLoadAbsence = new CHAlpnAbsence();
+
+    static final HandshakeProducer shNetworkProducer = new SHAlpnProducer();
+    static final ExtensionConsumer shOnLoadConcumer = new SHAlpnConsumer();
+    static final HandshakeAbsence shOnLoadAbsence = new SHAlpnAbsence();
+
+    // Note: we reuse ServerHello operations for EncryptedExtensions for now.
+    // Please be careful about any code or specification changes in the future.
+    static final HandshakeProducer eeNetworkProducer = new SHAlpnProducer();
+    static final ExtensionConsumer eeOnLoadConcumer = new SHAlpnConsumer();
+    static final HandshakeAbsence eeOnLoadAbsence = new SHAlpnAbsence();
+
+    static final SSLStringize alpnStringize = new AlpnStringize();
+
+    /**
+     * The "application_layer_protocol_negotiation" extension.
+     *
+     * See RFC 7301 for the specification of this extension.
+     */
+    static final class AlpnSpec implements SSLExtensionSpec {
+        final List<String> applicationProtocols;
+
+        private AlpnSpec(String[] applicationProtocols) {
+            this.applicationProtocols = Collections.unmodifiableList(
+                    Arrays.asList(applicationProtocols));
+        }
+
+        private AlpnSpec(ByteBuffer buffer) throws IOException {
+            // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
+            if (buffer.remaining() < 2) {
+                throw new SSLProtocolException(
+                    "Invalid application_layer_protocol_negotiation: " +
+                    "insufficient data (length=" + buffer.remaining() + ")");
+            }
+
+            int listLen = Record.getInt16(buffer);
+            if (listLen < 2 || listLen != buffer.remaining()) {
+                throw new SSLProtocolException(
+                    "Invalid application_layer_protocol_negotiation: " +
+                    "incorrect list length (length=" + listLen + ")");
+            }
+
+            List<String> protocolNames = new LinkedList<>();
+            while (buffer.hasRemaining()) {
+                // opaque ProtocolName<1..2^8-1>, RFC 7301.
+                byte[] bytes = Record.getBytes8(buffer);
+                if (bytes.length == 0) {
+                    throw new SSLProtocolException(
+                        "Invalid application_layer_protocol_negotiation " +
+                        "extension: empty application protocol name");
+                }
+
+                String appProtocol = new String(bytes, StandardCharsets.UTF_8);
+                protocolNames.add(appProtocol);
+            }
+
+            this.applicationProtocols =
+                    Collections.unmodifiableList(protocolNames);
+        }
+
+        @Override
+        public String toString() {
+            return applicationProtocols.toString();
+        }
+    }
+
+    private static final class AlpnStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new AlpnSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of the extension in a ClientHello
+     * handshake message.
+     */
+    private static final class CHAlpnProducer implements HandshakeProducer {
+        static final int MAX_AP_LENGTH = 255;
+        static final int MAX_AP_LIST_LENGTH = 65535;
+
+        // Prevent instantiation of this class.
+        private CHAlpnProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SSLExtension.CH_ALPN)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.info(
+                            "Ignore client unavailable extension: " +
+                            SSLExtension.CH_ALPN.name);
+                }
+                return null;
+            }
+
+            String[] laps = chc.sslConfig.applicationProtocols;
+            if ((laps == null) || (laps.length == 0)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.info(
+                            "No available application protocols");
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            int listLength = 0;     // ProtocolNameList length
+            for (String ap : laps) {
+                int length = ap.getBytes(StandardCharsets.UTF_8).length;
+                if (length == 0) {
+                    // log the configuration problem
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.severe(
+                                "Application protocol name cannot be empty");
+                    }
+                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                            "Application protocol name cannot be empty");
+                }
+
+                if (length <= MAX_AP_LENGTH) {
+                    // opaque ProtocolName<1..2^8-1>, RFC 7301.
+                    listLength += (length + 1);
+                } else {
+                    // log the configuration problem
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.severe(
+                                "Application protocol name (" + ap +
+                                ") exceeds the size limit (" +
+                                MAX_AP_LENGTH + " bytes)");
+                    }
+                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                                "Application protocol name (" + ap +
+                                ") exceeds the size limit (" +
+                                MAX_AP_LENGTH + " bytes)");
+                }
+
+                if (listLength > MAX_AP_LIST_LENGTH) {
+                    // log the configuration problem
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.severe(
+                                "The configured application protocols (" +
+                                Arrays.toString(laps) +
+                                ") exceed the size limit (" +
+                                MAX_AP_LIST_LENGTH + " bytes)");
+                    }
+                    chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                                "The configured application protocols (" +
+                                Arrays.toString(laps) +
+                                ") exceed the size limit (" +
+                                MAX_AP_LIST_LENGTH + " bytes)");
+                }
+            }
+
+            // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
+            byte[] extData = new byte[listLength + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, listLength);
+            for (String ap : laps) {
+                Record.putBytes8(m, ap.getBytes(StandardCharsets.UTF_8));
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(SSLExtension.CH_ALPN,
+                    new AlpnSpec(chc.sslConfig.applicationProtocols));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of the extension in a ClientHello
+     * handshake message.
+     */
+    private static final class CHAlpnConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHAlpnConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.CH_ALPN)) {
+                shc.applicationProtocol = "";
+                shc.conContext.applicationProtocol = "";
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.info(
+                            "Ignore server unavailable extension: " +
+                            SSLExtension.CH_ALPN.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Is the extension enabled?
+            boolean noAPSelector;
+            if (shc.conContext.transport instanceof SSLEngine) {
+                noAPSelector = (shc.sslConfig.engineAPSelector == null);
+            } else {
+                noAPSelector = (shc.sslConfig.socketAPSelector == null);
+            }
+
+            boolean noAlpnProtocols =
+                    shc.sslConfig.applicationProtocols == null ||
+                    shc.sslConfig.applicationProtocols.length == 0;
+            if (noAPSelector && noAlpnProtocols) {
+                shc.applicationProtocol = "";
+                shc.conContext.applicationProtocol = "";
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore server unenabled extension: " +
+                            SSLExtension.CH_ALPN.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            AlpnSpec spec;
+            try {
+                spec = new AlpnSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            if (noAPSelector) {     // noAlpnProtocols is false
+                List<String> protocolNames = spec.applicationProtocols;
+                boolean matched = false;
+                // Use server application protocol preference order.
+                for (String ap : shc.sslConfig.applicationProtocols) {
+                    if (protocolNames.contains(ap)) {
+                        shc.applicationProtocol = ap;
+                        shc.conContext.applicationProtocol = ap;
+                        matched = true;
+                        break;
+                    }
+                }
+
+                if (!matched) {
+                    shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                            "No matching application layer protocol values");
+                }
+            }   // Otherwise, applicationProtocol will be set by the
+                // application selector callback later.
+
+            shc.handshakeExtensions.put(SSLExtension.CH_ALPN, spec);
+
+            // No impact on session resumption.
+            //
+            // [RFC 7301] Unlike many other TLS extensions, this extension
+            // does not establish properties of the session, only of the
+            // connection.  When session resumption or session tickets are
+            // used, the previous contents of this extension are irrelevant,
+            // and only the values in the new handshake messages are
+            // considered.
+        }
+    }
+
+    /**
+     * The absence processing if the extension is not present in
+     * a ClientHello handshake message.
+     */
+    private static final class CHAlpnAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Please don't use the previous negotiated application protocol.
+            shc.applicationProtocol = "";
+            shc.conContext.applicationProtocol = "";
+        }
+    }
+
+    /**
+     * Network data producer of the extension in the ServerHello
+     * handshake message.
+     */
+    private static final class SHAlpnProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHAlpnProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to ALPN request only
+            AlpnSpec requestedAlps =
+                    (AlpnSpec)shc.handshakeExtensions.get(SSLExtension.CH_ALPN);
+            if (requestedAlps == null) {
+                // Ignore, this extension was not requested and accepted.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable extension: " +
+                            SSLExtension.SH_ALPN.name);
+                }
+                return null;
+            }
+
+            List<String> alps = requestedAlps.applicationProtocols;
+            if (shc.conContext.transport instanceof SSLEngine) {
+                if (shc.sslConfig.engineAPSelector != null) {
+                    SSLEngine engine = (SSLEngine)shc.conContext.transport;
+                    shc.applicationProtocol =
+                        shc.sslConfig.engineAPSelector.apply(engine, alps);
+                    if ((shc.applicationProtocol == null) ||
+                            (!shc.applicationProtocol.isEmpty() &&
+                            !alps.contains(shc.applicationProtocol))) {
+                        shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                            "No matching application layer protocol values");
+                    }
+                }
+            } else {
+                if (shc.sslConfig.socketAPSelector != null) {
+                    SSLSocket socket = (SSLSocket)shc.conContext.transport;
+                    shc.applicationProtocol =
+                        shc.sslConfig.socketAPSelector.apply(socket, alps);
+                    if ((shc.applicationProtocol == null) ||
+                            (!shc.applicationProtocol.isEmpty() &&
+                            !alps.contains(shc.applicationProtocol))) {
+                        shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
+                            "No matching application layer protocol values");
+                    }
+                }
+            }
+
+            if ((shc.applicationProtocol == null) ||
+                    (shc.applicationProtocol.isEmpty())) {
+                // Ignore, no negotiated application layer protocol.
+                shc.applicationProtocol = "";
+                shc.conContext.applicationProtocol = "";
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                        "Ignore, no negotiated application layer protocol");
+                }
+
+                return null;
+            }
+
+            // opaque ProtocolName<1..2^8-1>, RFC 7301.
+            int listLen = shc.applicationProtocol.length() + 1;
+                                                        // 1: length byte
+            // ProtocolName protocol_name_list<2..2^16-1>, RFC 7301.
+            byte[] extData = new byte[listLen + 2];     // 2: list length
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, listLen);
+            Record.putBytes8(m,
+                    shc.applicationProtocol.getBytes(StandardCharsets.UTF_8));
+
+            // Update the context.
+            shc.conContext.applicationProtocol = shc.applicationProtocol;
+
+            // Clean or register the extension
+            //
+            // No further use of the request and respond extension any more.
+            shc.handshakeExtensions.remove(SSLExtension.CH_ALPN);
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of the extension in the ServerHello
+     * handshake message.
+     */
+    private static final class SHAlpnConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHAlpnConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to ALPN request only
+            AlpnSpec requestedAlps =
+                    (AlpnSpec)chc.handshakeExtensions.get(SSLExtension.CH_ALPN);
+            if (requestedAlps == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected " + SSLExtension.CH_ALPN.name + " extension");
+            }
+
+            // Parse the extension.
+            AlpnSpec spec;
+            try {
+                spec = new AlpnSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Only one application protocol is allowed.
+            if (spec.applicationProtocols.size() != 1) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
+                    "Only one protocol name is allowed in ServerHello message");
+            }
+
+            // Update the context.
+            chc.applicationProtocol = spec.applicationProtocols.get(0);
+            chc.conContext.applicationProtocol = chc.applicationProtocol;
+
+            // Clean or register the extension
+            //
+            // No further use of the request and respond extension any more.
+            chc.handshakeExtensions.remove(SSLExtension.CH_ALPN);
+        }
+    }
+
+    /**
+     * The absence processing if the extension is not present in
+     * the ServerHello handshake message.
+     */
+    private static final class SHAlpnAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Please don't use the previous negotiated application protocol.
+            chc.applicationProtocol = "";
+            chc.conContext.applicationProtocol = "";
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java	2018-05-11 15:08:42.091756500 -0700
@@ -0,0 +1,346 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.List;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SignatureAlgorithmsExtension.SignatureSchemesSpec;
+
+/**
+ * Pack of the "signature_algorithms_cert" extensions.
+ */
+final class CertSignAlgsExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHCertSignatureSchemesProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHCertSignatureSchemesConsumer();
+    static final HandshakeConsumer chOnTradeConsumer =
+            new CHCertSignatureSchemesUpdate();
+
+    static final HandshakeProducer crNetworkProducer =
+            new CRCertSignatureSchemesProducer();
+    static final ExtensionConsumer crOnLoadConcumer =
+            new CRCertSignatureSchemesConsumer();
+    static final HandshakeConsumer crOnTradeConsumer =
+            new CRCertSignatureSchemesUpdate();
+
+    static final SSLStringize ssStringize =
+            new CertSignatureSchemesStringize();
+
+    private static final
+            class CertSignatureSchemesStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new SignatureSchemesSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "signature_algorithms_cert" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHCertSignatureSchemesProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHCertSignatureSchemesProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable " +
+                            "signature_algorithms_cert extension");
+                }
+
+                return null;    // ignore the extension
+            }
+
+            // Produce the extension.
+            if (chc.localSupportedSignAlgs == null) {
+                chc.localSupportedSignAlgs =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.algorithmConstraints, chc.activeProtocols);
+            }
+
+            int vectorLen = SignatureScheme.sizeInRecord() *
+                    chc.localSupportedSignAlgs.size();
+            byte[] extData = new byte[vectorLen + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, vectorLen);
+            for (SignatureScheme ss : chc.localSupportedSignAlgs) {
+                Record.putInt16(m, ss.id);
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT,
+                    new SignatureSchemesSpec(chc.localSupportedSignAlgs));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "signature_algorithms_cert" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHCertSignatureSchemesConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHCertSignatureSchemesConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable " +
+                            "signature_algorithms_cert extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            SignatureSchemesSpec spec;
+            try {
+                spec = new SignatureSchemesSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT, spec);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * After session creation consuming of a "signature_algorithms_cert"
+     * extension in the ClientHello handshake message.
+     */
+    private static final class CHCertSignatureSchemesUpdate
+            implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private CHCertSignatureSchemesUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            SignatureSchemesSpec spec = (SignatureSchemesSpec)
+                    shc.handshakeExtensions.get(
+                            SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT);
+            if (spec == null) {
+                // Ignore, no signature_algorithms_cert extension requested.
+                return;
+            }
+
+            // update the context
+            List<SignatureScheme> shemes =
+                    SignatureScheme.getSupportedAlgorithms(
+                            shc.algorithmConstraints, shc.negotiatedProtocol,
+                            spec.signatureSchemes);
+            shc.peerRequestedCertSignSchemes = shemes;
+
+            if (!shc.isResumption && shc.negotiatedProtocol.useTLS13PlusSpec()) {
+                if (shc.sslConfig.clientAuthType !=
+                        ClientAuthType.CLIENT_AUTH_NONE) {
+                    shc.handshakeProducers.putIfAbsent(
+                            SSLHandshake.CERTIFICATE_REQUEST.id,
+                            SSLHandshake.CERTIFICATE_REQUEST);
+                }
+                shc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
+                        SSLHandshake.CERTIFICATE);
+                shc.handshakeProducers.putIfAbsent(
+                        SSLHandshake.CERTIFICATE_VERIFY.id,
+                        SSLHandshake.CERTIFICATE_VERIFY);
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "signature_algorithms_cert" extension in
+     * the CertificateRequest handshake message.
+     */
+    private static final
+            class CRCertSignatureSchemesProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CRCertSignatureSchemesProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable " +
+                            "signature_algorithms_cert extension");
+                }
+                return null;    // ignore the extension
+            }
+
+            // Produce the extension.
+            if (shc.localSupportedSignAlgs == null) {
+                shc.localSupportedSignAlgs =
+                    SignatureScheme.getSupportedAlgorithms(
+                            shc.algorithmConstraints, shc.activeProtocols);
+            }
+
+            int vectorLen = SignatureScheme.sizeInRecord() *
+                    shc.localSupportedSignAlgs.size();
+            byte[] extData = new byte[vectorLen + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, vectorLen);
+            for (SignatureScheme ss : shc.localSupportedSignAlgs) {
+                Record.putInt16(m, ss.id);
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(
+                    SSLExtension.CR_SIGNATURE_ALGORITHMS_CERT,
+                    new SignatureSchemesSpec(shc.localSupportedSignAlgs));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "signature_algorithms_cert" extension in
+     * the CertificateRequest handshake message.
+     */
+    private static final
+            class CRCertSignatureSchemesConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CRCertSignatureSchemesConsumer() {
+            // blank
+        }
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(
+                    SSLExtension.CH_SIGNATURE_ALGORITHMS_CERT)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable " +
+                            "signature_algorithms_cert extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            SignatureSchemesSpec spec;
+            try {
+                spec = new SignatureSchemesSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SSLExtension.CR_SIGNATURE_ALGORITHMS_CERT, spec);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * After session creation consuming of a "signature_algorithms_cert"
+     * extension in the CertificateRequest handshake message.
+     */
+    private static final class CRCertSignatureSchemesUpdate
+            implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private CRCertSignatureSchemesUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            SignatureSchemesSpec spec = (SignatureSchemesSpec)
+                    chc.handshakeExtensions.get(
+                            SSLExtension.CR_SIGNATURE_ALGORITHMS_CERT);
+            if (spec == null) {
+                // Ignore, no "signature_algorithms_cert" extension requested.
+                return;
+            }
+
+            // update the context
+            List<SignatureScheme> shemes =
+                    SignatureScheme.getSupportedAlgorithms(
+                            chc.algorithmConstraints, chc.negotiatedProtocol,
+                            spec.signatureSchemes);
+            chc.peerRequestedCertSignSchemes = shemes;
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/CertStatusReqExtension.java	2018-05-11 15:08:44.401932100 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,205 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.util.Objects;
-
-/*
- * RFC6066 defines the TLS extension,"status_request" (type 0x5),
- * which allows the client to request that the server perform OCSP
- * on the client's behalf.
- * The "extension data" field of this extension contains a
- * "CertificateStatusRequest" structure:
- *
- *      struct {
- *          CertificateStatusType status_type;
- *          select (status_type) {
- *              case ocsp: OCSPStatusRequest;
- *          } request;
- *      } CertificateStatusRequest;
- *
- *      enum { ocsp(1), (255) } CertificateStatusType;
- *
- *      struct {
- *          ResponderID responder_id_list<0..2^16-1>;
- *          Extensions  request_extensions;
- *      } OCSPStatusRequest;
- *
- *      opaque ResponderID<1..2^16-1>;
- *      opaque Extensions<0..2^16-1>;
- */
-
-final class CertStatusReqExtension extends HelloExtension {
-
-    private final StatusRequestType statReqType;
-    private final StatusRequest request;
-
-
-    /**
-     * Construct the default status request extension object.  The default
-     * object results in a status_request extension where the extension
-     * data segment is zero-length.  This is used primarily in ServerHello
-     * messages where the server asserts it can do RFC 6066 status stapling.
-     */
-    CertStatusReqExtension() {
-        super(ExtensionType.EXT_STATUS_REQUEST);
-        statReqType = null;
-        request = null;
-    }
-
-    /**
-     * Construct the status request extension object given a request type
-     *      and {@code StatusRequest} object.
-     *
-     * @param reqType a {@code StatusRequestExtType object correspoding
-     *      to the underlying {@code StatusRequest} object.  A value of
-     *      {@code null} is not allowed.
-     * @param statReq the {@code StatusRequest} object used to provide the
-     *      encoding for the TLS extension.  A value of {@code null} is not
-     *      allowed.
-     *
-     * @throws IllegalArgumentException if the provided {@code StatusRequest}
-     *      does not match the type.
-     * @throws NullPointerException if either the {@code reqType} or
-     *      {@code statReq} arguments are {@code null}.
-     */
-    CertStatusReqExtension(StatusRequestType reqType, StatusRequest statReq) {
-        super(ExtensionType.EXT_STATUS_REQUEST);
-
-        statReqType = Objects.requireNonNull(reqType,
-                "Unallowed null value for status_type");
-        request = Objects.requireNonNull(statReq,
-                "Unallowed null value for request");
-
-        // There is currently only one known status type (OCSP)
-        // We can add more clauses to cover other types in the future
-        if (statReqType == StatusRequestType.OCSP) {
-            if (!(statReq instanceof OCSPStatusRequest)) {
-                throw new IllegalArgumentException("StatusRequest not " +
-                        "of type OCSPStatusRequest");
-            }
-        }
-    }
-
-    /**
-     * Construct the {@code CertStatusReqExtension} object from data read from
-     *      a {@code HandshakeInputStream}
-     *
-     * @param s the {@code HandshakeInputStream} providing the encoded data
-     * @param len the length of the extension data
-     *
-     * @throws IOException if any decoding errors happen during object
-     *      construction.
-     */
-    CertStatusReqExtension(HandshakeInStream s, int len) throws IOException {
-        super(ExtensionType.EXT_STATUS_REQUEST);
-
-        if (len > 0) {
-            // Obtain the status type (first byte)
-            statReqType = StatusRequestType.get(s.getInt8());
-            if (statReqType == StatusRequestType.OCSP) {
-                request = new OCSPStatusRequest(s);
-            } else {
-                // This is a status_type we don't understand.  Create
-                // an UnknownStatusRequest in order to preserve the data
-                request = new UnknownStatusRequest(s, len - 1);
-            }
-        } else {
-            // Treat this as a zero-length extension (i.e. from a ServerHello
-            statReqType = null;
-            request = null;
-        }
-    }
-
-    /**
-     * Return the length of the encoded extension, including extension type,
-     *      extension length and status_type fields.
-     *
-     * @return the length in bytes, including the extension type and
-     *      length fields.
-     */
-    @Override
-    int length() {
-        return (statReqType != null ? 5 + request.length() : 4);
-    }
-
-    /**
-     * Send the encoded TLS extension through a {@code HandshakeOutputStream}
-     *
-     * @param s the {@code HandshakeOutputStream} used to send the encoded data
-     *
-     * @throws IOException tf any errors occur during the encoding process
-     */
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(this.length() - 4);
-
-        if (statReqType != null) {
-            s.putInt8(statReqType.id);
-            request.send(s);
-        }
-    }
-
-    /**
-     * Create a string representation of this {@code CertStatusReqExtension}
-     *
-     * @return the string representation of this {@code CertStatusReqExtension}
-     */
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder("Extension ").append(type);
-        if (statReqType != null) {
-            sb.append(": ").append(statReqType).append(", ").append(request);
-        }
-
-        return sb.toString();
-    }
-
-    /**
-     * Return the type field for this {@code CertStatusReqExtension}
-     *
-     * @return the {@code StatusRequestType} for this extension.  {@code null}
-     *      will be returned if the default constructor is used to create
-     *      a zero length status_request extension (found in ServerHello
-     *      messages)
-     */
-    StatusRequestType getType() {
-        return statReqType;
-    }
-
-    /**
-     * Get the underlying {@code StatusRequest} for this
-     *      {@code CertStatusReqExtension}
-     *
-     * @return the {@code StatusRequest} or {@code null} if the default
-     * constructor was used to create this extension.
-     */
-    StatusRequest getRequest() {
-        return request;
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java	2018-05-11 15:08:43.694793300 -0700
@@ -0,0 +1,1218 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.io.ByteArrayInputStream;
+import java.nio.ByteBuffer;
+import java.security.cert.Extension;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Locale;
+import javax.net.ssl.SSLProtocolException;
+import sun.security.provider.certpath.OCSPResponse;
+import sun.security.provider.certpath.ResponderId;
+import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST;
+import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST;
+import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.DerInputStream;
+import sun.security.util.DerValue;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of "status_request" and "status_request_v2" extensions.
+ */
+final class CertStatusExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHCertStatusReqProducer();
+    static final ExtensionConsumer chOnLoadConsumer =
+            new CHCertStatusReqConsumer();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHCertStatusReqProducer();
+    static final ExtensionConsumer shOnLoadConsumer =
+            new SHCertStatusReqConsumer();
+
+    static final HandshakeProducer ctNetworkProducer =
+            new CTCertStatusResponseProducer();
+    static final ExtensionConsumer ctOnLoadConsumer =
+            new CTCertStatusResponseConsumer();
+
+    static final SSLStringize certStatusReqStringize =
+            new CertStatusRequestStringize();
+
+    static final HandshakeProducer chV2NetworkProducer =
+            new CHCertStatusReqV2Producer();
+    static final ExtensionConsumer chV2OnLoadConsumer =
+            new CHCertStatusReqV2Consumer();
+
+    static final HandshakeProducer shV2NetworkProducer =
+            new SHCertStatusReqV2Producer();
+    static final ExtensionConsumer shV2OnLoadConsumer =
+            new SHCertStatusReqV2Consumer();
+
+    static final SSLStringize certStatusReqV2Stringize =
+            new CertStatusRequestsStringize();
+
+    static final SSLStringize certStatusRespStringize =
+            new CertStatusRespStringize();
+
+    /**
+     * The "status_request" extension.
+     *
+     * RFC6066 defines the TLS extension,"status_request" (type 0x5),
+     * which allows the client to request that the server perform OCSP
+     * on the client's behalf.
+     *
+     * The "extension data" field of this extension contains a
+     * "CertificateStatusRequest" structure:
+     *
+     *      struct {
+     *          CertificateStatusType status_type;
+     *          select (status_type) {
+     *              case ocsp: OCSPStatusRequest;
+     *          } request;
+     *      } CertificateStatusRequest;
+     *
+     *      enum { ocsp(1), (255) } CertificateStatusType;
+     *
+     *      struct {
+     *          ResponderID responder_id_list<0..2^16-1>;
+     *          Extensions  request_extensions;
+     *      } OCSPStatusRequest;
+     *
+     *      opaque ResponderID<1..2^16-1>;
+     *      opaque Extensions<0..2^16-1>;
+     */
+    static final class CertStatusRequestSpec implements SSLExtensionSpec {
+        static final CertStatusRequestSpec DEFAULT =
+                new CertStatusRequestSpec(OCSPStatusRequest.EMPTY_OCSP);
+
+        final CertStatusRequest statusRequest;
+
+        private CertStatusRequestSpec(CertStatusRequest statusRequest) {
+            this.statusRequest = statusRequest;
+        }
+
+        private CertStatusRequestSpec(ByteBuffer buffer) throws IOException {
+            // Is it a empty extension_data?
+            if (buffer.remaining() == 0) {
+                // server response
+                this.statusRequest = null;
+                return;
+            }
+
+            if (buffer.remaining() < 1) {
+                throw new SSLProtocolException(
+                    "Invalid status_request extension: insufficient data");
+            }
+
+            byte statusType = (byte)Record.getInt8(buffer);
+            byte[] encoded = new byte[buffer.remaining()];
+            if (encoded.length != 0) {
+                buffer.get(encoded);
+            }
+            if (statusType == CertStatusRequestType.OCSP.id) {
+                this.statusRequest = new OCSPStatusRequest(statusType, encoded);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.info(
+                        "Unknown certificate status request " +
+                        "(status type: " + statusType + ")");
+                }
+
+                this.statusRequest = new CertStatusRequest(statusType, encoded);
+            }
+        }
+
+        @Override
+        public String toString() {
+            return statusRequest == null ?
+                        "<empty>" : statusRequest.toString();
+        }
+    }
+
+    /**
+     * Defines the CertificateStatus response structure as outlined in
+     * RFC 6066.  This will contain a status response type, plus a single,
+     * non-empty OCSP response in DER-encoded form.
+     *
+     * struct {
+     *     CertificateStatusType status_type;
+     *     select (status_type) {
+     *         case ocsp: OCSPResponse;
+     *     } response;
+     * } CertificateStatus;
+     */
+    static final class CertStatusResponseSpec implements SSLExtensionSpec {
+        final CertStatusResponse statusResponse;
+
+        private CertStatusResponseSpec(CertStatusResponse resp) {
+            this.statusResponse = resp;
+        }
+
+        private CertStatusResponseSpec(ByteBuffer buffer) throws IOException {
+            if (buffer.remaining() < 2) {
+                throw new SSLProtocolException(
+                    "Invalid status_request extension: insufficient data");
+            }
+
+            // Get the status type (1 byte) and response data (vector)
+            byte type = (byte)Record.getInt8(buffer);
+            byte[] respData = Record.getBytes24(buffer);
+
+            // Create the CertStatusResponse based on the type
+            if (type == CertStatusRequestType.OCSP.id) {
+                this.statusResponse = new OCSPStatusResponse(type, respData);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.info(
+                        "Unknown certificate status response " +
+                        "(status type: " + type + ")");
+                }
+
+                this.statusResponse = new CertStatusResponse(type, respData);
+            }
+        }
+
+        @Override
+        public String toString() {
+            return statusResponse == null ?
+                        "<empty>" : statusResponse.toString();
+        }
+    }
+
+    private static final
+            class CertStatusRequestStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CertStatusRequestSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    private static final
+            class CertStatusRespStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CertStatusResponseSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                 // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    static enum CertStatusRequestType {
+        OCSP        ((byte)0x01,    "ocsp"),        // RFC 6066/6961
+        OCSP_MULTI  ((byte)0x02,    "ocsp_multi");  // RFC 6961
+
+        final byte id;
+        final String name;
+
+        private CertStatusRequestType(byte id, String name) {
+            this.id = id;
+            this.name = name;
+        }
+
+        /**
+         * Returns the enum constant of the specified id (see RFC 6066).
+         */
+        static CertStatusRequestType valueOf(byte id) {
+            for (CertStatusRequestType srt : CertStatusRequestType.values()) {
+                if (srt.id == id) {
+                    return srt;
+                }
+            }
+
+            return null;
+        }
+
+        static String nameOf(byte id) {
+            for (CertStatusRequestType srt : CertStatusRequestType.values()) {
+                if (srt.id == id) {
+                    return srt.name;
+                }
+            }
+
+            return "UNDEFINED-CERT-STATUS-TYPE(" + id + ")";
+        }
+    }
+
+    static class CertStatusRequest {
+        final byte statusType;
+        final byte[] encodedRequest;
+
+        protected CertStatusRequest(byte statusType, byte[] encodedRequest) {
+            this.statusType = statusType;
+            this.encodedRequest = encodedRequest;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"certificate status type\": {0}\n" +
+                "\"encoded certificate status\": '{'\n" +
+                "{1}\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            String encoded = hexEncoder.encodeBuffer(encodedRequest);
+
+            Object[] messageFields = {
+                CertStatusRequestType.nameOf(statusType),
+                Utilities.indent(encoded)
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /*
+     * RFC6066 defines the TLS extension,"status_request" (type 0x5),
+     * which allows the client to request that the server perform OCSP
+     * on the client's behalf.
+     *
+     * The RFC defines an OCSPStatusRequest structure:
+     *
+     *      struct {
+     *          ResponderID responder_id_list<0..2^16-1>;
+     *          Extensions  request_extensions;
+     *      } OCSPStatusRequest;
+     */
+    static final class OCSPStatusRequest extends CertStatusRequest {
+        static final OCSPStatusRequest EMPTY_OCSP;
+        static final OCSPStatusRequest EMPTY_OCSP_MULTI;
+
+        final List<ResponderId> responderIds;
+        final List<Extension> extensions;
+        private final int encodedLen;
+        private final int ridListLen;
+        private final int extListLen;
+
+        static {
+            OCSPStatusRequest ocspReq = null;
+            OCSPStatusRequest multiReq = null;
+
+            try {
+                ocspReq = new OCSPStatusRequest(
+                        CertStatusRequestType.OCSP.id,
+                        new byte[] {0x00, 0x00, 0x00, 0x00});
+                multiReq = new OCSPStatusRequest(
+                    CertStatusRequestType.OCSP_MULTI.id,
+                    new byte[] {0x00, 0x00, 0x00, 0x00});
+            } catch (IOException ioe) {
+                // unlikely
+            }
+
+            EMPTY_OCSP = ocspReq;
+            EMPTY_OCSP_MULTI = multiReq;
+        }
+
+        private OCSPStatusRequest(byte statusType,
+                byte[] encoded) throws IOException {
+            super(statusType, encoded);
+
+            if (encoded == null || encoded.length < 4) {
+                                        //  2: length of responder_id_list
+                                        // +2: length of request_extensions
+                throw new SSLProtocolException(
+                        "Invalid OCSP status request: insufficient data");
+            }
+            this.encodedLen = encoded.length;
+
+            List<ResponderId> rids = new ArrayList<>();
+            List<Extension> exts = new ArrayList<>();
+            ByteBuffer m = ByteBuffer.wrap(encoded);
+
+            this.ridListLen = Record.getInt16(m);
+            if (m.remaining() < (ridListLen + 2)) {
+                throw new SSLProtocolException(
+                        "Invalid OCSP status request: insufficient data");
+            }
+
+            int ridListBytesRemaining = ridListLen;
+            while (ridListBytesRemaining >= 2) {    // 2: length of responder_id
+                byte[] ridBytes = Record.getBytes16(m);
+                try {
+                    rids.add(new ResponderId(ridBytes));
+                } catch (IOException ioe) {
+                    throw new SSLProtocolException(
+                        "Invalid OCSP status request: invalid responder ID");
+                }
+                ridListBytesRemaining -= ridBytes.length + 2;
+            }
+
+            if (ridListBytesRemaining != 0) {
+                    throw new SSLProtocolException(
+                        "Invalid OCSP status request: incomplete data");
+            }
+
+            byte[] extListBytes = Record.getBytes16(m);
+            this.extListLen = extListBytes.length;
+            if (extListLen > 0) {
+                try {
+                    DerInputStream dis = new DerInputStream(extListBytes);
+                    DerValue[] extSeqContents =
+                            dis.getSequence(extListBytes.length);
+                    for (DerValue extDerVal : extSeqContents) {
+                        exts.add(new sun.security.x509.Extension(extDerVal));
+                    }
+                } catch (IOException ioe) {
+                    throw new SSLProtocolException(
+                        "Invalid OCSP status request: invalid extension");
+                }
+            }
+
+            this.responderIds = rids;
+            this.extensions = exts;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"certificate status type\": {0}\n" +
+                "\"OCSP status request\": '{'\n" +
+                "{1}\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            MessageFormat requestFormat = new MessageFormat(
+                "\"responder_id\": {0}\n" +
+                "\"request extensions\": '{'\n" +
+                "{1}\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            String ridStr = "<empty>";
+            if (!responderIds.isEmpty()) {
+                ridStr = responderIds.toString();
+
+            }
+
+            String extsStr = "<empty>";
+            if (!extensions.isEmpty()) {
+                StringBuilder extBuilder = new StringBuilder(512);
+                boolean isFirst = true;
+                for (Extension ext : this.extensions) {
+                    if (isFirst) {
+                        isFirst = false;
+                    } else {
+                        extBuilder.append(",\n");
+                    }
+                    extBuilder.append(
+                            "{\n" + Utilities.indent(ext.toString()) + "}");
+                }
+
+                extsStr = extBuilder.toString();
+            }
+
+            Object[] requestFields = {
+                    ridStr,
+                    Utilities.indent(extsStr)
+                };
+            String ocspStatusRequest = requestFormat.format(requestFields);
+
+            Object[] messageFields = {
+                    CertStatusRequestType.nameOf(statusType),
+                    Utilities.indent(ocspStatusRequest)
+                };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    static class CertStatusResponse {
+        final byte statusType;
+        final byte[] encodedResponse;
+
+        protected CertStatusResponse(byte statusType, byte[] respDer) {
+            this.statusType = statusType;
+            this.encodedResponse = respDer;
+        }
+
+        byte[] toByteArray() throws IOException {
+            // Create a byte array large enough to handle the status_type
+            // field (1) + OCSP length (3) + OCSP data (variable)
+            byte[] outData = new byte[encodedResponse.length + 4];
+            ByteBuffer buf = ByteBuffer.wrap(outData);
+            Record.putInt8(buf, statusType);
+            Record.putBytes24(buf, encodedResponse);
+            return buf.array();
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"certificate status response type\": {0}\n" +
+                "\"encoded certificate status\": '{'\n" +
+                "{1}\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            String encoded = hexEncoder.encodeBuffer(encodedResponse);
+
+            Object[] messageFields = {
+                CertStatusRequestType.nameOf(statusType),
+                Utilities.indent(encoded)
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    static final class OCSPStatusResponse extends CertStatusResponse {
+        final OCSPResponse ocspResponse;
+
+        private OCSPStatusResponse(byte statusType,
+                byte[] encoded) throws IOException {
+            super(statusType, encoded);
+
+            // The DER-encoded OCSP response must not be zero length
+            if (encoded == null || encoded.length < 1) {
+                throw new SSLProtocolException(
+                        "Invalid OCSP status response: insufficient data");
+            }
+
+            // Otherwise, make an OCSPResponse object from the data
+            ocspResponse = new OCSPResponse(encoded);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"certificate status response type\": {0}\n" +
+                "\"OCSP status response\": '{'\n" +
+                "{1}\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            Object[] messageFields = {
+                CertStatusRequestType.nameOf(statusType),
+                Utilities.indent(ocspResponse.toString())
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * Network data producer of a "status_request" extension in the
+     * ClientHello handshake message.
+     */
+    private static final
+            class CHCertStatusReqProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHCertStatusReqProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            if (!chc.sslContext.isStaplingEnabled(true)) {
+                return null;
+            }
+
+            if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        CH_STATUS_REQUEST.name);
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            //
+            // We are using empty OCSPStatusRequest at present. May extend to
+            // support specific responder or extensions later.
+            byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00};
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "status_request" extension in the
+     * ClientHello handshake message.
+     */
+    private static final
+            class CHCertStatusReqConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHCertStatusReqConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Ignore unavailable extension: " +
+                        CH_STATUS_REQUEST.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            CertStatusRequestSpec spec;
+            try {
+                spec = new CertStatusRequestSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec);
+            if (!shc.negotiatedProtocol.useTLS13PlusSpec()) {
+                shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id,
+                    SSLHandshake.CERTIFICATE_STATUS);
+            }   // Otherwise, the certificate status presents in server cert.
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * Network data producer of a "status_request" extension in the
+     * ServerHello handshake message.
+     */
+    private static final
+            class SHCertStatusReqProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHCertStatusReqProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // The StaplingParameters in the ServerHandshakeContext will
+            // contain the info about what kind of stapling (if any) to
+            // perform and whether this status_request extension should be
+            // produced or the status_request_v2 (found in a different producer)
+            // No explicit check is required for isStaplingEnabled here.  If
+            // it is false then stapleParams will be null.  If it is true
+            // then stapleParams may or may not be false and the check below
+            // is sufficient.
+            if ((shc.stapleParams == null) ||
+                    (shc.stapleParams.statusRespExt !=
+                    SSLExtension.CH_STATUS_REQUEST)) {
+                return null;    // Do not produce status_request in ServerHello
+            }
+
+            // In response to "status_request" extension request only.
+            CertStatusRequestSpec spec = (CertStatusRequestSpec)
+                    shc.handshakeExtensions.get(CH_STATUS_REQUEST);
+            if (spec == null) {
+                // Ignore, no status_request extension requested.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable extension: " +
+                        CH_STATUS_REQUEST.name);
+                }
+
+                return null;        // ignore the extension
+            }
+
+            // Is it a session resuming?
+            if (shc.isResumption) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "No status_request response for session resuming");
+                }
+
+                return null;        // ignore the extension
+            }
+
+            // The "extension_data" in the extended ServerHello handshake
+            // message MUST be empty.
+            byte[] extData = new byte[0];
+
+            // Update the context.
+            shc.handshakeExtensions.put(
+                    SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "status_request" extension in the
+     * ServerHello handshake message.
+     */
+    private static final
+            class SHCertStatusReqConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHCertStatusReqConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "status_request" extension request only.
+            CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
+                    chc.handshakeExtensions.get(CH_STATUS_REQUEST);
+            if (requestedCsr == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected status_request extension in ServerHello");
+            }
+
+            // Parse the extension.
+            if (buffer.hasRemaining()) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                  "Invalid status_request extension in ServerHello message: " +
+                  "the extension data must be empty");
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT);
+            chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
+                    SSLHandshake.CERTIFICATE_STATUS);
+
+            // Since we've received a legitimate status_request in the
+            // ServerHello, stapling is active if it's been enabled.
+            chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * The "status_request_v2" extension.
+     *
+     * RFC6961 defines the TLS extension,"status_request_v2" (type 0x5),
+     * which allows the client to request that the server perform OCSP
+     * on the client's behalf.
+     *
+     * The RFC defines an CertStatusReqItemV2 structure:
+     *
+     *      struct {
+     *          CertificateStatusType status_type;
+     *          uint16 request_length;
+     *          select (status_type) {
+     *              case ocsp: OCSPStatusRequest;
+     *              case ocsp_multi: OCSPStatusRequest;
+     *          } request;
+     *      } CertificateStatusRequestItemV2;
+     *
+     *      enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
+     *      struct {
+     *        ResponderID responder_id_list<0..2^16-1>;
+     *        Extensions request_extensions;
+     *      } OCSPStatusRequest;
+     *
+     *      opaque ResponderID<1..2^16-1>;
+     *      opaque Extensions<0..2^16-1>;
+     *
+     *      struct {
+     *        CertificateStatusRequestItemV2
+     *                         certificate_status_req_list<1..2^16-1>;
+     *      } CertificateStatusRequestListV2;
+     */
+    static final class CertStatusRequestV2Spec implements SSLExtensionSpec {
+        static final CertStatusRequestV2Spec DEFAULT =
+                new CertStatusRequestV2Spec(new CertStatusRequest[] {
+                        OCSPStatusRequest.EMPTY_OCSP_MULTI});
+
+        final CertStatusRequest[] certStatusRequests;
+
+        private CertStatusRequestV2Spec(CertStatusRequest[] certStatusRequests) {
+            this.certStatusRequests = certStatusRequests;
+        }
+
+        private CertStatusRequestV2Spec(ByteBuffer message) throws IOException {
+            // Is it a empty extension_data?
+            if (message.remaining() == 0) {
+                // server response
+                this.certStatusRequests = new CertStatusRequest[0];
+                return;
+            }
+
+            if (message.remaining() < 5) {  //  2: certificate_status_req_list
+                                            // +1: status_type
+                                            // +2: request_length
+                throw new SSLProtocolException(
+                    "Invalid status_request_v2 extension: insufficient data");
+            }
+
+            int listLen = Record.getInt16(message);
+            if (listLen <= 0) {
+                throw new SSLProtocolException(
+                    "certificate_status_req_list length must be positive " +
+                    "(received length: " + listLen + ")");
+            }
+
+            int remaining = listLen;
+            List<CertStatusRequest> statusRequests = new ArrayList<>();
+            while (remaining > 0) {
+                byte statusType = (byte)Record.getInt8(message);
+                int requestLen = Record.getInt16(message);
+
+                if (message.remaining() < requestLen) {
+                    throw new SSLProtocolException(
+                            "Invalid status_request_v2 extension: " +
+                            "insufficient data (request_length=" + requestLen +
+                            ", remining=" + message.remaining() + ")");
+                }
+
+                byte[] encoded = new byte[requestLen];
+                if (encoded.length != 0) {
+                    message.get(encoded);
+                }
+                remaining -= 3;     // 1(status type) + 2(request_length) bytes
+                remaining -= requestLen;
+
+                if (statusType == CertStatusRequestType.OCSP.id ||
+                        statusType == CertStatusRequestType.OCSP_MULTI.id) {
+                    if (encoded.length < 4) {
+                                        //  2: length of responder_id_list
+                                        // +2: length of request_extensions
+                        throw new SSLProtocolException(
+                            "Invalid status_request_v2 extension: " +
+                            "insufficient data");
+                    }
+                    statusRequests.add(
+                            new OCSPStatusRequest(statusType, encoded));
+                } else {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.info(
+                                "Unknown certificate status request " +
+                                "(status type: " + statusType + ")");
+                    }
+                    statusRequests.add(
+                            new CertStatusRequest(statusType, encoded));
+                }
+            }
+
+            certStatusRequests =
+                    statusRequests.toArray(new CertStatusRequest[0]);
+        }
+
+        @Override
+        public String toString() {
+            if (certStatusRequests == null || certStatusRequests.length == 0) {
+                return "<empty>";
+            } else {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"cert status request\": '{'\n{0}\n'}'", Locale.ENGLISH);
+
+                StringBuilder builder = new StringBuilder(512);
+                boolean isFirst = true;
+                for (CertStatusRequest csr : certStatusRequests) {
+                    if (isFirst) {
+                        isFirst = false;
+                    } else {
+                        builder.append(", ");
+                    }
+                    Object[] messageFields = {
+                            Utilities.indent(csr.toString())
+                        };
+                    builder.append(messageFormat.format(messageFields));
+                }
+
+                return builder.toString();
+            }
+        }
+    }
+
+    private static final
+            class CertStatusRequestsStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CertStatusRequestV2Spec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "status_request_v2" extension in the
+     * ClientHello handshake message.
+     */
+    private static final
+            class CHCertStatusReqV2Producer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHCertStatusReqV2Producer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            if (!chc.sslContext.isStaplingEnabled(true)) {
+                return null;
+            }
+
+            if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable status_request_v2 extension");
+                }
+
+                return null;
+            }
+
+            // Produce the extension.
+            //
+            // We are using empty OCSPStatusRequest at present. May extend to
+            // support specific responder or extensions later.
+            byte[] extData = new byte[] {
+                0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00};
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "status_request_v2" extension in the
+     * ClientHello handshake message.
+     */
+    private static final
+            class CHCertStatusReqV2Consumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHCertStatusReqV2Consumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable status_request_v2 extension");
+                }
+
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            CertStatusRequestV2Spec spec;
+            try {
+                spec = new CertStatusRequestV2Spec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec);
+            shc.handshakeProducers.putIfAbsent(
+                    SSLHandshake.CERTIFICATE_STATUS.id,
+                    SSLHandshake.CERTIFICATE_STATUS);
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * Network data producer of a "status_request_v2" extension in the
+     * ServerHello handshake message.
+     */
+    private static final
+            class SHCertStatusReqV2Producer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHCertStatusReqV2Producer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            // The StaplingParameters in the ServerHandshakeContext will
+            // contain the info about what kind of stapling (if any) to
+            // perform and whether this status_request extension should be
+            // produced or the status_request_v2 (found in a different producer)
+            // No explicit check is required for isStaplingEnabled here.  If
+            // it is false then stapleParams will be null.  If it is true
+            // then stapleParams may or may not be false and the check below
+            // is sufficient.
+            if ((shc.stapleParams == null) ||
+                    (shc.stapleParams.statusRespExt !=
+                    SSLExtension.CH_STATUS_REQUEST_V2)) {
+                return null;    // Do not produce status_request_v2 in SH
+            }
+
+            // In response to "status_request_v2" extension request only
+            CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec)
+                    shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
+            if (spec == null) {
+                // Ignore, no status_request_v2 extension requested.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable status_request_v2 extension");
+                }
+
+                return null;        // ignore the extension
+            }
+
+            // Is it a session resuming?
+            if (shc.isResumption) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "No status_request_v2 response for session resumption");
+                }
+                return null;        // ignore the extension
+            }
+
+            // The "extension_data" in the extended ServerHello handshake
+            // message MUST be empty.
+            byte[] extData = new byte[0];
+
+            // Update the context.
+            shc.handshakeExtensions.put(
+                    SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "status_request_v2" extension in the
+     * ServerHello handshake message.
+     */
+    private static final
+            class SHCertStatusReqV2Consumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHCertStatusReqV2Consumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The consumption happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "status_request" extension request only
+            CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
+                    chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
+            if (requestedCsr == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected status_request_v2 extension in ServerHello");
+            }
+
+            // Parse the extension.
+            if (buffer.hasRemaining()) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                  "Invalid status_request_v2 extension in ServerHello: " +
+                  "the extension data must be empty");
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT);
+            chc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_STATUS.id,
+                    SSLHandshake.CERTIFICATE_STATUS);
+
+            // Since we've received a legitimate status_request in the
+            // ServerHello, stapling is active if it's been enabled.
+            chc.staplingActive = chc.sslContext.isStaplingEnabled(true);
+
+            // No impact on session resumption.
+        }
+    }
+
+    private static final
+            class CTCertStatusResponseProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CTCertStatusResponseProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            byte[] producedData = null;
+
+            // Stapling needs to be active and have valid data to proceed
+            if (shc.stapleParams == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Stapling is disabled for this connection");
+                }
+                return null;
+            }
+
+            // There needs to be a non-null CertificateEntry to proceed
+            if (shc.currentCertEntry == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest("Found null CertificateEntry in context");
+                }
+                return null;
+            }
+
+            // Pull the certificate from the CertificateEntry and find
+            // a response from the response map.  If one exists we will
+            // staple it.
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                X509Certificate x509Cert =
+                        (X509Certificate)cf.generateCertificate(
+                                new ByteArrayInputStream(
+                                        shc.currentCertEntry.encoded));
+                byte[] respBytes = shc.stapleParams.responseMap.get(x509Cert);
+                if (respBytes == null) {
+                    // We're done with this entry.  Clear it from the context
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest("No status response found for " +
+                                x509Cert.getSubjectX500Principal());
+                    }
+                    shc.currentCertEntry = null;
+                    return null;
+                }
+
+                // Build a proper response buffer from the stapling information
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
+                    SSLLogger.finest("Found status response for " +
+                            x509Cert.getSubjectX500Principal() +
+                            ", response length: " + respBytes.length);
+                }
+                CertStatusResponse certResp = (shc.stapleParams.statReqType ==
+                        CertStatusRequestType.OCSP) ?
+                        new OCSPStatusResponse(shc.stapleParams.statReqType.id,
+                                respBytes) :
+                        new CertStatusResponse(shc.stapleParams.statReqType.id,
+                                respBytes);
+                producedData = certResp.toByteArray();
+            } catch (CertificateException ce) {
+                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                        "Failed to parse server certificates", ce);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
+                        "Failed to parse certificate status response", ioe);
+            }
+
+            // Clear the pinned CertificateEntry from the context
+            shc.currentCertEntry = null;
+            return producedData;
+        }
+    }
+
+    private static final
+        class CTCertStatusResponseConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CTCertStatusResponseConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The consumption happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Parse the extension.
+            CertStatusResponseSpec spec;
+            try {
+                spec = new CertStatusResponseSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (chc.sslContext.isStaplingEnabled(true)) {
+                // Activate stapling
+                chc.staplingActive = true;
+            } else {
+                // Do no further processing of stapled responses
+                return;
+            }
+
+            // Get response list from the session.  This is unmodifiable
+            // so we need to create a new list.  Then add this new response
+            // to the end and submit it back to the session object.
+            if ((chc.handshakeSession != null) && (!chc.isResumption)) {
+                List<byte[]> respList = new ArrayList<>(
+                        chc.handshakeSession.getStatusResponses());
+                respList.add(spec.statusResponse.encodedResponse);
+                chc.handshakeSession.setStatusResponses(respList);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
+                    SSLLogger.finest(
+                            "Ignoring stapled data on resumed session");
+                }
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CertificateMessage.java	2018-05-11 15:08:45.561874400 -0700
@@ -0,0 +1,1393 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.PublicKey;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorException.BasicReason;
+import java.security.cert.CertPathValidatorException.Reason;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLProtocolException;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
+import javax.security.auth.x500.X500Principal;
+import sun.security.ssl.CertificateMessage.T12CertificateMessage;
+import static sun.security.ssl.ClientAuthType.CLIENT_AUTH_REQUIRED;
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+
+/**
+ * Pack of the CertificateMessage handshake message.
+ */
+final class CertificateMessage {
+    static final SSLConsumer t12HandshakeConsumer =
+        new T12CertificateConsumer();
+    static final HandshakeProducer t12HandshakeProducer =
+        new T12CertificateProducer();
+
+    static final SSLConsumer t13HandshakeConsumer =
+        new T13CertificateConsumer();
+    static final HandshakeProducer t13HandshakeProducer =
+        new T13CertificateProducer();
+
+    /**
+     * The Certificate handshake message for TLS 1.2 and previous
+     * SSL/TLS protocol versions.
+     *
+     * In server mode, the certificate handshake message is sent whenever the
+     * agreed-upon key exchange method uses certificates for authentication.
+     * In client mode, this message is only sent if the server requests a
+     * certificate for client authentication.
+     *
+     *       opaque ASN.1Cert<1..2^24-1>;
+     *
+     * SSL 3.0:
+     *       struct {
+     *           ASN.1Cert certificate_list<1..2^24-1>;
+     *       } Certificate;
+     * Note: For SSL 3.0 client authentication, if no suitable certificate
+     * is available, the client should send a no_certificate alert instead.
+     * This alert is only a warning; however, the server may respond with
+     * a fatal handshake failure alert if client authentication is required.
+     *
+     * TLS 1.0/1.1/1.2:
+     *       struct {
+     *           ASN.1Cert certificate_list<0..2^24-1>;
+     *       } Certificate;
+     */
+    static final class T12CertificateMessage extends HandshakeMessage {
+        final List<byte[]> encodedCertChain;
+
+        T12CertificateMessage(HandshakeContext handshakeContext,
+                X509Certificate[] certChain) throws SSLException {
+            super(handshakeContext);
+
+            List<byte[]> encodedCerts = new ArrayList<>(certChain.length);
+            for (X509Certificate cert : certChain) {
+                try {
+                    encodedCerts.add(cert.getEncoded());
+                } catch (CertificateEncodingException cee) {
+                    // unlikely
+                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Could not encode certificate (" +
+                            cert.getSubjectX500Principal() + ")", cee);
+                    break;      // make the complier happy
+                }
+            }
+
+            this.encodedCertChain = encodedCerts;
+        }
+
+        T12CertificateMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            int listLen = Record.getInt24(m);
+            if (listLen > m.remaining()) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Error parsing certificate message:no sufficient data");
+            }
+            if (listLen > 0) {
+                List<byte[]> encodedCerts = new LinkedList<>();
+                while (listLen > 0) {
+                    byte[] encodedCert = Record.getBytes24(m);
+                    listLen -= (3 + encodedCert.length);
+                    encodedCerts.add(encodedCert);
+                }
+                this.encodedCertChain = encodedCerts;
+            } else {
+                this.encodedCertChain = Collections.emptyList();
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE;
+        }
+
+        @Override
+        public int messageLength() {
+            int msgLen = 3;
+            for (byte[] encodedCert : encodedCertChain) {
+                msgLen += (encodedCert.length + 3);
+            }
+
+            return msgLen;
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            int listLen = 0;
+            for (byte[] encodedCert : encodedCertChain) {
+                listLen += (encodedCert.length + 3);
+            }
+
+            hos.putInt24(listLen);
+            for (byte[] encodedCert : encodedCertChain) {
+                hos.putBytes24(encodedCert);
+            }
+        }
+
+        @Override
+        public String toString() {
+            if (encodedCertChain.isEmpty()) {
+                return "\"Certificates\": <empty list>";
+            }
+
+            Object[] x509Certs = new Object[encodedCertChain.size()];
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                int i = 0;
+                for (byte[] encodedCert : encodedCertChain) {
+                    Object obj;
+                    try {
+                        obj = (X509Certificate)cf.generateCertificate(
+                                    new ByteArrayInputStream(encodedCert));
+                    } catch (CertificateException ce) {
+                        obj = encodedCert;
+                    }
+                    x509Certs[i++] = obj;
+                }
+            } catch (CertificateException ce) {
+                // no X.509 certificate factory service
+                int i = 0;
+                for (byte[] encodedCert : encodedCertChain) {
+                    x509Certs[i++] = encodedCert;
+                }
+            }
+
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"Certificates\": [\n" +
+                    "{0}\n" +
+                    "]",
+                    Locale.ENGLISH);
+            Object[] messageFields = {
+                SSLLogger.toString(x509Certs)
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "Certificate" handshake message producer for TLS 1.2 and
+     * previous SSL/TLS protocol versions.
+     */
+    private static final
+            class T12CertificateProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T12CertificateProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+            if (hc.sslConfig.isClientMode) {
+                return onProduceCertificate(
+                        (ClientHandshakeContext)context, message);
+            } else {
+                return onProduceCertificate(
+                        (ServerHandshakeContext)context, message);
+            }
+        }
+
+        private byte[] onProduceCertificate(ServerHandshakeContext shc,
+                SSLHandshake.HandshakeMessage message) throws IOException {
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            if (x509Possession == null) {       // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No expected X.509 certificate for server authentication");
+
+                return null;        // make the compiler happy
+            }
+
+            shc.handshakeSession.setLocalPrivateKey(
+                    x509Possession.popPrivateKey);
+            shc.handshakeSession.setLocalCertificates(x509Possession.popCerts);
+            T12CertificateMessage cm =
+                    new T12CertificateMessage(shc, x509Possession.popCerts);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced server Certificate handshake message", cm);
+            }
+
+            // Output the handshake message.
+            cm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private byte[] onProduceCertificate(ClientHandshakeContext chc,
+                SSLHandshake.HandshakeMessage message) throws IOException {
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : chc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            // Report to the server if no appropriate cert was found.  For
+            // SSL 3.0, send a no_certificate alert;  TLS 1.0/1.1/1.2 uses
+            // an empty cert chain instead.
+            if (x509Possession == null) {
+                if (chc.negotiatedProtocol.useTLS10PlusSpec()) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "No X.509 certificate for client authentication, " +
+                            "use empty Certificate message instead");
+                    }
+
+                    x509Possession =
+                            new X509Possession(null, new X509Certificate[0]);
+                } else {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "No X.509 certificate for client authentication, " +
+                            "send a no_certificate alert");
+                    }
+
+                    chc.conContext.warning(Alert.NO_CERTIFICATE);
+                    return null;
+                }
+            }
+
+            chc.handshakeSession.setLocalPrivateKey(
+                    x509Possession.popPrivateKey);
+            if (x509Possession.popCerts != null &&
+                    x509Possession.popCerts.length != 0) {
+                chc.handshakeSession.setLocalCertificates(
+                        x509Possession.popCerts);
+            } else {
+                chc.handshakeSession.setLocalCertificates(null);
+            }
+            T12CertificateMessage cm =
+                    new T12CertificateMessage(chc, x509Possession.popCerts);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced client Certificate handshake message", cm);
+            }
+
+            // Output the handshake message.
+            cm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "Certificate" handshake message consumer for TLS 1.2 and
+     * previous SSL/TLS protocol versions.
+     */
+    static final
+            class T12CertificateConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T12CertificateConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+
+            // clean up this consumer
+            hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id);
+
+            T12CertificateMessage cm = new T12CertificateMessage(hc, message);
+            if (hc.sslConfig.isClientMode) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Consuming server Certificate handshake message", cm);
+                }
+                onCertificate((ClientHandshakeContext)context, cm);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Consuming client Certificate handshake message", cm);
+                }
+                onCertificate((ServerHandshakeContext)context, cm);
+            }
+        }
+
+        private void onCertificate(ServerHandshakeContext shc,
+                T12CertificateMessage certificateMessage )throws IOException {
+            List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
+            if (encodedCerts == null || encodedCerts.isEmpty()) {
+                if (shc.sslConfig.clientAuthType !=
+                        ClientAuthType.CLIENT_AUTH_REQUESTED) {
+                    // unexpected or require client authentication
+                    shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                        "Empty server certificate chain");
+                } else {
+                    return;
+                }
+            }
+
+            X509Certificate[] x509Certs =
+                    new X509Certificate[encodedCerts.size()];
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                int i = 0;
+                for (byte[] encodedCert : encodedCerts) {
+                    x509Certs[i++] = (X509Certificate)cf.generateCertificate(
+                                    new ByteArrayInputStream(encodedCert));
+                }
+            } catch (CertificateException ce) {
+                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    "Failed to parse server certificates", ce);
+            }
+
+            checkClientCerts(shc, x509Certs);
+
+            //
+            // update
+            //
+            shc.handshakeCredentials.add(
+                new X509Credentials(x509Certs[0].getPublicKey(), x509Certs));
+            shc.handshakeSession.setPeerCertificates(x509Certs);
+        }
+
+        private void onCertificate(ClientHandshakeContext chc,
+                T12CertificateMessage certificateMessage) throws IOException {
+            List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
+            if (encodedCerts == null || encodedCerts.isEmpty()) {
+                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    "Empty server certificate chain");
+            }
+
+            X509Certificate[] x509Certs =
+                    new X509Certificate[encodedCerts.size()];
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                int i = 0;
+                for (byte[] encodedCert : encodedCerts) {
+                    x509Certs[i++] = (X509Certificate)cf.generateCertificate(
+                                    new ByteArrayInputStream(encodedCert));
+                }
+            } catch (CertificateException ce) {
+                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    "Failed to parse server certificates", ce);
+            }
+
+            // Allow server certificate change in client side during
+            // renegotiation after a session-resumption abbreviated
+            // initial handshake?
+            //
+            // DO NOT need to check allowUnsafeServerCertChange here. We only
+            // reserve server certificates when allowUnsafeServerCertChange is
+            // flase.
+            if (chc.reservedServerCerts != null) {
+                // It is not necessary to check the certificate update if
+                // endpoint identification is enabled.
+                String identityAlg = chc.sslConfig.identificationProtocol;
+                if ((identityAlg == null || identityAlg.length() == 0) &&
+                        !isIdentityEquivalent(x509Certs[0],
+                                chc.reservedServerCerts[0])) {
+                    chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                            "server certificate change is restricted " +
+                            "during renegotiation");
+                }
+            }
+
+            // ask the trust manager to verify the chain
+            if (chc.staplingActive) {
+                // Defer the certificate check until after we've received the
+                // CertificateStatus message.  If that message doesn't come in
+                // immediately following this message we will execute the
+                // check from CertificateStatus' absent handler.
+                chc.deferredCerts = x509Certs;
+            } else {
+                // We're not doing stapling, so perform the check right now
+                checkServerCerts(chc, x509Certs);
+            }
+
+            //
+            // update
+            //
+            chc.handshakeCredentials.add(
+                new X509Credentials(x509Certs[0].getPublicKey(), x509Certs));
+            chc.handshakeSession.setPeerCertificates(x509Certs);
+        }
+
+        /*
+         * Whether the certificates can represent the same identity?
+         *
+         * The certificates can be used to represent the same identity:
+         *     1. If the subject alternative names of IP address are present
+         *        in both certificates, they should be identical; otherwise,
+         *     2. if the subject alternative names of DNS name are present in
+         *        both certificates, they should be identical; otherwise,
+         *     3. if the subject fields are present in both certificates, the
+         *        certificate subjects and issuers should be identical.
+         */
+        private static boolean isIdentityEquivalent(X509Certificate thisCert,
+                X509Certificate prevCert) {
+            if (thisCert.equals(prevCert)) {
+                return true;
+            }
+
+            // check subject alternative names
+            Collection<List<?>> thisSubjectAltNames = null;
+            try {
+                thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
+            } catch (CertificateParsingException cpe) {
+                if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
+                    SSLLogger.fine(
+                        "Attempt to obtain subjectAltNames extension failed!");
+                }
+            }
+
+            Collection<List<?>> prevSubjectAltNames = null;
+            try {
+                prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
+            } catch (CertificateParsingException cpe) {
+                if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
+                    SSLLogger.fine(
+                        "Attempt to obtain subjectAltNames extension failed!");
+                }
+            }
+
+            if (thisSubjectAltNames != null && prevSubjectAltNames != null) {
+                // check the iPAddress field in subjectAltName extension
+                //
+                // 7: subject alternative name of type IP.
+                Collection<String> thisSubAltIPAddrs =
+                            getSubjectAltNames(thisSubjectAltNames, 7);
+                Collection<String> prevSubAltIPAddrs =
+                            getSubjectAltNames(prevSubjectAltNames, 7);
+                if (thisSubAltIPAddrs != null && prevSubAltIPAddrs != null &&
+                    isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs)) {
+                    return true;
+                }
+
+                // check the dNSName field in subjectAltName extension
+                // 2: subject alternative name of type IP.
+                Collection<String> thisSubAltDnsNames =
+                            getSubjectAltNames(thisSubjectAltNames, 2);
+                Collection<String> prevSubAltDnsNames =
+                            getSubjectAltNames(prevSubjectAltNames, 2);
+                if (thisSubAltDnsNames != null && prevSubAltDnsNames != null &&
+                    isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames)) {
+                    return true;
+                }
+            }
+
+            // check the certificate subject and issuer
+            X500Principal thisSubject = thisCert.getSubjectX500Principal();
+            X500Principal prevSubject = prevCert.getSubjectX500Principal();
+            X500Principal thisIssuer = thisCert.getIssuerX500Principal();
+            X500Principal prevIssuer = prevCert.getIssuerX500Principal();
+
+            return (!thisSubject.getName().isEmpty() &&
+                    !prevSubject.getName().isEmpty() &&
+                    thisSubject.equals(prevSubject) &&
+                    thisIssuer.equals(prevIssuer));
+        }
+
+        /*
+         * Returns the subject alternative name of the specified type in the
+         * subjectAltNames extension of a certificate.
+         *
+         * Note that only those subjectAltName types that use String data
+         * should be passed into this function.
+         */
+        private static Collection<String> getSubjectAltNames(
+                Collection<List<?>> subjectAltNames, int type) {
+            HashSet<String> subAltDnsNames = null;
+            for (List<?> subjectAltName : subjectAltNames) {
+                int subjectAltNameType = (Integer)subjectAltName.get(0);
+                if (subjectAltNameType == type) {
+                    String subAltDnsName = (String)subjectAltName.get(1);
+                    if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
+                        if (subAltDnsNames == null) {
+                            subAltDnsNames =
+                                    new HashSet<>(subjectAltNames.size());
+                        }
+                        subAltDnsNames.add(subAltDnsName);
+                    }
+                }
+            }
+
+            return subAltDnsNames;
+        }
+
+        private static boolean isEquivalent(Collection<String> thisSubAltNames,
+                Collection<String> prevSubAltNames) {
+            for (String thisSubAltName : thisSubAltNames) {
+                for (String prevSubAltName : prevSubAltNames) {
+                    // Only allow the exactly match.  No wildcard character
+                    // checking.
+                    if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) {
+                        return true;
+                    }
+                }
+            }
+
+            return false;
+        }
+
+        /**
+         * Perform client-side checking of server certificates.
+         *
+         * @param certs an array of {@code X509Certificate} objects presented
+         *      by the server in the ServerCertificate message.
+         *
+         * @throws IOException if a failure occurs during validation or
+         *      the trust manager associated with the {@code SSLContext} is not
+         *      an {@code X509ExtendedTrustManager}.
+         */
+        static void checkServerCerts(ClientHandshakeContext chc,
+                X509Certificate[] certs) throws IOException {
+
+            X509TrustManager tm = chc.sslContext.getX509TrustManager();
+
+            // find out the key exchange algorithm used
+            // use "RSA" for non-ephemeral "RSA_EXPORT"
+            String keyExchangeString;
+            if (chc.negotiatedCipherSuite.keyExchange ==
+                    CipherSuite.KeyExchange.K_RSA_EXPORT ||
+                    chc.negotiatedCipherSuite.keyExchange ==
+                CipherSuite.KeyExchange.K_DHE_RSA_EXPORT) {
+                keyExchangeString = CipherSuite.KeyExchange.K_RSA.name;
+            } else {
+                keyExchangeString = chc.negotiatedCipherSuite.keyExchange.name;
+            }
+
+            try {
+                if (tm instanceof X509ExtendedTrustManager) {
+                    if (chc.conContext.transport instanceof SSLEngine) {
+                        SSLEngine engine = (SSLEngine)chc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkServerTrusted(
+                            certs.clone(),
+                            keyExchangeString,
+                            engine);
+                    } else {
+                        SSLSocket socket = (SSLSocket)chc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkServerTrusted(
+                            certs.clone(),
+                            keyExchangeString,
+                            socket);
+                    }
+                } else {
+                    // Unlikely to happen, because we have wrapped the old
+                    // X509TrustManager with the new X509ExtendedTrustManager.
+                    throw new CertificateException(
+                            "Improper X509TrustManager implementation");
+                }
+
+                // Once the server certificate chain has been validated, set
+                // the certificate chain in the TLS session.
+                chc.handshakeSession.setPeerCertificates(certs);
+            } catch (CertificateException ce) {
+                chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+            }
+        }
+
+        private static void checkClientCerts(ServerHandshakeContext shc,
+                X509Certificate[] certs) throws IOException {
+            X509TrustManager tm = shc.sslContext.getX509TrustManager();
+
+            // find out the types of client authentication used
+            PublicKey key = certs[0].getPublicKey();
+            String keyAlgorithm = key.getAlgorithm();
+            String authType;
+            if (keyAlgorithm.equals("RSA")) {
+                authType = "RSA";
+            } else if (keyAlgorithm.equals("DSA")) {
+                authType = "DSA";
+            } else if (keyAlgorithm.equals("EC")) {
+                authType = "EC";
+            } else {
+                // unknown public key type
+                authType = "UNKNOWN";
+            }
+
+            try {
+                if (tm instanceof X509ExtendedTrustManager) {
+                    if (shc.conContext.transport instanceof SSLEngine) {
+                        SSLEngine engine = (SSLEngine)shc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkClientTrusted(
+                            certs.clone(),
+                            authType,
+                            engine);
+                    } else {
+                        SSLSocket socket = (SSLSocket)shc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkClientTrusted(
+                            certs.clone(),
+                            authType,
+                            socket);
+                    }
+                } else {
+                    // Unlikely to happen, because we have wrapped the old
+                    // X509TrustManager with the new X509ExtendedTrustManager.
+                    throw new CertificateException(
+                            "Improper X509TrustManager implementation");
+                }
+            } catch (CertificateException ce) {
+                shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+            }
+        }
+
+        /**
+         * When a failure happens during certificate checking from an
+         * {@link X509TrustManager}, determine what TLS alert description
+         * to use.
+         *
+         * @param cexc The exception thrown by the {@link X509TrustManager}
+         *
+         * @return A byte value corresponding to a TLS alert description number.
+         */
+        private static Alert getCertificateAlert(
+                ClientHandshakeContext chc, CertificateException cexc) {
+            // The specific reason for the failure will determine how to
+            // set the alert description value
+            Alert alert = Alert.CERTIFICATE_UNKNOWN;
+
+            Throwable baseCause = cexc.getCause();
+            if (baseCause instanceof CertPathValidatorException) {
+                CertPathValidatorException cpve =
+                        (CertPathValidatorException)baseCause;
+                Reason reason = cpve.getReason();
+                if (reason == BasicReason.REVOKED) {
+                    alert = chc.staplingActive ?
+                            Alert.BAD_CERT_STATUS_RESPONSE :
+                            Alert.CERTIFICATE_REVOKED;
+                } else if (
+                        reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
+                    alert = chc.staplingActive ?
+                            Alert.BAD_CERT_STATUS_RESPONSE :
+                            Alert.CERTIFICATE_UNKNOWN;
+                }
+            }
+
+            return alert;
+        }
+
+    }
+
+    /**
+     * The certificate entry used in Certificate handshake message for TLS 1.3.
+     */
+    static final class CertificateEntry {
+        final byte[] encoded;       // encoded cert or public key
+        private final SSLExtensions extensions;
+
+        CertificateEntry(byte[] encoded, SSLExtensions extensions) {
+            this.encoded = encoded;
+            this.extensions = extensions;
+        }
+
+        private int getEncodedSize() {
+            int extLen = extensions.length();
+            if (extLen == 0) {
+                extLen = 2;     // empty extensions
+            }
+            return 3 + encoded.length + extLen;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\n'{'\n" +
+                "{0}\n" +                       // X.509 certificate
+                "  \"extensions\": '{'\n" +
+                "{1}\n" +
+                "  '}'\n" +
+                "'}',", Locale.ENGLISH);
+
+            Object x509Certs;
+            try {
+                // Don't support certificate type extension (RawPublicKey) yet.
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                x509Certs =
+                    cf.generateCertificate(new ByteArrayInputStream(encoded));
+            } catch (CertificateException ce) {
+                // no X.509 certificate factory service
+                x509Certs = encoded;
+            }
+
+            Object[] messageFields = {
+                SSLLogger.toString(x509Certs),
+                Utilities.indent(extensions.toString(), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The Certificate handshake message for TLS 1.3.
+     */
+    static final class T13CertificateMessage extends HandshakeMessage {
+        private final byte[] requestContext;
+        private final List<CertificateEntry> certEntries;
+
+        T13CertificateMessage(HandshakeContext context,
+                byte[] requestContext, X509Certificate[] certificates)
+                throws SSLException, CertificateException  {
+            super(context);
+
+            this.requestContext = requestContext.clone();
+            this.certEntries = new LinkedList<>();
+            for (X509Certificate cert : certificates) {
+                // TODO: shall we use the Certificate for the session?
+                byte[] encoded = cert.getEncoded();
+                SSLExtensions extensions = new SSLExtensions(this);
+                certEntries.add(new CertificateEntry(encoded, extensions));
+            }
+        }
+
+        T13CertificateMessage(HandshakeContext handshakeContext,
+                byte[] requestContext, List<CertificateEntry> certificates) {
+            super(handshakeContext);
+
+            this.requestContext = requestContext.clone();
+            this.certEntries = certificates;
+        }
+
+        T13CertificateMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // struct {
+            //      opaque certificate_request_context<0..2^8-1>;
+            //      CertificateEntry certificate_list<0..2^24-1>;
+            //  } Certificate;
+            if (m.remaining() < 4) {
+                throw new SSLProtocolException(
+                        "Invalid Certificate message: " +
+                        "insufficient data (length=" + m.remaining() + ")");
+            }
+            this.requestContext = Record.getBytes8(m);
+
+            if (m.remaining() < 3) {
+                throw new SSLProtocolException(
+                        "Invalid Certificate message: " +
+                        "insufficient certificate entries data (length=" +
+                        m.remaining() + ")");
+            }
+
+            int listLen = Record.getInt24(m);
+            if (listLen != m.remaining()) {
+                throw new SSLProtocolException(
+                    "Invalid Certificate message: " +
+                    "incorrect list length (length=" + listLen + ")");
+            }
+
+            SSLExtension[] enabledExtensions =
+                handshakeContext.sslConfig.getEnabledExtensions(
+                        SSLHandshake.CERTIFICATE);
+            List<CertificateEntry> certList = new LinkedList<>();
+            while (m.hasRemaining()) {
+                // Note: support only X509 CertificateType right now.
+                byte[] encodedCert = Record.getBytes24(m);
+                if (encodedCert.length == 0) {
+                    throw new SSLProtocolException(
+                        "Invalid Certificate message: empty cert_data");
+                }
+
+                SSLExtensions extensions =
+                        new SSLExtensions(this, m, enabledExtensions);
+                certList.add(new CertificateEntry(encodedCert, extensions));
+            }
+
+            this.certEntries = Collections.unmodifiableList(certList);
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE;
+        }
+
+        @Override
+        public int messageLength() {
+            int msgLen = 4 + requestContext.length;
+            for (CertificateEntry entry : certEntries) {
+                msgLen += entry.getEncodedSize();
+            }
+
+            return msgLen;
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            int entryListLen = 0;
+            for (CertificateEntry entry : certEntries) {
+                entryListLen += entry.getEncodedSize();
+            }
+
+            hos.putBytes8(requestContext);
+            hos.putInt24(entryListLen);
+            for (CertificateEntry entry : certEntries) {
+                hos.putBytes24(entry.encoded);
+                // Is it an empty extensions?
+                if (entry.extensions.length() == 0) {
+                    hos.putInt16(0);
+                } else {
+                    entry.extensions.send(hos);
+                }
+            }
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"Certificate\": '{'\n" +
+                "  \"certificate_request_context\": \"{0}\",\n" +
+                "  \"certificate_list\": [{1}\n]\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            StringBuilder builder = new StringBuilder(512);
+            for (CertificateEntry entry : certEntries) {
+                builder.append(entry.toString());
+            }
+
+            Object[] messageFields = {
+                Utilities.toHexString(requestContext),
+                Utilities.indent(builder.toString())
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "Certificate" handshake message producer for TLS 1.3.
+     */
+    private static final
+            class T13CertificateProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13CertificateProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+            if (hc.sslConfig.isClientMode) {
+                return onProduceCertificate(
+                        (ClientHandshakeContext)context, message);
+            } else {
+                return onProduceCertificate(
+                        (ServerHandshakeContext)context, message);
+            }
+        }
+
+        private byte[] onProduceCertificate(ServerHandshakeContext shc,
+                HandshakeMessage message) throws IOException {
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            SSLPossession pos = choosePossession(shc, clientHello);
+            if (pos == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No available authentication scheme");
+                return null;    // make the complier happy
+            }
+
+            if (!(pos instanceof X509Possession)) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No X.509 certificate for server authentication");
+            }
+
+            X509Possession x509Possession = (X509Possession)pos;
+            X509Certificate[] localCerts = x509Possession.popCerts;
+            if (localCerts == null || localCerts.length == 0) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "No X.509 certificate for server authentication");
+                return null;    // make the complier happy
+            }
+
+            // update the context
+            shc.handshakePossessions.add(x509Possession);
+            shc.handshakeSession.setLocalPrivateKey(
+                    x509Possession.popPrivateKey);
+            shc.handshakeSession.setLocalCertificates(localCerts);
+            T13CertificateMessage cm;
+            try {
+                cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
+            } catch (SSLException | CertificateException ce) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Failed to produce server Certificate message", ce);
+                return null;    // make the complier happy
+            }
+
+            // Check the OCSP stapling extensions and attempt
+            // to get responses.  If the resulting stapleParams is non
+            // null, it implies that stapling is enabled on the server side.
+            shc.stapleParams = StatusResponseManager.processStapling(shc);
+            shc.staplingActive = (shc.stapleParams != null);
+
+            // Process extensions for each CertificateEntry.
+            // Since there can be multiple CertificateEntries within a
+            // single CT message, we will pin a specific CertificateEntry
+            // into the ServerHandshakeContext so individual extension
+            // producers know which X509Certificate it is processing in
+            // each call.
+            SSLExtension[] enabledCTExts = shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CERTIFICATE,
+                    Arrays.asList(ProtocolVersion.PROTOCOLS_OF_13));
+            for (CertificateEntry certEnt : cm.certEntries) {
+                shc.currentCertEntry = certEnt;
+                certEnt.extensions.produce(shc, enabledCTExts);
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced server Certificate message", cm);
+            }
+
+            // Output the handshake message.
+            cm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private static SSLPossession choosePossession(
+                HandshakeContext hc,
+                ClientHelloMessage clientHello) throws IOException {
+            if (hc.peerRequestedCertSignSchemes == null ||
+                    hc.peerRequestedCertSignSchemes.isEmpty()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "No signature_algorithms(_cert) in ClientHello");
+                }
+                return null;
+            }
+
+            Collection<String> checkedKeyTypes = new HashSet<>();
+            for (SignatureScheme ss : hc.peerRequestedCertSignSchemes) {
+                if (checkedKeyTypes.contains(ss.keyAlgorithm)) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                            "Unsupported authentication scheme: " + ss.name);
+                    }
+                    continue;
+                }
+
+                // Don't select a signature scheme unless we will be able to
+                // produce a CertificateVerify message later
+                if (SignatureScheme.getPreferableAlgorithm(
+                    hc.peerRequestedSignatureSchemes,
+                    ss, hc.negotiatedProtocol) == null) {
+
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                        "Unable to produce CertificateVerify for scheme: " + ss.name);
+                    }
+                    checkedKeyTypes.add(ss.keyAlgorithm);
+                    continue;
+                }
+
+                SSLAuthentication ka =
+                        X509Authentication.nameOf(ss.keyAlgorithm);
+                if (ka == null) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                            "Unsupported authentication scheme: " + ss.name);
+                    }
+                    checkedKeyTypes.add(ss.keyAlgorithm);
+                    continue;
+                }
+
+                SSLPossession pos = ka.createPossession(hc);
+                if (pos == null) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                            "Unavailable authentication scheme: " + ss.name);
+                    }
+                    continue;
+                }
+
+                return pos;
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.warning("No available authentication scheme");
+            }
+            return null;
+        }
+
+        private byte[] onProduceCertificate(ClientHandshakeContext chc,
+                HandshakeMessage message) throws IOException {
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+            SSLPossession pos = choosePossession(chc, clientHello);
+            X509Certificate[] localCerts;
+            if (pos == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("No available client authentication scheme");
+                }
+                localCerts = new X509Certificate[0];
+            } else {
+                chc.handshakePossessions.add(pos);
+                if (!(pos instanceof X509Possession)) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "No X.509 certificate for client authentication");
+                    }
+                    localCerts = new X509Certificate[0];
+                } else {
+                    X509Possession x509Possession = (X509Possession)pos;
+                    localCerts = x509Possession.popCerts;
+                    chc.handshakeSession.setLocalPrivateKey(
+                            x509Possession.popPrivateKey);
+                }
+            }
+
+            if (localCerts != null && localCerts.length != 0) {
+                chc.handshakeSession.setLocalCertificates(localCerts);
+            } else {
+                chc.handshakeSession.setLocalCertificates(null);
+            }
+
+            T13CertificateMessage cm;
+            try {
+                cm = new T13CertificateMessage(
+                        chc, chc.certRequestContext, localCerts);
+            } catch (SSLException | CertificateException ce) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Failed to produce client Certificate message", ce);
+                return null;    // make the complier happy
+            }
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced client Certificate message", cm);
+            }
+
+            // Output the handshake message.
+            cm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "Certificate" handshake message consumer for TLS 1.3.
+     */
+    private static final class T13CertificateConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T13CertificateConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+
+            // clean up this consumer
+            hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id);
+            T13CertificateMessage cm = new T13CertificateMessage(hc, message);
+            if (hc.sslConfig.isClientMode) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Consuming server Certificate handshake message", cm);
+                }
+                onConsumeCertificate((ClientHandshakeContext)context, cm);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Consuming client Certificate handshake message", cm);
+                }
+                onConsumeCertificate((ServerHandshakeContext)context, cm);
+            }
+        }
+
+        private void onConsumeCertificate(ServerHandshakeContext shc,
+                T13CertificateMessage certificateMessage )throws IOException {
+            if (certificateMessage.certEntries == null ||
+                    certificateMessage.certEntries.isEmpty()) {
+                if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
+                    shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                        "Empty client certificate chain");
+                } else {
+                    // optional client authentication
+                    return;
+                }
+            }
+
+            // check client certificate entries
+            X509Certificate[] cliCerts =
+                    checkClientCerts(shc, certificateMessage.certEntries);
+
+            //
+            // update
+            //
+            shc.handshakeCredentials.add(
+                new X509Credentials(cliCerts[0].getPublicKey(), cliCerts));
+            shc.handshakeSession.setPeerCertificates(cliCerts);
+        }
+
+        private void onConsumeCertificate(ClientHandshakeContext chc,
+                T13CertificateMessage certificateMessage )throws IOException {
+            if (certificateMessage.certEntries == null ||
+                    certificateMessage.certEntries.isEmpty()) {
+                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    "Empty server certificate chain");
+            }
+
+            // Each CertificateEntry will have its own set of extensions
+            // which must be consumed.
+            SSLExtension[] enabledExtensions =
+                chc.sslConfig.getEnabledExtensions(SSLHandshake.CERTIFICATE);
+            for (CertificateEntry certEnt : certificateMessage.certEntries) {
+                certEnt.extensions.consumeOnLoad(chc, enabledExtensions);
+            }
+
+            // check server certificate entries
+            X509Certificate[] srvCerts =
+                    checkServerCerts(chc, certificateMessage.certEntries);
+
+            //
+            // update
+            //
+            chc.handshakeCredentials.add(
+                new X509Credentials(srvCerts[0].getPublicKey(), srvCerts));
+            chc.handshakeSession.setPeerCertificates(srvCerts);
+        }
+
+        private static X509Certificate[] checkClientCerts(
+                ServerHandshakeContext shc,
+                List<CertificateEntry> certEntries) throws IOException {
+            X509Certificate[] certs =
+                    new X509Certificate[certEntries.size()];
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                int i = 0;
+                for (CertificateEntry entry : certEntries) {
+                    certs[i++] = (X509Certificate)cf.generateCertificate(
+                                    new ByteArrayInputStream(entry.encoded));
+                    // TODO: check extensions
+                }
+            } catch (CertificateException ce) {
+                shc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    "Failed to parse server certificates", ce);
+            }
+
+            // find out the types of client authentication used
+            String keyAlgorithm = certs[0].getPublicKey().getAlgorithm();
+            String authType;
+            switch (keyAlgorithm) {
+                case "RSA":
+                    authType = "RSA";
+                    break;
+                case "DSA":
+                    authType = "DSA";
+                    break;
+                case "EC":
+                    authType = "EC";
+                    break;
+                default:
+                    // unknown public key type
+                    authType = "UNKNOWN";
+                    break;
+            }
+
+            try {
+                X509TrustManager tm = shc.sslContext.getX509TrustManager();
+                if (tm instanceof X509ExtendedTrustManager) {
+                    if (shc.conContext.transport instanceof SSLEngine) {
+                        SSLEngine engine = (SSLEngine)shc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkClientTrusted(
+                            certs.clone(),
+                            authType,
+                            engine);
+                    } else {
+                        SSLSocket socket = (SSLSocket)shc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkClientTrusted(
+                            certs.clone(),
+                            authType,
+                            socket);
+                    }
+                } else {
+                    // Unlikely to happen, because we have wrapped the old
+                    // X509TrustManager with the new X509ExtendedTrustManager.
+                    throw new CertificateException(
+                            "Improper X509TrustManager implementation");
+                }
+
+                // Once the client certificate chain has been validated, set
+                // the certificate chain in the TLS session.
+                shc.handshakeSession.setPeerCertificates(certs);
+            } catch (CertificateException ce) {
+                // TODO: A more precise alert should be used.
+                shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
+            }
+
+            return certs;
+        }
+
+        private static X509Certificate[] checkServerCerts(
+                ClientHandshakeContext chc,
+                List<CertificateEntry> certEntries) throws IOException {
+            X509Certificate[] certs =
+                    new X509Certificate[certEntries.size()];
+            try {
+                CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                int i = 0;
+                for (CertificateEntry entry : certEntries) {
+                    certs[i++] = (X509Certificate)cf.generateCertificate(
+                                    new ByteArrayInputStream(entry.encoded));
+                    // TODO: check extensions
+                }
+            } catch (CertificateException ce) {
+                chc.conContext.fatal(Alert.BAD_CERTIFICATE,
+                    "Failed to parse server certificates", ce);
+            }
+
+            // find out the types of client authentication used
+            /*
+            String keyAlgorithm = certs[0].getPublicKey().getAlgorithm();
+            String authType;
+            switch (keyAlgorithm) {
+                case "RSA":
+                    authType = "RSA";
+                    break;
+                case "DSA":
+                    authType = "DSA";
+                    break;
+                case "EC":
+                    authType = "EC";
+                    break;
+                default:
+                    // unknown public key type
+                    authType = "UNKNOWN";
+                    break;
+            }
+            */
+            String authType = "UNKNOWN";
+
+            try {
+                X509TrustManager tm = chc.sslContext.getX509TrustManager();
+                if (tm instanceof X509ExtendedTrustManager) {
+                    if (chc.conContext.transport instanceof SSLEngine) {
+                        SSLEngine engine = (SSLEngine)chc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkServerTrusted(
+                            certs.clone(),
+                            authType,
+                            engine);
+                    } else {
+                        SSLSocket socket = (SSLSocket)chc.conContext.transport;
+                        ((X509ExtendedTrustManager)tm).checkServerTrusted(
+                            certs.clone(),
+                            authType,
+                            socket);
+                    }
+                } else {
+                    // Unlikely to happen, because we have wrapped the old
+                    // X509TrustManager with the new X509ExtendedTrustManager.
+                    throw new CertificateException(
+                            "Improper X509TrustManager implementation");
+                }
+
+                // Once the server certificate chain has been validated, set
+                // the certificate chain in the TLS session.
+                chc.handshakeSession.setPeerCertificates(certs);
+            } catch (CertificateException ce) {
+                chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
+            }
+
+            return certs;
+        }
+
+        /**
+         * When a failure happens during certificate checking from an
+         * {@link X509TrustManager}, determine what TLS alert description
+         * to use.
+         *
+         * @param cexc The exception thrown by the {@link X509TrustManager}
+         *
+         * @return A byte value corresponding to a TLS alert description number.
+         */
+        private static Alert getCertificateAlert(
+                ClientHandshakeContext chc, CertificateException cexc) {
+            // The specific reason for the failure will determine how to
+            // set the alert description value
+            Alert alert = Alert.CERTIFICATE_UNKNOWN;
+
+            Throwable baseCause = cexc.getCause();
+            if (baseCause instanceof CertPathValidatorException) {
+                CertPathValidatorException cpve =
+                        (CertPathValidatorException)baseCause;
+                Reason reason = cpve.getReason();
+                if (reason == BasicReason.REVOKED) {
+                    alert = chc.staplingActive ?
+                            Alert.BAD_CERT_STATUS_RESPONSE :
+                            Alert.CERTIFICATE_REVOKED;
+                } else if (
+                        reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
+                    alert = chc.staplingActive ?
+                            Alert.BAD_CERT_STATUS_RESPONSE :
+                            Alert.CERTIFICATE_UNKNOWN;
+                }
+            }
+
+            return alert;
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java	2018-05-11 15:08:47.200375400 -0700
@@ -0,0 +1,890 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedKeyManager;
+import javax.security.auth.x500.X500Principal;
+import sun.security.ssl.CipherSuite.KeyExchange;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.X509Authentication.X509Possession;
+
+/**
+ * Pack of the CertificateRequest handshake message.
+ */
+final class CertificateRequest {
+    static final SSLConsumer t10HandshakeConsumer =
+        new T10CertificateRequestConsumer();
+    static final HandshakeProducer t10HandshakeProducer =
+        new T10CertificateRequestProducer();
+
+    static final SSLConsumer t12HandshakeConsumer =
+        new T12CertificateRequestConsumer();
+    static final HandshakeProducer t12HandshakeProducer =
+        new T12CertificateRequestProducer();
+
+    static final SSLConsumer t13HandshakeConsumer =
+        new T13CertificateRequestConsumer();
+    static final HandshakeProducer t13HandshakeProducer =
+        new T13CertificateRequestProducer();
+
+    // TLS 1.2 and prior versions
+    private static enum ClientCertificateType {
+        // RFC 2246
+        RSA_SIGN            ((byte)0x01, "rsa_sign", "RSA", true),
+        DSS_SIGN            ((byte)0x02, "dss_sign", "DSA", true),
+        RSA_FIXED_DH        ((byte)0x03, "rsa__fixed_dh"),
+        DSS_FIXED_DH        ((byte)0x04, "dss_fixed_dh"),
+
+        // RFC 4346
+        RSA_EPHEMERAL_DH    ((byte)0x05, "rsa_ephemeral_dh"),
+        DSS_EPHEMERAL_DH    ((byte)0x06, "dss_ephemeral_dh"),
+        FORTEZZA_DMS        ((byte)0x14, "fortezza_dms"),
+
+        // RFC 4492
+        ECDSA_SIGN          ((byte)0x40, "ecdsa_sign",
+                                             "EC", JsseJce.isEcAvailable()),
+        RSA_FIXED_ECDH      ((byte)0x41, "rsa_fixed_ecdh"),
+        ECDSA_FIXED_ECDH    ((byte)0x42, "ecdsa_fixed_ecdh");
+
+        private static final byte[] CERT_TYPES =
+                JsseJce.isEcAvailable() ?  new byte[] {
+                        RSA_SIGN.id,
+                        DSS_SIGN.id
+                    } :  new byte[] {
+                        ECDSA_SIGN.id,
+                        RSA_SIGN.id,
+                        DSS_SIGN.id
+                    };
+
+        final byte id;
+        final String name;
+        final String keyAlgorithm;
+        final boolean isAvailable;
+
+        private ClientCertificateType(byte id, String name) {
+            this(id, name, null, false);
+        }
+
+        private ClientCertificateType(byte id, String name,
+                String keyAlgorithm, boolean isAvailable) {
+            this.id = id;
+            this.name = name;
+            this.keyAlgorithm = keyAlgorithm;
+            this.isAvailable = isAvailable;
+        }
+
+        private static String nameOf(byte id) {
+            for (ClientCertificateType cct : ClientCertificateType.values()) {
+                if (cct.id == id) {
+                    return cct.name;
+                }
+            }
+            return "UNDEFINED-CLIENT-CERTIFICATE-TYPE(" + (int)id + ")";
+        }
+
+        private static ClientCertificateType valueOf(byte id) {
+            for (ClientCertificateType cct : ClientCertificateType.values()) {
+                if (cct.id == id) {
+                    return cct;
+                }
+            }
+
+            return null;
+        }
+
+        private static String[] getKeyTypes(byte[] ids) {
+            ArrayList<String> keyTypes = new ArrayList<>(3);
+            for (byte id : ids) {
+                ClientCertificateType cct = ClientCertificateType.valueOf(id);
+                if (cct.isAvailable) {
+                    keyTypes.add(cct.keyAlgorithm);
+                }
+            }
+
+            return keyTypes.toArray(new String[0]);
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message for SSL 3.0 and TLS 1.0/1.1.
+     */
+    static final class T10CertificateRequestMessage extends HandshakeMessage {
+        final byte[] types;                 // certificate types
+        final List<byte[]> authorities;     // certificate authorities
+
+        T10CertificateRequestMessage(HandshakeContext handshakeContext,
+                X509Certificate[] trustedCerts, KeyExchange keyExchange) {
+            super(handshakeContext);
+
+            this.authorities = new ArrayList<>(trustedCerts.length);
+            for (X509Certificate cert : trustedCerts) {
+                X500Principal x500Principal = cert.getSubjectX500Principal();
+                authorities.add(x500Principal.getEncoded());
+            }
+
+            this.types = ClientCertificateType.CERT_TYPES;
+        }
+
+        T10CertificateRequestMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // struct {
+            //     ClientCertificateType certificate_types<1..2^8-1>;
+            //     DistinguishedName certificate_authorities<0..2^16-1>;
+            // } CertificateRequest;
+            if (m.remaining() < 4) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Incorrect CertificateRequest message: no sufficient data");
+            }
+            this.types = Record.getBytes8(m);
+
+            int listLen = Record.getInt16(m);
+            if (listLen > m.remaining()) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Incorrect CertificateRequest message:no sufficient data");
+            }
+
+            if (listLen > 0) {
+                this.authorities = new LinkedList<>();
+                while (listLen > 0) {
+                    // opaque DistinguishedName<1..2^16-1>;
+                    byte[] encoded = Record.getBytes16(m);
+                    listLen -= (2 + encoded.length);
+                    authorities.add(encoded);
+                }
+            } else {
+                this.authorities = Collections.emptyList();
+            }
+        }
+
+        String[] getKeyTypes() {
+            return  ClientCertificateType.getKeyTypes(types);
+        }
+
+        X500Principal[] getAuthorities() {
+            List<X500Principal> principals =
+                    new ArrayList<>(authorities.size());
+            for (byte[] encoded : authorities) {
+                X500Principal principal = new X500Principal(encoded);
+                principals.add(principal);
+            }
+
+            return principals.toArray(new X500Principal[0]);
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_REQUEST;
+        }
+
+        @Override
+        public int messageLength() {
+            int len = 1 + types.length + 2;
+            for (byte[] encoded : authorities) {
+                len += encoded.length + 2;
+            }
+            return len;
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes8(types);
+
+            int listLen = 0;
+            for (byte[] encoded : authorities) {
+                listLen += encoded.length + 2;
+            }
+
+            hos.putInt16(listLen);
+            for (byte[] encoded : authorities) {
+                hos.putBytes16(encoded);
+            }
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"CertificateRequest\": '{'\n" +
+                    "  \"certificate types\": {0}\n" +
+                    "  \"certificate authorities\": {1}\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            List<String> typeNames = new ArrayList<>(types.length);
+            for (byte type : types) {
+                typeNames.add(ClientCertificateType.nameOf(type));
+            }
+
+            List<String> authorityNames = new ArrayList<>(authorities.size());
+            for (byte[] encoded : authorities) {
+                X500Principal principal = new X500Principal(encoded);
+                authorityNames.add(principal.toString());
+            }
+            Object[] messageFields = {
+                typeNames,
+                authorityNames
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message producer for SSL 3.0 and
+     * TLS 1.0/1.1.
+     */
+    private static final
+            class T10CertificateRequestProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T10CertificateRequestProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            X509Certificate[] caCerts =
+                    shc.sslContext.getX509TrustManager().getAcceptedIssuers();
+            T10CertificateRequestMessage crm = new T10CertificateRequestMessage(
+                    shc, caCerts, shc.negotiatedCipherSuite.keyExchange);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced CertificateRequest handshake message", crm);
+            }
+
+            // Output the handshake message.
+            crm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            //
+            // update
+            //
+            shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+            shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message consumer for SSL 3.0 and
+     * TLS 1.0/1.1.
+     */
+    private static final
+            class T10CertificateRequestConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T10CertificateRequestConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
+
+            T10CertificateRequestMessage crm =
+                    new T10CertificateRequestMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming CertificateRequest handshake message", crm);
+            }
+
+            //
+            // validate
+            //
+            // blank
+
+            //
+            // update
+            //
+
+            // An empty client Certificate handshake message may be allow.
+            chc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+
+            X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
+            String clientAlias = null;
+            if (chc.conContext.transport instanceof SSLSocketImpl) {
+                clientAlias = km.chooseClientAlias(crm.getKeyTypes(),
+                    crm.getAuthorities(), (SSLSocket)chc.conContext.transport);
+            } else if (chc.conContext.transport instanceof SSLEngineImpl) {
+                clientAlias = km.chooseEngineClientAlias(crm.getKeyTypes(),
+                    crm.getAuthorities(), (SSLEngine)chc.conContext.transport);
+            }
+
+
+            if (clientAlias == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("No available client authentication");
+                }
+                return;
+            }
+
+            PrivateKey clientPrivateKey = km.getPrivateKey(clientAlias);
+            if (clientPrivateKey == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("No available client private key");
+                }
+                return;
+            }
+
+            X509Certificate[] clientCerts = km.getCertificateChain(clientAlias);
+            if ((clientCerts == null) || (clientCerts.length == 0)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("No available client certificate");
+                }
+                return;
+            }
+
+            chc.handshakePossessions.add(
+                    new X509Possession(clientPrivateKey, clientCerts));
+            chc.handshakeProducers.put(SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+        }
+    }
+
+    /**
+     * The CertificateRequest handshake message for TLS 1.2.
+     */
+    static final class T12CertificateRequestMessage extends HandshakeMessage {
+        final byte[] types;                 // certificate types
+        final int[] algorithmIds;           // supported signature algorithms
+        final List<byte[]> authorities;     // certificate authorities
+
+        T12CertificateRequestMessage(HandshakeContext handshakeContext,
+                X509Certificate[] trustedCerts, KeyExchange keyExchange,
+                List<SignatureScheme> signatureSchemes) throws IOException {
+            super(handshakeContext);
+
+            this.types = ClientCertificateType.CERT_TYPES;
+
+            if (signatureSchemes == null || signatureSchemes.isEmpty()) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "No signature algorithms specified for " +
+                        "CertificateRequest hanshake message");
+            }
+            this.algorithmIds = new int[signatureSchemes.size()];
+            int i = 0;
+            for (SignatureScheme scheme : signatureSchemes) {
+                algorithmIds[i++] = scheme.id;
+            }
+
+            this.authorities = new ArrayList<>(trustedCerts.length);
+            for (X509Certificate cert : trustedCerts) {
+                X500Principal x500Principal = cert.getSubjectX500Principal();
+                authorities.add(x500Principal.getEncoded());
+            }
+        }
+
+        T12CertificateRequestMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // struct {
+            //     ClientCertificateType certificate_types<1..2^8-1>;
+            //     SignatureAndHashAlgorithm
+            //       supported_signature_algorithms<2..2^16-2>;
+            //     DistinguishedName certificate_authorities<0..2^16-1>;
+            // } CertificateRequest;
+
+            // certificate_authorities
+            if (m.remaining() < 8) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid CertificateRequest handshake message: " +
+                        "no sufficient data");
+            }
+            this.types = Record.getBytes8(m);
+
+            // supported_signature_algorithms
+            if (m.remaining() < 6) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid CertificateRequest handshake message: " +
+                        "no sufficient data");
+            }
+
+            byte[] algs = Record.getBytes16(m);
+            if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid CertificateRequest handshake message: " +
+                        "incomplete signature algorithms");
+            }
+
+            this.algorithmIds = new int[(algs.length >> 1)];
+            for (int i = 0, j = 0; i < algs.length;) {
+                byte hash = algs[i++];
+                byte sign = algs[i++];
+                algorithmIds[j++] = ((hash & 0xFF) << 8) | (sign & 0xFF);
+            }
+
+            // certificate_authorities
+            if (m.remaining() < 2) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid CertificateRequest handshake message: " +
+                        "no sufficient data");
+            }
+
+            int listLen = Record.getInt16(m);
+            if (listLen > m.remaining()) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid CertificateRequest message: no sufficient data");
+            }
+
+            if (listLen > 0) {
+                this.authorities = new LinkedList<>();
+                while (listLen > 0) {
+                    // opaque DistinguishedName<1..2^16-1>;
+                    byte[] encoded = Record.getBytes16(m);
+                    listLen -= (2 + encoded.length);
+                    authorities.add(encoded);
+                }
+            } else {
+                this.authorities = Collections.emptyList();
+            }
+        }
+
+        String[] getKeyTypes() {
+            return ClientCertificateType.getKeyTypes(types);
+        }
+
+        X500Principal[] getAuthorities() {
+            List<X500Principal> principals =
+                    new ArrayList<>(authorities.size());
+            for (byte[] encoded : authorities) {
+                X500Principal principal = new X500Principal(encoded);
+                principals.add(principal);
+            }
+
+            return principals.toArray(new X500Principal[0]);
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_REQUEST;
+        }
+
+        @Override
+        public int messageLength() {
+            int len = 1 + types.length + 2 + (algorithmIds.length << 1) + 2;
+            for (byte[] encoded : authorities) {
+                len += encoded.length + 2;
+            }
+            return len;
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes8(types);
+
+            int listLen = 0;
+            for (byte[] encoded : authorities) {
+                listLen += encoded.length + 2;
+            }
+
+            hos.putInt16(algorithmIds.length << 1);
+            for (int algorithmId : algorithmIds) {
+                hos.putInt16(algorithmId);
+            }
+
+            hos.putInt16(listLen);
+            for (byte[] encoded : authorities) {
+                hos.putBytes16(encoded);
+            }
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"CertificateRequest\": '{'\n" +
+                    "  \"certificate types\": {0}\n" +
+                    "  \"supported signature algorithms\": {1}\n" +
+                    "  \"certificate authorities\": {2}\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            List<String> typeNames = new ArrayList<>(types.length);
+            for (byte type : types) {
+                typeNames.add(ClientCertificateType.nameOf(type));
+            }
+
+            List<String> algorithmNames = new ArrayList<>(algorithmIds.length);
+            for (int algorithmId : algorithmIds) {
+                algorithmNames.add(SignatureScheme.nameOf(algorithmId));
+            }
+
+            List<String> authorityNames = new ArrayList<>(authorities.size());
+            for (byte[] encoded : authorities) {
+                X500Principal principal = new X500Principal(encoded);
+                authorityNames.add(principal.toString());
+            }
+            Object[] messageFields = {
+                typeNames,
+                algorithmNames,
+                authorityNames
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message producer for TLS 1.2.
+     */
+    private static final
+            class T12CertificateRequestProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T12CertificateRequestProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            if (shc.localSupportedSignAlgs == null) {
+                shc.localSupportedSignAlgs =
+                    SignatureScheme.getSupportedAlgorithms(
+                            shc.algorithmConstraints, shc.activeProtocols);
+            }
+
+            if (shc.localSupportedSignAlgs == null ||
+                    shc.localSupportedSignAlgs.isEmpty()) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No supported signature algorithm");
+            }
+
+            X509Certificate[] caCerts =
+                    shc.sslContext.getX509TrustManager().getAcceptedIssuers();
+            T12CertificateRequestMessage crm = new T12CertificateRequestMessage(
+                    shc, caCerts, shc.negotiatedCipherSuite.keyExchange,
+                    shc.localSupportedSignAlgs);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced CertificateRequest handshake message", crm);
+            }
+
+            // Output the handshake message.
+            crm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            //
+            // update
+            //
+            shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+            shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message consumer for TLS 1.2.
+     */
+    private static final
+            class T12CertificateRequestConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T12CertificateRequestConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
+
+            T12CertificateRequestMessage crm =
+                    new T12CertificateRequestMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming CertificateRequest handshake message", crm);
+            }
+
+            //
+            // validate
+            //
+            // blank
+
+            //
+            // update
+            //
+
+            // An empty client Certificate handshake message may be allow.
+            chc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+
+            List<SignatureScheme> sss = new LinkedList<>();
+            for (int id : crm.algorithmIds) {
+                SignatureScheme ss = SignatureScheme.valueOf(id);
+                if (ss != null) {
+                    sss.add(ss);
+                }
+            }
+            chc.peerRequestedSignatureSchemes = sss;
+            chc.handshakeSession.setPeerSupportedSignatureAlgorithms(sss);
+
+            X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
+            String clientAlias = null;
+            if (chc.conContext.transport instanceof SSLSocketImpl) {
+                clientAlias = km.chooseClientAlias(crm.getKeyTypes(),
+                    crm.getAuthorities(), (SSLSocket)chc.conContext.transport);
+            } else if (chc.conContext.transport instanceof SSLEngineImpl) {
+                clientAlias = km.chooseEngineClientAlias(crm.getKeyTypes(),
+                    crm.getAuthorities(), (SSLEngine)chc.conContext.transport);
+            }
+
+            if (clientAlias == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("No available client authentication");
+                }
+                return;
+            }
+
+            PrivateKey clientPrivateKey = km.getPrivateKey(clientAlias);
+            if (clientPrivateKey == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("No available client private key");
+                }
+                return;
+            }
+
+            X509Certificate[] clientCerts = km.getCertificateChain(clientAlias);
+            if ((clientCerts == null) || (clientCerts.length == 0)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("No available client certificate");
+                }
+                return;
+            }
+
+            chc.handshakePossessions.add(
+                    new X509Possession(clientPrivateKey, clientCerts));
+            chc.handshakeProducers.put(SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+        }
+    }
+
+    /**
+     * The CertificateRequest handshake message for TLS 1.3.
+     */
+    static final class T13CertificateRequestMessage extends HandshakeMessage {
+        private final byte[] requestContext;
+        private final SSLExtensions extensions;
+
+        T13CertificateRequestMessage(
+                HandshakeContext handshakeContext) throws IOException {
+            super(handshakeContext);
+
+            // TODO: post-handshake authentication exchanges
+            this.requestContext = new byte[0];
+            this.extensions = new SSLExtensions(this);
+        }
+
+        T13CertificateRequestMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // struct {
+            //      opaque certificate_request_context<0..2^8-1>;
+            //      Extension extensions<2..2^16-1>;
+            //  } CertificateRequest;
+            if (m.remaining() < 5) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid CertificateRequest handshake message: " +
+                        "no sufficient data");
+            }
+            this.requestContext = Record.getBytes8(m);
+
+            if (m.remaining() < 4) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid CertificateRequest handshake message: " +
+                        "no sufficient extensions data");
+            }
+            SSLExtension[] enabledExtensions =
+                handshakeContext.sslConfig.getEnabledExtensions(
+                        SSLHandshake.CERTIFICATE_REQUEST);
+            this.extensions = new SSLExtensions(this, m, enabledExtensions);
+        }
+
+        @Override
+        SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_REQUEST;
+        }
+
+        @Override
+        int messageLength() {
+            // In TLS 1.3, use of certain extensions is mandatory.
+            return 1 + requestContext.length + extensions.length();
+        }
+
+        @Override
+        void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes8(requestContext);
+
+            // In TLS 1.3, use of certain extensions is mandatory.
+            extensions.send(hos);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"CertificateRequest\": '{'\n" +
+                "  \"certificate_request_context\": \"{0}\",\n" +
+                "  \"extensions\": [\n" +
+                "{1}\n" +
+                "  ]\n" +
+                "'}'",
+                Locale.ENGLISH);
+            Object[] messageFields = {
+                Utilities.toHexString(requestContext),
+                Utilities.indent(Utilities.indent(extensions.toString()))
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message producer for TLS 1.3.
+     */
+    private static final
+            class T13CertificateRequestProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13CertificateRequestProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            T13CertificateRequestMessage crm =
+                    new T13CertificateRequestMessage(shc);
+            // Produce extensions for CertificateRequest handshake message.
+            SSLExtension[] extTypes = shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CERTIFICATE_REQUEST, shc.negotiatedProtocol);
+            crm.extensions.produce(shc, extTypes);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced CertificateRequest message", crm);
+            }
+
+            // Output the handshake message.
+            crm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            //
+            // update
+            //
+            shc.certRequestContext = crm.requestContext.clone();
+            shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+            shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateRequest" handshake message consumer for TLS 1.3.
+     */
+    private static final
+            class T13CertificateRequestConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T13CertificateRequestConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE_REQUEST.id);
+
+            T13CertificateRequestMessage crm =
+                    new T13CertificateRequestMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming CertificateRequest handshake message", crm);
+            }
+
+            //
+            // validate
+            //
+            SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CERTIFICATE_REQUEST);
+            crm.extensions.consumeOnLoad(chc, extTypes);
+
+            //
+            // update
+            //
+            crm.extensions.consumeOnTrade(chc, extTypes);
+
+            //
+            // produce
+            //
+            chc.certRequestContext = crm.requestContext.clone();
+            chc.handshakeProducers.put(SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+            chc.handshakeProducers.put(SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CertificateStatus.java	2018-05-11 15:08:48.815471700 -0700
@@ -0,0 +1,332 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Locale;
+import javax.net.ssl.SSLHandshakeException;
+import java.security.cert.X509Certificate;
+import sun.security.provider.certpath.OCSPResponse;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import static sun.security.ssl.CertStatusExtension.*;
+import static sun.security.ssl.CertificateMessage.*;
+
+/**
+ * Pack of the CertificateStatus handshake message.
+ */
+final class CertificateStatus {
+    static final SSLConsumer handshakeConsumer =
+            new CertificateStatusConsumer();
+    static final HandshakeProducer handshakeProducer =
+            new CertificateStatusProducer();
+    static final HandshakeAbsence handshakeAbsence =
+            new CertificateStatusAbsence();
+
+    /**
+     * The CertificateStatus handshake message.
+     */
+    static final class CertificateStatusMessage extends HandshakeMessage {
+
+        final CertStatusRequestType statusType;
+        int encodedResponsesLen = 0;
+        int messageLength = -1;
+        final List<byte[]> encodedResponses = new ArrayList<>();
+
+        CertificateStatusMessage(HandshakeContext handshakeContext) {
+            super(handshakeContext);
+
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            // Get the Certificates from the SSLContextImpl amd the Stapling
+            // parameters
+            StatusResponseManager.StaplingParameters stapleParams =
+                    shc.stapleParams;
+            if (stapleParams == null) {
+                throw new IllegalArgumentException(
+                        "Unexpected null stapling parameters");
+            }
+
+            X509Certificate[] certChain =
+                (X509Certificate[])shc.handshakeSession.getLocalCertificates();
+            if (certChain == null) {
+                throw new IllegalArgumentException(
+                        "Unexpected null certificate chain");
+            }
+
+            // Walk the certificate list and add the correct encoded responses
+            // to the encoded responses list
+            statusType = stapleParams.statReqType;
+            if (statusType == CertStatusRequestType.OCSP) {
+                // Just worry about the first cert in the chain
+                byte[] resp = stapleParams.responseMap.get(certChain[0]);
+                if (resp == null) {
+                    // A not-found return status means we should include
+                    // a zero-length response in CertificateStatus.
+                    // This is highly unlikely to happen in practice.
+                    resp = new byte[0];
+                }
+                encodedResponses.add(resp);
+                encodedResponsesLen += resp.length + 3;
+            } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
+                for (X509Certificate cert : certChain) {
+                    byte[] resp = stapleParams.responseMap.get(cert);
+                    if (resp == null) {
+                        resp = new byte[0];
+                    }
+                    encodedResponses.add(resp);
+                    encodedResponsesLen += resp.length + 3;
+                }
+            } else {
+                throw new IllegalArgumentException(
+                        "Unsupported StatusResponseType: " + statusType);
+            }
+
+            messageLength = messageLength();
+        }
+
+        CertificateStatusMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            statusType = CertStatusRequestType.valueOf((byte)Record.getInt8(m));
+            if (statusType == CertStatusRequestType.OCSP) {
+                byte[] respDER = Record.getBytes24(m);
+                // Convert the incoming bytes to a OCSPResponse strucutre
+                if (respDER.length > 0) {
+                    encodedResponses.add(respDER);
+                    encodedResponsesLen = 3 + respDER.length;
+                } else {
+                    handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Zero-length OCSP Response");
+                }
+            } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
+                int respListLen = Record.getInt24(m);
+                encodedResponsesLen = respListLen;
+
+                // Add each OCSP reponse into the array list in the order
+                // we receive them off the wire.  A zero-length array is
+                // allowed for ocsp_multi, and means that a response for
+                // a given certificate is not available.
+                while (respListLen > 0) {
+                    byte[] respDER = Record.getBytes24(m);
+                    encodedResponses.add(respDER);
+                    respListLen -= (respDER.length + 3);
+                }
+
+                if (respListLen != 0) {
+                    handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Bad OCSP response list length");
+                }
+            } else {
+                handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsupported StatusResponseType: " + statusType);
+            }
+            messageLength = messageLength();
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_STATUS;
+        }
+
+        @Override
+        public int messageLength() {
+            int len = 1;
+
+            if (messageLength == -1) {
+                if (statusType == CertStatusRequestType.OCSP) {
+                    len += encodedResponsesLen;
+                } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
+                    len += 3 + encodedResponsesLen;
+                }
+                messageLength = len;
+            }
+
+            return messageLength;
+        }
+
+        @Override
+        public void send(HandshakeOutStream s) throws IOException {
+            s.putInt8(statusType.id);
+            if (statusType == CertStatusRequestType.OCSP) {
+                s.putBytes24(encodedResponses.get(0));
+            } else if (statusType == CertStatusRequestType.OCSP_MULTI) {
+                s.putInt24(encodedResponsesLen);
+                for (byte[] respBytes : encodedResponses) {
+                    if (respBytes != null) {
+                        s.putBytes24(respBytes);
+                    } else {
+                        s.putBytes24(null);
+                    }
+                }
+            } else {
+                // It is highly unlikely that we will fall into this section
+                // of the code.
+                throw new SSLHandshakeException("Unsupported status_type: " +
+                        statusType.id);
+            }
+        }
+
+        @Override
+        public String toString() {
+            StringBuilder sb = new StringBuilder();
+
+            // Stringify the encoded OCSP response list
+            for (byte[] respDER : encodedResponses) {
+                if (respDER.length > 0) {
+                    try {
+                        OCSPResponse oResp = new OCSPResponse(respDER);
+                        sb.append(oResp.toString()).append("\n");
+                    } catch (IOException ioe) {
+                        sb.append("OCSP Response Exception: ").append(ioe)
+                                .append("\n");
+                    }
+                } else {
+                    sb.append("<Zero-length entry>\n");
+                }
+            }
+
+            MessageFormat messageFormat = new MessageFormat(
+                "\"CertificateStatus\": '{'\n" +
+                "  \"type\"                : \"{0}\",\n" +
+                "  \"responses \"          : [\n" + "{1}\n" + "  ]\n" +
+                "'}'",
+                Locale.ENGLISH);
+            Object[] messageFields = {
+                statusType.name,
+                Utilities.indent(Utilities.indent(sb.toString()))
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The CertificateStatus handshake message consumer.
+     */
+    private static final class CertificateStatusConsumer
+            implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private CertificateStatusConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            CertificateStatusMessage cst =
+                    new CertificateStatusMessage(chc, message);
+
+            // Log the message
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming server CertificateStatus handshake message",
+                        cst);
+            }
+
+            // Pin the received responses to the SSLSessionImpl.  It will
+            // be retrieved by the X509TrustManagerImpl during the certficicate
+            // checking phase.
+            chc.handshakeSession.setStatusResponses(cst.encodedResponses);
+
+            // Now perform the check
+            T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts);
+        }
+    }
+
+    /**
+     * The CertificateStatus handshake message consumer.
+     */
+    private static final class CertificateStatusProducer
+            implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CertificateStatusProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // Only the server-side should be a producer of this message
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // If stapling is not active, immediately return without producing
+            // a message or any further processing.
+            if (!shc.staplingActive) {
+                return null;
+            }
+
+            // Create the CertificateStatus message from info in the
+            CertificateStatusMessage csm = new CertificateStatusMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced server CertificateStatus handshake message", csm);
+            }
+
+            // Output the handshake message.
+            csm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    private static final class CertificateStatusAbsence
+            implements HandshakeAbsence {
+        // Prevent instantiation of this class
+        private CertificateStatusAbsence() {
+            // blank
+        }
+
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Processing should only continue if stapling is active
+            if (chc.staplingActive) {
+                // Because OCSP stapling is active, it means two things
+                // if we're here: 1) The server hello asserted the
+                // status_request[_v2] extension.  2) The CertificateStatus
+                // message was not sent.  This means that cert path checking
+                // was deferred, but must happen immediately.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Server did not send CertificateStatus, " +
+                            "checking cert chain without status info.");
+                }
+                T12CertificateConsumer.checkServerCerts(chc, chc.deferredCerts);
+            }
+        }
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CertificateVerify.java	2018-05-11 15:08:50.412298800 -0700
@@ -0,0 +1,1107 @@
+ /*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.*;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Locale;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the CertificateVerify handshake message.
+ */
+final class CertificateVerify {
+    static final SSLConsumer s30HandshakeConsumer =
+        new S30CertificateVerifyConsumer();
+    static final HandshakeProducer s30HandshakeProducer =
+        new S30CertificateVerifyProducer();
+
+    static final SSLConsumer t10HandshakeConsumer =
+        new T10CertificateVerifyConsumer();
+    static final HandshakeProducer t10HandshakeProducer =
+        new T10CertificateVerifyProducer();
+
+    static final SSLConsumer t12HandshakeConsumer =
+        new T12CertificateVerifyConsumer();
+    static final HandshakeProducer t12HandshakeProducer =
+        new T12CertificateVerifyProducer();
+
+    static final SSLConsumer t13HandshakeConsumer =
+        new T13CertificateVerifyConsumer();
+    static final HandshakeProducer t13HandshakeProducer =
+        new T13CertificateVerifyProducer();
+
+    /**
+     * The CertificateVerify handshake message (SSL 3.0).
+     */
+    static final class S30CertificateVerifyMessage extends HandshakeMessage {
+        // signature bytes
+        private final byte[] signature;
+
+        S30CertificateVerifyMessage(HandshakeContext context,
+                X509Possession x509Possession) throws IOException {
+            super(context);
+
+            // This happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            byte[] temproary = null;
+            String algorithm = x509Possession.popPrivateKey.getAlgorithm();
+            try {
+                Signature signer = getSignature(algorithm);
+                signer.initSign(x509Possession.popPrivateKey);
+                byte[] hashes = chc.handshakeHash.digest(algorithm,
+                        chc.handshakeSession.getMasterSecret());
+                signer.update(hashes);
+                temproary = signer.sign();
+            } catch (NoSuchAlgorithmException nsae) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" + algorithm +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot produce CertificateVerify signature", gse);
+            }
+
+            this.signature = temproary;
+        }
+
+        S30CertificateVerifyMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+
+            // This happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            //  digitally-signed struct {
+            //    select(SignatureAlgorithm) {
+            //        case anonymous: struct { };
+            //        case rsa:
+            //            opaque md5_hash[16];
+            //            opaque sha_hash[20];
+            //        case dsa:
+            //            opaque sha_hash[20];
+            //    };
+            //  } Signature;
+            if (m.remaining() < 2) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid CertificateVerify message: no sufficient data");
+            }
+
+            // read and verify the signature
+            this.signature = Record.getBytes16(m);
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : shc.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No X509 credentials negotiated for CertificateVerify");
+            }
+
+            String algorithm = x509Credentials.popPublicKey.getAlgorithm();
+            try {
+                Signature signer = getSignature(algorithm);
+                signer.initVerify(x509Credentials.popPublicKey);
+                byte[] hashes = shc.handshakeHash.digest(algorithm,
+                        shc.handshakeSession.getMasterSecret());
+                signer.update(hashes);
+                if (!signer.verify(signature)) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid CertificateVerify message: invalid signature");
+                }
+            } catch (NoSuchAlgorithmException nsae) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" + algorithm +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (GeneralSecurityException gse) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot verify CertificateVerify signature", gse);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_VERIFY;
+        }
+
+        @Override
+        public int messageLength() {
+            return 2 + signature.length;    //  2: length of signature
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes16(signature);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"CertificateVerify\": '{'\n" +
+                    "  \"signature\": '{'\n" +
+                    "{0}\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(signature), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+
+        /*
+         * Get the Signature object appropriate for verification using the
+         * given signature algorithm.
+         */
+        private static Signature getSignature(
+                String algorithm) throws GeneralSecurityException {
+            switch (algorithm) {
+                case "RSA":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+                case "DSA":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+                case "EC":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+                default:
+                    throw new SignatureException("Unrecognized algorithm: "
+                        + algorithm);
+            }
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message producer.
+     */
+    private static final
+            class S30CertificateVerifyProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private S30CertificateVerifyProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : chc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            if (x509Possession == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "No X.509 credentials negotiated for CertificateVerify");
+                }
+
+                return null;
+            }
+
+            S30CertificateVerifyMessage cvm =
+                    new S30CertificateVerifyMessage(chc, x509Possession);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced CertificateVerify handshake message", cvm);
+            }
+
+            // Output the handshake message.
+            cvm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message consumer.
+     */
+    private static final
+            class S30CertificateVerifyConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private S30CertificateVerifyConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            S30CertificateVerifyMessage cvm =
+                    new S30CertificateVerifyMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming CertificateVerify handshake message", cvm);
+            }
+
+            //
+            // update
+            //
+            // Need no additional validation.
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+
+    /**
+     * The CertificateVerify handshake message (TLS 1.0/1.1).
+     */
+    static final class T10CertificateVerifyMessage extends HandshakeMessage {
+        // signature bytes
+        private final byte[] signature;
+
+        T10CertificateVerifyMessage(HandshakeContext context,
+                X509Possession x509Possession) throws IOException {
+            super(context);
+
+            // This happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            byte[] temproary = null;
+            String algorithm = x509Possession.popPrivateKey.getAlgorithm();
+            try {
+                Signature signer = getSignature(algorithm);
+                signer.initSign(x509Possession.popPrivateKey);
+                byte[] hashes = chc.handshakeHash.digest(algorithm);
+                signer.update(hashes);
+                temproary = signer.sign();
+            } catch (NoSuchAlgorithmException nsae) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" + algorithm +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Cannot produce CertificateVerify signature", gse);
+            }
+
+            this.signature = temproary;
+        }
+
+        T10CertificateVerifyMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+
+            // This happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            //  digitally-signed struct {
+            //    select(SignatureAlgorithm) {
+            //        case anonymous: struct { };
+            //        case rsa:
+            //            opaque md5_hash[16];
+            //            opaque sha_hash[20];
+            //        case dsa:
+            //            opaque sha_hash[20];
+            //    };
+            //  } Signature;
+            if (m.remaining() < 2) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid CertificateVerify message: no sufficient data");
+            }
+
+            // read and verify the signature
+            this.signature = Record.getBytes16(m);
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : shc.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No X509 credentials negotiated for CertificateVerify");
+            }
+
+            String algorithm = x509Credentials.popPublicKey.getAlgorithm();
+            try {
+                Signature signer = getSignature(algorithm);
+                signer.initVerify(x509Credentials.popPublicKey);
+                byte[] hashes = shc.handshakeHash.digest(algorithm);
+                signer.update(hashes);
+                if (!signer.verify(signature)) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid CertificateVerify message: invalid signature");
+                }
+            } catch (NoSuchAlgorithmException nsae) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" + algorithm +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (GeneralSecurityException gse) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot verify CertificateVerify signature", gse);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_VERIFY;
+        }
+
+        @Override
+        public int messageLength() {
+            return 2 + signature.length;    //  2: length of signature
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes16(signature);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"CertificateVerify\": '{'\n" +
+                    "  \"signature\": '{'\n" +
+                    "{0}\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(signature), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+
+        /*
+         * Get the Signature object appropriate for verification using the
+         * given signature algorithm.
+         */
+        private static Signature getSignature(
+                String algorithm) throws GeneralSecurityException {
+            switch (algorithm) {
+                case "RSA":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWRSA);
+                case "DSA":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
+                case "EC":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
+                default:
+                    throw new SignatureException("Unrecognized algorithm: "
+                        + algorithm);
+            }
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message producer.
+     */
+    private static final
+            class T10CertificateVerifyProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T10CertificateVerifyProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : chc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            if (x509Possession == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "No X.509 credentials negotiated for CertificateVerify");
+                }
+
+                return null;
+            }
+
+            T10CertificateVerifyMessage cvm =
+                    new T10CertificateVerifyMessage(chc, x509Possession);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced CertificateVerify handshake message", cvm);
+            }
+
+            // Output the handshake message.
+            cvm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message consumer.
+     */
+    private static final
+            class T10CertificateVerifyConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T10CertificateVerifyConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            T10CertificateVerifyMessage cvm =
+                    new T10CertificateVerifyMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming CertificateVerify handshake message", cvm);
+            }
+
+            //
+            // update
+            //
+            // Need no additional validation.
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.        }
+        }
+    }
+
+    /**
+     * The CertificateVerify handshake message (TLS 1.2).
+     */
+    static final class T12CertificateVerifyMessage extends HandshakeMessage {
+        // the signature algorithm
+        private final SignatureScheme signatureScheme;
+
+        // signature bytes
+        private final byte[] signature;
+
+        T12CertificateVerifyMessage(HandshakeContext context,
+                X509Possession x509Possession) throws IOException {
+            super(context);
+
+            // This happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
+                    chc.peerRequestedSignatureSchemes,
+                    x509Possession.popPrivateKey,
+                    chc.negotiatedProtocol);
+            if (signatureScheme == null) {
+                // Unlikely, the credentials generator should have
+                // selected the preferable signature algorithm properly.
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No preferred signature algorithm for CertificateVerify");
+            }
+
+            byte[] temproary = null;
+            try {
+                Signature signer = signatureScheme.getSignature();
+                signer.initSign(x509Possession.popPrivateKey);
+                signer.update(chc.handshakeHash.archived());
+                temproary = signer.sign();
+            } catch (NoSuchAlgorithmException |
+                    InvalidAlgorithmParameterException nsae) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (InvalidKeyException | SignatureException ikse) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot produce CertificateVerify signature", ikse);
+            }
+
+            this.signature = temproary;
+        }
+
+        T12CertificateVerifyMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            // struct {
+            //     SignatureAndHashAlgorithm algorithm;
+            //     opaque signature<0..2^16-1>;
+            // } DigitallySigned;
+            if (m.remaining() < 4) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid CertificateVerify message: no sufficient data");
+            }
+
+            // SignatureAndHashAlgorithm algorithm
+            int ssid = Record.getInt16(m);
+            this.signatureScheme = SignatureScheme.valueOf(ssid);
+            if (signatureScheme == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid signature algorithm (" + ssid +
+                        ") used in CertificateVerify handshake message");
+            }
+
+            if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in CertificateVerify handshake message");
+            }
+
+            // read and verify the signature
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : shc.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No X509 credentials negotiated for CertificateVerify");
+            }
+
+            // opaque signature<0..2^16-1>;
+            this.signature = Record.getBytes16(m);
+            try {
+                Signature signer = signatureScheme.getSignature();
+                signer.initVerify(x509Credentials.popPublicKey);
+                signer.update(shc.handshakeHash.archived());
+                if (!signer.verify(signature)) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid CertificateVerify signature");
+                }
+            } catch (NoSuchAlgorithmException |
+                    InvalidAlgorithmParameterException nsae) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (InvalidKeyException | SignatureException ikse) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot verify CertificateVerify signature", ikse);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_VERIFY;
+        }
+
+        @Override
+        public int messageLength() {
+            return 4 + signature.length;    //  2: signature algorithm
+                                            // +2: length of signature
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putInt16(signatureScheme.id);
+            hos.putBytes16(signature);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"CertificateVerify\": '{'\n" +
+                    "  \"signature algorithm\": {0}\n" +
+                    "  \"signature\": '{'\n" +
+                    "{1}\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                signatureScheme.name,
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(signature), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message producer.
+     */
+    private static final
+            class T12CertificateVerifyProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T12CertificateVerifyProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : chc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            if (x509Possession == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "No X.509 credentials negotiated for CertificateVerify");
+                }
+
+                return null;
+            }
+
+            T12CertificateVerifyMessage cvm =
+                    new T12CertificateVerifyMessage(chc, x509Possession);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced CertificateVerify handshake message", cvm);
+            }
+
+            // Output the handshake message.
+            cvm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message consumer.
+     */
+    private static final
+            class T12CertificateVerifyConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T12CertificateVerifyConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            T12CertificateVerifyMessage cvm =
+                    new T12CertificateVerifyMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming CertificateVerify handshake message", cvm);
+            }
+
+            //
+            // update
+            //
+            // Need no additional validation.
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+
+    /**
+     * The CertificateVerify handshake message (TLS 1.3).
+     */
+    static final class T13CertificateVerifyMessage extends HandshakeMessage {
+        private static final byte[] serverSignHead = new byte[] {
+            // repeated 0x20 for 64 times
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+
+            // "TLS 1.3, server CertificateVerify" + 0x00
+            (byte)0x54, (byte)0x4c, (byte)0x53, (byte)0x20,
+            (byte)0x31, (byte)0x2e, (byte)0x33, (byte)0x2c,
+            (byte)0x20, (byte)0x73, (byte)0x65, (byte)0x72,
+            (byte)0x76, (byte)0x65, (byte)0x72, (byte)0x20,
+            (byte)0x43, (byte)0x65, (byte)0x72, (byte)0x74,
+            (byte)0x69, (byte)0x66, (byte)0x69, (byte)0x63,
+            (byte)0x61, (byte)0x74, (byte)0x65, (byte)0x56,
+            (byte)0x65, (byte)0x72, (byte)0x69, (byte)0x66,
+            (byte)0x79, (byte)0x00
+        };
+
+        private static final byte[] clientSignHead = new byte[] {
+            // repeated 0x20 for 64 times
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+            (byte)0x20, (byte)0x20, (byte)0x20, (byte)0x20,
+
+            // "TLS 1.3, client CertificateVerify" + 0x00
+            (byte)0x54, (byte)0x4c, (byte)0x53, (byte)0x20,
+            (byte)0x31, (byte)0x2e, (byte)0x33, (byte)0x2c,
+            (byte)0x20, (byte)0x63, (byte)0x6c, (byte)0x69,
+            (byte)0x65, (byte)0x6e, (byte)0x74, (byte)0x20,
+            (byte)0x43, (byte)0x65, (byte)0x72, (byte)0x74,
+            (byte)0x69, (byte)0x66, (byte)0x69, (byte)0x63,
+            (byte)0x61, (byte)0x74, (byte)0x65, (byte)0x56,
+            (byte)0x65, (byte)0x72, (byte)0x69, (byte)0x66,
+            (byte)0x79, (byte)0x00
+        };
+
+
+        // the signature algorithm
+        private final SignatureScheme signatureScheme;
+
+        // signature bytes
+        private final byte[] signature;
+
+        T13CertificateVerifyMessage(HandshakeContext context,
+                X509Possession x509Possession) throws IOException {
+            super(context);
+
+            this.signatureScheme = SignatureScheme.getPreferableAlgorithm(
+                    context.peerRequestedSignatureSchemes,
+                    x509Possession.popPrivateKey,
+                    context.negotiatedProtocol);
+            if (signatureScheme == null) {
+                // Unlikely, the credentials generator should have
+                // selected the preferable signature algorithm properly.
+                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No preferred signature algorithm for CertificateVerify");
+            }
+
+            byte[] hashValue = context.handshakeHash.digest();
+            byte[] contentCovered;
+            if (context.sslConfig.isClientMode) {
+                contentCovered = Arrays.copyOf(clientSignHead,
+                        clientSignHead.length + hashValue.length);
+                System.arraycopy(hashValue, 0, contentCovered,
+                        clientSignHead.length, hashValue.length);
+            } else {
+                contentCovered = Arrays.copyOf(serverSignHead,
+                        serverSignHead.length + hashValue.length);
+                System.arraycopy(hashValue, 0, contentCovered,
+                        serverSignHead.length, hashValue.length);
+            }
+
+            byte[] temproary = null;
+            try {
+                Signature signer = signatureScheme.getSignature();
+                signer.initSign(x509Possession.popPrivateKey);
+                signer.update(contentCovered);
+                temproary = signer.sign();
+            } catch (NoSuchAlgorithmException |
+                    InvalidAlgorithmParameterException nsae) {
+                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (InvalidKeyException | SignatureException ikse) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot produce CertificateVerify signature", ikse);
+            }
+
+            this.signature = temproary;
+        }
+
+        T13CertificateVerifyMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+             super(context);
+
+            // struct {
+            //     SignatureAndHashAlgorithm algorithm;
+            //     opaque signature<0..2^16-1>;
+            // } DigitallySigned;
+            if (m.remaining() < 4) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid CertificateVerify message: no sufficient data");
+            }
+
+            // SignatureAndHashAlgorithm algorithm
+            int ssid = Record.getInt16(m);
+            this.signatureScheme = SignatureScheme.valueOf(ssid);
+            if (signatureScheme == null) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid signature algorithm (" + ssid +
+                        ") used in CertificateVerify handshake message");
+            }
+
+            if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in CertificateVerify handshake message");
+            }
+
+            // read and verify the signature
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : context.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No X509 credentials negotiated for CertificateVerify");
+            }
+
+            // opaque signature<0..2^16-1>;
+            this.signature = Record.getBytes16(m);
+
+            byte[] hashValue = context.handshakeHash.digest();
+            byte[] contentCovered;
+            if (context.sslConfig.isClientMode) {
+                contentCovered = Arrays.copyOf(serverSignHead,
+                        serverSignHead.length + hashValue.length);
+                System.arraycopy(hashValue, 0, contentCovered,
+                        serverSignHead.length, hashValue.length);
+            } else {
+                contentCovered = Arrays.copyOf(clientSignHead,
+                        clientSignHead.length + hashValue.length);
+                System.arraycopy(hashValue, 0, contentCovered,
+                        clientSignHead.length, hashValue.length);
+            }
+
+            try {
+                Signature signer = signatureScheme.getSignature();
+                signer.initVerify(x509Credentials.popPublicKey);
+                signer.update(contentCovered);
+                if (!signer.verify(signature)) {
+                    context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid CertificateVerify signature");
+                }
+            } catch (NoSuchAlgorithmException |
+                    InvalidAlgorithmParameterException nsae) {
+                context.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in CertificateVerify handshake message", nsae);
+            } catch (InvalidKeyException | SignatureException ikse) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot verify CertificateVerify signature", ikse);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CERTIFICATE_VERIFY;
+        }
+
+        @Override
+        public int messageLength() {
+            return 4 + signature.length;    //  2: signature algorithm
+                                            // +2: length of signature
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putInt16(signatureScheme.id);
+            hos.putBytes16(signature);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"CertificateVerify\": '{'\n" +
+                    "  \"signature algorithm\": {0}\n" +
+                    "  \"signature\": '{'\n" +
+                    "{1}\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                signatureScheme.name,
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(signature), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message producer.
+     */
+    private static final
+            class T13CertificateVerifyProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13CertificateVerifyProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : hc.handshakePossessions) {
+                if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    break;
+                }
+            }
+
+            if (x509Possession == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "No X.509 credentials negotiated for CertificateVerify");
+                }
+
+                return null;
+            }
+
+            if (hc.sslConfig.isClientMode) {
+                return onProduceCertificateVerify(
+                        (ClientHandshakeContext)context, x509Possession);
+            } else {
+                return onProduceCertificateVerify(
+                        (ServerHandshakeContext)context, x509Possession);
+            }
+        }
+
+        private byte[] onProduceCertificateVerify(ServerHandshakeContext shc,
+                X509Possession x509Possession) throws IOException {
+            T13CertificateVerifyMessage cvm =
+                    new T13CertificateVerifyMessage(shc, x509Possession);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced server CertificateVerify handshake message", cvm);
+            }
+
+            // Output the handshake message.
+            cvm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private byte[] onProduceCertificateVerify(ClientHandshakeContext chc,
+                X509Possession x509Possession) throws IOException {
+            T13CertificateVerifyMessage cvm =
+                    new T13CertificateVerifyMessage(chc, x509Possession);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced client CertificateVerify handshake message", cvm);
+            }
+
+            // Output the handshake message.
+            cvm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "CertificateVerify" handshake message consumer.
+     */
+    private static final
+            class T13CertificateVerifyConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T13CertificateVerifyConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The producing happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+            T13CertificateVerifyMessage cvm =
+                    new T13CertificateVerifyMessage(hc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming CertificateVerify handshake message", cvm);
+            }
+
+            //
+            // update
+            //
+            // Need no additional validation.
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java	2018-05-11 15:08:52.046959400 -0700
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.net.ssl.SSLException;
+import sun.security.ssl.SSLCipher.SSLReadCipher;
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SSLTrafficKeyDerivation.LegacyTrafficKeyDerivation;
+
+/**
+ * Pack of the ChangeCipherSpec message.
+ */
+final class ChangeCipherSpec {
+    static final SSLConsumer t10Consumer =
+            new T10ChangeCipherSpecConsumer();
+    static final HandshakeProducer t10Producer =
+            new T10ChangeCipherSpecProducer();
+    static final SSLConsumer t13Consumer =
+            new T13ChangeCipherSpecConsumer();
+
+    /**
+     * The "ChangeCipherSpec" message producer.
+     */
+    private static final
+            class T10ChangeCipherSpecProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T10ChangeCipherSpecProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            HandshakeContext hc = (HandshakeContext)context;
+            SSLKeyDerivation kd = hc.handshakeKeyDerivation;
+
+            if (!(kd instanceof LegacyTrafficKeyDerivation)) {
+                throw new UnsupportedOperationException("Not supported yet.");
+            }
+            LegacyTrafficKeyDerivation tkd = (LegacyTrafficKeyDerivation)kd;
+            CipherSuite ncs = hc.negotiatedCipherSuite;
+            Authenticator writeAuthenticator;
+            if (ncs.bulkCipher.cipherType == CipherType.AEAD_CIPHER) {
+                writeAuthenticator =
+                        Authenticator.valueOf(hc.negotiatedProtocol);
+            } else {
+                try {
+                    writeAuthenticator = Authenticator.valueOf(
+                            hc.negotiatedProtocol, ncs.macAlg,
+                            tkd.getTrafficKey(hc.sslConfig.isClientMode ?
+                                    "clientMacKey" : "serverMacKey"));
+                } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+                    // unlikely
+                    throw new SSLException("Algorithm missing:  ", e);
+                }
+            }
+
+            SecretKey writeKey =
+                    tkd.getTrafficKey(hc.sslConfig.isClientMode ?
+                                    "clientWriteKey" : "serverWriteKey");
+            SecretKey writeIv =
+                    tkd.getTrafficKey(hc.sslConfig.isClientMode ?
+                                    "clientWriteIv" : "serverWriteIv");
+            IvParameterSpec iv = (writeIv == null) ? null :
+                    new IvParameterSpec(writeIv.getEncoded());
+            SSLWriteCipher writeCipher;
+            try {
+                writeCipher = ncs.bulkCipher.createWriteCipher(
+                        writeAuthenticator,
+                        hc.negotiatedProtocol, writeKey, iv,
+                        hc.sslContext.getSecureRandom());
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                throw new SSLException("Algorithm missing:  ", gse);
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced ChangeCipherSpec message");
+            }
+
+            hc.conContext.outputRecord.changeWriteCiphers(writeCipher, true);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "ChangeCipherSpec" message producer.
+     */
+    private static final
+            class T10ChangeCipherSpecConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T10ChangeCipherSpecConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            TransportContext tc = (TransportContext)context;
+
+            // This comsumer can be used only once.
+            tc.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);
+
+            // parse
+            if (message.remaining() != 1 || message.get() != 1) {
+                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Malformed or unexpected ChangeCipherSpec message");
+            }
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Consuming ChangeCipherSpec message");
+            }
+
+            // validate
+            if (tc.handshakeContext == null) {
+                tc.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unexpected ChangeCipherSpec message");
+            }
+
+
+            HandshakeContext hc = tc.handshakeContext;
+
+            if (hc.handshakeKeyDerivation == null) {
+                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected ChangeCipherSpec message");
+            }
+
+            SSLKeyDerivation kd = hc.handshakeKeyDerivation;
+            if (kd instanceof LegacyTrafficKeyDerivation) {
+                LegacyTrafficKeyDerivation tkd = (LegacyTrafficKeyDerivation)kd;
+                CipherSuite ncs = hc.negotiatedCipherSuite;
+                Authenticator readAuthenticator;
+                if (ncs.bulkCipher.cipherType == CipherType.AEAD_CIPHER) {
+                    readAuthenticator =
+                            Authenticator.valueOf(hc.negotiatedProtocol);
+                } else {
+                    try {
+                        readAuthenticator = Authenticator.valueOf(
+                                hc.negotiatedProtocol, ncs.macAlg,
+                                tkd.getTrafficKey(hc.sslConfig.isClientMode ?
+                                        "serverMacKey" : "clientMacKey"));
+                    } catch (NoSuchAlgorithmException | InvalidKeyException e) {
+                        // unlikely
+                        throw new SSLException("Algorithm missing:  ", e);
+                    }
+                }
+
+                SecretKey readKey =
+                        tkd.getTrafficKey(hc.sslConfig.isClientMode ?
+                                        "serverWriteKey" : "clientWriteKey");
+                SecretKey readIv =
+                        tkd.getTrafficKey(hc.sslConfig.isClientMode ?
+                                        "serverWriteIv" : "clientWriteIv");
+                IvParameterSpec iv = (readIv == null) ? null :
+                        new IvParameterSpec(readIv.getEncoded());
+                SSLReadCipher readCipher;
+                try {
+                    readCipher = ncs.bulkCipher.createReadCipher(
+                            readAuthenticator,
+                            hc.negotiatedProtocol, readKey, iv,
+                            hc.sslContext.getSecureRandom());
+                } catch (GeneralSecurityException gse) {
+                    // unlikely
+                    throw new SSLException("Algorithm missing:  ", gse);
+                }
+                tc.inputRecord.changeReadCiphers(readCipher);
+            } else {
+                throw new UnsupportedOperationException("Not supported yet.");
+            }
+        }
+    }
+
+    private static final
+            class T13ChangeCipherSpecConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T13ChangeCipherSpecConsumer() {
+            // blank
+        }
+
+        // An implementation may receive an unencrypted record of type
+        // change_cipher_spec consisting of the single byte value 0x01
+        // at any time after the first ClientHello message has been
+        // sent or received and before the peer's Finished message has
+        // been received and MUST simply drop it without further
+        // processing.
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            TransportContext tc = (TransportContext)context;
+
+            // This comsumer can be used only once.
+            tc.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);
+
+            // parse
+            if (message.remaining() != 1 || message.get() != 1) {
+                tc.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Malformed or unexpected ChangeCipherSpec message");
+            }
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Consuming ChangeCipherSpec message");
+            }
+
+            // no further processing
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CipherType.java	2018-05-11 15:08:53.649286800 -0700
@@ -0,0 +1,37 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+/**
+ * Enum for SSL/(D)TLS cipher types.
+ */
+enum CipherType {
+    NULL_CIPHER,           // null cipher
+    STREAM_CIPHER,         // stream cipher
+    BLOCK_CIPHER,          // block cipher in CBC mode
+    AEAD_CIPHER            // AEAD cipher
+}
+
--- old/src/java.base/share/classes/sun/security/ssl/ClientHandshaker.java	2018-05-11 15:08:56.018815800 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,2004 +0,0 @@
-/*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.*;
-import java.math.BigInteger;
-import java.security.*;
-import java.util.*;
-
-import java.security.interfaces.ECPublicKey;
-import java.security.interfaces.RSAPublicKey;
-import java.security.spec.ECParameterSpec;
-
-import java.security.cert.X509Certificate;
-import java.security.cert.CertificateException;
-import java.security.cert.CertificateParsingException;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertPathValidatorException.Reason;
-import java.security.cert.CertPathValidatorException.BasicReason;
-import javax.security.auth.x500.X500Principal;
-
-import javax.crypto.SecretKey;
-
-import javax.net.ssl.*;
-
-import sun.security.ssl.HandshakeMessage.*;
-import static sun.security.ssl.CipherSuite.KeyExchange.*;
-
-/**
- * ClientHandshaker does the protocol handshaking from the point
- * of view of a client.  It is driven asychronously by handshake messages
- * as delivered by the parent Handshaker class, and also uses
- * common functionality (e.g. key generation) that is provided there.
- *
- * @author David Brownell
- */
-final class ClientHandshaker extends Handshaker {
-
-    // constants for subject alt names of type DNS and IP
-    private static final int ALTNAME_DNS = 2;
-    private static final int ALTNAME_IP  = 7;
-
-    // the server's public key from its certificate.
-    private PublicKey serverKey;
-
-    // the server's ephemeral public key from the server key exchange message
-    // for ECDHE/ECDH_anon and RSA_EXPORT.
-    private PublicKey ephemeralServerKey;
-
-    // server's ephemeral public value for DHE/DH_anon key exchanges
-    private BigInteger          serverDH;
-
-    private DHCrypt             dh;
-
-    private ECDHCrypt ecdh;
-
-    private CertificateRequest  certRequest;
-
-    private boolean serverKeyExchangeReceived;
-
-    private boolean staplingActive = false;
-    private X509Certificate[] deferredCerts;
-
-    /*
-     * The RSA PreMasterSecret needs to know the version of
-     * ClientHello that was used on this handshake.  This represents
-     * the "max version" this client is supporting.  In the
-     * case of an initial handshake, it's the max version enabled,
-     * but in the case of a resumption attempt, it's the version
-     * of the session we're trying to resume.
-     */
-    private ProtocolVersion maxProtocolVersion;
-
-    // To switch off the SNI extension.
-    private static final boolean enableSNIExtension =
-            Debug.getBooleanProperty("jsse.enableSNIExtension", true);
-
-    /*
-     * Allow unsafe server certificate change?
-     *
-     * Server certificate change during SSL/TLS renegotiation may be considered
-     * unsafe, as described in the Triple Handshake attacks:
-     *
-     *     https://secure-resumption.com/tlsauth.pdf
-     *
-     * Endpoint identification (See
-     * SSLParameters.getEndpointIdentificationAlgorithm()) is a pretty nice
-     * guarantee that the server certificate change in renegotiation is legal.
-     * However, endpoing identification is only enabled for HTTPS and LDAP
-     * over SSL/TLS by default.  It is not enough to protect SSL/TLS
-     * connections other than HTTPS and LDAP.
-     *
-     * The renegotiation indication extension (See RFC 5764) is a pretty
-     * strong guarantee that the endpoints on both client and server sides
-     * are identical on the same connection.  However, the Triple Handshake
-     * attacks can bypass this guarantee if there is a session-resumption
-     * handshake between the initial full handshake and the renegotiation
-     * full handshake.
-     *
-     * Server certificate change may be unsafe and should be restricted if
-     * endpoint identification is not enabled and the previous handshake is
-     * a session-resumption abbreviated initial handshake, unless the
-     * identities represented by both certificates can be regraded as the
-     * same (See isIdentityEquivalent()).
-     *
-     * Considering the compatibility impact and the actual requirements to
-     * support server certificate change in practice, the system property,
-     * jdk.tls.allowUnsafeServerCertChange, is used to define whether unsafe
-     * server certificate change in renegotiation is allowed or not.  The
-     * default value of the system property is "false".  To mitigate the
-     * compactibility impact, applications may want to set the system
-     * property to "true" at their own risk.
-     *
-     * If the value of the system property is "false", server certificate
-     * change in renegotiation after a session-resumption abbreviated initial
-     * handshake is restricted (See isIdentityEquivalent()).
-     *
-     * If the system property is set to "true" explicitly, the restriction on
-     * server certificate change in renegotiation is disabled.
-     */
-    private static final boolean allowUnsafeServerCertChange =
-        Debug.getBooleanProperty("jdk.tls.allowUnsafeServerCertChange", false);
-
-    // To switch off the max_fragment_length extension.
-    private static final boolean enableMFLExtension =
-            Debug.getBooleanProperty("jsse.enableMFLExtension", false);
-
-    // To switch off the supported_groups extension for DHE cipher suite.
-    private static final boolean enableFFDHE =
-            Debug.getBooleanProperty("jsse.enableFFDHE", true);
-
-    // Whether an ALPN extension was sent in the ClientHello
-    private boolean alpnActive = false;
-
-    private List<SNIServerName> requestedServerNames =
-            Collections.<SNIServerName>emptyList();
-
-    // maximum fragment length
-    private int requestedMFLength = -1;     // -1: no fragment length limit
-
-    private boolean serverNamesAccepted = false;
-
-    private ClientHello initialClientHelloMsg = null;   // DTLS only
-
-    /*
-     * the reserved server certificate chain in previous handshaking
-     *
-     * The server certificate chain is only reserved if the previous
-     * handshake is a session-resumption abbreviated initial handshake.
-     */
-    private X509Certificate[] reservedServerCerts = null;
-
-    /*
-     * Constructors
-     */
-    ClientHandshaker(SSLSocketImpl socket, SSLContextImpl context,
-            ProtocolList enabledProtocols,
-            ProtocolVersion activeProtocolVersion,
-            boolean isInitialHandshake, boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData) {
-
-        super(socket, context, enabledProtocols, true, true,
-            activeProtocolVersion, isInitialHandshake, secureRenegotiation,
-            clientVerifyData, serverVerifyData);
-    }
-
-    ClientHandshaker(SSLEngineImpl engine, SSLContextImpl context,
-            ProtocolList enabledProtocols,
-            ProtocolVersion activeProtocolVersion,
-            boolean isInitialHandshake, boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData,
-            boolean isDTLS) {
-
-        super(engine, context, enabledProtocols, true, true,
-            activeProtocolVersion, isInitialHandshake, secureRenegotiation,
-            clientVerifyData, serverVerifyData, isDTLS);
-    }
-
-    /*
-     * This routine handles all the client side handshake messages, one at
-     * a time.  Given the message type (and in some cases the pending cipher
-     * spec) it parses the type-specific message.  Then it calls a function
-     * that handles that specific message.
-     *
-     * It updates the state machine (need to verify it) as each message
-     * is processed, and writes responses as needed using the connection
-     * in the constructor.
-     */
-    @Override
-    void processMessage(byte type, int messageLen) throws IOException {
-        // check the handshake state
-        List<Byte> ignoredOptStates = handshakeState.check(type);
-
-        // If the state machine has skipped over certificate status
-        // and stapling was enabled, we need to check the chain immediately
-        // because it was deferred, waiting for CertificateStatus.
-        if (staplingActive && ignoredOptStates.contains(
-                HandshakeMessage.ht_certificate_status)) {
-            checkServerCerts(deferredCerts);
-            serverKey = session.getPeerCertificates()[0].getPublicKey();
-        }
-
-        switch (type) {
-        case HandshakeMessage.ht_hello_request:
-            HelloRequest helloRequest = new HelloRequest(input);
-            handshakeState.update(helloRequest, resumingSession);
-            this.serverHelloRequest(helloRequest);
-            break;
-
-        case HandshakeMessage.ht_hello_verify_request:
-            if (!isDTLS) {
-                throw new SSLProtocolException(
-                    "hello_verify_request is not a SSL/TLS handshake message");
-            }
-
-            HelloVerifyRequest helloVerifyRequest =
-                        new HelloVerifyRequest(input, messageLen);
-            handshakeState.update(helloVerifyRequest, resumingSession);
-            this.helloVerifyRequest(helloVerifyRequest);
-            break;
-
-        case HandshakeMessage.ht_server_hello:
-            ServerHello serverHello = new ServerHello(input, messageLen);
-            this.serverHello(serverHello);
-
-            // This handshake state update needs the resumingSession value
-            // set by serverHello().
-            handshakeState.update(serverHello, resumingSession);
-            break;
-
-        case HandshakeMessage.ht_certificate:
-            if (keyExchange == K_DH_ANON || keyExchange == K_ECDH_ANON
-                    || ClientKeyExchangeService.find(keyExchange.name) != null) {
-                // No external key exchange provider needs a cert now.
-                fatalSE(Alerts.alert_unexpected_message,
-                    "unexpected server cert chain");
-                // NOTREACHED
-            }
-            CertificateMsg certificateMsg = new CertificateMsg(input);
-            handshakeState.update(certificateMsg, resumingSession);
-            this.serverCertificate(certificateMsg);
-            if (!staplingActive) {
-                // If we are not doing stapling, we can set serverKey right
-                // away.  Otherwise, we will wait until verification of the
-                // chain has completed after CertificateStatus;
-                serverKey = session.getPeerCertificates()[0].getPublicKey();
-            }
-            break;
-
-        case HandshakeMessage.ht_certificate_status:
-            CertificateStatus certStatusMsg = new CertificateStatus(input);
-            handshakeState.update(certStatusMsg, resumingSession);
-            this.certificateStatus(certStatusMsg);
-            serverKey = session.getPeerCertificates()[0].getPublicKey();
-            break;
-
-        case HandshakeMessage.ht_server_key_exchange:
-            serverKeyExchangeReceived = true;
-            switch (keyExchange) {
-            case K_RSA_EXPORT:
-                /**
-                 * The server key exchange message is sent by the server only
-                 * when the server certificate message does not contain the
-                 * proper amount of data to allow the client to exchange a
-                 * premaster secret, such as when RSA_EXPORT is used and the
-                 * public key in the server certificate is longer than 512 bits.
-                 */
-                if (serverKey == null) {
-                    throw new SSLProtocolException
-                        ("Server did not send certificate message");
-                }
-
-                if (!(serverKey instanceof RSAPublicKey)) {
-                    throw new SSLProtocolException("Protocol violation:" +
-                        " the certificate type must be appropriate for the" +
-                        " selected cipher suite's key exchange algorithm");
-                }
-
-                if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
-                    throw new SSLProtocolException("Protocol violation:" +
-                        " server sent a server key exchange message for" +
-                        " key exchange " + keyExchange +
-                        " when the public key in the server certificate" +
-                        " is less than or equal to 512 bits in length");
-                }
-
-                try {
-                    RSA_ServerKeyExchange rsaSrvKeyExchange =
-                                    new RSA_ServerKeyExchange(input);
-                    handshakeState.update(rsaSrvKeyExchange, resumingSession);
-                    this.serverKeyExchange(rsaSrvKeyExchange);
-                } catch (GeneralSecurityException e) {
-                    throw new SSLException("Server key", e);
-                }
-                break;
-            case K_DH_ANON:
-                try {
-                    DH_ServerKeyExchange dhSrvKeyExchange =
-                            new DH_ServerKeyExchange(input, protocolVersion);
-                    handshakeState.update(dhSrvKeyExchange, resumingSession);
-                    this.serverKeyExchange(dhSrvKeyExchange);
-                } catch (GeneralSecurityException e) {
-                    throw new SSLException("Server key", e);
-                }
-                break;
-            case K_DHE_DSS:
-            case K_DHE_RSA:
-                try {
-                    DH_ServerKeyExchange dhSrvKeyExchange =
-                        new DH_ServerKeyExchange(
-                            input, serverKey,
-                            clnt_random.random_bytes, svr_random.random_bytes,
-                            messageLen,
-                            getLocalSupportedSignAlgs(), protocolVersion);
-                    handshakeState.update(dhSrvKeyExchange, resumingSession);
-                    this.serverKeyExchange(dhSrvKeyExchange);
-                } catch (GeneralSecurityException e) {
-                    throw new SSLException("Server key", e);
-                }
-                break;
-            case K_ECDHE_ECDSA:
-            case K_ECDHE_RSA:
-            case K_ECDH_ANON:
-                try {
-                    ECDH_ServerKeyExchange ecdhSrvKeyExchange =
-                        new ECDH_ServerKeyExchange
-                            (input, serverKey, clnt_random.random_bytes,
-                            svr_random.random_bytes,
-                            getLocalSupportedSignAlgs(), protocolVersion);
-                    handshakeState.update(ecdhSrvKeyExchange, resumingSession);
-                    this.serverKeyExchange(ecdhSrvKeyExchange);
-                } catch (GeneralSecurityException e) {
-                    throw new SSLException("Server key", e);
-                }
-                break;
-            case K_RSA:
-            case K_DH_RSA:
-            case K_DH_DSS:
-            case K_ECDH_ECDSA:
-            case K_ECDH_RSA:
-                throw new SSLProtocolException(
-                    "Protocol violation: server sent a server key exchange"
-                    + " message for key exchange " + keyExchange);
-            default:
-                throw new SSLProtocolException(
-                    "unsupported or unexpected key exchange algorithm = "
-                    + keyExchange);
-            }
-            break;
-
-        case HandshakeMessage.ht_certificate_request:
-            // save for later, it's handled by serverHelloDone
-            if ((keyExchange == K_DH_ANON) || (keyExchange == K_ECDH_ANON)) {
-                throw new SSLHandshakeException(
-                    "Client authentication requested for "+
-                    "anonymous cipher suite.");
-            } else if (ClientKeyExchangeService.find(keyExchange.name) != null) {
-                // No external key exchange provider needs a cert now.
-                throw new SSLHandshakeException(
-                    "Client certificate requested for "+
-                    "external cipher suite: " + keyExchange);
-            }
-            certRequest = new CertificateRequest(input, protocolVersion);
-            if (debug != null && Debug.isOn("handshake")) {
-                certRequest.print(System.out);
-            }
-            handshakeState.update(certRequest, resumingSession);
-
-            if (protocolVersion.useTLS12PlusSpec()) {
-                Collection<SignatureAndHashAlgorithm> peerSignAlgs =
-                                        certRequest.getSignAlgorithms();
-                if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
-                    throw new SSLHandshakeException(
-                        "No peer supported signature algorithms");
-                }
-
-                Collection<SignatureAndHashAlgorithm> supportedPeerSignAlgs =
-                    SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                            algorithmConstraints, peerSignAlgs);
-                if (supportedPeerSignAlgs.isEmpty()) {
-                    throw new SSLHandshakeException(
-                        "No supported signature and hash algorithm in common");
-                }
-
-                setPeerSupportedSignAlgs(supportedPeerSignAlgs);
-                session.setPeerSupportedSignatureAlgorithms(
-                                                supportedPeerSignAlgs);
-            }
-
-            break;
-
-        case HandshakeMessage.ht_server_hello_done:
-            ServerHelloDone serverHelloDone = new ServerHelloDone(input);
-            handshakeState.update(serverHelloDone, resumingSession);
-            this.serverHelloDone(serverHelloDone);
-
-            break;
-
-        case HandshakeMessage.ht_finished:
-            Finished serverFinished =
-                    new Finished(protocolVersion, input, cipherSuite);
-            handshakeState.update(serverFinished, resumingSession);
-            this.serverFinished(serverFinished);
-
-            break;
-
-        default:
-            throw new SSLProtocolException(
-                "Illegal client handshake msg, " + type);
-        }
-    }
-
-    /*
-     * Used by the server to kickstart negotiations -- this requests a
-     * "client hello" to renegotiate current cipher specs (e.g. maybe lots
-     * of data has been encrypted with the same keys, or the server needs
-     * the client to present a certificate).
-     */
-    private void serverHelloRequest(HelloRequest mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        //
-        // Could be (e.g. at connection setup) that we already
-        // sent the "client hello" but the server's not seen it.
-        //
-        if (!clientHelloDelivered) {
-            if (!secureRenegotiation && !allowUnsafeRenegotiation) {
-                // renegotiation is not allowed.
-                if (activeProtocolVersion.useTLS10PlusSpec()) {
-                    // response with a no_renegotiation warning,
-                    warningSE(Alerts.alert_no_renegotiation);
-
-                    // invalidate the handshake so that the caller can
-                    // dispose this object.
-                    invalidated = true;
-
-                    // If there is still unread block in the handshake
-                    // input stream, it would be truncated with the disposal
-                    // and the next handshake message will become incomplete.
-                    //
-                    // However, according to SSL/TLS specifications, no more
-                    // handshake message should immediately follow ClientHello
-                    // or HelloRequest. So just let it be.
-                } else {
-                    // For SSLv3, send the handshake_failure fatal error.
-                    // Note that SSLv3 does not define a no_renegotiation
-                    // alert like TLSv1. However we cannot ignore the message
-                    // simply, otherwise the other side was waiting for a
-                    // response that would never come.
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Renegotiation is not allowed");
-                }
-            } else {
-                if (!secureRenegotiation) {
-                    if (debug != null && Debug.isOn("handshake")) {
-                        System.out.println(
-                            "Warning: continue with insecure renegotiation");
-                    }
-                }
-                kickstart();
-            }
-        }
-    }
-
-    private void helloVerifyRequest(
-            HelloVerifyRequest mesg) throws IOException {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        //
-        // Note that HelloVerifyRequest.server_version is used solely to
-        // indicate packet formatting, and not as part of version negotiation.
-        // Need not to check version values match for HelloVerifyRequest
-        // message.
-        //
-        initialClientHelloMsg.cookie = mesg.cookie.clone();
-
-        if (debug != null && Debug.isOn("handshake")) {
-            initialClientHelloMsg.print(System.out);
-        }
-
-        // deliver the ClientHello message with cookie
-        initialClientHelloMsg.write(output);
-        handshakeState.update(initialClientHelloMsg, resumingSession);
-    }
-
-    /*
-     * Server chooses session parameters given options created by the
-     * client -- basically, cipher options, session id, and someday a
-     * set of compression options.
-     *
-     * There are two branches of the state machine, decided by the
-     * details of this message.  One is the "fast" handshake, where we
-     * can resume the pre-existing session we asked resume.  The other
-     * is a more expensive "full" handshake, with key exchange and
-     * probably authentication getting done.
-     */
-    private void serverHello(ServerHello mesg) throws IOException {
-        // Dispose the reserved ClientHello message (if exists).
-        initialClientHelloMsg = null;
-
-        serverKeyExchangeReceived = false;
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        // check if the server selected protocol version is OK for us
-        ProtocolVersion mesgVersion = mesg.protocolVersion;
-        if (!isNegotiable(mesgVersion)) {
-            throw new SSLHandshakeException(
-                "Server chose " + mesgVersion +
-                ", but that protocol version is not enabled or not supported " +
-                "by the client.");
-        }
-
-        handshakeHash.protocolDetermined(mesgVersion);
-
-        // Set protocolVersion and propagate to SSLSocket and the
-        // Handshake streams
-        setVersion(mesgVersion);
-
-        // check the "renegotiation_info" extension
-        RenegotiationInfoExtension serverHelloRI = (RenegotiationInfoExtension)
-                    mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
-        if (serverHelloRI != null) {
-            if (isInitialHandshake) {
-                // verify the length of the "renegotiated_connection" field
-                if (!serverHelloRI.isEmpty()) {
-                    // abort the handshake with a fatal handshake_failure alert
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "The renegotiation_info field is not empty");
-                }
-
-                secureRenegotiation = true;
-            } else {
-                // For a legacy renegotiation, the client MUST verify that
-                // it does not contain the "renegotiation_info" extension.
-                if (!secureRenegotiation) {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Unexpected renegotiation indication extension");
-                }
-
-                // verify the client_verify_data and server_verify_data values
-                byte[] verifyData =
-                    new byte[clientVerifyData.length + serverVerifyData.length];
-                System.arraycopy(clientVerifyData, 0, verifyData,
-                        0, clientVerifyData.length);
-                System.arraycopy(serverVerifyData, 0, verifyData,
-                        clientVerifyData.length, serverVerifyData.length);
-                if (!MessageDigest.isEqual(verifyData,
-                                serverHelloRI.getRenegotiatedConnection())) {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Incorrect verify data in ServerHello " +
-                        "renegotiation_info message");
-                }
-            }
-        } else {
-            // no renegotiation indication extension
-            if (isInitialHandshake) {
-                if (!allowLegacyHelloMessages) {
-                    // abort the handshake with a fatal handshake_failure alert
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Failed to negotiate the use of secure renegotiation");
-                }
-
-                secureRenegotiation = false;
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Warning: No renegotiation " +
-                                    "indication extension in ServerHello");
-                }
-            } else {
-                // For a secure renegotiation, the client must abort the
-                // handshake if no "renegotiation_info" extension is present.
-                if (secureRenegotiation) {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "No renegotiation indication extension");
-                }
-
-                // we have already allowed unsafe renegotation before request
-                // the renegotiation.
-            }
-        }
-
-        //
-        // Save server nonce, we always use it to compute connection
-        // keys and it's also used to create the master secret if we're
-        // creating a new session (i.e. in the full handshake).
-        //
-        svr_random = mesg.svr_random;
-
-        if (isNegotiable(mesg.cipherSuite) == false) {
-            fatalSE(Alerts.alert_illegal_parameter,
-                "Server selected improper ciphersuite " + mesg.cipherSuite);
-        }
-
-        setCipherSuite(mesg.cipherSuite);
-        if (protocolVersion.useTLS12PlusSpec()) {
-            handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
-        }
-
-        if (mesg.compression_method != 0) {
-            fatalSE(Alerts.alert_illegal_parameter,
-                "compression type not supported, "
-                + mesg.compression_method);
-            // NOTREACHED
-        }
-
-        // so far so good, let's look at the session
-        if (session != null) {
-            // we tried to resume, let's see what the server decided
-            if (session.getSessionId().equals(mesg.sessionId)) {
-                // server resumed the session, let's make sure everything
-                // checks out
-
-                // Verify that the session ciphers are unchanged.
-                CipherSuite sessionSuite = session.getSuite();
-                if (cipherSuite != sessionSuite) {
-                    throw new SSLProtocolException
-                        ("Server returned wrong cipher suite for session");
-                }
-
-                // verify protocol version match
-                ProtocolVersion sessionVersion = session.getProtocolVersion();
-                if (protocolVersion != sessionVersion) {
-                    throw new SSLProtocolException
-                        ("Server resumed session with wrong protocol version");
-                }
-
-                // validate subject identity
-                ClientKeyExchangeService p =
-                        ClientKeyExchangeService.find(
-                                sessionSuite.keyExchange.name);
-                if (p != null) {
-                    Principal localPrincipal = session.getLocalPrincipal();
-
-                    if (p.isRelated(true, getAccSE(), localPrincipal)) {
-                        if (debug != null && Debug.isOn("session"))
-                            System.out.println("Subject identity is same");
-                    } else {
-                        throw new SSLProtocolException(
-                                "Server resumed session with " +
-                                "wrong subject identity or no subject");
-                    }
-                }
-
-                // looks fine; resume it.
-                resumingSession = true;
-                calculateConnectionKeys(session.getMasterSecret());
-                if (debug != null && Debug.isOn("session")) {
-                    System.out.println("%% Server resumed " + session);
-                }
-            } else {
-                // we wanted to resume, but the server refused
-                //
-                // Invalidate the session for initial handshake in case
-                // of reusing next time.
-                if (isInitialHandshake) {
-                    session.invalidate();
-                }
-                session = null;
-                if (!enableNewSession) {
-                    throw new SSLException("New session creation is disabled");
-                }
-            }
-        }
-
-        // check the "max_fragment_length" extension
-        MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
-                mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
-        if (maxFragLenExt != null) {
-            if ((requestedMFLength == -1) ||
-                    maxFragLenExt.getMaxFragLen() != requestedMFLength) {
-                // If the client did not request this extension, or the
-                // response value is different from the length it requested,
-                // abort the handshake with a fatal illegal_parameter alert.
-                fatalSE(Alerts.alert_illegal_parameter,
-                        "Failed to negotiate the max_fragment_length");
-            }
-        } else if (!resumingSession) {
-            // no "max_fragment_length" extension
-            requestedMFLength = -1;
-        }   // Otherwise, using the value negotiated during the original
-            // session initiation
-
-        // check the "extended_master_secret" extension
-        ExtendedMasterSecretExtension extendedMasterSecretExt =
-                (ExtendedMasterSecretExtension)mesg.extensions.get(
-                        ExtensionType.EXT_EXTENDED_MASTER_SECRET);
-        if (extendedMasterSecretExt != null) {
-            // Is it the expected server extension?
-            if (!useExtendedMasterSecret ||
-                    !mesgVersion.useTLS10PlusSpec() || !requestedToUseEMS) {
-                fatalSE(Alerts.alert_unsupported_extension,
-                        "Server sent the extended_master_secret " +
-                        "extension improperly");
-            }
-
-            // For abbreviated handshake, if the original session did not use
-            // the "extended_master_secret" extension but the new ServerHello
-            // contains the extension, the client MUST abort the handshake.
-            if (resumingSession && (session != null) &&
-                    !session.getUseExtendedMasterSecret()) {
-                fatalSE(Alerts.alert_unsupported_extension,
-                        "Server sent an unexpected extended_master_secret " +
-                        "extension on session resumption");
-            }
-        } else {
-            if (useExtendedMasterSecret && !allowLegacyMasterSecret) {
-                // For full handshake, if a client receives a ServerHello
-                // without the extension, it SHOULD abort the handshake if
-                // it does not wish to interoperate with legacy servers.
-                fatalSE(Alerts.alert_handshake_failure,
-                    "Extended Master Secret extension is required");
-            }
-
-            if (resumingSession && (session != null)) {
-                if (session.getUseExtendedMasterSecret()) {
-                    // For abbreviated handshake, if the original session used
-                    // the "extended_master_secret" extension but the new
-                    // ServerHello does not contain the extension, the client
-                    // MUST abort the handshake.
-                    fatalSE(Alerts.alert_handshake_failure,
-                            "Missing Extended Master Secret extension " +
-                            "on session resumption");
-                } else if (useExtendedMasterSecret && !allowLegacyResumption) {
-                    // Unlikely, abbreviated handshake should be discarded.
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Extended Master Secret extension is required");
-                }
-            }
-        }
-
-        // check the ALPN extension
-        ALPNExtension serverHelloALPN =
-            (ALPNExtension) mesg.extensions.get(ExtensionType.EXT_ALPN);
-
-        if (serverHelloALPN != null) {
-            // Check whether an ALPN extension was sent in ClientHello message
-            if (!alpnActive) {
-                fatalSE(Alerts.alert_unsupported_extension,
-                    "Server sent " + ExtensionType.EXT_ALPN +
-                    " extension when not requested by client");
-            }
-
-            List<String> protocols = serverHelloALPN.getPeerAPs();
-            // Only one application protocol name should be present
-            String p;
-            if ((protocols.size() == 1) &&
-                    !((p = protocols.get(0)).isEmpty())) {
-                int i;
-                for (i = 0; i < localApl.length; i++) {
-                    if (localApl[i].equals(p)) {
-                        break;
-                    }
-                }
-                if (i == localApl.length) {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Server has selected an application protocol name " +
-                        "which was not offered by the client: " + p);
-                }
-                applicationProtocol = p;
-            } else {
-                fatalSE(Alerts.alert_handshake_failure,
-                    "Incorrect data in ServerHello " + ExtensionType.EXT_ALPN +
-                    " message");
-            }
-        } else {
-            applicationProtocol = "";
-        }
-
-        if (resumingSession && session != null) {
-            setHandshakeSessionSE(session);
-            // Reserve the handshake state if this is a session-resumption
-            // abbreviated initial handshake.
-            if (isInitialHandshake) {
-                session.setAsSessionResumption(true);
-            }
-
-            return;
-        }
-
-        // check extensions
-        for (HelloExtension ext : mesg.extensions.list()) {
-            ExtensionType type = ext.type;
-            if (type == ExtensionType.EXT_SERVER_NAME) {
-                serverNamesAccepted = true;
-            } else if (type == ExtensionType.EXT_STATUS_REQUEST ||
-                    type == ExtensionType.EXT_STATUS_REQUEST_V2) {
-                // Only enable the stapling feature if the client asserted
-                // these extensions.
-                if (sslContext.isStaplingEnabled(true)) {
-                    staplingActive = true;
-                } else {
-                    fatalSE(Alerts.alert_unexpected_message, "Server set " +
-                            type + " extension when not requested by client");
-                }
-            } else if ((type != ExtensionType.EXT_SUPPORTED_GROUPS)
-                    && (type != ExtensionType.EXT_EC_POINT_FORMATS)
-                    && (type != ExtensionType.EXT_SERVER_NAME)
-                    && (type != ExtensionType.EXT_ALPN)
-                    && (type != ExtensionType.EXT_RENEGOTIATION_INFO)
-                    && (type != ExtensionType.EXT_STATUS_REQUEST)
-                    && (type != ExtensionType.EXT_STATUS_REQUEST_V2)
-                    && (type != ExtensionType.EXT_EXTENDED_MASTER_SECRET)) {
-                // Note: Better to check client requested extensions rather
-                // than all supported extensions.
-                fatalSE(Alerts.alert_unsupported_extension,
-                    "Server sent an unsupported extension: " + type);
-            }
-        }
-
-        // Create a new session, we need to do the full handshake
-        session = new SSLSessionImpl(protocolVersion, cipherSuite,
-                            getLocalSupportedSignAlgs(),
-                            mesg.sessionId, getHostSE(), getPortSE(),
-                            (extendedMasterSecretExt != null));
-        session.setRequestedServerNames(requestedServerNames);
-        session.setNegotiatedMaxFragSize(requestedMFLength);
-        session.setMaximumPacketSize(maximumPacketSize);
-        setHandshakeSessionSE(session);
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println("** " + cipherSuite);
-        }
-    }
-
-    /*
-     * Server's own key was either a signing-only key, or was too
-     * large for export rules ... this message holds an ephemeral
-     * RSA key to use for key exchange.
-     */
-    private void serverKeyExchange(RSA_ServerKeyExchange mesg)
-            throws IOException, GeneralSecurityException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-        if (!mesg.verify(serverKey, clnt_random, svr_random)) {
-            fatalSE(Alerts.alert_handshake_failure,
-                "server key exchange invalid");
-            // NOTREACHED
-        }
-        ephemeralServerKey = mesg.getPublicKey();
-
-        // check constraints of RSA PublicKey
-        if (!algorithmConstraints.permits(
-            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
-
-            throw new SSLHandshakeException("RSA ServerKeyExchange " +
-                    "does not comply to algorithm constraints");
-        }
-    }
-
-    /*
-     * Diffie-Hellman key exchange.  We save the server public key and
-     * our own D-H algorithm object so we can defer key calculations
-     * until after we've sent the client key exchange message (which
-     * gives client and server some useful parallelism).
-     *
-     * Note per section 3 of RFC 7919, if the server is not compatible with
-     * FFDHE specification, the client MAY decide to continue the connection
-     * if the selected DHE group is acceptable under local policy, or it MAY
-     * decide to terminate the connection with a fatal insufficient_security
-     * (71) alert.  The algorithm constraints mechanism is JDK local policy
-     * used for additional DHE parameters checking.  So this implementation
-     * does not check the server compatibility and just pass to the local
-     * algorithm constraints checking.  The client will continue the
-     * connection if the server selected DHE group is acceptable by the
-     * specified algorithm constraints.
-     */
-    private void serverKeyExchange(DH_ServerKeyExchange mesg)
-            throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-        dh = new DHCrypt(mesg.getModulus(), mesg.getBase(),
-                                            sslContext.getSecureRandom());
-        serverDH = mesg.getServerPublicKey();
-
-        // check algorithm constraints
-        dh.checkConstraints(algorithmConstraints, serverDH);
-    }
-
-    private void serverKeyExchange(ECDH_ServerKeyExchange mesg)
-            throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-        ECPublicKey key = mesg.getPublicKey();
-        ecdh = new ECDHCrypt(key.getParams(), sslContext.getSecureRandom());
-        ephemeralServerKey = key;
-
-        // check constraints of EC PublicKey
-        if (!algorithmConstraints.permits(
-            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), ephemeralServerKey)) {
-
-            throw new SSLHandshakeException("ECDH ServerKeyExchange " +
-                    "does not comply to algorithm constraints");
-        }
-    }
-
-    /*
-     * The server's "Hello Done" message is the client's sign that
-     * it's time to do all the hard work.
-     */
-    private void serverHelloDone(ServerHelloDone mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        /*
-         * FIRST ... if requested, send an appropriate Certificate chain
-         * to authenticate the client, and remember the associated private
-         * key to sign the CertificateVerify message.
-         */
-        PrivateKey signingKey = null;
-
-        if (certRequest != null) {
-            X509ExtendedKeyManager km = sslContext.getX509KeyManager();
-
-            ArrayList<String> keytypesTmp = new ArrayList<>(4);
-
-            for (int i = 0; i < certRequest.types.length; i++) {
-                String typeName;
-
-                switch (certRequest.types[i]) {
-                    case CertificateRequest.cct_rsa_sign:
-                        typeName = "RSA";
-                        break;
-
-                    case CertificateRequest.cct_dss_sign:
-                        typeName = "DSA";
-                            break;
-
-                    case CertificateRequest.cct_ecdsa_sign:
-                        // ignore if we do not have EC crypto available
-                        typeName = JsseJce.isEcAvailable() ? "EC" : null;
-                        break;
-
-                    // Fixed DH/ECDH client authentication not supported
-                    //
-                    // case CertificateRequest.cct_rsa_fixed_dh:
-                    // case CertificateRequest.cct_dss_fixed_dh:
-                    // case CertificateRequest.cct_rsa_fixed_ecdh:
-                    // case CertificateRequest.cct_ecdsa_fixed_ecdh:
-                    //
-                    // Any other values (currently not used in TLS)
-                    //
-                    // case CertificateRequest.cct_rsa_ephemeral_dh:
-                    // case CertificateRequest.cct_dss_ephemeral_dh:
-                    default:
-                        typeName = null;
-                        break;
-                }
-
-                if ((typeName != null) && (!keytypesTmp.contains(typeName))) {
-                    keytypesTmp.add(typeName);
-                }
-            }
-
-            String alias = null;
-            int keytypesTmpSize = keytypesTmp.size();
-            if (keytypesTmpSize != 0) {
-                String[] keytypes =
-                        keytypesTmp.toArray(new String[keytypesTmpSize]);
-
-                if (conn != null) {
-                    alias = km.chooseClientAlias(keytypes,
-                        certRequest.getAuthorities(), conn);
-                } else {
-                    alias = km.chooseEngineClientAlias(keytypes,
-                        certRequest.getAuthorities(), engine);
-                }
-            }
-
-            CertificateMsg m1 = null;
-            if (alias != null) {
-                X509Certificate[] certs = km.getCertificateChain(alias);
-                if ((certs != null) && (certs.length != 0)) {
-                    PublicKey publicKey = certs[0].getPublicKey();
-                    if (publicKey != null) {
-                        m1 = new CertificateMsg(certs);
-                        signingKey = km.getPrivateKey(alias);
-                        session.setLocalPrivateKey(signingKey);
-                        session.setLocalCertificates(certs);
-                    }
-                }
-            }
-            if (m1 == null) {
-                //
-                // No appropriate cert was found ... report this to the
-                // server.  For SSLv3, send the no_certificate alert;
-                // TLS uses an empty cert chain instead.
-                //
-                if (protocolVersion.useTLS10PlusSpec()) {
-                    m1 = new CertificateMsg(new X509Certificate [0]);
-                } else {
-                    warningSE(Alerts.alert_no_certificate);
-                }
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println(
-                        "Warning: no suitable certificate found - " +
-                        "continuing without client authentication");
-                }
-            }
-
-            //
-            // At last ... send any client certificate chain.
-            //
-            if (m1 != null) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    m1.print(System.out);
-                }
-                m1.write(output);
-                handshakeState.update(m1, resumingSession);
-            }
-        }
-
-        /*
-         * SECOND ... send the client key exchange message.  The
-         * procedure used is a function of the cipher suite selected;
-         * one is always needed.
-         */
-        HandshakeMessage m2;
-
-        switch (keyExchange) {
-
-        case K_RSA:
-        case K_RSA_EXPORT:
-            if (serverKey == null) {
-                throw new SSLProtocolException
-                        ("Server did not send certificate message");
-            }
-
-            if (!(serverKey instanceof RSAPublicKey)) {
-                throw new SSLProtocolException
-                        ("Server certificate does not include an RSA key");
-            }
-
-            /*
-             * For RSA key exchange, we randomly generate a new
-             * pre-master secret and encrypt it with the server's
-             * public key.  Then we save that pre-master secret
-             * so that we can calculate the keying data later;
-             * it's a performance speedup not to do that until
-             * the client's waiting for the server response, but
-             * more of a speedup for the D-H case.
-             *
-             * If the RSA_EXPORT scheme is active, when the public
-             * key in the server certificate is less than or equal
-             * to 512 bits in length, use the cert's public key,
-             * otherwise, the ephemeral one.
-             */
-            PublicKey key;
-            if (keyExchange == K_RSA) {
-                key = serverKey;
-            } else {    // K_RSA_EXPORT
-                if (JsseJce.getRSAKeyLength(serverKey) <= 512) {
-                    // extraneous ephemeralServerKey check done
-                    // above in processMessage()
-                    key = serverKey;
-                } else {
-                    if (ephemeralServerKey == null) {
-                        throw new SSLProtocolException("Server did not send" +
-                            " a RSA_EXPORT Server Key Exchange message");
-                    }
-                    key = ephemeralServerKey;
-                }
-            }
-
-            m2 = new RSAClientKeyExchange(protocolVersion, maxProtocolVersion,
-                                sslContext.getSecureRandom(), key);
-            break;
-        case K_DH_RSA:
-        case K_DH_DSS:
-            /*
-             * For DH Key exchange, we only need to make sure the server
-             * knows our public key, so we calculate the same pre-master
-             * secret.
-             *
-             * For certs that had DH keys in them, we send an empty
-             * handshake message (no key) ... we flag this case by
-             * passing a null "dhPublic" value.
-             *
-             * Otherwise we send ephemeral DH keys, unsigned.
-             */
-            // if (useDH_RSA || useDH_DSS)
-            m2 = new DHClientKeyExchange();
-            break;
-        case K_DHE_RSA:
-        case K_DHE_DSS:
-        case K_DH_ANON:
-            if (dh == null) {
-                throw new SSLProtocolException
-                    ("Server did not send a DH Server Key Exchange message");
-            }
-            m2 = new DHClientKeyExchange(dh.getPublicKey());
-            break;
-        case K_ECDHE_RSA:
-        case K_ECDHE_ECDSA:
-        case K_ECDH_ANON:
-            if (ecdh == null) {
-                throw new SSLProtocolException
-                    ("Server did not send a ECDH Server Key Exchange message");
-            }
-            m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
-            break;
-        case K_ECDH_RSA:
-        case K_ECDH_ECDSA:
-            if (serverKey == null) {
-                throw new SSLProtocolException
-                        ("Server did not send certificate message");
-            }
-            if (serverKey instanceof ECPublicKey == false) {
-                throw new SSLProtocolException
-                        ("Server certificate does not include an EC key");
-            }
-            ECParameterSpec params = ((ECPublicKey)serverKey).getParams();
-            ecdh = new ECDHCrypt(params, sslContext.getSecureRandom());
-            m2 = new ECDHClientKeyExchange(ecdh.getPublicKey());
-            break;
-        default:
-            ClientKeyExchangeService p =
-                    ClientKeyExchangeService.find(keyExchange.name);
-            if (p == null) {
-                // somethings very wrong
-                throw new RuntimeException
-                        ("Unsupported key exchange: " + keyExchange);
-            }
-            String sniHostname = null;
-            for (SNIServerName serverName : requestedServerNames) {
-                if (serverName instanceof SNIHostName) {
-                    sniHostname = ((SNIHostName) serverName).getAsciiName();
-                    break;
-                }
-            }
-
-            ClientKeyExchange exMsg = null;
-            if (sniHostname != null) {
-                // use first requested SNI hostname
-                try {
-                    exMsg = p.createClientExchange(
-                            sniHostname, getAccSE(), protocolVersion,
-                            sslContext.getSecureRandom());
-                } catch(IOException e) {
-                    if (serverNamesAccepted) {
-                        // server accepted requested SNI hostname,
-                        // so it must be used
-                        throw e;
-                    }
-                    // fallback to using hostname
-                    if (debug != null && Debug.isOn("handshake")) {
-                        System.out.println(
-                            "Warning, cannot use Server Name Indication: "
-                                + e.getMessage());
-                    }
-                }
-            }
-
-            if (exMsg == null) {
-                String hostname = getHostSE();
-                if (hostname == null) {
-                    throw new IOException("Hostname is required" +
-                        " to use " + keyExchange + " key exchange");
-                }
-                exMsg = p.createClientExchange(
-                        hostname, getAccSE(), protocolVersion,
-                        sslContext.getSecureRandom());
-            }
-
-            // Record the principals involved in exchange
-            session.setPeerPrincipal(exMsg.getPeerPrincipal());
-            session.setLocalPrincipal(exMsg.getLocalPrincipal());
-            m2 = exMsg;
-            break;
-        }
-        if (debug != null && Debug.isOn("handshake")) {
-            m2.print(System.out);
-        }
-        m2.write(output);
-        handshakeState.update(m2, resumingSession);
-
-        /*
-         * THIRD, send a "change_cipher_spec" record followed by the
-         * "Finished" message.  We flush the messages we've queued up, to
-         * get concurrency between client and server.  The concurrency is
-         * useful as we calculate the master secret, which is needed both
-         * to compute the "Finished" message, and to compute the keys used
-         * to protect all records following the change_cipher_spec.
-         */
-        output.flush();
-
-        /*
-         * We deferred calculating the master secret and this connection's
-         * keying data; we do it now.  Deferring this calculation is good
-         * from a performance point of view, since it lets us do it during
-         * some time that network delays and the server's own calculations
-         * would otherwise cause to be "dead" in the critical path.
-         */
-        SecretKey preMasterSecret;
-        switch (keyExchange) {
-        case K_RSA:
-        case K_RSA_EXPORT:
-            preMasterSecret = ((RSAClientKeyExchange)m2).preMaster;
-            break;
-        case K_DHE_RSA:
-        case K_DHE_DSS:
-        case K_DH_ANON:
-            preMasterSecret = dh.getAgreedSecret(serverDH, true);
-            break;
-        case K_ECDHE_RSA:
-        case K_ECDHE_ECDSA:
-        case K_ECDH_ANON:
-            preMasterSecret = ecdh.getAgreedSecret(ephemeralServerKey);
-            break;
-        case K_ECDH_RSA:
-        case K_ECDH_ECDSA:
-            preMasterSecret = ecdh.getAgreedSecret(serverKey);
-            break;
-        default:
-            if (ClientKeyExchangeService.find(keyExchange.name) != null) {
-                preMasterSecret =
-                        ((ClientKeyExchange) m2).clientKeyExchange();
-            } else {
-                throw new IOException("Internal error: unknown key exchange "
-                        + keyExchange);
-            }
-        }
-
-        calculateKeys(preMasterSecret, null);
-
-        /*
-         * FOURTH, if we sent a Certificate, we need to send a signed
-         * CertificateVerify (unless the key in the client's certificate
-         * was a Diffie-Hellman key).
-         *
-         * This uses a hash of the previous handshake messages ... either
-         * a nonfinal one (if the particular implementation supports it)
-         * or else using the third element in the arrays of hashes being
-         * computed.
-         */
-        if (signingKey != null) {
-            CertificateVerify m3;
-            try {
-                SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
-                if (protocolVersion.useTLS12PlusSpec()) {
-                    preferableSignatureAlgorithm =
-                        SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                            getPeerSupportedSignAlgs(),
-                            signingKey.getAlgorithm(), signingKey);
-
-                    if (preferableSignatureAlgorithm == null) {
-                        throw new SSLHandshakeException(
-                            "No supported signature algorithm");
-                    }
-
-                    String hashAlg =
-                        SignatureAndHashAlgorithm.getHashAlgorithmName(
-                                preferableSignatureAlgorithm);
-                    if (hashAlg == null || hashAlg.length() == 0) {
-                        throw new SSLHandshakeException(
-                                "No supported hash algorithm");
-                    }
-                }
-
-                m3 = new CertificateVerify(protocolVersion, handshakeHash,
-                    signingKey, session.getMasterSecret(),
-                    sslContext.getSecureRandom(),
-                    preferableSignatureAlgorithm);
-            } catch (GeneralSecurityException e) {
-                fatalSE(Alerts.alert_handshake_failure,
-                    "Error signing certificate verify", e);
-                // NOTREACHED, make compiler happy
-                m3 = null;
-            }
-            if (debug != null && Debug.isOn("handshake")) {
-                m3.print(System.out);
-            }
-            m3.write(output);
-            handshakeState.update(m3, resumingSession);
-            output.flush();
-        }
-
-        /*
-         * OK, that's that!
-         */
-        sendChangeCipherAndFinish(false);
-
-        // expecting the final ChangeCipherSpec and Finished messages
-        expectingFinishFlightSE();
-    }
-
-
-    /*
-     * "Finished" is the last handshake message sent.  If we got this
-     * far, the MAC has been validated post-decryption.  We validate
-     * the two hashes here as an additional sanity check, protecting
-     * the handshake against various active attacks.
-     */
-    private void serverFinished(Finished mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        boolean verified = mesg.verify(handshakeHash, Finished.SERVER,
-            session.getMasterSecret());
-
-        if (!verified) {
-            fatalSE(Alerts.alert_illegal_parameter,
-                       "server 'finished' message doesn't verify");
-            // NOTREACHED
-        }
-
-        /*
-         * save server verify data for secure renegotiation
-         */
-        if (secureRenegotiation) {
-            serverVerifyData = mesg.getVerifyData();
-        }
-
-        /*
-         * Reset the handshake state if this is not an initial handshake.
-         */
-        if (!isInitialHandshake) {
-            session.setAsSessionResumption(false);
-        }
-
-        /*
-         * OK, it verified.  If we're doing the fast handshake, add that
-         * "Finished" message to the hash of handshake messages, then send
-         * our own change_cipher_spec and Finished message for the server
-         * to verify in turn.  These are the last handshake messages.
-         *
-         * In any case, update the session cache.  We're done handshaking,
-         * so there are no threats any more associated with partially
-         * completed handshakes.
-         */
-        if (resumingSession) {
-            sendChangeCipherAndFinish(true);
-        } else {
-            handshakeFinished = true;
-        }
-        session.setLastAccessedTime(System.currentTimeMillis());
-
-        if (!resumingSession) {
-            if (session.isRejoinable()) {
-                ((SSLSessionContextImpl) sslContext
-                        .engineGetClientSessionContext())
-                        .put(session);
-                if (debug != null && Debug.isOn("session")) {
-                    System.out.println("%% Cached client session: " + session);
-                }
-            } else if (debug != null && Debug.isOn("session")) {
-                System.out.println(
-                    "%% Didn't cache non-resumable client session: "
-                    + session);
-            }
-        }
-    }
-
-
-    /*
-     * Send my change-cipher-spec and Finished message ... done as the
-     * last handshake act in either the short or long sequences.  In
-     * the short one, we've already seen the server's Finished; in the
-     * long one, we wait for it now.
-     */
-    private void sendChangeCipherAndFinish(boolean finishedTag)
-            throws IOException {
-
-        // Reload if this message has been reserved.
-        handshakeHash.reload();
-
-        Finished mesg = new Finished(protocolVersion, handshakeHash,
-            Finished.CLIENT, session.getMasterSecret(), cipherSuite);
-
-        /*
-         * Send the change_cipher_spec message, then the Finished message
-         * which we just calculated (and protected using the keys we just
-         * calculated).  Server responds with its Finished message, except
-         * in the "fast handshake" (resume session) case.
-         */
-        sendChangeCipherSpec(mesg, finishedTag);
-
-        /*
-         * save client verify data for secure renegotiation
-         */
-        if (secureRenegotiation) {
-            clientVerifyData = mesg.getVerifyData();
-        }
-    }
-
-
-    /*
-     * Returns a ClientHello message to kickstart renegotiations
-     */
-    @Override
-    HandshakeMessage getKickstartMessage() throws SSLException {
-        // session ID of the ClientHello message
-        SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();
-
-        // a list of cipher suites sent by the client
-        CipherSuiteList cipherSuites = getActiveCipherSuites();
-
-        // set the max protocol version this client is supporting.
-        maxProtocolVersion = protocolVersion;
-
-        //
-        // Try to resume an existing session.  This might be mandatory,
-        // given certain API options.
-        //
-        session = ((SSLSessionContextImpl)sslContext
-                        .engineGetClientSessionContext())
-                        .get(getHostSE(), getPortSE());
-        if (debug != null && Debug.isOn("session")) {
-            if (session != null) {
-                System.out.println("%% Client cached "
-                    + session
-                    + (session.isRejoinable() ? "" : " (not rejoinable)"));
-            } else {
-                System.out.println("%% No cached client session");
-            }
-        }
-        if (session != null) {
-            // If unsafe server certificate change is not allowed, reserve
-            // current server certificates if the previous handshake is a
-            // session-resumption abbreviated initial handshake.
-            if (!allowUnsafeServerCertChange && session.isSessionResumption()) {
-                try {
-                    // If existing, peer certificate chain cannot be null.
-                    reservedServerCerts =
-                        (X509Certificate[])session.getPeerCertificates();
-                } catch (SSLPeerUnverifiedException puve) {
-                    // Maybe not certificate-based, ignore the exception.
-                }
-            }
-
-            if (!session.isRejoinable()) {
-                session = null;
-            }
-        }
-
-        if (session != null) {
-            CipherSuite sessionSuite = session.getSuite();
-            ProtocolVersion sessionVersion = session.getProtocolVersion();
-            if (isNegotiable(sessionSuite) == false) {
-                if (debug != null && Debug.isOn("session")) {
-                    System.out.println("%% can't resume, unavailable cipher");
-                }
-                session = null;
-            }
-
-            if ((session != null) && !isNegotiable(sessionVersion)) {
-                if (debug != null && Debug.isOn("session")) {
-                    System.out.println("%% can't resume, protocol disabled");
-                }
-                session = null;
-            }
-
-            if ((session != null) && useExtendedMasterSecret) {
-                boolean isTLS10Plus = sessionVersion.useTLS10PlusSpec();
-                if (isTLS10Plus && !session.getUseExtendedMasterSecret()) {
-                    if (!allowLegacyResumption) {
-                        // perform full handshake instead
-                        //
-                        // The client SHOULD NOT offer an abbreviated handshake
-                        // to resume a session that does not use an extended
-                        // master secret.  Instead, it SHOULD offer a full
-                        // handshake.
-                        session = null;
-                    }
-                }
-
-                if ((session != null) && !allowUnsafeServerCertChange) {
-                    // It is fine to move on with abbreviate handshake if
-                    // endpoint identification is enabled.
-                    String identityAlg = getEndpointIdentificationAlgorithmSE();
-                    if ((identityAlg == null || identityAlg.length() == 0)) {
-                        if (isTLS10Plus) {
-                            if (!session.getUseExtendedMasterSecret()) {
-                                // perform full handshake instead
-                                session = null;
-                            }   // Otherwise, use extended master secret.
-                        } else {
-                            // The extended master secret extension does not
-                            // apply to SSL 3.0.  Perform a full handshake
-                            // instead.
-                            //
-                            // Note that the useExtendedMasterSecret is
-                            // extended to protect SSL 3.0 connections,
-                            // by discarding abbreviate handshake.
-                            session = null;
-                        }
-                    }
-                }
-            }
-
-            if (session != null) {
-                if (debug != null) {
-                    if (Debug.isOn("handshake") || Debug.isOn("session")) {
-                        System.out.println("%% Try resuming " + session
-                            + " from port " + getLocalPortSE());
-                    }
-                }
-
-                sessionId = session.getSessionId();
-                maxProtocolVersion = sessionVersion;
-
-                // Update SSL version number in underlying SSL socket and
-                // handshake output stream, so that the output records (at the
-                // record layer) have the correct version
-                setVersion(sessionVersion);
-            }
-
-            /*
-             * Force use of the previous session ciphersuite, and
-             * add the SCSV if enabled.
-             */
-            if (!enableNewSession) {
-                if (session == null) {
-                    throw new SSLHandshakeException(
-                        "Can't reuse existing SSL client session");
-                }
-
-                Collection<CipherSuite> cipherList = new ArrayList<>(2);
-                cipherList.add(sessionSuite);
-                if (!secureRenegotiation &&
-                        cipherSuites.contains(CipherSuite.C_SCSV)) {
-                    cipherList.add(CipherSuite.C_SCSV);
-                }   // otherwise, renegotiation_info extension will be used
-
-                cipherSuites = new CipherSuiteList(cipherList);
-            }
-        }
-
-        if (session == null && !enableNewSession) {
-            throw new SSLHandshakeException("No existing session to resume");
-        }
-
-        // exclude SCSV for secure renegotiation
-        if (secureRenegotiation && cipherSuites.contains(CipherSuite.C_SCSV)) {
-            Collection<CipherSuite> cipherList =
-                        new ArrayList<>(cipherSuites.size() - 1);
-            for (CipherSuite suite : cipherSuites.collection()) {
-                if (suite != CipherSuite.C_SCSV) {
-                    cipherList.add(suite);
-                }
-            }
-
-            cipherSuites = new CipherSuiteList(cipherList);
-        }
-
-        // make sure there is a negotiable cipher suite.
-        boolean negotiable = false;
-        for (CipherSuite suite : cipherSuites.collection()) {
-            if (isNegotiable(suite)) {
-                negotiable = true;
-                break;
-            }
-        }
-
-        if (!negotiable) {
-            throw new SSLHandshakeException("No negotiable cipher suite");
-        }
-
-        // Not a TLS1.2+ handshake
-        // For SSLv2Hello, HandshakeHash.reset() will be called, so we
-        // cannot call HandshakeHash.protocolDetermined() here. As it does
-        // not follow the spec that HandshakeHash.reset() can be only be
-        // called before protocolDetermined.
-        // if (maxProtocolVersion.v < ProtocolVersion.TLS12.v) {
-        //     handshakeHash.protocolDetermined(maxProtocolVersion);
-        // }
-
-        // create the ClientHello message
-        ClientHello clientHelloMessage = new ClientHello(
-                sslContext.getSecureRandom(), maxProtocolVersion,
-                sessionId, cipherSuites, isDTLS);
-
-        // Add named groups extension for ECDHE and FFDHE if necessary.
-        SupportedGroupsExtension sge =
-                SupportedGroupsExtension.createExtension(
-                        algorithmConstraints,
-                        cipherSuites, enableFFDHE);
-        if (sge != null) {
-            clientHelloMessage.extensions.add(sge);
-            // Add elliptic point format extensions
-            if (cipherSuites.contains(NamedGroupType.NAMED_GROUP_ECDHE)) {
-                clientHelloMessage.extensions.add(
-                    EllipticPointFormatsExtension.DEFAULT);
-            }
-        }
-
-        // add signature_algorithm extension
-        if (maxProtocolVersion.useTLS12PlusSpec()) {
-            // we will always send the signature_algorithm extension
-            Collection<SignatureAndHashAlgorithm> localSignAlgs =
-                                                getLocalSupportedSignAlgs();
-            if (localSignAlgs.isEmpty()) {
-                throw new SSLHandshakeException(
-                            "No supported signature algorithm");
-            }
-
-            clientHelloMessage.addSignatureAlgorithmsExtension(localSignAlgs);
-        }
-
-        // add Extended Master Secret extension
-        if (useExtendedMasterSecret && maxProtocolVersion.useTLS10PlusSpec()) {
-            if ((session == null) || session.getUseExtendedMasterSecret()) {
-                clientHelloMessage.addExtendedMasterSecretExtension();
-                requestedToUseEMS = true;
-            }
-        }
-
-        // add server_name extension
-        if (enableSNIExtension) {
-            if (session != null) {
-                requestedServerNames = session.getRequestedServerNames();
-            } else {
-                requestedServerNames = serverNames;
-            }
-
-            if (!requestedServerNames.isEmpty()) {
-                clientHelloMessage.addSNIExtension(requestedServerNames);
-            }
-        }
-
-        // add max_fragment_length extension
-        if (enableMFLExtension) {
-            if (session != null) {
-                // The same extension should be sent for resumption.
-                requestedMFLength = session.getNegotiatedMaxFragSize();
-            } else if (maximumPacketSize != 0) {
-                // Maybe we can calculate the fragment size more accurate
-                // by condering the enabled cipher suites in the future.
-                requestedMFLength = maximumPacketSize;
-                if (isDTLS) {
-                    requestedMFLength -= DTLSRecord.maxPlaintextPlusSize;
-                } else {
-                    requestedMFLength -= SSLRecord.maxPlaintextPlusSize;
-                }
-            } else {
-                // Need no max_fragment_length extension.
-                requestedMFLength = -1;
-            }
-
-            if ((requestedMFLength > 0) &&
-                MaxFragmentLengthExtension.needFragLenNego(requestedMFLength)) {
-
-                requestedMFLength =
-                        MaxFragmentLengthExtension.getValidMaxFragLen(
-                                                        requestedMFLength);
-                clientHelloMessage.addMFLExtension(requestedMFLength);
-            } else {
-                requestedMFLength = -1;
-            }
-        }
-
-        // Add status_request and status_request_v2 extensions
-        if (sslContext.isStaplingEnabled(true)) {
-            clientHelloMessage.addCertStatusReqListV2Extension();
-            clientHelloMessage.addCertStatusRequestExtension();
-        }
-
-        // Add ALPN extension
-        if (localApl != null && localApl.length > 0) {
-            clientHelloMessage.addALPNExtension(localApl);
-            alpnActive = true;
-        }
-
-        // reset the client random cookie
-        clnt_random = clientHelloMessage.clnt_random;
-
-        /*
-         * need to set the renegotiation_info extension for:
-         * 1: secure renegotiation
-         * 2: initial handshake and no SCSV in the ClientHello
-         * 3: insecure renegotiation and no SCSV in the ClientHello
-         */
-        if (secureRenegotiation ||
-                !cipherSuites.contains(CipherSuite.C_SCSV)) {
-            clientHelloMessage.addRenegotiationInfoExtension(clientVerifyData);
-        }
-
-        if (isDTLS) {
-            // Cookie exchange need to reserve the initial ClientHello message.
-            initialClientHelloMsg = clientHelloMessage;
-        }
-
-        return clientHelloMessage;
-    }
-
-    /*
-     * Fault detected during handshake.
-     */
-    @Override
-    void handshakeAlert(byte description) throws SSLProtocolException {
-        String message = Alerts.alertDescription(description);
-
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println("SSL - handshake alert: " + message);
-        }
-        throw new SSLProtocolException("handshake alert:  " + message);
-    }
-
-    /*
-     * Unless we are using an anonymous ciphersuite, the server always
-     * sends a certificate message (for the CipherSuites we currently
-     * support). The trust manager verifies the chain for us.
-     */
-    private void serverCertificate(CertificateMsg mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-        X509Certificate[] peerCerts = mesg.getCertificateChain();
-        if (peerCerts.length == 0) {
-            fatalSE(Alerts.alert_bad_certificate, "empty certificate chain");
-        }
-
-        // Allow server certificate change in client side during renegotiation
-        // after a session-resumption abbreviated initial handshake?
-        //
-        // DO NOT need to check allowUnsafeServerCertChange here.  We only
-        // reserve server certificates when allowUnsafeServerCertChange is
-        // flase.
-        //
-        // Allow server certificate change if it is negotiated to use the
-        // extended master secret.
-        if ((reservedServerCerts != null) &&
-                !session.getUseExtendedMasterSecret()) {
-            // It is not necessary to check the certificate update if endpoint
-            // identification is enabled.
-            String identityAlg = getEndpointIdentificationAlgorithmSE();
-            if ((identityAlg == null || identityAlg.length() == 0) &&
-                !isIdentityEquivalent(peerCerts[0], reservedServerCerts[0])) {
-
-                fatalSE(Alerts.alert_bad_certificate,
-                        "server certificate change is restricted " +
-                        "during renegotiation");
-            }
-        }
-
-        // ask the trust manager to verify the chain
-        if (staplingActive) {
-            // Defer the certificate check until after we've received the
-            // CertificateStatus message.  If that message doesn't come in
-            // immediately following this message we will execute the check
-            // directly from processMessage before any other SSL/TLS processing.
-            deferredCerts = peerCerts;
-        } else {
-            // We're not doing stapling, so perform the check right now
-            checkServerCerts(peerCerts);
-        }
-    }
-
-    /**
-     * If certificate status stapling has been enabled, the server will send
-     * one or more status messages to the client.
-     *
-     * @param mesg a {@code CertificateStatus} object built from the data
-     *      sent by the server.
-     *
-     * @throws IOException if any parsing errors occur.
-     */
-    private void certificateStatus(CertificateStatus mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        // Perform the certificate check using the deferred certificates
-        // and responses that we have obtained.
-        session.setStatusResponses(mesg.getResponses());
-        checkServerCerts(deferredCerts);
-    }
-
-    /*
-     * Whether the certificates can represent the same identity?
-     *
-     * The certificates can be used to represent the same identity:
-     *     1. If the subject alternative names of IP address are present in
-     *        both certificates, they should be identical; otherwise,
-     *     2. if the subject alternative names of DNS name are present in
-     *        both certificates, they should be identical; otherwise,
-     *     3. if the subject fields are present in both certificates, the
-     *        certificate subjects and issuers should be identical.
-     */
-    private static boolean isIdentityEquivalent(X509Certificate thisCert,
-            X509Certificate prevCert) {
-        if (thisCert.equals(prevCert)) {
-            return true;
-        }
-
-        // check subject alternative names
-        Collection<List<?>> thisSubjectAltNames = null;
-        try {
-            thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
-        } catch (CertificateParsingException cpe) {
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println(
-                        "Attempt to obtain subjectAltNames extension failed!");
-            }
-        }
-
-        Collection<List<?>> prevSubjectAltNames = null;
-        try {
-            prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
-        } catch (CertificateParsingException cpe) {
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println(
-                        "Attempt to obtain subjectAltNames extension failed!");
-            }
-        }
-
-        if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
-            // check the iPAddress field in subjectAltName extension
-            Collection<String> thisSubAltIPAddrs =
-                        getSubjectAltNames(thisSubjectAltNames, ALTNAME_IP);
-            Collection<String> prevSubAltIPAddrs =
-                        getSubjectAltNames(prevSubjectAltNames, ALTNAME_IP);
-            if ((thisSubAltIPAddrs != null) && (prevSubAltIPAddrs != null) &&
-                (isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs))) {
-
-                return true;
-            }
-
-            // check the dNSName field in subjectAltName extension
-            Collection<String> thisSubAltDnsNames =
-                        getSubjectAltNames(thisSubjectAltNames, ALTNAME_DNS);
-            Collection<String> prevSubAltDnsNames =
-                        getSubjectAltNames(prevSubjectAltNames, ALTNAME_DNS);
-            if ((thisSubAltDnsNames != null) && (prevSubAltDnsNames != null) &&
-                (isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames))) {
-
-                return true;
-            }
-        }
-
-        // check the certificate subject and issuer
-        X500Principal thisSubject = thisCert.getSubjectX500Principal();
-        X500Principal prevSubject = prevCert.getSubjectX500Principal();
-        X500Principal thisIssuer = thisCert.getIssuerX500Principal();
-        X500Principal prevIssuer = prevCert.getIssuerX500Principal();
-        if (!thisSubject.getName().isEmpty() &&
-                !prevSubject.getName().isEmpty() &&
-                thisSubject.equals(prevSubject) &&
-                thisIssuer.equals(prevIssuer)) {
-            return true;
-        }
-
-        return false;
-    }
-
-    /*
-     * Returns the subject alternative name of the specified type in the
-     * subjectAltNames extension of a certificate.
-     *
-     * Note that only those subjectAltName types that use String data
-     * should be passed into this function.
-     */
-    private static Collection<String> getSubjectAltNames(
-            Collection<List<?>> subjectAltNames, int type) {
-
-        HashSet<String> subAltDnsNames = null;
-        for (List<?> subjectAltName : subjectAltNames) {
-            int subjectAltNameType = (Integer)subjectAltName.get(0);
-            if (subjectAltNameType == type) {
-                String subAltDnsName = (String)subjectAltName.get(1);
-                if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
-                    if (subAltDnsNames == null) {
-                        subAltDnsNames =
-                                new HashSet<>(subjectAltNames.size());
-                    }
-                    subAltDnsNames.add(subAltDnsName);
-                }
-            }
-        }
-
-        return subAltDnsNames;
-    }
-
-    private static boolean isEquivalent(Collection<String> thisSubAltNames,
-            Collection<String> prevSubAltNames) {
-
-        for (String thisSubAltName : thisSubAltNames) {
-            for (String prevSubAltName : prevSubAltNames) {
-                // Only allow the exactly match.  Check no wildcard character.
-                if (thisSubAltName.equalsIgnoreCase(prevSubAltName)) {
-                    return true;
-                }
-            }
-        }
-
-        return false;
-    }
-
-    /**
-     * Perform client-side checking of server certificates.
-     *
-     * @param certs an array of {@code X509Certificate} objects presented
-     *      by the server in the ServerCertificate message.
-     *
-     * @throws IOException if a failure occurs during validation or
-     *      the trust manager associated with the {@code SSLContext} is not
-     *      an {@code X509ExtendedTrustManager}.
-     */
-    private void checkServerCerts(X509Certificate[] certs)
-            throws IOException {
-        X509TrustManager tm = sslContext.getX509TrustManager();
-
-        // find out the key exchange algorithm used
-        // use "RSA" for non-ephemeral "RSA_EXPORT"
-        String keyExchangeString;
-        if (keyExchange == K_RSA_EXPORT && !serverKeyExchangeReceived) {
-            keyExchangeString = K_RSA.name;
-        } else {
-            keyExchangeString = keyExchange.name;
-        }
-
-        try {
-            if (tm instanceof X509ExtendedTrustManager) {
-                if (conn != null) {
-                    ((X509ExtendedTrustManager)tm).checkServerTrusted(
-                        certs.clone(),
-                        keyExchangeString,
-                        conn);
-                } else {
-                    ((X509ExtendedTrustManager)tm).checkServerTrusted(
-                        certs.clone(),
-                        keyExchangeString,
-                        engine);
-                }
-            } else {
-                // Unlikely to happen, because we have wrapped the old
-                // X509TrustManager with the new X509ExtendedTrustManager.
-                throw new CertificateException(
-                        "Improper X509TrustManager implementation");
-            }
-
-            // Once the server certificate chain has been validated, set
-            // the certificate chain in the TLS session.
-            session.setPeerCertificates(certs);
-        } catch (CertificateException ce) {
-            fatalSE(getCertificateAlert(ce), ce);
-        }
-    }
-
-    /**
-     * When a failure happens during certificate checking from an
-     * {@link X509TrustManager}, determine what TLS alert description to use.
-     *
-     * @param cexc The exception thrown by the {@link X509TrustManager}
-     *
-     * @return A byte value corresponding to a TLS alert description number.
-     */
-    private byte getCertificateAlert(CertificateException cexc) {
-        // The specific reason for the failure will determine how to
-        // set the alert description value
-        byte alertDesc = Alerts.alert_certificate_unknown;
-
-        Throwable baseCause = cexc.getCause();
-        if (baseCause instanceof CertPathValidatorException) {
-            CertPathValidatorException cpve =
-                    (CertPathValidatorException)baseCause;
-            Reason reason = cpve.getReason();
-            if (reason == BasicReason.REVOKED) {
-                alertDesc = staplingActive ?
-                        Alerts.alert_bad_certificate_status_response :
-                        Alerts.alert_certificate_revoked;
-            } else if (reason == BasicReason.UNDETERMINED_REVOCATION_STATUS) {
-                alertDesc = staplingActive ?
-                        Alerts.alert_bad_certificate_status_response :
-                        Alerts.alert_certificate_unknown;
-            }
-        }
-
-        return alertDesc;
-    }
-}
-
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ClientHandshakeContext.java	2018-05-11 15:08:55.298344900 -0700
@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.security.cert.X509Certificate;
+
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+
+class ClientHandshakeContext extends HandshakeContext {
+    /*
+     * Allow unsafe server certificate change?
+     *
+     * Server certificate change during SSL/TLS renegotiation may be considered
+     * unsafe, as described in the Triple Handshake attacks:
+     *
+     *     https://secure-resumption.com/tlsauth.pdf
+     *
+     * Endpoint identification (See
+     * SSLParameters.getEndpointIdentificationAlgorithm()) is a pretty nice
+     * guarantee that the server certificate change in renegotiation is legal.
+     * However, endpoing identification is only enabled for HTTPS and LDAP
+     * over SSL/TLS by default.  It is not enough to protect SSL/TLS
+     * connections other than HTTPS and LDAP.
+     *
+     * The renegotiation indication extension (See RFC 5746) is a pretty
+     * strong guarantee that the endpoints on both client and server sides
+     * are identical on the same connection.  However, the Triple Handshake
+     * attacks can bypass this guarantee if there is a session-resumption
+     * handshake between the initial full handshake and the renegotiation
+     * full handshake.
+     *
+     * Server certificate change may be unsafe and should be restricted if
+     * endpoint identification is not enabled and the previous handshake is
+     * a session-resumption abbreviated initial handshake, unless the
+     * identities represented by both certificates can be regraded as the
+     * same (See isIdentityEquivalent()).
+     *
+     * Considering the compatibility impact and the actual requirements to
+     * support server certificate change in practice, the system property,
+     * jdk.tls.allowUnsafeServerCertChange, is used to define whether unsafe
+     * server certificate change in renegotiation is allowed or not.  The
+     * default value of the system property is "false".  To mitigate the
+     * compactibility impact, applications may want to set the system
+     * property to "true" at their own risk.
+     *
+     * If the value of the system property is "false", server certificate
+     * change in renegotiation after a session-resumption abbreviated initial
+     * handshake is restricted (See isIdentityEquivalent()).
+     *
+     * If the system property is set to "true" explicitly, the restriction on
+     * server certificate change in renegotiation is disabled.
+     */
+    static final boolean allowUnsafeServerCertChange =
+            Utilities.getBooleanProperty(
+                    "jdk.tls.allowUnsafeServerCertChange", false);
+
+    /*
+     * the reserved server certificate chain in previous handshaking
+     *
+     * The server certificate chain is only reserved if the previous
+     * handshake is a session-resumption abbreviated initial handshake.
+     */
+    X509Certificate[] reservedServerCerts = null;
+
+    X509Certificate[] deferredCerts;
+
+    ClientHelloMessage initialClientHelloMsg = null;
+
+    ClientHandshakeContext(SSLContextImpl sslContext,
+            TransportContext conContext) throws IOException {
+        super(sslContext, conContext);
+    }
+
+    @Override
+    void kickstart() throws IOException {
+        if (kickstartMessageDelivered) {
+            return;
+        }
+
+        SSLHandshake.kickstart(this);
+        kickstartMessageDelivered = true;
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ClientHello.java	2018-05-11 15:08:57.166620000 -0700
@@ -0,0 +1,1384 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.SecureRandom;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import javax.net.ssl.SSLPeerUnverifiedException;
+import javax.net.ssl.SSLProtocolException;
+import static sun.security.ssl.ClientAuthType.CLIENT_AUTH_REQUIRED;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedVersionsExtension.CHSupportedVersionsSpec;
+
+/**
+ * Pack of the ClientHello handshake message.
+ */
+final class ClientHello {
+    static final SSLProducer kickstartProducer =
+        new ClientHelloKickstartProducer();
+
+    static final SSLConsumer handshakeConsumer =
+        new ClientHelloConsumer();
+    static final HandshakeProducer handshakeProducer =
+        new ClientHelloProducer();
+
+    private static final HandshakeConsumer t12HandshakeConsumer =
+            new T12ClientHelloConsumer();
+    private static final HandshakeConsumer t13HandshakeConsumer =
+            new T13ClientHelloConsumer();
+    private static final HandshakeConsumer d12HandshakeConsumer =
+            new D12ClientHelloConsumer();
+    private static final HandshakeConsumer d13HandshakeConsumer =
+            new D13ClientHelloConsumer();
+
+    /**
+     * The ClientHello handshake message.
+     *
+     * See RFC 5264/4346/2246/6347 for the specifications.
+     */
+    static final class ClientHelloMessage extends HandshakeMessage {
+        private final boolean       isDTLS;
+
+        final int                   clientVersion;
+        final RandomCookie          clientRandom;
+        final SessionId             sessionId;
+        private byte[]              cookie;         // DTLS only
+        final int[]                 cipherSuiteIds;
+        final List<CipherSuite>     cipherSuites;   // known cipher suites only
+        final byte[]                compressionMethod;
+        final SSLExtensions         extensions;
+
+        private static final byte[]  NULL_COMPRESSION = new byte[] {0};
+
+        ClientHelloMessage(HandshakeContext handshakeContext,
+                int clientVersion, SessionId sessionId,
+                List<CipherSuite> cipherSuites, SecureRandom generator) {
+            super(handshakeContext);
+            this.isDTLS = handshakeContext.sslContext.isDTLS();
+
+            this.clientVersion = clientVersion;
+            this.clientRandom = new RandomCookie(generator);
+            this.sessionId = sessionId;
+            if (isDTLS) {
+                this.cookie = new byte[0];
+            } else {
+                this.cookie = null;
+            }
+
+            this.cipherSuites = cipherSuites;
+            this.cipherSuiteIds = getCipherSuiteIds(cipherSuites);
+            this.extensions = new SSLExtensions(this);
+
+            // Don't support compression.
+            this.compressionMethod = NULL_COMPRESSION;
+        }
+
+        /* Read up to the binders in the PSK extension. After this method
+         * returns, the ByteBuffer position will be at end of the message
+         * fragment that should be hashed to produce the PSK binder values.
+         * The client of this method can use this position to determine the
+         * message fragment and produce the binder values.
+         */
+        static void readPartial(TransportContext tc,
+                ByteBuffer m) throws IOException {
+            boolean isDTLS = tc.sslContext.isDTLS();
+
+            // version
+            Record.getInt16(m);
+
+            new RandomCookie(m);
+
+            // session ID
+            Record.getBytes8(m);
+
+            // DTLS cookie
+            if (isDTLS) {
+                Record.getBytes8(m);
+            }
+
+            // cipher suite IDs
+            Record.getBytes16(m);
+            // compression method
+            Record.getBytes8(m);
+            // read extensions, if present
+            if (m.remaining() >= 2) {
+                int remaining = Record.getInt16(m);
+                while (remaining > 0) {
+                    int id = Record.getInt16(m);
+                    int extLen = Record.getInt16(m);
+                    remaining -= extLen + 4;
+
+                    if (id == SSLExtension.CH_PRE_SHARED_KEY.id) {
+                        // ensure pre_shared_key is the last extension
+                        if (remaining > 0) {
+                            tc.fatal(Alert.ILLEGAL_PARAMETER,
+                            "pre_shared_key extension is not last");
+                        }
+                        // read only up to the IDs
+                        Record.getBytes16(m);
+                        return;
+                    } else {
+                        m.position(m.position() + extLen);
+
+                    }
+                }
+            }   // Otherwise, ignore the remaining bytes.
+        }
+
+        ClientHelloMessage(HandshakeContext handshakeContext, ByteBuffer m,
+                SSLExtension[] supportedExtensions) throws IOException {
+            super(handshakeContext);
+            this.isDTLS = handshakeContext.sslContext.isDTLS();
+
+            this.clientVersion = ((m.get() & 0xFF) << 8) | (m.get() & 0xFF);
+            this.clientRandom = new RandomCookie(m);
+            this.sessionId = new SessionId(Record.getBytes8(m));
+            try {
+                sessionId.checkLength(clientVersion);
+            } catch (SSLProtocolException ex) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
+            }
+            if (isDTLS) {
+                this.cookie = Record.getBytes8(m);
+            } else {
+                this.cookie = null;
+            }
+
+            byte[] encodedIds = Record.getBytes16(m);
+            if (encodedIds.length == 0 || (encodedIds.length & 0x01) != 0) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid ClientHello message");
+            }
+
+            this.cipherSuiteIds = new int[encodedIds.length >> 1];
+            for (int i = 0, j = 0; i < encodedIds.length; i++, j++) {
+                cipherSuiteIds[j] =
+                    ((encodedIds[i++] & 0xFF) << 8) | (encodedIds[i] & 0xFF);
+            }
+            this.cipherSuites = getCipherSuites(cipherSuiteIds);
+
+            this.compressionMethod = Record.getBytes8(m);
+              // In TLS 1.3, use of certain extensions is mandatory.
+            if (m.hasRemaining()) {
+                this.extensions =
+                        new SSLExtensions(this, m, supportedExtensions);
+            } else {
+                this.extensions = new SSLExtensions(this);
+            }
+        }
+
+        void setHelloCookie(byte[] cookie) {
+            this.cookie = cookie;
+        }
+
+        // DTLS 1.0/1.2, for cookie generation.
+        byte[] getHelloCookieBytes() {
+            HandshakeOutStream hos = new HandshakeOutStream(null);
+            try {
+                // copied from send() method
+                hos.putInt8((byte)((clientVersion >>> 8) & 0xFF));
+                hos.putInt8((byte)(clientVersion & 0xFF));
+                hos.write(clientRandom.randomBytes, 0, 32);
+                hos.putBytes8(sessionId.getId());
+                // ignore cookie
+                hos.putBytes16(getEncodedCipherSuites());
+                hos.putBytes8(compressionMethod);
+                extensions.send(hos);       // In TLS 1.3, use of certain
+                                            // extensions is mandatory.
+            } catch (IOException ioe) {
+                // unlikely
+            }
+
+            return hos.toByteArray();
+        }
+
+        // (D)TLS 1.3, for cookie generation.
+        byte[] getHeaderBytes() {
+            HandshakeOutStream hos = new HandshakeOutStream(null);
+            try {
+                // copied from send() method
+                hos.putInt8((byte)((clientVersion >>> 8) & 0xFF));
+                hos.putInt8((byte)(clientVersion & 0xFF));
+                hos.write(clientRandom.randomBytes, 0, 32);
+                hos.putBytes8(sessionId.getId());
+                hos.putBytes16(getEncodedCipherSuites());
+                hos.putBytes8(compressionMethod);
+            } catch (IOException ioe) {
+                // unlikely
+            }
+
+            return hos.toByteArray();
+        }
+
+        private static int[] getCipherSuiteIds(
+                List<CipherSuite> cipherSuites) {
+            if (cipherSuites != null) {
+                int[] ids = new int[cipherSuites.size()];
+                int i = 0;
+                for (CipherSuite cipherSuite : cipherSuites) {
+                    ids[i++] = cipherSuite.id;
+                }
+
+                return ids;
+            }
+
+            return new int[0];
+        }
+
+        private static List<CipherSuite> getCipherSuites(int[] ids) {
+            List<CipherSuite> cipherSuites = new LinkedList<>();
+            for (int id : ids) {
+                CipherSuite cipherSuite = CipherSuite.valueOf(id);
+                if (cipherSuite != null) {
+                    cipherSuites.add(cipherSuite);
+                }
+            }
+
+            return Collections.unmodifiableList(cipherSuites);
+        }
+
+        private List<String> getCipherSuiteNames() {
+            List<String> names = new LinkedList<>();
+            for (int id : cipherSuiteIds) {
+                names.add(CipherSuite.nameOf(id) +
+                        "(" + Utilities.byte16HexString(id) + ")");            }
+
+            return names;
+        }
+
+        private byte[] getEncodedCipherSuites() {
+            byte[] encoded = new byte[cipherSuiteIds.length << 1];
+            int i = 0;
+            for (int id : cipherSuiteIds) {
+                encoded[i++] = (byte)(id >> 8);
+                encoded[i++] = (byte)id;
+            }
+            return encoded;
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.CLIENT_HELLO;
+        }
+
+        @Override
+        public int messageLength() {
+            /*
+             * Add fixed size parts of each field...
+             * version + random + session + cipher + compress
+             */
+            return (2 + 32 + 1 + 2 + 1
+                + sessionId.length()        /* ... + variable parts */
+                + (isDTLS ? (1 + cookie.length) : 0)
+                + (cipherSuiteIds.length * 2)
+                + compressionMethod.length)
+                + extensions.length();      // In TLS 1.3, use of certain
+                                            // extensions is mandatory.
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+
+            sendCore(hos);
+            extensions.send(hos);       // In TLS 1.3, use of certain
+                                        // extensions is mandatory.
+        }
+
+        void sendCore(HandshakeOutStream hos) throws IOException {
+            hos.putInt8((byte) (clientVersion >>> 8));
+            hos.putInt8((byte) clientVersion);
+            hos.write(clientRandom.randomBytes, 0, 32);
+            hos.putBytes8(sessionId.getId());
+            if (isDTLS) {
+                hos.putBytes8(cookie);
+            }
+            hos.putBytes16(getEncodedCipherSuites());
+            hos.putBytes8(compressionMethod);
+        }
+
+        @Override
+        public String toString() {
+            if (isDTLS) {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"ClientHello\": '{'\n" +
+                    "  \"client version\"      : \"{0}\",\n" +
+                    "  \"random\"              : \"{1}\",\n" +
+                    "  \"session id\"          : \"{2}\",\n" +
+                    "  \"cookie\"              : \"{3}\",\n" +
+                    "  \"cipher suites\"       : \"{4}\",\n" +
+                    "  \"compression methods\" : \"{5}\",\n" +
+                    "  \"extensions\"          : [\n" +
+                    "{6}\n" +
+                    "  ]\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+                Object[] messageFields = {
+                    ProtocolVersion.nameOf(clientVersion),
+                    Utilities.toHexString(clientRandom.randomBytes),
+                    sessionId.toString(),
+                    Utilities.toHexString(cookie),
+                    getCipherSuiteNames().toString(),
+                    Utilities.toHexString(compressionMethod),
+                    Utilities.indent(Utilities.indent(extensions.toString()))
+                };
+
+                return messageFormat.format(messageFields);
+            } else {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"ClientHello\": '{'\n" +
+                    "  \"client version\"      : \"{0}\",\n" +
+                    "  \"random\"              : \"{1}\",\n" +
+                    "  \"session id\"          : \"{2}\",\n" +
+                    "  \"cipher suites\"       : \"{3}\",\n" +
+                    "  \"compression methods\" : \"{4}\",\n" +
+                    "  \"extensions\"          : [\n" +
+                    "{5}\n" +
+                    "  ]\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+                Object[] messageFields = {
+                    ProtocolVersion.nameOf(clientVersion),
+                    Utilities.toHexString(clientRandom.randomBytes),
+                    sessionId.toString(),
+                    getCipherSuiteNames().toString(),
+                    Utilities.toHexString(compressionMethod),
+                    Utilities.indent(Utilities.indent(extensions.toString()))
+                };
+
+                return messageFormat.format(messageFields);
+            }
+        }
+    }
+
+    /**
+     * The "ClientHello" handshake message kick start producer.
+     */
+    private static final
+            class ClientHelloKickstartProducer implements SSLProducer {
+        // Prevent instantiation of this class.
+        private ClientHelloKickstartProducer() {
+            // blank
+        }
+
+        // Produce kickstart handshake message.
+        @Override
+        public byte[] produce(ConnectionContext context) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this producer
+            chc.handshakeProducers.remove(SSLHandshake.CLIENT_HELLO.id);
+
+            // the max protocol version this client is supporting.
+            ProtocolVersion maxProtocolVersion = chc.maximumActiveProtocol;
+
+            // session ID of the ClientHello message
+            SessionId sessionId = SSLSessionImpl.nullSession.getSessionId();
+
+            // a list of cipher suites sent by the client
+            List<CipherSuite> cipherSuites = chc.activeCipherSuites;
+
+            //
+            // Try to resume an existing session.
+            //
+            SSLSessionContextImpl ssci = (SSLSessionContextImpl)
+                    chc.sslContext.engineGetClientSessionContext();
+            SSLSessionImpl session = ssci.get(
+                    chc.conContext.transport.getPeerHost(),
+                    chc.conContext.transport.getPeerPort());
+            if (session != null) {
+                // If unsafe server certificate change is not allowed, reserve
+                // current server certificates if the previous handshake is a
+                // session-resumption abbreviated initial handshake.
+                if (!ClientHandshakeContext.allowUnsafeServerCertChange &&
+                        session.isSessionResumption()) {
+                    try {
+                        // If existing, peer certificate chain cannot be null.
+                        chc.reservedServerCerts =
+                            (X509Certificate[])session.getPeerCertificates();
+                    } catch (SSLPeerUnverifiedException puve) {
+                        // Maybe not certificate-based, ignore the exception.
+                    }
+                }
+
+                if (!session.isRejoinable()) {
+                    session = null;
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest(
+                            "Can't resume, the sessoin is not rejoinable");
+                    }
+                }
+            }
+
+            CipherSuite sessionSuite = null;
+            if (session != null) {
+                sessionSuite = session.getSuite();
+                if (!chc.isNegotiable(sessionSuite)) {
+                    session = null;
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest(
+                            "Can't resume, unavailable sessoin cipher suite");
+                    }
+                }
+            }
+
+            ProtocolVersion sessionVersion = null;
+            if (session != null) {
+                sessionVersion = session.getProtocolVersion();
+                if (!chc.isNegotiable(sessionVersion)) {
+                    session = null;
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest(
+                            "Can't resume, unavailable protocol version");
+                    }
+                }
+            }
+
+            if (session != null &&
+                !sessionVersion.useTLS13PlusSpec() &&
+                SSLConfiguration.useExtendedMasterSecret) {
+
+                boolean isEmsAvailable = chc.sslConfig.isAvailable(
+                    SSLExtension.CH_EXTENDED_MASTER_SECRET, sessionVersion);
+                if (isEmsAvailable && !session.useExtendedMasterSecret &&
+                        !SSLConfiguration.allowLegacyResumption) {
+                    // perform full handshake instead
+                    //
+                    // The client SHOULD NOT offer an abbreviated handshake
+                    // to resume a session that does not use an extended
+                    // master secret.  Instead, it SHOULD offer a full
+                    // handshake.
+                     session = null;
+                }
+
+                if ((session != null) &&
+                        !ClientHandshakeContext.allowUnsafeServerCertChange) {
+                    // It is fine to move on with abbreviate handshake if
+                    // endpoint identification is enabled.
+                    String identityAlg = chc.sslConfig.identificationProtocol;
+                    if ((identityAlg == null || identityAlg.length() == 0)) {
+                        if (isEmsAvailable) {
+                            if (!session.useExtendedMasterSecret) {
+                                // perform full handshake instead
+                                session = null;
+                            }   // Otherwise, use extended master secret.
+                        } else {
+                            // The extended master secret extension does not
+                            // apply to SSL 3.0.  Perform a full handshake
+                            // instead.
+                            //
+                            // Note that the useExtendedMasterSecret is
+                            // extended to protect SSL 3.0 connections,
+                            // by discarding abbreviate handshake.
+                            session = null;
+                        }
+                    }
+                }
+            }
+
+            if (session != null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake,verbose")) {
+                    SSLLogger.finest("Try resuming session", session);
+                }
+
+                sessionId = session.getSessionId();
+                if (!maxProtocolVersion.equals(sessionVersion)) {
+                    maxProtocolVersion = sessionVersion;
+
+                    // Update protocol version number in underlying socket and
+                    // handshake output stream, so that the output records
+                    // (at the record layer) have the correct version
+                    chc.setVersion(sessionVersion);
+                }
+
+                // If no new session is allowed, force use of the previous
+                // session ciphersuite, and add the renegotiation SCSV if
+                // necessary.
+                if (!chc.sslConfig.enableSessionCreation) {
+                    if (!chc.conContext.isNegotiated &&
+                        !sessionVersion.useTLS13PlusSpec() &&
+                        cipherSuites.contains(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                        cipherSuites = Arrays.asList(sessionSuite,
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+                    } else {    // otherwise, use renegotiation_info extension
+                        cipherSuites = Arrays.asList(sessionSuite);
+                    }
+
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest(
+                            "No new session is allowed, so try to resume " +
+                            "the session cipher suite only", sessionSuite);
+                    }
+                }
+
+                chc.isResumption = true;
+                chc.resumingSession = session;
+            }
+
+            if (session == null) {
+                if (!chc.sslConfig.enableSessionCreation) {
+                    throw new SSLHandshakeException(
+                            "No new session is allowed and " +
+                            "no existing session can be resumed");
+                }
+
+                if (maxProtocolVersion.useTLS13PlusSpec() &&
+                        SSLConfiguration.useCompatibilityMode) {
+                    // In compatibility mode, the TLS 1.3 legacy_session_id
+                    // field MUST be non-empty, so a client not offering a
+                    // pre-TLS 1.3 session MUST generate a new 32-byte value.
+                    sessionId =
+                        new SessionId(true, chc.sslContext.getSecureRandom());
+                }
+            }
+
+            ProtocolVersion minimumVersion = ProtocolVersion.NONE;
+            for (ProtocolVersion pv : chc.activeProtocols) {
+                if (minimumVersion == ProtocolVersion.NONE ||
+                        pv.compare(minimumVersion) < 0) {
+                    minimumVersion = pv;
+                }
+            }
+
+            // exclude SCSV for secure renegotiation
+            if (!minimumVersion.useTLS13PlusSpec()) {
+                if (chc.conContext.secureRenegotiation &&
+                        cipherSuites.contains(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                    // The cipherSuites may be unmodifiable
+                    cipherSuites = new LinkedList<>(cipherSuites);
+                    cipherSuites.remove(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
+                }
+            }
+
+            // make sure there is a negotiable cipher suite.
+            boolean negotiable = false;
+            for (CipherSuite suite : cipherSuites) {
+                if (chc.isNegotiable(suite)) {
+                    negotiable = true;
+                    break;
+                }
+            }
+            if (!negotiable) {
+                throw new SSLHandshakeException("No negotiable cipher suite");
+            }
+
+            // Create the handshake message.
+            ProtocolVersion clientHelloVersion = maxProtocolVersion;
+            if (clientHelloVersion.useTLS13PlusSpec()) {
+                // In (D)TLS 1.3, the client indicates its version preferences
+                // in the "supported_versions" extension and the client_version
+                // (legacy_version) field MUST be set to (D)TLS 1.2.
+                if (clientHelloVersion.isDTLS) {
+                    clientHelloVersion = ProtocolVersion.DTLS12;
+                } else {
+                    clientHelloVersion = ProtocolVersion.TLS12;
+                }
+            }
+
+            ClientHelloMessage chm = new ClientHelloMessage(chc,
+                    clientHelloVersion.id, sessionId, cipherSuites,
+                    chc.sslContext.getSecureRandom());
+
+            // cache the client random number for further using
+            chc.clientHelloRandom = chm.clientRandom;
+            chc.clientHelloVersion = clientHelloVersion.id;
+
+            // Produce extensions for ClientHello handshake message.
+            SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CLIENT_HELLO, chc.activeProtocols);
+            chm.extensions.produce(chc, extTypes);
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced ClientHello handshake message", chm);
+            }
+
+            // Output the handshake message.
+            chm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // Reserve the initial ClientHello message for the follow on
+            // cookie exchange if needed.
+            chc.initialClientHelloMsg = chm;
+
+            // What's the expected response?
+            chc.handshakeConsumers.put(
+                    SSLHandshake.SERVER_HELLO.id, SSLHandshake.SERVER_HELLO);
+            if (chc.sslContext.isDTLS() &&
+                    !minimumVersion.useTLS13PlusSpec()) {
+                chc.handshakeConsumers.put(
+                        SSLHandshake.HELLO_VERIFY_REQUEST.id,
+                        SSLHandshake.HELLO_VERIFY_REQUEST);
+            }
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    private static final
+            class ClientHelloProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ClientHelloProducer() {
+            // blank
+        }
+
+        // Response to one of the following handshake message:
+        //     HelloRequest                     (SSL 3.0/TLS 1.0/1.1/1.2)
+        //     ServerHello(HelloRetryRequest)   (TLS 1.3)
+        //     HelloVerifyRequest               (DTLS 1.0/1.2)
+        //     KeyUpdate                        (TLS 1.3)
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            SSLHandshake ht = message.handshakeType();
+            if (ht == null) {
+                throw new UnsupportedOperationException("Not supported yet.");
+            }
+
+            switch (ht) {
+                case HELLO_REQUEST:
+                    // SSL 3.0/TLS 1.0/1.1/1.2
+                    try {
+                        chc.kickstart();
+                    } catch (IOException ioe) {
+                        chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, ioe);
+                    }
+
+                    // The handshake message has been delivered.
+                    return null;
+                case HELLO_VERIFY_REQUEST:
+                    // DTLS 1.0/1.2
+                    //
+                    // The HelloVerifyRequest consumer should have updated the
+                    // ClientHello handshake message with cookie.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "Produced ClientHello(cookie) handshake message",
+                            chc.initialClientHelloMsg);
+                    }
+
+                    // Output the handshake message.
+                    chc.initialClientHelloMsg.write(chc.handshakeOutput);
+                    chc.handshakeOutput.flush();
+
+                    // What's the expected response?
+                    chc.handshakeConsumers.put(SSLHandshake.SERVER_HELLO.id,
+                            SSLHandshake.SERVER_HELLO);
+
+                    ProtocolVersion minimumVersion = ProtocolVersion.NONE;
+                    for (ProtocolVersion pv : chc.activeProtocols) {
+                        if (minimumVersion == ProtocolVersion.NONE ||
+                                pv.compare(minimumVersion) < 0) {
+                            minimumVersion = pv;
+                        }
+                    }
+                    if (chc.sslContext.isDTLS() &&
+                            !minimumVersion.useTLS13PlusSpec()) {
+                        chc.handshakeConsumers.put(
+                                SSLHandshake.HELLO_VERIFY_REQUEST.id,
+                                SSLHandshake.HELLO_VERIFY_REQUEST);
+                    }
+
+                    // The handshake message has been delivered.
+                    return null;
+                case KEY_UPDATE:
+                    // TLS 1.3
+                    throw new UnsupportedOperationException(
+                            "Not supported yet.");
+                case HELLO_RETRY_REQUEST:
+                    // TLS 1.3
+                    // The HelloRetryRequest consumer should have updated the
+                    // ClientHello handshake message with cookie.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "Produced ClientHello(HRR) handshake message",
+                            chc.initialClientHelloMsg);
+                    }
+
+                    // Output the handshake message.
+                    chc.initialClientHelloMsg.write(chc.handshakeOutput);
+                    chc.handshakeOutput.flush();
+
+                    // What's the expected response?
+                    chc.conContext.consumers.putIfAbsent(
+                            ContentType.CHANGE_CIPHER_SPEC.id,
+                            ChangeCipherSpec.t13Consumer);
+                    chc.handshakeConsumers.put(SSLHandshake.SERVER_HELLO.id,
+                            SSLHandshake.SERVER_HELLO);
+
+                    // The handshake message has been delivered.
+                    return null;
+                default:
+                    throw new UnsupportedOperationException(
+                            "Not supported yet.");
+            }
+        }
+    }
+
+    /**
+     * The "ClientHello" handshake message consumer.
+     */
+    private static final class ClientHelloConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ClientHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // clean up this consumer
+            shc.handshakeConsumers.remove(SSLHandshake.CLIENT_HELLO.id);
+            if (!shc.handshakeConsumers.isEmpty()) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "No more handshake message allowed " +
+                        "in a ClientHello flight");
+            }
+
+            // Get enabled extension types in ClientHello handshake message.
+            SSLExtension[] enabledExtensions =
+                    shc.sslConfig.getEnabledExtensions(
+                            SSLHandshake.CLIENT_HELLO);
+
+            ClientHelloMessage chm =
+                    new ClientHelloMessage(shc, message, enabledExtensions);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Consuming ClientHello handshake message", chm);
+            }
+
+            shc.clientHelloVersion = chm.clientVersion;
+            onClientHello(shc, chm);
+        }
+
+        private void onClientHello(ServerHandshakeContext context,
+                ClientHelloMessage clientHello) throws IOException {
+            // Negotiate protocol version.
+            //
+            // Check and lanuch SupportedVersions.
+            SSLExtension[] extTypes = new SSLExtension[] {
+                    SSLExtension.CH_SUPPORTED_VERSIONS
+                };
+            clientHello.extensions.consumeOnLoad(context, extTypes);
+
+            ProtocolVersion negotiatedProtocol;
+            CHSupportedVersionsSpec svs =
+                    (CHSupportedVersionsSpec)context.handshakeExtensions.get(
+                            SSLExtension.CH_SUPPORTED_VERSIONS);
+            if (svs != null) {
+                negotiatedProtocol =
+                        negotiateProtocol(context, svs.requestedProtocols);
+            } else {
+                negotiatedProtocol =
+                        negotiateProtocol(context, clientHello.clientVersion);
+            }
+            context.negotiatedProtocol = negotiatedProtocol;
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Negotiated protocol version: " + negotiatedProtocol.name);
+            }
+
+            // Consume the handshake message for the specific protocol version.
+            if (negotiatedProtocol.isDTLS) {
+                if (negotiatedProtocol.useTLS13PlusSpec()) {
+                    d13HandshakeConsumer.consume(context, clientHello);
+                } else {
+                    d12HandshakeConsumer.consume(context, clientHello);
+                }
+            } else {
+                if (negotiatedProtocol.useTLS13PlusSpec()) {
+                    t13HandshakeConsumer.consume(context, clientHello);
+                } else {
+                    t12HandshakeConsumer.consume(context, clientHello);
+                }
+            }
+        }
+
+        // Select a protocol version according to the
+        // ClientHello.client_version.
+        private ProtocolVersion negotiateProtocol(
+                ServerHandshakeContext context,
+                int clientHelloVersion) throws SSLException {
+
+            // Per TLS 1.3 specification, server MUST negotiate TLS 1.2 or prior
+            // even if ClientHello.client_version is 0x0304 or later.
+            int chv = clientHelloVersion;
+            if (context.sslContext.isDTLS()) {
+                if (chv < ProtocolVersion.DTLS12.id) {
+                    chv = ProtocolVersion.DTLS12.id;
+                }
+            } else {
+                if (chv > ProtocolVersion.TLS12.id) {
+                    chv = ProtocolVersion.TLS12.id;
+                }
+            }
+
+            // Select a protocol version from the activated protocols.
+            ProtocolVersion pv = ProtocolVersion.selectedFrom(
+                    context.activeProtocols, chv);
+            if (pv == null || pv == ProtocolVersion.NONE ||
+                    pv == ProtocolVersion.SSL20Hello) {
+                context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "Client requested protocol " +
+                    ProtocolVersion.nameOf(clientHelloVersion) +
+                    " is not enabled or supported in server context");
+            }
+
+            return pv;
+        }
+
+        // Select a protocol version according to the
+        // supported_versions extension.
+        private ProtocolVersion negotiateProtocol(
+                ServerHandshakeContext context,
+                int[] clientSupportedVersions) throws SSLException {
+
+            // The client supported protocol versions are present in client
+            // preference order.  This implementation chooses to use the server
+            // preference of protocol versions instead.
+            for (ProtocolVersion spv : context.activeProtocols) {
+                if (spv == ProtocolVersion.SSL20Hello) {
+                    continue;
+                }
+                for (int cpv : clientSupportedVersions) {
+                    if (cpv == ProtocolVersion.SSL20Hello.id) {
+                        continue;
+                    }
+                    if (spv.id == cpv) {
+                        return spv;
+                    }
+                }
+            }
+
+            // No protocol version can be negotiated.
+            context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                "The client supported protocol versions " + Arrays.toString(
+                    ProtocolVersion.toStringArray(clientSupportedVersions)) +
+                " are not accepted by server preferences " +
+                context.activeProtocols);
+
+            return null;        // make the compiler happy
+        }
+    }
+
+    /**
+     * The "ClientHello" handshake message consumer for TLS 1.2 and
+     * prior SSL/TLS protocol versions.
+     */
+    private static final
+            class T12ClientHelloConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private T12ClientHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            //
+            // validate
+            //
+
+            // Reject client initiated renegotiation?
+            //
+            // If server side should reject client-initiated renegotiation,
+            // send an Alert.HANDSHAKE_FAILURE fatal alert, not a
+            // no_renegotiation warning alert (no_renegotiation must be a
+            // warning: RFC 2246).  no_renegotiation might seem more
+            // natural at first, but warnings are not appropriate because
+            // the sending party does not know how the receiving party
+            // will behave.  This state must be treated as a fatal server
+            // condition.
+            //
+            // This will not have any impact on server initiated renegotiation.
+            if (shc.conContext.isNegotiated) {
+                if (!shc.conContext.secureRenegotiation &&
+                        !HandshakeContext.allowUnsafeRenegotiation) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Unsafe renegotiation is not allowed");
+                }
+
+                if (ServerHandshakeContext.rejectClientInitiatedRenego &&
+                        !shc.kickstartMessageDelivered) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Client initiated renegotiation is not allowed");
+                }
+            }
+
+            // Is it an abbreviated handshake?
+            if (clientHello.sessionId.length() != 0) {
+                SSLSessionImpl previous = ((SSLSessionContextImpl)shc.sslContext
+                            .engineGetServerSessionContext())
+                            .get(clientHello.sessionId.getId());
+
+                boolean resumingSession =
+                        (previous != null) && previous.isRejoinable();
+                if (!resumingSession) {
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest(
+                                "Can't resume, " +
+                                "the existing sessoin is not rejoinable");
+                    }
+                }
+                // Validate the negotiated protocol version.
+                if (resumingSession) {
+                    ProtocolVersion sessionProtocol =
+                            previous.getProtocolVersion();
+                    if (sessionProtocol != shc.negotiatedProtocol) {
+                        resumingSession = false;
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest(
+                                "Can't resume, not the same protocol version");
+                        }
+                    }
+                }
+
+                // Validate the required client authentication.
+                if (resumingSession &&
+                    (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED)) {
+
+                    try {
+                        previous.getPeerPrincipal();
+                    } catch (SSLPeerUnverifiedException e) {
+                        resumingSession = false;
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest(
+                                "Can't resume, " +
+                                "client authentication is required");
+                        }
+                    }
+                }
+
+                // Validate that the cached cipher suite.
+                if (resumingSession) {
+                    CipherSuite suite = previous.getSuite();
+                    if ((!shc.isNegotiable(suite)) ||
+                            (!clientHello.cipherSuites.contains(suite))) {
+                        resumingSession = false;
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest(
+                                "Can't resume, " +
+                                "the session cipher suite is absent");
+                        }
+                    }
+                }
+
+                // So far so good.  Note that the handshake extensions may reset
+                // the resuming options later.
+                shc.isResumption = resumingSession;
+                shc.resumingSession = resumingSession ? previous : null;
+            }
+
+            // cache the client random number for further using
+            shc.clientHelloRandom = clientHello.clientRandom;
+
+            // Check and launch ClientHello extensions.
+            SSLExtension[] extTypes = shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CLIENT_HELLO);
+            clientHello.extensions.consumeOnLoad(shc, extTypes);
+
+            //
+            // update
+            //
+            if (!shc.conContext.isNegotiated) {
+                shc.conContext.protocolVersion = shc.negotiatedProtocol;
+                shc.conContext.outputRecord.setVersion(shc.negotiatedProtocol);
+            }
+
+            // update the responders
+            //
+            // Only need to ServerHello, which may add more responders later.
+            // Note that ServerHello and HelloRetryRequest share the same
+            // handshake type/id.  The ServerHello producer may be replaced
+            // by HelloRetryRequest producer if needed.
+            shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO.id,
+                    SSLHandshake.SERVER_HELLO);
+
+            //
+            // produce
+            //
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                SSLHandshake.SERVER_HELLO,
+
+                // full handshake messages
+                SSLHandshake.CERTIFICATE,
+                SSLHandshake.CERTIFICATE_STATUS,
+                SSLHandshake.SERVER_KEY_EXCHANGE,
+                SSLHandshake.CERTIFICATE_REQUEST,
+                SSLHandshake.SERVER_HELLO_DONE,
+
+                // abbreviated handshake messages
+                SSLHandshake.FINISHED
+            };
+
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        shc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(context, clientHello);
+                }
+            }
+        }
+    }
+
+    /**
+     * The "ClientHello" handshake message consumer for TLS 1.3.
+     */
+    private static final
+            class T13ClientHelloConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private T13ClientHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            // The client may send a dummy change_cipher_spec record
+            // immediately after the first ClientHello.
+            shc.conContext.consumers.putIfAbsent(
+                    ContentType.CHANGE_CIPHER_SPEC.id,
+                    ChangeCipherSpec.t13Consumer);
+
+            //
+            // validate
+            //
+            // Check and launch ClientHello extensions.
+            SSLExtension[] extTypes = shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CLIENT_HELLO);
+            clientHello.extensions.consumeOnLoad(shc, extTypes);
+
+            if (!shc.handshakeProducers.isEmpty()) {
+                // Should be HelloRetryRequest producer.
+                goHelloRetryRequest(shc, clientHello);
+            } else {
+                goServerHello(shc, clientHello);
+            }
+        }
+
+        private void goHelloRetryRequest(ServerHandshakeContext shc,
+                ClientHelloMessage clientHello) throws IOException {
+            HandshakeProducer handshakeProducer =
+                    shc.handshakeProducers.remove(
+                            SSLHandshake.HELLO_RETRY_REQUEST.id);
+            if (handshakeProducer != null) {
+                    handshakeProducer.produce(shc, clientHello);
+            } else {
+                // unlikely
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No HelloRetryRequest producer: " + shc.handshakeProducers);
+            }
+
+            if (!shc.handshakeProducers.isEmpty()) {
+                // unlikely, but please double check.
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "unknown handshake producers: " + shc.handshakeProducers);
+            }
+        }
+
+        private void goServerHello(ServerHandshakeContext shc,
+                ClientHelloMessage clientHello) throws IOException {
+            //
+            // validate
+            //
+            shc.clientHelloRandom = clientHello.clientRandom;
+
+            //
+            // update
+            //
+            if (!shc.conContext.isNegotiated) {
+                shc.conContext.protocolVersion = shc.negotiatedProtocol;
+                shc.conContext.outputRecord.setVersion(shc.negotiatedProtocol);
+            }
+
+            // update the responders
+            //
+            // Only ServerHello/HelloRetryRequest producer, which adds
+            // more responders later.
+            shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO.id,
+                SSLHandshake.SERVER_HELLO);
+
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                SSLHandshake.SERVER_HELLO,
+
+                // full handshake messages
+                SSLHandshake.ENCRYPTED_EXTENSIONS,
+                SSLHandshake.CERTIFICATE_REQUEST,
+                SSLHandshake.CERTIFICATE,
+                SSLHandshake.CERTIFICATE_VERIFY,
+                SSLHandshake.FINISHED
+            };
+
+            //
+            // produce
+            //
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        shc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(shc, clientHello);
+                }
+            }
+        }
+    }
+
+    /**
+     * The "ClientHello" handshake message consumer for DTLS 1.2 and
+     * previous DTLS protocol versions.
+     */
+    private static final
+            class D12ClientHelloConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private D12ClientHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            //
+            // validate
+            //
+
+            // Reject client initiated renegotiation?
+            //
+            // If server side should reject client-initiated renegotiation,
+            // send an Alert.HANDSHAKE_FAILURE fatal alert, not a
+            // no_renegotiation warning alert (no_renegotiation must be a
+            // warning: RFC 2246).  no_renegotiation might seem more
+            // natural at first, but warnings are not appropriate because
+            // the sending party does not know how the receiving party
+            // will behave.  This state must be treated as a fatal server
+            // condition.
+            //
+            // This will not have any impact on server initiated renegotiation.
+            if (shc.conContext.isNegotiated) {
+                if (!shc.conContext.secureRenegotiation &&
+                        !HandshakeContext.allowUnsafeRenegotiation) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Unsafe renegotiation is not allowed");
+                }
+
+                if (ServerHandshakeContext.rejectClientInitiatedRenego &&
+                        !shc.kickstartMessageDelivered) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Client initiated renegotiation is not allowed");
+                }
+            }
+
+            // Is it an abbreviated handshake?
+            if (clientHello.sessionId.length() != 0) {
+                SSLSessionImpl previous = ((SSLSessionContextImpl)shc.sslContext
+                            .engineGetServerSessionContext())
+                            .get(clientHello.sessionId.getId());
+
+                boolean resumingSession =
+                        (previous != null) && previous.isRejoinable();
+                if (!resumingSession) {
+                    if (SSLLogger.isOn &&
+                            SSLLogger.isOn("ssl,handshake,verbose")) {
+                        SSLLogger.finest(
+                            "Can't resume, " +
+                            "the existing sessoin is not rejoinable");
+                    }
+                }
+                // Validate the negotiated protocol version.
+                if (resumingSession) {
+                    ProtocolVersion sessionProtocol =
+                            previous.getProtocolVersion();
+                    if (sessionProtocol != shc.negotiatedProtocol) {
+                        resumingSession = false;
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest(
+                                "Can't resume, not the same protocol version");
+                        }
+                    }
+                }
+
+                // Validate the required client authentication.
+                if (resumingSession &&
+                    (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED)) {
+
+                    try {
+                        previous.getPeerPrincipal();
+                    } catch (SSLPeerUnverifiedException e) {
+                        resumingSession = false;
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest(
+                                "Can't resume, " +
+                                "client authentication is required");
+                        }
+                    }
+                }
+
+                // Validate that the cached cipher suite.
+                if (resumingSession) {
+                    CipherSuite suite = previous.getSuite();
+                    if ((!shc.isNegotiable(suite)) ||
+                            (!clientHello.cipherSuites.contains(suite))) {
+                        resumingSession = false;
+                        if (SSLLogger.isOn &&
+                                SSLLogger.isOn("ssl,handshake,verbose")) {
+                            SSLLogger.finest(
+                                "Can't resume, " +
+                                "the session cipher suite is absent");
+                        }
+                    }
+                }
+
+                // So far so good.  Note that the handshake extensions may reset
+                // the resuming options later.
+                shc.isResumption = resumingSession;
+                shc.resumingSession = resumingSession ? previous : null;
+            }
+
+            HelloCookieManager hcm =
+                shc.sslContext.getHelloCookieManager(ProtocolVersion.DTLS10);
+            if (!shc.isResumption &&
+                !hcm.isCookieValid(shc, clientHello, clientHello.cookie)) {
+                //
+                // Perform cookie exchange for DTLS handshaking if no cookie
+                // or the cookie is invalid in the ClientHello message.
+                //
+                // update the responders
+                shc.handshakeProducers.put(
+                        SSLHandshake.HELLO_VERIFY_REQUEST.id,
+                        SSLHandshake.HELLO_VERIFY_REQUEST);
+
+                //
+                // produce response handshake message
+                //
+                SSLHandshake.HELLO_VERIFY_REQUEST.produce(context, clientHello);
+
+                return;
+            }
+
+            // cache the client random number for further using
+            shc.clientHelloRandom = clientHello.clientRandom;
+
+            // Check and launch ClientHello extensions.
+            SSLExtension[] extTypes = shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.CLIENT_HELLO);
+            clientHello.extensions.consumeOnLoad(shc, extTypes);
+
+            //
+            // update
+            //
+            if (!shc.conContext.isNegotiated) {
+                shc.conContext.protocolVersion = shc.negotiatedProtocol;
+                shc.conContext.outputRecord.setVersion(shc.negotiatedProtocol);
+            }
+
+            // update the responders
+            //
+            // Only need to ServerHello, which may add more responders later.
+            shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO.id,
+                    SSLHandshake.SERVER_HELLO);
+
+            //
+            // produce
+            //
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                SSLHandshake.SERVER_HELLO,
+
+                // full handshake messages
+                SSLHandshake.CERTIFICATE,
+                SSLHandshake.CERTIFICATE_STATUS,
+                SSLHandshake.SERVER_KEY_EXCHANGE,
+                SSLHandshake.CERTIFICATE_REQUEST,
+                SSLHandshake.SERVER_HELLO_DONE,
+
+                // abbreviated handshake messages
+                SSLHandshake.FINISHED
+            };
+
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        shc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(context, clientHello);
+                }
+            }
+        }
+    }
+
+    /**
+     * The "ClientHello" handshake message consumer for DTLS 1.3.
+     */
+    private static final
+            class D13ClientHelloConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private D13ClientHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ConnectionContext.java	2018-05-11 15:08:58.833474900 -0700
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+/**
+ * SSL/(D)TLS connection context.
+ */
+interface ConnectionContext {
+    // blank
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ContentType.java	2018-05-11 15:09:00.449747000 -0700
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+/**
+ * Enum for SSL/(D)TLS content types.
+ */
+enum ContentType {
+    INVALID             ((byte)0,   "invalid",
+                            ProtocolVersion.PROTOCOLS_OF_13),
+    CHANGE_CIPHER_SPEC  ((byte)20,  "change_cipher_spec",
+                            ProtocolVersion.PROTOCOLS_TO_12),
+    ALERT               ((byte)21,  "alert",
+                            ProtocolVersion.PROTOCOLS_TO_13),
+    HANDSHAKE           ((byte)22,  "handshake",
+                            ProtocolVersion.PROTOCOLS_TO_13),
+    APPLICATION_DATA    ((byte)23,  "application_data",
+                            ProtocolVersion.PROTOCOLS_TO_13);
+
+    final byte id;
+    final String name;
+    final ProtocolVersion[] supportedProtocols;
+
+    private ContentType(byte id, String name,
+            ProtocolVersion[] supportedProtocols) {
+        this.id = id;
+        this.name = name;
+        this.supportedProtocols = supportedProtocols;
+    }
+
+    static ContentType valueOf(byte id) {
+        for (ContentType ct : ContentType.values()) {
+            if (ct.id == id) {
+                return ct;
+            }
+        }
+
+        return null;
+    }
+
+    static String nameOf(byte id) {
+        for (ContentType ct : ContentType.values()) {
+            if (ct.id == id) {
+                return ct.name;
+            }
+        }
+
+        return "<UNKNOWN CONTENT TYPE: " + (id & 0x0FF) + ">";
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/CookieExtension.java	2018-05-11 15:09:02.118223700 -0700
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Locale;
+import javax.net.ssl.SSLProtocolException;
+
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.ServerHello.ServerHelloMessage;
+import sun.security.util.HexDumpEncoder;
+
+public class CookieExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHCookieProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHCookieConsumer();
+    static final HandshakeConsumer chOnTradeConsumer =
+            new CHCookieUpdate();
+
+    static final HandshakeProducer hrrNetworkProducer =
+            new HRRCookieProducer();
+    static final ExtensionConsumer hrrOnLoadConcumer =
+            new HRRCookieConsumer();
+
+    static final HandshakeProducer hrrNetworkReproducer =
+            new HRRCookieReproducer();
+
+    static final CookieStringize cookieStringize =
+            new CookieStringize();
+
+    /**
+     * The "cookie" extension.
+     */
+    static class CookieSpec implements SSLExtensionSpec {
+        final byte[] cookie;
+
+        CookieSpec(byte[] cookie) {
+            this.cookie = cookie;
+        }
+
+        private CookieSpec(ByteBuffer m) throws IOException {
+            // opaque cookie<1..2^16-1>;
+            if (m.remaining() < 3) {
+                throw new SSLProtocolException(
+                    "Invalid cookie extension: insufficient data");
+            }
+
+            this.cookie = Record.getBytes16(m);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"cookie\": '{'\n" +
+                    "{0}\n" +
+                    "'}',", Locale.ENGLISH);
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                Utilities.indent(hexEncoder.encode(cookie))
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    private static final class CookieStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CookieSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    private static final
+            class CHCookieProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHCookieProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            ClientHandshakeContext chc = (ClientHandshakeContext) context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SSLExtension.CH_COOKIE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable cookie extension");
+                }
+                return null;
+            }
+
+            // response to an HelloRetryRequest cookie
+            CookieSpec spec = (CookieSpec)chc.handshakeExtensions.get(
+                    SSLExtension.HRR_COOKIE);
+
+            if (spec != null &&
+                    spec.cookie != null && spec.cookie.length != 0) {
+                byte[] extData = new byte[spec.cookie.length + 2];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putBytes16(m, spec.cookie);
+                return extData;
+            }
+
+            return null;
+        }
+    }
+
+    private static final
+            class CHCookieConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHCookieConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.CH_COOKIE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable cookie extension");
+                }
+                return;     // ignore the extension
+            }
+
+            CookieSpec spec;
+            try {
+                spec = new CookieSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec);
+
+            // No impact on session resumption.
+            //
+            // Note that the protocol version negotiation happens before the
+            // session resumption negotiation.  And the session resumption
+            // negotiation depends on the negotiated protocol version.
+        }
+    }
+
+    private static final
+            class CHCookieUpdate implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private CHCookieUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            CookieSpec spec = (CookieSpec)
+                    shc.handshakeExtensions.get(SSLExtension.CH_COOKIE);
+            if (spec == null) {
+                // Ignore, no "cookie" extension requested.
+                return;
+            }
+
+            HelloCookieManager hcm =
+                shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
+            if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "unrecognized cookie");
+                return;     // fatal() always throws, make the compiler happy.
+            }
+        }
+    }
+
+    private static final
+            class HRRCookieProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HRRCookieProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ServerHelloMessage hrrm = (ServerHelloMessage)message;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.HRR_COOKIE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable cookie extension");
+                }
+                return null;
+            }
+
+            HelloCookieManager hcm =
+                shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
+
+            byte[] cookie = hcm.createCookie(shc, hrrm.clientHello);
+
+            byte[] extData = new byte[cookie.length + 2];
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putBytes16(m, cookie);
+
+            return extData;
+        }
+    }
+
+    private static final
+            class HRRCookieConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private HRRCookieConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SSLExtension.HRR_COOKIE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable cookie extension");
+                }
+                return;     // ignore the extension
+            }
+
+            CookieSpec spec;
+            try {
+                spec = new CookieSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec);
+        }
+    }
+
+    private static final
+            class HRRCookieReproducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HRRCookieReproducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext) context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.HRR_COOKIE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable cookie extension");
+                }
+                return null;
+            }
+
+            // copy of the ClientHello cookie
+            CookieSpec spec = (CookieSpec)shc.handshakeExtensions.get(
+                    SSLExtension.CH_COOKIE);
+
+            if (spec != null &&
+                    spec.cookie != null && spec.cookie.length != 0) {
+                byte[] extData = new byte[spec.cookie.length + 2];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putBytes16(m, spec.cookie);
+                return extData;
+            }
+
+            return null;
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java	2018-05-11 15:09:03.832753700 -0700
@@ -0,0 +1,510 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.KeyAgreement;
+import javax.crypto.SecretKey;
+import javax.crypto.interfaces.DHPublicKey;
+import javax.crypto.spec.DHParameterSpec;
+import javax.crypto.spec.DHPublicKeySpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.action.GetPropertyAction;
+import sun.security.ssl.CipherSuite.HashAlg;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.KeyUtil;
+
+final class DHKeyExchange {
+    static final SSLPossessionGenerator poGenerator =
+            new DHEPossessionGenerator(false);
+    static final SSLPossessionGenerator poExportableGenerator =
+            new DHEPossessionGenerator(true);
+    static final SSLKeyAgreementGenerator kaGenerator =
+            new DHEKAGenerator();
+
+    static final class DHECredentials implements SSLCredentials {
+        final DHPublicKey popPublicKey;
+        final NamedGroup namedGroup;
+
+        DHECredentials(DHPublicKey popPublicKey, NamedGroup namedGroup) {
+            this.popPublicKey = popPublicKey;
+            this.namedGroup = namedGroup;
+        }
+
+        static DHECredentials valueOf(NamedGroup ng,
+            byte[] encodedPublic) throws IOException, GeneralSecurityException {
+
+            if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) {
+                throw new RuntimeException(
+                        "Credentials decoding:  Not FFDHE named group");
+            }
+
+            if (encodedPublic == null || encodedPublic.length == 0) {
+                return null;
+            }
+
+            DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec();
+            if (params == null) {
+                return null;
+            }
+
+            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+            DHPublicKeySpec spec = new DHPublicKeySpec(
+                    new BigInteger(1, encodedPublic),
+                    params.getP(), params.getG());
+            DHPublicKey publicKey =
+                    (DHPublicKey)kf.generatePublic(spec);
+
+            return new DHECredentials(publicKey, ng);
+        }
+    }
+
+    static final class DHEPossession implements SSLPossession {
+        final PrivateKey privateKey;
+        final DHPublicKey publicKey;
+        final NamedGroup namedGroup;
+
+        DHEPossession(NamedGroup namedGroup, SecureRandom random) {
+            try {
+                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DH");
+                DHParameterSpec params =
+                        (DHParameterSpec)namedGroup.getParameterSpec();
+                kpg.initialize(params, random);
+                KeyPair kp = generateDHKeyPair(kpg);
+                if (kp == null) {
+                    throw new RuntimeException("Could not generate DH keypair");
+                }
+                privateKey = kp.getPrivate();
+                publicKey = (DHPublicKey)kp.getPublic();
+            } catch (GeneralSecurityException gse) {
+                throw new RuntimeException(
+                        "Could not generate DH keypair", gse);
+            }
+
+            this.namedGroup = namedGroup;
+        }
+
+        DHEPossession(int keyLength, SecureRandom random) {
+            DHParameterSpec params =
+                    PredefinedDHParameterSpecs.definedParams.get(keyLength);
+            try {
+                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman");
+                if (params != null) {
+                    kpg.initialize(params, random);
+                } else {
+                    kpg.initialize(keyLength, random);
+                }
+
+                KeyPair kp = generateDHKeyPair(kpg);
+                if (kp == null) {
+                    throw new RuntimeException(
+                            "Could not generate DH keypair of " +
+                            keyLength + " bits");
+                }
+                privateKey = kp.getPrivate();
+                publicKey = (DHPublicKey)kp.getPublic();
+            } catch (GeneralSecurityException gse) {
+                throw new RuntimeException(
+                        "Could not generate DH keypair", gse);
+            }
+
+            this.namedGroup = NamedGroup.valueOf(publicKey.getParams());
+        }
+
+        DHEPossession(DHECredentials credentials, SecureRandom random) {
+            try {
+                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DH");
+                kpg.initialize(credentials.popPublicKey.getParams(), random);
+                KeyPair kp = generateDHKeyPair(kpg);
+                if (kp == null) {
+                    throw new RuntimeException("Could not generate DH keypair");
+                }
+                privateKey = kp.getPrivate();
+                publicKey = (DHPublicKey)kp.getPublic();
+            } catch (GeneralSecurityException gse) {
+                throw new RuntimeException(
+                        "Could not generate DH keypair", gse);
+            }
+
+            this.namedGroup = credentials.namedGroup;
+        }
+
+        // Generate and validate DHPublicKeySpec
+        private KeyPair generateDHKeyPair(
+                KeyPairGenerator kpg) throws GeneralSecurityException {
+            boolean doExtraValiadtion =
+                    (!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
+            boolean isRecovering = false;
+            for (int i = 0; i <= 2; i++) {      // Try to recove from failure.
+                KeyPair kp = kpg.generateKeyPair();
+                // validate the Diffie-Hellman public key
+                if (doExtraValiadtion) {
+                    DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
+                    try {
+                        KeyUtil.validate(spec);
+                    } catch (InvalidKeyException ivke) {
+                        if (isRecovering) {
+                            throw ivke;
+                        }
+                        // otherwise, ignore the exception and try again
+                        continue;
+                    }
+                }
+
+                return kp;
+            }
+
+            return null;
+        }
+
+        private static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
+            if (key instanceof DHPublicKey) {
+                DHPublicKey dhKey = (DHPublicKey)key;
+                DHParameterSpec params = dhKey.getParams();
+                return new DHPublicKeySpec(dhKey.getY(),
+                                        params.getP(), params.getG());
+            }
+            try {
+                KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
+                return factory.getKeySpec(key, DHPublicKeySpec.class);
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        }
+
+        @Override
+        public byte[] encode() {
+            // TODO: cannonical the return byte array length.
+            return publicKey.getY().toByteArray();
+        }
+    }
+
+    private static final class
+            DHEPossessionGenerator implements SSLPossessionGenerator {
+        // Flag to use smart ephemeral DH key which size matches the corresponding
+        // authentication key
+        private static final boolean useSmartEphemeralDHKeys;
+
+        // Flag to use legacy ephemeral DH key which size is 512 bits for
+        // exportable cipher suites, and 768 bits for others
+        private static final boolean useLegacyEphemeralDHKeys;
+
+        // The customized ephemeral DH key size for non-exportable cipher suites.
+        private static final int customizedDHKeySize;
+
+        // Is it for exportable cipher suite?
+        private final boolean exportable;
+
+        static {
+            String property = GetPropertyAction.privilegedGetProperty(
+                    "jdk.tls.ephemeralDHKeySize");
+            if (property == null || property.length() == 0) {
+                useLegacyEphemeralDHKeys = false;
+                useSmartEphemeralDHKeys = false;
+                customizedDHKeySize = -1;
+            } else if ("matched".equals(property)) {
+                useLegacyEphemeralDHKeys = false;
+                useSmartEphemeralDHKeys = true;
+                customizedDHKeySize = -1;
+            } else if ("legacy".equals(property)) {
+                useLegacyEphemeralDHKeys = true;
+                useSmartEphemeralDHKeys = false;
+                customizedDHKeySize = -1;
+            } else {
+                useLegacyEphemeralDHKeys = false;
+                useSmartEphemeralDHKeys = false;
+
+                try {
+                    // DH parameter generation can be extremely slow, best to
+                    // use one of the supported pre-computed DH parameters
+                    // (see DHCrypt class).
+                    customizedDHKeySize = Integer.parseUnsignedInt(property);
+                    if (customizedDHKeySize < 1024 ||
+                            customizedDHKeySize > 8192 ||
+                            (customizedDHKeySize & 0x3f) != 0) {
+                        throw new IllegalArgumentException(
+                            "Unsupported customized DH key size: " +
+                            customizedDHKeySize + ". " +
+                            "The key size must be multiple of 64, " +
+                            "and range from 1024 to 8192 (inclusive)");
+                    }
+                } catch (NumberFormatException nfe) {
+                    throw new IllegalArgumentException(
+                        "Invalid system property jdk.tls.ephemeralDHKeySize");
+                }
+            }
+        }
+
+        // Prevent instantiation of this class.
+        private DHEPossessionGenerator(boolean exportable) {
+            this.exportable = exportable;
+        }
+
+        // Used for ServerKeyExchange, TLS 1.2 and prior versions.
+        @Override
+        public SSLPossession createPossession(HandshakeContext context) {
+            NamedGroup preferableNamedGroup = null;
+            if (!useLegacyEphemeralDHKeys &&
+                    (context.clientRequestedNamedGroups != null) &&
+                    (!context.clientRequestedNamedGroups.isEmpty())) {
+                preferableNamedGroup =
+                        SupportedGroups.getPreferredGroup(
+                                context.negotiatedProtocol,
+                                context.algorithmConstraints,
+                                NamedGroupType.NAMED_GROUP_FFDHE,
+                                context.clientRequestedNamedGroups);
+                if (preferableNamedGroup != null) {
+                    return new DHEPossession(preferableNamedGroup,
+                                context.sslContext.getSecureRandom());
+                }
+            }
+
+            /*
+             * 768 bits ephemeral DH private keys were used to be used in
+             * ServerKeyExchange except that exportable ciphers max out at 512
+             * bits modulus values. We still adhere to this behavior in legacy
+             * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
+             * as "legacy").
+             *
+             * Old JDK (JDK 7 and previous) releases don't support DH keys
+             * bigger than 1024 bits. We have to consider the compatibility
+             * requirement. 1024 bits DH key is always used for non-exportable
+             * cipher suites in default mode (system property
+             * "jdk.tls.ephemeralDHKeySize" is not defined).
+             *
+             * However, if applications want more stronger strength, setting
+             * system property "jdk.tls.ephemeralDHKeySize" to "matched"
+             * is a workaround to use ephemeral DH key which size matches the
+             * corresponding authentication key. For example, if the public key
+             * size of an authentication certificate is 2048 bits, then the
+             * ephemeral DH key size should be 2048 bits accordingly unless
+             * the cipher suite is exportable.  This key sizing scheme keeps
+             * the cryptographic strength consistent between authentication
+             * keys and key-exchange keys.
+             *
+             * Applications may also want to customize the ephemeral DH key
+             * size to a fixed length for non-exportable cipher suites. This
+             * can be approached by setting system property
+             * "jdk.tls.ephemeralDHKeySize" to a valid positive integer between
+             * 1024 and 8192 bits, inclusive.
+             *
+             * Note that the minimum acceptable key size is 1024 bits except
+             * exportable cipher suites or legacy mode.
+             *
+             * Note that per RFC 2246, the key size limit of DH is 512 bits for
+             * exportable cipher suites.  Because of the weakness, exportable
+             * cipher suites are deprecated since TLS v1.1 and they are not
+             * enabled by default in Oracle provider. The legacy behavior is
+             * reserved and 512 bits DH key is always used for exportable
+             * cipher suites.
+             */
+            int keySize = exportable ? 512 : 1024;           // default mode
+            if (!exportable) {
+                if (useLegacyEphemeralDHKeys) {          // legacy mode
+                    keySize = 768;
+                } else if (useSmartEphemeralDHKeys) {    // matched mode
+                    PrivateKey key = null;
+                    ServerHandshakeContext shc =
+                            (ServerHandshakeContext)context;
+                    if (shc.interimAuthn instanceof X509Possession) {
+                        key = ((X509Possession)shc.interimAuthn).popPrivateKey;
+                    }
+
+                    if (key != null) {
+                        int ks = KeyUtil.getKeySize(key);
+
+                        // DH parameter generation can be extremely slow, make
+                        // sure to use one of the supported pre-computed DH
+                        // parameters.
+                        //
+                        // Old deployed applications may not be ready to
+                        // support DH key sizes bigger than 2048 bits.  Please
+                        // DON'T use value other than 1024 and 2048 at present.
+                        // May improve the underlying providers and key size
+                        // limit in the future when the compatibility and
+                        // interoperability impact is limited.
+                        keySize = ks <= 1024 ? 1024 : 2048;
+                    } // Otherwise, anonymous cipher suites, 1024-bit is used.
+                } else if (customizedDHKeySize > 0) {    // customized mode
+                    keySize = customizedDHKeySize;
+                }
+            }
+
+            return new DHEPossession(
+                    keySize, context.sslContext.getSecureRandom());
+        }
+    }
+
+    private static final
+            class DHEKAGenerator implements SSLKeyAgreementGenerator {
+        static private DHEKAGenerator instance = new DHEKAGenerator();
+
+        // Prevent instantiation of this class.
+        private DHEKAGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext context) throws IOException {
+            DHEPossession dhePossession = null;
+            DHECredentials dheCredentials = null;
+            for (SSLPossession poss : context.handshakePossessions) {
+                if (!(poss instanceof DHEPossession)) {
+                    continue;
+                }
+
+                DHEPossession dhep = (DHEPossession)poss;
+                for (SSLCredentials cred : context.handshakeCredentials) {
+                    if (!(cred instanceof DHECredentials)) {
+                        continue;
+                    }
+                    DHECredentials dhec = (DHECredentials)cred;
+                    if (dhep.namedGroup != null && dhec.namedGroup != null) {
+                        if (dhep.namedGroup.equals(dhec.namedGroup)) {
+                            dheCredentials = (DHECredentials)cred;
+                            break;
+                        }
+                    } else {
+                        DHParameterSpec pps = dhep.publicKey.getParams();
+                        DHParameterSpec cps = dhec.popPublicKey.getParams();
+                        if (pps.getP().equals(cps.getP()) &&
+                                pps.getG().equals(cps.getG())) {
+                            dheCredentials = (DHECredentials)cred;
+                            break;
+                        }
+                    }
+                }
+
+                if (dheCredentials != null) {
+                    dhePossession = (DHEPossession)poss;
+                    break;
+                }
+            }
+
+            if (dhePossession == null || dheCredentials == null) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No sufficient DHE key agreement parameters negotiated");
+            }
+
+            return new DHEKAKeyDerivation(context,
+                    dhePossession.privateKey, dheCredentials.popPublicKey);
+        }
+
+        private static final
+                class DHEKAKeyDerivation implements SSLKeyDerivation {
+            private final HandshakeContext context;
+            private final PrivateKey localPrivateKey;
+            private final PublicKey peerPublicKey;
+
+            DHEKAKeyDerivation(HandshakeContext context,
+                    PrivateKey localPrivateKey,
+                    PublicKey peerPublicKey) {
+                this.context = context;
+                this.localPrivateKey = localPrivateKey;
+                this.peerPublicKey = peerPublicKey;
+            }
+
+            @Override
+            public SecretKey deriveKey(String algorithm,
+                    AlgorithmParameterSpec params) throws IOException {
+                if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
+                    return t12DeriveKey(algorithm, params);
+                } else {
+                    return t13DeriveKey(algorithm, params);
+                }
+            }
+
+            private SecretKey t12DeriveKey(String algorithm,
+                    AlgorithmParameterSpec params) throws IOException {
+                try {
+                    KeyAgreement ka = JsseJce.getKeyAgreement("DH");
+                    ka.init(localPrivateKey);
+                    ka.doPhase(peerPublicKey, true);
+                    SecretKey preMasterSecret =
+                            ka.generateSecret("TlsPremasterSecret");
+                    SSLMasterKeyDerivation mskd =
+                            SSLMasterKeyDerivation.valueOf(
+                                    context.negotiatedProtocol);
+                    SSLKeyDerivation kd = mskd.createKeyDerivation(
+                            context, preMasterSecret);
+                    return kd.deriveKey("TODO", params);
+                } catch (GeneralSecurityException gse) {
+                    throw (SSLHandshakeException) new SSLHandshakeException(
+                        "Could not generate secret").initCause(gse);
+                }
+            }
+
+            private SecretKey t13DeriveKey(String algorithm,
+                    AlgorithmParameterSpec params) throws IOException {
+                try {
+                    KeyAgreement ka = JsseJce.getKeyAgreement("DH");
+                    ka.init(localPrivateKey);
+                    ka.doPhase(peerPublicKey, true);
+                    SecretKey sharedSecret =
+                            ka.generateSecret("TlsPremasterSecret");
+
+                    HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
+                    SSLKeyDerivation kd = context.handshakeKeyDerivation;
+                    HKDF hkdf = new HKDF(hashAlg.name);
+                    if (kd == null) {   // No PSK is in use.
+                        // If PSK is not in use Early Secret will still be
+                        // HKDF-Extract(0, 0).
+                        byte[] zeros = new byte[hashAlg.hashLength];
+                        SecretKeySpec ikm =
+                                new SecretKeySpec(zeros, "TlsPreSharedSecret");
+                        SecretKey earlySecret =
+                                hkdf.extract(zeros, ikm, "TlsEarlySecret");
+                        kd = new SSLSecretDerivation(context, earlySecret);
+                    }
+
+                    // derive salt secret
+                    SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
+
+                    // derive handshake secret
+                    return hkdf.extract(saltSecret, sharedSecret, algorithm);
+                } catch (GeneralSecurityException gse) {
+                    throw (SSLHandshakeException) new SSLHandshakeException(
+                        "Could not generate secret").initCause(gse);
+                }
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java	2018-05-11 15:09:05.525823600 -0700
@@ -0,0 +1,548 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.text.MessageFormat;
+import java.util.EnumSet;
+import java.util.Locale;
+import javax.crypto.interfaces.DHPublicKey;
+import javax.crypto.spec.DHParameterSpec;
+import javax.crypto.spec.DHPublicKeySpec;
+import sun.security.ssl.DHKeyExchange.DHECredentials;
+import sun.security.ssl.DHKeyExchange.DHEPossession;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
+import sun.security.util.KeyUtil;
+
+/**
+ * Pack of the ServerKeyExchange handshake message.
+ */
+final class DHServerKeyExchange {
+    static final SSLConsumer dhHandshakeConsumer =
+            new DHServerKeyExchangeConsumer();
+    static final HandshakeProducer dhHandshakeProducer =
+            new DHServerKeyExchangeProducer();
+
+    /**
+     * The DiffieHellman ServerKeyExchange handshake message.
+     */
+    private static final
+            class DHServerKeyExchangeMessage extends HandshakeMessage {
+        // public key encapsulated in this message
+        private byte[] p;        // 1 to 2^16 - 1 bytes
+        private byte[] g;        // 1 to 2^16 - 1 bytes
+        private byte[] y;        // 1 to 2^16 - 1 bytes
+
+        // the signature algorithm used by this ServerKeyExchange message
+        private final boolean useExplicitSigAlgorithm;
+        private final SignatureScheme signatureScheme;
+
+        // signature bytes, or null if anonymous
+        private final byte[] paramsSignature;
+
+        DHServerKeyExchangeMessage(
+                HandshakeContext handshakeContext) throws IOException {
+            super(handshakeContext);
+
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            DHEPossession dhePossession = null;
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof DHEPossession) {
+                    dhePossession = (DHEPossession)possession;
+                    if (x509Possession != null) {
+                        break;
+                    }
+                } else if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    if (dhePossession != null) {
+                        break;
+                    }
+                }
+            }
+
+            if (dhePossession == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No DHE credentials negotiated for server key exchange");
+            }
+            DHPublicKey publicKey = dhePossession.publicKey;
+            DHParameterSpec params = publicKey.getParams();
+            this.p = Utilities.toByteArray(params.getP());
+            this.g = Utilities.toByteArray(params.getG());
+            this.y = Utilities.toByteArray(publicKey.getY());
+
+            if (x509Possession == null) {
+                // anonymous, no authentication, no signature
+                paramsSignature = null;
+                signatureScheme = null;
+                useExplicitSigAlgorithm = false;
+            } else {
+                useExplicitSigAlgorithm =
+                        shc.negotiatedProtocol.useTLS12PlusSpec();
+                Signature signer = null;
+                if (useExplicitSigAlgorithm) {
+                    signatureScheme = SignatureScheme.getPreferableAlgorithm(
+                            shc.peerRequestedSignatureSchemes,
+                            x509Possession.popPrivateKey,
+                            shc.negotiatedProtocol);
+                    if (signatureScheme == null) {
+                        // Unlikely, the credentials generator should have
+                        // selected the preferable signature algorithm properly.
+                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "No preferred signature algorithm");
+                    }
+                    try {
+                        signer = signatureScheme.getSignature();
+                    } catch (NoSuchAlgorithmException |
+                            InvalidAlgorithmParameterException nsae) {
+                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Unsupported signature algorithm: " +
+                            signatureScheme.name, nsae);
+                    }
+                } else {
+                    signatureScheme = null;
+                    try {
+                        signer = getSignature(
+                            x509Possession.popPrivateKey.getAlgorithm());
+                    } catch (NoSuchAlgorithmException e) {
+                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Unsupported signature algorithm: " +
+                            x509Possession.popPrivateKey.getAlgorithm(), e);
+                    }
+                }
+
+                byte[] signature = null;
+                try {
+                    signer.initSign(x509Possession.popPrivateKey);
+                    updateSignature(signer, shc.clientHelloRandom.randomBytes,
+                            shc.serverHelloRandom.randomBytes);
+                    signature = signer.sign();
+                } catch (InvalidKeyException | SignatureException ex) {
+                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failed to sign dhe parameters: " +
+                        x509Possession.popPrivateKey.getAlgorithm(), ex);
+                }
+                paramsSignature = signature;
+            }
+        }
+
+        DHServerKeyExchangeMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // This happens in client side only.
+            ClientHandshakeContext chc =
+                    (ClientHandshakeContext)handshakeContext;
+
+            this.p = Record.getBytes16(m);
+            this.g = Record.getBytes16(m);
+            this.y = Record.getBytes16(m);
+
+            try {
+                KeyUtil.validate(new DHPublicKeySpec(
+                        new BigInteger(1, y),
+                        new BigInteger(1, p),
+                        new BigInteger(1, p)));
+            } catch (InvalidKeyException ike) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Invalid DH ServerKeyExchange: invalid parameters", ike);
+            }
+
+            // TODO: check FFDHE named group
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : chc.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                // anonymous, no authentication, no signature
+                if (m.hasRemaining()) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid DH ServerKeyExchange: unknown extra data");
+                }
+
+                this.signatureScheme = null;
+                this.paramsSignature = null;
+                this.useExplicitSigAlgorithm = false;
+
+                return;
+            }
+
+            this.useExplicitSigAlgorithm =
+                    chc.negotiatedProtocol.useTLS12PlusSpec();
+            if (useExplicitSigAlgorithm) {
+                int ssid = Record.getInt16(m);
+                signatureScheme = SignatureScheme.valueOf(ssid);
+                if (signatureScheme == null) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Invalid signature algorithm (" + ssid +
+                            ") used in DH ServerKeyExchange handshake message");
+                }
+
+                if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Unsupported signature algorithm (" +
+                            signatureScheme.name +
+                            ") used in DH ServerKeyExchange handshake message");
+                }
+            } else {
+                this.signatureScheme = null;
+            }
+
+            // read and verify the signature
+            this.paramsSignature = Record.getBytes16(m);
+            Signature signer;
+            if (useExplicitSigAlgorithm) {
+                try {
+                    signer = signatureScheme.getSignature();
+                } catch (NoSuchAlgorithmException |
+                        InvalidAlgorithmParameterException nsae) {
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Unsupported signature algorithm: " +
+                            signatureScheme.name, nsae);
+
+                    return;     // make the compiler happe
+                }
+            } else {
+                try {
+                    signer = getSignature(
+                        x509Credentials.popPublicKey.getAlgorithm());
+                } catch (NoSuchAlgorithmException e) {
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Unsupported signature algorithm: " +
+                            x509Credentials.popPublicKey.getAlgorithm(), e);
+
+                    return;     // make the compiler happe
+                }
+            }
+
+            try {
+                signer.initVerify(x509Credentials.popPublicKey);
+                updateSignature(signer,
+                        chc.clientHelloRandom.randomBytes,
+                        chc.serverHelloRandom.randomBytes);
+
+                if (!signer.verify(paramsSignature)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid signature on DH ServerKeyExchange message");
+                }
+            } catch (InvalidKeyException | SignatureException ex) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot verify DH ServerKeyExchange signature", ex);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.SERVER_KEY_EXCHANGE;
+        }
+
+        @Override
+        public int messageLength() {
+            int sigLen = 0;
+            if (paramsSignature != null) {
+                sigLen = 2 + paramsSignature.length;
+                if (useExplicitSigAlgorithm) {
+                    sigLen += SignatureScheme.sizeInRecord();
+                }
+            }
+
+            return 6 + p.length + g.length + y.length + sigLen;
+                    // 6: overhead for p, g, y values
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes16(p);
+            hos.putBytes16(g);
+            hos.putBytes16(y);
+
+            if (paramsSignature != null) {
+                if (useExplicitSigAlgorithm) {
+                    hos.putInt16(signatureScheme.id);
+                }
+
+                hos.putBytes16(paramsSignature);
+            }
+        }
+
+        @Override
+        public String toString() {
+            if (paramsSignature == null) {    // anonymous
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"DH ServerKeyExchange\": '{'\n" +
+                    "  \"parameters\": '{'\n" +
+                    "    \"dh_p\": '{'\n" +
+                    "{0}\n" +
+                    "    '}',\n" +
+                    "    \"dh_g\": '{'\n" +
+                    "{1}\n" +
+                    "    '}',\n" +
+                    "    \"dh_Ys\": '{'\n" +
+                    "{2}\n" +
+                    "    '}',\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(p), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(g), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(y), "      "),
+                };
+
+                return messageFormat.format(messageFields);
+            }
+
+            if (useExplicitSigAlgorithm) {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"DH ServerKeyExchange\": '{'\n" +
+                    "  \"parameters\": '{'\n" +
+                    "    \"dh_p\": '{'\n" +
+                    "{0}\n" +
+                    "    '}',\n" +
+                    "    \"dh_g\": '{'\n" +
+                    "{1}\n" +
+                    "    '}',\n" +
+                    "    \"dh_Ys\": '{'\n" +
+                    "{2}\n" +
+                    "    '}',\n" +
+                    "  '}',\n" +
+                    "  \"digital signature\":  '{'\n" +
+                    "    \"signature algorithm\": \"{3}\"\n" +
+                    "    \"signature\": '{'\n" +
+                    "{4}\n" +
+                    "    '}',\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(p), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(g), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(y), "      "),
+                    signatureScheme.name,
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(paramsSignature), "      ")
+                };
+
+                return messageFormat.format(messageFields);
+            } else {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"DH ServerKeyExchange\": '{'\n" +
+                    "  \"parameters\": '{'\n" +
+                    "    \"dh_p\": '{'\n" +
+                    "{0}\n" +
+                    "    '}',\n" +
+                    "    \"dh_g\": '{'\n" +
+                    "{1}\n" +
+                    "    '}',\n" +
+                    "    \"dh_Ys\": '{'\n" +
+                    "{2}\n" +
+                    "    '}',\n" +
+                    "  '}',\n" +
+                    "  \"signature\": '{'\n" +
+                    "{3}\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(p), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(g), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(y), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(paramsSignature), "    ")
+                };
+
+                return messageFormat.format(messageFields);
+            }
+        }
+
+        private static Signature getSignature(String keyAlgorithm)
+                throws NoSuchAlgorithmException {
+            switch (keyAlgorithm) {
+                case "DSA":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
+                case "RSA":
+                    return RSASignature.getInstance();
+                default:
+                    throw new NoSuchAlgorithmException(
+                        "neither an RSA or a DSA key : " + keyAlgorithm);
+            }
+        }
+
+        /*
+         * Update sig with nonces and Diffie-Hellman public key.
+         */
+        private void updateSignature(Signature sig, byte[] clntNonce,
+                byte[] svrNonce) throws SignatureException {
+            int tmp;
+
+            sig.update(clntNonce);
+            sig.update(svrNonce);
+
+            sig.update((byte)(p.length >> 8));
+            sig.update((byte)(p.length & 0x0ff));
+            sig.update(p);
+
+            sig.update((byte)(g.length >> 8));
+            sig.update((byte)(g.length & 0x0ff));
+            sig.update(g);
+
+            sig.update((byte)(y.length >> 8));
+            sig.update((byte)(y.length & 0x0ff));
+            sig.update(y);
+        }
+    }
+
+    /**
+     * The DiffieHellman "ServerKeyExchange" handshake message producer.
+     */
+    static final class DHServerKeyExchangeProducer
+            implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private DHServerKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            DHServerKeyExchangeMessage skem =
+                    new DHServerKeyExchangeMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced DH ServerKeyExchange handshake message", skem);
+            }
+
+            // Output the handshake message.
+            skem.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The DiffieHellman "ServerKeyExchange" handshake message consumer.
+     */
+    static final class DHServerKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private DHServerKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            DHServerKeyExchangeMessage skem =
+                    new DHServerKeyExchangeMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming DH ServerKeyExchange handshake message", skem);
+            }
+
+            //
+            // validate
+            //
+            // check constraints of EC PublicKey
+            DHPublicKey publicKey;
+            try {
+                KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
+                DHPublicKeySpec spec = new DHPublicKeySpec(
+                        new BigInteger(1, skem.y),
+                        new BigInteger(1, skem.p),
+                        new BigInteger(1, skem.g));
+                publicKey = (DHPublicKey)kf.generatePublic(spec);
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                    "Could not generate DHPublicKey", gse);
+
+                return;     // make the compiler happy
+            }
+
+            if (!chc.algorithmConstraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
+                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                        "DH ServerKeyExchange does not comply to " +
+                        "algorithm constraints");
+            }
+
+            //
+            // update
+            //
+            NamedGroup namedGroup = NamedGroup.valueOf(publicKey.getParams());
+            chc.handshakeCredentials.add(
+                    new DHECredentials(publicKey, namedGroup));
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java	2018-05-11 15:09:07.291452200 -0700
@@ -0,0 +1,479 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.security.AlgorithmConstraints;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.interfaces.ECPrivateKey;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.ECGenParameterSpec;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPublicKeySpec;
+import java.util.EnumSet;
+import javax.crypto.KeyAgreement;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.ssl.CipherSuite.HashAlg;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.ECUtil;
+
+final class ECDHKeyExchange {
+    static final SSLPossessionGenerator poGenerator =
+            new ECDHEPossessionGenerator();
+    static final SSLKeyAgreementGenerator ecdheKAGenerator =
+            new ECDHEKAGenerator();
+    static final SSLKeyAgreementGenerator ecdhKAGenerator =
+            new ECDHKAGenerator();
+
+    static final class ECDHECredentials implements SSLCredentials {
+        final ECPublicKey popPublicKey;
+        final NamedGroup namedGroup;
+
+        ECDHECredentials(ECPublicKey popPublicKey, NamedGroup namedGroup) {
+            this.popPublicKey = popPublicKey;
+            this.namedGroup = namedGroup;
+        }
+
+        static ECDHECredentials valueOf(NamedGroup namedGroup,
+            byte[] encodedPoint) throws IOException, GeneralSecurityException {
+
+            if (namedGroup.type != NamedGroupType.NAMED_GROUP_ECDHE) {
+                throw new RuntimeException(
+                    "Credentials decoding:  Not ECDHE named group");
+            }
+
+            if (encodedPoint == null || encodedPoint.length == 0) {
+                return null;
+            }
+
+            ECParameterSpec parameters =
+                    JsseJce.getECParameterSpec(namedGroup.oid);
+            if (parameters == null) {
+                return null;
+            }
+
+            ECPoint point = JsseJce.decodePoint(
+                    encodedPoint, parameters.getCurve());
+            KeyFactory factory = JsseJce.getKeyFactory("EC");
+            ECPublicKey publicKey = (ECPublicKey)factory.generatePublic(
+                    new ECPublicKeySpec(point, parameters));
+            return new ECDHECredentials(publicKey, namedGroup);
+        }
+    }
+
+    static final class ECDHEPossession implements SSLPossession {
+        final PrivateKey privateKey;
+        final ECPublicKey publicKey;
+        final NamedGroup namedGroup;
+
+        ECDHEPossession(NamedGroup namedGroup, SecureRandom random) {
+            try {
+                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
+                ECGenParameterSpec params =
+                        (ECGenParameterSpec)namedGroup.getParameterSpec();
+                kpg.initialize(params, random);
+                KeyPair kp = kpg.generateKeyPair();
+                privateKey = kp.getPrivate();
+                publicKey = (ECPublicKey)kp.getPublic();
+            } catch (GeneralSecurityException e) {
+                throw new RuntimeException(
+                    "Could not generate ECDH keypair", e);
+            }
+
+            this.namedGroup = namedGroup;
+        }
+
+        ECDHEPossession(ECDHECredentials credentials, SecureRandom random) {
+            ECParameterSpec params = credentials.popPublicKey.getParams();
+            try {
+                KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
+                kpg.initialize(params, random);
+                KeyPair kp = kpg.generateKeyPair();
+                privateKey = kp.getPrivate();
+                publicKey = (ECPublicKey)kp.getPublic();
+            } catch (GeneralSecurityException e) {
+                throw new RuntimeException(
+                    "Could not generate ECDH keypair", e);
+            }
+
+            this.namedGroup = credentials.namedGroup;
+        }
+
+        @Override
+        public byte[] encode() {
+            return ECUtil.encodePoint(
+                    publicKey.getW(), publicKey.getParams().getCurve());
+        }
+
+        // called by ClientHandshaker with either the server's static or
+        // ephemeral public key
+        SecretKey getAgreedSecret(
+                PublicKey peerPublicKey) throws SSLHandshakeException {
+
+            try {
+                KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+                ka.init(privateKey);
+                ka.doPhase(peerPublicKey, true);
+                return ka.generateSecret("TlsPremasterSecret");
+            } catch (GeneralSecurityException e) {
+                throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate secret").initCause(e);
+            }
+        }
+
+        // called by ServerHandshaker
+        SecretKey getAgreedSecret(
+                byte[] encodedPoint) throws SSLHandshakeException {
+            try {
+                ECParameterSpec params = publicKey.getParams();
+                ECPoint point =
+                        JsseJce.decodePoint(encodedPoint, params.getCurve());
+                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+                PublicKey peerPublicKey = kf.generatePublic(spec);
+                return getAgreedSecret(peerPublicKey);
+            } catch (GeneralSecurityException | java.io.IOException e) {
+                throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate secret").initCause(e);
+            }
+        }
+
+        // Check constraints of the specified EC public key.
+        void checkConstraints(AlgorithmConstraints constraints,
+                byte[] encodedPoint) throws SSLHandshakeException {
+            try {
+
+                ECParameterSpec params = publicKey.getParams();
+                ECPoint point =
+                        JsseJce.decodePoint(encodedPoint, params.getCurve());
+                ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
+
+                KeyFactory kf = JsseJce.getKeyFactory("EC");
+                ECPublicKey pubKey = (ECPublicKey)kf.generatePublic(spec);
+
+                // check constraints of ECPublicKey
+                if (!constraints.permits(
+                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), pubKey)) {
+                    throw new SSLHandshakeException(
+                        "ECPublicKey does not comply to algorithm constraints");
+                }
+            } catch (GeneralSecurityException | java.io.IOException e) {
+                throw (SSLHandshakeException) new SSLHandshakeException(
+                        "Could not generate ECPublicKey").initCause(e);
+            }
+        }
+    }
+
+    private static final
+            class ECDHEPossessionGenerator implements SSLPossessionGenerator {
+        // Prevent instantiation of this class.
+        private ECDHEPossessionGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLPossession createPossession(HandshakeContext context) {
+            NamedGroup preferableNamedGroup = null;
+            if ((context.clientRequestedNamedGroups != null) &&
+                    (!context.clientRequestedNamedGroups.isEmpty())) {
+                preferableNamedGroup = SupportedGroups.getPreferredGroup(
+                        context.negotiatedProtocol,
+                        context.algorithmConstraints,
+                        NamedGroupType.NAMED_GROUP_ECDHE,
+                        context.clientRequestedNamedGroups);
+            } else {
+                preferableNamedGroup = SupportedGroups.getPreferredGroup(
+                        context.negotiatedProtocol,
+                        context.algorithmConstraints,
+                        NamedGroupType.NAMED_GROUP_ECDHE);
+            }
+
+            if (preferableNamedGroup != null) {
+                return new ECDHEPossession(preferableNamedGroup,
+                            context.sslContext.getSecureRandom());
+            }
+
+            // no match found, cannot use this cipher suite.
+            //
+            return null;
+        }
+    }
+
+    private static final
+            class ECDHKAGenerator implements SSLKeyAgreementGenerator {
+        // Prevent instantiation of this class.
+        private ECDHKAGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext context) throws IOException {
+            if (context instanceof ServerHandshakeContext) {
+                return createServerKeyDerivation(
+                        (ServerHandshakeContext)context);
+            } else {
+                return createClientKeyDerivation(
+                        (ClientHandshakeContext)context);
+            }
+        }
+
+        private SSLKeyDerivation createServerKeyDerivation(
+                ServerHandshakeContext shc) throws IOException {
+            X509Possession x509Possession = null;
+            ECDHECredentials ecdheCredentials = null;
+            for (SSLPossession poss : shc.handshakePossessions) {
+                if (!(poss instanceof X509Possession)) {
+                    continue;
+                }
+
+                PrivateKey privateKey = ((X509Possession)poss).popPrivateKey;
+                if (!privateKey.getAlgorithm().equals("EC")) {
+                    continue;
+                }
+
+                ECParameterSpec params = ((ECPrivateKey)privateKey).getParams();
+                NamedGroup ng = NamedGroup.valueOf(params);
+                if (ng == null) {
+                    // unlikely, have been checked during cipher suite negotiation.
+                    shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Unsupported EC server cert for ECDH key exchange");
+                }
+
+                for (SSLCredentials cred : shc.handshakeCredentials) {
+                    if (!(cred instanceof ECDHECredentials)) {
+                        continue;
+                    }
+                    if (ng.equals(((ECDHECredentials)cred).namedGroup)) {
+                        ecdheCredentials = (ECDHECredentials)cred;
+                        break;
+                    }
+                }
+
+                if (ecdheCredentials != null) {
+                    x509Possession = (X509Possession)poss;
+                    break;
+                }
+            }
+
+            if (x509Possession == null || ecdheCredentials == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No sufficient ECDHE key agreement parameters negotiated");
+            }
+
+            return new ECDHEKAKeyDerivation(shc,
+                x509Possession.popPrivateKey, ecdheCredentials.popPublicKey);
+        }
+
+        private SSLKeyDerivation createClientKeyDerivation(
+                ClientHandshakeContext chc) throws IOException {
+            ECDHEPossession ecdhePossession = null;
+            X509Credentials x509Credentials = null;
+            for (SSLPossession poss : chc.handshakePossessions) {
+                if (!(poss instanceof ECDHEPossession)) {
+                    continue;
+                }
+
+                NamedGroup ng = ((ECDHEPossession)poss).namedGroup;
+                for (SSLCredentials cred : chc.handshakeCredentials) {
+                    if (!(cred instanceof X509Credentials)) {
+                        continue;
+                    }
+
+                    PublicKey publicKey = ((X509Credentials)cred).popPublicKey;
+                    if (!publicKey.getAlgorithm().equals("EC")) {
+                        continue;
+                    }
+                    ECParameterSpec params =
+                            ((ECPublicKey)publicKey).getParams();
+                    NamedGroup namedGroup = NamedGroup.valueOf(params);
+                    if (namedGroup == null) {
+                        // unlikely, should have been checked previously
+                        chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                            "Unsupported EC server cert for ECDH key exchange");
+                    }
+
+                    if (ng.equals(namedGroup)) {
+                        x509Credentials = (X509Credentials)cred;
+                        break;
+                    }
+                }
+
+                if (x509Credentials != null) {
+                    ecdhePossession = (ECDHEPossession)poss;
+                    break;
+                }
+            }
+
+            if (ecdhePossession == null || x509Credentials == null) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No sufficient ECDH key agreement parameters negotiated");
+            }
+
+            return new ECDHEKAKeyDerivation(chc,
+                ecdhePossession.privateKey, x509Credentials.popPublicKey);
+        }
+    }
+
+    private static final
+            class ECDHEKAGenerator implements SSLKeyAgreementGenerator {
+        // Prevent instantiation of this class.
+        private ECDHEKAGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext context) throws IOException {
+            ECDHEPossession ecdhePossession = null;
+            ECDHECredentials ecdheCredentials = null;
+            for (SSLPossession poss : context.handshakePossessions) {
+                if (!(poss instanceof ECDHEPossession)) {
+                    continue;
+                }
+
+                NamedGroup ng = ((ECDHEPossession)poss).namedGroup;
+                for (SSLCredentials cred : context.handshakeCredentials) {
+                    if (!(cred instanceof ECDHECredentials)) {
+                        continue;
+                    }
+                    if (ng.equals(((ECDHECredentials)cred).namedGroup)) {
+                        ecdheCredentials = (ECDHECredentials)cred;
+                        break;
+                    }
+                }
+
+                if (ecdheCredentials != null) {
+                    ecdhePossession = (ECDHEPossession)poss;
+                    break;
+                }
+            }
+
+            if (ecdhePossession == null || ecdheCredentials == null) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No sufficient ECDHE key agreement parameters negotiated");
+            }
+
+            return new ECDHEKAKeyDerivation(context,
+                ecdhePossession.privateKey, ecdheCredentials.popPublicKey);
+        }
+    }
+
+    private static final
+            class ECDHEKAKeyDerivation implements SSLKeyDerivation {
+        private final HandshakeContext context;
+        private final PrivateKey localPrivateKey;
+        private final PublicKey peerPublicKey;
+
+        ECDHEKAKeyDerivation(HandshakeContext context,
+                PrivateKey localPrivateKey,
+                PublicKey peerPublicKey) {
+            this.context = context;
+            this.localPrivateKey = localPrivateKey;
+            this.peerPublicKey = peerPublicKey;
+        }
+
+        @Override
+        public SecretKey deriveKey(String algorithm,
+                AlgorithmParameterSpec params) throws IOException {
+            if (!context.negotiatedProtocol.useTLS13PlusSpec()) {
+                return t12DeriveKey(algorithm, params);
+            } else {
+                return t13DeriveKey(algorithm, params);
+            }
+        }
+
+        private SecretKey t12DeriveKey(String algorithm,
+                AlgorithmParameterSpec params) throws IOException {
+            try {
+                KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+                ka.init(localPrivateKey);
+                ka.doPhase(peerPublicKey, true);
+                SecretKey preMasterSecret =
+                        ka.generateSecret("TlsPremasterSecret");
+
+                SSLMasterKeyDerivation mskd =
+                        SSLMasterKeyDerivation.valueOf(
+                                context.negotiatedProtocol);
+                SSLKeyDerivation kd = mskd.createKeyDerivation(
+                        context, preMasterSecret);
+                return kd.deriveKey("TODO", params);
+            } catch (GeneralSecurityException gse) {
+                throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate secret").initCause(gse);
+            }
+        }
+
+        private SecretKey t13DeriveKey(String algorithm,
+                AlgorithmParameterSpec params) throws IOException {
+            try {
+                KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
+                ka.init(localPrivateKey);
+                ka.doPhase(peerPublicKey, true);
+                SecretKey sharedSecret =
+                        ka.generateSecret("TlsPremasterSecret");
+
+                HashAlg hashAlg = context.negotiatedCipherSuite.hashAlg;
+                SSLKeyDerivation kd = context.handshakeKeyDerivation;
+                HKDF hkdf = new HKDF(hashAlg.name);
+                if (kd == null) {   // No PSK is in use.
+                    // If PSK is not in use Early Secret will still be
+                    // HKDF-Extract(0, 0).
+                    byte[] zeros = new byte[hashAlg.hashLength];
+                    SecretKeySpec ikm =
+                            new SecretKeySpec(zeros, "TlsPreSharedSecret");
+                    SecretKey earlySecret =
+                            hkdf.extract(zeros, ikm, "TlsEarlySecret");
+                    kd = new SSLSecretDerivation(context, earlySecret);
+                }
+
+                // derive salt secret
+                SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
+
+                // derive handshake secret
+                return hkdf.extract(saltSecret, sharedSecret, algorithm);
+            } catch (GeneralSecurityException gse) {
+                throw (SSLHandshakeException) new SSLHandshakeException(
+                    "Could not generate secret").initCause(gse);
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java	2018-05-11 15:09:09.030098300 -0700
@@ -0,0 +1,549 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.ECParameterSpec;
+import java.security.spec.ECPoint;
+import java.security.spec.ECPublicKeySpec;
+import java.security.spec.InvalidKeySpecException;
+import java.text.MessageFormat;
+import java.util.EnumSet;
+import java.util.Locale;
+import sun.security.ssl.ECDHKeyExchange.ECDHECredentials;
+import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the ServerKeyExchange handshake message.
+ */
+final class ECDHServerKeyExchange {
+    static final SSLConsumer ecdheHandshakeConsumer =
+            new ECDHServerKeyExchangeConsumer();
+    static final HandshakeProducer ecdheHandshakeProducer =
+            new ECDHServerKeyExchangeProducer();
+
+    /**
+     * The ECDH ServerKeyExchange handshake message.
+     */
+    private static final
+            class ECDHServerKeyExchangeMessage extends HandshakeMessage {
+        private static final byte CURVE_NAMED_CURVE = (byte)0x03;
+
+        // id of the named curve
+        private final NamedGroup namedGroup;
+
+        // encoded public point
+        private final byte[] publicPoint;
+
+        // signature bytes, or null if anonymous
+        private final byte[] paramsSignature;
+
+        // public key object encapsulated in this message
+        private final ECPublicKey publicKey;
+
+        private final boolean useExplicitSigAlgorithm;
+
+        // the signature algorithm used by this ServerKeyExchange message
+        private final SignatureScheme signatureScheme;
+
+        ECDHServerKeyExchangeMessage(
+                HandshakeContext handshakeContext) throws IOException {
+            super(handshakeContext);
+
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            ECDHEPossession ecdhePossession = null;
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof ECDHEPossession) {
+                    ecdhePossession = (ECDHEPossession)possession;
+                    if (x509Possession != null) {
+                        break;
+                    }
+                } else if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    if (ecdhePossession != null) {
+                        break;
+                    }
+                }
+            }
+
+            if (ecdhePossession == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No ECDHE credentials negotiated for server key exchange");
+            }
+
+            publicKey = ecdhePossession.publicKey;
+            ECParameterSpec params = publicKey.getParams();
+            ECPoint point = publicKey.getW();
+            publicPoint = JsseJce.encodePoint(point, params.getCurve());
+
+            this.namedGroup = NamedGroup.valueOf(params);
+            if ((namedGroup == null) || (namedGroup.oid == null) ) {
+                // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unnamed EC parameter spec: " + params);
+            }
+
+            if (x509Possession == null) {
+                // anonymous, no authentication, no signature
+                paramsSignature = null;
+                signatureScheme = null;
+                useExplicitSigAlgorithm = false;
+            } else {
+                useExplicitSigAlgorithm =
+                        shc.negotiatedProtocol.useTLS12PlusSpec();
+                Signature signer = null;
+                if (useExplicitSigAlgorithm) {
+                    signatureScheme = SignatureScheme.getPreferableAlgorithm(
+                            shc.peerRequestedSignatureSchemes,
+                            x509Possession.popPrivateKey,
+                            shc.negotiatedProtocol);
+                    if (signatureScheme == null) {
+                        // Unlikely, the credentials generator should have
+                        // selected the preferable signature algorithm properly.
+                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                                "No preferred signature algorithm for " +
+                                x509Possession.popPrivateKey.getAlgorithm() +
+                                "  key");
+                    }
+                    try {
+                        signer = signatureScheme.getSignature();
+                    } catch (NoSuchAlgorithmException |
+                            InvalidAlgorithmParameterException nsae) {
+                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Unsupported signature algorithm: " +
+                            signatureScheme.name, nsae);
+                    }
+                } else {
+                    signatureScheme = null;
+                    try {
+                        signer = getSignature(
+                            x509Possession.popPrivateKey.getAlgorithm());
+                    } catch (NoSuchAlgorithmException e) {
+                        shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Unsupported signature algorithm: " +
+                            x509Possession.popPrivateKey.getAlgorithm(), e);
+                    }
+                }
+
+                byte[] signature = null;
+                try {
+                    signer.initSign(x509Possession.popPrivateKey);
+                    updateSignature(signer, shc.clientHelloRandom.randomBytes,
+                            shc.serverHelloRandom.randomBytes,
+                            namedGroup.id, publicPoint);
+                    signature = signer.sign();
+                } catch (InvalidKeyException | SignatureException ex) {
+                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failed to sign ecdhe parameters: " +
+                        x509Possession.popPrivateKey.getAlgorithm(), ex);
+                }
+                paramsSignature = signature;
+            }
+        }
+
+        ECDHServerKeyExchangeMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // This happens in client side only.
+            ClientHandshakeContext chc =
+                    (ClientHandshakeContext)handshakeContext;
+
+            byte curveType = (byte)Record.getInt8(m);
+            if (curveType != CURVE_NAMED_CURVE) {
+                // Unlikely as only the named curves should be negotiated.
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unsupported ECCurveType: " + curveType);
+            }
+
+            int namedGroupId = Record.getInt16(m);
+            this.namedGroup = NamedGroup.valueOf(namedGroupId);
+            if (namedGroup == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unknown named group ID: " + namedGroupId);
+            }
+
+            if (!SupportedGroups.isSupported(namedGroup)) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unsupported named group: " + namedGroup);
+            }
+
+            if (namedGroup.oid == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Unknown named EC curve: " + namedGroup);
+            }
+
+            ECParameterSpec parameters =
+                    JsseJce.getECParameterSpec(namedGroup.oid);
+            if (parameters == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No supported EC parameter: " + namedGroup);
+            }
+
+            publicPoint = Record.getBytes8(m);
+            if (publicPoint.length == 0) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Insufficient ECPoint data: " + namedGroup);
+            }
+
+            ECPublicKey ecPublicKey = null;
+            try {
+                ECPoint point =
+                        JsseJce.decodePoint(publicPoint, parameters.getCurve());
+                KeyFactory factory = JsseJce.getKeyFactory("EC");
+                ecPublicKey = (ECPublicKey)factory.generatePublic(
+                    new ECPublicKeySpec(point, parameters));
+            } catch (NoSuchAlgorithmException |
+                    InvalidKeySpecException | IOException ex) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid ECPoint: " + namedGroup, ex);
+            }
+
+            publicKey = ecPublicKey;
+
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : chc.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                // anonymous, no authentication, no signature
+                if (m.hasRemaining()) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid DH ServerKeyExchange: unknown extra data");
+                }
+                this.signatureScheme = null;
+                this.paramsSignature = null;
+                this.useExplicitSigAlgorithm = false;
+
+                return;
+            }
+
+            this.useExplicitSigAlgorithm =
+                    chc.negotiatedProtocol.useTLS12PlusSpec();
+            if (useExplicitSigAlgorithm) {
+                int ssid = Record.getInt16(m);
+                signatureScheme = SignatureScheme.valueOf(ssid);
+                if (signatureScheme == null) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid signature algorithm (" + ssid +
+                        ") used in ECDH ServerKeyExchange handshake message");
+                }
+
+                if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsupported signature algorithm (" +
+                        signatureScheme.name +
+                        ") used in ECDH ServerKeyExchange handshake message");
+                }
+            } else {
+                signatureScheme = null;
+            }
+
+            // read and verify the signature
+            paramsSignature = Record.getBytes16(m);
+            Signature signer;
+            if (useExplicitSigAlgorithm) {
+                try {
+                    signer = signatureScheme.getSignature();
+                } catch (NoSuchAlgorithmException |
+                        InvalidAlgorithmParameterException nsae) {
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm: " +
+                        signatureScheme.name, nsae);
+
+                    return;     // make the compiler happe
+                }
+            } else {
+                try {
+                    signer = getSignature(
+                        x509Credentials.popPublicKey.getAlgorithm());
+                } catch (NoSuchAlgorithmException e) {
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Unsupported signature algorithm: " +
+                        x509Credentials.popPublicKey.getAlgorithm(), e);
+
+                    return;     // make the compiler happe
+                }
+            }
+
+            try {
+                signer.initVerify(x509Credentials.popPublicKey);
+                updateSignature(signer,
+                        chc.clientHelloRandom.randomBytes,
+                        chc.serverHelloRandom.randomBytes,
+                        namedGroup.id, publicPoint);
+
+                if (!signer.verify(paramsSignature)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid ECDH ServerKeyExchange signature");
+                }
+            } catch (InvalidKeyException | SignatureException ex) {
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Cannot verify ECDH ServerKeyExchange signature", ex);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.SERVER_KEY_EXCHANGE;
+        }
+
+        @Override
+        public int messageLength() {
+            int sigLen = 0;
+            if (paramsSignature != null) {
+                sigLen = 2 + paramsSignature.length;
+                if (useExplicitSigAlgorithm) {
+                    sigLen += SignatureScheme.sizeInRecord();
+                }
+            }
+
+            return 4 + publicPoint.length + sigLen;
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putInt8(CURVE_NAMED_CURVE);
+            hos.putInt16(namedGroup.id);
+            hos.putBytes8(publicPoint);
+            if (paramsSignature != null) {
+                if (useExplicitSigAlgorithm) {
+                    hos.putInt16(signatureScheme.id);
+                }
+
+                hos.putBytes16(paramsSignature);
+            }
+        }
+
+        @Override
+        public String toString() {
+            if (useExplicitSigAlgorithm) {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"ECDH ServerKeyExchange\": '{'\n" +
+                    "  \"parameters\": '{'\n" +
+                    "    \"named group\": \"{0}\"\n" +
+                    "    \"ecdh public\": '{'\n" +
+                    "{1}\n" +
+                    "    '}',\n" +
+                    "  '}',\n" +
+                    "  \"digital signature\":  '{'\n" +
+                    "    \"signature algorithm\": \"{2}\"\n" +
+                    "    \"signature\": '{'\n" +
+                    "{3}\n" +
+                    "    '}',\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    namedGroup.name,
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(publicPoint), "      "),
+                    signatureScheme.name,
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(paramsSignature), "      ")
+                };
+                return messageFormat.format(messageFields);
+            } else if (paramsSignature != null) {
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"ECDH ServerKeyExchange\": '{'\n" +
+                    "  \"parameters\":  '{'\n" +
+                    "    \"named group\": \"{0}\"\n" +
+                    "    \"ecdh public\": '{'\n" +
+                    "{1}\n" +
+                    "    '}',\n" +
+                    "  '}',\n" +
+                    "  \"signature\": '{'\n" +
+                    "{2}\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    namedGroup.name,
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(publicPoint), "      "),
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(paramsSignature), "    ")
+                };
+
+                return messageFormat.format(messageFields);
+            } else {    // anonymous
+                MessageFormat messageFormat = new MessageFormat(
+                    "\"ECDH ServerKeyExchange\": '{'\n" +
+                    "  \"parameters\":  '{'\n" +
+                    "    \"named group\": \"{0}\"\n" +
+                    "    \"ecdh public\": '{'\n" +
+                    "{1}\n" +
+                    "    '}',\n" +
+                    "  '}'\n" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                Object[] messageFields = {
+                    namedGroup.name,
+                    Utilities.indent(
+                            hexEncoder.encodeBuffer(publicPoint), "      "),
+                };
+
+                return messageFormat.format(messageFields);
+            }
+        }
+
+        private static Signature getSignature(String keyAlgorithm)
+                throws NoSuchAlgorithmException {
+            switch (keyAlgorithm) {
+                case "EC":
+                    return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
+                case "RSA":
+                    return RSASignature.getInstance();
+                default:
+                    throw new NoSuchAlgorithmException(
+                        "neither an RSA or a EC key : " + keyAlgorithm);
+            }
+        }
+
+        private static void updateSignature(Signature sig,
+                byte[] clntNonce, byte[] svrNonce, int namedGroupId,
+                byte[] publicPoint) throws SignatureException {
+            sig.update(clntNonce);
+            sig.update(svrNonce);
+
+            sig.update(CURVE_NAMED_CURVE);
+            sig.update((byte)((namedGroupId >> 8) & 0xFF));
+            sig.update((byte)(namedGroupId & 0xFF));
+            sig.update((byte)publicPoint.length);
+            sig.update(publicPoint);
+        }
+    }
+
+    /**
+     * The ECDH "ServerKeyExchange" handshake message producer.
+     */
+    private static final
+            class ECDHServerKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ECDHServerKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ECDHServerKeyExchangeMessage skem =
+                    new ECDHServerKeyExchangeMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced ECDH ServerKeyExchange handshake message", skem);
+            }
+
+            // Output the handshake message.
+            skem.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The ECDH "ServerKeyExchange" handshake message consumer.
+     */
+    private static final
+            class ECDHServerKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ECDHServerKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            ECDHServerKeyExchangeMessage skem =
+                    new ECDHServerKeyExchangeMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming ECDH ServerKeyExchange handshake message", skem);
+            }
+
+            //
+            // validate
+            //
+            // check constraints of EC PublicKey
+            if (!chc.algorithmConstraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                    skem.publicKey)) {
+                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                        "ECDH ServerKeyExchange does not comply " +
+                        "to algorithm constraints");
+            }
+
+            //
+            // update
+            //
+            chc.handshakeCredentials.add(
+                    new ECDHECredentials(skem.publicKey, skem.namedGroup));
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+}
+
--- old/src/java.base/share/classes/sun/security/ssl/EllipticPointFormatsExtension.java	2018-05-11 15:09:11.360935200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,103 +0,0 @@
-/*
- * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
-
-import javax.net.ssl.SSLProtocolException;
-
-final class EllipticPointFormatsExtension extends HelloExtension {
-
-    static final int FMT_UNCOMPRESSED = 0;
-    static final int FMT_ANSIX962_COMPRESSED_PRIME = 1;
-    static final int FMT_ANSIX962_COMPRESSED_CHAR2 = 2;
-
-    static final HelloExtension DEFAULT =
-            new EllipticPointFormatsExtension(new byte[] {FMT_UNCOMPRESSED});
-
-    private final byte[] formats;
-
-    private EllipticPointFormatsExtension(byte[] formats) {
-        super(ExtensionType.EXT_EC_POINT_FORMATS);
-        this.formats = formats;
-    }
-
-    EllipticPointFormatsExtension(HandshakeInStream s, int len)
-            throws IOException {
-        super(ExtensionType.EXT_EC_POINT_FORMATS);
-        formats = s.getBytes8();
-        // RFC 4492 says uncompressed points must always be supported.
-        // Check just to make sure.
-        boolean uncompressed = false;
-        for (int format : formats) {
-            if (format == FMT_UNCOMPRESSED) {
-                uncompressed = true;
-                break;
-            }
-        }
-        if (uncompressed == false) {
-            throw new SSLProtocolException
-                ("Peer does not support uncompressed points");
-        }
-    }
-
-    @Override
-    int length() {
-        return 5 + formats.length;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(formats.length + 1);
-        s.putBytes8(formats);
-    }
-
-    private static String toString(byte format) {
-        int f = format & 0xff;
-        switch (f) {
-        case FMT_UNCOMPRESSED:
-            return "uncompressed";
-        case FMT_ANSIX962_COMPRESSED_PRIME:
-            return "ansiX962_compressed_prime";
-        case FMT_ANSIX962_COMPRESSED_CHAR2:
-            return "ansiX962_compressed_char2";
-        default:
-            return "unknown-" + f;
-        }
-    }
-
-    @Override
-    public String toString() {
-        List<String> list = new ArrayList<String>();
-        for (byte format : formats) {
-            list.add(toString(format));
-        }
-        return "Extension " + type + ", formats: " + list;
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java	2018-05-11 15:09:10.650209100 -0700
@@ -0,0 +1,302 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Locale;
+import javax.net.ssl.SSLProtocolException;
+import static sun.security.ssl.SSLExtension.CH_EC_POINT_FORMATS;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+
+/**
+ * Pack of the "ec_point_formats" extensions [RFC 4492].
+ */
+final class ECPointFormatsExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHECPointFormatsProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHECPointFormatsConsumer();
+
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHECPointFormatsConsumer();
+
+    static final SSLStringize epfStringize =
+            new ECPointFormatsStringize();
+
+    /**
+     * The "ec_point_formats" extension.
+     */
+    static class ECPointFormatsSpec implements SSLExtensionSpec {
+        static final ECPointFormatsSpec DEFAULT =
+            new ECPointFormatsSpec(new byte[] {ECPointFormat.UNCOMPRESSED.id});
+
+        final byte[] formats;
+
+        ECPointFormatsSpec(byte[] formats) {
+            this.formats = formats;
+        }
+
+        private ECPointFormatsSpec(ByteBuffer m) throws IOException {
+            if (!m.hasRemaining()) {
+                throw new SSLProtocolException(
+                    "Invalid ec_point_formats extension: " +
+                    "insufficient data");
+            }
+
+            this.formats = Record.getBytes8(m);
+        }
+
+        private boolean hasUncompressedFormat() {
+            for (byte format : formats) {
+                if (format == ECPointFormat.UNCOMPRESSED.id) {
+                    return true;
+                }
+            }
+
+            return false;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"formats\": '['{0}']'", Locale.ENGLISH);
+            if (formats == null || formats.length ==  0) {
+                Object[] messageFields = {
+                        "<no EC point format specified>"
+                    };
+                return messageFormat.format(messageFields);
+            } else {
+                StringBuilder builder = new StringBuilder(512);
+                boolean isFirst = true;
+                for (byte pf : formats) {
+                    if (isFirst) {
+                        isFirst = false;
+                    } else {
+                        builder.append(", ");
+                    }
+
+                    builder.append(ECPointFormat.nameOf(pf));
+                }
+
+                Object[] messageFields = {
+                        builder.toString()
+                    };
+
+                return messageFormat.format(messageFields);
+            }
+        }
+    }
+
+    private static final class ECPointFormatsStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new ECPointFormatsSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    private static enum ECPointFormat {
+        UNCOMPRESSED                    ((byte)0, "uncompressed"),
+        ANSIX962_COMPRESSED_PRIME       ((byte)1, "ansiX962_compressed_prime"),
+        FMT_ANSIX962_COMPRESSED_CHAR2   ((byte)2, "ansiX962_compressed_char2");
+
+        final byte id;
+        final String name;
+
+        private ECPointFormat(byte id, String name) {
+            this.id = id;
+            this.name = name;
+        }
+
+        static String nameOf(int id) {
+            for (ECPointFormat pf: ECPointFormat.values()) {
+                if (pf.id == id) {
+                    return pf.name;
+                }
+            }
+            return "UNDEFINED-EC-POINT-FORMAT(" + id + ")";
+        }
+    }
+
+    /**
+     * Network data producer of a "ec_point_formats" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHECPointFormatsProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHECPointFormatsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_EC_POINT_FORMATS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable ec_point_formats extension");
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            //
+            // produce the extension only if EC cipher suite is activated.
+            if (NamedGroupType.NAMED_GROUP_ECDHE.isSupported(
+                    chc.activeCipherSuites)) {
+                // We are using uncompressed ECPointFormat only at present.
+                byte[] extData = new byte[] {0x01, 0x00};
+
+                // Update the context.
+                chc.handshakeExtensions.put(
+                    CH_EC_POINT_FORMATS, ECPointFormatsSpec.DEFAULT);
+
+                return extData;
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Need no ec_point_formats extension");
+            }
+            return null;
+        }
+    }
+
+    /**
+     * Network data consumer of a "ec_point_formats" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHECPointFormatsConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHECPointFormatsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_EC_POINT_FORMATS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable ec_point_formats extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            ECPointFormatsSpec spec;
+            try {
+                spec = new ECPointFormatsSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // per RFC 4492, uncompressed points must always be supported.
+            if (!spec.hasUncompressedFormat()) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Invalid ec_point_formats extension data: " +
+                    "peer does not support uncompressed points");
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(CH_EC_POINT_FORMATS, spec);
+
+            // No impact on session resumption, as only uncompressed points
+            // are supported at present.
+        }
+    }
+
+    /**
+     * Network data consumer of a "ec_point_formats" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHECPointFormatsConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHECPointFormatsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "ec_point_formats" extension request only
+            ECPointFormatsSpec requestedSpec = (ECPointFormatsSpec)
+                    chc.handshakeExtensions.get(CH_EC_POINT_FORMATS);
+            if (requestedSpec == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected ec_point_formats extension in ServerHello");
+            }
+
+            // Parse the extension.
+            ECPointFormatsSpec spec;
+            try {
+                spec = new ECPointFormatsSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // per RFC 4492, uncompressed points must always be supported.
+            if (!spec.hasUncompressedFormat()) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Invalid ec_point_formats extension data: " +
+                        "peer does not support uncompressed points");
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(CH_EC_POINT_FORMATS, spec);
+
+            // No impact on session resumption, as only uncompressed points
+            // are supported at present.
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java	2018-05-11 15:09:12.504649500 -0700
@@ -0,0 +1,197 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Locale;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the EncryptedExtensions handshake message.
+ */
+final class EncryptedExtensions {
+    static final HandshakeProducer handshakeProducer =
+        new EncryptedExtensionsProducer();
+    static final SSLConsumer handshakeConsumer =
+        new EncryptedExtensionsConsumer();
+
+    /**
+     * The EncryptedExtensions handshake message.
+     */
+    static final class EncryptedExtensionsMessage extends HandshakeMessage {
+        private final SSLExtensions extensions;
+
+        EncryptedExtensionsMessage(
+                HandshakeContext handshakeContext) throws IOException {
+            super(handshakeContext);
+            this.extensions = new SSLExtensions(this);
+        }
+
+        EncryptedExtensionsMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // struct {
+            //     Extension extensions<0..2^16-1>;
+            // } EncryptedExtensions;
+            if (m.remaining() < 2) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Invalid EncryptedExtensions handshake message: " +
+                        "no sufficient data");
+            }
+
+            SSLExtension[] encryptedExtensions =
+                    handshakeContext.sslConfig.getEnabledExtensions(
+                            SSLHandshake.ENCRYPTED_EXTENSIONS);
+            this.extensions = new SSLExtensions(this, m, encryptedExtensions);
+        }
+
+        @Override
+        SSLHandshake handshakeType() {
+            return SSLHandshake.ENCRYPTED_EXTENSIONS;
+        }
+
+        @Override
+        int messageLength() {
+            int extLen = extensions.length();
+            if (extLen == 0) {
+                extLen = 2;     // empty extensions
+            }
+            return extLen;
+        }
+
+        @Override
+        void send(HandshakeOutStream hos) throws IOException {
+            // Is it an empty extensions?
+            if (extensions.length() == 0) {
+                hos.putInt16(0);
+            } else {
+                extensions.send(hos);
+            }
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"EncryptedExtensions\": [\n" +
+                    "{0}\n" +
+                    "]",
+                    Locale.ENGLISH);
+            Object[] messageFields = {
+                Utilities.indent(extensions.toString())
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The EncryptedExtensions handshake message consumer.
+     */
+    private static final class EncryptedExtensionsProducer
+            implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private EncryptedExtensionsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Change client/server handshake traffic secrets.
+            // TODO
+
+            EncryptedExtensionsMessage eem =
+                    new EncryptedExtensionsMessage(shc);
+            SSLExtension[] extTypes =
+                    shc.sslConfig.getEnabledExtensions(
+                            SSLHandshake.ENCRYPTED_EXTENSIONS,
+                            shc.negotiatedProtocol);
+            eem.extensions.produce(shc, extTypes);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced EncryptedExtensions message", eem);
+            }
+
+            // Output the handshake message.
+            eem.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The EncryptedExtensions handshake message consumer.
+     */
+    private static final class EncryptedExtensionsConsumer
+            implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private EncryptedExtensionsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.ENCRYPTED_EXTENSIONS.id);
+
+            EncryptedExtensionsMessage eem =
+                    new EncryptedExtensionsMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming EncryptedExtensions handshake message", eem);
+            }
+
+            //
+            // validate
+            //
+            SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.ENCRYPTED_EXTENSIONS);
+            eem.extensions.consumeOnLoad(chc, extTypes);
+
+            //
+            // update
+            //
+            // TODO: all extensions should be considered.
+            eem.extensions.consumeOnTrade(chc, extTypes);
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/Finished.java	2018-05-11 15:09:14.121468400 -0700
@@ -0,0 +1,1068 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+import java.security.ProviderException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.text.MessageFormat;
+import java.util.Locale;
+import javax.crypto.KeyGenerator;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import sun.security.internal.spec.TlsPrfParameterSpec;
+import sun.security.ssl.CipherSuite.HashAlg;
+import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
+import sun.security.ssl.SSLBasicKeyDerivation.SecretSizeSpec;
+import sun.security.ssl.SSLCipher.SSLReadCipher;
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the Finished handshake message.
+ */
+final class Finished {
+    static final SSLConsumer t12HandshakeConsumer =
+        new T12FinishedConsumer();
+    static final HandshakeProducer t12HandshakeProducer =
+        new T12FinishedProducer();
+
+    static final SSLConsumer t13HandshakeConsumer =
+        new T13FinishedConsumer();
+    static final HandshakeProducer t13HandshakeProducer =
+        new T13FinishedProducer();
+
+    /**
+     * The Finished handshake message.
+     */
+    private static final class FinishedMessage extends HandshakeMessage {
+        private final byte[] verifyData;
+
+        FinishedMessage(HandshakeContext context) throws IOException {
+            super(context);
+
+            VerifyDataScheme vds =
+                    VerifyDataScheme.valueOf(context.negotiatedProtocol);
+
+            byte[] vd = null;
+            try {
+                vd = vds.createVerifyData(context, false);
+            } catch (IOException ioe) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Failed to generate verify_data", ioe);
+            }
+
+            this.verifyData = vd;
+        }
+
+        FinishedMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+            int verifyDataLen = 12;
+            if (context.negotiatedProtocol == ProtocolVersion.SSL30) {
+                verifyDataLen = 36;
+            } else if (context.negotiatedProtocol.useTLS13PlusSpec()) {
+                verifyDataLen =
+                        context.negotiatedCipherSuite.hashAlg.hashLength;
+            }
+
+            if (m.remaining() != verifyDataLen) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Inappropriate finished message: need " + verifyDataLen +
+                    " but remine " + m.remaining() + " bytes verify_data");
+            }
+
+            this.verifyData = new byte[verifyDataLen];
+            m.get(verifyData);
+
+            VerifyDataScheme vd =
+                    VerifyDataScheme.valueOf(context.negotiatedProtocol);
+            byte[] myVerifyData;
+            try {
+                myVerifyData = vd.createVerifyData(context, true);
+            } catch (IOException ioe) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Failed to generate verify_data", ioe);
+                return;     // make the compiler happy
+            }
+            if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "The Finished message cannot be verified.");
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.FINISHED;
+        }
+
+        @Override
+        public int messageLength() {
+            return verifyData.length;
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.write(verifyData);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                    "\"Finished\": '{'\n" +
+                    "  \"verify data\": '{'\n" +
+                    "{0}\n" +
+                    "  '}'" +
+                    "'}'",
+                    Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                    Utilities.indent(hexEncoder.encode(verifyData), "    "),
+                };
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    interface VerifyDataGenerator {
+        byte[] createVerifyData(HandshakeContext context,
+                boolean isValidation) throws IOException;
+    }
+
+    enum VerifyDataScheme {
+        SSL30       ("kdf_ssl30", new S30VerifyDataGenerator()),
+        TLS10       ("kdf_tls10", new T10VerifyDataGenerator()),
+        TLS12       ("kdf_tls12", new T12VerifyDataGenerator()),
+        TLS13       ("kdf_tls13", new T13VerifyDataGenerator());
+
+        final String name;
+        final VerifyDataGenerator generator;
+
+        VerifyDataScheme(String name, VerifyDataGenerator verifyDataGenerator) {
+            this.name = name;
+            this.generator = verifyDataGenerator;
+        }
+
+        static VerifyDataScheme valueOf(ProtocolVersion protocolVersion) {
+            switch (protocolVersion) {
+                case SSL30:
+                    return VerifyDataScheme.SSL30;
+                case TLS10:
+                case TLS11:
+                case DTLS10:
+                    return VerifyDataScheme.TLS10;
+                case TLS12:
+                case DTLS12:
+                    return VerifyDataScheme.TLS12;
+                case TLS13:
+                case DTLS13:
+                    return VerifyDataScheme.TLS13;
+                default:
+                    return null;
+            }
+        }
+
+        public byte[] createVerifyData(HandshakeContext context,
+                boolean isValidation) throws IOException {
+            if (generator != null) {
+                return generator.createVerifyData(context, isValidation);
+            }
+
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
+    }
+
+    // SSL 3.0
+    private static final
+            class S30VerifyDataGenerator implements VerifyDataGenerator {
+        @Override
+        public byte[] createVerifyData(HandshakeContext context,
+                boolean isValidation) throws IOException {
+            HandshakeHash handshakeHash = context.handshakeHash;
+            SecretKey masterSecretKey =
+                    context.handshakeSession.getMasterSecret();
+
+            boolean useClientLabel =
+                    (context.sslConfig.isClientMode && !isValidation) ||
+                    (!context.sslConfig.isClientMode && isValidation);
+            return handshakeHash.digest(useClientLabel, masterSecretKey);
+        }
+    }
+
+    // TLS 1.0, TLS 1.1, DTLS 1.0
+    private static final
+            class T10VerifyDataGenerator implements VerifyDataGenerator {
+        @Override
+        public byte[] createVerifyData(HandshakeContext context,
+                boolean isValidation) throws IOException {
+            HandshakeHash handshakeHash = context.handshakeHash;
+            SecretKey masterSecretKey =
+                    context.handshakeSession.getMasterSecret();
+
+            boolean useClientLabel =
+                    (context.sslConfig.isClientMode && !isValidation) ||
+                    (!context.sslConfig.isClientMode && isValidation);
+            String tlsLabel;
+            if (useClientLabel) {
+                tlsLabel = "client finished";
+            } else {
+                tlsLabel = "server finished";
+            }
+
+            try {
+                byte[] seed = handshakeHash.digest();
+                String prfAlg = "SunTlsPrf";
+                HashAlg hashAlg = H_NONE;
+
+                /*
+                 * RFC 5246/7.4.9 says that finished messages can
+                 * be ciphersuite-specific in both length/PRF hash
+                 * algorithm.  If we ever run across a different
+                 * length, this call will need to be updated.
+                 */
+                @SuppressWarnings("deprecation")
+                TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
+                    masterSecretKey, tlsLabel, seed, 12,
+                    hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
+                KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
+                kg.init(spec);
+                SecretKey prfKey = kg.generateKey();
+                if (!"RAW".equals(prfKey.getFormat())) {
+                    throw new ProviderException(
+                        "Invalid PRF output, format must be RAW. " +
+                        "Format received: " + prfKey.getFormat());
+                }
+                byte[] finished = prfKey.getEncoded();
+                return finished;
+            } catch (GeneralSecurityException e) {
+                throw new RuntimeException("PRF failed", e);
+            }
+        }
+    }
+
+    // TLS 1.2
+    private static final
+            class T12VerifyDataGenerator implements VerifyDataGenerator {
+        @Override
+        public byte[] createVerifyData(HandshakeContext context,
+                boolean isValidation) throws IOException {
+            CipherSuite cipherSuite = context.negotiatedCipherSuite;
+            HandshakeHash handshakeHash = context.handshakeHash;
+            SecretKey masterSecretKey =
+                    context.handshakeSession.getMasterSecret();
+
+            boolean useClientLabel =
+                    (context.sslConfig.isClientMode && !isValidation) ||
+                    (!context.sslConfig.isClientMode && isValidation);
+            String tlsLabel;
+            if (useClientLabel) {
+                tlsLabel = "client finished";
+            } else {
+                tlsLabel = "server finished";
+            }
+
+            try {
+                byte[] seed = handshakeHash.digest();
+                String prfAlg = "SunTls12Prf";
+                HashAlg hashAlg = cipherSuite.hashAlg;
+
+                /*
+                 * RFC 5246/7.4.9 says that finished messages can
+                 * be ciphersuite-specific in both length/PRF hash
+                 * algorithm.  If we ever run across a different
+                 * length, this call will need to be updated.
+                 */
+                @SuppressWarnings("deprecation")
+                TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
+                    masterSecretKey, tlsLabel, seed, 12,
+                    hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
+                KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
+                kg.init(spec);
+                SecretKey prfKey = kg.generateKey();
+                if (!"RAW".equals(prfKey.getFormat())) {
+                    throw new ProviderException(
+                        "Invalid PRF output, format must be RAW. " +
+                        "Format received: " + prfKey.getFormat());
+                }
+                byte[] finished = prfKey.getEncoded();
+                return finished;
+            } catch (GeneralSecurityException e) {
+                throw new RuntimeException("PRF failed", e);
+            }
+        }
+    }
+
+    // TLS 1.2
+    private static final
+            class T13VerifyDataGenerator implements VerifyDataGenerator {
+        private static final byte[] hkdfLabel = "tls13 finished".getBytes();
+        private static final byte[] hkdfContext = new byte[0];
+
+        @Override
+        public byte[] createVerifyData(HandshakeContext context,
+                boolean isValidation) throws IOException {
+            // create finished secret key
+            HashAlg hashAlg =
+                    context.negotiatedCipherSuite.hashAlg;
+            SecretKey secret = isValidation ?
+                    context.baseReadSecret : context.baseWriteSecret;
+            SSLBasicKeyDerivation kdf = new SSLBasicKeyDerivation(
+                    secret, hashAlg.name,
+                    hkdfLabel, hkdfContext, hashAlg.hashLength);
+            AlgorithmParameterSpec keySpec =
+                    new SecretSizeSpec(hashAlg.hashLength);
+            SecretKey finishedSecret =
+                    kdf.deriveKey("TlsFinishedSecret", keySpec);
+
+            String hmacAlg =
+                "Hmac" + hashAlg.name.replace("-", "");
+            try {
+                Mac hmac = JsseJce.getMac(hmacAlg);
+                hmac.init(finishedSecret);
+                return hmac.doFinal(context.handshakeHash.digest());
+            } catch (NoSuchAlgorithmException |InvalidKeyException ex) {
+                throw new ProviderException(
+                        "Failed to generate verify_data", ex);
+            }
+        }
+    }
+
+    /**
+     * The "Finished" handshake message producer.
+     */
+    private static final
+            class T12FinishedProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T12FinishedProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+            if (hc.sslConfig.isClientMode) {
+                return onProduceFinished(
+                        (ClientHandshakeContext)context, message);
+            } else {
+                return onProduceFinished(
+                        (ServerHandshakeContext)context, message);
+            }
+        }
+
+        private byte[] onProduceFinished(ClientHandshakeContext chc,
+                HandshakeMessage message) throws IOException {
+            // Refresh handshake hash
+            chc.handshakeHash.update();
+
+            FinishedMessage fm = new FinishedMessage(chc);
+
+            // Change write cipher and delivery ChangeCipherSpec message.
+            ChangeCipherSpec.t10Producer.produce(chc, message);
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced client Finished handshake message", fm);
+            }
+
+            // Output the handshake message.
+            fm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            /*
+             * save server verify data for secure renegotiation
+             */
+            if (chc.conContext.secureRenegotiation) {
+                chc.conContext.clientVerifyData = fm.verifyData;
+            }
+
+            // update the consumers and producers
+            if (!chc.isResumption) {
+                chc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
+                        ChangeCipherSpec.t10Consumer);
+                chc.handshakeConsumers.put(
+                        SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
+                chc.conContext.inputRecord.expectingFinishFlight();
+            } else {
+                if (chc.handshakeSession.isRejoinable()) {
+                    ((SSLSessionContextImpl)chc.sslContext.
+                        engineGetClientSessionContext()).put(
+                            chc.handshakeSession);
+                }
+                chc.conContext.conSession = chc.handshakeSession;
+                chc.conContext.protocolVersion = chc.negotiatedProtocol;
+
+                // handshake context cleanup.
+                chc.handshakeFinished = true;
+
+                // May need to retransmit the last flight for DTLS.
+                if (!chc.sslContext.isDTLS()) {
+                    chc.conContext.finishHandshake();
+                }
+            }
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private byte[] onProduceFinished(ServerHandshakeContext shc,
+                HandshakeMessage message) throws IOException {
+            // Refresh handshake hash
+            shc.handshakeHash.update();
+
+            FinishedMessage fm = new FinishedMessage(shc);
+
+            // Change write cipher and delivery ChangeCipherSpec message.
+            ChangeCipherSpec.t10Producer.produce(shc, message);
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced server Finished handshake message", fm);
+            }
+
+            // Output the handshake message.
+            fm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            /*
+             * save client verify data for secure renegotiation
+             */
+            if (shc.conContext.secureRenegotiation) {
+                shc.conContext.serverVerifyData = fm.verifyData;
+            }
+
+            // update the consumers and producers
+            if (shc.isResumption) {
+                shc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
+                        ChangeCipherSpec.t10Consumer);
+                shc.handshakeConsumers.put(
+                        SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
+                shc.conContext.inputRecord.expectingFinishFlight();
+            } else {
+                if (shc.handshakeSession.isRejoinable()) {
+                    ((SSLSessionContextImpl)shc.sslContext.
+                        engineGetServerSessionContext()).put(
+                            shc.handshakeSession);
+                }
+                shc.conContext.conSession = shc.handshakeSession;
+                shc.conContext.protocolVersion = shc.negotiatedProtocol;
+
+                // handshake context cleanup.
+                shc.handshakeFinished = true;
+
+                // May need to retransmit the last flight for DTLS.
+                if (!shc.sslContext.isDTLS()) {
+                    shc.conContext.finishHandshake();
+                }
+            }
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "Finished" handshake message consumer.
+     */
+    private static final class T12FinishedConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T12FinishedConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+
+            // This comsumer can be used only once.
+            hc.handshakeConsumers.remove(SSLHandshake.FINISHED.id);
+
+            // We should not be processing finished messages unless
+            // we have received ChangeCipherSpec
+            if (hc.conContext.consumers.containsKey(
+                    ContentType.CHANGE_CIPHER_SPEC.id)) {
+                hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Missing ChangeCipherSpec message");
+            }
+
+            if (hc.sslConfig.isClientMode) {
+                onConsumeFinished((ClientHandshakeContext)context, message);
+            } else {
+                onConsumeFinished((ServerHandshakeContext)context, message);
+            }
+        }
+
+        private void onConsumeFinished(ClientHandshakeContext chc,
+                ByteBuffer message) throws IOException {
+            FinishedMessage fm = new FinishedMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming server Finished handshake message", fm);
+            }
+
+            if (chc.conContext.secureRenegotiation) {
+                chc.conContext.serverVerifyData = fm.verifyData;
+            }
+
+            if (!chc.isResumption) {
+                if (chc.handshakeSession.isRejoinable()) {
+                    ((SSLSessionContextImpl)chc.sslContext.
+                        engineGetClientSessionContext()).put(
+                            chc.handshakeSession);
+                }
+                chc.conContext.conSession = chc.handshakeSession;
+                chc.conContext.protocolVersion = chc.negotiatedProtocol;
+
+                // handshake context cleanup.
+                chc.handshakeFinished = true;
+
+                // May need to retransmit the last flight for DTLS.
+                if (!chc.sslContext.isDTLS()) {
+                    chc.conContext.finishHandshake();
+                }
+            } else {
+                chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
+                        SSLHandshake.FINISHED);
+            }
+
+            //
+            // produce
+            //
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                SSLHandshake.FINISHED
+            };
+
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        chc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(chc, fm);
+                }
+            }
+        }
+
+        private void onConsumeFinished(ServerHandshakeContext shc,
+                ByteBuffer message) throws IOException {
+            FinishedMessage fm = new FinishedMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming client Finished handshake message", fm);
+            }
+
+            if (shc.conContext.secureRenegotiation) {
+                shc.conContext.clientVerifyData = fm.verifyData;
+            }
+
+            if (shc.isResumption) {
+                if (shc.handshakeSession.isRejoinable()) {
+                    ((SSLSessionContextImpl)shc.sslContext.
+                        engineGetServerSessionContext()).put(
+                            shc.handshakeSession);
+                }
+                shc.conContext.conSession = shc.handshakeSession;
+                shc.conContext.protocolVersion = shc.negotiatedProtocol;
+
+                // handshake context cleanup.
+                shc.handshakeFinished = true;
+
+                // May need to retransmit the last flight for DTLS.
+                if (!shc.sslContext.isDTLS()) {
+                    shc.conContext.finishHandshake();
+                }
+            } else {
+                shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
+                        SSLHandshake.FINISHED);
+            }
+
+            //
+            // produce
+            //
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                SSLHandshake.FINISHED
+            };
+
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        shc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(shc, fm);
+                }
+            }
+        }
+    }
+
+    /**
+     * The "Finished" handshake message producer.
+     */
+    private static final
+            class T13FinishedProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13FinishedProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+            if (hc.sslConfig.isClientMode) {
+                return onProduceFinished(
+                        (ClientHandshakeContext)context, message);
+            } else {
+                return onProduceFinished(
+                        (ServerHandshakeContext)context, message);
+            }
+        }
+
+        private byte[] onProduceFinished(ClientHandshakeContext chc,
+                HandshakeMessage message) throws IOException {
+            // Refresh handshake hash
+            chc.handshakeHash.update();
+
+            FinishedMessage fm = new FinishedMessage(chc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced client Finished handshake message", fm);
+            }
+
+            // Output the handshake message.
+            fm.write(chc.handshakeOutput);
+            chc.handshakeOutput.flush();
+
+            // save server verify data for secure renegotiation
+            if (chc.conContext.secureRenegotiation) {
+                chc.conContext.clientVerifyData = fm.verifyData;
+            }
+
+            // update the context
+            // Change client/server application traffic secrets.
+            SSLKeyDerivation kd = chc.handshakeKeyDerivation;
+            if (kd == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "no key derivation");
+                return null;    // make the compiler happy
+            }
+
+            SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+            if (kdg == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                        chc.negotiatedProtocol);
+                return null;    // make the compiler happy
+            }
+
+            try {
+                // update the application traffic read keys.
+                SecretKey writeSecret = kd.deriveKey(
+                        "TlsClientAppTrafficSecret", null);
+
+                SSLKeyDerivation writeKD =
+                        kdg.createKeyDerivation(chc, writeSecret);
+                SecretKey writeKey = writeKD.deriveKey(
+                        "TlsKey", null);
+                SecretKey writeIvSecret = writeKD.deriveKey(
+                        "TlsIv", null);
+                IvParameterSpec writeIv =
+                        new IvParameterSpec(writeIvSecret.getEncoded());
+                SSLWriteCipher writeCipher =
+                        chc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
+                                Authenticator.valueOf(chc.negotiatedProtocol),
+                                chc.negotiatedProtocol, writeKey, writeIv,
+                                chc.sslContext.getSecureRandom());
+
+                chc.baseWriteSecret = writeSecret;
+                chc.conContext.outputRecord.changeWriteCiphers(
+                        writeCipher, false);
+
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failure to derive application secrets", gse);
+                return null;    // make the compiler happy
+            }
+
+            // The resumption master secret is stored in the session so
+            // it can be used after the handshake is completed.
+            SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc);
+            SecretKey resumptionMasterSecret = sd.deriveKey(
+            "TlsResumptionMasterSecret", null);
+            chc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
+
+            chc.conContext.conSession = chc.handshakeSession;
+            chc.conContext.protocolVersion = chc.negotiatedProtocol;
+
+            // handshake context cleanup.
+            chc.handshakeFinished = true;
+            chc.conContext.finishHandshake();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private byte[] onProduceFinished(ServerHandshakeContext shc,
+                HandshakeMessage message) throws IOException {
+            // Refresh handshake hash
+            shc.handshakeHash.update();
+
+            FinishedMessage fm = new FinishedMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced server Finished handshake message", fm);
+            }
+
+            // Output the handshake message.
+            fm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // Change client/server application traffic secrets.
+            SSLKeyDerivation kd = shc.handshakeKeyDerivation;
+            if (kd == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "no key derivation");
+                return null;    // make the compiler happy
+            }
+
+            SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+            if (kdg == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                        shc.negotiatedProtocol);
+                return null;    // make the compiler happy
+            }
+
+            // derive salt secret
+            try {
+                SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
+
+                // derive application secrets
+                HashAlg hashAlg = shc.negotiatedCipherSuite.hashAlg;
+                HKDF hkdf = new HKDF(hashAlg.name);
+                byte[] zeros = new byte[hashAlg.hashLength];
+                SecretKeySpec sharedSecret =
+                        new SecretKeySpec(zeros, "TlsZeroSecret");
+                SecretKey masterSecret =
+                    hkdf.extract(saltSecret, sharedSecret, "TlsMasterSecret");
+
+                SSLKeyDerivation secretKD =
+                        new SSLSecretDerivation(shc, masterSecret);
+
+                // update the handshake traffic write keys.
+                SecretKey writeSecret = secretKD.deriveKey(
+                        "TlsServerAppTrafficSecret", null);
+                SSLKeyDerivation writeKD =
+                        kdg.createKeyDerivation(shc, writeSecret);
+                SecretKey writeKey = writeKD.deriveKey(
+                        "TlsKey", null);
+                SecretKey writeIvSecret = writeKD.deriveKey(
+                        "TlsIv", null);
+                IvParameterSpec writeIv =
+                        new IvParameterSpec(writeIvSecret.getEncoded());
+                SSLWriteCipher writeCipher =
+                        shc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
+                                Authenticator.valueOf(shc.negotiatedProtocol),
+                                shc.negotiatedProtocol, writeKey, writeIv,
+                                shc.sslContext.getSecureRandom());
+
+                shc.baseWriteSecret = writeSecret;
+                shc.conContext.outputRecord.changeWriteCiphers(
+                        writeCipher, false);
+
+                // TODO: the exporter_master_secret
+
+                // update the context for the following key derivation
+                shc.handshakeKeyDerivation = secretKD;
+            } catch (GeneralSecurityException gse) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failure to derive application secrets", gse);
+                return null;    // make the compiler happy
+            }
+
+            /*
+             * save client verify data for secure renegotiation
+             */
+            if (shc.conContext.secureRenegotiation) {
+                shc.conContext.serverVerifyData = fm.verifyData;
+            }
+
+            // update the context
+            shc.handshakeConsumers.put(
+                    SSLHandshake.FINISHED.id, SSLHandshake.FINISHED);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "Finished" handshake message consumer.
+     */
+    private static final class T13FinishedConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private T13FinishedConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in handshake context only.
+            HandshakeContext hc = (HandshakeContext)context;
+            if (hc.sslConfig.isClientMode) {
+                onConsumeFinished(
+                        (ClientHandshakeContext)context, message);
+            } else {
+                onConsumeFinished(
+                        (ServerHandshakeContext)context, message);
+            }
+        }
+
+        private void onConsumeFinished(ClientHandshakeContext chc,
+                ByteBuffer message) throws IOException {
+            FinishedMessage fm = new FinishedMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming server Finished handshake message", fm);
+            }
+
+            // Save client verify data for secure renegotiation.
+            if (chc.conContext.secureRenegotiation) {
+                chc.conContext.serverVerifyData = fm.verifyData;
+            }
+
+            //
+            // validate
+            //
+            // blank
+
+            //
+            // update
+            //
+            // A change_cipher_spec record received after the peer's Finished
+            // message MUST be treated as an unexpected record type.
+            chc.conContext.consumers.remove(ContentType.CHANGE_CIPHER_SPEC.id);
+
+            // Change client/server application traffic secrets.
+            // Refresh handshake hash
+            chc.handshakeHash.update();
+            SSLKeyDerivation kd = chc.handshakeKeyDerivation;
+            if (kd == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "no key derivation");
+                return;    // make the compiler happy
+            }
+
+            SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+            if (kdg == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                        chc.negotiatedProtocol);
+                return;    // make the compiler happy
+            }
+
+            // derive salt secret
+            try {
+                SecretKey saltSecret = kd.deriveKey("TlsSaltSecret", null);
+
+                // derive application secrets
+                HashAlg hashAlg = chc.negotiatedCipherSuite.hashAlg;
+                HKDF hkdf = new HKDF(hashAlg.name);
+                byte[] zeros = new byte[hashAlg.hashLength];
+                SecretKeySpec sharedSecret =
+                        new SecretKeySpec(zeros, "TlsZeroSecret");
+                SecretKey masterSecret =
+                    hkdf.extract(saltSecret, sharedSecret, "TlsMasterSecret");
+
+                SSLKeyDerivation secretKD =
+                        new SSLSecretDerivation(chc, masterSecret);
+
+                // update the handshake traffic read keys.
+                SecretKey readSecret = secretKD.deriveKey(
+                        "TlsServerAppTrafficSecret", null);
+                SSLKeyDerivation writeKD =
+                        kdg.createKeyDerivation(chc, readSecret);
+                SecretKey readKey = writeKD.deriveKey(
+                        "TlsKey", null);
+                SecretKey readIvSecret = writeKD.deriveKey(
+                        "TlsIv", null);
+                IvParameterSpec readIv =
+                        new IvParameterSpec(readIvSecret.getEncoded());
+                SSLReadCipher readCipher =
+                        chc.negotiatedCipherSuite.bulkCipher.createReadCipher(
+                                Authenticator.valueOf(chc.negotiatedProtocol),
+                                chc.negotiatedProtocol, readKey, readIv,
+                                chc.sslContext.getSecureRandom());
+
+                chc.baseReadSecret = readSecret;
+                chc.conContext.inputRecord.changeReadCiphers(readCipher);
+
+                // TODO: the exporter_master_secret
+
+                // update the context for the following key derivation
+                chc.handshakeKeyDerivation = secretKD;
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failure to derive application secrets", gse);
+                return;    // make the compiler happy
+            }
+
+            //
+            // produce
+            //
+            chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
+                        SSLHandshake.FINISHED);
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                // full handshake messages
+                SSLHandshake.CERTIFICATE,
+                SSLHandshake.CERTIFICATE_VERIFY,
+                SSLHandshake.FINISHED
+            };
+
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        chc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(chc, null);
+                }
+            }
+        }
+
+        private void onConsumeFinished(ServerHandshakeContext shc,
+                ByteBuffer message) throws IOException {
+            FinishedMessage fm = new FinishedMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming client Finished handshake message", fm);
+            }
+
+            if (shc.conContext.secureRenegotiation) {
+                shc.conContext.clientVerifyData = fm.verifyData;
+            }
+
+            //
+            // validate
+            //
+            // blank
+
+            //
+            // update
+            //
+            // Change client/server application traffic secrets.
+            SSLKeyDerivation kd = shc.handshakeKeyDerivation;
+            if (kd == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "no key derivation");
+                return;    // make the compiler happy
+            }
+
+            SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+            if (kdg == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                        shc.negotiatedProtocol);
+                return;    // make the compiler happy
+            }
+
+            try {
+                // update the application traffic read keys.
+                SecretKey readSecret = kd.deriveKey(
+                        "TlsClientAppTrafficSecret", null);
+
+                SSLKeyDerivation readKD =
+                        kdg.createKeyDerivation(shc, readSecret);
+                SecretKey readKey = readKD.deriveKey(
+                        "TlsKey", null);
+                SecretKey readIvSecret = readKD.deriveKey(
+                        "TlsIv", null);
+                IvParameterSpec readIv =
+                        new IvParameterSpec(readIvSecret.getEncoded());
+                SSLReadCipher readCipher =
+                        shc.negotiatedCipherSuite.bulkCipher.createReadCipher(
+                                Authenticator.valueOf(shc.negotiatedProtocol),
+                                shc.negotiatedProtocol, readKey, readIv,
+                                shc.sslContext.getSecureRandom());
+
+                shc.baseReadSecret = readSecret;
+                shc.conContext.inputRecord.changeReadCiphers(readCipher);
+
+                // The resumption master secret is stored in the session so
+                // it can be used after the handshake is completed.
+                shc.handshakeHash.update();
+                SSLSecretDerivation sd = ((SSLSecretDerivation)kd).forContext(shc);
+                SecretKey resumptionMasterSecret = sd.deriveKey(
+                "TlsResumptionMasterSecret", null);
+                shc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
+            } catch (GeneralSecurityException gse) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failure to derive application secrets", gse);
+                return;    // make the compiler happy
+            }
+
+            //  update connection context
+            shc.conContext.conSession = shc.handshakeSession;
+            shc.conContext.protocolVersion = shc.negotiatedProtocol;
+
+            // handshake context cleanup.
+            shc.handshakeFinished = true;
+
+            // May need to retransmit the last flight for DTLS.
+            if (!shc.sslContext.isDTLS()) {
+                shc.conContext.finishHandshake();
+            }
+
+            //
+            // produce
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Sending new session ticket");
+            }
+            NewSessionTicket.kickstartProducer.produce(shc);
+
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HKDF.java	2018-05-11 15:09:15.746683200 -0700
@@ -0,0 +1,232 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidKeyException;
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+import javax.crypto.ShortBufferException;
+import javax.crypto.spec.SecretKeySpec;
+import java.util.Objects;
+
+/**
+ * An implementation of the HKDF key derivation algorithm outlined in RFC 5869,
+ * specific to the needs of TLS 1.3 key derivation in JSSE.  This is not a
+ * general purpose HKDF implementation and is suited only to single-key output
+ * derivations.
+ *
+ * HKDF objects are created by specifying a message digest algorithm.  That
+ * digest algorithm will be used by the HMAC function as part of the HKDF
+ * derivation process.
+ */
+class HKDF {
+    private final String hmacAlg;
+    private final Mac hmacObj;
+    private final int hmacLen;
+
+    /**
+     * Create an HDKF object, specifying the underlying message digest
+     * algorithm.
+     *
+     * @param hashAlg a standard name corresponding to a supported message
+     * digest algorithm.
+     *
+     * @throws NoSuchAlgorithmException if that message digest algorithm does
+     * not have an HMAC variant supported on any available provider.
+     */
+    HKDF(String hashAlg) throws NoSuchAlgorithmException {
+        Objects.requireNonNull(hashAlg,
+                "Must provide underlying HKDF Digest algorithm.");
+        hmacAlg = "Hmac" + hashAlg.replace("-", "");
+        hmacObj = Mac.getInstance(hmacAlg);
+        hmacLen = hmacObj.getMacLength();
+    }
+
+    /**
+     * Perform the HMAC-Extract derivation.
+     *
+     * @param salt a salt value, implemented as a {@code SecretKey}.  A
+     * {@code null} value is allowed, which will internally use an array of
+     * zero bytes the same size as the underlying hash output length.
+     * @param inputKey the input keying material provided as a
+     * {@code SecretKey}.
+     * @param keyAlg the algorithm name assigned to the resulting
+     * {@code SecretKey} object.
+     *
+     * @return a {@code SecretKey} that is the result of the HKDF extract
+     * operation.
+     *
+     * @throws InvalidKeyException if the {@code salt} parameter cannot be
+     * used to initialize the underlying HMAC.
+     */
+    SecretKey extract(SecretKey salt, SecretKey inputKey, String keyAlg)
+            throws InvalidKeyException {
+        if (salt == null) {
+            salt = new SecretKeySpec(new byte[hmacLen], "HKDF-Salt");
+        }
+        hmacObj.init(salt);
+
+        return new SecretKeySpec(hmacObj.doFinal(inputKey.getEncoded()),
+                keyAlg);
+    }
+
+    /**
+     * Perform the HMAC-Extract derivation.
+     *
+     * @param salt a salt value as cleartext bytes.  A {@code null} value is
+     * allowed, which will internally use an array of zero bytes the same
+     * size as the underlying hash output length.
+     * @param inputKey the input keying material provided as a
+     * {@code SecretKey}.
+     * @param keyAlg the algorithm name assigned to the resulting
+     * {@code SecretKey} object.
+     *
+     * @return a {@code SecretKey} that is the result of the HKDF extract
+     * operation.
+     *
+     * @throws InvalidKeyException if the {@code salt} parameter cannot be
+     * used to initialize the underlying HMAC.
+     */
+    SecretKey extract(byte[] salt, SecretKey inputKey, String keyAlg)
+            throws InvalidKeyException {
+        if (salt == null) {
+            salt = new byte[hmacLen];
+        }
+        return extract(new SecretKeySpec(salt, "HKDF-Salt"), inputKey, keyAlg);
+    }
+
+    /**
+     * Perform the HKDF-Expand derivation for a single-key output.
+     *
+     * @param pseudoRandKey the pseudo random key (PRK).
+     * @param info optional context-specific info.  A {@code null} value is
+     * allowed in which case a zero-length byte array will be used.
+     * @param outLen the length of the resulting {@code SecretKey}
+     * @param keyAlg the algorithm name applied to the resulting
+     * {@code SecretKey}
+     *
+     * @return the resulting key derivation as a {@code SecretKey} object
+     *
+     * @throws InvalidKeyException if the underlying HMAC operation cannot
+     * be initialized using the provided {@code pseudoRandKey} object.
+     */
+    SecretKey expand(SecretKey pseudoRandKey, byte[] info, int outLen,
+            String keyAlg) throws InvalidKeyException {
+        byte[] kdfOutput;
+
+        // Calculate the number of rounds of HMAC that are needed to
+        // meet the requested data.  Then set up the buffers we will need.
+        Objects.requireNonNull(pseudoRandKey, "A null PRK is not allowed.");
+        hmacObj.init(pseudoRandKey);
+        if (info == null) {
+            info = new byte[0];
+        }
+        int rounds = (outLen + hmacLen - 1) / hmacLen;
+        kdfOutput = new byte[rounds * hmacLen];
+        int offset = 0;
+        int tLength = 0;
+
+        for (int i = 0; i < rounds ; i++) {
+
+            // Calculate this round
+            try {
+                 // Add T(i).  This will be an empty string on the first
+                 // iteration since tLength starts at zero.  After the first
+                 // iteration, tLength is changed to the HMAC length for the
+                 // rest of the loop.
+                hmacObj.update(kdfOutput,
+                        Math.max(0, offset - hmacLen), tLength);
+                hmacObj.update(info);                       // Add info
+                hmacObj.update((byte)(i + 1));              // Add round number
+                hmacObj.doFinal(kdfOutput, offset);
+
+                tLength = hmacLen;
+                offset += hmacLen;                       // For next iteration
+            } catch (ShortBufferException sbe) {
+                // This really shouldn't happen given that we've
+                // sized the buffers to their largest possible size up-front,
+                // but just in case...
+                throw new RuntimeException(sbe);
+            }
+        }
+
+        return new SecretKeySpec(kdfOutput, 0, outLen, keyAlg);
+    }
+
+    /**
+     * Perform the HKDF Extract-then-Expand operation.
+     *
+     * @param inputKey the input keying material provided as a
+     * {@code SecretKey}.
+     * @param salt a salt value, implemented as a {@code SecretKey}.  A
+     * {@code null} value is allowed, which will internally use an array of
+     * zero bytes the same size as the underlying hash output length.
+     * @param info optional context-specific info.  A {@code null} value is
+     * allowed in which case a zero-length byte array will be used.
+     * @param outLen the length of the resulting {@code SecretKey}
+     * @param keyAlg the algorithm name applied to the resulting
+     * {@code SecretKey}
+     *
+     * @return the resulting derivation stored in a {@code SecretKey} object.
+     *
+     * @throws InvalidKeyException if initialization of the underlying HMAC
+     * process fails with the salt during the extract phase, or with the
+     * resulting PRK during the expand phase.
+     */
+    SecretKey extractExpand(SecretKey inputKey, SecretKey salt, byte[] info,
+            int outLen, String keyAlg) throws InvalidKeyException {
+        SecretKey prk = extract(salt, inputKey, "HKDF-PRK");
+        return expand(prk, info, outLen, keyAlg);
+    }
+
+    /**
+     * Perform the HKDF Extract-then-Expand operation.
+     *
+     * @param inputKey the input keying material provided as a
+     * {@code SecretKey}.
+     * @param salt a salt value as cleartext bytes.  A {@code null} value is
+     * allowed, which will internally use an array of zero bytes the same
+     * size as the underlying hash output length.
+     * @param info optional context-specific info.  A {@code null} value is
+     * allowed in which case a zero-length byte array will be used.
+     * @param outLen the length of the resulting {@code SecretKey}
+     * @param keyAlg the algorithm name applied to the resulting
+     * {@code SecretKey}
+     *
+     * @return the resulting derivation stored in a {@code SecretKey} object.
+     *
+     * @throws InvalidKeyException if initialization of the underlying HMAC
+     * process fails with the salt during the extract phase, or with the
+     * resulting PRK during the expand phase.
+     */
+    SecretKey extractExpand(SecretKey inputKey, byte[] salt, byte[] info,
+            int outLen, String keyAlg) throws InvalidKeyException {
+        byte[] saltBytes = (salt != null) ? salt : new byte[hmacLen];
+        return extractExpand(inputKey,
+            new SecretKeySpec(saltBytes, "HKDF-PRK"), info, outLen, keyAlg);
+    }
+}
\ No newline at end of file
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HandshakeAbsence.java	2018-05-11 15:09:17.387733500 -0700
@@ -0,0 +1,42 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Interface for handshake message or extension absence on handshake
+ * message processing.
+ *
+ * This is typically used after the SSLSession object created, so that the
+ * extension can update/impact the session object.
+ */
+interface HandshakeAbsence {
+    void absent(ConnectionContext context,
+            HandshakeMessage message) throws IOException;
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HandshakeConsumer.java	2018-05-11 15:09:19.154134600 -0700
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+interface HandshakeConsumer {
+    // message: the handshake message to be comsumed.
+    void consume(ConnectionContext context,
+            HandshakeMessage message) throws IOException;
+}
--- old/src/java.base/share/classes/sun/security/ssl/Handshaker.java	2018-05-11 15:09:21.723224000 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,1623 +0,0 @@
-/*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.ssl;
-
-import java.io.*;
-import java.util.*;
-import java.security.*;
-import java.nio.ByteBuffer;
-import java.util.function.BiFunction;
-
-import javax.crypto.*;
-import javax.crypto.spec.*;
-
-import javax.net.ssl.*;
-import sun.security.util.HexDumpEncoder;
-
-import sun.security.internal.spec.*;
-import sun.security.internal.interfaces.TlsMasterSecret;
-
-import sun.security.ssl.HandshakeMessage.*;
-import sun.security.ssl.CipherSuite.*;
-
-import static sun.security.ssl.CipherSuite.PRF.*;
-import static sun.security.ssl.CipherSuite.CipherType.*;
-import static sun.security.ssl.NamedGroupType.*;
-
-/**
- * Handshaker ... processes handshake records from an SSL V3.0
- * data stream, handling all the details of the handshake protocol.
- *
- * Note that the real protocol work is done in two subclasses, the  base
- * class just provides the control flow and key generation framework.
- *
- * @author David Brownell
- */
-abstract class Handshaker {
-
-    // protocol version being established using this Handshaker
-    ProtocolVersion protocolVersion;
-
-    // the currently active protocol version during a renegotiation
-    ProtocolVersion     activeProtocolVersion;
-
-    // security parameters for secure renegotiation.
-    boolean             secureRenegotiation;
-    byte[]              clientVerifyData;
-    byte[]              serverVerifyData;
-
-    // Is it an initial negotiation  or a renegotiation?
-    boolean                     isInitialHandshake;
-
-    // List of enabled protocols
-    private ProtocolList        enabledProtocols;
-
-    // List of enabled CipherSuites
-    private CipherSuiteList     enabledCipherSuites;
-
-    // The endpoint identification protocol
-    String                      identificationProtocol;
-
-    // The cryptographic algorithm constraints
-    AlgorithmConstraints        algorithmConstraints = null;
-
-    // Local supported signature and algorithms
-    private Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs;
-
-    // Peer supported signature and algorithms
-    Collection<SignatureAndHashAlgorithm> peerSupportedSignAlgs;
-
-    /*
-     * List of active protocols
-     *
-     * Active protocols is a subset of enabled protocols, and will
-     * contain only those protocols that have vaild cipher suites
-     * enabled.
-     */
-    private ProtocolList       activeProtocols;
-
-    /*
-     * List of active cipher suites
-     *
-     * Active cipher suites is a subset of enabled cipher suites, and will
-     * contain only those cipher suites available for the active protocols.
-     */
-    private CipherSuiteList     activeCipherSuites;
-
-    // The server name indication and matchers
-    List<SNIServerName> serverNames = Collections.<SNIServerName>emptyList();
-    Collection<SNIMatcher> sniMatchers = Collections.<SNIMatcher>emptyList();
-
-    // List of local ApplicationProtocols
-    String[] localApl = null;
-
-    // Negotiated ALPN value
-    String applicationProtocol = null;
-
-    // Application protocol callback function (for SSLEngine)
-    BiFunction<SSLEngine,List<String>,String>
-        appProtocolSelectorSSLEngine = null;
-
-    // Application protocol callback function (for SSLSocket)
-    BiFunction<SSLSocket,List<String>,String>
-        appProtocolSelectorSSLSocket = null;
-
-    // The maximum expected network packet size for SSL/TLS/DTLS records.
-    int                         maximumPacketSize = 0;
-
-    private boolean             isClient;
-    private boolean             needCertVerify;
-
-    SSLSocketImpl               conn = null;
-    SSLEngineImpl               engine = null;
-
-    HandshakeHash               handshakeHash;
-    HandshakeInStream           input;
-    HandshakeOutStream          output;
-    SSLContextImpl              sslContext;
-    RandomCookie                clnt_random, svr_random;
-    SSLSessionImpl              session;
-
-    HandshakeStateManager       handshakeState;
-    boolean                     clientHelloDelivered;
-    boolean                     serverHelloRequested;
-    boolean                     handshakeActivated;
-    boolean                     handshakeFinished;
-
-    // current CipherSuite. Never null, initially SSL_NULL_WITH_NULL_NULL
-    CipherSuite         cipherSuite;
-
-    // current key exchange. Never null, initially K_NULL
-    KeyExchange         keyExchange;
-
-    // True if this session is being resumed (fast handshake)
-    boolean             resumingSession;
-
-    // True if it's OK to start a new SSL session
-    boolean             enableNewSession;
-
-    // Whether local cipher suites preference should be honored during
-    // handshaking?
-    //
-    // Note that in this provider, this option only applies to server side.
-    // Local cipher suites preference is always honored in client side in
-    // this provider.
-    boolean preferLocalCipherSuites = false;
-
-    // Temporary storage for the individual keys. Set by
-    // calculateConnectionKeys() and cleared once the ciphers are
-    // activated.
-    private SecretKey clntWriteKey, svrWriteKey;
-    private IvParameterSpec clntWriteIV, svrWriteIV;
-    private SecretKey clntMacSecret, svrMacSecret;
-
-    /*
-     * Delegated task subsystem data structures.
-     *
-     * If thrown is set, we need to propagate this back immediately
-     * on entry into processMessage().
-     *
-     * Data is protected by the SSLEngine.this lock.
-     */
-    private volatile boolean taskDelegated = false;
-    private volatile DelegatedTask<?> delegatedTask = null;
-    private volatile Exception thrown = null;
-
-    // Could probably use a java.util.concurrent.atomic.AtomicReference
-    // here instead of using this lock.  Consider changing.
-    private Object thrownLock = new Object();
-
-    /* Class and subclass dynamic debugging support */
-    static final Debug debug = Debug.getInstance("ssl");
-
-    // By default, disable the unsafe legacy session renegotiation
-    static final boolean allowUnsafeRenegotiation = Debug.getBooleanProperty(
-                    "sun.security.ssl.allowUnsafeRenegotiation", false);
-
-    // For maximum interoperability and backward compatibility, RFC 5746
-    // allows server (or client) to accept ClientHello (or ServerHello)
-    // message without the secure renegotiation_info extension or SCSV.
-    //
-    // For maximum security, RFC 5746 also allows server (or client) to
-    // reject such message with a fatal "handshake_failure" alert.
-    //
-    // By default, allow such legacy hello messages.
-    static final boolean allowLegacyHelloMessages = Debug.getBooleanProperty(
-                    "sun.security.ssl.allowLegacyHelloMessages", true);
-
-    // To prevent the TLS renegotiation issues, by setting system property
-    // "jdk.tls.rejectClientInitiatedRenegotiation" to true, applications in
-    // server side can disable all client initiated SSL renegotiations
-    // regardless of the support of TLS protocols.
-    //
-    // By default, allow client initiated renegotiations.
-    static final boolean rejectClientInitiatedRenego =
-            Debug.getBooleanProperty(
-                "jdk.tls.rejectClientInitiatedRenegotiation", false);
-
-    // To switch off the extended_master_secret extension.
-    static final boolean useExtendedMasterSecret;
-
-    // Allow session resumption without Extended Master Secret extension.
-    static final boolean allowLegacyResumption =
-            Debug.getBooleanProperty("jdk.tls.allowLegacyResumption", true);
-
-    // Allow full handshake without Extended Master Secret extension.
-    static final boolean allowLegacyMasterSecret =
-            Debug.getBooleanProperty("jdk.tls.allowLegacyMasterSecret", true);
-
-    // Is it requested to use extended master secret extension?
-    boolean requestedToUseEMS = false;
-
-    // need to dispose the object when it is invalidated
-    boolean invalidated;
-
-    /*
-     * Is this an instance for Datagram Transport Layer Security (DTLS)?
-     */
-    final boolean isDTLS;
-
-    // Is the extended_master_secret extension supported?
-    static {
-        boolean supportExtendedMasterSecret = true;
-        try {
-            KeyGenerator kg =
-                JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
-        } catch (NoSuchAlgorithmException nae) {
-            supportExtendedMasterSecret = false;
-        }
-
-        if (supportExtendedMasterSecret) {
-            useExtendedMasterSecret = Debug.getBooleanProperty(
-                    "jdk.tls.useExtendedMasterSecret", true);
-        } else {
-            useExtendedMasterSecret = false;
-        }
-    }
-
-    Handshaker(SSLSocketImpl c, SSLContextImpl context,
-            ProtocolList enabledProtocols, boolean needCertVerify,
-            boolean isClient, ProtocolVersion activeProtocolVersion,
-            boolean isInitialHandshake, boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData) {
-        this.conn = c;
-        this.isDTLS = false;
-        init(context, enabledProtocols, needCertVerify, isClient,
-            activeProtocolVersion, isInitialHandshake, secureRenegotiation,
-            clientVerifyData, serverVerifyData);
-   }
-
-    Handshaker(SSLEngineImpl engine, SSLContextImpl context,
-            ProtocolList enabledProtocols, boolean needCertVerify,
-            boolean isClient, ProtocolVersion activeProtocolVersion,
-            boolean isInitialHandshake, boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData,
-            boolean isDTLS) {
-        this.engine = engine;
-        this.isDTLS = isDTLS;
-        init(context, enabledProtocols, needCertVerify, isClient,
-            activeProtocolVersion, isInitialHandshake, secureRenegotiation,
-            clientVerifyData, serverVerifyData);
-    }
-
-    private void init(SSLContextImpl context, ProtocolList enabledProtocols,
-            boolean needCertVerify, boolean isClient,
-            ProtocolVersion activeProtocolVersion,
-            boolean isInitialHandshake, boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData) {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println(
-                "Allow unsafe renegotiation: " + allowUnsafeRenegotiation +
-                "\nAllow legacy hello messages: " + allowLegacyHelloMessages +
-                "\nIs initial handshake: " + isInitialHandshake +
-                "\nIs secure renegotiation: " + secureRenegotiation);
-        }
-
-        this.sslContext = context;
-        this.isClient = isClient;
-        this.needCertVerify = needCertVerify;
-        this.activeProtocolVersion = activeProtocolVersion;
-        this.isInitialHandshake = isInitialHandshake;
-        this.secureRenegotiation = secureRenegotiation;
-        this.clientVerifyData = clientVerifyData;
-        this.serverVerifyData = serverVerifyData;
-        this.enableNewSession = true;
-        this.invalidated = false;
-        this.handshakeState = new HandshakeStateManager(isDTLS);
-        this.clientHelloDelivered = false;
-        this.serverHelloRequested = false;
-        this.handshakeActivated = false;
-        this.handshakeFinished = false;
-
-        setCipherSuite(CipherSuite.C_NULL);
-        setEnabledProtocols(enabledProtocols);
-
-        if (conn != null) {
-            algorithmConstraints = new SSLAlgorithmConstraints(conn, true);
-        } else {        // engine != null
-            algorithmConstraints = new SSLAlgorithmConstraints(engine, true);
-        }
-    }
-
-    /*
-     * Reroutes calls to the SSLSocket or SSLEngine (*SE).
-     *
-     * We could have also done it by extra classes
-     * and letting them override, but this seemed much
-     * less involved.
-     */
-    void fatalSE(byte b, String diagnostic) throws IOException {
-        fatalSE(b, diagnostic, null);
-    }
-
-    void fatalSE(byte b, Throwable cause) throws IOException {
-        fatalSE(b, null, cause);
-    }
-
-    void fatalSE(byte b, String diagnostic, Throwable cause)
-            throws IOException {
-        if (conn != null) {
-            conn.fatal(b, diagnostic, cause);
-        } else {
-            engine.fatal(b, diagnostic, cause);
-        }
-    }
-
-    void warningSE(byte b) {
-        if (conn != null) {
-            conn.warning(b);
-        } else {
-            engine.warning(b);
-        }
-    }
-
-    // ONLY used by ClientHandshaker to setup the peer host in SSLSession.
-    String getHostSE() {
-        if (conn != null) {
-            return conn.getHost();
-        } else {
-            return engine.getPeerHost();
-        }
-    }
-
-    // ONLY used by ServerHandshaker to setup the peer host in SSLSession.
-    String getHostAddressSE() {
-        if (conn != null) {
-            return conn.getInetAddress().getHostAddress();
-        } else {
-            /*
-             * This is for caching only, doesn't matter that's is really
-             * a hostname.  The main thing is that it doesn't do
-             * a reverse DNS lookup, potentially slowing things down.
-             */
-            return engine.getPeerHost();
-        }
-    }
-
-    int getPortSE() {
-        if (conn != null) {
-            return conn.getPort();
-        } else {
-            return engine.getPeerPort();
-        }
-    }
-
-    int getLocalPortSE() {
-        if (conn != null) {
-            return conn.getLocalPort();
-        } else {
-            return -1;
-        }
-    }
-
-    AccessControlContext getAccSE() {
-        if (conn != null) {
-            return conn.getAcc();
-        } else {
-            return engine.getAcc();
-        }
-    }
-
-    String getEndpointIdentificationAlgorithmSE() {
-        SSLParameters paras;
-        if (conn != null) {
-            paras = conn.getSSLParameters();
-        } else {
-            paras = engine.getSSLParameters();
-        }
-
-        return paras.getEndpointIdentificationAlgorithm();
-    }
-
-    private void setVersionSE(ProtocolVersion protocolVersion) {
-        if (conn != null) {
-            conn.setVersion(protocolVersion);
-        } else {
-            engine.setVersion(protocolVersion);
-        }
-    }
-
-    /**
-     * Set the active protocol version and propagate it to the SSLSocket
-     * and our handshake streams. Called from ClientHandshaker
-     * and ServerHandshaker with the negotiated protocol version.
-     */
-    void setVersion(ProtocolVersion protocolVersion) {
-        this.protocolVersion = protocolVersion;
-        setVersionSE(protocolVersion);
-    }
-
-    /**
-     * Set the enabled protocols. Called from the constructor or
-     * SSLSocketImpl/SSLEngineImpl.setEnabledProtocols() (if the
-     * handshake is not yet in progress).
-     */
-    void setEnabledProtocols(ProtocolList enabledProtocols) {
-        activeCipherSuites = null;
-        activeProtocols = null;
-
-        this.enabledProtocols = enabledProtocols;
-    }
-
-    /**
-     * Set the enabled cipher suites. Called from
-     * SSLSocketImpl/SSLEngineImpl.setEnabledCipherSuites() (if the
-     * handshake is not yet in progress).
-     */
-    void setEnabledCipherSuites(CipherSuiteList enabledCipherSuites) {
-        activeCipherSuites = null;
-        activeProtocols = null;
-        this.enabledCipherSuites = enabledCipherSuites;
-    }
-
-    /**
-     * Set the algorithm constraints. Called from the constructor or
-     * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the
-     * handshake is not yet in progress).
-     */
-    void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
-        activeCipherSuites = null;
-        activeProtocols = null;
-
-        this.algorithmConstraints =
-            new SSLAlgorithmConstraints(algorithmConstraints);
-        this.localSupportedSignAlgs = null;
-    }
-
-    Collection<SignatureAndHashAlgorithm> getLocalSupportedSignAlgs() {
-        if (localSupportedSignAlgs == null) {
-            localSupportedSignAlgs =
-                SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                                    algorithmConstraints);
-        }
-
-        return localSupportedSignAlgs;
-    }
-
-    void setPeerSupportedSignAlgs(
-            Collection<SignatureAndHashAlgorithm> algorithms) {
-        peerSupportedSignAlgs =
-            new ArrayList<SignatureAndHashAlgorithm>(algorithms);
-    }
-
-    Collection<SignatureAndHashAlgorithm> getPeerSupportedSignAlgs() {
-        return peerSupportedSignAlgs;
-    }
-
-
-    /**
-     * Set the identification protocol. Called from the constructor or
-     * SSLSocketImpl/SSLEngineImpl.setIdentificationProtocol() (if the
-     * handshake is not yet in progress).
-     */
-    void setIdentificationProtocol(String protocol) {
-        this.identificationProtocol = protocol;
-    }
-
-    /**
-     * Sets the server name indication of the handshake.
-     */
-    void setSNIServerNames(List<SNIServerName> serverNames) {
-        // The serverNames parameter is unmodifiable.
-        this.serverNames = serverNames;
-    }
-
-    /**
-     * Sets the server name matchers of the handshaking.
-     */
-    void setSNIMatchers(Collection<SNIMatcher> sniMatchers) {
-        // The sniMatchers parameter is unmodifiable.
-        this.sniMatchers = sniMatchers;
-    }
-
-    /**
-     * Sets the maximum packet size of the handshaking.
-     */
-    void setMaximumPacketSize(int maximumPacketSize) {
-        this.maximumPacketSize = maximumPacketSize;
-    }
-
-    /**
-     * Sets the Application Protocol list.
-     */
-    void setApplicationProtocols(String[] apl) {
-        this.localApl = apl;
-    }
-
-    /**
-     * Gets the "negotiated" ALPN value.
-     */
-    String getHandshakeApplicationProtocol() {
-        return applicationProtocol;
-    }
-
-    /**
-     * Sets the Application Protocol selector function for SSLEngine.
-     */
-    void setApplicationProtocolSelectorSSLEngine(
-        BiFunction<SSLEngine,List<String>,String> selector) {
-        this.appProtocolSelectorSSLEngine = selector;
-    }
-
-    /**
-     * Sets the Application Protocol selector function for SSLSocket.
-     */
-    void setApplicationProtocolSelectorSSLSocket(
-        BiFunction<SSLSocket,List<String>,String> selector) {
-        this.appProtocolSelectorSSLSocket = selector;
-    }
-
-    /**
-     * Sets the cipher suites preference.
-     */
-    void setUseCipherSuitesOrder(boolean on) {
-        this.preferLocalCipherSuites = on;
-    }
-
-    /**
-     * Prior to handshaking, activate the handshake and initialize the version,
-     * input stream and output stream.
-     */
-    void activate(ProtocolVersion helloVersion) throws IOException {
-        if (activeProtocols == null) {
-            activeProtocols = getActiveProtocols();
-        }
-
-        if (activeProtocols.collection().isEmpty() ||
-                activeProtocols.max.v == ProtocolVersion.NONE.v) {
-            throw new SSLHandshakeException(
-                    "No appropriate protocol (protocol is disabled or " +
-                    "cipher suites are inappropriate)");
-        }
-
-        if (activeCipherSuites == null) {
-            activeCipherSuites = getActiveCipherSuites();
-        }
-
-        if (activeCipherSuites.collection().isEmpty()) {
-            throw new SSLHandshakeException("No appropriate cipher suite");
-        }
-
-        // temporary protocol version until the actual protocol version
-        // is negotiated in the Hello exchange. This affects the record
-        // version we sent with the ClientHello.
-        if (!isInitialHandshake) {
-            protocolVersion = activeProtocolVersion;
-        } else {
-            protocolVersion = activeProtocols.max;
-        }
-
-        if (helloVersion == null || helloVersion.v == ProtocolVersion.NONE.v) {
-            helloVersion = activeProtocols.helloVersion;
-        }
-
-        // We accumulate digests of the handshake messages so that
-        // we can read/write CertificateVerify and Finished messages,
-        // getting assurance against some particular active attacks.
-        handshakeHash = new HandshakeHash(needCertVerify);
-
-        // Generate handshake input/output stream.
-        if (conn != null) {
-            input = new HandshakeInStream();
-            output = new HandshakeOutStream(conn.outputRecord);
-
-            conn.inputRecord.setHandshakeHash(handshakeHash);
-            conn.inputRecord.setHelloVersion(helloVersion);
-
-            conn.outputRecord.setHandshakeHash(handshakeHash);
-            conn.outputRecord.setHelloVersion(helloVersion);
-            conn.outputRecord.setVersion(protocolVersion);
-        } else if (engine != null) {
-            input = new HandshakeInStream();
-            output = new HandshakeOutStream(engine.outputRecord);
-
-            engine.inputRecord.setHandshakeHash(handshakeHash);
-            engine.inputRecord.setHelloVersion(helloVersion);
-
-            engine.outputRecord.setHandshakeHash(handshakeHash);
-            engine.outputRecord.setHelloVersion(helloVersion);
-            engine.outputRecord.setVersion(protocolVersion);
-        }
-
-        handshakeActivated = true;
-    }
-
-    /**
-     * Set cipherSuite and keyExchange to the given CipherSuite.
-     * Does not perform any verification that this is a valid selection,
-     * this must be done before calling this method.
-     */
-    void setCipherSuite(CipherSuite s) {
-        this.cipherSuite = s;
-        this.keyExchange = s.keyExchange;
-    }
-
-    /**
-     * Check if the given ciphersuite is enabled and available within the
-     * current active cipher suites.
-     *
-     * Does not check if the required server certificates are available.
-     */
-    boolean isNegotiable(CipherSuite s) {
-        if (activeCipherSuites == null) {
-            activeCipherSuites = getActiveCipherSuites();
-        }
-
-        return isNegotiable(activeCipherSuites, s);
-    }
-
-    /**
-     * Check if the given ciphersuite is enabled and available within the
-     * proposed cipher suite list.
-     *
-     * Does not check if the required server certificates are available.
-     */
-    static final boolean isNegotiable(CipherSuiteList proposed, CipherSuite s) {
-        return proposed.contains(s) && s.isNegotiable();
-    }
-
-    /**
-     * Check if the given protocol version is enabled and available.
-     */
-    boolean isNegotiable(ProtocolVersion protocolVersion) {
-        if (activeProtocols == null) {
-            activeProtocols = getActiveProtocols();
-        }
-
-        return activeProtocols.contains(protocolVersion);
-    }
-
-    /**
-     * Select a protocol version from the list. Called from
-     * ServerHandshaker to negotiate protocol version.
-     *
-     * Return the lower of the protocol version suggested in the
-     * clien hello and the highest supported by the server.
-     */
-    ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) {
-        if (activeProtocols == null) {
-            activeProtocols = getActiveProtocols();
-        }
-
-        return activeProtocols.selectProtocolVersion(protocolVersion);
-    }
-
-    /**
-     * Get the active cipher suites.
-     *
-     * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
-     * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
-     * negotiate these cipher suites in TLS 1.1 or later mode.
-     *
-     * Therefore, when the active protocols only include TLS 1.1 or later,
-     * the client cannot request to negotiate those obsoleted cipher
-     * suites.  That is, the obsoleted suites should not be included in the
-     * client hello. So we need to create a subset of the enabled cipher
-     * suites, the active cipher suites, which does not contain obsoleted
-     * cipher suites of the minimum active protocol.
-     *
-     * Return empty list instead of null if no active cipher suites.
-     */
-    CipherSuiteList getActiveCipherSuites() {
-        if (activeCipherSuites == null) {
-            if (activeProtocols == null) {
-                activeProtocols = getActiveProtocols();
-            }
-
-            ArrayList<CipherSuite> suites = new ArrayList<>();
-            if (!(activeProtocols.collection().isEmpty()) &&
-                    activeProtocols.min.v != ProtocolVersion.NONE.v) {
-                Map<NamedGroupType, Boolean> cachedStatus =
-                        new EnumMap<>(NamedGroupType.class);
-                for (CipherSuite suite : enabledCipherSuites.collection()) {
-                    if (suite.isAvailable() &&
-                            (!activeProtocols.min.obsoletes(suite)) &&
-                            activeProtocols.max.supports(suite)) {
-                        if (isActivatable(suite, cachedStatus)) {
-                            suites.add(suite);
-                        }
-                    } else if (debug != null && Debug.isOn("verbose")) {
-                        if (activeProtocols.min.obsoletes(suite)) {
-                            System.out.println(
-                                "Ignoring obsoleted cipher suite: " + suite);
-                        } else {
-                            System.out.println(
-                                "Ignoring unsupported cipher suite: " + suite);
-                        }
-                    }
-                }
-            }
-            activeCipherSuites = new CipherSuiteList(suites);
-        }
-
-        return activeCipherSuites;
-    }
-
-    /*
-     * Get the active protocol versions.
-     *
-     * In TLS 1.1, many weak or vulnerable cipher suites were obsoleted,
-     * such as TLS_RSA_EXPORT_WITH_RC4_40_MD5. The implementation MUST NOT
-     * negotiate these cipher suites in TLS 1.1 or later mode.
-     *
-     * For example, if "TLS_RSA_EXPORT_WITH_RC4_40_MD5" is the
-     * only enabled cipher suite, the client cannot request TLS 1.1 or
-     * later, even though TLS 1.1 or later is enabled.  We need to create a
-     * subset of the enabled protocols, called the active protocols, which
-     * contains protocols appropriate to the list of enabled Ciphersuites.
-     *
-     * Return empty list instead of null if no active protocol versions.
-     */
-    ProtocolList getActiveProtocols() {
-        if (activeProtocols == null) {
-            boolean enabledSSL20Hello = false;
-            boolean checkedCurves = false;
-            boolean hasCurves = false;
-            ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
-            for (ProtocolVersion protocol : enabledProtocols.collection()) {
-                // Need not to check the SSL20Hello protocol.
-                if (protocol.v == ProtocolVersion.SSL20Hello.v) {
-                    enabledSSL20Hello = true;
-                    continue;
-                }
-
-                if (!algorithmConstraints.permits(
-                        EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
-                        protocol.name, null)) {
-                    if (debug != null && Debug.isOn("verbose")) {
-                        System.out.println(
-                            "Ignoring disabled protocol: " + protocol);
-                    }
-
-                    continue;
-                }
-
-                boolean found = false;
-                Map<NamedGroupType, Boolean> cachedStatus =
-                        new EnumMap<>(NamedGroupType.class);
-                for (CipherSuite suite : enabledCipherSuites.collection()) {
-                    if (suite.isAvailable() && (!protocol.obsoletes(suite)) &&
-                                               protocol.supports(suite)) {
-                        if (isActivatable(suite, cachedStatus)) {
-                            protocols.add(protocol);
-                            found = true;
-                            break;
-                        }
-                    } else if (debug != null && Debug.isOn("verbose")) {
-                        System.out.println(
-                            "Ignoring unsupported cipher suite: " + suite +
-                                 " for " + protocol);
-                    }
-                }
-
-                if (!found && (debug != null) && Debug.isOn("handshake")) {
-                    System.out.println(
-                        "No available cipher suite for " + protocol);
-                }
-            }
-
-            if (!protocols.isEmpty() && enabledSSL20Hello) {
-                protocols.add(ProtocolVersion.SSL20Hello);
-            }
-
-            activeProtocols = new ProtocolList(protocols);
-        }
-
-        return activeProtocols;
-    }
-
-    private boolean isActivatable(CipherSuite suite,
-            Map<NamedGroupType, Boolean> cachedStatus) {
-
-        if (algorithmConstraints.permits(
-                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
-            boolean available = true;
-            NamedGroupType groupType = suite.keyExchange.groupType;
-            if (groupType != NAMED_GROUP_NONE) {
-                Boolean checkedStatus = cachedStatus.get(groupType);
-                if (checkedStatus == null) {
-                    available = SupportedGroupsExtension.isActivatable(
-                            algorithmConstraints, groupType);
-                    cachedStatus.put(groupType, available);
-
-                    if (!available && debug != null && Debug.isOn("verbose")) {
-                        System.out.println("No activated named group");
-                    }
-                } else {
-                    available = checkedStatus.booleanValue();
-                }
-
-                if (!available && debug != null && Debug.isOn("verbose")) {
-                    System.out.println(
-                        "No active named group, ignore " + suite);
-                }
-
-                return available;
-            } else {
-                return true;
-            }
-        } else if (debug != null && Debug.isOn("verbose")) {
-            System.out.println("Ignoring disabled cipher suite: " + suite);
-        }
-
-        return false;
-    }
-
-    /**
-     * As long as handshaking has not activated, we can
-     * change whether session creations are allowed.
-     *
-     * Callers should do their own checking if handshaking
-     * has activated.
-     */
-    void setEnableSessionCreation(boolean newSessions) {
-        enableNewSession = newSessions;
-    }
-
-    /**
-     * Create a new read cipher and return it to caller.
-     */
-    CipherBox newReadCipher() throws NoSuchAlgorithmException {
-        BulkCipher cipher = cipherSuite.cipher;
-        CipherBox box;
-        if (isClient) {
-            box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV,
-                                   sslContext.getSecureRandom(), false);
-            svrWriteKey = null;
-            svrWriteIV = null;
-        } else {
-            box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV,
-                                   sslContext.getSecureRandom(), false);
-            clntWriteKey = null;
-            clntWriteIV = null;
-        }
-        return box;
-    }
-
-    /**
-     * Create a new write cipher and return it to caller.
-     */
-    CipherBox newWriteCipher() throws NoSuchAlgorithmException {
-        BulkCipher cipher = cipherSuite.cipher;
-        CipherBox box;
-        if (isClient) {
-            box = cipher.newCipher(protocolVersion, clntWriteKey, clntWriteIV,
-                                   sslContext.getSecureRandom(), true);
-            clntWriteKey = null;
-            clntWriteIV = null;
-        } else {
-            box = cipher.newCipher(protocolVersion, svrWriteKey, svrWriteIV,
-                                   sslContext.getSecureRandom(), true);
-            svrWriteKey = null;
-            svrWriteIV = null;
-        }
-        return box;
-    }
-
-    /**
-     * Create a new read MAC and return it to caller.
-     */
-    Authenticator newReadAuthenticator()
-            throws NoSuchAlgorithmException, InvalidKeyException {
-
-        Authenticator authenticator = null;
-        if (cipherSuite.cipher.cipherType == AEAD_CIPHER) {
-            authenticator = new Authenticator(protocolVersion);
-        } else {
-            MacAlg macAlg = cipherSuite.macAlg;
-            if (isClient) {
-                authenticator = macAlg.newMac(protocolVersion, svrMacSecret);
-                svrMacSecret = null;
-            } else {
-                authenticator = macAlg.newMac(protocolVersion, clntMacSecret);
-                clntMacSecret = null;
-            }
-        }
-
-        return authenticator;
-    }
-
-    /**
-     * Create a new write MAC and return it to caller.
-     */
-    Authenticator newWriteAuthenticator()
-            throws NoSuchAlgorithmException, InvalidKeyException {
-
-        Authenticator authenticator = null;
-        if (cipherSuite.cipher.cipherType == AEAD_CIPHER) {
-            authenticator = new Authenticator(protocolVersion);
-        } else {
-            MacAlg macAlg = cipherSuite.macAlg;
-            if (isClient) {
-                authenticator = macAlg.newMac(protocolVersion, clntMacSecret);
-                clntMacSecret = null;
-            } else {
-                authenticator = macAlg.newMac(protocolVersion, svrMacSecret);
-                svrMacSecret = null;
-            }
-        }
-
-        return authenticator;
-    }
-
-    /*
-     * Returns true iff the handshake sequence is done, so that
-     * this freshly created session can become the current one.
-     */
-    boolean isDone() {
-        return started() && handshakeState.isEmpty() && handshakeFinished;
-    }
-
-
-    /*
-     * Returns the session which was created through this
-     * handshake sequence ... should be called after isDone()
-     * returns true.
-     */
-    SSLSessionImpl getSession() {
-        return session;
-    }
-
-    /*
-     * Set the handshake session
-     */
-    void setHandshakeSessionSE(SSLSessionImpl handshakeSession) {
-        if (conn != null) {
-            conn.setHandshakeSession(handshakeSession);
-        } else {
-            engine.setHandshakeSession(handshakeSession);
-        }
-    }
-
-    void expectingFinishFlightSE() {
-        if (conn != null) {
-            conn.expectingFinishFlight();
-        } else {
-            engine.expectingFinishFlight();
-        }
-    }
-
-    /*
-     * Returns true if renegotiation is in use for this connection.
-     */
-    boolean isSecureRenegotiation() {
-        return secureRenegotiation;
-    }
-
-    /*
-     * Returns the verify_data from the Finished message sent by the client.
-     */
-    byte[] getClientVerifyData() {
-        return clientVerifyData;
-    }
-
-    /*
-     * Returns the verify_data from the Finished message sent by the server.
-     */
-    byte[] getServerVerifyData() {
-        return serverVerifyData;
-    }
-
-    /*
-     * This routine is fed SSL handshake records when they become available,
-     * and processes messages found therein.
-     */
-    void processRecord(ByteBuffer record,
-            boolean expectingFinished) throws IOException {
-
-        checkThrown();
-
-        /*
-         * Store the incoming handshake data, then see if we can
-         * now process any completed handshake messages
-         */
-        input.incomingRecord(record);
-
-        /*
-         * We don't need to create a separate delegatable task
-         * for finished messages.
-         */
-        if ((conn != null) || expectingFinished) {
-            processLoop();
-        } else {
-            delegateTask(new PrivilegedExceptionAction<Void>() {
-                @Override
-                public Void run() throws Exception {
-                    processLoop();
-                    return null;
-                }
-            });
-        }
-    }
-
-    /*
-     * On input, we hash messages one at a time since servers may need
-     * to access an intermediate hash to validate a CertificateVerify
-     * message.
-     *
-     * Note that many handshake messages can come in one record (and often
-     * do, to reduce network resource utilization), and one message can also
-     * require multiple records (e.g. very large Certificate messages).
-     */
-    void processLoop() throws IOException {
-
-        // need to read off 4 bytes at least to get the handshake
-        // message type and length.
-        while (input.available() >= 4) {
-            byte messageType;
-            int messageLen;
-
-            /*
-             * See if we can read the handshake message header, and
-             * then the entire handshake message.  If not, wait till
-             * we can read and process an entire message.
-             */
-            input.mark(4);
-
-            messageType = (byte)input.getInt8();
-            if (HandshakeMessage.isUnsupported(messageType)) {
-                throw new SSLProtocolException(
-                    "Received unsupported or unknown handshake message: " +
-                    messageType);
-            }
-
-            messageLen = input.getInt24();
-
-            if (input.available() < messageLen) {
-                input.reset();
-                return;
-            }
-
-            // Set the flags in the message receiving side.
-            if (messageType == HandshakeMessage.ht_client_hello) {
-                clientHelloDelivered = true;
-            } else if (messageType == HandshakeMessage.ht_hello_request) {
-                serverHelloRequested = true;
-            }
-
-            /*
-             * Process the message.  We require
-             * that processMessage() consumes the entire message.  In
-             * lieu of explicit error checks (how?!) we assume that the
-             * data will look like garbage on encoding/processing errors,
-             * and that other protocol code will detect such errors.
-             *
-             * Note that digesting is normally deferred till after the
-             * message has been processed, though to process at least the
-             * client's Finished message (i.e. send the server's) we need
-             * to acccelerate that digesting.
-             *
-             * Also, note that hello request messages are never hashed;
-             * that includes the hello request header, too.
-             */
-            processMessage(messageType, messageLen);
-
-            // Reload if this message has been reserved.
-            //
-            // Note: in the implementation, only certificate_verify and
-            // finished messages are reserved.
-            if ((messageType == HandshakeMessage.ht_finished) ||
-                (messageType == HandshakeMessage.ht_certificate_verify)) {
-
-                handshakeHash.reload();
-            }
-        }
-    }
-
-
-    /**
-     * Returns true iff the handshaker has been activated.
-     *
-     * In activated state, the handshaker may not send any messages out.
-     */
-    boolean activated() {
-        return handshakeActivated;
-    }
-
-    /**
-     * Returns true iff the handshaker has sent any messages.
-     */
-    boolean started() {
-        return (serverHelloRequested || clientHelloDelivered);
-    }
-
-    /*
-     * Used to kickstart the negotiation ... either writing a
-     * ClientHello or a HelloRequest as appropriate, whichever
-     * the subclass returns.  NOP if handshaking's already started.
-     */
-    void kickstart() throws IOException {
-        if ((isClient && clientHelloDelivered) ||
-                (!isClient && serverHelloRequested)) {
-            return;
-        }
-
-        HandshakeMessage m = getKickstartMessage();
-        handshakeState.update(m, resumingSession);
-
-        if (debug != null && Debug.isOn("handshake")) {
-            m.print(System.out);
-        }
-        m.write(output);
-        output.flush();
-
-        // Set the flags in the message delivering side.
-        int handshakeType = m.messageType();
-        if (handshakeType == HandshakeMessage.ht_hello_request) {
-            serverHelloRequested = true;
-        } else {        // HandshakeMessage.ht_client_hello
-            clientHelloDelivered = true;
-        }
-    }
-
-    /**
-     * Both client and server modes can start handshaking; but the
-     * message they send to do so is different.
-     */
-    abstract HandshakeMessage getKickstartMessage() throws SSLException;
-
-    /*
-     * Client and Server side protocols are each driven though this
-     * call, which processes a single message and drives the appropriate
-     * side of the protocol state machine (depending on the subclass).
-     */
-    abstract void processMessage(byte messageType, int messageLen)
-        throws IOException;
-
-    /*
-     * Most alerts in the protocol relate to handshaking problems.
-     * Alerts are detected as the connection reads data.
-     */
-    abstract void handshakeAlert(byte description) throws SSLProtocolException;
-
-    /*
-     * Sends a change cipher spec message and updates the write side
-     * cipher state so that future messages use the just-negotiated spec.
-     */
-    void sendChangeCipherSpec(Finished mesg, boolean lastMessage)
-            throws IOException {
-
-        output.flush(); // i.e. handshake data
-
-        /*
-         * The write cipher state is protected by the connection write lock
-         * so we must grab it while making the change. We also
-         * make sure no writes occur between sending the ChangeCipherSpec
-         * message, installing the new cipher state, and sending the
-         * Finished message.
-         *
-         * We already hold SSLEngine/SSLSocket "this" by virtue
-         * of this being called from the readRecord code.
-         */
-        if (conn != null) {
-            conn.writeLock.lock();
-            try {
-                handshakeState.changeCipherSpec(false, isClient);
-                conn.changeWriteCiphers();
-                if (debug != null && Debug.isOn("handshake")) {
-                    mesg.print(System.out);
-                }
-
-                handshakeState.update(mesg, resumingSession);
-                mesg.write(output);
-                output.flush();
-            } finally {
-                conn.writeLock.unlock();
-            }
-        } else {
-            synchronized (engine.writeLock) {
-                handshakeState.changeCipherSpec(false, isClient);
-                engine.changeWriteCiphers();
-                if (debug != null && Debug.isOn("handshake")) {
-                    mesg.print(System.out);
-                }
-
-                handshakeState.update(mesg, resumingSession);
-                mesg.write(output);
-                output.flush();
-            }
-        }
-
-        if (lastMessage) {
-            handshakeFinished = true;
-        }
-    }
-
-    void receiveChangeCipherSpec() throws IOException {
-        handshakeState.changeCipherSpec(true, isClient);
-    }
-
-    /*
-     * Single access point to key calculation logic.  Given the
-     * pre-master secret and the nonces from client and server,
-     * produce all the keying material to be used.
-     */
-    void calculateKeys(SecretKey preMasterSecret, ProtocolVersion version) {
-        SecretKey master = calculateMasterSecret(preMasterSecret, version);
-        session.setMasterSecret(master);
-        calculateConnectionKeys(master);
-    }
-
-    /*
-     * Calculate the master secret from its various components.  This is
-     * used for key exchange by all cipher suites.
-     *
-     * The master secret is the catenation of three MD5 hashes, each
-     * consisting of the pre-master secret and a SHA1 hash.  Those three
-     * SHA1 hashes are of (different) constant strings, the pre-master
-     * secret, and the nonces provided by the client and the server.
-     */
-    @SuppressWarnings("deprecation")
-    private SecretKey calculateMasterSecret(SecretKey preMasterSecret,
-            ProtocolVersion requestedVersion) {
-
-        if (debug != null && Debug.isOn("keygen")) {
-            HexDumpEncoder      dump = new HexDumpEncoder();
-
-            System.out.println("SESSION KEYGEN:");
-
-            System.out.println("PreMaster Secret:");
-            printHex(dump, preMasterSecret.getEncoded());
-
-            // Nonces are dumped with connection keygen, no
-            // benefit to doing it twice
-        }
-
-        // What algs/params do we need to use?
-        String masterAlg;
-        PRF prf;
-
-        byte majorVersion = protocolVersion.major;
-        byte minorVersion = protocolVersion.minor;
-        if (protocolVersion.isDTLSProtocol()) {
-            // Use TLS version number for DTLS key calculation
-            if (protocolVersion.v == ProtocolVersion.DTLS10.v) {
-                majorVersion = ProtocolVersion.TLS11.major;
-                minorVersion = ProtocolVersion.TLS11.minor;
-
-                masterAlg = "SunTlsMasterSecret";
-                prf = P_NONE;
-            } else {    // DTLS 1.2
-                majorVersion = ProtocolVersion.TLS12.major;
-                minorVersion = ProtocolVersion.TLS12.minor;
-
-                masterAlg = "SunTls12MasterSecret";
-                prf = cipherSuite.prfAlg;
-            }
-        } else {
-            if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
-                masterAlg = "SunTls12MasterSecret";
-                prf = cipherSuite.prfAlg;
-            } else {
-                masterAlg = "SunTlsMasterSecret";
-                prf = P_NONE;
-            }
-        }
-
-        String prfHashAlg = prf.getPRFHashAlg();
-        int prfHashLength = prf.getPRFHashLength();
-        int prfBlockSize = prf.getPRFBlockSize();
-
-        TlsMasterSecretParameterSpec spec;
-        if (session.getUseExtendedMasterSecret()) {
-            // reset to use the extended master secret algorithm
-            masterAlg = "SunTlsExtendedMasterSecret";
-
-            byte[] sessionHash = null;
-            if (protocolVersion.useTLS12PlusSpec()) {
-                sessionHash = handshakeHash.getFinishedHash();
-            } else {
-                // TLS 1.0/1.1, DTLS 1.0
-                sessionHash = new byte[36];
-                try {
-                    handshakeHash.getMD5Clone().digest(sessionHash, 0, 16);
-                    handshakeHash.getSHAClone().digest(sessionHash, 16, 20);
-                } catch (DigestException de) {
-                    throw new ProviderException(de);
-                }
-            }
-
-            spec = new TlsMasterSecretParameterSpec(
-                    preMasterSecret,
-                    (majorVersion & 0xFF), (minorVersion & 0xFF),
-                    sessionHash,
-                    prfHashAlg, prfHashLength, prfBlockSize);
-        } else {
-            spec = new TlsMasterSecretParameterSpec(
-                    preMasterSecret,
-                    (majorVersion & 0xFF), (minorVersion & 0xFF),
-                    clnt_random.random_bytes, svr_random.random_bytes,
-                    prfHashAlg, prfHashLength, prfBlockSize);
-        }
-
-        try {
-            KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
-            kg.init(spec);
-            return kg.generateKey();
-        } catch (InvalidAlgorithmParameterException |
-                NoSuchAlgorithmException iae) {
-            // unlikely to happen, otherwise, must be a provider exception
-            //
-            // For RSA premaster secrets, do not signal a protocol error
-            // due to the Bleichenbacher attack. See comments further down.
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("RSA master secret generation error:");
-                iae.printStackTrace(System.out);
-            }
-            throw new ProviderException(iae);
-
-        }
-    }
-
-    /*
-     * Calculate the keys needed for this connection, once the session's
-     * master secret has been calculated.  Uses the master key and nonces;
-     * the amount of keying material generated is a function of the cipher
-     * suite that's been negotiated.
-     *
-     * This gets called both on the "full handshake" (where we exchanged
-     * a premaster secret and started a new session) as well as on the
-     * "fast handshake" (where we just resumed a pre-existing session).
-     */
-    @SuppressWarnings("deprecation")
-    void calculateConnectionKeys(SecretKey masterKey) {
-        /*
-         * For both the read and write sides of the protocol, we use the
-         * master to generate MAC secrets and cipher keying material.  Block
-         * ciphers need initialization vectors, which we also generate.
-         *
-         * First we figure out how much keying material is needed.
-         */
-        int hashSize = cipherSuite.macAlg.size;
-        boolean is_exportable = cipherSuite.exportable;
-        BulkCipher cipher = cipherSuite.cipher;
-        int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;
-
-        // Which algs/params do we need to use?
-        String keyMaterialAlg;
-        PRF prf;
-
-        byte majorVersion = protocolVersion.major;
-        byte minorVersion = protocolVersion.minor;
-        if (protocolVersion.isDTLSProtocol()) {
-            // Use TLS version number for DTLS key calculation
-            if (protocolVersion.v == ProtocolVersion.DTLS10.v) {
-                majorVersion = ProtocolVersion.TLS11.major;
-                minorVersion = ProtocolVersion.TLS11.minor;
-
-                keyMaterialAlg = "SunTlsKeyMaterial";
-                prf = P_NONE;
-            } else {    // DTLS 1.2+
-                majorVersion = ProtocolVersion.TLS12.major;
-                minorVersion = ProtocolVersion.TLS12.minor;
-
-                keyMaterialAlg = "SunTls12KeyMaterial";
-                prf = cipherSuite.prfAlg;
-            }
-        } else {
-            if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
-                keyMaterialAlg = "SunTls12KeyMaterial";
-                prf = cipherSuite.prfAlg;
-            } else {
-                keyMaterialAlg = "SunTlsKeyMaterial";
-                prf = P_NONE;
-            }
-        }
-
-        String prfHashAlg = prf.getPRFHashAlg();
-        int prfHashLength = prf.getPRFHashLength();
-        int prfBlockSize = prf.getPRFBlockSize();
-
-        // TLS v1.1+ and DTLS use an explicit IV in CBC cipher suites to
-        // protect against the CBC attacks.  AEAD/GCM cipher suites in TLS
-        // v1.2 or later use a fixed IV as the implicit part of the partially
-        // implicit nonce technique described in RFC 5116.
-        int ivSize = cipher.ivSize;
-        if (cipher.cipherType == AEAD_CIPHER) {
-            ivSize = cipher.fixedIvSize;
-        } else if ((cipher.cipherType == BLOCK_CIPHER) &&
-                protocolVersion.useTLS11PlusSpec()) {
-            ivSize = 0;
-        }
-
-        TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec(
-                masterKey, (majorVersion & 0xFF), (minorVersion & 0xFF),
-                clnt_random.random_bytes, svr_random.random_bytes,
-                cipher.algorithm, cipher.keySize, expandedKeySize,
-                ivSize, hashSize,
-                prfHashAlg, prfHashLength, prfBlockSize);
-
-        try {
-            KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
-            kg.init(spec);
-            TlsKeyMaterialSpec keySpec = (TlsKeyMaterialSpec)kg.generateKey();
-
-            // Return null if cipher keys are not supposed to be generated.
-            clntWriteKey = keySpec.getClientCipherKey();
-            svrWriteKey = keySpec.getServerCipherKey();
-
-            // Return null if IVs are not supposed to be generated.
-            clntWriteIV = keySpec.getClientIv();
-            svrWriteIV = keySpec.getServerIv();
-
-            // Return null if MAC keys are not supposed to be generated.
-            clntMacSecret = keySpec.getClientMacKey();
-            svrMacSecret = keySpec.getServerMacKey();
-        } catch (GeneralSecurityException e) {
-            throw new ProviderException(e);
-        }
-
-        //
-        // Dump the connection keys as they're generated.
-        //
-        if (debug != null && Debug.isOn("keygen")) {
-            synchronized (System.out) {
-                HexDumpEncoder  dump = new HexDumpEncoder();
-
-                System.out.println("CONNECTION KEYGEN:");
-
-                // Inputs:
-                System.out.println("Client Nonce:");
-                printHex(dump, clnt_random.random_bytes);
-                System.out.println("Server Nonce:");
-                printHex(dump, svr_random.random_bytes);
-                System.out.println("Master Secret:");
-                printHex(dump, masterKey.getEncoded());
-
-                // Outputs:
-                if (clntMacSecret != null) {
-                    System.out.println("Client MAC write Secret:");
-                    printHex(dump, clntMacSecret.getEncoded());
-                    System.out.println("Server MAC write Secret:");
-                    printHex(dump, svrMacSecret.getEncoded());
-                } else {
-                    System.out.println("... no MAC keys used for this cipher");
-                }
-
-                if (clntWriteKey != null) {
-                    System.out.println("Client write key:");
-                    printHex(dump, clntWriteKey.getEncoded());
-                    System.out.println("Server write key:");
-                    printHex(dump, svrWriteKey.getEncoded());
-                } else {
-                    System.out.println("... no encryption keys used");
-                }
-
-                if (clntWriteIV != null) {
-                    System.out.println("Client write IV:");
-                    printHex(dump, clntWriteIV.getIV());
-                    System.out.println("Server write IV:");
-                    printHex(dump, svrWriteIV.getIV());
-                } else {
-                    if (protocolVersion.useTLS11PlusSpec()) {
-                        System.out.println(
-                                "... no IV derived for this protocol");
-                    } else {
-                        System.out.println("... no IV used for this cipher");
-                    }
-                }
-                System.out.flush();
-            }
-        }
-    }
-
-    private static void printHex(HexDumpEncoder dump, byte[] bytes) {
-        if (bytes == null) {
-            System.out.println("(key bytes not available)");
-        } else {
-            try {
-                dump.encodeBuffer(bytes, System.out);
-            } catch (IOException e) {
-                // just for debugging, ignore this
-            }
-        }
-    }
-
-    /*
-     * Implement a simple task delegator.
-     *
-     * We are currently implementing this as a single delegator, may
-     * try for parallel tasks later.  Client Authentication could
-     * benefit from this, where ClientKeyExchange/CertificateVerify
-     * could be carried out in parallel.
-     */
-    class DelegatedTask<E> implements Runnable {
-
-        private PrivilegedExceptionAction<E> pea;
-
-        DelegatedTask(PrivilegedExceptionAction<E> pea) {
-            this.pea = pea;
-        }
-
-        public void run() {
-            synchronized (engine) {
-                try {
-                    AccessController.doPrivileged(pea, engine.getAcc());
-                } catch (PrivilegedActionException pae) {
-                    thrown = pae.getException();
-                } catch (RuntimeException rte) {
-                    thrown = rte;
-                }
-                delegatedTask = null;
-                taskDelegated = false;
-            }
-        }
-    }
-
-    private <T> void delegateTask(PrivilegedExceptionAction<T> pea) {
-        delegatedTask = new DelegatedTask<T>(pea);
-        taskDelegated = false;
-        thrown = null;
-    }
-
-    DelegatedTask<?> getTask() {
-        if (!taskDelegated) {
-            taskDelegated = true;
-            return delegatedTask;
-        } else {
-            return null;
-        }
-    }
-
-    /*
-     * See if there are any tasks which need to be delegated
-     *
-     * Locked by SSLEngine.this.
-     */
-    boolean taskOutstanding() {
-        return (delegatedTask != null);
-    }
-
-    /*
-     * The previous caller failed for some reason, report back the
-     * Exception.  We won't worry about Error's.
-     *
-     * Locked by SSLEngine.this.
-     */
-    void checkThrown() throws SSLException {
-        synchronized (thrownLock) {
-            if (thrown != null) {
-
-                String msg = thrown.getMessage();
-
-                if (msg == null) {
-                    msg = "Delegated task threw Exception/Error";
-                }
-
-                /*
-                 * See what the underlying type of exception is.  We should
-                 * throw the same thing.  Chain thrown to the new exception.
-                 */
-                Exception e = thrown;
-                thrown = null;
-
-                if (e instanceof RuntimeException) {
-                    throw new RuntimeException(msg, e);
-                } else if (e instanceof SSLHandshakeException) {
-                    throw (SSLHandshakeException)
-                        new SSLHandshakeException(msg).initCause(e);
-                } else if (e instanceof SSLKeyException) {
-                    throw (SSLKeyException)
-                        new SSLKeyException(msg).initCause(e);
-                } else if (e instanceof SSLPeerUnverifiedException) {
-                    throw (SSLPeerUnverifiedException)
-                        new SSLPeerUnverifiedException(msg).initCause(e);
-                } else if (e instanceof SSLProtocolException) {
-                    throw (SSLProtocolException)
-                        new SSLProtocolException(msg).initCause(e);
-                } else {
-                    /*
-                     * If it's SSLException or any other Exception,
-                     * we'll wrap it in an SSLException.
-                     */
-                    throw new SSLException(msg, e);
-                }
-            }
-        }
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HandshakeContext.java	2018-05-11 15:09:20.967778400 -0700
@@ -0,0 +1,540 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.AlgorithmConstraints;
+import java.security.CryptoPrimitive;
+import java.util.AbstractMap.SimpleImmutableEntry;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.EnumMap;
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+import java.util.Queue;
+import javax.crypto.SecretKey;
+import javax.net.ssl.SNIServerName;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import static sun.security.ssl.SupportedGroupsExtension.NamedGroupType.*;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.ssl.PskKeyExchangeModesExtension.PskKeyExchangeMode;
+
+abstract class HandshakeContext implements ConnectionContext {
+    // System properties
+
+    // By default, disable the unsafe legacy session renegotiation.
+    static final boolean allowUnsafeRenegotiation =
+            Utilities.getBooleanProperty(
+                    "sun.security.ssl.allowUnsafeRenegotiation", false);
+
+    // For maximum interoperability and backward compatibility, RFC 5746
+    // allows server (or client) to accept ClientHello (or ServerHello)
+    // message without the secure renegotiation_info extension or SCSV.
+    //
+    // For maximum security, RFC 5746 also allows server (or client) to
+    // reject such message with a fatal "handshake_failure" alert.
+    //
+    // By default, allow such legacy hello messages.
+    static final boolean allowLegacyHelloMessages =
+            Utilities.getBooleanProperty(
+                    "sun.security.ssl.allowLegacyHelloMessages", true);
+
+    // registered handshake message actors
+    final LinkedHashMap<Byte, SSLConsumer>  handshakeConsumers;
+    final HashMap<Byte, HandshakeProducer>  handshakeProducers;
+
+    // context
+    final SSLContextImpl                    sslContext;
+    final TransportContext                  conContext;
+    final SSLConfiguration                  sslConfig;
+
+    // consolidated parameters
+    final List<ProtocolVersion>             activeProtocols;
+    final List<CipherSuite>                 activeCipherSuites;
+    final AlgorithmConstraints              algorithmConstraints;
+    final ProtocolVersion                   maximumActiveProtocol;
+
+    // output stream
+    final HandshakeOutStream                handshakeOutput;
+
+    // handshake transcript hash
+    final HandshakeHash                     handshakeHash;
+
+    // negotiated security parameters
+    SSLSessionImpl                          handshakeSession;
+    boolean                                 handshakeFinished;
+    // boolean                                 isInvalidated;
+
+    boolean                                 kickstartMessageDelivered;
+
+    // Resumption
+    boolean                                 isResumption;
+    SSLSessionImpl                          resumingSession;
+
+    final Queue<Map.Entry<Byte, ByteBuffer>> delegatedActions;
+    volatile boolean                        taskDelegated = false;
+    volatile Exception                      delegatedThrown = null;
+
+    ProtocolVersion                         negotiatedProtocol;
+    CipherSuite                             negotiatedCipherSuite;
+    final List<SSLPossession>               handshakePossessions;
+    final List<SSLCredentials>              handshakeCredentials;
+    SSLKeyDerivation                        handshakeKeyDerivation;
+    SSLKeyExchange                          handshakeKeyExchange;
+    SecretKey                               baseReadSecret;
+    SecretKey                               baseWriteSecret;
+
+    // protocol version being established
+    ProtocolVersion                         protocolVersion;
+    int                                     clientHelloVersion;
+    String                                  applicationProtocol;
+
+    // the preferable signature algorithm used by ServerKeyExchange message
+    SignatureScheme                         preferableSignatureAlgorithm;
+
+    RandomCookie                            clientHelloRandom;
+    RandomCookie                            serverHelloRandom;
+    byte[]                                  certRequestContext;
+
+    ////////////////////
+    // Extensions
+
+    // the extensions used in the handshake
+    final Map<SSLExtension, SSLExtension.SSLExtensionSpec>
+                                            handshakeExtensions;
+
+    // MaxFragmentLength
+    int                                     maxFragmentLength;
+
+    // SignatureScheme
+    List<SignatureScheme>                   localSupportedSignAlgs;
+    List<SignatureScheme>                   peerRequestedSignatureSchemes;
+    List<SignatureScheme>                   peerRequestedCertSignSchemes;
+
+    // SupportedGroups
+    List<NamedGroup>                        clientRequestedNamedGroups;
+
+    // HelloRetryRequest
+    NamedGroup                              serverSelectedNamedGroup;
+
+    // if server name indicator is negotiated
+    //
+    // May need a public API for the indication in the future.
+    List<SNIServerName>                     requestedServerNames;
+    SNIServerName                           negotiatedServerName;
+
+    List<PskKeyExchangeMode>                pskKeyExchangeModes = new ArrayList<>();
+
+    // OCSP Stapling info
+    boolean                                 staplingActive = false;
+
+    protected HandshakeContext(SSLContextImpl sslContext,
+            TransportContext conContext) throws IOException {
+        this.sslContext = sslContext;
+        this.conContext = conContext;
+        this.sslConfig = (SSLConfiguration)conContext.sslConfig.clone();
+
+        this.activeProtocols = getActiveProtocols(sslConfig.enabledProtocols,
+                sslConfig.enabledCipherSuites, sslConfig.algorithmConstraints);
+        if (activeProtocols.isEmpty()) {
+            throw new SSLHandshakeException(
+                "No appropriate protocol (protocol is disabled or " +
+                "cipher suites are inappropriate)");
+        }
+
+        ProtocolVersion maximumVersion = ProtocolVersion.NONE;
+        for (ProtocolVersion pv : this.activeProtocols) {
+            if (maximumVersion == ProtocolVersion.NONE ||
+                    pv.compare(maximumVersion) > 0) {
+                maximumVersion = pv;
+            }
+        }
+        this.maximumActiveProtocol = maximumVersion;
+        this.activeCipherSuites = getActiveCipherSuites(this.activeProtocols,
+                sslConfig.enabledCipherSuites, sslConfig.algorithmConstraints);
+        if (activeCipherSuites.isEmpty()) {
+            throw new SSLHandshakeException("No appropriate cipher suite");
+        }
+        this.algorithmConstraints =
+                new SSLAlgorithmConstraints(sslConfig.algorithmConstraints);
+
+        this.handshakeConsumers = new LinkedHashMap<>();
+        this.handshakeProducers = new HashMap<>();
+        this.handshakeHash = conContext.inputRecord.handshakeHash;
+        this.handshakeOutput = new HandshakeOutStream(conContext.outputRecord);
+
+        this.handshakeFinished = false;
+        this.kickstartMessageDelivered = false;
+
+        this.delegatedActions = new LinkedList<>();
+        this.handshakeExtensions = new HashMap<>();
+        this.handshakePossessions = new LinkedList<>();
+        this.handshakeCredentials = new LinkedList<>();
+        this.requestedServerNames = new LinkedList<>();
+        this.negotiatedServerName = null;
+        this.negotiatedCipherSuite = conContext.cipherSuite;
+
+        initialize();
+    }
+
+    // Initialize the non-final class variables.
+    private void initialize() throws IOException {
+        ProtocolVersion inputHelloVersion;
+        ProtocolVersion outputHelloVersion;
+        if (conContext.isNegotiated) {
+            inputHelloVersion = conContext.protocolVersion;
+            outputHelloVersion = conContext.protocolVersion;
+        } else {
+            if (activeProtocols.contains(ProtocolVersion.SSL20Hello)) {
+                inputHelloVersion = ProtocolVersion.SSL20Hello;
+
+                // Per TLS 1.3 protocol, implementation MUST NOT send an SSL
+                // version 2.0 compatible CLIENT-HELLO.
+                if (maximumActiveProtocol.useTLS13PlusSpec()) {
+                    outputHelloVersion = maximumActiveProtocol;
+                } else {
+                    outputHelloVersion = ProtocolVersion.SSL20Hello;
+                }
+            } else {
+                inputHelloVersion = maximumActiveProtocol;
+                outputHelloVersion = maximumActiveProtocol;
+            }
+        }
+
+        conContext.inputRecord.setHelloVersion(inputHelloVersion);
+        conContext.outputRecord.setHelloVersion(outputHelloVersion);
+
+        if (!conContext.isNegotiated) {
+            conContext.protocolVersion = maximumActiveProtocol;
+        }
+        conContext.outputRecord.setVersion(conContext.protocolVersion);
+    }
+
+    private static List<ProtocolVersion> getActiveProtocols(
+            List<ProtocolVersion> enabledProtocols,
+            List<CipherSuite> enabledCipherSuites,
+            AlgorithmConstraints algorithmConstraints) {
+        boolean enabledSSL20Hello = false;
+        ArrayList<ProtocolVersion> protocols = new ArrayList<>(4);
+        for (ProtocolVersion protocol : enabledProtocols) {
+            if (!enabledSSL20Hello && protocol == ProtocolVersion.SSL20Hello) {
+                enabledSSL20Hello = true;
+                continue;
+            }
+
+            if (!algorithmConstraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                    protocol.name, null)) {
+                // Ignore disabled protocol.
+                continue;
+            }
+
+            boolean found = false;
+            Map<NamedGroupType, Boolean> cachedStatus =
+                    new EnumMap<>(NamedGroupType.class);
+            for (CipherSuite suite : enabledCipherSuites) {
+                if (suite.isAvailable() && suite.supports(protocol)) {
+                    if (isActivatable(suite,
+                            algorithmConstraints, cachedStatus)) {
+                        protocols.add(protocol);
+                        found = true;
+                        break;
+                    }
+                } else if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                        "Ignore unsupported cipher suite: " + suite +
+                             " for " + protocol);
+                }
+            }
+
+            if (!found && (SSLLogger.isOn) && SSLLogger.isOn("handshake")) {
+                SSLLogger.fine(
+                    "No available cipher suite for " + protocol);
+            }
+        }
+
+        if (!protocols.isEmpty()) {
+            if (enabledSSL20Hello) {
+                protocols.add(ProtocolVersion.SSL20Hello);
+            }
+            Collections.sort(protocols);
+        }
+
+        return Collections.unmodifiableList(protocols);
+    }
+
+    private static List<CipherSuite> getActiveCipherSuites(
+            List<ProtocolVersion> enabledProtocols,
+            List<CipherSuite> enabledCipherSuites,
+            AlgorithmConstraints algorithmConstraints) {
+
+        List<CipherSuite> suites = new LinkedList<>();
+        if (enabledProtocols != null && !enabledProtocols.isEmpty()) {
+            Map<NamedGroupType, Boolean> cachedStatus =
+                    new EnumMap<>(NamedGroupType.class);
+            for (CipherSuite suite : enabledCipherSuites) {
+                if (!suite.isAvailable()) {
+                    continue;
+                }
+
+                boolean isSupported = false;
+                for (ProtocolVersion protocol : enabledProtocols) {
+                    if (!suite.supports(protocol)) {
+                        continue;
+                    }
+                    if (isActivatable(suite,
+                            algorithmConstraints, cachedStatus)) {
+                        suites.add(suite);
+                        isSupported = true;
+                        break;
+                    }
+                }
+
+                if (!isSupported &&
+                        SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.finest(
+                            "Ignore unsupported cipher suite: " + suite);
+                }
+            }
+        }
+
+        return Collections.unmodifiableList(suites);
+    }
+
+    void dispatch(Plaintext plaintext) throws IOException {
+        // parse the handshake record.
+        //
+        //     struct {
+        //         HandshakeType msg_type;    /* handshake type */
+        //         uint24 length;             /* bytes in message */
+        //         select (HandshakeType) {
+        //             ...
+        //         } body;
+        //     } Handshake;
+        if (plaintext.contentType != ContentType.HANDSHAKE.id) {
+            conContext.fatal(Alert.INTERNAL_ERROR,
+                "Unexpected operation for record: " + plaintext.contentType);
+
+            return;     // make the compiler happy
+        }
+
+        if (plaintext.fragment == null || plaintext.fragment.remaining() < 4) {
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Invalid handshake message: insufficient data");
+
+            return;     // make the compiler happy
+        }
+
+        byte handshakeType = (byte)Record.getInt8(plaintext.fragment);
+        int handshakeLen = Record.getInt24(plaintext.fragment);
+        if (handshakeLen != plaintext.fragment.remaining()) {
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Invalid handshake message: insufficient handshake body");
+
+            return;     // make the compiler happy
+        }
+
+        if (conContext.transport.useDelegatedTask()) {
+            boolean hasDelegated = !delegatedActions.isEmpty();
+            if (hasDelegated || handshakeType != SSLHandshake.FINISHED.id) {
+                if (!hasDelegated) {
+                    taskDelegated = false;
+                    delegatedThrown = null;
+                }
+
+                // Clone the fragment for delegated actions.
+                //
+                // The plaintext may share the application buffers.  It is
+                // fine to use shared buffers if no delegated actions.
+                // However, for delegated actions, the shared buffers may be
+                // polluted in application layer before the delegated actions
+                // executed.
+                ByteBuffer fragment = ByteBuffer.wrap(
+                        new byte[plaintext.fragment.remaining()]);
+                fragment.put(plaintext.fragment);
+                fragment = fragment.rewind();
+
+                delegatedActions.add(new SimpleImmutableEntry<>(
+                        handshakeType,
+                        fragment
+                    ));
+            } else {
+                dispatch(handshakeType, plaintext.fragment);
+            }
+        } else {
+            dispatch(handshakeType, plaintext.fragment);
+        }
+    }
+
+    void dispatch(byte handshakeType,
+            ByteBuffer fragment) throws IOException {
+        SSLConsumer consumer;
+        if (handshakeType == SSLHandshake.HELLO_REQUEST.id) {
+            // For TLS 1.2 and prior versions, the HelloRequest message MAY
+            // be sent by the server at any time.
+            consumer = SSLHandshake.HELLO_REQUEST;
+        } else if (handshakeType == SSLHandshake.NEW_SESSION_TICKET.id) {
+            // new session ticket may be sent any time after server finished
+            consumer = SSLHandshake.NEW_SESSION_TICKET;
+        } else if (handshakeType == SSLHandshake.KEY_UPDATE.id) {
+            consumer = SSLHandshake.KEY_UPDATE;
+        } else {
+            consumer = handshakeConsumers.get(handshakeType);
+        }
+
+        if (consumer == null) {
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected handshake message: " +
+                    SSLHandshake.nameOf(handshakeType));
+            return;     // make the compiler happy
+        }
+
+        try {
+            consumer.consume(this, fragment);
+        } catch (UnsupportedOperationException unsoe) {
+            conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unsupported handshake message: " +
+                    SSLHandshake.nameOf(handshakeType), unsoe);
+        }
+
+        // update handshake hash after handshake message consumption.
+        handshakeHash.consume();
+    }
+
+    abstract void kickstart() throws IOException;
+
+    /**
+     * Check if the given cipher suite is enabled and available within
+     * the current active cipher suites.
+     *
+     * Does not check if the required server certificates are available.
+     */
+    boolean isNegotiable(CipherSuite cs) {
+        return isNegotiable(activeCipherSuites, cs);
+    }
+
+    /**
+     * Check if the given cipher suite is enabled and available within
+     * the proposed cipher suite list.
+     *
+     * Does not check if the required server certificates are available.
+     */
+    static final boolean isNegotiable(
+            List<CipherSuite> proposed, CipherSuite cs) {
+        return proposed.contains(cs) && cs.isNegotiable();
+    }
+
+    /**
+     * Check if the given cipher suite is enabled and available within
+     * the proposed cipher suite list and specific protocol version.
+     *
+     * Does not check if the required server certificates are available.
+     */
+    static final boolean isNegotiable(List<CipherSuite> proposed,
+            ProtocolVersion protocolVersion, CipherSuite cs) {
+        return proposed.contains(cs) &&
+                cs.isNegotiable() && cs.supports(protocolVersion);
+    }
+
+    /**
+     * Check if the given protocol version is enabled and available.
+     */
+    boolean isNegotiable(ProtocolVersion protocolVersion) {
+        return activeProtocols.contains(protocolVersion);
+    }
+
+    boolean isNegotiable(byte majorVersion, byte minorVersion) {
+        ProtocolVersion pv =
+                ProtocolVersion.valueOf(majorVersion, minorVersion);
+        if (pv == null) {
+            // unsupported protocol version
+            return false;
+        }
+
+        return activeProtocols.contains(pv);
+    }
+
+    /**
+     * Set the active protocol version and propagate it to the SSLSocket
+     * and our handshake streams. Called from ClientHandshaker
+     * and ServerHandshaker with the negotiated protocol version.
+     */
+    void setVersion(ProtocolVersion protocolVersion) {
+        this.protocolVersion = protocolVersion;
+        this.conContext.protocolVersion = protocolVersion;
+    }
+
+    private static boolean isActivatable(CipherSuite suite,
+            AlgorithmConstraints algorithmConstraints,
+            Map<NamedGroupType, Boolean> cachedStatus) {
+
+        if (algorithmConstraints.permits(
+                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), suite.name, null)) {
+            if (suite.keyExchange == null) {
+                // TLS 1.3, no definition of key exchange in cipher suite.
+                return true;
+            }
+
+            boolean available;
+            NamedGroupType groupType = suite.keyExchange.groupType;
+            if (groupType != NAMED_GROUP_NONE) {
+                Boolean checkedStatus = cachedStatus.get(groupType);
+                if (checkedStatus == null) {
+                    available = SupportedGroups.isActivatable(
+                            algorithmConstraints, groupType);
+                    cachedStatus.put(groupType, available);
+
+                    if (!available &&
+                            SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                        SSLLogger.fine("No activated named group");
+                    }
+                } else {
+                    available = checkedStatus;
+                }
+
+                if (!available && SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+                    SSLLogger.fine(
+                        "No active named group, ignore " + suite);
+                }
+                return available;
+            } else {
+                return true;
+            }
+        } else if (SSLLogger.isOn && SSLLogger.isOn("verbose")) {
+            SSLLogger.fine("Ignore disabled cipher suite: " + suite);
+        }
+
+        return false;
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HandshakeProducer.java	2018-05-11 15:09:22.965250400 -0700
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+interface HandshakeProducer {
+    // return the encoded producing if it has not been dumped to the context
+    //
+    // message: the handshake message responded to, can be null for producing
+    //          of kickstart handshake message
+    byte[] produce(ConnectionContext context,
+            HandshakeMessage message) throws IOException;
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HelloRequest.java	2018-05-11 15:09:24.606943500 -0700
@@ -0,0 +1,217 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the HelloRequest handshake message.
+ */
+final class HelloRequest {
+    static final SSLProducer kickstartProducer =
+        new HelloRequestKickstartProducer();
+
+    static final SSLConsumer handshakeConsumer =
+        new HelloRequestConsumer();
+    static final HandshakeProducer handshakeProducer =
+        new HelloRequestProducer();
+
+    /**
+     * The HelloRequest handshake message.
+     *
+     * [RFC 5246] The HelloRequest message MAY be sent by the server at any
+     * time.  HelloRequest is a simple notification that the client should
+     * begin the negotiation process anew.
+     *
+     *      struct { } HelloRequest;
+     */
+    static final class HelloRequestMessage extends HandshakeMessage {
+        HelloRequestMessage(HandshakeContext handshakeContext) {
+            super(handshakeContext);
+        }
+
+        HelloRequestMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+            if (m.hasRemaining()) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Error parsing HelloRequest message: not empty");
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.HELLO_REQUEST;
+        }
+
+        @Override
+        public int messageLength() {
+            return 0;
+        }
+
+        @Override
+        public void send(HandshakeOutStream s) throws IOException {
+            // empty, nothing to send
+        }
+
+        @Override
+        public String toString() {
+            return "<empty>";
+        }
+    }
+
+    /**
+     * The "HelloRequest" handshake message kick start producer.
+     */
+    private static final
+            class HelloRequestKickstartProducer implements SSLProducer {
+        // Prevent instantiation of this class.
+        private HelloRequestKickstartProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            HelloRequestMessage hrm = new HelloRequestMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced HelloRequest handshake message", hrm);
+            }
+
+            // Output the handshake message.
+            hrm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // update the context
+
+            // What's the expected response?
+            shc.handshakeConsumers.put(
+                    SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "HelloRequest" handshake message producer.
+     */
+    private static final class HelloRequestProducer
+            implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HelloRequestProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            HelloRequestMessage hrm = new HelloRequestMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced HelloRequest handshake message", hrm);
+            }
+
+            // Output the handshake message.
+            hrm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // update the context
+
+            // What's the expected response?
+            shc.handshakeConsumers.put(
+                    SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "HelloRequest" handshake message consumer.
+     */
+    private static final class HelloRequestConsumer
+            implements SSLConsumer {
+
+        // Prevent instantiation of this class.
+        private HelloRequestConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // For TLS 1.2 and prior versions, the HelloRequest message MAY
+            // be sent by the server at any time.  Please don't clean up this
+            // handshake consumer.
+            HelloRequestMessage hrm = new HelloRequestMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming HelloRequest handshake message", hrm);
+            }
+
+            if (!chc.kickstartMessageDelivered) {
+                if (!chc.conContext.secureRenegotiation &&
+                        !HandshakeContext.allowUnsafeRenegotiation) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "Unsafe renegotiation is not allowed");
+                }
+
+                if (!chc.conContext.secureRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                                "Continue with insecure renegotiation");
+                    }
+                }
+
+                // update the responders
+                chc.handshakeProducers.put(
+                        SSLHandshake.CLIENT_HELLO.id,
+                        SSLHandshake.CLIENT_HELLO);
+
+                //
+                // produce response handshake message
+                //
+                SSLHandshake.CLIENT_HELLO.produce(context, hrm);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ingore HelloRequest, handshaking is in progress");
+                }
+            }
+        }
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java	2018-05-11 15:09:26.274600100 -0700
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Locale;
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the HelloVerifyRequest handshake message.
+ */
+final class HelloVerifyRequest {
+    static final SSLConsumer handshakeConsumer =
+            new HelloVerifyRequestConsumer();
+    static final HandshakeProducer handshakeProducer =
+            new HelloVerifyRequestProducer();
+
+    /**
+     * The HelloVerifyRequest handshake message [RFC 6347].
+     */
+    static final class HelloVerifyRequestMessage extends HandshakeMessage {
+        final int                   serverVersion;
+        final byte[]                cookie;
+
+        HelloVerifyRequestMessage(HandshakeContext context,
+                HandshakeMessage message) throws IOException {
+            super(context);
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            HelloCookieManager hcMgr =
+                shc.sslContext.getHelloCookieManager(ProtocolVersion.DTLS10);
+            this.serverVersion = shc.clientHelloVersion;
+            this.cookie = hcMgr.createCookie(shc, clientHello);
+        }
+
+        HelloVerifyRequestMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+            // This happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            //  struct {
+            //      ProtocolVersion server_version;
+            //      opaque cookie<0..2^8-1>;
+            //  } HelloVerifyRequest;
+            if (m.remaining() < 3) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Invalid HelloVerifyRequest: no sufficient data");
+            }
+
+            byte major = m.get();
+            byte minor = m.get();
+            this.serverVersion = ((major & 0xFF) << 8) | (minor & 0xFF);
+            this.cookie = Record.getBytes8(m);
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.HELLO_VERIFY_REQUEST;
+        }
+
+        @Override
+        public int messageLength() {
+            return 2 + cookie.length;   // 2: the length of protocol version
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putInt8((byte)((serverVersion >>> 8) & 0xFF));
+            hos.putInt8((byte)(serverVersion & 0xFF));
+            hos.putBytes8(cookie);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"HelloVerifyRequest\": '{'\n" +
+                "  \"server version\"      : \"{0}\",\n" +
+                "  \"cookie\"              : \"{1}\",\n" +
+                "'}'",
+                Locale.ENGLISH);
+            Object[] messageFields = {
+                ProtocolVersion.nameOf(serverVersion),
+                Utilities.toHexString(cookie),
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "HelloVerifyRequest" handshake message producer.
+     */
+    private static final
+            class HelloVerifyRequestProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HelloVerifyRequestProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // clean up this producer
+            shc.handshakeProducers.remove(SSLHandshake.HELLO_VERIFY_REQUEST.id);
+
+            HelloVerifyRequestMessage hvrm =
+                    new HelloVerifyRequestMessage(shc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced HelloVerifyRequest handshake message", hvrm);
+            }
+
+            // Output the handshake message.
+            hvrm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // update the context
+
+            // TODO: stateless, clean up the handshake context?
+            shc.handshakeHash.finish();     // forgot about the handshake hash
+            shc.handshakeExtensions.clear();
+
+            // What's the expected response?
+            shc.handshakeConsumers.put(
+                    SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "HelloVerifyRequest" handshake message consumer.
+     */
+    private static final class HelloVerifyRequestConsumer
+            implements SSLConsumer {
+
+        // Prevent instantiation of this class.
+        private HelloVerifyRequestConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.HELLO_VERIFY_REQUEST.id);
+            if (!chc.handshakeConsumers.isEmpty()) {
+                chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
+            }
+            if (!chc.handshakeConsumers.isEmpty()) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "No more message expected before " +
+                        "HelloVerifyRequest is processed");
+            }
+
+            // Refresh handshake hash.
+            chc.handshakeHash.finish();     // forgot about the handshake hash
+
+            HelloVerifyRequestMessage hvrm =
+                    new HelloVerifyRequestMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming HelloVerifyRequest handshake message", hvrm);
+            }
+
+            // Note that HelloVerifyRequest.server_version is used solely to
+            // indicate packet formatting, and not as part of version
+            // negotiation.  Need not to check version values match for
+            // HelloVerifyRequest message.
+            chc.initialClientHelloMsg.setHelloCookie(hvrm.cookie);
+
+            //
+            // produce response handshake message
+            //
+            SSLHandshake.CLIENT_HELLO.produce(context, hvrm);
+        }
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java	2018-05-11 15:09:27.934225600 -0700
@@ -0,0 +1,960 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import javax.net.ssl.SSLProtocolException;
+import sun.security.ssl.DHKeyExchange.DHECredentials;
+import sun.security.ssl.DHKeyExchange.DHEPossession;
+import sun.security.ssl.ECDHKeyExchange.ECDHECredentials;
+import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
+import sun.security.ssl.KeyShareExtension.CHKeyShareSpec;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the "key_share" extensions.
+ */
+final class KeyShareExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHKeyShareProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHKeyShareConsumer();
+    static final SSLStringize chStringize =
+            new CHKeyShareStringize();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHKeyShareProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHKeyShareConsumer();
+    static final HandshakeAbsence shOnLoadAbsence =
+            new SHKeyShareAbsence();
+    static final SSLStringize shStringize =
+            new SHKeyShareStringize();
+
+    static final HandshakeProducer hrrNetworkProducer =
+            new HRRKeyShareProducer();
+    static final ExtensionConsumer hrrOnLoadConcumer =
+            new HRRKeyShareConsumer();
+    static final HandshakeProducer hrrNetworkReproducer =
+            new HRRKeyShareReproducer();
+    static final SSLStringize hrrStringize =
+            new HRRKeyShareStringize();
+
+    /**
+     * The key share entry used in "key_share" extensions.
+     */
+    private static final class KeyShareEntry {
+        final int namedGroupId;
+        final byte[] keyExchange;
+
+        private KeyShareEntry(int namedGroupId, byte[] keyExchange) {
+            this.namedGroupId = namedGroupId;
+            this.keyExchange = keyExchange;
+        }
+
+        private byte[] getEncoded() {
+            byte[] buffer = new byte[keyExchange.length + 4];
+                                            //  2: named group id
+                                            // +2: key exchange length
+            ByteBuffer m = ByteBuffer.wrap(buffer);
+            try {
+                Record.putInt16(m, namedGroupId);
+                Record.putBytes16(m, keyExchange);
+            } catch (IOException ioe) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                        "Unlikely IOException", ioe);
+                }
+            }
+
+            return buffer;
+        }
+
+        private int getEncodedSize() {
+            return keyExchange.length + 4;  //  2: named group id
+                                            // +2: key exchange length
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\n'{'\n" +
+                "  \"named group\": {0}\n" +
+                "  \"key_exchange\": '{'\n" +
+                "{1}\n" +
+                "  '}'\n" +
+                "'}',", Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                NamedGroup.nameOf(namedGroupId),
+                Utilities.indent(hexEncoder.encode(keyExchange), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "key_share" extension in a ClientHello handshake message.
+     */
+    static final class CHKeyShareSpec implements SSLExtensionSpec {
+        final List<KeyShareEntry> clientShares;
+
+        private CHKeyShareSpec(List<KeyShareEntry> clientShares) {
+            this.clientShares = clientShares;
+        }
+
+        private CHKeyShareSpec(ByteBuffer buffer) throws IOException {
+            // struct {
+            //      KeyShareEntry client_shares<0..2^16-1>;
+            // } KeyShareClientHello;
+            if (buffer.remaining() < 2) {
+                throw new SSLProtocolException(
+                    "Invalid key_share extension: " +
+                    "insufficient data (length=" + buffer.remaining() + ")");
+            }
+
+            int listLen = Record.getInt16(buffer);
+            if (listLen != buffer.remaining()) {
+                throw new SSLProtocolException(
+                    "Invalid key_share extension: " +
+                    "incorrect list length (length=" + listLen + ")");
+            }
+
+            List<KeyShareEntry> keyShares = new LinkedList<>();
+            while (buffer.hasRemaining()) {
+                int namedGroupId = Record.getInt16(buffer);
+                byte[] keyExchange = Record.getBytes16(buffer);
+                if (keyExchange.length == 0) {
+                    throw new SSLProtocolException(
+                        "Invalid key_share extension: empty key_exchange");
+                }
+
+                keyShares.add(new KeyShareEntry(namedGroupId, keyExchange));
+            }
+
+            this.clientShares = Collections.unmodifiableList(keyShares);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"client_shares\": '['{0}\n']'", Locale.ENGLISH);
+
+            StringBuilder builder = new StringBuilder(512);
+            for (KeyShareEntry entry : clientShares) {
+                builder.append(entry.toString());
+            }
+
+            Object[] messageFields = {
+                Utilities.indent(builder.toString())
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    private static final class CHKeyShareStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CHKeyShareSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of the extension in a ClientHello
+     * handshake message.
+     */
+    private static final
+            class CHKeyShareProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHKeyShareProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable key_share extension");
+                }
+                return null;
+            }
+
+            List<NamedGroup> namedGroups;
+            if (chc.serverSelectedNamedGroup != null) {
+                // Response to HelloRetryRequest
+                namedGroups = Arrays.asList(chc.serverSelectedNamedGroup);
+            } else {
+                namedGroups = chc.clientRequestedNamedGroups;
+                if (namedGroups == null || namedGroups.isEmpty()) {
+                    // No supported groups.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                            "Ignore key_share extension, no supported groups");
+                    }
+                    return null;
+                }
+            }
+
+            List<KeyShareEntry> keyShares = new LinkedList<>();
+            for (NamedGroup ng : namedGroups) {
+                SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
+                if (ke == null) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                            "No key exchange for named group " + ng.name);
+                    }
+                    continue;
+                }
+
+                SSLPossession[] poses = ke.createPossessions(chc);
+                for (SSLPossession pos : poses) {
+                    // update the context
+                    chc.handshakePossessions.add(pos);
+                    if (!(pos instanceof ECDHEPossession) &&
+                            !(pos instanceof DHEPossession)) {
+                        // May need more possesion types in the future.
+                        continue;
+                    }
+
+                    keyShares.add(new KeyShareEntry(ng.id, pos.encode()));
+                }
+
+                // One key share entry only.  Too much key share entries makes
+                // the ClientHello handshake message really big.
+                if (!keyShares.isEmpty()) {
+                    break;
+                }
+            }
+
+            int listLen = 0;
+            for (KeyShareEntry entry : keyShares) {
+                listLen += entry.getEncodedSize();
+            }
+            byte[] extData = new byte[listLen + 2];     //  2: list length
+            ByteBuffer m = ByteBuffer.wrap(extData);
+            Record.putInt16(m, listLen);
+            for (KeyShareEntry entry : keyShares) {
+                m.put(entry.getEncoded());
+            }
+
+            // update the context
+            chc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE,
+                    new CHKeyShareSpec(keyShares));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of the extension in a ClientHello
+     * handshake message.
+     */
+    private static final class CHKeyShareConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHKeyShareConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            if (shc.handshakeExtensions.containsKey(SSLExtension.CH_KEY_SHARE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "The key_share extension has been loaded");
+                }
+                return;
+            }
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.CH_KEY_SHARE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable key_share extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension
+            CHKeyShareSpec spec;
+            try {
+                spec = new CHKeyShareSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            List<SSLCredentials> credentials = new LinkedList<>();
+            for (KeyShareEntry entry : spec.clientShares) {
+                NamedGroup ng = NamedGroup.valueOf(entry.namedGroupId);
+                if (ng != null && !SupportedGroups.isActivatable(
+                        shc.sslConfig.algorithmConstraints, ng)) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                                "Ignore unsupported named group: " +
+                                NamedGroup.nameOf(entry.namedGroupId));
+                    }
+                    continue;
+                }
+
+                if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                    try {
+                        ECDHECredentials ecdhec =
+                            ECDHECredentials.valueOf(ng, entry.keyExchange);
+                        if (ecdhec != null) {
+                            if (!shc.algorithmConstraints.permits(
+                                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                    ecdhec.popPublicKey)) {
+                                SSLLogger.warning(
+                                        "ECDHE key share entry does not " +
+                                        "comply to algorithm constraints");
+                            } else {
+                                credentials.add(ecdhec);
+                            }
+                        }
+                    } catch (IOException | GeneralSecurityException ex) {
+                        SSLLogger.warning(
+                                "Cannot decode named group: " +
+                                NamedGroup.nameOf(entry.namedGroupId));
+                    }
+                } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                    try {
+                        DHECredentials dhec =
+                                DHECredentials.valueOf(ng, entry.keyExchange);
+                        if (dhec != null) {
+                            if (!shc.algorithmConstraints.permits(
+                                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                    dhec.popPublicKey)) {
+                                SSLLogger.warning(
+                                        "DHE key share entry does not " +
+                                        "comply to algorithm constraints");
+                            } else {
+                                credentials.add(dhec);
+                            }
+                        }
+                    } catch (IOException | GeneralSecurityException ex) {
+                        SSLLogger.warning(
+                                "Cannot decode named group: " +
+                                NamedGroup.nameOf(entry.namedGroupId));
+                    }
+                }
+            }
+
+            if (!credentials.isEmpty()) {
+                shc.handshakeCredentials.addAll(credentials);
+            } else {
+                // New handshake credentials are required from the client side.
+                shc.handshakeProducers.put(
+                        SSLHandshake.HELLO_RETRY_REQUEST.id,
+                        SSLHandshake.HELLO_RETRY_REQUEST);
+            }
+
+            // update the context
+            shc.handshakeExtensions.put(SSLExtension.CH_KEY_SHARE, spec);
+        }
+    }
+
+    /**
+     * The key share entry used in ServerHello "key_share" extensions.
+     */
+    static final class SHKeyShareSpec implements SSLExtensionSpec {
+        final KeyShareEntry serverShare;
+
+        SHKeyShareSpec(KeyShareEntry serverShare) {
+            this.serverShare = serverShare;
+        }
+
+        private SHKeyShareSpec(ByteBuffer buffer) throws IOException {
+            // struct {
+            //      KeyShareEntry server_share;
+            // } KeyShareServerHello;
+            if (buffer.remaining() < 5) {       // 5: minimal server_share
+                throw new SSLProtocolException(
+                    "Invalid key_share extension: " +
+                    "insufficient data (length=" + buffer.remaining() + ")");
+            }
+
+            int namedGroupId = Record.getInt16(buffer);
+            byte[] keyExchange = Record.getBytes16(buffer);
+
+            if (buffer.hasRemaining()) {
+                throw new SSLProtocolException(
+                    "Invalid key_share extension: unknown extra data");
+            }
+
+            this.serverShare = new KeyShareEntry(namedGroupId, keyExchange);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"server_share\": '{'\n" +
+                "  \"named group\": {0}\n" +
+                "  \"key_exchange\": '{'\n" +
+                "{1}\n" +
+                "  '}'\n" +
+                "'}',", Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                NamedGroup.nameOf(serverShare.namedGroupId),
+                Utilities.indent(
+                        hexEncoder.encode(serverShare.keyExchange), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    private static final class SHKeyShareStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new SHKeyShareSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of the extension in a ServerHello
+     * handshake message.
+     */
+    private static final class SHKeyShareProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHKeyShareProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to key_share request only
+            CHKeyShareSpec kss =
+                    (CHKeyShareSpec)shc.handshakeExtensions.get(
+                            SSLExtension.CH_KEY_SHARE);
+            if (kss == null) {
+                // Unlikely, no key_share extension requested.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Ignore, no client key_share extension");
+                }
+                return null;
+            }
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Ignore, no available server key_share extension");
+                }
+                return null;
+            }
+
+            // use requested key share entries
+            if ((shc.handshakeCredentials == null) ||
+                    shc.handshakeCredentials.isEmpty()) {
+                // Unlikely, HelloRetryRequest should be used ealier.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "No available client key share entries");
+                }
+                return null;
+            }
+
+            KeyShareEntry keyShare = null;
+            for (SSLCredentials cd : shc.handshakeCredentials) {
+                NamedGroup ng = null;
+                if (cd instanceof ECDHECredentials) {
+                    ng = ((ECDHECredentials)cd).namedGroup;
+                } else if (cd instanceof DHECredentials) {
+                    ng = ((DHECredentials)cd).namedGroup;
+                }
+
+                if (ng == null) {
+                    continue;
+                }
+
+                SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
+                if (ke == null) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning(
+                            "No key exchange for named group " + ng.name);
+                    }
+                    continue;
+                }
+
+                SSLPossession[] poses = ke.createPossessions(shc);
+                for (SSLPossession pos : poses) {
+                    if (!(pos instanceof ECDHEPossession) &&
+                            !(pos instanceof DHEPossession)) {
+                        // May need more possesion types in the future.
+                        continue;
+                    }
+
+                    // update the context
+                    shc.handshakeKeyExchange = ke;
+                    shc.handshakePossessions.add(pos);
+                    keyShare = new KeyShareEntry(ng.id, pos.encode());
+                    break;
+                }
+
+                if (keyShare != null) {
+                    for (Map.Entry<Byte, HandshakeProducer> me :
+                            ke.getHandshakeProducers(shc)) {
+                        shc.handshakeProducers.put(
+                                me.getKey(), me.getValue());
+                    }
+
+                    // We have got one! Don't forgor to break.
+                    break;
+                }
+            }
+
+            if (keyShare == null) {
+                // Unlikely, HelloRetryRequest should be used instead ealier.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "No available server key_share extension");
+                }
+                return null;
+            }
+
+            byte[] extData = keyShare.getEncoded();
+
+            // update the context
+            SHKeyShareSpec spec = new SHKeyShareSpec(keyShare);
+            shc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec);
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of the extension in a ServerHello
+     * handshake message.
+     */
+    private static final class SHKeyShareConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHKeyShareConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // Happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            if (chc.clientRequestedNamedGroups == null ||
+                    chc.clientRequestedNamedGroups.isEmpty()) {
+                // No supported groups.
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected key_share extension in ServerHello");
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported key_share extension in ServerHello");
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Parse the extension
+            SHKeyShareSpec spec;
+            try {
+                spec = new SHKeyShareSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            KeyShareEntry keyShare = spec.serverShare;
+            NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
+            if (ng == null || !SupportedGroups.isActivatable(
+                    chc.sslConfig.algorithmConstraints, ng)) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported named group: " +
+                        NamedGroup.nameOf(keyShare.namedGroupId));
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
+            if (ke == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "No key exchange for named group " + ng.name);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            SSLCredentials credentials = null;
+            if (ng.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                try {
+                    ECDHECredentials ecdhec =
+                            ECDHECredentials.valueOf(ng, keyShare.keyExchange);
+                    if (ecdhec != null) {
+                        if (!chc.algorithmConstraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                ecdhec.popPublicKey)) {
+                            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                                    "ECDHE key share entry does not " +
+                                    "comply to algorithm constraints");
+                        } else {
+                            credentials = ecdhec;
+                        }
+                    }
+                } catch (IOException | GeneralSecurityException ex) {
+                    chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            "Cannot decode named group: " +
+                            NamedGroup.nameOf(keyShare.namedGroupId));
+                }
+            } else if (ng.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                try {
+                    DHECredentials dhec =
+                            DHECredentials.valueOf(ng, keyShare.keyExchange);
+                    if (dhec != null) {
+                        if (!chc.algorithmConstraints.permits(
+                                EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
+                                dhec.popPublicKey)) {
+                            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                                    "DHE key share entry does not " +
+                                    "comply to algorithm constraints");
+                        } else {
+                            credentials = dhec;
+                        }
+                    }
+                } catch (IOException | GeneralSecurityException ex) {
+                    chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            "Cannot decode named group: " +
+                            NamedGroup.nameOf(keyShare.namedGroupId));
+                }
+            } else {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported named group: " +
+                        NamedGroup.nameOf(keyShare.namedGroupId));
+            }
+
+            if (credentials == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported named group: " + ng.name);
+            }
+
+            // update the context
+            chc.handshakeKeyExchange = ke;
+            chc.handshakeCredentials.add(credentials);
+            chc.handshakeExtensions.put(SSLExtension.SH_KEY_SHARE, spec);
+        }
+    }
+
+    /**
+     * The absence processing if the extension is not present in
+     * the ServerHello handshake message.
+     */
+    private static final class SHKeyShareAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Cannot use the previous requested key shares any more.
+            if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
+                SSLLogger.fine(
+                        "No key_share extension in ServerHello, " +
+                        "cleanup the key shares if necessary");
+            }
+            chc.handshakePossessions.clear();
+        }
+    }
+
+    /**
+     * The key share entry used in HelloRetryRequest "key_share" extensions.
+     */
+    static final class HRRKeyShareSpec implements SSLExtensionSpec {
+        final int selectedGroup;
+
+        HRRKeyShareSpec(NamedGroup serverGroup) {
+            this.selectedGroup = serverGroup.id;
+        }
+
+        private HRRKeyShareSpec(ByteBuffer buffer) throws IOException {
+            // struct {
+            //     NamedGroup selected_group;
+            // } KeyShareHelloRetryRequest;
+            if (buffer.remaining() != 2) {
+                throw new SSLProtocolException(
+                    "Invalid key_share extension: " +
+                    "improper data (length=" + buffer.remaining() + ")");
+            }
+
+            this.selectedGroup = Record.getInt16(buffer);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"selected group\": '['{0}']'", Locale.ENGLISH);
+
+            Object[] messageFields = {
+                    NamedGroup.nameOf(selectedGroup)
+                };
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    private static final class HRRKeyShareStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new HRRKeyShareSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of the extension in a HelloRetryRequest
+     * handshake message.
+     */
+    private static final
+            class HRRKeyShareProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HRRKeyShareProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext) context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported key_share extension in HelloRetryRequest");
+                return null;    // make the compiler happy.
+            }
+
+            if (shc.clientRequestedNamedGroups == null ||
+                    shc.clientRequestedNamedGroups.isEmpty()) {
+                // No supported groups.
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected key_share extension in HelloRetryRequest");
+                return null;    // make the compiler happy.
+            }
+
+            NamedGroup selectedGroup = null;
+            for (NamedGroup ng : shc.clientRequestedNamedGroups) {
+                if (SupportedGroups.isActivatable(
+                        shc.sslConfig.algorithmConstraints, ng)) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                                "HelloRetryRequest selected named group: " +
+                                ng.name);
+                    }
+
+                    // TODO: is the named group supported by the underlying
+                    // crypto provider?
+                    selectedGroup = ng;
+                    break;
+                }
+            }
+
+            if (selectedGroup == null) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        new IOException("No common named group"));
+                return null;    // make the complier happy
+            }
+
+            byte[] extdata = new byte[] {
+                    (byte)((selectedGroup.id >> 8) & 0xFF),
+                    (byte)(selectedGroup.id & 0xFF)
+                };
+
+            // update the context
+            shc.serverSelectedNamedGroup = selectedGroup;
+            shc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE,
+                    new HRRKeyShareSpec(selectedGroup));
+
+            return extdata;
+        }
+    }
+
+    /**
+     * Network data producer of the extension for stateless
+     * HelloRetryRequest reconstruction.
+     */
+    private static final
+            class HRRKeyShareReproducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HRRKeyShareReproducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext) context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported key_share extension in HelloRetryRequest");
+                return null;    // make the compiler happy.
+            }
+
+            CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
+                    SSLExtension.CH_KEY_SHARE);
+            if (spec != null && spec.clientShares != null &&
+                    spec.clientShares.size() == 1) {
+                int namedGroupId = spec.clientShares.get(0).namedGroupId;
+
+                byte[] extdata = new byte[] {
+                        (byte)((namedGroupId >> 8) & 0xFF),
+                        (byte)(namedGroupId & 0xFF)
+                    };
+
+                return extdata;
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data consumer of the extension in a HelloRetryRequest
+     * handshake message.
+     */
+    private static final
+            class HRRKeyShareConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private HRRKeyShareConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported key_share extension in HelloRetryRequest");
+                return;     // make the compiler happy.
+            }
+
+            if (chc.clientRequestedNamedGroups == null ||
+                    chc.clientRequestedNamedGroups.isEmpty()) {
+                // No supported groups.
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected key_share extension in HelloRetryRequest");
+                return;     // make the compiler happy.
+            }
+
+            // Parse the extension
+            HRRKeyShareSpec spec;
+            try {
+                spec = new HRRKeyShareSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
+            if (serverGroup == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unsupported HelloRetryRequest selected group: " +
+                                NamedGroup.nameOf(spec.selectedGroup));
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected HelloRetryRequest selected group: " +
+                                serverGroup.name);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // TODO: the selected group does not correspond to a group which
+            // was provided in the "key_share" extension in the original
+            // ClientHello.
+
+            // update the context
+
+            // When sending the new ClientHello, the client MUST replace the
+            // original "key_share" extension with one containing only a new
+            // KeyShareEntry for the group indicated in the selected_group
+            // field of the triggering HelloRetryRequest.
+            //
+            chc.serverSelectedNamedGroup = serverGroup;
+            chc.handshakeExtensions.put(SSLExtension.HRR_KEY_SHARE, spec);
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/KeyUpdate.java	2018-05-11 15:09:29.879028500 -0700
@@ -0,0 +1,284 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SSLCipher.SSLReadCipher;
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
+
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+
+/**
+ * Pack of the KeyUpdate handshake message.
+ */
+final class KeyUpdate {
+    static final SSLProducer kickstartProducer =
+        new KeyUpdateKickstartProducer();
+
+    static final SSLConsumer handshakeConsumer =
+        new KeyUpdateConsumer();
+    static final HandshakeProducer handshakeProducer =
+        new KeyUpdateProducer();
+
+    /**
+     * The KeyUpdate handshake message.
+     *
+     * The KeyUpdate handshake message is used to indicate that the sender is
+     * updating its sending cryptographic keys.
+     *
+     *       enum {
+     *           update_not_requested(0), update_requested(1), (255)
+     *       } KeyUpdateRequest;
+     *
+     *       struct {
+     *           KeyUpdateRequest request_update;
+     *       } KeyUpdate;
+     */
+    static final class KeyUpdateMessage extends HandshakeMessage {
+        static final byte NOTREQUSTED = 0;
+        static final byte REQUSTED = 1;
+        private byte status;
+        HandshakeOutStream hos;
+
+        KeyUpdateMessage(HandshakeContext context, byte status) {
+            super(context);
+            this.status = status;
+            if (status > 1) {
+                new IOException("KeyUpdate message value invalid: " + status);
+            }
+        }
+        KeyUpdateMessage(HandshakeContext context, ByteBuffer m)
+                throws IOException{
+            super(context);
+
+            if (m.remaining() != 1) {
+                throw new IOException("KeyUpdate has an unexpected length of "+
+                        m.remaining());
+            }
+
+            status = m.get();
+            if (status > 1) {
+                new IOException("KeyUpdate message value invalid: " + status);
+            }
+        }
+
+        KeyUpdateMessage(PostHandshakeContext context, byte status) {
+            super(context);
+            this.status = status;
+            if (status > 1) {
+                new IOException("KeyUpdate message value invalid: " + status);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.KEY_UPDATE;
+        }
+
+        @Override
+        public int messageLength() {
+            // one byte enum
+            return 1;
+        }
+
+        @Override
+        public void send(HandshakeOutStream s) throws IOException {
+            s.write(status);
+        }
+
+        @Override
+        public String toString() {
+            throw new UnsupportedOperationException("Not supported yet.");
+        }
+
+        byte getStatus() {
+            return status;
+        }
+    }
+
+    private static final
+            class KeyUpdateKickstartProducer implements SSLProducer {
+        // Prevent instantiation of this class.
+        private KeyUpdateKickstartProducer() {
+            // blank
+        }
+
+        // Produce kickstart handshake message.
+        @Override
+        public byte[] produce(ConnectionContext context) throws IOException {
+            HandshakeContext hc = (HandshakeContext)context;
+            handshakeProducer.produce(hc,
+                    new KeyUpdateMessage(hc, KeyUpdateMessage.REQUSTED));
+            return null;
+        }
+    }
+
+    /**
+     * The "KeyUpdate" handshake message consumer.
+     */
+    private static final class KeyUpdateConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private KeyUpdateConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            HandshakeContext hc = (HandshakeContext)context;
+            KeyUpdateMessage km = new KeyUpdateMessage(hc, message);
+
+            if (km.getStatus() == KeyUpdateMessage.NOTREQUSTED) {
+                return;
+            }
+
+            SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
+            if (kdg == null) {
+                // unlikely
+                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                                hc.conContext.protocolVersion);
+                return;
+            }
+
+            SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
+                    hc.conContext.inputRecord.readCipher.baseSecret);
+            SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
+            if (skd == null) {
+                // unlikely
+                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "no key derivation");
+                return;
+            }
+
+            SSLKeyDerivation kd = kdg.createKeyDerivation(hc, nplus1);
+            SecretKey key = kd.deriveKey("TlsKey", null);
+            IvParameterSpec ivSpec =
+                    new IvParameterSpec(kd.deriveKey("TlsIv", null)
+                            .getEncoded());
+            try {
+                SSLReadCipher rc =
+                        hc.negotiatedCipherSuite.bulkCipher.createReadCipher(
+                                Authenticator.valueOf(hc.conContext.protocolVersion),
+                                hc.conContext.protocolVersion, key, ivSpec,
+                                hc.sslContext.getSecureRandom());
+                hc.conContext.inputRecord.changeReadCiphers(rc);
+                hc.conContext.inputRecord.readCipher.baseSecret = nplus1;
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine("KeyUpdate: read key updated");
+                }
+
+            } catch (GeneralSecurityException e) {
+                throw new IOException(e);
+            }
+
+            // Send Reply
+            handshakeProducer.produce(hc,
+                    new KeyUpdateMessage(hc, KeyUpdateMessage.NOTREQUSTED));
+        }
+    }
+
+    /**
+     * The "KeyUpdate" handshake message producer.
+     */
+    private static final class KeyUpdateProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private KeyUpdateProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            HandshakeContext hc = (HandshakeContext)context;
+            KeyUpdateMessage km = (KeyUpdateMessage)message;
+
+            SecretKey secret;
+
+            if (km.getStatus() == KeyUpdateMessage.REQUSTED) {
+                secret = hc.conContext.outputRecord.writeCipher.baseSecret;
+            } else {
+                km.write(hc.handshakeOutput);
+                hc.handshakeOutput.flush();
+                return null;
+            }
+
+            SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
+            if (kdg == null) {
+                // unlikely
+                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                                hc.conContext.protocolVersion);
+                return null;
+            }
+            // update the application traffic read keys.
+            SSLKeyDerivation skd = kdg.createKeyDerivation(hc, secret);
+            if (skd == null) {
+                // unlikely
+                hc.conContext.fatal(Alert.INTERNAL_ERROR,"no key derivation");
+                return null;
+            }
+            SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
+            SSLKeyDerivation kd =
+                    kdg.createKeyDerivation(hc, nplus1);
+            SecretKey key = kd.deriveKey("TlsKey", null);
+            IvParameterSpec ivSpec =
+                    new IvParameterSpec(kd.deriveKey("TlsIv", null)
+                            .getEncoded());
+
+            SSLWriteCipher wc;
+            try {
+                wc = hc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
+                        Authenticator.valueOf(hc.conContext.protocolVersion),
+                        hc.conContext.protocolVersion, key, ivSpec,
+                        hc.sslContext.getSecureRandom());
+
+            } catch (GeneralSecurityException gse){
+                hc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failure to derive application secrets", gse);
+                return null;
+            }
+
+            km.write(hc.handshakeOutput);
+            hc.handshakeOutput.flush();
+            hc.conContext.outputRecord.changeWriteCiphers(wc, false);
+            hc.conContext.outputRecord.writeCipher.baseSecret = nplus1;
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.fine("KeyUpdate: write key updated");
+            }
+            return null;
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/MaxFragmentLengthExtension.java	2018-05-11 15:09:32.264014700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,139 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import javax.net.ssl.SSLProtocolException;
-
-/*
- * [RFC6066] TLS specifies a fixed maximum plaintext fragment length of
- * 2^14 bytes.  It may be desirable for constrained clients to negotiate
- * a smaller maximum fragment length due to memory limitations or bandwidth
- * limitations.
- *
- * In order to negotiate smaller maximum fragment lengths, clients MAY
- * include an extension of type "max_fragment_length" in the (extended)
- * client hello.  The "extension_data" field of this extension SHALL
- * contain:
- *
- *    enum{
- *        2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
- *    } MaxFragmentLength;
- *
- * whose value is the desired maximum fragment length.
- */
-final class MaxFragmentLengthExtension extends HelloExtension {
-
-    private static final int MAX_FRAGMENT_LENGTH_512  = 1;      // 2^9
-    private static final int MAX_FRAGMENT_LENGTH_1024 = 2;      // 2^10
-    private static final int MAX_FRAGMENT_LENGTH_2048 = 3;      // 2^11
-    private static final int MAX_FRAGMENT_LENGTH_4096 = 4;      // 2^12
-
-    final int maxFragmentLength;
-
-    MaxFragmentLengthExtension(int fragmentSize) {
-        super(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
-
-        if (fragmentSize < 1024) {
-            maxFragmentLength = MAX_FRAGMENT_LENGTH_512;
-        } else if (fragmentSize < 2048) {
-            maxFragmentLength = MAX_FRAGMENT_LENGTH_1024;
-        } else if (fragmentSize < 4096) {
-            maxFragmentLength = MAX_FRAGMENT_LENGTH_2048;
-        } else {
-            maxFragmentLength = MAX_FRAGMENT_LENGTH_4096;
-        }
-    }
-
-    MaxFragmentLengthExtension(HandshakeInStream s, int len)
-                throws IOException {
-        super(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
-
-        // check the extension length
-        if (len != 1) {
-            throw new SSLProtocolException("Invalid " + type + " extension");
-        }
-
-        maxFragmentLength = s.getInt8();
-        if ((maxFragmentLength > 4) || (maxFragmentLength < 1)) {
-            throw new SSLProtocolException("Invalid " + type + " extension");
-        }
-    }
-
-    // Length of the encoded extension, including the type and length fields
-    @Override
-    int length() {
-        return 5;               // 4: extension type and length fields
-                                // 1: MaxFragmentLength field
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(1);
-        s.putInt8(maxFragmentLength);
-    }
-
-    int getMaxFragLen() {
-        switch (maxFragmentLength) {
-            case MAX_FRAGMENT_LENGTH_512:
-                return 512;
-            case MAX_FRAGMENT_LENGTH_1024:
-                return 1024;
-            case MAX_FRAGMENT_LENGTH_2048:
-                return 2048;
-            case MAX_FRAGMENT_LENGTH_4096:
-                return 4096;
-        }
-
-        // unlikely to happen
-        return -1;
-    }
-
-    static boolean needFragLenNego(int fragmentSize) {
-        return (fragmentSize > 0) && (fragmentSize <= 4096);
-    }
-
-    static int getValidMaxFragLen(int fragmentSize) {
-        if (fragmentSize < 1024) {
-            return 512;
-        } else if (fragmentSize < 2048) {
-            return 1024;
-        } else if (fragmentSize < 4096) {
-            return 2048;
-        } else if (fragmentSize == 4096) {
-            return 4096;
-        } else {
-            return 16384;
-        }
-    }
-
-    @Override
-    public String toString() {
-        return "Extension " + type + ", max_fragment_length: " +
-                "(2^" + (maxFragmentLength + 8) + ")";
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java	2018-05-11 15:09:31.521298900 -0700
@@ -0,0 +1,620 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import javax.net.ssl.SSLProtocolException;
+import static sun.security.ssl.SSLExtension.CH_MAX_FRAGMENT_LENGTH;
+import static sun.security.ssl.SSLExtension.EE_MAX_FRAGMENT_LENGTH;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.SH_MAX_FRAGMENT_LENGTH;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the "max_fragment_length" extensions [RFC6066].
+ */
+final class MaxFragExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHMaxFragmentLengthProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHMaxFragmentLengthConsumer();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHMaxFragmentLengthProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHMaxFragmentLengthConsumer();
+    static final HandshakeConsumer shOnTradeConsumer =
+            new SHMaxFragmentLengthUpdate();
+
+    static final HandshakeProducer eeNetworkProducer =
+            new EEMaxFragmentLengthProducer();
+    static final ExtensionConsumer eeOnLoadConcumer =
+            new EEMaxFragmentLengthConsumer();
+    static final HandshakeConsumer eeOnTradeConsumer =
+            new EEMaxFragmentLengthUpdate();
+
+    static final SSLStringize maxFragLenStringize =
+            new MaxFragLenStringize();
+
+    /**
+     * The "max_fragment_length" extension [RFC 6066].
+     */
+    static final class MaxFragLenSpec implements SSLExtensionSpec {
+        byte id;
+
+        private MaxFragLenSpec(byte id) {
+            this.id = id;
+        }
+
+        private MaxFragLenSpec(ByteBuffer buffer) throws IOException {
+            if (buffer.remaining() != 1) {
+                throw new SSLProtocolException(
+                    "Invalid max_fragment_length extension data");
+            }
+
+            this.id = buffer.get();
+        }
+
+        @Override
+        public String toString() {
+            return MaxFragLenEnum.nameOf(id);
+        }
+    }
+
+    private static final class MaxFragLenStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new MaxFragLenSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    static enum MaxFragLenEnum {
+        MFL_512     ((byte)0x01,  512,  "2^9"),
+        MFL_1024    ((byte)0x02, 1024,  "2^10"),
+        MFL_2048    ((byte)0x03, 2048,  "2^11"),
+        MFL_4096    ((byte)0x04, 4096,  "2^12");
+
+        final byte id;
+        final int fragmentSize;
+        final String description;
+
+        private MaxFragLenEnum(byte id, int fragmentSize, String description) {
+            this.id = id;
+            this.fragmentSize = fragmentSize;
+            this.description = description;
+        }
+
+        private static MaxFragLenEnum valueOf(byte id) {
+            for (MaxFragLenEnum mfl : MaxFragLenEnum.values()) {
+                if (mfl.id == id) {
+                    return mfl;
+                }
+            }
+
+            return null;
+        }
+
+        private static String nameOf(byte id) {
+            for (MaxFragLenEnum mfl : MaxFragLenEnum.values()) {
+                if (mfl.id == id) {
+                    return mfl.description;
+                }
+            }
+
+            return "UNDEFINED-MAX-FRAGMENT-LENGTH(" + id + ")";
+        }
+
+        /**
+         * Returns the best match enum constant of the specified
+         * fragment size.
+         */
+        static MaxFragLenEnum valueOf(int fragmentSize) {
+            if (fragmentSize <= 0) {
+                return null;
+            } else if (fragmentSize < 1024) {
+                return MFL_512;
+            } else if (fragmentSize < 2048) {
+                return MFL_1024;
+            } else if (fragmentSize < 4096) {
+                return MFL_2048;
+            } else if (fragmentSize == 4096) {
+                return MFL_4096;
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data producer of a "max_fragment_length" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHMaxFragmentLengthProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHMaxFragmentLengthProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_MAX_FRAGMENT_LENGTH)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable max_fragment_length extension");
+                }
+                return null;
+            }
+
+            // Produce the extension and update the context.
+            int requestedMFLength;
+            if (chc.isResumption && (chc.resumingSession != null)) {
+                // The same extension should be sent for resumption.
+                requestedMFLength =
+                    chc.resumingSession.getNegotiatedMaxFragSize();
+            } else if (chc.sslConfig.maximumPacketSize != 0) {
+                // Maybe we can calculate the fragment size more accurate
+                // by condering the enabled cipher suites in the future.
+                requestedMFLength = chc.sslConfig.maximumPacketSize;
+                if (chc.sslContext.isDTLS()) {
+                    requestedMFLength -= DTLSRecord.maxPlaintextPlusSize;
+                } else {
+                    requestedMFLength -= SSLRecord.maxPlaintextPlusSize;
+                }
+            } else {
+                // Need no max_fragment_length extension.
+                requestedMFLength = -1;
+            }
+
+            MaxFragLenEnum mfl = MaxFragLenEnum.valueOf(requestedMFLength);
+            if (mfl != null) {
+                // update the context.
+                chc.handshakeExtensions.put(
+                        CH_MAX_FRAGMENT_LENGTH, new MaxFragLenSpec(mfl.id));
+
+                return new byte[] { mfl.id };
+            } else {
+                // log and ignore, no MFL extension.
+                chc.maxFragmentLength = -1;
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "No available max_fragment_length extension can " +
+                        "be used for fragment size of " +
+                        requestedMFLength + "bytes");
+                }
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data consumer of a "max_fragment_length" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHMaxFragmentLengthConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHMaxFragmentLengthConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            if (!shc.sslConfig.isAvailable(CH_MAX_FRAGMENT_LENGTH)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable max_fragment_length extension");
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            MaxFragLenSpec spec;
+            try {
+                spec = new MaxFragLenSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
+            if (mfle == null) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "the requested maximum fragment length is other " +
+                    "than the allowed values");
+            }
+
+            // Update the context.
+            shc.maxFragmentLength = mfle.fragmentSize;
+            shc.handshakeExtensions.put(CH_MAX_FRAGMENT_LENGTH, spec);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * Network data producer of a "max_fragment_length" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHMaxFragmentLengthProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHMaxFragmentLengthProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to "max_fragment_length" extension request only
+            MaxFragLenSpec spec = (MaxFragLenSpec)
+                    shc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
+            if (spec == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable max_fragment_length extension");
+                }
+                return null;        // ignore the extension
+            }
+
+            if ((shc.maxFragmentLength > 0) &&
+                    (shc.sslConfig.maximumPacketSize != 0)) {
+                int estimatedMaxFragSize =
+                        shc.negotiatedCipherSuite.calculatePacketSize(
+                                shc.maxFragmentLength, shc.negotiatedProtocol,
+                                shc.sslContext.isDTLS());
+                if (estimatedMaxFragSize > shc.sslConfig.maximumPacketSize) {
+                    // For better interoperability, abort the maximum
+                    // fragment length negotiation, rather than terminate
+                    // the connection with a fatal alert.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "Abort the maximum fragment length negotiation, " +
+                            "may overflow the maximum packet size limit.");
+                    }
+                    shc.maxFragmentLength = -1;
+                }
+            }
+
+            // update the context
+            if (shc.maxFragmentLength > 0) {
+                shc.handshakeSession.setNegotiatedMaxFragSize(
+                        shc.maxFragmentLength);
+                shc.conContext.inputRecord.changeFragmentSize(
+                        shc.maxFragmentLength);
+                shc.conContext.outputRecord.changeFragmentSize(
+                        shc.maxFragmentLength);
+
+                // The response extension data is the same as the requested one.
+                shc.handshakeExtensions.put(SH_MAX_FRAGMENT_LENGTH, spec);
+                return new byte[] { spec.id };
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data consumer of a "max_fragment_length" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHMaxFragmentLengthConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHMaxFragmentLengthConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "max_fragment_length" extension request only
+            MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
+                    chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
+            if (requestedSpec == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected max_fragment_length extension in ServerHello");
+            }
+
+            // Parse the extension.
+            MaxFragLenSpec spec;
+            try {
+                spec = new MaxFragLenSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (spec.id != requestedSpec.id) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "The maximum fragment length response is not requested");
+            }
+
+            MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
+            if (mfle == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "the requested maximum fragment length is other " +
+                    "than the allowed values");
+            }
+
+            // update the context
+            chc.maxFragmentLength = mfle.fragmentSize;
+            chc.handshakeExtensions.put(SH_MAX_FRAGMENT_LENGTH, spec);
+        }
+    }
+
+    /**
+     * After session creation consuming of a "max_fragment_length"
+     * extension in the ClientHello handshake message.
+     */
+    private static final class SHMaxFragmentLengthUpdate
+            implements HandshakeConsumer {
+
+        // Prevent instantiation of this class.
+        private SHMaxFragmentLengthUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            MaxFragLenSpec spec = (MaxFragLenSpec)
+                    chc.handshakeExtensions.get(SH_MAX_FRAGMENT_LENGTH);
+            if (spec == null) {
+                // Ignore, no "max_fragment_length" extension response.
+                return;
+            }
+
+            if ((chc.maxFragmentLength > 0) &&
+                    (chc.sslConfig.maximumPacketSize != 0)) {
+                int estimatedMaxFragSize =
+                        chc.negotiatedCipherSuite.calculatePacketSize(
+                                chc.maxFragmentLength, chc.negotiatedProtocol,
+                                chc.sslContext.isDTLS());
+                if (estimatedMaxFragSize > chc.sslConfig.maximumPacketSize) {
+                    // For better interoperability, abort the maximum
+                    // fragment length negotiation, rather than terminate
+                    // the connection with a fatal alert.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "Abort the maximum fragment length negotiation, " +
+                            "may overflow the maximum packet size limit.");
+                    }
+                    chc.maxFragmentLength = -1;
+                }
+            }
+
+            // update the context
+            if (chc.maxFragmentLength > 0) {
+                chc.handshakeSession.setNegotiatedMaxFragSize(
+                        chc.maxFragmentLength);
+                chc.conContext.inputRecord.changeFragmentSize(
+                        chc.maxFragmentLength);
+                chc.conContext.outputRecord.changeFragmentSize(
+                        chc.maxFragmentLength);
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "max_fragment_length" extension in
+     * the EncryptedExtensions handshake message.
+     */
+    private static final
+            class EEMaxFragmentLengthProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private EEMaxFragmentLengthProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to "max_fragment_length" extension request only
+            MaxFragLenSpec spec = (MaxFragLenSpec)
+                    shc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
+            if (spec == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable max_fragment_length extension");
+                }
+                return null;        // ignore the extension
+            }
+
+            if ((shc.maxFragmentLength > 0) &&
+                    (shc.sslConfig.maximumPacketSize != 0)) {
+                int estimatedMaxFragSize =
+                        shc.negotiatedCipherSuite.calculatePacketSize(
+                                shc.maxFragmentLength, shc.negotiatedProtocol,
+                                shc.sslContext.isDTLS());
+                if (estimatedMaxFragSize > shc.sslConfig.maximumPacketSize) {
+                    // For better interoperability, abort the maximum
+                    // fragment length negotiation, rather than terminate
+                    // the connection with a fatal alert.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "Abort the maximum fragment length negotiation, " +
+                            "may overflow the maximum packet size limit.");
+                    }
+                    shc.maxFragmentLength = -1;
+                }
+            }
+
+            // update the context
+            if (shc.maxFragmentLength > 0) {
+                shc.handshakeSession.setNegotiatedMaxFragSize(
+                        shc.maxFragmentLength);
+                shc.conContext.inputRecord.changeFragmentSize(
+                        shc.maxFragmentLength);
+                shc.conContext.outputRecord.changeFragmentSize(
+                        shc.maxFragmentLength);
+
+                // The response extension data is the same as the requested one.
+                shc.handshakeExtensions.put(EE_MAX_FRAGMENT_LENGTH, spec);
+                return new byte[] { spec.id };
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data consumer of a "max_fragment_length" extension in the
+     * EncryptedExtensions handshake message.
+     */
+    private static final
+            class EEMaxFragmentLengthConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private EEMaxFragmentLengthConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to "max_fragment_length" extension request only
+            MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
+                    chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
+            if (requestedSpec == null) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "Unexpected max_fragment_length extension in ServerHello");
+            }
+
+            // Parse the extension.
+            MaxFragLenSpec spec;
+            try {
+                spec = new MaxFragLenSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (spec.id != requestedSpec.id) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "The maximum fragment length response is not requested");
+            }
+
+            MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
+            if (mfle == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "the requested maximum fragment length is other " +
+                    "than the allowed values");
+            }
+
+            // update the context
+            chc.maxFragmentLength = mfle.fragmentSize;
+            chc.handshakeExtensions.put(EE_MAX_FRAGMENT_LENGTH, spec);
+        }
+    }
+
+    /**
+     * After session creation consuming of a "max_fragment_length"
+     * extension in the EncryptedExtensions handshake message.
+     */
+    private static final
+            class EEMaxFragmentLengthUpdate implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private EEMaxFragmentLengthUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            MaxFragLenSpec spec = (MaxFragLenSpec)
+                    chc.handshakeExtensions.get(EE_MAX_FRAGMENT_LENGTH);
+            if (spec == null) {
+                // Ignore, no "max_fragment_length" extension response.
+                return;
+            }
+
+            if ((chc.maxFragmentLength > 0) &&
+                    (chc.sslConfig.maximumPacketSize != 0)) {
+                int estimatedMaxFragSize =
+                        chc.negotiatedCipherSuite.calculatePacketSize(
+                                chc.maxFragmentLength, chc.negotiatedProtocol,
+                                chc.sslContext.isDTLS());
+                if (estimatedMaxFragSize > chc.sslConfig.maximumPacketSize) {
+                    // For better interoperability, abort the maximum
+                    // fragment length negotiation, rather than terminate
+                    // the connection with a fatal alert.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                            "Abort the maximum fragment length negotiation, " +
+                            "may overflow the maximum packet size limit.");
+                    }
+                    chc.maxFragmentLength = -1;
+                }
+            }
+
+            // update the context
+            if (chc.maxFragmentLength > 0) {
+                chc.handshakeSession.setNegotiatedMaxFragSize(
+                        chc.maxFragmentLength);
+                chc.conContext.inputRecord.changeFragmentSize(
+                        chc.maxFragmentLength);
+                chc.conContext.outputRecord.changeFragmentSize(
+                        chc.maxFragmentLength);
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java	2018-05-11 15:09:33.379472200 -0700
@@ -0,0 +1,337 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.ProviderException;
+import java.security.SecureRandom;
+import java.text.MessageFormat;
+import java.util.Locale;
+import java.util.Optional;
+import javax.crypto.SecretKey;
+import javax.net.ssl.SSLHandshakeException;
+
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the NewSessionTicket handshake message.
+ */
+final class NewSessionTicket {
+
+    private static final int SEVEN_DAYS_IN_SECONDS = 604800;
+
+    static final SSLConsumer handshakeConsumer =
+        new NewSessionTicketConsumer();
+    static final SSLProducer kickstartProducer =
+        new NewSessionTicketKickstartProducer();
+    static final HandshakeProducer handshakeProducer =
+        new NewSessionTicketProducer();
+
+    /**
+     * The NewSessionTicketMessage handshake message.
+     */
+    static final class NewSessionTicketMessage extends HandshakeMessage {
+        final int ticketLifetime;
+        final int ticketAgeAdd;
+        final byte[] ticketNonce;
+        final byte[] ticket;
+        final SSLExtensions extensions;
+
+        NewSessionTicketMessage(HandshakeContext context,
+                int ticketLifetime, SecureRandom generator,
+                byte[] ticketNonce, byte[] ticket) {
+            super(context);
+
+            this.ticketLifetime = ticketLifetime;
+            this.ticketAgeAdd = generator.nextInt();
+            this.ticketNonce = ticketNonce;
+            this.ticket = ticket;
+            this.extensions = new SSLExtensions(this);
+        }
+
+        NewSessionTicketMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+
+            this.ticketLifetime = Record.getInt32(m);
+            this.ticketAgeAdd = Record.getInt32(m);
+            this.ticketNonce = Record.getBytes8(m);
+            this.ticket = Record.getBytes16(m);
+            if (this.ticket.length == 0) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                "Ticket has length 0");
+            }
+
+            SSLExtension[] supportedExtensions =
+                context.sslConfig.getEnabledExtensions(
+                SSLHandshake.NEW_SESSION_TICKET);
+
+            if (m.hasRemaining()) {
+                this.extensions =
+                    new SSLExtensions(this, m, supportedExtensions);
+            } else {
+                this.extensions = new SSLExtensions(this);
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.NEW_SESSION_TICKET;
+        }
+
+        @Override
+        public int messageLength() {
+            return 8 + ticketNonce.length + 1 + ticket.length
+                + 2 + extensions.length();
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putInt32(ticketLifetime);
+            hos.putInt32(ticketAgeAdd);
+            hos.putBytes8(ticketNonce);
+            hos.putBytes16(ticket);
+            extensions.send(hos);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"NewSessionTicket\": '{'\n" +
+                "  \"ticket_lifetime\"      : \"{0}\",\n" +
+                "  \"ticket_age_add\"       : \"{1}\",\n" +
+                "  \"ticket_nonce\"         : \"{2}\",\n" +
+                "  \"ticket\"               : \"{3}\",\n" +
+                "  \"extensions\"           : [\n" +
+                "{5}\n" +
+                "  ]\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            Object[] messageFields = {
+                ticketLifetime,
+                "omitted", //ticketAgeAdd should not be logged
+                Utilities.toHexString(ticketNonce),
+                Utilities.toHexString(ticket),
+                Utilities.indent(extensions.toString(), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    private static SecretKey derivePreSharedKey(CipherSuite.HashAlg hashAlg,
+                                                SecretKey resumptionMasterSecret,
+                                                byte[] nonce) throws IOException {
+
+        try {
+            HKDF hkdf = new HKDF(hashAlg.name);
+            byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(
+                "tls13 resumption".getBytes(), nonce, hashAlg.hashLength);
+            return hkdf.expand(resumptionMasterSecret, hkdfInfo,
+                hashAlg.hashLength, "TlsPreSharedKey");
+
+        } catch  (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                "Could not derive PSK").initCause(gse);
+        }
+    }
+
+    private static final
+    class NewSessionTicketKickstartProducer implements SSLProducer {
+
+        @Override
+        public byte[] produce(ConnectionContext context) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            if (shc.pskKeyExchangeModes.isEmpty()) {
+                // client doesn't support PSK
+                return null;
+            }
+            if (!shc.handshakeSession.isRejoinable()) {
+                return null;
+            }
+
+            // get a new session ID
+            SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
+                shc.sslContext.engineGetServerSessionContext();
+            SessionId newId = new SessionId(true,
+                shc.sslContext.getSecureRandom());
+
+            Optional<SecretKey> resumptionMasterSecret =
+                shc.handshakeSession.getResumptionMasterSecret();
+            if (!resumptionMasterSecret.isPresent()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Session has no resumption secret. No ticket sent.");
+                }
+                return null;
+            }
+
+            // construct the PSK and handshake message
+            BigInteger nonce = shc.handshakeSession.incrTicketNonceCounter();
+            byte[] nonceArr = nonce.toByteArray();
+            SecretKey psk = derivePreSharedKey(shc.negotiatedCipherSuite.hashAlg,
+                resumptionMasterSecret.get(), nonceArr);
+
+            int sessionTimeoutSeconds = sessionCache.getSessionTimeout();
+            if (sessionTimeoutSeconds > SEVEN_DAYS_IN_SECONDS) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Session timeout is too long. No NewSessionTicket sent.");
+                }
+                return null;
+            }
+            NewSessionTicketMessage nstm = new NewSessionTicketMessage(shc,
+                sessionTimeoutSeconds, shc.sslContext.getSecureRandom(),
+                nonceArr, newId.getId());
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced NewSessionTicket handshake message", nstm);
+            }
+
+            // cache the new session
+            SSLSessionImpl sessionCopy = new SSLSessionImpl(shc,
+                shc.handshakeSession.getSuite(), newId,
+                shc.handshakeSession.getCreationTime());
+            sessionCopy.setPreSharedKey(psk);
+            sessionCopy.setPskIdentity(newId.getId());
+            sessionCopy.setTicketAgeAdd(nstm.ticketAgeAdd);
+            sessionCache.put(sessionCopy);
+
+            // Output the handshake message.
+            nstm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "NewSessionTicket" handshake message producer.
+     */
+    private static final class NewSessionTicketProducer
+            implements HandshakeProducer {
+
+        // Prevent instantiation of this class.
+        private NewSessionTicketProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+
+            // NSTM may be sent in response to handshake messages.
+            // For example: key update
+
+            throw new ProviderException(
+                "NewSessionTicket handshake producer not implemented");
+        }
+    }
+
+
+
+    private static final
+            class NewSessionTicketConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private NewSessionTicketConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                            ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            NewSessionTicketMessage nstm = new NewSessionTicketMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Consuming NewSessionTicket message", nstm);
+            }
+
+            // discard tickets with timeout 0
+            if (nstm.ticketLifetime <= 0 ||
+                nstm.ticketLifetime > SEVEN_DAYS_IN_SECONDS) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Discarding NewSessionTicket with lifetime "
+                        + nstm.ticketLifetime, nstm);
+                }
+                return;
+            }
+
+            SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
+                chc.sslContext.engineGetClientSessionContext();
+
+            if (sessionCache.getSessionTimeout() > SEVEN_DAYS_IN_SECONDS) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Session cache lifetime is too long. Discarding ticket.");
+                }
+                return;
+            }
+
+            SSLSessionImpl sessionToSave = chc.conContext.conSession;
+
+            Optional<SecretKey> resumptionMasterSecret =
+                sessionToSave.getResumptionMasterSecret();
+            if (!resumptionMasterSecret.isPresent()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Session has no resumption master secret. Ignoring ticket.");
+                }
+                return;
+            }
+
+            // derive the PSK
+            SecretKey psk = derivePreSharedKey(
+                sessionToSave.getSuite().hashAlg, resumptionMasterSecret.get(),
+                nstm.ticketNonce);
+
+            // create the new session from the context
+            chc.negotiatedProtocol = chc.conContext.protocolVersion;
+            SessionId newId =
+                new SessionId(true, chc.sslContext.getSecureRandom());
+            SSLSessionImpl sessionCopy =
+                new SSLSessionImpl(chc, sessionToSave.getSuite(), newId,
+                sessionToSave.getCreationTime());
+            sessionCopy.setPreSharedKey(psk);
+            sessionCopy.setTicketAgeAdd(nstm.ticketAgeAdd);
+            sessionCopy.setPskIdentity(nstm.ticket);
+            sessionCache.put(sessionCopy);
+
+            // The handshakeContext is no longer needed
+            chc.conContext.handshakeContext = null;
+        }
+    }
+
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java	2018-05-11 15:09:34.986572600 -0700
@@ -0,0 +1,43 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+
+/**
+ * A clean implementation of HandshakeContext for post-handshake messages
+ */
+
+public class PostHandshakeContext extends HandshakeContext {
+
+    PostHandshakeContext(TransportContext context) throws IOException {
+        super(context.sslContext, context);
+    }
+
+    @Override
+    void kickstart() throws IOException {
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java	2018-05-11 15:09:36.566681000 -0700
@@ -0,0 +1,743 @@
+/*
+ * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.*;
+import java.text.MessageFormat;
+import java.util.Map;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Locale;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Optional;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+import javax.crypto.Mac;
+import javax.crypto.SecretKey;
+
+import static sun.security.ssl.SSLExtension.*;
+
+/**
+ * Pack of the "pre_shared_key" extension.
+ */
+final class PreSharedKeyExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHPreSharedKeyProducer();
+    static final ExtensionConsumer chOnLoadConsumer =
+            new CHPreSharedKeyConsumer();
+    static final HandshakeAbsence chOnLoadAbsence =
+            new CHPreSharedKeyAbsence();
+    static final HandshakeConsumer chOnTradeConsumer=
+            new CHPreSharedKeyUpdate();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHPreSharedKeyProducer();
+    static final ExtensionConsumer shOnLoadConsumer =
+            new SHPreSharedKeyConsumer();
+    static final HandshakeAbsence shOnLoadAbsence =
+            new SHPreSharedKeyAbsence();
+
+    static final class PskIdentity {
+        final byte[] identity;
+        final int obfuscatedAge;
+
+        public PskIdentity(byte[] identity, int obfuscatedAge) {
+            this.identity = identity;
+            this.obfuscatedAge = obfuscatedAge;
+        }
+
+        public PskIdentity(ByteBuffer m)
+            throws IllegalParameterException, IOException {
+
+            identity = Record.getBytes16(m);
+            if (identity.length == 0) {
+                throw new IllegalParameterException("identity has length 0");
+            }
+            obfuscatedAge = Record.getInt32(m);
+        }
+
+        int getEncodedLength() {
+            return 2 + identity.length + 4;
+        }
+
+        public void writeEncoded(ByteBuffer m) throws IOException {
+            Record.putBytes16(m, identity);
+            Record.putInt32(m, obfuscatedAge);
+        }
+        @Override
+        public String toString() {
+            return "{" + Utilities.toHexString(identity) + "," +
+                obfuscatedAge + "}";
+        }
+    }
+
+    static final class CHPreSharedKeySpec implements SSLExtensionSpec {
+        final List<PskIdentity> identities;
+        final List<byte[]> binders;
+
+        CHPreSharedKeySpec(List<PskIdentity> identities, List<byte[]> binders) {
+            this.identities = identities;
+            this.binders = binders;
+        }
+
+        CHPreSharedKeySpec(ByteBuffer m)
+            throws IllegalParameterException, IOException {
+
+            identities = new ArrayList<>();
+            int idEncodedLength = Record.getInt16(m);
+            int idReadLength = 0;
+            while (idReadLength < idEncodedLength) {
+                PskIdentity id = new PskIdentity(m);
+                identities.add(id);
+                idReadLength += id.getEncodedLength();
+            }
+
+            binders = new ArrayList<>();
+            int bindersEncodedLength = Record.getInt16(m);
+            int bindersReadLength = 0;
+            while (bindersReadLength < bindersEncodedLength) {
+                byte[] binder = Record.getBytes8(m);
+                if (binder.length < 32) {
+                    throw new IllegalParameterException(
+                        "binder has length < 32");
+                }
+                binders.add(binder);
+                bindersReadLength += 1 + binder.length;
+            }
+        }
+
+        int getIdsEncodedLength() {
+            int idEncodedLength = 0;
+            for(PskIdentity curId : identities) {
+                idEncodedLength += curId.getEncodedLength();
+            }
+            return idEncodedLength;
+        }
+
+        int getBindersEncodedLength() {
+            return getBindersEncodedLength(binders);
+        }
+        static int getBindersEncodedLength(Iterable<byte[]> binders) {
+            int binderEncodedLength = 0;
+            for (byte[] curBinder : binders) {
+                binderEncodedLength += 1 + curBinder.length;
+            }
+            return binderEncodedLength;
+        }
+
+        byte[] getEncoded() throws IOException {
+
+            int idsEncodedLength = getIdsEncodedLength();
+            int bindersEncodedLength = getBindersEncodedLength();
+            int encodedLength = 4 + idsEncodedLength + bindersEncodedLength;
+            byte[] buffer = new byte[encodedLength];
+            ByteBuffer m = ByteBuffer.wrap(buffer);
+            Record.putInt16(m, idsEncodedLength);
+            for(PskIdentity curId : identities) {
+                curId.writeEncoded(m);
+            }
+            Record.putInt16(m, bindersEncodedLength);
+            for (byte[] curBinder : binders) {
+                Record.putBytes8(m, curBinder);
+            }
+
+            return buffer;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"PreSharedKey\": '{'\n" +
+                "  \"identities\"      : \"{0}\",\n" +
+                "  \"binders\"       : \"{1}\",\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            Object[] messageFields = {
+                Utilities.indent(identitiesString()),
+                Utilities.indent(bindersString())
+            };
+
+            return messageFormat.format(messageFields);
+        }
+
+        String identitiesString() {
+            StringBuilder result = new StringBuilder();
+            for(PskIdentity curId : identities) {
+                result.append(curId.toString() + "\n");
+            }
+
+            return result.toString();
+        }
+
+        String bindersString() {
+            StringBuilder result = new StringBuilder();
+            for(byte[] curBinder : binders) {
+                result.append("{" + Utilities.toHexString(curBinder) + "}\n");
+            }
+
+            return result.toString();
+        }
+    }
+
+    static final class SHPreSharedKeySpec implements SSLExtensionSpec {
+        final int selectedIdentity;
+
+        SHPreSharedKeySpec(int selectedIdentity) {
+            this.selectedIdentity = selectedIdentity;
+        }
+
+        SHPreSharedKeySpec(ByteBuffer m) throws IOException {
+            this.selectedIdentity = Record.getInt16(m);
+        }
+
+        byte[] getEncoded() throws IOException {
+
+            byte[] buffer = new byte[2];
+            ByteBuffer m = ByteBuffer.wrap(buffer);
+            Record.putInt16(m, selectedIdentity);
+
+            return buffer;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"PreSharedKey\": '{'\n" +
+                "  \"selected_identity\"      : \"{0}\",\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            Object[] messageFields = {
+                selectedIdentity
+            };
+
+            return messageFormat.format(messageFields);
+        }
+
+    }
+
+
+    private static class IllegalParameterException extends Exception {
+
+        private static final long serialVersionUID = 0;
+
+        private final String message;
+
+        private IllegalParameterException(String message) {
+            this.message = message;
+        }
+    }
+
+    private static final class CHPreSharedKeyConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHPreSharedKeyConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                            HandshakeMessage message,
+                            ByteBuffer buffer) throws IOException {
+
+            ServerHandshakeContext shc = (ServerHandshakeContext) message.handshakeContext;
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SSLExtension.CH_PRE_SHARED_KEY)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Ignore unavailable pre_shared_key extension");
+                }
+                return;     // ignore the extension
+            }
+
+            CHPreSharedKeySpec pskSpec = null;
+            try {
+                pskSpec = new CHPreSharedKeySpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            } catch (IllegalParameterException ex) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex.message);
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Received PSK extension: ", pskSpec);
+            }
+
+            if (shc.pskKeyExchangeModes.isEmpty()) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                "Client sent PSK but does not support PSK modes");
+            }
+
+            // error if id and binder lists are not the same length
+            if (pskSpec.identities.size() != pskSpec.binders.size()) {
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                "PSK extension has incorrect number of binders");
+            }
+
+            shc.handshakeExtensions.put(SSLExtension.CH_PRE_SHARED_KEY, pskSpec);
+
+            SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
+            message.handshakeContext.sslContext.engineGetServerSessionContext();
+
+            // The session to resume will be decided below.
+            // It could have been set by previous actions (e.g. PSK received
+            // earlier), and it must be recalculated.
+            shc.isResumption = false;
+            shc.resumingSession = null;
+
+            int idIndex = 0;
+            for (PskIdentity requestedId : pskSpec.identities) {
+                SSLSessionImpl s = sessionCache.get(requestedId.identity);
+                if (s != null && s.getPreSharedKey().isPresent()) {
+                    resumeSession(shc, s, idIndex);
+                    break;
+                }
+
+                ++idIndex;
+            }
+        }
+    }
+
+    private static final class CHPreSharedKeyUpdate implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private CHPreSharedKeyUpdate() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                            HandshakeMessage message) throws IOException {
+
+            ServerHandshakeContext shc = (ServerHandshakeContext) message.handshakeContext;
+
+            if (!shc.isResumption || shc.resumingSession == null) {
+                // not resuming---nothing to do
+                return;
+            }
+
+            CHPreSharedKeySpec chPsk = (CHPreSharedKeySpec)shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
+            SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
+
+            if (chPsk == null || shPsk == null) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                "Required extensions are unavailable");
+            }
+
+            byte[] binder = chPsk.binders.get(shPsk.selectedIdentity);
+
+            // set up PSK binder hash
+            HandshakeHash pskBinderHash = shc.handshakeHash.copy();
+            byte[] lastMessage = pskBinderHash.removeLastReceived();
+            ByteBuffer messageBuf = ByteBuffer.wrap(lastMessage);
+            // skip the type and length
+            messageBuf.position(4);
+            // read to find the beginning of the binders
+            ClientHello.ClientHelloMessage.readPartial(shc.conContext, messageBuf);
+            int length = messageBuf.position();
+            messageBuf.position(0);
+            pskBinderHash.receive(messageBuf, length);
+
+            checkBinder(shc, shc.resumingSession, pskBinderHash, binder);
+
+            SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
+                message.handshakeContext.sslContext.engineGetServerSessionContext();
+        }
+    }
+
+    private static void resumeSession(ServerHandshakeContext shc,
+                                      SSLSessionImpl session,
+                                      int index)
+        throws IOException {
+
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+            SSLLogger.fine(
+            "Resuming session: ", session);
+        }
+
+        // binder will be checked later
+
+        shc.isResumption = true;
+        shc.resumingSession = session;
+
+        SHPreSharedKeySpec pskMsg = new SHPreSharedKeySpec(index);
+        shc.handshakeExtensions.put(SH_PRE_SHARED_KEY, pskMsg);
+    }
+
+    private static void checkBinder(ServerHandshakeContext shc, SSLSessionImpl session,
+                                    HandshakeHash pskBinderHash, byte[] binder) throws IOException {
+
+        Optional<SecretKey> pskOpt = session.getPreSharedKey();
+        if (!pskOpt.isPresent()) {
+            shc.conContext.fatal(Alert.INTERNAL_ERROR,
+            "Session has no PSK");
+        }
+        SecretKey psk = pskOpt.get();
+
+        SecretKey binderKey = deriveBinderKey(psk, session);
+        byte[] computedBinder = computeBinder(binderKey, session, pskBinderHash);
+        if (!Arrays.equals(binder, computedBinder)) {
+            shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+            "Incorect PSK binder value");
+        }
+    }
+
+    // Class that produces partial messages used to compute binder hash
+    static final class PartialClientHelloMessage extends HandshakeMessage {
+
+        private final ClientHello.ClientHelloMessage msg;
+        private final CHPreSharedKeySpec psk;
+
+        PartialClientHelloMessage(HandshakeContext ctx,
+                                  ClientHello.ClientHelloMessage msg,
+                                  CHPreSharedKeySpec psk) {
+            super(ctx);
+
+            this.msg = msg;
+            this.psk = psk;
+        }
+
+        @Override
+        SSLHandshake handshakeType() {
+            return msg.handshakeType();
+        }
+
+        private int pskTotalLength() {
+            return psk.getIdsEncodedLength() +
+                psk.getBindersEncodedLength() + 8;
+        }
+
+        @Override
+        int messageLength() {
+
+            if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) != null) {
+                return msg.messageLength();
+            } else {
+                return msg.messageLength() + pskTotalLength();
+            }
+        }
+
+        @Override
+        void send(HandshakeOutStream hos) throws IOException {
+            msg.sendCore(hos);
+
+            // complete extensions
+            int extsLen = msg.extensions.length();
+            if (msg.extensions.get(SSLExtension.CH_PRE_SHARED_KEY) == null) {
+                extsLen += pskTotalLength();
+            }
+            hos.putInt16(extsLen - 2);
+            // write the complete extensions
+            for (SSLExtension ext : SSLExtension.values()) {
+                byte[] extData = msg.extensions.get(ext);
+                if (extData == null) {
+                    continue;
+                }
+                // the PSK could be there from an earlier round
+                if (ext == SSLExtension.CH_PRE_SHARED_KEY) {
+                    continue;
+                }
+                System.err.println("partial CH extension: " + ext.name());
+                int extID = ext.id;
+                hos.putInt16(extID);
+                hos.putBytes16(extData);
+            }
+
+            // partial PSK extension
+            int extID = SSLExtension.CH_PRE_SHARED_KEY.id;
+            hos.putInt16(extID);
+            byte[] encodedPsk = psk.getEncoded();
+            hos.putInt16(encodedPsk.length);
+            hos.write(encodedPsk, 0, psk.getIdsEncodedLength() + 2);
+        }
+    }
+
+    private static final class CHPreSharedKeyProducer implements HandshakeProducer {
+
+        // Prevent instantiation of this class.
+        private CHPreSharedKeyProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            if (!chc.isResumption || chc.resumingSession == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "No session to resume.");
+                }
+                return null;
+            }
+
+            Optional<SecretKey> pskOpt = chc.resumingSession.getPreSharedKey();
+            if (!pskOpt.isPresent()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "Existing session has no PSK.");
+                }
+                return null;
+            }
+            SecretKey psk = pskOpt.get();
+            Optional<byte[]> pskIdOpt = chc.resumingSession.getPskIdentity();
+            if (!pskIdOpt.isPresent()) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                    "PSK has no identity, or identity was already used");
+                }
+                return null;
+            }
+            byte[] pskId = pskIdOpt.get();
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Found resumable session. Preparing PSK message.");
+            }
+
+            List<PskIdentity> identities = new ArrayList<>();
+            int ageMillis = (int)(System.currentTimeMillis() - chc.resumingSession.getTicketCreationTime());
+            int obfuscatedAge = ageMillis + chc.resumingSession.getTicketAgeAdd();
+            identities.add(new PskIdentity(pskId, obfuscatedAge));
+
+            SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession);
+            ClientHello.ClientHelloMessage clientHello = (ClientHello.ClientHelloMessage) message;
+            CHPreSharedKeySpec pskPrototype = createPskPrototype(chc.resumingSession.getSuite().hashAlg.hashLength, identities);
+            HandshakeHash pskBinderHash = chc.handshakeHash.copy();
+
+            byte[] binder = computeBinder(binderKey, pskBinderHash, chc.resumingSession, chc, clientHello, pskPrototype);
+
+            List<byte[]> binders = new ArrayList<>();
+            binders.add(binder);
+
+            CHPreSharedKeySpec pskMessage = new CHPreSharedKeySpec(identities, binders);
+            chc.handshakeExtensions.put(CH_PRE_SHARED_KEY, pskMessage);
+            return pskMessage.getEncoded();
+        }
+
+        private CHPreSharedKeySpec createPskPrototype(int hashLength, List<PskIdentity> identities) {
+            List<byte[]> binders = new ArrayList<>();
+            byte[] binderProto = new byte[hashLength];
+            for (PskIdentity curId : identities) {
+                binders.add(binderProto);
+            }
+
+            return new CHPreSharedKeySpec(identities, binders);
+        }
+    }
+
+    private static byte[] computeBinder(SecretKey binderKey, SSLSessionImpl session, HandshakeHash pskBinderHash) throws IOException {
+
+        pskBinderHash.determine(session.getProtocolVersion(), session.getSuite());
+        pskBinderHash.update();
+        byte[] digest = pskBinderHash.digest();
+
+        return computeBinder(binderKey, session, digest);
+    }
+
+    private static byte[] computeBinder(SecretKey binderKey, HandshakeHash hash, SSLSessionImpl session,
+                                        HandshakeContext ctx, ClientHello.ClientHelloMessage hello,
+                                        CHPreSharedKeySpec pskPrototype) throws IOException {
+
+        PartialClientHelloMessage partialMsg = new PartialClientHelloMessage(ctx, hello, pskPrototype);
+
+        SSLEngineOutputRecord record = new SSLEngineOutputRecord(hash);
+        HandshakeOutStream hos = new HandshakeOutStream(record);
+        partialMsg.write(hos);
+
+        hash.determine(session.getProtocolVersion(), session.getSuite());
+        hash.update();
+        byte[] digest = hash.digest();
+
+        return computeBinder(binderKey, session, digest);
+    }
+
+    private static byte[] computeBinder(SecretKey binderKey, SSLSessionImpl session,
+                                        byte[] digest) throws IOException {
+
+        try {
+            CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
+            HKDF hkdf = new HKDF(hashAlg.name);
+            byte[] label = ("tls13 finished").getBytes();
+            byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(label, new byte[0], hashAlg.hashLength);
+            SecretKey finishedKey = hkdf.expand(binderKey, hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
+
+            String hmacAlg =
+                "Hmac" + hashAlg.name.replace("-", "");
+            try {
+                Mac hmac = JsseJce.getMac(hmacAlg);
+                hmac.init(finishedKey);
+                return hmac.doFinal(digest);
+            } catch (NoSuchAlgorithmException | InvalidKeyException ex) {
+                throw new IOException(ex);
+            }
+        } catch(GeneralSecurityException ex) {
+            throw new IOException(ex);
+        }
+    }
+
+    private static SecretKey deriveBinderKey(SecretKey psk,
+                                             SSLSessionImpl session)
+        throws IOException {
+
+        try {
+            CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
+            HKDF hkdf = new HKDF(hashAlg.name);
+            byte[] zeros = new byte[hashAlg.hashLength];
+            SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret");
+
+            byte[] label = ("tls13 res binder").getBytes();
+            MessageDigest md = MessageDigest.getInstance(hashAlg.toString());;
+            byte[] hkdfInfo = SSLSecretDerivation.createHkdfInfo(
+                label, md.digest(new byte[0]), hashAlg.hashLength);
+            return hkdf.expand(earlySecret, hkdfInfo, hashAlg.hashLength,
+                "TlsBinderKey");
+
+        } catch (GeneralSecurityException ex) {
+            throw new IOException(ex);
+        }
+    }
+
+    private static final class CHPreSharedKeyAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                           HandshakeMessage message) throws IOException {
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Handling pre_shared_key absence.");
+            }
+
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Resumption is only determined by PSK, when enabled
+            shc.resumingSession = null;
+            shc.isResumption = false;
+        }
+    }
+
+    private static final class SHPreSharedKeyConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHPreSharedKeyConsumer() {
+
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            ClientHandshakeContext chc = (ClientHandshakeContext) message.handshakeContext;
+
+            SHPreSharedKeySpec shPsk = new SHPreSharedKeySpec(buffer);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Received pre_shared_key extension: ", shPsk);
+            }
+
+            if (!chc.handshakeExtensions.containsKey(SSLExtension.CH_PRE_SHARED_KEY)) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                "Server sent unexpected pre_shared_key extension");
+            }
+
+            // The PSK identity should not be reused, even if it is
+            // not selected.
+            chc.resumingSession.consumePskIdentity();
+
+            if (shPsk.selectedIdentity != 0) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                "Selected identity index is not in correct range.");
+            }
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Resuming session: ", chc.resumingSession);
+            }
+
+            // remove the session from the cache
+            SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
+                chc.sslContext.engineGetClientSessionContext();
+            sessionCache.remove(chc.resumingSession.getSessionId());
+        }
+    }
+
+    private static final class SHPreSharedKeyAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                           HandshakeMessage message) throws IOException {
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Handling pre_shared_key absence.");
+            }
+
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            if (!chc.handshakeExtensions.containsKey(SSLExtension.CH_PRE_SHARED_KEY)) {
+                // absence is expected---nothing to do
+                return;
+            }
+
+            // The PSK identity should not be reused, even if it is
+            // not selected.
+            chc.resumingSession.consumePskIdentity();
+
+            // If the client requested to resume, the server refused
+            chc.resumingSession = null;
+            chc.isResumption = false;
+        }
+    }
+
+    private static final class SHPreSharedKeyProducer implements HandshakeProducer {
+
+        // Prevent instantiation of this class.
+        private SHPreSharedKeyProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+
+            ServerHandshakeContext shc = (ServerHandshakeContext)
+                message.handshakeContext;
+            SHPreSharedKeySpec psk = (SHPreSharedKeySpec)
+                shc.handshakeExtensions.get(SH_PRE_SHARED_KEY);
+            if (psk == null) {
+                return null;
+            }
+
+            return psk.getEncoded();
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java	2018-05-11 15:09:38.168351200 -0700
@@ -0,0 +1,174 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.*;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the "psk_key_exchange_modes" extensions.
+ */
+final class PskKeyExchangeModesExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new PskKeyExchangeModesProducer();
+    static final ExtensionConsumer chOnLoadConsumer =
+            new PskKeyExchangeModesConsumer();
+
+    enum PskKeyExchangeMode {
+        PSK_KE(0),
+        PSK_DHE_KE(1);
+
+        private final int v;
+
+        PskKeyExchangeMode(int v) {
+            this.v = v;
+        }
+
+        static PskKeyExchangeMode ofInt(int v) {
+            for(PskKeyExchangeMode mode : values()) {
+                if (mode.v == v) {
+                    return mode;
+                }
+            }
+
+            return null;
+        }
+    }
+
+    static final class PskKeyExchangeModesSpec implements SSLExtensionSpec {
+
+
+        final List<PskKeyExchangeMode> modes;
+
+        PskKeyExchangeModesSpec(List<PskKeyExchangeMode> modes) {
+            this.modes = modes;
+        }
+
+        PskKeyExchangeModesSpec(ByteBuffer m) throws IOException {
+
+            modes = new ArrayList<>();
+            int modesEncodedLength = Record.getInt8(m);
+            int modesReadLength = 0;
+            while (modesReadLength < modesEncodedLength) {
+                int mode = Record.getInt8(m);
+                // TODO: handle incorrect values
+                modes.add(PskKeyExchangeMode.ofInt(mode));
+                modesReadLength += 1;
+            }
+        }
+
+        byte[] getEncoded() throws IOException {
+
+            int encodedLength = modes.size() + 1;
+            byte[] buffer = new byte[encodedLength];
+            ByteBuffer m = ByteBuffer.wrap(buffer);
+            Record.putInt8(m, modes.size());
+            for(PskKeyExchangeMode curMode : modes) {
+                Record.putInt8(m, curMode.v);
+            }
+
+            return buffer;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+            "\"PskKeyExchangeModes\": '{'\n" +
+            "  \"ke_modes\"      : \"{0}\",\n" +
+            "'}'",
+            Locale.ENGLISH);
+
+            Object[] messageFields = {
+            Utilities.indent(modesString()),
+            };
+
+            return messageFormat.format(messageFields);
+        }
+
+        String modesString() {
+            StringBuilder result = new StringBuilder();
+            for(PskKeyExchangeMode curMode : modes) {
+                result.append(curMode.toString() + "\n");
+            }
+
+            return result.toString();
+        }
+    }
+
+
+    private static final
+            class PskKeyExchangeModesConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private PskKeyExchangeModesConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext) message.handshakeContext;
+
+            PskKeyExchangeModesSpec modes = new PskKeyExchangeModesSpec(buffer);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                "Received PskKeyExchangeModes extension: ", modes);
+            }
+
+            shc.pskKeyExchangeModes = modes.modes;
+        }
+
+    }
+
+    private static final
+            class PskKeyExchangeModesProducer implements HandshakeProducer {
+
+        static final List<PskKeyExchangeMode> MODES =
+            List.of(PskKeyExchangeMode.PSK_DHE_KE);
+        static final PskKeyExchangeModesSpec MODES_MSG =
+            new PskKeyExchangeModesSpec(MODES);
+
+        // Prevent instantiation of this class.
+        private PskKeyExchangeModesProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+
+            return MODES_MSG.getEncoded();
+        }
+
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java	2018-05-11 15:09:39.781319500 -0700
@@ -0,0 +1,306 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import sun.security.internal.spec.TlsRsaPremasterSecretParameterSpec;
+import sun.security.util.KeyUtil;
+
+final class RSAKeyExchange {
+    static final SSLPossessionGenerator poGenerator =
+            new EphemeralRSAPossessionGenerator();
+    static final SSLKeyAgreementGenerator kaGenerator =
+            new RSAKAGenerator();
+
+    static final class EphemeralRSAPossession implements SSLPossession {
+        // Proof of possession of the private key corresponding to the public
+        // key for which a certificate is being provided for authentication.
+        final RSAPublicKey        popPublicKey;
+        final PrivateKey          popPrivateKey;
+
+        EphemeralRSAPossession(PrivateKey popPrivateKey,
+                RSAPublicKey popPublicKey) {
+            this.popPublicKey = popPublicKey;
+            this.popPrivateKey = popPrivateKey;
+        }
+    }
+
+    static final class EphemeralRSACredentials implements SSLCredentials {
+        final RSAPublicKey popPublicKey;
+
+        EphemeralRSACredentials(RSAPublicKey popPublicKey) {
+            this.popPublicKey = popPublicKey;
+        }
+    }
+
+    private static final class EphemeralRSAPossessionGenerator
+            implements SSLPossessionGenerator {
+        // Prevent instantiation of this class.
+        private EphemeralRSAPossessionGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLPossession createPossession(HandshakeContext context) {
+            try {
+                EphemeralKeyManager ekm =
+                        context.sslContext.getEphemeralKeyManager();
+                KeyPair kp = ekm.getRSAKeyPair(
+                        true, context.sslContext.getSecureRandom());
+                if (kp != null) {
+                    return new EphemeralRSAPossession(
+                            kp.getPrivate(), (RSAPublicKey)kp.getPublic());
+                } else {
+                    // Could not generate the ephemeral key, ignore.
+                    return null;
+                }
+            } catch (RuntimeException rte) {
+                // Could not determine keylength, ignore.
+                return null;
+            }
+        }
+    }
+
+    static final
+            class RSAPremasterSecret implements SSLPossession, SSLCredentials {
+        final SecretKey premasterSecret;
+
+        RSAPremasterSecret(SecretKey premasterSecret) {
+            this.premasterSecret = premasterSecret;
+        }
+
+        byte[] getEncoded(PublicKey publicKey,
+                SecureRandom secureRandom) throws GeneralSecurityException {
+            Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+            cipher.init(Cipher.WRAP_MODE, publicKey, secureRandom);
+            return cipher.wrap(premasterSecret);
+        }
+
+        @SuppressWarnings("deprecation")
+        static RSAPremasterSecret createPremasterSecret(
+                ClientHandshakeContext chc) throws GeneralSecurityException {
+            String algorithm = chc.negotiatedProtocol.useTLS12PlusSpec() ?
+                    "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret";
+            KeyGenerator kg = JsseJce.getKeyGenerator(algorithm);
+            TlsRsaPremasterSecretParameterSpec spec =
+                    new TlsRsaPremasterSecretParameterSpec(
+                            chc.clientHelloVersion,
+                            chc.negotiatedProtocol.id);
+            kg.init(spec, chc.sslContext.getSecureRandom());
+
+            return new RSAPremasterSecret(kg.generateKey());
+        }
+
+        @SuppressWarnings("deprecation")
+        static RSAPremasterSecret decode(ServerHandshakeContext shc,
+                PrivateKey privateKey,
+                byte[] encrypted) throws GeneralSecurityException {
+
+            byte[] encoded = null;
+            boolean needFailover = false;
+            Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+            try {
+                // Try UNWRAP_MODE mode firstly.
+                cipher.init(Cipher.UNWRAP_MODE, privateKey,
+                        new TlsRsaPremasterSecretParameterSpec(
+                                shc.clientHelloVersion,
+                                shc.negotiatedProtocol.id),
+                                shc.sslContext.getSecureRandom());
+
+                // The provider selection can be delayed, please don't call
+                // any Cipher method before the call to Cipher.init().
+                needFailover = !KeyUtil.isOracleJCEProvider(
+                        cipher.getProvider().getName());
+            } catch (InvalidKeyException | UnsupportedOperationException iue) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("The Cipher provider "
+                            + safeProviderName(cipher)
+                            + " caused exception: " + iue.getMessage());
+                }
+
+                needFailover = true;
+            }
+
+            SecretKey preMaster;
+            if (needFailover) {
+                // The cipher might be spoiled by unsuccessful call to init(),
+                // so request a fresh instance
+                cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1);
+
+                // Use DECRYPT_MODE and dispose the previous initialization.
+                cipher.init(Cipher.DECRYPT_MODE, privateKey);
+                boolean failed = false;
+                try {
+                    encoded = cipher.doFinal(encrypted);
+                } catch (BadPaddingException bpe) {
+                    // Note: encoded == null
+                    failed = true;
+                }
+                encoded = KeyUtil.checkTlsPreMasterSecretKey(
+                        shc.clientHelloVersion, shc.negotiatedProtocol.id,
+                        shc.sslContext.getSecureRandom(), encoded, failed);
+                preMaster = generatePremasterSecret(
+                        shc.clientHelloVersion, shc.negotiatedProtocol.id,
+                        encoded, shc.sslContext.getSecureRandom());
+            } else {
+                // the cipher should have been initialized
+                preMaster = (SecretKey)cipher.unwrap(encrypted,
+                        "TlsRsaPremasterSecret", Cipher.SECRET_KEY);
+            }
+
+            return new RSAPremasterSecret(preMaster);
+        }
+
+        /*
+         * Retrieving the cipher's provider name for the debug purposes
+         * can throw an exception by itself.
+         */
+        private static String safeProviderName(Cipher cipher) {
+            try {
+                return cipher.getProvider().toString();
+            } catch (Exception e) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Retrieving The Cipher provider name" +
+                            " caused exception ", e);
+                }
+            }
+            try {
+                return cipher.toString() + " (provider name not available)";
+            } catch (Exception e) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Retrieving The Cipher name" +
+                            " caused exception ", e);
+                }
+            }
+
+            return "(cipher/provider names not available)";
+        }
+
+        // generate a premaster secret with the specified version number
+        @SuppressWarnings("deprecation")
+        private static SecretKey generatePremasterSecret(
+                int clientVersion, int serverVersion, byte[] encodedSecret,
+                SecureRandom generator) throws GeneralSecurityException {
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Generating a premaster secret");
+            }
+
+            try {
+                String s = ((clientVersion >= ProtocolVersion.TLS12.id) ?
+                    "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret");
+                KeyGenerator kg = JsseJce.getKeyGenerator(s);
+                kg.init(new TlsRsaPremasterSecretParameterSpec(
+                        clientVersion, serverVersion, encodedSecret),
+                        generator);
+                return kg.generateKey();
+            } catch (InvalidAlgorithmParameterException |
+                    NoSuchAlgorithmException iae) {
+                // unlikely to happen, otherwise, must be a provider exception
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("RSA premaster secret generation error:");
+                    iae.printStackTrace(System.out);
+                }
+
+                throw new GeneralSecurityException(
+                        "Could not generate premaster secret", iae);
+            }
+        }
+    }
+
+    private static final
+            class RSAKAGenerator implements SSLKeyAgreementGenerator {
+        // Prevent instantiation of this class.
+        private RSAKAGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext context) throws IOException {
+            RSAPremasterSecret premaster = null;
+            if (context instanceof ClientHandshakeContext) {
+                for (SSLPossession possession : context.handshakePossessions) {
+                    if (possession instanceof RSAPremasterSecret) {
+                        premaster = (RSAPremasterSecret)possession;
+                        break;
+                    }
+                }
+            } else {
+                for (SSLCredentials credential : context.handshakeCredentials) {
+                    if (credential instanceof RSAPremasterSecret) {
+                        premaster = (RSAPremasterSecret)credential;
+                        break;
+                    }
+                }
+            }
+
+            if (premaster == null) {
+                context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No sufficient RSA key agreement parameters negotiated");
+            }
+
+            return new RSAKAKeyDerivation(context, premaster.premasterSecret);
+        }
+
+        private static final
+                class RSAKAKeyDerivation implements SSLKeyDerivation {
+            private final HandshakeContext context;
+            private final SecretKey preMasterSecret;
+
+            RSAKAKeyDerivation(
+                    HandshakeContext context, SecretKey preMasterSecret) {
+                this.context = context;
+                this.preMasterSecret = preMasterSecret;
+            }
+
+            @Override
+            public SecretKey deriveKey(String algorithm,
+                    AlgorithmParameterSpec params) throws IOException {
+                SSLMasterKeyDerivation mskd =
+                        SSLMasterKeyDerivation.valueOf(
+                                context.negotiatedProtocol);
+                SSLKeyDerivation kd = mskd.createKeyDerivation(
+                        context, preMasterSecret);
+                return kd.deriveKey("TODO", params);
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java	2018-05-11 15:09:41.401629300 -0700
@@ -0,0 +1,343 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.ByteBuffer;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.InvalidKeyException;
+import java.security.KeyFactory;
+import java.security.NoSuchAlgorithmException;
+import java.security.Signature;
+import java.security.SignatureException;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.RSAPublicKeySpec;
+import java.text.MessageFormat;
+import java.util.EnumSet;
+import java.util.Locale;
+import sun.security.ssl.RSAKeyExchange.EphemeralRSACredentials;
+import sun.security.ssl.RSAKeyExchange.EphemeralRSAPossession;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.X509Authentication.X509Credentials;
+import sun.security.ssl.X509Authentication.X509Possession;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * Pack of the ServerKeyExchange handshake message.
+ */
+final class RSAServerKeyExchange {
+    static final SSLConsumer rsaHandshakeConsumer =
+        new RSAServerKeyExchangeConsumer();
+    static final HandshakeProducer rsaHandshakeProducer =
+        new RSAServerKeyExchangeProducer();
+
+    /**
+     * The ephemeral RSA ServerKeyExchange handshake message.
+     *
+     * Used for RSA_EXPORT, SSL 3.0 and TLS 1.0 only.
+     */
+    private static final
+            class RSAServerKeyExchangeMessage extends HandshakeMessage {
+        // public key encapsulated in this message
+        private final byte[] modulus;     // 1 to 2^16 - 1 bytes
+        private final byte[] exponent;    // 1 to 2^16 - 1 bytes
+
+        // signature bytes, none-null as no anonymous RSA key exchange.
+        private final byte[] paramsSignature;
+
+        private RSAServerKeyExchangeMessage(HandshakeContext handshakeContext,
+                X509Possession x509Possession,
+                EphemeralRSAPossession rsaPossession) throws IOException {
+            super(handshakeContext);
+
+            // This happens in server side only.
+            ServerHandshakeContext shc =
+                    (ServerHandshakeContext)handshakeContext;
+
+            RSAPublicKey publicKey = rsaPossession.popPublicKey;
+            RSAPublicKeySpec spec = JsseJce.getRSAPublicKeySpec(publicKey);
+            this.modulus = Utilities.toByteArray(spec.getModulus());
+            this.exponent = Utilities.toByteArray(spec.getPublicExponent());
+            byte[] signature = null;
+            try {
+                Signature signer = RSASignature.getInstance();
+                signer.initSign(x509Possession.popPrivateKey,
+                        shc.sslContext.getSecureRandom());
+                updateSignature(signer,
+                          shc.clientHelloRandom.randomBytes,
+                          shc.serverHelloRandom.randomBytes);
+                signature = signer.sign();
+            } catch (NoSuchAlgorithmException |
+                    InvalidKeyException | SignatureException ex) {
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Failed to sign ephemeral RSA parameters", ex);
+            }
+
+            this.paramsSignature = signature;
+        }
+
+        RSAServerKeyExchangeMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+
+            // This happens in client side only.
+            ClientHandshakeContext chc =
+                    (ClientHandshakeContext)handshakeContext;
+
+            this.modulus = Record.getBytes16(m);
+            this.exponent = Record.getBytes16(m);
+            this.paramsSignature = Record.getBytes16(m);
+
+            X509Credentials x509Credentials = null;
+            for (SSLCredentials cd : chc.handshakeCredentials) {
+                if (cd instanceof X509Credentials) {
+                    x509Credentials = (X509Credentials)cd;
+                    break;
+                }
+            }
+
+            if (x509Credentials == null) {
+                chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No RSA credentials negotiated for server key exchange");
+            }
+
+            try {
+                Signature signer = RSASignature.getInstance();
+                signer.initVerify(x509Credentials.popPublicKey);
+                updateSignature(signer,
+                          chc.clientHelloRandom.randomBytes,
+                          chc.serverHelloRandom.randomBytes);
+                if (!signer.verify(paramsSignature)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid signature of RSA ServerKeyExchange message");
+                }
+            } catch (NoSuchAlgorithmException |
+                    InvalidKeyException | SignatureException ex) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Failed to sign ephemeral RSA parameters", ex);
+            }
+        }
+
+        @Override
+        SSLHandshake handshakeType() {
+            return SSLHandshake.SERVER_KEY_EXCHANGE;
+        }
+
+        @Override
+        int messageLength() {
+            return 6 + modulus.length + exponent.length
+                   + paramsSignature.length;
+        }
+
+        @Override
+        void send(HandshakeOutStream hos) throws IOException {
+            hos.putBytes16(modulus);
+            hos.putBytes16(exponent);
+            hos.putBytes16(paramsSignature);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"RSA ServerKeyExchange\": '{'\n" +
+                "  \"parameters\": '{'\n" +
+                "    \"rsa_modulus\": '{'\n" +
+                "{0}\n" +
+                "    '}',\n" +
+                "    \"rsa_exponent\": '{'\n" +
+                "{1}\n" +
+                "    '}'\n" +
+                "  '}',\n" +
+                "  \"digital signature\":  '{'\n" +
+                "    \"signature\": '{'\n" +
+                "{2}\n" +
+                "    '}',\n" +
+                "  '}'\n" +
+                "'}'",
+                Locale.ENGLISH);
+
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            Object[] messageFields = {
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(modulus), "      "),
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(exponent), "      "),
+                Utilities.indent(
+                        hexEncoder.encodeBuffer(paramsSignature), "      ")
+            };
+            return messageFormat.format(messageFields);
+        }
+
+        /*
+         * Hash the nonces and the ephemeral RSA public key.
+         */
+        private void updateSignature(Signature signature,
+                byte[] clntNonce, byte[] svrNonce) throws SignatureException {
+            signature.update(clntNonce);
+            signature.update(svrNonce);
+
+            signature.update((byte)(modulus.length >> 8));
+            signature.update((byte)(modulus.length & 0x0ff));
+            signature.update(modulus);
+
+            signature.update((byte)(exponent.length >> 8));
+            signature.update((byte)(exponent.length & 0x0ff));
+            signature.update(exponent);
+        }
+    }
+
+    /**
+     * The RSA "ServerKeyExchange" handshake message producer.
+     */
+    private static final
+            class RSAServerKeyExchangeProducer implements HandshakeProducer {
+        static final RSAServerKeyExchangeProducer INSTANCE =
+                new RSAServerKeyExchangeProducer();
+
+        // Prevent instantiation of this class.
+        private RSAServerKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            EphemeralRSAPossession rsaPossession = null;
+            X509Possession x509Possession = null;
+            for (SSLPossession possession : shc.handshakePossessions) {
+                if (possession instanceof EphemeralRSAPossession) {
+                    rsaPossession = (EphemeralRSAPossession)possession;
+                    if (x509Possession != null) {
+                        break;
+                    }
+                } else if (possession instanceof X509Possession) {
+                    x509Possession = (X509Possession)possession;
+                    if (rsaPossession != null) {
+                        break;
+                    }
+                }
+            }
+
+            if (rsaPossession == null) {
+                // The X.509 certificate itself should be used for RSA_EXPORT
+                // key exchange.  The ServerKeyExchange handshake message is
+                // not needed.
+                return null;
+            } else if (x509Possession == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "No RSA certificate negotiated for server key exchange");
+            } else if (!"RSA".equals(
+                    x509Possession.popPrivateKey.getAlgorithm())) {
+                // unlikely
+                shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "No X.509 possession can be used for " +
+                        "ephemeral RSA ServerKeyExchange");
+            }
+
+            RSAServerKeyExchangeMessage skem =
+                    new RSAServerKeyExchangeMessage(
+                            shc, x509Possession, rsaPossession);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Produced RSA ServerKeyExchange handshake message", skem);
+            }
+
+            // Output the handshake message.
+            skem.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The RSA "ServerKeyExchange" handshake message consumer.
+     */
+    private static final
+            class RSAServerKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private RSAServerKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            RSAServerKeyExchangeMessage skem =
+                    new RSAServerKeyExchangeMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Consuming RSA ServerKeyExchange handshake message", skem);
+            }
+
+            //
+            // validate
+            //
+            // check constraints of EC PublicKey
+            RSAPublicKey publicKey;
+            try {
+                KeyFactory kf = JsseJce.getKeyFactory("RSA");
+                RSAPublicKeySpec spec = new RSAPublicKeySpec(
+                    new BigInteger(1, skem.modulus),
+                    new BigInteger(1, skem.exponent));
+                publicKey = (RSAPublicKey)kf.generatePublic(spec);
+            } catch (GeneralSecurityException gse) {
+                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                        "Could not generate RSAPublicKey", gse);
+
+                return;     // make the compiler happy
+            }
+
+            if (!chc.algorithmConstraints.permits(
+                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
+                chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
+                        "RSA ServerKeyExchange does not comply to " +
+                        "algorithm constraints");
+            }
+
+            //
+            // update
+            //
+            chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+}
+
--- old/src/java.base/share/classes/sun/security/ssl/RenegotiationInfoExtension.java	2018-05-11 15:09:43.791274800 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,115 +0,0 @@
-/*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-
-import javax.net.ssl.SSLProtocolException;
-
-/*
- * For secure renegotiation, RFC5746 defines a new TLS extension,
- * "renegotiation_info" (with extension type 0xff01), which contains a
- * cryptographic binding to the enclosing TLS connection (if any) for
- * which the renegotiation is being performed.  The "extension data"
- * field of this extension contains a "RenegotiationInfo" structure:
- *
- *      struct {
- *          opaque renegotiated_connection<0..255>;
- *      } RenegotiationInfo;
- */
-final class RenegotiationInfoExtension extends HelloExtension {
-    private final byte[] renegotiated_connection;
-
-    RenegotiationInfoExtension(byte[] clientVerifyData,
-                byte[] serverVerifyData) {
-        super(ExtensionType.EXT_RENEGOTIATION_INFO);
-
-        if (clientVerifyData.length != 0) {
-            renegotiated_connection =
-                    new byte[clientVerifyData.length + serverVerifyData.length];
-            System.arraycopy(clientVerifyData, 0, renegotiated_connection,
-                    0, clientVerifyData.length);
-
-            if (serverVerifyData.length != 0) {
-                System.arraycopy(serverVerifyData, 0, renegotiated_connection,
-                        clientVerifyData.length, serverVerifyData.length);
-            }
-        } else {
-            // ignore both the client and server verify data.
-            renegotiated_connection = new byte[0];
-        }
-    }
-
-    RenegotiationInfoExtension(HandshakeInStream s, int len)
-                throws IOException {
-        super(ExtensionType.EXT_RENEGOTIATION_INFO);
-
-        // check the extension length
-        if (len < 1) {
-            throw new SSLProtocolException("Invalid " + type + " extension");
-        }
-
-        int renegoInfoDataLen = s.getInt8();
-        if (renegoInfoDataLen + 1 != len) {  // + 1 = the byte we just read
-            throw new SSLProtocolException("Invalid " + type + " extension");
-        }
-
-        renegotiated_connection = new byte[renegoInfoDataLen];
-        if (renegoInfoDataLen != 0) {
-            s.read(renegotiated_connection, 0, renegoInfoDataLen);
-        }
-    }
-
-
-    // Length of the encoded extension, including the type and length fields
-    @Override
-    int length() {
-        return 5 + renegotiated_connection.length;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(renegotiated_connection.length + 1);
-        s.putBytes8(renegotiated_connection);
-    }
-
-    boolean isEmpty() {
-        return renegotiated_connection.length == 0;
-    }
-
-    byte[] getRenegotiatedConnection() {
-        return renegotiated_connection;
-    }
-
-    @Override
-    public String toString() {
-        return "Extension " + type + ", renegotiated_connection: " +
-                    (renegotiated_connection.length == 0 ? "<empty>" :
-                    Debug.toString(renegotiated_connection));
-    }
-
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java	2018-05-11 15:09:43.063032400 -0700
@@ -0,0 +1,558 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.Locale;
+import javax.net.ssl.SSLProtocolException;
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+import static sun.security.ssl.SSLExtension.CH_RENEGOTIATION_INFO;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.SH_RENEGOTIATION_INFO;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the "renegotiation_info" extensions [RFC 5746].
+ */
+final class RenegoInfoExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHRenegotiationInfoProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHRenegotiationInfoConsumer();
+    static final HandshakeAbsence chOnLoadAbsence =
+            new CHRenegotiationInfoAbsence();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHRenegotiationInfoProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHRenegotiationInfoConsumer();
+    static final HandshakeAbsence shOnLoadAbsence =
+            new SHRenegotiationInfoAbsence();
+
+    static final SSLStringize rniStringize =
+            new RenegotiationInfoStringize();
+
+    /**
+     * The "renegotiation_info" extension.
+     */
+    static final class RenegotiationInfoSpec implements SSLExtensionSpec {
+        // A nominal object that does not holding any real renegotiation info.
+        static final RenegotiationInfoSpec NOMINAL =
+                new RenegotiationInfoSpec(new byte[0]);
+
+        private final byte[] renegotiatedConnection;
+
+        private RenegotiationInfoSpec(byte[] renegotiatedConnection) {
+            this.renegotiatedConnection = Arrays.copyOf(
+                    renegotiatedConnection, renegotiatedConnection.length);
+        }
+
+        private RenegotiationInfoSpec(ByteBuffer m) throws IOException {
+            // Parse the extension.
+            if (!m.hasRemaining() || m.remaining() < 1) {
+                throw new SSLProtocolException(
+                    "Invalid renegotiation_info extension data: " +
+                    "insufficient data");
+            }
+            this.renegotiatedConnection = Record.getBytes8(m);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"renegotiated connection\": '['{0}']'", Locale.ENGLISH);
+            if (renegotiatedConnection.length == 0) {
+                Object[] messageFields = {
+                        "<no renegotiated connection>"
+                    };
+                return messageFormat.format(messageFields);
+            } else {
+                Object[] messageFields = {
+                        Utilities.toHexString(renegotiatedConnection)
+                    };
+                return messageFormat.format(messageFields);
+            }
+        }
+    }
+
+    private static final
+            class RenegotiationInfoStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new RenegotiationInfoSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "renegotiation_info" extension in
+     * the ClientHello handshake message.
+     */
+    private static final
+            class CHRenegotiationInfoProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHRenegotiationInfoProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_RENEGOTIATION_INFO)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore unavailable renegotiation_info extension");
+                }
+
+                return null;
+            }
+
+            if (!chc.conContext.isNegotiated) {
+                if (chc.activeCipherSuites.contains(
+                        CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                    // Using the the TLS_EMPTY_RENEGOTIATION_INFO_SCSV instead.
+                    return null;
+                }
+
+                // initial handshaking.
+                //
+                // If this is the initial handshake for a connection, then the
+                // "renegotiated_connection" field is of zero length in both
+                // the ClientHello and the ServerHello. [RFC 5746]
+                byte[] extData = new byte[] { 0x00 };
+                chc.handshakeExtensions.put(
+                        CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            } else if (chc.conContext.secureRenegotiation) {
+                // secure renegotiation
+                //
+                // For ClientHello handshake message in renegotiation, this
+                // field contains the "client_verify_data".
+                byte[] extData =
+                        new byte[chc.conContext.clientVerifyData.length + 1];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putBytes8(m, chc.conContext.clientVerifyData);
+
+                // The conContext.clientVerifyData will be used for further
+                // processing, so it does not matter to save whatever in the
+                // RenegotiationInfoSpec object.
+                chc.handshakeExtensions.put(
+                        CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            } else {    // not secure renegotiation
+                if (HandshakeContext.allowUnsafeRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning("Using insecure renegotiation");
+                    }
+
+                    return null;
+                } else {
+                    // terminate the session.
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "insecure renegotiation is not allowed");
+                }
+            }
+
+            return null;
+        }
+    }
+
+    /**
+     * Network data producer of a "renegotiation_info" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class CHRenegotiationInfoConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHRenegotiationInfoConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_RENEGOTIATION_INFO)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("Ignore unavailable extension: " +
+                            CH_RENEGOTIATION_INFO.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            RenegotiationInfoSpec spec;
+            try {
+                spec = new RenegotiationInfoSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            if (!shc.conContext.isNegotiated) {
+                // initial handshaking.
+                if (spec.renegotiatedConnection.length != 0) {
+                    shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Invalid renegotiation_info extension data: not empty");
+                }
+                shc.conContext.secureRenegotiation = true;
+            } else {
+                if (!shc.conContext.secureRenegotiation) {
+                    // Unexpected RI extension for insecure renegotiation,
+                    // abort the handshake with a fatal handshake_failure alert.
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "The renegotiation_info is present in a insecure " +
+                            "renegotiation");
+                } else {
+                    // verify the client_verify_data value
+                    if (!Arrays.equals(shc.conContext.clientVerifyData,
+                            spec.renegotiatedConnection)) {
+                        shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                            "Invalid renegotiation_info extension data: " +
+                            "incorrect verify data in ClientHello");
+                    }
+                }
+            }
+
+            // Update the context.
+            //
+            // The conContext.clientVerifyData will be used for further
+            // processing, so it does not matter to save whatever in the
+            // RenegotiationInfoSpec object.
+            shc.handshakeExtensions.put(
+                    CH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * The absence processing if a "renegotiation_info" extension is
+     * not present in the ClientHello handshake message.
+     */
+    private static final
+            class CHRenegotiationInfoAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            if (!shc.conContext.isNegotiated) {
+                // initial handshaking.
+                for (int id : clientHello.cipherSuiteIds) {
+                    if (id ==
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV.id) {
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.finest(
+                                "Safe renegotiation, using the SCSV signgling");
+                        }
+                        shc.conContext.secureRenegotiation = true;
+                        return;
+                    }
+                }
+
+                if (!HandshakeContext.allowLegacyHelloMessages) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Failed to negotiate the use of secure renegotiation");
+                }   // otherwise, allow legacy hello message
+
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("Warning: No renegotiation " +
+                        "indication in ClientHello, allow legacy ClientHello");
+                }
+
+                shc.conContext.secureRenegotiation = false;
+            } else if (shc.conContext.secureRenegotiation) {
+                // Require secure renegotiation, terminate the connection.
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Inconsistent secure renegotiation indication");
+            } else {    // renegotiation, not secure
+                if (HandshakeContext.allowUnsafeRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning("Using insecure renegotiation");
+                    }
+                } else {
+                    // Unsafe renegotiation should have been aborted in
+                    // ealier processes.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine("Terminate insecure renegotiation");
+                    }
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsafe renegotiation is not allowed");
+                }
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "renegotiation_info" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHRenegotiationInfoProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHRenegotiationInfoProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to "renegotiation_info" extension request only.
+            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
+                    shc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
+            if (requestedSpec == null && !shc.conContext.secureRenegotiation) {
+                // Ignore, no renegotiation_info extension or SCSV signgling
+                // requested.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "Ignore unavailable renegotiation_info extension");
+                }
+                return null;        // ignore the extension
+            }
+
+            if (!shc.conContext.secureRenegotiation) {
+                // Ignore, no secure renegotiation is negotiated.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.finest(
+                        "No secure renegotiation has been negotiated");
+                }
+                return null;        // ignore the extension
+            }
+
+            if (!shc.conContext.isNegotiated) {
+                // initial handshaking.
+                //
+                // If this is the initial handshake for a connection, then the
+                // "renegotiated_connection" field is of zero length in both
+                // the ClientHello and the ServerHello. [RFC 5746]
+                byte[] extData = new byte[] { 0x00 };
+
+                // The conContext.client/serverVerifyData will be used for
+                // further processing, so it does not matter to save whatever
+                // in the RenegotiationInfoSpec object.
+                shc.handshakeExtensions.put(
+                        SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            } else {
+                // secure renegotiation
+                //
+                // For secure renegotiation, the server MUST include a
+                // "renegotiation_info" extension containing the saved
+                // client_verify_data and server_verify_data in the ServerHello.
+                int infoLen = shc.conContext.clientVerifyData.length +
+                              shc.conContext.serverVerifyData.length;
+                byte[] extData = new byte[infoLen + 1];
+                ByteBuffer m = ByteBuffer.wrap(extData);
+                Record.putInt8(m, infoLen);
+                m.put(shc.conContext.clientVerifyData);
+                m.put(shc.conContext.serverVerifyData);
+
+                // The conContext.client/serverVerifyData will be used for
+                // further processing, so it does not matter to save whatever
+                // in the RenegotiationInfoSpec object.
+                shc.handshakeExtensions.put(
+                        SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+                return extData;
+            }
+        }
+    }
+
+    /**
+     * Network data consumer of a "renegotiation_info" extension in
+     * the ServerHello handshake message.
+     */
+    private static final
+            class SHRenegotiationInfoConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHRenegotiationInfoConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to the client renegotiation_info extension request
+            // or SCSV signling, which is mandatory for ClientHello message.
+            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
+                    chc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
+            if (requestedSpec == null &&
+                    !chc.activeCipherSuites.contains(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Missing renegotiation_info and SCSV detected in " +
+                    "ClientHello");
+            }
+
+            // Parse the extension.
+            RenegotiationInfoSpec spec;
+            try {
+                spec = new RenegotiationInfoSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+
+            if (!chc.conContext.isNegotiated) {     // initial handshake
+                // If the extension is present, set the secure_renegotiation
+                // flag to TRUE.  The client MUST then verify that the
+                // length of the "renegotiated_connection" field is zero,
+                // and if it is not, MUST abort the handshake (by sending
+                // a fatal handshake_failure alert). [RFC 5746]
+                if (spec.renegotiatedConnection.length != 0) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "not empty renegotiated_connection");
+                }
+
+                chc.conContext.secureRenegotiation = true;
+            } else {        // renegotiation
+                // The client MUST then verify that the first half of the
+                // "renegotiated_connection" field is equal to the saved
+                // client_verify_data value, and the second half is equal to the
+                // saved server_verify_data value.  If they are not, the client
+                // MUST abort the handshake. [RFC 5746]
+                int infoLen = chc.conContext.clientVerifyData.length +
+                              chc.conContext.serverVerifyData.length;
+                if (spec.renegotiatedConnection.length != infoLen) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "invalid renegotiated_connection length (" +
+                        spec.renegotiatedConnection.length + ")");
+                }
+
+                byte[] cvd = chc.conContext.clientVerifyData;
+                if (!Arrays.equals(spec.renegotiatedConnection,
+                        0, cvd.length, cvd, 0, cvd.length)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "unmatched client_verify_data value");
+                }
+                byte[] svd = chc.conContext.serverVerifyData;
+                if (!Arrays.equals(spec.renegotiatedConnection,
+                        cvd.length, infoLen, svd, 0, svd.length)) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Invalid renegotiation_info in ServerHello: " +
+                        "unmatched server_verify_data value");
+                }
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(
+                    SH_RENEGOTIATION_INFO, RenegotiationInfoSpec.NOMINAL);
+
+            // No impact on session resumption.
+        }
+    }
+
+    /**
+     * The absence processing if a "renegotiation_info" extension is
+     * not present in the ServerHello handshake message.
+     */
+    private static final
+            class SHRenegotiationInfoAbsence implements HandshakeAbsence {
+        @Override
+        public void absent(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // In response to the client renegotiation_info extension request
+            // or SCSV signling, which is mandatory for ClientHello message.
+            RenegotiationInfoSpec requestedSpec = (RenegotiationInfoSpec)
+                    chc.handshakeExtensions.get(CH_RENEGOTIATION_INFO);
+            if (requestedSpec == null &&
+                    !chc.activeCipherSuites.contains(
+                            CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "Missing renegotiation_info and SCSV detected in " +
+                    "ClientHello");
+            }
+
+            if (!chc.conContext.isNegotiated) {
+                // initial handshaking.
+                if (!HandshakeContext.allowLegacyHelloMessages) {
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Failed to negotiate the use of secure renegotiation");
+                }   // otherwise, allow legacy hello message
+
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning("Warning: No renegotiation " +
+                        "indication in ServerHello, allow legacy ServerHello");
+                }
+
+                chc.conContext.secureRenegotiation = false;
+            } else if (chc.conContext.secureRenegotiation) {
+                // Require secure renegotiation, terminate the connection.
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Inconsistent secure renegotiation indication");
+            } else {    // renegotiation, not secure
+                if (HandshakeContext.allowUnsafeRenegotiation) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.warning("Using insecure renegotiation");
+                    }
+                } else {
+                    // Unsafe renegotiation should have been aborted in
+                    // ealier processes.
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine("Terminate insecure renegotiation");
+                    }
+                    chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Unsafe renegotiation is not allowed");
+                }
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLAuthentication.java	2018-05-11 15:09:44.944367900 -0700
@@ -0,0 +1,31 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+interface SSLAuthentication
+        extends SSLPossessionGenerator, SSLHandshakeBinding {
+    // blank
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLBasicKeyDerivation.java	2018-05-11 15:09:46.773761000 -0700
@@ -0,0 +1,81 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.SecretKey;
+import javax.net.ssl.SSLHandshakeException;
+
+final class SSLBasicKeyDerivation implements SSLKeyDerivation {
+    private final String hashAlg;
+    private final SecretKey secret;
+    private final byte[] hkdfInfo;
+
+    SSLBasicKeyDerivation(SecretKey secret, String hashAlg,
+            byte[] label, byte[] context, int length) {
+        this.hashAlg = hashAlg.replace("-", "");
+        this.secret = secret;
+        this.hkdfInfo = createHkdfInfo(label, context, length);
+    }
+
+    @Override
+    public SecretKey deriveKey(String algorithm,
+            AlgorithmParameterSpec keySpec) throws IOException {
+        try {
+            HKDF hkdf = new HKDF(hashAlg);
+            return hkdf.expand(secret, hkdfInfo,
+                    ((SecretSizeSpec)keySpec).length, algorithm);
+        } catch (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                "Could not generate secret").initCause(gse);
+        }
+    }
+
+    private static byte[] createHkdfInfo(
+            byte[] label, byte[] context, int length) {
+        byte[] info = new byte[4 + label.length + context.length];
+        ByteBuffer m = ByteBuffer.wrap(info);
+        try {
+            Record.putInt16(m, length);
+            Record.putBytes8(m, label);
+            Record.putBytes8(m, context);
+        } catch (IOException ioe) {
+            // unlikely
+        }
+        return info;
+    }
+
+    static class SecretSizeSpec implements AlgorithmParameterSpec {
+        final int length;
+
+        SecretSizeSpec(int length) {
+            this.length = length;
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/CipherBox.java	2018-05-11 15:09:49.215706300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,1150 +0,0 @@
-/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.ssl;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.util.Hashtable;
-import java.util.Arrays;
-
-import java.security.*;
-import javax.crypto.*;
-import javax.crypto.spec.IvParameterSpec;
-import javax.crypto.spec.GCMParameterSpec;
-
-import java.nio.*;
-
-import sun.security.ssl.CipherSuite.*;
-import static sun.security.ssl.CipherSuite.*;
-import static sun.security.ssl.CipherSuite.CipherType.*;
-
-import sun.security.util.HexDumpEncoder;
-
-
-/**
- * This class handles bulk data enciphering/deciphering for each SSLv3
- * message.  This provides data confidentiality.  Stream ciphers (such
- * as RC4) don't need to do padding; block ciphers (e.g. DES) need it.
- *
- * Individual instances are obtained by calling the static method
- * newCipherBox(), which should only be invoked by BulkCipher.newCipher().
- *
- * In RFC 2246, with bock ciphers in CBC mode, the Initialization
- * Vector (IV) for the first record is generated with the other keys
- * and secrets when the security parameters are set.  The IV for
- * subsequent records is the last ciphertext block from the previous
- * record.
- *
- * In RFC 4346, the implicit Initialization Vector (IV) is replaced
- * with an explicit IV to protect against CBC attacks.  RFC 4346
- * recommends two algorithms used to generated the per-record IV.
- * The implementation uses the algorithm (2)(b), as described at
- * section 6.2.3.2 of RFC 4346.
- *
- * The usage of IV in CBC block cipher can be illustrated in
- * the following diagrams.
- *
- *   (random)
- *        R         P1                    IV        C1
- *        |          |                     |         |
- *  SIV---+    |-----+    |-...            |-----    |------
- *        |    |     |    |                |    |    |     |
- *     +----+  |  +----+  |             +----+  |  +----+  |
- *     | Ek |  |  + Ek +  |             | Dk |  |  | Dk |  |
- *     +----+  |  +----+  |             +----+  |  +----+  |
- *        |    |     |    |                |    |    |     |
- *        |----|     |----|           SIV--+    |----|     |-...
- *        |          |                     |       |
- *       IV         C1                     R      P1
- *                                     (discard)
- *
- *       CBC Encryption                    CBC Decryption
- *
- * NOTE that any ciphering involved in key exchange (e.g. with RSA) is
- * handled separately.
- *
- * @author David Brownell
- * @author Andreas Sterbenz
- */
-final class CipherBox {
-
-    // A CipherBox that implements the identity operation
-    static final CipherBox NULL = new CipherBox();
-
-    /* Class and subclass dynamic debugging support */
-    private static final Debug debug = Debug.getInstance("ssl");
-
-    // the protocol version this cipher conforms to
-    private final ProtocolVersion protocolVersion;
-
-    // cipher object
-    private final Cipher cipher;
-
-    /**
-     * secure random
-     */
-    private SecureRandom random;
-
-    /**
-     * fixed IV, the implicit nonce of AEAD cipher suite, only apply to
-     * AEAD cipher suites
-     */
-    private final byte[] fixedIv;
-
-    /**
-     * the key, reserved only for AEAD cipher initialization
-     */
-    private final Key key;
-
-    /**
-     * the operation mode, reserved for AEAD cipher initialization
-     */
-    private final int mode;
-
-    /**
-     * the authentication tag size, only apply to AEAD cipher suites
-     */
-    private final int tagSize;
-
-    /**
-     * the record IV length, only apply to AEAD cipher suites
-     */
-    private final int recordIvSize;
-
-    /**
-     * cipher type
-     */
-    private final CipherType cipherType;
-
-    /**
-     * Fixed masks of various block size, as the initial decryption IVs
-     * for TLS 1.1 or later.
-     *
-     * For performance, we do not use random IVs. As the initial decryption
-     * IVs will be discarded by TLS decryption processes, so the fixed masks
-     * do not hurt cryptographic strength.
-     */
-    private static Hashtable<Integer, IvParameterSpec> masks;
-
-    /**
-     * NULL cipherbox. Identity operation, no encryption.
-     */
-    private CipherBox() {
-        this.protocolVersion = ProtocolVersion.DEFAULT_TLS;
-        this.cipher = null;
-        this.cipherType = NULL_CIPHER;
-        this.fixedIv = new byte[0];
-        this.key = null;
-        this.mode = Cipher.ENCRYPT_MODE;    // choose at random
-        this.random = null;
-        this.tagSize = 0;
-        this.recordIvSize = 0;
-    }
-
-    /**
-     * Construct a new CipherBox using the cipher transformation.
-     *
-     * @exception NoSuchAlgorithmException if no appropriate JCE Cipher
-     * implementation could be found.
-     */
-    private CipherBox(ProtocolVersion protocolVersion, BulkCipher bulkCipher,
-            SecretKey key, IvParameterSpec iv, SecureRandom random,
-            boolean encrypt) throws NoSuchAlgorithmException {
-        try {
-            this.protocolVersion = protocolVersion;
-            this.cipher = JsseJce.getCipher(bulkCipher.transformation);
-            this.mode = encrypt ? Cipher.ENCRYPT_MODE : Cipher.DECRYPT_MODE;
-
-            if (random == null) {
-                random = JsseJce.getSecureRandom();
-            }
-            this.random = random;
-            this.cipherType = bulkCipher.cipherType;
-
-            /*
-             * RFC 4346 recommends two algorithms used to generated the
-             * per-record IV. The implementation uses the algorithm (2)(b),
-             * as described at section 6.2.3.2 of RFC 4346.
-             *
-             * As we don't care about the initial IV value for TLS 1.1 or
-             * later, so if the "iv" parameter is null, we use the default
-             * value generated by Cipher.init() for encryption, and a fixed
-             * mask for decryption.
-             */
-            if (iv == null && bulkCipher.ivSize != 0 &&
-                    mode == Cipher.DECRYPT_MODE &&
-                    protocolVersion.useTLS11PlusSpec()) {
-                iv = getFixedMask(bulkCipher.ivSize);
-            }
-
-            if (cipherType == AEAD_CIPHER) {
-                // AEAD must completely initialize the cipher for each packet,
-                // and so we save initialization parameters for packet
-                // processing time.
-
-                // Set the tag size for AEAD cipher
-                tagSize = bulkCipher.tagSize;
-
-                // Reserve the key for AEAD cipher initialization
-                this.key = key;
-
-                fixedIv = iv.getIV();
-                if (fixedIv == null ||
-                        fixedIv.length != bulkCipher.fixedIvSize) {
-                    throw new RuntimeException("Improper fixed IV for AEAD");
-                }
-
-                // Set the record IV length for AEAD cipher
-                recordIvSize = bulkCipher.ivSize - bulkCipher.fixedIvSize;
-
-                // DON'T initialize the cipher for AEAD!
-            } else {
-                // CBC only requires one initialization during its lifetime
-                // (future packets/IVs set the proper CBC state), so we can
-                // initialize now.
-
-                // Zeroize the variables that only apply to AEAD cipher
-                this.tagSize = 0;
-                this.fixedIv = new byte[0];
-                this.recordIvSize = 0;
-                this.key = null;
-
-                // Initialize the cipher
-                cipher.init(mode, key, iv, random);
-            }
-        } catch (NoSuchAlgorithmException e) {
-            throw e;
-        } catch (Exception e) {
-            throw new NoSuchAlgorithmException
-                    ("Could not create cipher " + bulkCipher, e);
-        } catch (ExceptionInInitializerError e) {
-            throw new NoSuchAlgorithmException
-                    ("Could not create cipher " + bulkCipher, e);
-        }
-    }
-
-    /*
-     * Factory method to obtain a new CipherBox object.
-     */
-    static CipherBox newCipherBox(ProtocolVersion version, BulkCipher cipher,
-            SecretKey key, IvParameterSpec iv, SecureRandom random,
-            boolean encrypt) throws NoSuchAlgorithmException {
-        if (cipher.allowed == false) {
-            throw new NoSuchAlgorithmException("Unsupported cipher " + cipher);
-        }
-
-        if (cipher == BulkCipher.B_NULL) {
-            return NULL;
-        } else {
-            return new CipherBox(version, cipher, key, iv, random, encrypt);
-        }
-    }
-
-    /*
-     * Get a fixed mask, as the initial decryption IVs for TLS 1.1 or later.
-     */
-    private static IvParameterSpec getFixedMask(int ivSize) {
-        if (masks == null) {
-            masks = new Hashtable<Integer, IvParameterSpec>(5);
-        }
-
-        IvParameterSpec iv = masks.get(ivSize);
-        if (iv == null) {
-            iv = new IvParameterSpec(new byte[ivSize]);
-            masks.put(ivSize, iv);
-        }
-
-        return iv;
-    }
-
-    /*
-     * Encrypts a block of data, returning the size of the
-     * resulting block.
-     */
-    int encrypt(byte[] buf, int offset, int len) {
-        if (cipher == null) {
-            return len;
-        }
-
-        try {
-            int blockSize = cipher.getBlockSize();
-            if (cipherType == BLOCK_CIPHER) {
-                len = addPadding(buf, offset, len, blockSize);
-            }
-
-            if (debug != null && Debug.isOn("plaintext")) {
-                try {
-                    HexDumpEncoder hd = new HexDumpEncoder();
-
-                    System.out.println(
-                        "Padded plaintext before ENCRYPTION:  len = "
-                        + len);
-                    hd.encodeBuffer(
-                        new ByteArrayInputStream(buf, offset, len),
-                        System.out);
-                } catch (IOException e) { }
-            }
-
-
-            if (cipherType == AEAD_CIPHER) {
-                try {
-                    return cipher.doFinal(buf, offset, len, buf, offset);
-                } catch (IllegalBlockSizeException | BadPaddingException ibe) {
-                    // unlikely to happen
-                    throw new RuntimeException(
-                        "Cipher error in AEAD mode in JCE provider " +
-                        cipher.getProvider().getName(), ibe);
-                }
-            } else {
-                int newLen = cipher.update(buf, offset, len, buf, offset);
-                if (newLen != len) {
-                    // catch BouncyCastle buffering error
-                    throw new RuntimeException("Cipher buffering error " +
-                        "in JCE provider " + cipher.getProvider().getName());
-                }
-                return newLen;
-            }
-        } catch (ShortBufferException e) {
-            // unlikely to happen, we should have enough buffer space here
-            throw new ArrayIndexOutOfBoundsException(e.toString());
-        }
-    }
-
-    /*
-     * Encrypts a ByteBuffer block of data, returning the size of the
-     * resulting block.
-     *
-     * The byte buffers position and limit initially define the amount
-     * to encrypt.  On return, the position and limit are
-     * set to last position padded/encrypted.  The limit may have changed
-     * because of the added padding bytes.
-     */
-    int encrypt(ByteBuffer bb, int outLimit) {
-
-        int len = bb.remaining();
-
-        if (cipher == null) {
-            bb.position(bb.limit());
-            return len;
-        }
-
-        int pos = bb.position();
-
-        int blockSize = cipher.getBlockSize();
-        if (cipherType == BLOCK_CIPHER) {
-            // addPadding adjusts pos/limit
-            len = addPadding(bb, blockSize);
-            bb.position(pos);
-        }
-
-        if (debug != null && Debug.isOn("plaintext")) {
-            try {
-                HexDumpEncoder hd = new HexDumpEncoder();
-
-                System.out.println(
-                    "Padded plaintext before ENCRYPTION:  len = "
-                    + len);
-                hd.encodeBuffer(bb.duplicate(), System.out);
-
-            } catch (IOException e) { }
-        }
-
-        /*
-         * Encrypt "in-place".  This does not add its own padding.
-         */
-        ByteBuffer dup = bb.duplicate();
-        if (cipherType == AEAD_CIPHER) {
-            try {
-                int outputSize = cipher.getOutputSize(dup.remaining());
-                if (outputSize > bb.remaining()) {
-                    // need to expand the limit of the output buffer for
-                    // the authentication tag.
-                    //
-                    // DON'T worry about the buffer's capacity, we have
-                    // reserved space for the authentication tag.
-                    if (outLimit < pos + outputSize) {
-                        // unlikely to happen
-                        throw new ShortBufferException(
-                                    "need more space in output buffer");
-                    }
-                    bb.limit(pos + outputSize);
-                }
-                int newLen = cipher.doFinal(dup, bb);
-                if (newLen != outputSize) {
-                    throw new RuntimeException(
-                            "Cipher buffering error in JCE provider " +
-                            cipher.getProvider().getName());
-                }
-                return newLen;
-            } catch (IllegalBlockSizeException |
-                           BadPaddingException | ShortBufferException ibse) {
-                // unlikely to happen
-                throw new RuntimeException(
-                        "Cipher error in AEAD mode in JCE provider " +
-                        cipher.getProvider().getName(), ibse);
-            }
-        } else {
-            int newLen;
-            try {
-                newLen = cipher.update(dup, bb);
-            } catch (ShortBufferException sbe) {
-                // unlikely to happen
-                throw new RuntimeException("Cipher buffering error " +
-                    "in JCE provider " + cipher.getProvider().getName());
-            }
-
-            if (bb.position() != dup.position()) {
-                throw new RuntimeException("bytebuffer padding error");
-            }
-
-            if (newLen != len) {
-                // catch BouncyCastle buffering error
-                throw new RuntimeException("Cipher buffering error " +
-                    "in JCE provider " + cipher.getProvider().getName());
-            }
-            return newLen;
-        }
-    }
-
-
-    /*
-     * Decrypts a block of data, returning the size of the
-     * resulting block if padding was required.
-     *
-     * For SSLv3 and TLSv1.0, with block ciphers in CBC mode the
-     * Initialization Vector (IV) for the first record is generated by
-     * the handshake protocol, the IV for subsequent records is the
-     * last ciphertext block from the previous record.
-     *
-     * From TLSv1.1, the implicit IV is replaced with an explicit IV to
-     * protect against CBC attacks.
-     *
-     * Differentiating between bad_record_mac and decryption_failed alerts
-     * may permit certain attacks against CBC mode. It is preferable to
-     * uniformly use the bad_record_mac alert to hide the specific type of
-     * the error.
-     */
-    int decrypt(byte[] buf, int offset, int len,
-            int tagLen) throws BadPaddingException {
-        if (cipher == null) {
-            return len;
-        }
-
-        try {
-            int newLen;
-            if (cipherType == AEAD_CIPHER) {
-                try {
-                    newLen = cipher.doFinal(buf, offset, len, buf, offset);
-                } catch (IllegalBlockSizeException ibse) {
-                    // unlikely to happen
-                    throw new RuntimeException(
-                        "Cipher error in AEAD mode in JCE provider " +
-                        cipher.getProvider().getName(), ibse);
-                }
-            } else {
-                newLen = cipher.update(buf, offset, len, buf, offset);
-                if (newLen != len) {
-                    // catch BouncyCastle buffering error
-                    throw new RuntimeException("Cipher buffering error " +
-                        "in JCE provider " + cipher.getProvider().getName());
-                }
-            }
-            if (debug != null && Debug.isOn("plaintext")) {
-                try {
-                    HexDumpEncoder hd = new HexDumpEncoder();
-
-                    System.out.println(
-                        "Padded plaintext after DECRYPTION:  len = "
-                        + newLen);
-                    hd.encodeBuffer(
-                        new ByteArrayInputStream(buf, offset, newLen),
-                        System.out);
-                } catch (IOException e) { }
-            }
-
-            if (cipherType == BLOCK_CIPHER) {
-                int blockSize = cipher.getBlockSize();
-                newLen = removePadding(
-                    buf, offset, newLen, tagLen, blockSize, protocolVersion);
-
-                if (protocolVersion.useTLS11PlusSpec()) {
-                    if (newLen < blockSize) {
-                        throw new BadPaddingException("The length after " +
-                        "padding removal (" + newLen + ") should be larger " +
-                        "than <" + blockSize + "> since explicit IV used");
-                    }
-                }
-            }
-            return newLen;
-        } catch (ShortBufferException e) {
-            // unlikely to happen, we should have enough buffer space here
-            throw new ArrayIndexOutOfBoundsException(e.toString());
-        }
-    }
-
-    /*
-     * Decrypts a block of data, returning the size of the
-     * resulting block if padding was required.  position and limit
-     * point to the end of the decrypted/depadded data.  The initial
-     * limit and new limit may be different, given we may
-     * have stripped off some padding bytes.
-     *
-     *  @see decrypt(byte[], int, int)
-     */
-    int decrypt(ByteBuffer bb, int tagLen) throws BadPaddingException {
-
-        int len = bb.remaining();
-
-        if (cipher == null) {
-            bb.position(bb.limit());
-            return len;
-        }
-
-        try {
-            /*
-             * Decrypt "in-place".
-             */
-            int pos = bb.position();
-            ByteBuffer dup = bb.duplicate();
-            int newLen;
-            if (cipherType == AEAD_CIPHER) {
-                try {
-                    newLen = cipher.doFinal(dup, bb);
-                } catch (IllegalBlockSizeException ibse) {
-                    // unlikely to happen
-                    throw new RuntimeException(
-                        "Cipher error in AEAD mode \"" + ibse.getMessage() +
-                        " \"in JCE provider " + cipher.getProvider().getName());
-                }
-            } else {
-                newLen = cipher.update(dup, bb);
-                if (newLen != len) {
-                    // catch BouncyCastle buffering error
-                    throw new RuntimeException("Cipher buffering error " +
-                        "in JCE provider " + cipher.getProvider().getName());
-                }
-            }
-
-            // reset the limit to the end of the decryted data
-            bb.limit(pos + newLen);
-
-            if (debug != null && Debug.isOn("plaintext")) {
-                try {
-                    HexDumpEncoder hd = new HexDumpEncoder();
-
-                    System.out.println(
-                        "Padded plaintext after DECRYPTION:  len = "
-                        + newLen);
-
-                    hd.encodeBuffer(
-                        bb.duplicate().position(pos), System.out);
-                } catch (IOException e) { }
-            }
-
-            /*
-             * Remove the block padding.
-             */
-            if (cipherType == BLOCK_CIPHER) {
-                int blockSize = cipher.getBlockSize();
-                bb.position(pos);
-                newLen = removePadding(bb, tagLen, blockSize, protocolVersion);
-
-                // check the explicit IV of TLS v1.1 or later
-                if (protocolVersion.useTLS11PlusSpec()) {
-                    if (newLen < blockSize) {
-                        throw new BadPaddingException("The length after " +
-                        "padding removal (" + newLen + ") should be larger " +
-                        "than <" + blockSize + "> since explicit IV used");
-                    }
-
-                    // reset the position to the end of the decrypted data
-                    bb.position(bb.limit());
-                }
-            }
-            return newLen;
-        } catch (ShortBufferException e) {
-            // unlikely to happen, we should have enough buffer space here
-            throw new ArrayIndexOutOfBoundsException(e.toString());
-        }
-    }
-
-    private static int addPadding(byte[] buf, int offset, int len,
-            int blockSize) {
-        int     newlen = len + 1;
-        byte    pad;
-        int     i;
-
-        if ((newlen % blockSize) != 0) {
-            newlen += blockSize - 1;
-            newlen -= newlen % blockSize;
-        }
-        pad = (byte) (newlen - len);
-
-        if (buf.length < (newlen + offset)) {
-            throw new IllegalArgumentException("no space to pad buffer");
-        }
-
-        /*
-         * TLS version of the padding works for both SSLv3 and TLSv1
-         */
-        for (i = 0, offset += len; i < pad; i++) {
-            buf [offset++] = (byte) (pad - 1);
-        }
-        return newlen;
-    }
-
-    /*
-     * Apply the padding to the buffer.
-     *
-     * Limit is advanced to the new buffer length.
-     * Position is equal to limit.
-     */
-    private static int addPadding(ByteBuffer bb, int blockSize) {
-
-        int     len = bb.remaining();
-        int     offset = bb.position();
-
-        int     newlen = len + 1;
-        byte    pad;
-        int     i;
-
-        if ((newlen % blockSize) != 0) {
-            newlen += blockSize - 1;
-            newlen -= newlen % blockSize;
-        }
-        pad = (byte) (newlen - len);
-
-        /*
-         * Update the limit to what will be padded.
-         */
-        bb.limit(newlen + offset);
-
-        /*
-         * TLS version of the padding works for both SSLv3 and TLSv1
-         */
-        for (i = 0, offset += len; i < pad; i++) {
-            bb.put(offset++, (byte) (pad - 1));
-        }
-
-        bb.position(offset);
-        bb.limit(offset);
-
-        return newlen;
-    }
-
-    /*
-     * A constant-time check of the padding.
-     *
-     * NOTE that we are checking both the padding and the padLen bytes here.
-     *
-     * The caller MUST ensure that the len parameter is a positive number.
-     */
-    private static int[] checkPadding(
-            byte[] buf, int offset, int len, byte pad) {
-
-        if (len <= 0) {
-            throw new RuntimeException("padding len must be positive");
-        }
-
-        // An array of hits is used to prevent Hotspot optimization for
-        // the purpose of a constant-time check.
-        int[] results = {0, 0};    // {missed #, matched #}
-        for (int i = 0; i <= 256;) {
-            for (int j = 0; j < len && i <= 256; j++, i++) {     // j <= i
-                if (buf[offset + j] != pad) {
-                    results[0]++;       // mismatched padding data
-                } else {
-                    results[1]++;       // matched padding data
-                }
-            }
-        }
-
-        return results;
-    }
-
-    /*
-     * A constant-time check of the padding.
-     *
-     * NOTE that we are checking both the padding and the padLen bytes here.
-     *
-     * The caller MUST ensure that the bb parameter has remaining.
-     */
-    private static int[] checkPadding(ByteBuffer bb, byte pad) {
-
-        if (!bb.hasRemaining()) {
-            throw new RuntimeException("hasRemaining() must be positive");
-        }
-
-        // An array of hits is used to prevent Hotspot optimization for
-        // the purpose of a constant-time check.
-        int[] results = {0, 0};    // {missed #, matched #}
-        bb.mark();
-        for (int i = 0; i <= 256; bb.reset()) {
-            for (; bb.hasRemaining() && i <= 256; i++) {
-                if (bb.get() != pad) {
-                    results[0]++;       // mismatched padding data
-                } else {
-                    results[1]++;       // matched padding data
-                }
-            }
-        }
-
-        return results;
-    }
-
-    /*
-     * Typical TLS padding format for a 64 bit block cipher is as follows:
-     *   xx xx xx xx xx xx xx 00
-     *   xx xx xx xx xx xx 01 01
-     *   ...
-     *   xx 06 06 06 06 06 06 06
-     *   07 07 07 07 07 07 07 07
-     * TLS also allows any amount of padding from 1 and 256 bytes as long
-     * as it makes the data a multiple of the block size
-     */
-    private static int removePadding(byte[] buf, int offset, int len,
-            int tagLen, int blockSize,
-            ProtocolVersion protocolVersion) throws BadPaddingException {
-
-        // last byte is length byte (i.e. actual padding length - 1)
-        int padOffset = offset + len - 1;
-        int padLen = buf[padOffset] & 0xFF;
-
-        int newLen = len - (padLen + 1);
-        if ((newLen - tagLen) < 0) {
-            // If the buffer is not long enough to contain the padding plus
-            // a MAC tag, do a dummy constant-time padding check.
-            //
-            // Note that it is a dummy check, so we won't care about what is
-            // the actual padding data.
-            checkPadding(buf, offset, len, (byte)(padLen & 0xFF));
-
-            throw new BadPaddingException("Invalid Padding length: " + padLen);
-        }
-
-        // The padding data should be filled with the padding length value.
-        int[] results = checkPadding(buf, offset + newLen,
-                        padLen + 1, (byte)(padLen & 0xFF));
-        if (protocolVersion.useTLS10PlusSpec()) {
-            if (results[0] != 0) {          // padding data has invalid bytes
-                throw new BadPaddingException("Invalid TLS padding data");
-            }
-        } else { // SSLv3
-            // SSLv3 requires 0 <= length byte < block size
-            // some implementations do 1 <= length byte <= block size,
-            // so accept that as well
-            // v3 does not require any particular value for the other bytes
-            if (padLen > blockSize) {
-                throw new BadPaddingException("Padding length (" +
-                padLen + ") of SSLv3 message should not be bigger " +
-                "than the block size (" + blockSize + ")");
-            }
-        }
-        return newLen;
-    }
-
-    /*
-     * Position/limit is equal the removed padding.
-     */
-    private static int removePadding(ByteBuffer bb,
-            int tagLen, int blockSize,
-            ProtocolVersion protocolVersion) throws BadPaddingException {
-
-        int len = bb.remaining();
-        int offset = bb.position();
-
-        // last byte is length byte (i.e. actual padding length - 1)
-        int padOffset = offset + len - 1;
-        int padLen = bb.get(padOffset) & 0xFF;
-
-        int newLen = len - (padLen + 1);
-        if ((newLen - tagLen) < 0) {
-            // If the buffer is not long enough to contain the padding plus
-            // a MAC tag, do a dummy constant-time padding check.
-            //
-            // Note that it is a dummy check, so we won't care about what is
-            // the actual padding data.
-            checkPadding(bb.duplicate(), (byte)(padLen & 0xFF));
-
-            throw new BadPaddingException("Invalid Padding length: " + padLen);
-        }
-
-        // The padding data should be filled with the padding length value.
-        int[] results = checkPadding(
-                bb.duplicate().position(offset + newLen),
-                (byte)(padLen & 0xFF));
-        if (protocolVersion.useTLS10PlusSpec()) {
-            if (results[0] != 0) {          // padding data has invalid bytes
-                throw new BadPaddingException("Invalid TLS padding data");
-            }
-        } else { // SSLv3
-            // SSLv3 requires 0 <= length byte < block size
-            // some implementations do 1 <= length byte <= block size,
-            // so accept that as well
-            // v3 does not require any particular value for the other bytes
-            if (padLen > blockSize) {
-                throw new BadPaddingException("Padding length (" +
-                padLen + ") of SSLv3 message should not be bigger " +
-                "than the block size (" + blockSize + ")");
-            }
-        }
-
-        /*
-         * Reset buffer limit to remove padding.
-         */
-        bb.position(offset + newLen);
-        bb.limit(offset + newLen);
-
-        return newLen;
-    }
-
-    /*
-     * Dispose of any intermediate state in the underlying cipher.
-     * For PKCS11 ciphers, this will release any attached sessions, and
-     * thus make finalization faster.
-     */
-    void dispose() {
-        try {
-            if (cipher != null) {
-                // ignore return value.
-                cipher.doFinal();
-            }
-        } catch (Exception e) {
-            // swallow all types of exceptions.
-        }
-    }
-
-    /*
-     * Does the cipher use CBC mode?
-     *
-     * @return true if the cipher use CBC mode, false otherwise.
-     */
-    boolean isCBCMode() {
-        return cipherType == BLOCK_CIPHER;
-    }
-
-    /*
-     * Does the cipher use AEAD mode?
-     *
-     * @return true if the cipher use AEAD mode, false otherwise.
-     */
-    boolean isAEADMode() {
-        return cipherType == AEAD_CIPHER;
-    }
-
-    /*
-     * Is the cipher null?
-     *
-     * @return true if the cipher is null, false otherwise.
-     */
-    boolean isNullCipher() {
-        return cipher == null;
-    }
-
-    /*
-     * Gets the explicit nonce/IV size of the cipher.
-     *
-     * The returned value is the SecurityParameters.record_iv_length in
-     * RFC 4346/5246.  It is the size of explicit IV for CBC mode, and the
-     * size of explicit nonce for AEAD mode.
-     *
-     * @return the explicit nonce size of the cipher.
-     */
-    int getExplicitNonceSize() {
-        switch (cipherType) {
-            case BLOCK_CIPHER:
-                // For block ciphers, the explicit IV length is of length
-                // SecurityParameters.record_iv_length, which is equal to
-                // the SecurityParameters.block_size.
-                if (protocolVersion.useTLS11PlusSpec()) {
-                    return cipher.getBlockSize();
-                }
-                break;
-            case AEAD_CIPHER:
-                return recordIvSize;
-                        // It is also the length of sequence number, which is
-                        // used as the nonce_explicit for AEAD cipher suites.
-        }
-
-        return 0;
-    }
-
-    /*
-     * Applies the explicit nonce/IV to this cipher. This method is used to
-     * decrypt an SSL/TLS input record.
-     *
-     * The returned value is the SecurityParameters.record_iv_length in
-     * RFC 4346/5246.  It is the size of explicit IV for CBC mode, and the
-     * size of explicit nonce for AEAD mode.
-     *
-     * @param  authenticator the authenticator to get the additional
-     *         authentication data
-     * @param  contentType the content type of the input record
-     * @param  bb the byte buffer to get the explicit nonce from
-     *
-     * @return the explicit nonce size of the cipher.
-     */
-    int applyExplicitNonce(Authenticator authenticator, byte contentType,
-            ByteBuffer bb, byte[] sequence) throws BadPaddingException {
-        switch (cipherType) {
-            case BLOCK_CIPHER:
-                // sanity check length of the ciphertext
-                int tagLen = (authenticator instanceof MAC) ?
-                                    ((MAC)authenticator).MAClen() : 0;
-                if (tagLen != 0) {
-                    if (!sanityCheck(tagLen, bb.remaining())) {
-                        throw new BadPaddingException(
-                                "ciphertext sanity check failed");
-                    }
-                }
-
-                // For block ciphers, the explicit IV length is of length
-                // SecurityParameters.record_iv_length, which is equal to
-                // the SecurityParameters.block_size.
-                if (protocolVersion.useTLS11PlusSpec()) {
-                    return cipher.getBlockSize();
-                }
-                break;
-            case AEAD_CIPHER:
-                if (bb.remaining() < (recordIvSize + tagSize)) {
-                    throw new BadPaddingException(
-                        "Insufficient buffer remaining for AEAD cipher " +
-                        "fragment (" + bb.remaining() + "). Needs to be " +
-                        "more than or equal to IV size (" + recordIvSize +
-                         ") + tag size (" + tagSize + ")");
-                }
-
-                // initialize the AEAD cipher for the unique IV
-                byte[] iv = Arrays.copyOf(fixedIv,
-                                    fixedIv.length + recordIvSize);
-                bb.get(iv, fixedIv.length, recordIvSize);
-                bb.position(bb.position() - recordIvSize);
-                GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv);
-                try {
-                    cipher.init(mode, key, spec, random);
-                } catch (InvalidKeyException |
-                            InvalidAlgorithmParameterException ikae) {
-                    // unlikely to happen
-                    throw new RuntimeException(
-                                "invalid key or spec in GCM mode", ikae);
-                }
-
-                // update the additional authentication data
-                byte[] aad = authenticator.acquireAuthenticationBytes(
-                        contentType, bb.remaining() - recordIvSize - tagSize,
-                        sequence);
-                cipher.updateAAD(aad);
-
-                return recordIvSize;
-                        // It is also the length of sequence number, which is
-                        // used as the nonce_explicit for AEAD cipher suites.
-        }
-
-       return 0;
-    }
-
-    /*
-     * Creates the explicit nonce/IV to this cipher. This method is used to
-     * encrypt an SSL/TLS output record.
-     *
-     * The size of the returned array is the SecurityParameters.record_iv_length
-     * in RFC 4346/5246.  It is the size of explicit IV for CBC mode, and the
-     * size of explicit nonce for AEAD mode.
-     *
-     * @param  authenticator the authenticator to get the additional
-     *         authentication data
-     * @param  contentType the content type of the input record
-     * @param  fragmentLength the fragment length of the output record, it is
-     *         the TLSCompressed.length in RFC 4346/5246.
-     *
-     * @return the explicit nonce of the cipher.
-     */
-    byte[] createExplicitNonce(Authenticator authenticator,
-            byte contentType, int fragmentLength) {
-
-        byte[] nonce = new byte[0];
-        switch (cipherType) {
-            case BLOCK_CIPHER:
-                if (protocolVersion.useTLS11PlusSpec()) {
-                    // For block ciphers, the explicit IV length is of length
-                    // SecurityParameters.record_iv_length, which is equal to
-                    // the SecurityParameters.block_size.
-                    //
-                    // Generate a random number as the explicit IV parameter.
-                    nonce = new byte[cipher.getBlockSize()];
-                    random.nextBytes(nonce);
-                }
-                break;
-            case AEAD_CIPHER:
-                // To be unique and aware of overflow-wrap, sequence number
-                // is used as the nonce_explicit of AEAD cipher suites.
-                nonce = authenticator.sequenceNumber();
-
-                // initialize the AEAD cipher for the unique IV
-                byte[] iv = Arrays.copyOf(fixedIv,
-                                            fixedIv.length + nonce.length);
-                System.arraycopy(nonce, 0, iv, fixedIv.length, nonce.length);
-                GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv);
-                try {
-                    cipher.init(mode, key, spec, random);
-                } catch (InvalidKeyException |
-                            InvalidAlgorithmParameterException ikae) {
-                    // unlikely to happen
-                    throw new RuntimeException(
-                                "invalid key or spec in GCM mode", ikae);
-                }
-
-                // Update the additional authentication data, using the
-                // implicit sequence number of the authenticator.
-                byte[] aad = authenticator.acquireAuthenticationBytes(
-                                        contentType, fragmentLength, null);
-                cipher.updateAAD(aad);
-                break;
-        }
-
-        return nonce;
-    }
-
-    // See also CipherSuite.calculatePacketSize().
-    int calculatePacketSize(int fragmentSize, int macLen, int headerSize) {
-        int packetSize = fragmentSize;
-        if (cipher != null) {
-            int blockSize = cipher.getBlockSize();
-            switch (cipherType) {
-                case BLOCK_CIPHER:
-                    packetSize += macLen;
-                    packetSize += 1;        // 1 byte padding length field
-                    packetSize +=           // use the minimal padding
-                            (blockSize - (packetSize % blockSize)) % blockSize;
-                    if (protocolVersion.useTLS11PlusSpec()) {
-                        packetSize += blockSize;        // explicit IV
-                    }
-
-                    break;
-                case AEAD_CIPHER:
-                    packetSize += recordIvSize;
-                    packetSize += tagSize;
-
-                    break;
-                default:    // NULL_CIPHER or STREAM_CIPHER
-                    packetSize += macLen;
-            }
-        }
-
-        return packetSize + headerSize;
-    }
-
-    // See also CipherSuite.calculateFragSize().
-    int calculateFragmentSize(int packetLimit, int macLen, int headerSize) {
-        int fragLen = packetLimit - headerSize;
-        if (cipher != null) {
-            int blockSize = cipher.getBlockSize();
-            switch (cipherType) {
-                case BLOCK_CIPHER:
-                    if (protocolVersion.useTLS11PlusSpec()) {
-                        fragLen -= blockSize;           // explicit IV
-                    }
-                    fragLen -= (fragLen % blockSize);   // cannot hold a block
-                    // No padding for a maximum fragment.
-                    fragLen -= 1;       // 1 byte padding length field: 0x00
-                    fragLen -= macLen;
-
-                    break;
-                case AEAD_CIPHER:
-                    fragLen -= recordIvSize;
-                    fragLen -= tagSize;
-
-                    break;
-                default:    // NULL_CIPHER or STREAM_CIPHER
-                    fragLen -= macLen;
-            }
-        }
-
-        return fragLen;
-    }
-
-    // Estimate the maximum fragment size of a received packet.
-    int estimateFragmentSize(int packetSize, int macLen, int headerSize) {
-        int fragLen = packetSize - headerSize;
-        if (cipher != null) {
-            int blockSize = cipher.getBlockSize();
-            switch (cipherType) {
-                case BLOCK_CIPHER:
-                    if (protocolVersion.useTLS11PlusSpec()) {
-                        fragLen -= blockSize;       // explicit IV
-                    }
-                    // No padding for a maximum fragment.
-                    fragLen -= 1;       // 1 byte padding length field: 0x00
-                    fragLen -= macLen;
-
-                    break;
-                case AEAD_CIPHER:
-                    fragLen -= recordIvSize;
-                    fragLen -= tagSize;
-
-                    break;
-                default:    // NULL_CIPHER or STREAM_CIPHER
-                    fragLen -= macLen;
-            }
-        }
-
-        return fragLen;
-    }
-
-    /**
-     * Sanity check the length of a fragment before decryption.
-     *
-     * In CBC mode, check that the fragment length is one or multiple times
-     * of the block size of the cipher suite, and is at least one (one is the
-     * smallest size of padding in CBC mode) bigger than the tag size of the
-     * MAC algorithm except the explicit IV size for TLS 1.1 or later.
-     *
-     * In non-CBC mode, check that the fragment length is not less than the
-     * tag size of the MAC algorithm.
-     *
-     * @return true if the length of a fragment matches above requirements
-     */
-    private boolean sanityCheck(int tagLen, int fragmentLen) {
-        if (!isCBCMode()) {
-            return fragmentLen >= tagLen;
-        }
-
-        int blockSize = cipher.getBlockSize();
-        if ((fragmentLen % blockSize) == 0) {
-            int minimal = tagLen + 1;
-            minimal = (minimal >= blockSize) ? minimal : blockSize;
-            if (protocolVersion.useTLS11PlusSpec()) {
-                minimal += blockSize;   // plus the size of the explicit IV
-            }
-
-            return (fragmentLen >= minimal);
-        }
-
-        return false;
-    }
-
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLCipher.java	2018-05-11 15:09:48.470437000 -0700
@@ -0,0 +1,2356 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.nio.ByteBuffer;
+import java.security.AccessController;
+import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.PrivilegedAction;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.AbstractMap.SimpleImmutableEntry;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.SecretKey;
+import javax.crypto.ShortBufferException;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.IvParameterSpec;
+import sun.security.ssl.Authenticator.MAC;
+import static sun.security.ssl.CipherType.*;
+import static sun.security.ssl.JsseJce.*;
+
+enum SSLCipher {
+    // exportable ciphers
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_NULL("NULL", NULL_CIPHER, 0, 0, 0, 0, true, true,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new NullReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_NONE
+            ),
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new NullReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_13
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new NullWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_NONE
+            ),
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new NullWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_RC4_40(CIPHER_RC4, STREAM_CIPHER, 5, 16, 0, 0, true, true,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new StreamReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new StreamWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_RC2_40("RC2", BLOCK_CIPHER, 5, 16, 8, 0, false, true,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new StreamReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new StreamWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_DES_40(CIPHER_DES,  BLOCK_CIPHER, 5, 8, 8, 0, true, true,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T10BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T10BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            )
+        })),
+
+    // domestic strength ciphers
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_RC4_128(CIPHER_RC4, STREAM_CIPHER, 16, 16, 0, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new StreamReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new StreamWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_DES(CIPHER_DES, BLOCK_CIPHER, 8, 8, 8, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T10BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T11BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_11
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T10BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T11BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_11
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_3DES(CIPHER_3DES, BLOCK_CIPHER, 24, 24, 8, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T10BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T11BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_11_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T10BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T11BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_11_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_IDEA("IDEA", BLOCK_CIPHER, 16, 16, 8, 0, false, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                null,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                null,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_AES_128(CIPHER_AES, BLOCK_CIPHER, 16, 16, 16, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T10BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T11BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_11_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T10BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T11BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_11_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_AES_256(CIPHER_AES, BLOCK_CIPHER, 32, 32, 16, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T10BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T11BlockReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_11_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T10BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_TO_10
+            ),
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T11BlockWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_11_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_AES_128_GCM(CIPHER_AES_GCM, AEAD_CIPHER, 16, 16, 12, 4, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T12GcmReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T12GcmWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_AES_256_GCM(CIPHER_AES_GCM, AEAD_CIPHER, 32, 32, 12, 4, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T12GcmReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_12
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T12GcmWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_AES_128_GCM_IV(CIPHER_AES_GCM, AEAD_CIPHER, 16, 16, 12, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T13GcmReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T13GcmWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    B_AES_256_GCM_IV(CIPHER_AES_GCM, AEAD_CIPHER, 32, 32, 12, 0, true, false,
+        (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<ReadCipherGenerator, ProtocolVersion[]>(
+                new T13GcmReadCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<WriteCipherGenerator, ProtocolVersion[]>(
+                new T13GcmWriteCipherGenerator(),
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }));
+
+    // descriptive name including key size, e.g. AES/128
+    final String description;
+
+    // JCE cipher transformation string, e.g. AES/CBC/NoPadding
+    final String transformation;
+
+    // algorithm name, e.g. AES
+    final String algorithm;
+
+    // supported and compile time enabled. Also see isAvailable()
+    final boolean allowed;
+
+    // number of bytes of entropy in the key
+    final int keySize;
+
+    // length of the actual cipher key in bytes.
+    // for non-exportable ciphers, this is the same as keySize
+    final int expandedKeySize;
+
+    // size of the IV
+    final int ivSize;
+
+    // size of fixed IV
+    //
+    // record_iv_length = ivSize - fixedIvSize
+    final int fixedIvSize;
+
+    // exportable under 512/40 bit rules
+    final boolean exportable;
+
+    // Is the cipher algorithm of Cipher Block Chaining (CBC) mode?
+    final CipherType cipherType;
+
+    // size of the authentication tag, only applicable to cipher suites in
+    // Galois Counter Mode (GCM)
+    //
+    // As far as we know, all supported GCM cipher suites use 128-bits
+    // authentication tags.
+    final int tagSize = 16;
+
+    // runtime availability
+    private final boolean isAvailable;
+
+    private final Map.Entry<ReadCipherGenerator,
+            ProtocolVersion[]>[] readCipherGenerators;
+    private final Map.Entry<WriteCipherGenerator,
+            ProtocolVersion[]>[] writeCipherGenerators;
+
+    // Map of Ciphers listed in jdk.tls.KeyLimit
+    private static final HashMap<String, Long> cipherLimits = new HashMap<>();
+
+    // Keywords found on the jdk.tls.KeyLimit security property.
+    final static String tag[] = {"KEYUPDATE"};
+
+    static  {
+        final long max = 4611686018427387904L; // 2^62
+        String prop = AccessController.doPrivileged(
+                new PrivilegedAction<String>() {
+            @Override
+            public String run() {
+                return Security.getProperty("jdk.tls.keyLimits");
+            }
+        });
+
+        if (prop != null) {
+            String propvalue[] = prop.split(",");
+
+            for (String entry : propvalue) {
+                int index;
+                // If this is not a UsageLimit, goto to next entry.
+                String values[] = entry.trim().toUpperCase().split(" ");
+
+                if (values[1].contains(tag[0])) {
+                    index = 0;
+                } else {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                        SSLLogger.fine("jdk.net.keyLimits:  Unknown action:  " +
+                                entry);
+                    }
+                    continue;
+                }
+
+                long size;
+                int i = values[2].indexOf("^");
+                try {
+                    if (i >= 0) {
+                        size = (long) Math.pow(2,
+                                Integer.parseInt(values[2].substring(i + 1)));
+                    } else {
+                        size = Long.parseLong(values[2]);
+                    }
+                    if (size < 1 || size > max) {
+                        throw new NumberFormatException("Length exceeded limits");
+                    }
+                } catch (NumberFormatException e) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                        SSLLogger.fine("jdk.net.keyLimits:  " + e.getMessage() +
+                                ":  " +  entry);
+                    }
+                    continue;
+                }
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine("jdk.net.keyLimits:  entry = " + entry +
+                            ". " + values[0] + ":" + tag[index] + " = " + size);
+                }
+                cipherLimits.put(values[0] + ":" + tag[index], size);
+            }
+        }
+    }
+
+    private SSLCipher(String transformation,
+            CipherType cipherType, int keySize,
+            int expandedKeySize, int ivSize,
+            int fixedIvSize, boolean allowed, boolean exportable,
+            Map.Entry<ReadCipherGenerator,
+                    ProtocolVersion[]>[] readCipherGenerators,
+            Map.Entry<WriteCipherGenerator,
+                    ProtocolVersion[]>[] writeCipherGenerators) {
+        this.transformation = transformation;
+        String[] splits = transformation.split("/");
+        this.algorithm = splits[0];
+        this.cipherType = cipherType;
+        this.description = this.algorithm + "/" + (keySize << 3);
+        this.keySize = keySize;
+        this.ivSize = ivSize;
+        this.fixedIvSize = fixedIvSize;
+        this.allowed = allowed;
+
+        this.expandedKeySize = expandedKeySize;
+        this.exportable = exportable;
+
+        // availability of this bulk cipher
+        //
+        // We assume all supported ciphers are always available since they are
+        // shipped with the SunJCE  provider.  However, AES/256 is unavailable
+        // when the default JCE policy jurisdiction files are installed because
+        // of key length restrictions.
+        this.isAvailable =
+                allowed ? isUnlimited(keySize, transformation) : false;
+
+        this.readCipherGenerators = readCipherGenerators;
+        this.writeCipherGenerators = writeCipherGenerators;
+    }
+
+    SSLReadCipher createReadCipher(Authenticator authenticator,
+            ProtocolVersion protocolVersion,
+            SecretKey key, IvParameterSpec iv,
+            SecureRandom random) throws GeneralSecurityException {
+        if (readCipherGenerators.length == 0) {
+            return null;
+        }
+
+        ReadCipherGenerator rcg = null;
+        for (Map.Entry<ReadCipherGenerator,
+                ProtocolVersion[]> me : readCipherGenerators) {
+            for (ProtocolVersion pv : me.getValue()) {
+                if (protocolVersion == pv) {
+                    rcg = me.getKey();
+                }
+            }
+        }
+
+        if (rcg != null) {
+            return rcg.createCipher(this, authenticator,
+                    protocolVersion, transformation, key, iv, random);
+        }
+        return null;
+    }
+
+    SSLWriteCipher createWriteCipher(Authenticator authenticator,
+            ProtocolVersion protocolVersion,
+            SecretKey key, IvParameterSpec iv,
+            SecureRandom random) throws GeneralSecurityException {
+        if (readCipherGenerators.length == 0) {
+            return null;
+        }
+
+        WriteCipherGenerator rcg = null;
+        for (Map.Entry<WriteCipherGenerator,
+                ProtocolVersion[]> me : writeCipherGenerators) {
+            for (ProtocolVersion pv : me.getValue()) {
+                if (protocolVersion == pv) {
+                    rcg = me.getKey();
+                }
+            }
+        }
+
+        if (rcg != null) {
+            return rcg.createCipher(this, authenticator,
+                    protocolVersion, transformation, key, iv, random);
+        }
+        return null;
+    }
+
+    public static final String getDefaultType() {
+        String prop = AccessController.doPrivileged(
+                new PrivilegedAction<String>() {
+            @Override
+            public String run() {
+                return Security.getProperty("jdk.tls.KeyLimits");
+            }
+        });
+        return prop;
+    }
+
+    /**
+     * Test if this bulk cipher is available. For use by CipherSuite.
+     */
+    boolean isAvailable() {
+        return this.isAvailable;
+    }
+
+    private static boolean isUnlimited(int keySize, String transformation) {
+        int keySizeInBits = keySize * 8;
+        if (keySizeInBits > 128) {    // need the JCE unlimited
+                                      // strength jurisdiction policy
+            try {
+                if (Cipher.getMaxAllowedKeyLength(
+                        transformation) < keySizeInBits) {
+                    return false;
+                }
+            } catch (Exception e) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    @Override
+    public String toString() {
+        return description;
+    }
+
+    interface ReadCipherGenerator {
+        SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException;
+    }
+
+    abstract static class SSLReadCipher {
+        final Authenticator authenticator;
+        final ProtocolVersion protocolVersion;
+        SecretKey baseSecret;
+
+        SSLReadCipher(Authenticator authenticator,
+                ProtocolVersion protocolVersion) {
+            this.authenticator = authenticator;
+            this.protocolVersion = protocolVersion;
+        }
+
+        static final SSLReadCipher nullTlsReadCipher() {
+            try {
+                return B_NULL.createReadCipher(
+                        Authenticator.nullTlsMac(),
+                        ProtocolVersion.NONE, null, null, null);
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                throw new RuntimeException("Cannot create NULL SSLCipher", gse);
+            }
+        }
+
+        static final SSLReadCipher nullDTlsReadCipher() {
+            try {
+                return B_NULL.createReadCipher(
+                        Authenticator.nullDtlsMac(),
+                        ProtocolVersion.NONE, null, null, null);
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                throw new RuntimeException("Cannot create NULL SSLCipher", gse);
+            }
+        }
+
+        abstract Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException;
+
+        void dispose() {
+            // blank
+        }
+
+        abstract int estimateFragmentSize(int packetSize, int headerSize);
+
+        boolean isNullCipher() {
+            return false;
+        }
+    }
+
+    interface WriteCipherGenerator {
+        SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException;
+    }
+
+    abstract static class SSLWriteCipher {
+        final Authenticator authenticator;
+        final ProtocolVersion protocolVersion;
+        boolean keyLimitEnabled = false;
+        long keyLimitCountdown = 0;
+        SecretKey baseSecret;
+
+        SSLWriteCipher(Authenticator authenticator,
+                ProtocolVersion protocolVersion) {
+            this.authenticator = authenticator;
+            this.protocolVersion = protocolVersion;
+        }
+
+        abstract int encrypt(byte contentType, ByteBuffer bb);
+
+        static final SSLWriteCipher nullTlsWriteCipher() {
+            try {
+                return B_NULL.createWriteCipher(
+                        Authenticator.nullTlsMac(),
+                        ProtocolVersion.NONE, null, null, null);
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                throw new RuntimeException(
+                        "Cannot create NULL SSL write Cipher", gse);
+            }
+        }
+
+        static final SSLWriteCipher nullDTlsWriteCipher() {
+            try {
+                return B_NULL.createWriteCipher(
+                        Authenticator.nullDtlsMac(),
+                        ProtocolVersion.NONE, null, null, null);
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                throw new RuntimeException(
+                        "Cannot create NULL SSL write Cipher", gse);
+            }
+        }
+
+        void dispose() {
+            // blank
+        }
+
+        abstract int getExplicitNonceSize();
+        abstract int calculateFragmentSize(int packetLimit, int headerSize);
+        abstract int calculatePacketSize(int fragmentSize, int headerSize);
+
+        boolean isCBCMode() {
+            return false;
+        }
+
+        boolean isNullCipher() {
+            return false;
+        }
+
+        /**
+         * Check if processed bytes have reached the key usage limit.
+         * If key usage limit is not be monitored, return false.
+         */
+        public boolean atKeyLimit() {
+            if (keyLimitCountdown >= 0) {
+                return false;
+            }
+
+            // Turn off limit checking as KeyUpdate will be occurring
+            keyLimitEnabled = false;
+            return true;
+        }
+    }
+
+    private static final
+            class NullReadCipherGenerator implements ReadCipherGenerator {
+        @Override
+        public SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new NullReadCipher(authenticator, protocolVersion);
+        }
+
+        static final class NullReadCipher extends SSLReadCipher {
+            NullReadCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion) {
+                super(authenticator, protocolVersion);
+            }
+
+            @Override
+            public Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException {
+                MAC signer = (MAC)authenticator;
+                if (signer.macAlg().size != 0) {
+                    checkStreamMac(signer, bb, contentType, sequence);
+                } else {
+                    authenticator.increaseSequenceNumber();
+                }
+
+                return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+            }
+
+            @Override
+            int estimateFragmentSize(int packetSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                return packetSize - headerSize - macLen;
+            }
+
+            @Override
+            boolean isNullCipher() {
+                return true;
+            }
+        }
+    }
+
+    private static final
+            class NullWriteCipherGenerator implements WriteCipherGenerator {
+        @Override
+        public SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new NullWriteCipher(authenticator, protocolVersion);
+        }
+
+        static final class NullWriteCipher extends SSLWriteCipher {
+            NullWriteCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion) {
+                super(authenticator, protocolVersion);
+            }
+
+            @Override
+            public int encrypt(byte contentType, ByteBuffer bb) {
+                // add message authentication code
+                MAC signer = (MAC)authenticator;
+                if (signer.macAlg().size != 0) {
+                    addMac(signer, bb, contentType);
+                } else {
+                    authenticator.increaseSequenceNumber();
+                }
+
+                int len = bb.remaining();
+                bb.position(bb.limit());
+                return len;
+            }
+
+
+            @Override
+            int getExplicitNonceSize() {
+                return 0;
+            }
+
+            @Override
+            int calculateFragmentSize(int packetLimit, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                return packetLimit - headerSize - macLen;
+            }
+
+            @Override
+            int calculatePacketSize(int fragmentSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                return fragmentSize + headerSize + macLen;
+            }
+
+            @Override
+            boolean isNullCipher() {
+                return true;
+            }
+        }
+    }
+
+    private static final
+            class StreamReadCipherGenerator implements ReadCipherGenerator {
+        @Override
+        public SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new StreamReadCipher(authenticator, protocolVersion,
+                    algorithm, key, params, random);
+        }
+
+        static final class StreamReadCipher extends SSLReadCipher {
+            private final Cipher cipher;
+
+            StreamReadCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                cipher.init(Cipher.DECRYPT_MODE, key, params, random);
+            }
+
+            @Override
+            public Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException {
+                int len = bb.remaining();
+                int pos = bb.position();
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    if (len != cipher.update(dup, bb)) {
+                        // catch BouncyCastle buffering error
+                        throw new RuntimeException(
+                                "Unexpected number of plaintext bytes");
+                    }
+                    if (bb.position() != dup.position()) {
+                        throw new RuntimeException(
+                                "Unexpected Bytebuffer position");
+                    }
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+                bb.position(pos);
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Plaintext after DECRYPTION", bb.duplicate());
+                }
+
+                MAC signer = (MAC)authenticator;
+                if (signer.macAlg().size != 0) {
+                    checkStreamMac(signer, bb, contentType, sequence);
+                } else {
+                    authenticator.increaseSequenceNumber();
+                }
+
+                return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int estimateFragmentSize(int packetSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                return packetSize - headerSize - macLen;
+            }
+        }
+    }
+
+    private static final
+            class StreamWriteCipherGenerator implements WriteCipherGenerator {
+        @Override
+        public SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new StreamWriteCipher(authenticator,
+                    protocolVersion, algorithm, key, params, random);
+        }
+
+        static final class StreamWriteCipher extends SSLWriteCipher {
+            private final Cipher cipher;
+
+            StreamWriteCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
+            }
+
+            @Override
+            public int encrypt(byte contentType, ByteBuffer bb) {
+                // add message authentication code
+                MAC signer = (MAC)authenticator;
+                if (signer.macAlg().size != 0) {
+                    addMac(signer, bb, contentType);
+                } else {
+                    authenticator.increaseSequenceNumber();
+                }
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.finest(
+                        "Padded plaintext before ENCRYPTION", bb.duplicate());
+                }
+
+                int len = bb.remaining();
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    if (len != cipher.update(dup, bb)) {
+                        // catch BouncyCastle buffering error
+                        throw new RuntimeException(
+                                "Unexpected number of plaintext bytes");
+                    }
+                    if (bb.position() != dup.position()) {
+                        throw new RuntimeException(
+                                "Unexpected Bytebuffer position");
+                    }
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+
+                return len;
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int getExplicitNonceSize() {
+                return 0;
+            }
+
+            @Override
+            int calculateFragmentSize(int packetLimit, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                return packetLimit - headerSize - macLen;
+            }
+
+            @Override
+            int calculatePacketSize(int fragmentSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                return fragmentSize + headerSize + macLen;
+            }
+        }
+    }
+
+    private static final
+            class T10BlockReadCipherGenerator implements ReadCipherGenerator {
+        @Override
+        public SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new BlockReadCipher(authenticator,
+                    protocolVersion, algorithm, key, params, random);
+        }
+
+        static final class BlockReadCipher extends SSLReadCipher {
+            private final Cipher cipher;
+
+            BlockReadCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                cipher.init(Cipher.DECRYPT_MODE, key, params, random);
+            }
+
+            @Override
+            public Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException {
+                BadPaddingException reservedBPE = null;
+
+                // sanity check length of the ciphertext
+                MAC signer = (MAC)authenticator;
+                int cipheredLength = bb.remaining();
+                int tagLen = signer.macAlg().size;
+                if (tagLen != 0) {
+                    if (!sanityCheck(tagLen, bb.remaining())) {
+                        reservedBPE = new BadPaddingException(
+                                "ciphertext sanity check failed");
+                    }
+                }
+                // decryption
+                int len = bb.remaining();
+                int pos = bb.position();
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    if (len != cipher.update(dup, bb)) {
+                        // catch BouncyCastle buffering error
+                        throw new RuntimeException(
+                                "Unexpected number of plaintext bytes");
+                    }
+
+                    if (bb.position() != dup.position()) {
+                        throw new RuntimeException(
+                                "Unexpected Bytebuffer position");
+                    }
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Padded plaintext after DECRYPTION",
+                            bb.duplicate().position(pos));
+                }
+
+                // remove the block padding
+                int blockSize = cipher.getBlockSize();
+                bb.position(pos);
+                try {
+                    removePadding(bb, tagLen, blockSize, protocolVersion);
+                } catch (BadPaddingException bpe) {
+                    if (reservedBPE == null) {
+                        reservedBPE = bpe;
+                    }
+                }
+
+                // Requires message authentication code for null, stream and
+                // block cipher suites.
+                try {
+                    if (tagLen != 0) {
+                        checkCBCMac(signer, bb,
+                                contentType, cipheredLength, sequence);
+                    } else {
+                        authenticator.increaseSequenceNumber();
+                    }
+                } catch (BadPaddingException bpe) {
+                    if (reservedBPE == null) {
+                        reservedBPE = bpe;
+                    }
+                }
+
+                // Is it a failover?
+                if (reservedBPE != null) {
+                    throw reservedBPE;
+                }
+
+                return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int estimateFragmentSize(int packetSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+
+                // No padding for a maximum fragment.
+                //
+                // 1 byte padding length field: 0x00
+                return packetSize - headerSize - macLen - 1;
+            }
+
+            /**
+             * Sanity check the length of a fragment before decryption.
+             *
+             * In CBC mode, check that the fragment length is one or multiple
+             * times of the block size of the cipher suite, and is at least
+             * one (one is the smallest size of padding in CBC mode) bigger
+             * than the tag size of the MAC algorithm except the explicit IV
+             * size for TLS 1.1 or later.
+             *
+             * In non-CBC mode, check that the fragment length is not less than
+             * the tag size of the MAC algorithm.
+             *
+             * @return true if the length of a fragment matches above
+             *         requirements
+             */
+            private boolean sanityCheck(int tagLen, int fragmentLen) {
+                int blockSize = cipher.getBlockSize();
+                if ((fragmentLen % blockSize) == 0) {
+                    int minimal = tagLen + 1;
+                    minimal = (minimal >= blockSize) ? minimal : blockSize;
+
+                    return (fragmentLen >= minimal);
+                }
+
+                return false;
+            }
+        }
+    }
+
+    private static final
+            class T10BlockWriteCipherGenerator implements WriteCipherGenerator {
+        @Override
+        public SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new BlockWriteCipher(authenticator,
+                    protocolVersion, algorithm, key, params, random);
+        }
+
+        static final class BlockWriteCipher extends SSLWriteCipher {
+            private final Cipher cipher;
+
+            BlockWriteCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
+            }
+
+            @Override
+            public int encrypt(byte contentType, ByteBuffer bb) {
+                int pos = bb.position();
+
+                // add message authentication code
+                MAC signer = (MAC)authenticator;
+                if (signer.macAlg().size != 0) {
+                    addMac(signer, bb, contentType);
+                } else {
+                    authenticator.increaseSequenceNumber();
+                }
+
+                int blockSize = cipher.getBlockSize();
+                int len = addPadding(bb, blockSize);
+                bb.position(pos);
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Padded plaintext before ENCRYPTION",
+                            bb.duplicate());
+                }
+
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    if (len != cipher.update(dup, bb)) {
+                        // catch BouncyCastle buffering error
+                        throw new RuntimeException(
+                                "Unexpected number of plaintext bytes");
+                    }
+
+                    if (bb.position() != dup.position()) {
+                        throw new RuntimeException(
+                                "Unexpected Bytebuffer position");
+                    }
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+
+                return len;
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int getExplicitNonceSize() {
+                return 0;
+            }
+
+            @Override
+            int calculateFragmentSize(int packetLimit, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                int blockSize = cipher.getBlockSize();
+                int fragLen = packetLimit - headerSize;
+                fragLen -= (fragLen % blockSize);   // cannot hold a block
+                // No padding for a maximum fragment.
+                fragLen -= 1;       // 1 byte padding length field: 0x00
+                fragLen -= macLen;
+                return fragLen;
+            }
+
+            @Override
+            int calculatePacketSize(int fragmentSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                int blockSize = cipher.getBlockSize();
+                int paddedLen = fragmentSize + macLen + 1;
+                if ((paddedLen % blockSize)  != 0) {
+                    paddedLen += blockSize - 1;
+                    paddedLen -= paddedLen % blockSize;
+                }
+
+                return headerSize + paddedLen;
+            }
+
+            @Override
+            boolean isCBCMode() {
+                return true;
+            }
+        }
+    }
+
+    // For TLS 1.1 and 1.2
+    private static final
+            class T11BlockReadCipherGenerator implements ReadCipherGenerator {
+        @Override
+        public SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator, ProtocolVersion protocolVersion,
+                String algorithm, Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new BlockReadCipher(authenticator, protocolVersion,
+                    sslCipher, algorithm, key, params, random);
+        }
+
+        static final class BlockReadCipher extends SSLReadCipher {
+            private final Cipher cipher;
+
+            BlockReadCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion,
+                    SSLCipher sslCipher, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                if (params == null) {
+                    params = new IvParameterSpec(new byte[sslCipher.ivSize]);
+                }
+                cipher.init(Cipher.DECRYPT_MODE, key, params, random);
+            }
+
+            @Override
+            public Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException {
+                BadPaddingException reservedBPE = null;
+
+                // sanity check length of the ciphertext
+                MAC signer = (MAC)authenticator;
+                int cipheredLength = bb.remaining();
+                int tagLen = signer.macAlg().size;
+                if (tagLen != 0) {
+                    if (!sanityCheck(tagLen, bb.remaining())) {
+                        reservedBPE = new BadPaddingException(
+                                "ciphertext sanity check failed");
+                    }
+                }
+
+                // decryption
+                int len = bb.remaining();
+                int pos = bb.position();
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    if (len != cipher.update(dup, bb)) {
+                        // catch BouncyCastle buffering error
+                        throw new RuntimeException(
+                                "Unexpected number of plaintext bytes");
+                    }
+
+                    if (bb.position() != dup.position()) {
+                        throw new RuntimeException(
+                                "Unexpected Bytebuffer position");
+                    }
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Padded plaintext after DECRYPTION",
+                            bb.duplicate().position(pos));
+                }
+
+                // Ignore the explicit nonce.
+                bb.position(pos + cipher.getBlockSize());
+                pos = bb.position();
+
+                // remove the block padding
+                int blockSize = cipher.getBlockSize();
+                bb.position(pos);
+                try {
+                    removePadding(bb, tagLen, blockSize, protocolVersion);
+                } catch (BadPaddingException bpe) {
+                    if (reservedBPE == null) {
+                        reservedBPE = bpe;
+                    }
+                }
+
+                // Requires message authentication code for null, stream and
+                // block cipher suites.
+                try {
+                    if (tagLen != 0) {
+                        checkCBCMac(signer, bb,
+                                contentType, cipheredLength, sequence);
+                    } else {
+                        authenticator.increaseSequenceNumber();
+                    }
+                } catch (BadPaddingException bpe) {
+                    if (reservedBPE == null) {
+                        reservedBPE = bpe;
+                    }
+                }
+
+                // Is it a failover?
+                if (reservedBPE != null) {
+                    throw reservedBPE;
+                }
+
+                return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int estimateFragmentSize(int packetSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+
+                // No padding for a maximum fragment.
+                //
+                // 1 byte padding length field: 0x00
+                int nonceSize = cipher.getBlockSize();
+                return packetSize - headerSize - nonceSize - macLen - 1;
+            }
+
+            /**
+             * Sanity check the length of a fragment before decryption.
+             *
+             * In CBC mode, check that the fragment length is one or multiple
+             * times of the block size of the cipher suite, and is at least
+             * one (one is the smallest size of padding in CBC mode) bigger
+             * than the tag size of the MAC algorithm except the explicit IV
+             * size for TLS 1.1 or later.
+             *
+             * In non-CBC mode, check that the fragment length is not less than
+             * the tag size of the MAC algorithm.
+             *
+             * @return true if the length of a fragment matches above
+             *         requirements
+             */
+            private boolean sanityCheck(int tagLen, int fragmentLen) {
+                int blockSize = cipher.getBlockSize();
+                if ((fragmentLen % blockSize) == 0) {
+                    int minimal = tagLen + 1;
+                    minimal = (minimal >= blockSize) ? minimal : blockSize;
+                    minimal += blockSize;
+
+                    return (fragmentLen >= minimal);
+                }
+
+                return false;
+            }
+        }
+    }
+
+    // For TLS 1.1 and 1.2
+    private static final
+            class T11BlockWriteCipherGenerator implements WriteCipherGenerator {
+        @Override
+        public SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator, ProtocolVersion protocolVersion,
+                String algorithm, Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new BlockWriteCipher(authenticator, protocolVersion,
+                    sslCipher, algorithm, key, params, random);
+        }
+
+        static final class BlockWriteCipher extends SSLWriteCipher {
+            private final Cipher cipher;
+            private final SecureRandom random;
+
+            BlockWriteCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion,
+                    SSLCipher sslCipher, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                this.random = random;
+                if (params == null) {
+                    params = new IvParameterSpec(new byte[sslCipher.ivSize]);
+                }
+                cipher.init(Cipher.ENCRYPT_MODE, key, params, random);
+            }
+
+            @Override
+            public int encrypt(byte contentType, ByteBuffer bb) {
+                // To be unique and aware of overflow-wrap, sequence number
+                // is used as the nonce_explicit of block cipher suites.
+                int pos = bb.position();
+
+                // add message authentication code
+                MAC signer = (MAC)authenticator;
+                if (signer.macAlg().size != 0) {
+                    addMac(signer, bb, contentType);
+                } else {
+                    authenticator.increaseSequenceNumber();
+                }
+
+                // DON'T WORRY, the nonce spaces are considered already.
+                byte[] nonce = new byte[cipher.getBlockSize()];
+                random.nextBytes(nonce);
+                pos = pos - nonce.length;
+                bb.position(pos);
+                bb.put(nonce);
+                bb.position(pos);
+
+                int blockSize = cipher.getBlockSize();
+                int len = addPadding(bb, blockSize);
+                bb.position(pos);
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Padded plaintext before ENCRYPTION",
+                            bb.duplicate());
+                }
+
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    if (len != cipher.update(dup, bb)) {
+                        // catch BouncyCastle buffering error
+                        throw new RuntimeException(
+                                "Unexpected number of plaintext bytes");
+                    }
+
+                    if (bb.position() != dup.position()) {
+                        throw new RuntimeException(
+                                "Unexpected Bytebuffer position");
+                    }
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+
+                return len;
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int getExplicitNonceSize() {
+                return cipher.getBlockSize();
+            }
+
+            @Override
+            int calculateFragmentSize(int packetLimit, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                int blockSize = cipher.getBlockSize();
+                int fragLen = packetLimit - headerSize - blockSize;
+                fragLen -= (fragLen % blockSize);   // cannot hold a block
+                // No padding for a maximum fragment.
+                fragLen -= 1;       // 1 byte padding length field: 0x00
+                fragLen -= macLen;
+                return fragLen;
+            }
+
+            @Override
+            int calculatePacketSize(int fragmentSize, int headerSize) {
+                int macLen = ((MAC)authenticator).macAlg().size;
+                int blockSize = cipher.getBlockSize();
+                int paddedLen = fragmentSize + macLen + 1;
+                if ((paddedLen % blockSize)  != 0) {
+                    paddedLen += blockSize - 1;
+                    paddedLen -= paddedLen % blockSize;
+                }
+
+                return headerSize + blockSize + paddedLen;
+            }
+
+            @Override
+            boolean isCBCMode() {
+                return true;
+            }
+        }
+    }
+
+    private static final
+            class T12GcmReadCipherGenerator implements ReadCipherGenerator {
+        @Override
+        public SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new GcmReadCipher(authenticator, protocolVersion, sslCipher,
+                    algorithm, key, params, random);
+        }
+
+        static final class GcmReadCipher extends SSLReadCipher {
+            private final Cipher cipher;
+            private final int tagSize;
+            private final Key key;
+            private final byte[] fixedIv;
+            private final int recordIvSize;
+            private final SecureRandom random;
+
+            GcmReadCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion,
+                    SSLCipher sslCipher, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                this.tagSize = sslCipher.tagSize;
+                this.key = key;
+                this.fixedIv = ((IvParameterSpec)params).getIV();
+                this.recordIvSize = sslCipher.ivSize - sslCipher.fixedIvSize;
+                this.random = random;
+
+                // DON'T initialize the cipher for AEAD!
+            }
+
+            @Override
+            public Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException {
+                if (bb.remaining() < (recordIvSize + tagSize)) {
+                    throw new BadPaddingException(
+                        "Insufficient buffer remaining for AEAD cipher " +
+                        "fragment (" + bb.remaining() + "). Needs to be " +
+                        "more than or equal to IV size (" + recordIvSize +
+                         ") + tag size (" + tagSize + ")");
+                }
+
+                // initialize the AEAD cipher for the unique IV
+                byte[] iv = Arrays.copyOf(fixedIv,
+                                    fixedIv.length + recordIvSize);
+                bb.get(iv, fixedIv.length, recordIvSize);
+                GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv);
+                try {
+                    cipher.init(Cipher.DECRYPT_MODE, key, spec, random);
+                } catch (InvalidKeyException |
+                            InvalidAlgorithmParameterException ikae) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                                "invalid key or spec in GCM mode", ikae);
+                }
+
+                // update the additional authentication data
+                byte[] aad = authenticator.acquireAuthenticationBytes(
+                        contentType, bb.remaining() - tagSize,
+                        sequence);
+                cipher.updateAAD(aad);
+
+                // DON'T decrypt the nonce_explicit for AEAD mode. The buffer
+                // position has moved out of the nonce_explicit range.
+                int len = bb.remaining();
+                int pos = bb.position();
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    len = cipher.doFinal(dup, bb);
+                } catch (IllegalBlockSizeException ibse) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                        "Cipher error in AEAD mode \"" + ibse.getMessage() +
+                        " \"in JCE provider " + cipher.getProvider().getName());
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+                // reset the limit to the end of the decryted data
+                bb.position(pos);
+                bb.limit(pos + len);
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Plaintext after DECRYPTION", bb.duplicate());
+                }
+
+                return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int estimateFragmentSize(int packetSize, int headerSize) {
+                return packetSize - headerSize - recordIvSize - tagSize;
+            }
+        }
+    }
+
+    private static final
+            class T12GcmWriteCipherGenerator implements WriteCipherGenerator {
+        @Override
+        public SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator,
+                ProtocolVersion protocolVersion, String algorithm,
+                Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new GcmWriteCipher(authenticator, protocolVersion, sslCipher,
+                    algorithm, key, params, random);
+        }
+
+        private static final class GcmWriteCipher extends SSLWriteCipher {
+            private final Cipher cipher;
+            private final int tagSize;
+            private final Key key;
+            private final byte[] fixedIv;
+            private final int recordIvSize;
+            private final SecureRandom random;
+
+            GcmWriteCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion,
+                    SSLCipher sslCipher, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                this.tagSize = sslCipher.tagSize;
+                this.key = key;
+                this.fixedIv = ((IvParameterSpec)params).getIV();
+                this.recordIvSize = sslCipher.ivSize - sslCipher.fixedIvSize;
+                this.random = random;
+
+                // DON'T initialize the cipher for AEAD!
+            }
+
+            @Override
+            public int encrypt(byte contentType,
+                    ByteBuffer bb) {
+                // To be unique and aware of overflow-wrap, sequence number
+                // is used as the nonce_explicit of AEAD cipher suites.
+                byte[] nonce = authenticator.sequenceNumber();
+
+                // initialize the AEAD cipher for the unique IV
+                byte[] iv = Arrays.copyOf(fixedIv,
+                                            fixedIv.length + nonce.length);
+                System.arraycopy(nonce, 0, iv, fixedIv.length, nonce.length);
+
+                GCMParameterSpec spec = new GCMParameterSpec(tagSize * 8, iv);
+                try {
+                    cipher.init(Cipher.ENCRYPT_MODE, key, spec, random);
+                } catch (InvalidKeyException |
+                            InvalidAlgorithmParameterException ikae) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                                "invalid key or spec in GCM mode", ikae);
+                }
+
+                // Update the additional authentication data, using the
+                // implicit sequence number of the authenticator.
+                byte[] aad = authenticator.acquireAuthenticationBytes(
+                                        contentType, bb.remaining(), null);
+                cipher.updateAAD(aad);
+
+                // DON'T WORRY, the nonce spaces are considered already.
+                bb.position(bb.position() - nonce.length);
+                bb.put(nonce);
+
+                // DON'T encrypt the nonce for AEAD mode.
+                int len = bb.remaining();
+                int pos = bb.position();
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Plaintext before ENCRYPTION",
+                            bb.duplicate());
+                }
+
+                ByteBuffer dup = bb.duplicate();
+                int outputSize = cipher.getOutputSize(dup.remaining());
+                if (outputSize > bb.remaining()) {
+                    // Need to expand the limit of the output buffer for
+                    // the authentication tag.
+                    //
+                    // DON'T worry about the buffer's capacity, we have
+                    // reserved space for the authentication tag.
+                    bb.limit(pos + outputSize);
+                }
+
+                try {
+                    len = cipher.doFinal(dup, bb);
+                } catch (IllegalBlockSizeException |
+                            BadPaddingException | ShortBufferException ibse) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                            "Cipher error in AEAD mode in JCE provider " +
+                            cipher.getProvider().getName(), ibse);
+                }
+
+                if (len != outputSize) {
+                    throw new RuntimeException(
+                            "Cipher buffering error in JCE provider " +
+                            cipher.getProvider().getName());
+                }
+
+                return len + nonce.length;
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int getExplicitNonceSize() {
+                return recordIvSize;
+            }
+
+            @Override
+            int calculateFragmentSize(int packetLimit, int headerSize) {
+                return packetLimit - headerSize - recordIvSize - tagSize;
+            }
+
+            @Override
+            int calculatePacketSize(int fragmentSize, int headerSize) {
+                return fragmentSize + headerSize + recordIvSize + tagSize;
+            }
+        }
+    }
+
+    private static final
+            class T13GcmReadCipherGenerator implements ReadCipherGenerator {
+
+        @Override
+        public SSLReadCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator, ProtocolVersion protocolVersion,
+                String algorithm, Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new GcmReadCipher(authenticator, protocolVersion, sslCipher,
+                    algorithm, key, params, random);
+        }
+
+        static final class GcmReadCipher extends SSLReadCipher {
+            private final Cipher cipher;
+            private final int tagSize;
+            private final Key key;
+            private final byte[] iv;
+            private final SecureRandom random;
+
+            GcmReadCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion,
+                    SSLCipher sslCipher, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                this.tagSize = sslCipher.tagSize;
+                this.key = key;
+                this.iv = ((IvParameterSpec)params).getIV();
+                this.random = random;
+
+                // DON'T initialize the cipher for AEAD!
+            }
+
+            @Override
+            public Plaintext decrypt(byte contentType, ByteBuffer bb,
+                    byte[] sequence) throws GeneralSecurityException {
+                // An implementation may receive an unencrypted record of type
+                // change_cipher_spec consisting of the single byte value 0x01
+                // at any time after the first ClientHello message has been
+                // sent or received and before the peer's Finished message has
+                // been received and MUST simply drop it without further
+                // processing.
+                if (contentType == ContentType.CHANGE_CIPHER_SPEC.id) {
+                    return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+                }
+
+                if (bb.remaining() <= tagSize) {
+                    throw new BadPaddingException(
+                        "Insufficient buffer remaining for AEAD cipher " +
+                        "fragment (" + bb.remaining() + "). Needs to be " +
+                        "more than tag size (" + tagSize + ")");
+                }
+
+                byte[] sn = sequence;
+                if (sn == null) {
+                    sn = authenticator.sequenceNumber();
+                }
+                byte[] nonce = iv.clone();
+                int offset = nonce.length - sn.length;
+                for (int i = 0; i < sn.length; i++) {
+                    nonce[offset + i] ^= sn[i];
+                }
+
+                // initialize the AEAD cipher for the unique IV
+                GCMParameterSpec spec =
+                        new GCMParameterSpec(tagSize * 8, nonce);
+                try {
+                    cipher.init(Cipher.DECRYPT_MODE, key, spec, random);
+                } catch (InvalidKeyException |
+                            InvalidAlgorithmParameterException ikae) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                                "invalid key or spec in GCM mode", ikae);
+                }
+
+                // Update the additional authentication data, using the
+                // implicit sequence number of the authenticator.
+                byte[] aad = authenticator.acquireAuthenticationBytes(
+                                        contentType, bb.remaining(), sn);
+                cipher.updateAAD(aad);
+
+                int len = bb.remaining();
+                int pos = bb.position();
+                ByteBuffer dup = bb.duplicate();
+                try {
+                    len = cipher.doFinal(dup, bb);
+                } catch (IllegalBlockSizeException ibse) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                        "Cipher error in AEAD mode \"" + ibse.getMessage() +
+                        " \"in JCE provider " + cipher.getProvider().getName());
+                } catch (ShortBufferException sbe) {
+                    // catch BouncyCastle buffering error
+                    throw new RuntimeException("Cipher buffering error in " +
+                        "JCE provider " + cipher.getProvider().getName(), sbe);
+                }
+                // reset the limit to the end of the decryted data
+                bb.position(pos);
+                bb.limit(pos + len);
+
+                // remove inner plaintext padding
+                int i = bb.limit() - 1;
+                for (; i > 0 && bb.get(i) == 0; i--) {
+                    // blank
+                }
+                if (i < (pos + 1)) {
+                    throw new BadPaddingException(
+                            "Incorrect inner plaintext: no content type");
+                }
+                contentType = bb.get(i);
+                bb.limit(i);
+
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Plaintext after DECRYPTION", bb.duplicate());
+                }
+
+                return new Plaintext(contentType,
+                        ProtocolVersion.NONE.major, ProtocolVersion.NONE.minor,
+                        -1, -1L, bb.slice());
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int estimateFragmentSize(int packetSize, int headerSize) {
+                return packetSize - headerSize - tagSize;
+            }
+        }
+    }
+
+    private static final
+            class T13GcmWriteCipherGenerator implements WriteCipherGenerator {
+        @Override
+        public SSLWriteCipher createCipher(SSLCipher sslCipher,
+                Authenticator authenticator, ProtocolVersion protocolVersion,
+                String algorithm, Key key, AlgorithmParameterSpec params,
+                SecureRandom random) throws GeneralSecurityException {
+            return new GcmWriteCipher(authenticator, protocolVersion, sslCipher,
+                    algorithm, key, params, random);
+        }
+
+        private static final class GcmWriteCipher extends SSLWriteCipher {
+            private final Cipher cipher;
+            private final int tagSize;
+            private final Key key;
+            private final byte[] iv;
+            private final SecureRandom random;
+
+            GcmWriteCipher(Authenticator authenticator,
+                    ProtocolVersion protocolVersion,
+                    SSLCipher sslCipher, String algorithm,
+                    Key key, AlgorithmParameterSpec params,
+                    SecureRandom random) throws GeneralSecurityException {
+                super(authenticator, protocolVersion);
+                this.cipher = JsseJce.getCipher(algorithm);
+                this.tagSize = sslCipher.tagSize;
+                this.key = key;
+                this.iv = ((IvParameterSpec)params).getIV();
+                this.random = random;
+
+                keyLimitCountdown = cipherLimits.getOrDefault(
+                        algorithm.toUpperCase() + ":" + tag[0], 0L);
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine("algorithm = " + algorithm.toUpperCase() +
+                            ":" + tag[0] + "\ncountdown value = " +
+                            keyLimitCountdown);
+                }
+                if (keyLimitCountdown > 0) {
+                    keyLimitEnabled = true;
+                }
+
+                // DON'T initialize the cipher for AEAD!
+            }
+
+            @Override
+            public int encrypt(byte contentType,
+                    ByteBuffer bb) {
+                byte[] sn = authenticator.sequenceNumber();
+                byte[] nonce = iv.clone();
+                int offset = nonce.length - sn.length;
+                for (int i = 0; i < sn.length; i++) {
+                    nonce[offset + i] ^= sn[i];
+                }
+
+                // initialize the AEAD cipher for the unique IV
+                GCMParameterSpec spec =
+                        new GCMParameterSpec(tagSize * 8, nonce);
+                try {
+                    cipher.init(Cipher.ENCRYPT_MODE, key, spec, random);
+                } catch (InvalidKeyException |
+                            InvalidAlgorithmParameterException ikae) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                                "invalid key or spec in GCM mode", ikae);
+                }
+
+                // Update the additional authentication data, using the
+                // implicit sequence number of the authenticator.
+                int outputSize = cipher.getOutputSize(bb.remaining());
+                byte[] aad = authenticator.acquireAuthenticationBytes(
+                                        contentType, outputSize, sn);
+                cipher.updateAAD(aad);
+
+                int len = bb.remaining();
+                int pos = bb.position();
+                if (SSLLogger.isOn && SSLLogger.isOn("plaintext")) {
+                    SSLLogger.fine(
+                            "Plaintext before ENCRYPTION",
+                            bb.duplicate());
+                }
+
+                ByteBuffer dup = bb.duplicate();
+                if (outputSize > bb.remaining()) {
+                    // Need to expand the limit of the output buffer for
+                    // the authentication tag.
+                    //
+                    // DON'T worry about the buffer's capacity, we have
+                    // reserved space for the authentication tag.
+                    bb.limit(pos + outputSize);
+                }
+
+                try {
+                    len = cipher.doFinal(dup, bb);
+                } catch (IllegalBlockSizeException |
+                            BadPaddingException | ShortBufferException ibse) {
+                    // unlikely to happen
+                    throw new RuntimeException(
+                            "Cipher error in AEAD mode in JCE provider " +
+                            cipher.getProvider().getName(), ibse);
+                }
+
+                if (len != outputSize) {
+                    throw new RuntimeException(
+                            "Cipher buffering error in JCE provider " +
+                            cipher.getProvider().getName());
+                }
+
+                if (keyLimitEnabled) {
+                    keyLimitCountdown -= len;
+                }
+                return len;
+            }
+
+            @Override
+            void dispose() {
+                if (cipher != null) {
+                    try {
+                        cipher.doFinal();
+                    } catch (Exception e) {
+                        // swallow all types of exceptions.
+                    }
+                }
+            }
+
+            @Override
+            int getExplicitNonceSize() {
+                return 0;
+            }
+
+            @Override
+            int calculateFragmentSize(int packetLimit, int headerSize) {
+                return packetLimit - headerSize - tagSize;
+            }
+
+            @Override
+            int calculatePacketSize(int fragmentSize, int headerSize) {
+                return fragmentSize + headerSize + tagSize;
+            }
+        }
+    }
+
+    private static void addMac(MAC signer,
+            ByteBuffer destination, byte contentType) {
+        if (signer.macAlg().size != 0) {
+            int dstContent = destination.position();
+            byte[] hash = signer.compute(contentType, destination, false);
+
+            /*
+             * position was advanced to limit in MAC compute above.
+             *
+             * Mark next area as writable (above layers should have
+             * established that we have plenty of room), then write
+             * out the hash.
+             */
+            destination.limit(destination.limit() + hash.length);
+            destination.put(hash);
+
+            // reset the position and limit
+            destination.position(dstContent);
+        }
+    }
+
+    // for null and stream cipher
+    private static void checkStreamMac(MAC signer, ByteBuffer bb,
+            byte contentType,  byte[] sequence) throws BadPaddingException {
+        int tagLen = signer.macAlg().size;
+
+        // Requires message authentication code for null, stream and
+        // block cipher suites.
+        if (tagLen != 0) {
+            int contentLen = bb.remaining() - tagLen;
+            if (contentLen < 0) {
+                throw new BadPaddingException("bad record");
+            }
+
+            // Run MAC computation and comparison on the payload.
+            //
+            // MAC data would be stripped off during the check.
+            if (checkMacTags(contentType, bb, signer, sequence, false)) {
+                throw new BadPaddingException("bad record MAC");
+            }
+        }
+    }
+
+    // for CBC cipher
+    private static void checkCBCMac(MAC signer, ByteBuffer bb,
+            byte contentType, int cipheredLength,
+            byte[] sequence) throws BadPaddingException {
+        BadPaddingException reservedBPE = null;
+        int tagLen = signer.macAlg().size;
+        int pos = bb.position();
+
+        if (tagLen != 0) {
+            int contentLen = bb.remaining() - tagLen;
+            if (contentLen < 0) {
+                reservedBPE = new BadPaddingException("bad record");
+
+                // set offset of the dummy MAC
+                contentLen = cipheredLength - tagLen;
+                bb.limit(pos + cipheredLength);
+            }
+
+            // Run MAC computation and comparison on the payload.
+            //
+            // MAC data would be stripped off during the check.
+            if (checkMacTags(contentType, bb, signer, sequence, false)) {
+                if (reservedBPE == null) {
+                    reservedBPE =
+                            new BadPaddingException("bad record MAC");
+                }
+            }
+
+            // Run MAC computation and comparison on the remainder.
+            int remainingLen = calculateRemainingLen(
+                    signer, cipheredLength, contentLen);
+
+            // NOTE: remainingLen may be bigger (less than 1 block of the
+            // hash algorithm of the MAC) than the cipheredLength.
+            //
+            // Is it possible to use a static buffer, rather than allocate
+            // it dynamically?
+            remainingLen += signer.macAlg().size;
+            ByteBuffer temporary = ByteBuffer.allocate(remainingLen);
+
+            // Won't need to worry about the result on the remainder. And
+            // then we won't need to worry about what's actual data to
+            // check MAC tag on.  We start the check from the header of the
+            // buffer so that we don't need to construct a new byte buffer.
+            checkMacTags(contentType, temporary, signer, sequence, true);
+        }
+
+        // Is it a failover?
+        if (reservedBPE != null) {
+            throw reservedBPE;
+        }
+    }
+
+    /*
+     * Run MAC computation and comparison
+     */
+    private static boolean checkMacTags(byte contentType, ByteBuffer bb,
+            MAC signer, byte[] sequence, boolean isSimulated) {
+        int tagLen = signer.macAlg().size;
+        int position = bb.position();
+        int lim = bb.limit();
+        int macOffset = lim - tagLen;
+
+        bb.limit(macOffset);
+        byte[] hash = signer.compute(contentType, bb, sequence, isSimulated);
+        if (hash == null || tagLen != hash.length) {
+            // Something is wrong with MAC implementation.
+            throw new RuntimeException("Internal MAC error");
+        }
+
+        bb.position(macOffset);
+        bb.limit(lim);
+        try {
+            int[] results = compareMacTags(bb, hash);
+            return (results[0] != 0);
+        } finally {
+            // reset to the data
+            bb.position(position);
+            bb.limit(macOffset);
+        }
+    }
+
+    /*
+     * A constant-time comparison of the MAC tags.
+     *
+     * Please DON'T change the content of the ByteBuffer parameter!
+     */
+    private static int[] compareMacTags(ByteBuffer bb, byte[] tag) {
+        // An array of hits is used to prevent Hotspot optimization for
+        // the purpose of a constant-time check.
+        int[] results = {0, 0};     // {missed #, matched #}
+
+        // The caller ensures there are enough bytes available in the buffer.
+        // So we won't need to check the remaining of the buffer.
+        for (int i = 0; i < tag.length; i++) {
+            if (bb.get() != tag[i]) {
+                results[0]++;       // mismatched bytes
+            } else {
+                results[1]++;       // matched bytes
+            }
+        }
+
+        return results;
+    }
+
+    /*
+     * Calculate the length of a dummy buffer to run MAC computation
+     * and comparison on the remainder.
+     *
+     * The caller MUST ensure that the fullLen is not less than usedLen.
+     */
+    private static int calculateRemainingLen(
+            MAC signer, int fullLen, int usedLen) {
+
+        int blockLen = signer.macAlg().hashBlockSize;
+        int minimalPaddingLen = signer.macAlg().minimalPaddingSize;
+
+        // (blockLen - minimalPaddingLen) is the maximum message size of
+        // the last block of hash function operation. See FIPS 180-4, or
+        // MD5 specification.
+        fullLen += 13 - (blockLen - minimalPaddingLen);
+        usedLen += 13 - (blockLen - minimalPaddingLen);
+
+        // Note: fullLen is always not less than usedLen, and blockLen
+        // is always bigger than minimalPaddingLen, so we don't worry
+        // about negative values. 0x01 is added to the result to ensure
+        // that the return value is positive.  The extra one byte does
+        // not impact the overall MAC compression function evaluations.
+        return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
+                Math.ceil(usedLen/(1.0d * blockLen))) * blockLen;
+    }
+
+    private static int addPadding(ByteBuffer bb, int blockSize) {
+
+        int     len = bb.remaining();
+        int     offset = bb.position();
+
+        int     newlen = len + 1;
+        byte    pad;
+        int     i;
+
+        if ((newlen % blockSize) != 0) {
+            newlen += blockSize - 1;
+            newlen -= newlen % blockSize;
+        }
+        pad = (byte) (newlen - len);
+
+        /*
+         * Update the limit to what will be padded.
+         */
+        bb.limit(newlen + offset);
+
+        /*
+         * TLS version of the padding works for both SSLv3 and TLSv1
+         */
+        for (i = 0, offset += len; i < pad; i++) {
+            bb.put(offset++, (byte) (pad - 1));
+        }
+
+        bb.position(offset);
+        bb.limit(offset);
+
+        return newlen;
+    }
+
+    private static int removePadding(ByteBuffer bb,
+            int tagLen, int blockSize,
+            ProtocolVersion protocolVersion) throws BadPaddingException {
+        int len = bb.remaining();
+        int offset = bb.position();
+
+        // last byte is length byte (i.e. actual padding length - 1)
+        int padOffset = offset + len - 1;
+        int padLen = bb.get(padOffset) & 0xFF;
+
+        int newLen = len - (padLen + 1);
+        if ((newLen - tagLen) < 0) {
+            // If the buffer is not long enough to contain the padding plus
+            // a MAC tag, do a dummy constant-time padding check.
+            //
+            // Note that it is a dummy check, so we won't care about what is
+            // the actual padding data.
+            checkPadding(bb.duplicate(), (byte)(padLen & 0xFF));
+
+            throw new BadPaddingException("Invalid Padding length: " + padLen);
+        }
+
+        // The padding data should be filled with the padding length value.
+        int[] results = checkPadding(
+                bb.duplicate().position(offset + newLen),
+                (byte)(padLen & 0xFF));
+        if (protocolVersion.useTLS10PlusSpec()) {
+            if (results[0] != 0) {          // padding data has invalid bytes
+                throw new BadPaddingException("Invalid TLS padding data");
+            }
+        } else { // SSLv3
+            // SSLv3 requires 0 <= length byte < block size
+            // some implementations do 1 <= length byte <= block size,
+            // so accept that as well
+            // v3 does not require any particular value for the other bytes
+            if (padLen > blockSize) {
+                throw new BadPaddingException("Padding length (" +
+                padLen + ") of SSLv3 message should not be bigger " +
+                "than the block size (" + blockSize + ")");
+            }
+        }
+
+        // Reset buffer limit to remove padding.
+        bb.limit(offset + newLen);
+
+        return newLen;
+    }
+
+    /*
+     * A constant-time check of the padding.
+     *
+     * NOTE that we are checking both the padding and the padLen bytes here.
+     *
+     * The caller MUST ensure that the bb parameter has remaining.
+     */
+    private static int[] checkPadding(ByteBuffer bb, byte pad) {
+        if (!bb.hasRemaining()) {
+            throw new RuntimeException("hasRemaining() must be positive");
+        }
+
+        // An array of hits is used to prevent Hotspot optimization for
+        // the purpose of a constant-time check.
+        int[] results = {0, 0};    // {missed #, matched #}
+        bb.mark();
+        for (int i = 0; i <= 256; bb.reset()) {
+            for (; bb.hasRemaining() && i <= 256; i++) {
+                if (bb.get() != pad) {
+                    results[0]++;       // mismatched padding data
+                } else {
+                    results[1]++;       // matched padding data
+                }
+            }
+        }
+
+        return results;
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java	2018-05-11 15:09:50.548539500 -0700
@@ -0,0 +1,413 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.AlgorithmConstraints;
+import java.security.NoSuchAlgorithmException;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.function.BiFunction;
+import javax.crypto.KeyGenerator;
+import javax.net.ssl.HandshakeCompletedListener;
+import javax.net.ssl.SNIMatcher;
+import javax.net.ssl.SNIServerName;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
+import sun.security.ssl.SSLExtension.ClientExtensions;
+import sun.security.ssl.SSLExtension.ServerExtensions;
+
+/**
+ * SSL/(D)TLS configuration.
+ */
+class SSLConfiguration implements Cloneable {
+    // configurations with SSLParameters
+    AlgorithmConstraints        algorithmConstraints;
+    List<ProtocolVersion>       enabledProtocols;
+    List<CipherSuite>           enabledCipherSuites;
+    ClientAuthType              clientAuthType;
+    String                      identificationProtocol;
+    List<SNIServerName>         serverNames;
+    Collection<SNIMatcher>      sniMatchers;
+    String[]                    applicationProtocols;
+    boolean                     preferLocalCipherSuites;
+    boolean                     enableRetransmissions;
+    int                         maximumPacketSize;
+
+    // the maximum protocol version of enabled protocols
+    ProtocolVersion             maximumProtocolVersion;
+
+    // Configurations per SSLSocket or SSLEngine instance.
+    boolean                     isClientMode;
+    boolean                     enableSessionCreation;
+
+    // the application layer protocol negotiation configuration
+    BiFunction<SSLSocket, List<String>, String> socketAPSelector;
+    BiFunction<SSLEngine, List<String>, String> engineAPSelector;
+
+    HashMap<HandshakeCompletedListener, AccessControlContext>
+                                handshakeListeners;
+
+    boolean                     noSniExtension;
+    boolean                     noSniMatcher;
+
+    // To switch off the extended_master_secret extension.
+    static final boolean useExtendedMasterSecret;
+
+    // Allow session resumption without Extended Master Secret extension.
+    static final boolean allowLegacyResumption =
+        Utilities.getBooleanProperty("jdk.tls.allowLegacyResumption", true);
+
+    // Allow full handshake without Extended Master Secret extension.
+    static final boolean allowLegacyMasterSecret =
+        Utilities.getBooleanProperty("jdk.tls.allowLegacyMasterSecret", true);
+
+    // Allow full handshake without Extended Master Secret extension.
+    static final boolean useCompatibilityMode = Utilities.getBooleanProperty(
+            "jdk.tls.client.useCompatibilityMode", true);
+
+// TODO: Please remove after TLS 1.3 draft interop testing
+// delete me
+static int tls13VN = 0x0304;
+
+    // Is the extended_master_secret extension supported?
+    static {
+        boolean supportExtendedMasterSecret = true;
+        try {
+            KeyGenerator kg =
+                JsseJce.getKeyGenerator("SunTlsExtendedMasterSecret");
+        } catch (NoSuchAlgorithmException nae) {
+            supportExtendedMasterSecret = false;
+        }
+
+        if (supportExtendedMasterSecret) {
+            useExtendedMasterSecret = Utilities.getBooleanProperty(
+                    "jdk.tls.useExtendedMasterSecret", true);
+        } else {
+            useExtendedMasterSecret = false;
+        }
+
+// delete me
+try {
+    tls13VN =
+        AccessController.doPrivileged(
+            new PrivilegedExceptionAction<Integer>() {
+                @Override
+                public Integer run() throws Exception {
+                    return Integer.parseInt(
+                        System.getProperty("jdk.tls13.version", "0304"), 16);
+                }
+            });
+} catch (PrivilegedActionException ex) {
+    // blank
+}
+    }
+
+    SSLConfiguration(SSLContextImpl sslContext, boolean isClientMode) {
+
+        // Configurations with SSLParameters, default values.
+        this.algorithmConstraints = SSLAlgorithmConstraints.DEFAULT;
+        this.enabledProtocols =
+                sslContext.getDefaultProtocolVersions(!isClientMode);
+        this.enabledCipherSuites =
+                sslContext.getDefaultCipherSuites(!isClientMode);
+        this.clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
+
+        this.identificationProtocol = null;
+        this.serverNames = Collections.<SNIServerName>emptyList();
+        this.sniMatchers = Collections.<SNIMatcher>emptyList();
+        this.preferLocalCipherSuites = false;
+
+        this.applicationProtocols = new String[0];
+        this.enableRetransmissions = sslContext.isDTLS();
+        this.maximumPacketSize = 0;         // please reset it explicitly later
+
+        this.maximumProtocolVersion = ProtocolVersion.NONE;
+        for (ProtocolVersion pv : enabledProtocols) {
+            if (pv.compareTo(maximumProtocolVersion) > 0) {
+                this.maximumProtocolVersion = pv;
+            }
+        }
+
+        // Configurations per SSLSocket or SSLEngine instance.
+        this.isClientMode = isClientMode;
+        this.enableSessionCreation = true;
+        this.socketAPSelector = null;
+        this.engineAPSelector = null;
+
+        this.handshakeListeners = null;
+        this.noSniExtension = false;
+        this.noSniMatcher = false;
+    }
+
+    SSLParameters getSSLParameters() {
+        SSLParameters params = new SSLParameters();
+
+        params.setAlgorithmConstraints(this.algorithmConstraints);
+        params.setProtocols(ProtocolVersion.toStringArray(enabledProtocols));
+        params.setCipherSuites(CipherSuite.namesOf(enabledCipherSuites));
+        switch (this.clientAuthType) {
+            case CLIENT_AUTH_REQUIRED:
+                params.setNeedClientAuth(true);
+                break;
+            case CLIENT_AUTH_REQUESTED:
+                params.setWantClientAuth(true);
+                break;
+            default:
+                params.setWantClientAuth(false);
+        }
+        params.setEndpointIdentificationAlgorithm(this.identificationProtocol);
+
+        if (serverNames.isEmpty() && !noSniExtension) {
+            // 'null' indicates none has been set
+            params.setServerNames(null);
+        } else {
+            params.setServerNames(this.serverNames);
+        }
+
+        if (sniMatchers.isEmpty() && !noSniMatcher) {
+            // 'null' indicates none has been set
+            params.setSNIMatchers(null);
+        } else {
+            params.setSNIMatchers(this.sniMatchers);
+        }
+
+        params.setApplicationProtocols(this.applicationProtocols);
+        params.setUseCipherSuitesOrder(this.preferLocalCipherSuites);
+        params.setEnableRetransmissions(this.enableRetransmissions);
+        params.setMaximumPacketSize(this.maximumPacketSize);
+
+        return params;
+    }
+
+    void setSSLParameters(SSLParameters params) {
+        AlgorithmConstraints ac = params.getAlgorithmConstraints();
+        if (ac != null) {
+            this.algorithmConstraints = ac;
+        }   // otherwise, use the default value
+
+        String[] sa = params.getCipherSuites();
+        if (sa != null) {
+            this.enabledCipherSuites = CipherSuite.validValuesOf(sa);
+        }   // otherwise, use the default values
+
+        sa = params.getProtocols();
+        if (sa != null) {
+            this.enabledProtocols = ProtocolVersion.namesOf(sa);
+
+            this.maximumProtocolVersion = ProtocolVersion.NONE;
+            for (ProtocolVersion pv : enabledProtocols) {
+                if (pv.compareTo(maximumProtocolVersion) > 0) {
+                    this.maximumProtocolVersion = pv;
+                }
+            }
+        }   // otherwise, use the default values
+
+        if (params.getNeedClientAuth()) {
+            this.clientAuthType = ClientAuthType.CLIENT_AUTH_REQUIRED;
+        } else if (params.getWantClientAuth()) {
+            this.clientAuthType = ClientAuthType.CLIENT_AUTH_REQUESTED;
+        } else {
+            this.clientAuthType = ClientAuthType.CLIENT_AUTH_NONE;
+        }
+
+        String s = params.getEndpointIdentificationAlgorithm();
+        if (s != null) {
+            this.identificationProtocol = s;
+        }   // otherwise, use the default value
+
+        List<SNIServerName> sniNames = params.getServerNames();
+        if (sniNames != null) {
+            this.noSniExtension = sniNames.isEmpty();
+            this.serverNames = sniNames;
+        }   // null if none has been set
+
+        Collection<SNIMatcher> matchers = params.getSNIMatchers();
+        if (matchers != null) {
+            this.noSniMatcher = matchers.isEmpty();
+            this.sniMatchers = matchers;
+        }   // null if none has been set
+
+        sa = params.getApplicationProtocols();
+        if (sa != null) {
+            this.applicationProtocols = sa;
+        }   // otherwise, use the default values
+
+        this.preferLocalCipherSuites = params.getUseCipherSuitesOrder();
+        this.enableRetransmissions = params.getEnableRetransmissions();
+        this.maximumPacketSize = params.getMaximumPacketSize();
+    }
+
+    // SSLSocket only
+    void addHandshakeCompletedListener(
+            HandshakeCompletedListener listener) {
+
+        if (handshakeListeners == null) {
+            handshakeListeners = new HashMap<>(4);
+        }
+
+        handshakeListeners.put(listener, AccessController.getContext());
+    }
+
+    // SSLSocket only
+    void removeHandshakeCompletedListener(
+            HandshakeCompletedListener listener) {
+
+        if (handshakeListeners == null) {
+            throw new IllegalArgumentException("no listeners");
+        }
+
+        if (handshakeListeners.remove(listener) == null) {
+            throw new IllegalArgumentException("listener not registered");
+        }
+
+        if (handshakeListeners.isEmpty()) {
+            handshakeListeners = null;
+        }
+    }
+
+    /**
+     * Return true if the extension is available.
+     */
+    boolean isAvailable(SSLExtension extension) {
+        for (ProtocolVersion protocolVersion : enabledProtocols) {
+            if (extension.isAvailable(protocolVersion)) {
+                if (isClientMode ?
+                        ClientExtensions.defaults.contains(extension) :
+                        ServerExtensions.defaults.contains(extension)) {
+                    return true;
+                }
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * Return true if the extension is available for the specific protocol.
+     */
+    boolean isAvailable(SSLExtension extension,
+            ProtocolVersion protocolVersion) {
+        return extension.isAvailable(protocolVersion) &&
+                (isClientMode ? ClientExtensions.defaults.contains(extension) :
+                                ServerExtensions.defaults.contains(extension));
+    }
+
+    /**
+     * Get the enabled extensions for the specific handshake message.
+     *
+     * Used to consume handshake extensions.
+     */
+    SSLExtension[] getEnabledExtensions(SSLHandshake handshakeType) {
+        List<SSLExtension> extensions = new ArrayList<>();
+        for (SSLExtension extension : SSLExtension.values()) {
+            if (extension.handshakeType == handshakeType) {
+                if (isAvailable(extension)) {
+                    extensions.add(extension);
+                }
+            }
+        }
+
+        return extensions.toArray(new SSLExtension[0]);
+    }
+
+    /**
+     * Get the enabled extensions for the specific handshake message
+     * and the specific protocol version.
+     *
+     * Used to produce handshake extensions after handshake protocol
+     * version negotiation.
+     */
+    SSLExtension[] getEnabledExtensions(
+            SSLHandshake handshakeType, ProtocolVersion protocolVersion) {
+        List<SSLExtension> extensions = new ArrayList<>();
+        for (SSLExtension extension : SSLExtension.values()) {
+            if (extension.handshakeType == handshakeType) {
+                if (isAvailable(extension) &&
+                        extension.isAvailable(protocolVersion)) {
+                    extensions.add(extension);
+                }
+            }
+        }
+
+        return extensions.toArray(new SSLExtension[0]);
+    }
+
+    /**
+     * Get the enabled extensions for the specific handshake message
+     * and the specific protocol versions.
+     *
+     * Used to produce ClientHello extensions before handshake protocol
+     * version negotiation.
+     */
+    SSLExtension[] getEnabledExtensions(
+            SSLHandshake handshakeType, List<ProtocolVersion> activeProtocols) {
+        List<SSLExtension> extensions = new ArrayList<>();
+        for (SSLExtension extension : SSLExtension.values()) {
+            if (extension.handshakeType == handshakeType) {
+                if (!isAvailable(extension)) {
+                    continue;
+                }
+
+                for (ProtocolVersion protocolVersion : activeProtocols) {
+                    if (extension.isAvailable(protocolVersion)) {
+                        extensions.add(extension);
+                        break;
+                    }
+                }
+            }
+        }
+
+        return extensions.toArray(new SSLExtension[0]);
+    }
+
+    @Override
+    @SuppressWarnings({"unchecked", "CloneDeclaresCloneNotSupported"})
+    public Object clone() {
+        // Note that only references to the configurations are copied.
+        try {
+            SSLConfiguration config = (SSLConfiguration)super.clone();
+            if (handshakeListeners != null) {
+                config.handshakeListeners =
+                    (HashMap<HandshakeCompletedListener, AccessControlContext>)
+                            handshakeListeners.clone();
+            }
+
+            return config;
+        } catch (CloneNotSupportedException cnse) {
+            // unlikely
+        }
+
+        return null;    // unlikely
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLConsumer.java	2018-05-11 15:09:52.156194900 -0700
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+
+interface SSLConsumer {
+    void consume(ConnectionContext context,
+            ByteBuffer message) throws IOException;
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLCredentials.java	2018-05-11 15:09:53.761516500 -0700
@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+interface SSLCredentials {
+}
--- old/src/java.base/share/classes/sun/security/ssl/HelloExtension.java	2018-05-11 15:09:56.155554100 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-
-abstract class HelloExtension {
-
-    final ExtensionType type;
-
-    HelloExtension(ExtensionType type) {
-        this.type = type;
-    }
-
-    // Length of the encoded extension, including the type and length fields
-    abstract int length();
-
-    abstract void send(HandshakeOutStream s) throws IOException;
-
-    @Override
-    public abstract String toString();
-
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLExtension.java	2018-05-11 15:09:55.429777800 -0700
@@ -0,0 +1,691 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.LinkedList;
+import java.util.Locale;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.HexDumpEncoder;
+
+enum SSLExtension implements SSLStringize {
+    // Extensions defined in RFC 3546
+    CH_SERVER_NAME          (0x0000,  "server_name",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_13,
+                                ServerNameExtension.chNetworkProducer,
+                                ServerNameExtension.chOnLoadConcumer,
+                                null,
+                                null,
+                                ServerNameExtension.chStringize),
+    SH_SERVER_NAME          (0x0000, "server_name",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                ServerNameExtension.shNetworkProducer,
+                                ServerNameExtension.shOnLoadConcumer,
+                                null,
+                                null,
+                                ServerNameExtension.shStringize),
+    EE_SERVER_NAME          (0x0000, "server_name",
+                                SSLHandshake.ENCRYPTED_EXTENSIONS,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                ServerNameExtension.eeNetworkProducer,
+                                ServerNameExtension.eeOnLoadConcumer,
+                                null,
+                                null,
+                                ServerNameExtension.shStringize),
+    CH_MAX_FRAGMENT_LENGTH (0x0001, "max_fragment_length",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_13,
+                                MaxFragExtension.chNetworkProducer,
+                                MaxFragExtension.chOnLoadConcumer,
+                                null,
+                                null,
+                                MaxFragExtension.maxFragLenStringize),
+    SH_MAX_FRAGMENT_LENGTH (0x0001, "max_fragment_length",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                MaxFragExtension.shNetworkProducer,
+                                MaxFragExtension.shOnLoadConcumer,
+                                null,
+                                MaxFragExtension.shOnTradeConsumer,
+                                MaxFragExtension.maxFragLenStringize),
+    EE_MAX_FRAGMENT_LENGTH (0x0001, "max_fragment_length",
+                                SSLHandshake.ENCRYPTED_EXTENSIONS,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                MaxFragExtension.eeNetworkProducer,
+                                MaxFragExtension.eeOnLoadConcumer,
+                                null,
+                                MaxFragExtension.eeOnTradeConsumer,
+                                MaxFragExtension.maxFragLenStringize),
+    CLIENT_CERTIFICATE_URL  (0x0002, "client_certificate_url"),
+    TRUSTED_CA_KEYS         (0x0003, "trusted_ca_keys"),
+    TRUNCATED_HMAC          (0x0004, "truncated_hmac"),
+
+    CH_STATUS_REQUEST       (0x0005, "status_request",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_13,
+                                CertStatusExtension.chNetworkProducer,
+                                CertStatusExtension.chOnLoadConsumer,
+                                null,
+                                null,
+                                CertStatusExtension.certStatusReqStringize),
+    SH_STATUS_REQUEST       (0x0005, "status_request",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                CertStatusExtension.shNetworkProducer,
+                                CertStatusExtension.shOnLoadConsumer,
+                                null,
+                                null,
+                                CertStatusExtension.certStatusReqStringize),
+
+    CR_STATUS_REQUEST       (0x0005, "status_request"),
+    CT_STATUS_REQUEST       (0x0005, "status_request",
+                                SSLHandshake.CERTIFICATE,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                CertStatusExtension.ctNetworkProducer,
+                                CertStatusExtension.ctOnLoadConsumer,
+                                null,
+                                null,
+                                CertStatusExtension.certStatusRespStringize),
+    // extensions defined in RFC 4681
+    USER_MAPPING            (0x0006, "user_mapping"),
+
+    // extensions defined in RFC 5878
+    CLIENT_AUTHZ            (0x0007, "client_authz"),
+    SERVER_AUTHZ            (0x0008, "server_authz"),
+
+    // extensions defined in RFC 5081
+    CERT_TYPE               (0x0009, "cert_type"),
+
+    // extensions defined in RFC 4492 (ECC)
+    CH_SUPPORTED_GROUPS     (0x000A, "supported_groups",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_13,
+                                SupportedGroupsExtension.chNetworkProducer,
+                                SupportedGroupsExtension.chOnLoadConcumer,
+                                null,
+                                null,
+                                SupportedGroupsExtension.sgsStringize),
+    EE_SUPPORTED_GROUPS     (0x000A, "supported_groups",
+                                SSLHandshake.ENCRYPTED_EXTENSIONS,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                SupportedGroupsExtension.eeNetworkProducer,
+                                SupportedGroupsExtension.eeOnLoadConcumer,
+                                null,
+                                null,
+                                SupportedGroupsExtension.sgsStringize),
+
+    CH_EC_POINT_FORMATS     (0x000B, "ec_point_formats",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                ECPointFormatsExtension.chNetworkProducer,
+                                ECPointFormatsExtension.chOnLoadConcumer,
+                                null,
+                                null,
+                                ECPointFormatsExtension.epfStringize),
+    SH_EC_POINT_FORMATS     (0x000B, "ec_point_formats",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                null,   // not use of the producer
+                                ECPointFormatsExtension.shOnLoadConcumer,
+                                null,
+                                null,
+                                ECPointFormatsExtension.epfStringize),
+
+    // extensions defined in RFC 5054
+    SRP                     (0x000C, "srp"),
+
+    // extensions defined in RFC 5246
+    CH_SIGNATURE_ALGORITHMS (0x000D, "signature_algorithms",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_12_13,
+                                SignatureAlgorithmsExtension.chNetworkProducer,
+                                SignatureAlgorithmsExtension.chOnLoadConcumer,
+                                SignatureAlgorithmsExtension.chOnLoadAbsence,
+                                SignatureAlgorithmsExtension.chOnTradeConsumer,
+                                SignatureAlgorithmsExtension.ssStringize),
+    CR_SIGNATURE_ALGORITHMS (0x000D, "signature_algorithms",
+                                SSLHandshake.CERTIFICATE_REQUEST,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                SignatureAlgorithmsExtension.crNetworkProducer,
+                                SignatureAlgorithmsExtension.crOnLoadConcumer,
+                                SignatureAlgorithmsExtension.crOnLoadAbsence,
+                                SignatureAlgorithmsExtension.crOnTradeConsumer,
+                                SignatureAlgorithmsExtension.ssStringize),
+
+    CH_SIGNATURE_ALGORITHMS_CERT (0x0032, "signature_algorithms_cert",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_12_13,
+                                CertSignAlgsExtension.chNetworkProducer,
+                                CertSignAlgsExtension.chOnLoadConcumer,
+                                null,
+                                CertSignAlgsExtension.chOnTradeConsumer,
+                                CertSignAlgsExtension.ssStringize),
+    CR_SIGNATURE_ALGORITHMS_CERT (0x0032, "signature_algorithms_cert",
+                                SSLHandshake.CERTIFICATE_REQUEST,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                CertSignAlgsExtension.crNetworkProducer,
+                                CertSignAlgsExtension.crOnLoadConcumer,
+                                null,
+                                CertSignAlgsExtension.crOnTradeConsumer,
+                                CertSignAlgsExtension.ssStringize),
+
+    // extensions defined in RFC 5764
+    USE_SRTP                (0x000E, "use_srtp"),
+
+    // extensions defined in RFC 6520
+    HEARTBEAT               (0x000E, "heartbeat"),
+
+    // extension defined in RFC 7301 (ALPN)
+    CH_ALPN                 (0x0010, "application_layer_protocol_negotiation",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_13,
+                                AlpnExtension.chNetworkProducer,
+                                AlpnExtension.chOnLoadConcumer,
+                                AlpnExtension.chOnLoadAbsence,
+                                null,
+                                AlpnExtension.alpnStringize),
+    SH_ALPN                 (0x0010, "application_layer_protocol_negotiation",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                AlpnExtension.shNetworkProducer,
+                                AlpnExtension.shOnLoadConcumer,
+                                AlpnExtension.shOnLoadAbsence,
+                                null,
+                                AlpnExtension.alpnStringize),
+    EE_ALPN                 (0x0010, "application_layer_protocol_negotiation",
+                                SSLHandshake.ENCRYPTED_EXTENSIONS,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                AlpnExtension.shNetworkProducer,
+                                AlpnExtension.shOnLoadConcumer,
+                                AlpnExtension.shOnLoadAbsence,
+                                null,
+                                AlpnExtension.alpnStringize),
+
+    // extensions defined in RFC 6961
+    CH_STATUS_REQUEST_V2    (0x0011, "status_request_v2",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                CertStatusExtension.chV2NetworkProducer,
+                                CertStatusExtension.chV2OnLoadConsumer,
+                                null,
+                                null,
+                                CertStatusExtension.certStatusReqV2Stringize),
+    SH_STATUS_REQUEST_V2    (0x0011, "status_request_v2",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                CertStatusExtension.shV2NetworkProducer,
+                                CertStatusExtension.shV2OnLoadConsumer,
+                                null,
+                                null,
+                                CertStatusExtension.certStatusReqV2Stringize),
+
+    // extensions defined in RFC 6962
+    SIGNED_CERT_TIMESTAMP   (0x0012, "signed_certificate_timestamp"),
+
+    // extensions defined in RFC 7250
+    CLIENT_CERT_TYPE        (0x0013, "padding"),
+    SERVER_CERT_TYPE        (0x0014, "server_certificate_type"),
+
+    // extensions defined in RFC 7685
+    PADDING                 (0x0015, "client_certificate_type"),
+
+    // extensions defined in RFC 7366
+    ENCRYPT_THEN_MAC        (0x0016, "encrypt_then_mac"),
+
+    // extensions defined in RFC 7627
+    CH_EXTENDED_MASTER_SECRET  (0x0017, "extended_master_secret",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_10_12,
+                                ExtendedMasterSecretExtension.chNetworkProducer,
+                                ExtendedMasterSecretExtension.chOnLoadConcumer,
+                                ExtendedMasterSecretExtension.chOnLoadAbsence,
+                                null,
+                                ExtendedMasterSecretExtension.emsStringize),
+    SH_EXTENDED_MASTER_SECRET  (0x0017, "extended_master_secret",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_10_12,
+                                ExtendedMasterSecretExtension.shNetworkProducer,
+                                ExtendedMasterSecretExtension.shOnLoadConcumer,
+                                ExtendedMasterSecretExtension.shOnLoadAbsence,
+                                null,
+                                ExtendedMasterSecretExtension.emsStringize),
+
+    // extensions defined in RFC draft-ietf-tokbind-negotiation
+    TOKEN_BINDING           (0x0018, "token_binding "),
+
+    // extensions defined in RFC 7924
+    CACHED_INFO             (0x0019, "cached_info"),
+
+    // extensions defined in RFC 4507/5077
+    SESSION_TICKET          (0x0023, "session_ticket"),
+
+    // extensions defined in TLS 1.3
+    CH_EARLY_DATA           (0x002A, "early_data"),
+    EE_EARLY_DATA           (0x002A, "early_data"),
+    NST_EARLY_DATA          (0x002A, "early_data"),
+
+    CH_SUPPORTED_VERSIONS   (0x002B, "supported_versions",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                SupportedVersionsExtension.chNetworkProducer,
+                                SupportedVersionsExtension.chOnLoadConcumer,
+                                null,
+                                null,
+                                SupportedVersionsExtension.chStringize),
+    SH_SUPPORTED_VERSIONS   (0x002B, "supported_versions",
+                                SSLHandshake.SERVER_HELLO,
+                                        // and HelloRetryRequest
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                SupportedVersionsExtension.shNetworkProducer,
+                                SupportedVersionsExtension.shOnLoadConcumer,
+                                null,
+                                null,
+                                SupportedVersionsExtension.shStringize),
+    HRR_SUPPORTED_VERSIONS  (0x002B, "supported_versions",
+                                SSLHandshake.HELLO_RETRY_REQUEST,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                SupportedVersionsExtension.hrrNetworkProducer,
+                                SupportedVersionsExtension.hrrOnLoadConcumer,
+                                null,
+                                null,
+                                SupportedVersionsExtension.hrrStringize),
+    MH_SUPPORTED_VERSIONS   (0x002B, "supported_versions",
+                                SSLHandshake.MESSAGE_HASH,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                SupportedVersionsExtension.hrrReproducer,
+                                null, null, null,
+                                SupportedVersionsExtension.hrrStringize),
+
+    CH_COOKIE               (0x002C, "cookie",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                CookieExtension.chNetworkProducer,
+                                CookieExtension.chOnLoadConcumer,
+                                null,
+                                CookieExtension.chOnTradeConsumer,
+                                CookieExtension.cookieStringize),
+    HRR_COOKIE              (0x002C, "cookie",
+                                SSLHandshake.HELLO_RETRY_REQUEST,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                CookieExtension.hrrNetworkProducer,
+                                CookieExtension.hrrOnLoadConcumer,
+                                null, null,
+                                CookieExtension.cookieStringize),
+    MH_COOKIE               (0x002C, "cookie",
+                                SSLHandshake.MESSAGE_HASH,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                CookieExtension.hrrNetworkReproducer,
+                                null, null, null,
+                                CookieExtension.cookieStringize),
+
+    PSK_KEY_EXCHANGE_MODES  (0x002D, "psk_key_exchange_modes",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                PskKeyExchangeModesExtension.chNetworkProducer,
+                                PskKeyExchangeModesExtension.chOnLoadConsumer,
+                                null, null, null),
+    CERTIFICATE_AUTHORITIES (0x002F, "certificate_authorities"),
+    OID_FILTERS             (0x0030, "oid_filters"),
+    POST_HANDSHAKE_AUTH     (0x0030, "post_handshake_auth"),
+
+    CH_KEY_SHARE            (0x0033, "key_share",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                KeyShareExtension.chNetworkProducer,
+                                KeyShareExtension.chOnLoadConcumer,
+                                null, null,
+                                KeyShareExtension.chStringize),
+    SH_KEY_SHARE            (0x0033, "key_share",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                KeyShareExtension.shNetworkProducer,
+                                KeyShareExtension.shOnLoadConcumer,
+                                KeyShareExtension.shOnLoadAbsence,
+                                null,
+                                KeyShareExtension.shStringize),
+    HRR_KEY_SHARE           (0x0033, "key_share",
+                                SSLHandshake.HELLO_RETRY_REQUEST,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                KeyShareExtension.hrrNetworkProducer,
+                                KeyShareExtension.hrrOnLoadConcumer,
+                                null, null,
+                                KeyShareExtension.hrrStringize),
+    MH_KEY_SHARE            (0x0033, "key_share",
+                                SSLHandshake.MESSAGE_HASH,
+                                ProtocolVersion.PROTOCOLS_OF_13,
+                                KeyShareExtension.hrrNetworkReproducer,
+                                null, null, null,
+                                KeyShareExtension.hrrStringize),
+
+    // Extensions defined in RFC 5746
+    CH_RENEGOTIATION_INFO   (0xff01, "renegotiation_info",
+                                SSLHandshake.CLIENT_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                RenegoInfoExtension.chNetworkProducer,
+                                RenegoInfoExtension.chOnLoadConcumer,
+                                RenegoInfoExtension.chOnLoadAbsence,
+                                null,
+                                RenegoInfoExtension.rniStringize),
+    SH_RENEGOTIATION_INFO   (0xff01, "renegotiation_info",
+                                SSLHandshake.SERVER_HELLO,
+                                ProtocolVersion.PROTOCOLS_TO_12,
+                                RenegoInfoExtension.shNetworkProducer,
+                                RenegoInfoExtension.shOnLoadConcumer,
+                                RenegoInfoExtension.shOnLoadAbsence,
+                                null,
+                                RenegoInfoExtension.rniStringize),
+
+    // TLS 1.3 PSK extension must be last
+    CH_PRE_SHARED_KEY       (0x0029, "pre_shared_key",
+                            SSLHandshake.CLIENT_HELLO,
+                            ProtocolVersion.PROTOCOLS_OF_13,
+                            PreSharedKeyExtension.chNetworkProducer,
+                            PreSharedKeyExtension.chOnLoadConsumer,
+                            PreSharedKeyExtension.chOnLoadAbsence,
+                            PreSharedKeyExtension.chOnTradeConsumer,
+                            null),
+    SH_PRE_SHARED_KEY       (0x0029, "pre_shared_key",
+                            SSLHandshake.SERVER_HELLO,
+                            ProtocolVersion.PROTOCOLS_OF_13,
+                            PreSharedKeyExtension.shNetworkProducer,
+                            PreSharedKeyExtension.shOnLoadConsumer,
+                            PreSharedKeyExtension.shOnLoadAbsence,
+                            null, null);
+
+    final int id;
+    final SSLHandshake handshakeType;
+    final String name;
+    final ProtocolVersion[] supportedProtocols;
+    final HandshakeProducer networkProducer;
+    final ExtensionConsumer onLoadConcumer;
+    final HandshakeAbsence  onLoadAbsence;
+    final HandshakeConsumer onTradeConsumer;
+    final SSLStringize stringize;
+
+    // known but unsupported extension
+    private SSLExtension(int id, String name) {
+        this.id = id;
+        this.handshakeType = SSLHandshake.NOT_APPLICABLE;
+        this.name = name;
+        this.supportedProtocols = new ProtocolVersion[0];
+        this.networkProducer = null;
+        this.onLoadConcumer = null;
+        this.onLoadAbsence = null;
+        this.onTradeConsumer = null;
+        this.stringize = null;
+    }
+
+    // supported extension
+    private SSLExtension(int id, String name, SSLHandshake handshakeType,
+            ProtocolVersion[] supportedProtocols,
+            HandshakeProducer producer,
+            ExtensionConsumer onLoadConcumer, HandshakeAbsence onLoadAbsence,
+            HandshakeConsumer onTradeConsumer, SSLStringize stringize) {
+
+        this.id = id;
+        this.handshakeType = handshakeType;
+        this.name = name;
+        this.supportedProtocols = supportedProtocols;
+        this.networkProducer = producer;
+        this.onLoadConcumer = onLoadConcumer;
+        this.onLoadAbsence = onLoadAbsence;
+        this.onTradeConsumer = onTradeConsumer;
+        this.stringize = stringize;
+    }
+
+    static SSLExtension valueOf(SSLHandshake handshakeType, int extensionType) {
+        for (SSLExtension ext : SSLExtension.values()) {
+            if (ext.id == extensionType &&
+                    ext.handshakeType == handshakeType) {
+                return ext;
+            }
+        }
+
+        return null;
+    }
+
+    static boolean isConsumable(int extensionType) {
+        for (SSLExtension ext : SSLExtension.values()) {
+            if (ext.id == extensionType &&
+                    ext.onLoadConcumer != null) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    public byte[] produce(ConnectionContext context,
+            HandshakeMessage message) throws IOException {
+        if (networkProducer != null) {
+            return networkProducer.produce(context, message);
+        } else {
+            throw new UnsupportedOperationException(
+                    "Not yet supported extension producing.");
+        }
+    }
+
+    public void consumeOnLoad(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+        if (onLoadConcumer != null) {
+            onLoadConcumer.consume(context, message, buffer);
+        } else {
+            throw new UnsupportedOperationException(
+                    "Not yet supported extension loading.");
+        }
+    }
+
+    public void consumeOnTrade(ConnectionContext context,
+            HandshakeMessage message) throws IOException {
+        if (onTradeConsumer != null) {
+            onTradeConsumer.consume(context, message);
+        } else {
+            throw new UnsupportedOperationException(
+                    "Not yet supported extension processing.");
+        }
+    }
+
+    void absent(ConnectionContext context,
+            HandshakeMessage message) throws IOException {
+        if (onLoadAbsence != null) {
+            onLoadAbsence.absent(context, message);
+        } else {
+            throw new UnsupportedOperationException(
+                    "Not yet supported extension absence processing.");
+        }
+    }
+
+    public boolean isAvailable(ProtocolVersion protocolVersion) {
+        /*
+        for (ProtocolVersion pv : supportedProtocols) {
+            if (pv == protocolVersion) {
+                return true;
+            }
+        }
+        */
+        for (int i = 0; i < supportedProtocols.length; i++) {
+            if (supportedProtocols[i] == protocolVersion) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    @Override
+    public String toString() {
+        return name;
+    }
+
+    @Override
+    public String toString(ByteBuffer byteBuffer) {
+        MessageFormat messageFormat = new MessageFormat(
+            "\"{0} ({1})\": '{'\n" +
+            "{2}\n" +
+            "'}'",
+            Locale.ENGLISH);
+
+        String extData;
+        if (stringize == null) {
+            HexDumpEncoder hexEncoder = new HexDumpEncoder();
+            String encoded = hexEncoder.encode(byteBuffer.duplicate());
+            extData = encoded;
+        } else {
+            extData = stringize.toString(byteBuffer);
+        }
+
+        Object[] messageFields = {
+            this.name,
+            this.id,
+            Utilities.indent(extData)
+        };
+
+        return messageFormat.format(messageFields);
+    }
+
+    //////////////////////////////////////////////////////
+    // Nested extension, consumer and producer interfaces.
+
+    static interface ExtensionConsumer {
+        void consume(ConnectionContext context,
+                HandshakeMessage message, ByteBuffer buffer) throws IOException;
+    }
+
+    /**
+     * A (transparent) specification of extension data.
+     *
+     * This interface contains no methods or constants. Its only purpose is to
+     * group all extension data.  All extension data should implement this
+     * interface if the data is expected to handle in the following handshake
+     * processes.
+     */
+    static interface SSLExtensionSpec {
+        // blank
+    }
+
+    // Default enabled client extensions.
+    static final class ClientExtensions {
+        static final Collection<SSLExtension> defaults;
+
+        static {
+            Collection<SSLExtension> extensions = new LinkedList<>();
+            for (SSLExtension extension : SSLExtension.values()) {
+                if (extension.handshakeType != SSLHandshake.NOT_APPLICABLE) {
+                    extensions.add(extension);
+                }
+            }
+
+            // Switch off SNI extention?
+            boolean enableExtension =
+                Utilities.getBooleanProperty("jsse.enableSNIExtension", true);
+            if (!enableExtension) {
+                extensions.remove(CH_SERVER_NAME);
+            }
+
+            // To switch off the max_fragment_length extension.
+            enableExtension =
+                Utilities.getBooleanProperty("jsse.enableMFLExtension", false);
+            if (!enableExtension) {
+                extensions.remove(CH_MAX_FRAGMENT_LENGTH);
+            }
+
+//            enableExtension = Utilities.getBooleanProperty(
+//                    "jdk.tls.client.enableStatusRequestExtension", true);
+//            if (!enableExtension) {
+//                extensions.remove(CH_STATUS_REQUEST);
+//                extensions.remove(CR_STATUS_REQUEST);
+//                extensions.remove(CT_STATUS_REQUEST);
+//
+//                extensions.remove(CH_STATUS_REQUEST_V2);
+//            }
+
+            if (!SSLConfiguration.useExtendedMasterSecret) {
+                extensions.remove(CH_EXTENDED_MASTER_SECRET);
+            }
+
+            defaults = Collections.unmodifiableCollection(extensions);
+        }
+    }
+
+    // Default enabled server extensions.
+    static final class ServerExtensions {
+        static final Collection<SSLExtension> defaults;
+
+        static {
+            Collection<SSLExtension> extensions = new LinkedList<>();
+            for (SSLExtension extension : SSLExtension.values()) {
+                if (extension.handshakeType != SSLHandshake.NOT_APPLICABLE) {
+                    extensions.add(extension);
+                }
+            }
+
+/*
+            // Switch off SNI extention?
+            boolean enableExtension =
+                Utilities.getBooleanProperty("jsse.enableSNIExtension", true);
+            if (!enableExtension) {
+                extensions.remove(CH_SERVER_NAME);
+                extensions.remove(SH_SERVER_NAME);
+                extensions.remove(EE_SERVER_NAME);
+            }
+
+            // To switch off the max_fragment_length extension.
+            enableExtension =
+                Utilities.getBooleanProperty("jsse.enableMFLExtension", false);
+            if (!enableExtension) {
+                extensions.remove(CH_MAX_FRAGMENT_LENGTH);
+                extensions.remove(SH_MAX_FRAGMENT_LENGTH);
+                extensions.remove(EE_MAX_FRAGMENT_LENGTH);
+            }
+*/
+
+//            enableExtension = Utilities.getBooleanProperty(
+//                    "jdk.tls.server.enableStatusRequestExtension", true);
+//            if (!enableExtension) {
+//                extensions.remove(CH_STATUS_REQUEST);
+//                extensions.remove(SH_STATUS_REQUEST);
+//                extensions.remove(CR_STATUS_REQUEST);
+//                extensions.remove(CT_STATUS_REQUEST);
+//
+//                extensions.remove(SH_STATUS_REQUEST_V2);
+//            }
+
+/*
+            if (!SSLConfiguration.useExtendedMasterSecret) {
+                extensions.remove(CH_EXTENDED_MASTER_SECRET);
+                extensions.remove(SH_EXTENDED_MASTER_SECRET);
+            }
+*/
+            defaults = Collections.unmodifiableCollection(extensions);
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/HelloExtensions.java	2018-05-11 15:09:58.073456600 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,163 +0,0 @@
-/*
- * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.io.PrintStream;
-import java.util.*;
-import javax.net.ssl.*;
-
-/**
- * This file contains all the classes relevant to TLS Extensions for the
- * ClientHello and ServerHello messages. The extension mechanism and
- * several extensions are defined in RFC 6066. Additional extensions are
- * defined in the ECC RFC 4492 and the ALPN extension is defined in RFC 7301.
- *
- * Currently, only the two ECC extensions are fully supported.
- *
- * The classes contained in this file are:
- *  . HelloExtensions: a List of extensions as used in the client hello
- *      and server hello messages.
- *  . ExtensionType: an enum style class for the extension type
- *  . HelloExtension: abstract base class for all extensions. All subclasses
- *      must be immutable.
- *
- *  . UnknownExtension: used to represent all parsed extensions that we do not
- *      explicitly support.
- *  . ServerNameExtension: the server_name extension.
- *  . SignatureAlgorithmsExtension: the signature_algorithms extension.
- *  . SupportedGroupsExtension: the supported groups extension.
- *  . EllipticPointFormatsExtension: the ECC supported point formats
- *      (compressed/uncompressed) extension.
- *  . ALPNExtension: the application_layer_protocol_negotiation extension.
- *
- * @since   1.6
- * @author  Andreas Sterbenz
- */
-final class HelloExtensions {
-
-    private List<HelloExtension> extensions;
-    private int encodedLength;
-
-    HelloExtensions() {
-        extensions = Collections.emptyList();
-    }
-
-    HelloExtensions(HandshakeInStream s) throws IOException {
-        int len = s.getInt16();
-        extensions = new ArrayList<HelloExtension>();
-        encodedLength = len + 2;
-        while (len > 0) {
-            int type = s.getInt16();
-            int extlen = s.getInt16();
-            ExtensionType extType = ExtensionType.get(type);
-            HelloExtension extension;
-            if (extType == ExtensionType.EXT_SERVER_NAME) {
-                extension = new ServerNameExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_SIGNATURE_ALGORITHMS) {
-                extension = new SignatureAlgorithmsExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_SUPPORTED_GROUPS) {
-                extension = new SupportedGroupsExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_EC_POINT_FORMATS) {
-                extension = new EllipticPointFormatsExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_RENEGOTIATION_INFO) {
-                extension = new RenegotiationInfoExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_ALPN) {
-                extension = new ALPNExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_MAX_FRAGMENT_LENGTH) {
-                extension = new MaxFragmentLengthExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_STATUS_REQUEST) {
-                extension = new CertStatusReqExtension(s, extlen);
-            } else if (extType == ExtensionType.EXT_STATUS_REQUEST_V2) {
-                extension = new CertStatusReqListV2Extension(s, extlen);
-            } else if (extType == ExtensionType.EXT_EXTENDED_MASTER_SECRET) {
-                extension = new ExtendedMasterSecretExtension(s, extlen);
-            } else {
-                extension = new UnknownExtension(s, extlen, extType);
-            }
-            extensions.add(extension);
-            len -= extlen + 4;
-        }
-        if (len != 0) {
-            throw new SSLProtocolException(
-                        "Error parsing extensions: extra data");
-        }
-    }
-
-    // Return the List of extensions. Must not be modified by the caller.
-    List<HelloExtension> list() {
-        return extensions;
-    }
-
-    void add(HelloExtension ext) {
-        if (extensions.isEmpty()) {
-            extensions = new ArrayList<HelloExtension>();
-        }
-        extensions.add(ext);
-        encodedLength = -1;
-    }
-
-    HelloExtension get(ExtensionType type) {
-        for (HelloExtension ext : extensions) {
-            if (ext.type == type) {
-                return ext;
-            }
-        }
-        return null;
-    }
-
-    int length() {
-        if (encodedLength >= 0) {
-            return encodedLength;
-        }
-        if (extensions.isEmpty()) {
-            encodedLength = 0;
-        } else {
-            encodedLength = 2;
-            for (HelloExtension ext : extensions) {
-                encodedLength += ext.length();
-            }
-        }
-        return encodedLength;
-    }
-
-    void send(HandshakeOutStream s) throws IOException {
-        int length = length();
-        if (length == 0) {
-            return;
-        }
-        s.putInt16(length - 2);
-        for (HelloExtension ext : extensions) {
-            ext.send(s);
-        }
-    }
-
-    void print(PrintStream s) throws IOException {
-        for (HelloExtension ext : extensions) {
-            s.println(ext.toString());
-        }
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java	2018-05-11 15:09:57.349557200 -0700
@@ -0,0 +1,360 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.*;
+
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.util.HexDumpEncoder;
+
+/**
+ * SSL/(D)TLS extensions in a handshake message.
+ */
+final class SSLExtensions {
+    private final HandshakeMessage handshakeMessage;
+    private Map<SSLExtension, byte[]> extMap = new LinkedHashMap<>();
+    private int encodedLength;
+
+    // Extension map for debug logging
+    private final Map<Integer, byte[]> logMap =
+            SSLLogger.isOn ? null : new LinkedHashMap<>();
+
+    SSLExtensions(HandshakeMessage handshakeMessage) {
+        this.handshakeMessage = handshakeMessage;
+        this.encodedLength = 2;         // 2: the length of the extensions.
+    }
+
+    SSLExtensions(HandshakeMessage hm,
+            ByteBuffer m, SSLExtension[] extensions) throws IOException {
+        this.handshakeMessage = hm;
+
+        int len = Record.getInt16(m);
+        encodedLength = len + 2;        // 2: the length of the extensions.
+        while (len > 0) {
+            int extId = Record.getInt16(m);
+            int extLen = Record.getInt16(m);
+            if (extLen > m.remaining()) {
+                hm.handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                        "Error parsing extension (" + extId +
+                        "): no sufficient data");
+            }
+
+            SSLHandshake handshakeType = hm.handshakeType();
+            if (SSLExtension.isConsumable(extId) &&
+                    SSLExtension.valueOf(handshakeType, extId) == null) {
+                hm.handshakeContext.conContext.fatal(
+                        Alert.UNSUPPORTED_EXTENSION,
+                        "extension (" + extId +
+                        ") should not be presented in " + handshakeType.name);
+            }
+
+            boolean isSupported = false;
+            for (SSLExtension extension : extensions) {
+                if ((extension.id != extId) ||
+                        (extension.onLoadConcumer == null)) {
+                    continue;
+                }
+
+                if (extension.handshakeType != handshakeType) {
+                    hm.handshakeContext.conContext.fatal(
+                            Alert.UNSUPPORTED_EXTENSION,
+                            "extension (" + extId + ") should not be " +
+                            "presented in " + handshakeType.name);
+                }
+
+                byte[] extData = new byte[extLen];
+                m.get(extData);
+                extMap.put(extension, extData);
+                if (logMap != null) {
+                    logMap.put(extId, extData);
+                }
+
+                isSupported = true;
+                break;
+            }
+
+            if (!isSupported) {
+                if (logMap != null) {
+                    // cache the extension for debug logging
+                    byte[] extData = new byte[extLen];
+                    m.get(extData);
+                    logMap.put(extId, extData);
+
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                        SSLLogger.fine(
+                                "Ignore unknown or unsupported extension",
+                                toString(extId, extData));
+                    }
+                } else {
+                    // ignore the extension
+                    int pos = m.position() + extLen;
+                    m.position(pos);
+                }
+            }
+
+            len -= extLen + 4;
+        }
+    }
+
+    byte[] get(SSLExtension ext) {
+        return extMap.get(ext);
+    }
+
+    /**
+     * Consume the specified extensions.
+     */
+    void consumeOnLoad(HandshakeContext context,
+            SSLExtension[] extensions) throws IOException {
+        for (SSLExtension extension : extensions) {
+            if (context.negotiatedProtocol != null &&
+                    !extension.isAvailable(context.negotiatedProtocol)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unsupported extension: " + extension.name);
+                }
+                continue;
+                // context.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
+                //         context.negotiatedProtocol + " does not support " +
+                //         extension + " extension");
+            }
+
+            if (!extMap.containsKey(extension)) {
+                if (extension.onLoadAbsence != null) {
+                    extension.absent(context, handshakeMessage);
+                } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " + extension.name);
+                }
+                continue;
+            }
+
+
+            if (extension.onLoadConcumer == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                        "Ignore unsupported extension: " + extension.name);
+                }
+                continue;
+            }
+
+            ByteBuffer m = ByteBuffer.wrap(extMap.get(extension));
+            extension.consumeOnLoad(context, handshakeMessage, m);
+
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Consumed extension: " + extension.name);
+            }
+        }
+    }
+
+    /**
+     * Consider impact of the specified extensions.
+     */
+    void consumeOnTrade(HandshakeContext context,
+            SSLExtension[] extensions) throws IOException {
+        for (SSLExtension extension : extensions) {
+            if (!extMap.containsKey(extension)) {
+                // No impact could be expected, so just ignore the absence.
+                continue;
+            }
+
+            if (extension.onTradeConsumer == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Ignore impact of unsupported extension: " +
+                            extension.name);
+                }
+                continue;
+            }
+
+            extension.consumeOnTrade(context, handshakeMessage);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Populated with extension: " + extension.name);
+            }
+        }
+    }
+
+    /**
+     * Produce extension values for the specified extensions.
+     */
+    void produce(HandshakeContext context,
+            SSLExtension[] extensions) throws IOException {
+        for (SSLExtension extension : extensions) {
+            if (extMap.containsKey(extension)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                            "Ignore, duplicated extension: " +
+                            extension.name);
+                }
+                continue;
+            }
+
+            if (extension.networkProducer == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Ignore, no extension producer defined: " +
+                            extension.name);
+                }
+                continue;
+            }
+
+            byte[] encoded = extension.produce(context, handshakeMessage);
+            if (encoded != null) {
+                extMap.put(extension, encoded);
+                encodedLength += encoded.length + 4; // extension_type (2)
+                                                     // extension_data length(2)
+            } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                // The extension is not available in the context.
+                SSLLogger.fine(
+                        "Ignore, context unavailable extension: " +
+                        extension.name);
+            }
+        }
+    }
+
+    /**
+     * Produce extension values for the specified extensions, replacing if
+     * there is an existing extension value for a specified extension.
+     */
+    void reproduce(HandshakeContext context,
+            SSLExtension[] extensions) throws IOException {
+        for (SSLExtension extension : extensions) {
+            if (extension.networkProducer == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Ignore, no extension producer defined: " +
+                            extension.name);
+                }
+                continue;
+            }
+
+            byte[] encoded = extension.produce(context, handshakeMessage);
+            if (encoded != null) {
+                if (extMap.containsKey(extension)) {
+                    byte[] old = extMap.replace(extension, encoded);
+                    if (old != null) {
+                        encodedLength -= old.length + 4;
+                    }
+                    encodedLength += encoded.length + 4;
+                } else {
+                    extMap.put(extension, encoded);
+                    encodedLength += encoded.length + 4;
+                                                    // extension_type (2)
+                                                    // extension_data length(2)
+                }
+            } else if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                // The extension is not available in the context.
+                SSLLogger.fine(
+                        "Ignore, context unavailable extension: " +
+                        extension.name);
+            }
+        }
+    }
+
+    // Note that TLS 1.3 may use empty extensions.  Please consider it while
+    // using this method.
+    int length() {
+        if (extMap.isEmpty()) {
+            return 0;
+        } else {
+            return encodedLength;
+        }
+    }
+
+    // Note that TLS 1.3 may use empty extensions.  Please consider it while
+    // using this method.
+    void send(HandshakeOutStream hos) throws IOException {
+        int extsLen = length();
+        if (extsLen == 0) {
+            return;
+        }
+        hos.putInt16(extsLen - 2);
+        // extensions must be sent in the order they appear in the enum
+        for (SSLExtension ext : SSLExtension.values()) {
+            byte[] extData = extMap.get(ext);
+            if (extData != null) {
+                hos.putInt16(ext.id);
+                hos.putBytes16(extData);
+            }
+        }
+    }
+
+    @Override
+    public String toString() {
+        if (extMap.isEmpty() && (logMap == null || logMap.isEmpty())) {
+            return "<no extension>";
+        } else {
+            StringBuilder builder = new StringBuilder(512);
+            if (logMap != null) {
+                for (Map.Entry<Integer, byte[]> en : logMap.entrySet()) {
+                    SSLExtension ext = SSLExtension.valueOf(
+                            handshakeMessage.handshakeType(), en.getKey());
+                    if (builder.length() != 0) {
+                        builder.append(",\n");
+                    }
+                    if (ext != null) {
+                        builder.append(
+                                ext.toString(ByteBuffer.wrap(en.getValue())));
+                    } else {
+                        builder.append(toString(en.getKey(), en.getValue()));
+                    }
+                }
+
+                return builder.toString();
+            } else {
+                for (Map.Entry<SSLExtension, byte[]> en : extMap.entrySet()) {
+                    if (builder.length() != 0) {
+                        builder.append(",\n");
+                    }
+                    builder.append(
+                        en.getKey().toString(ByteBuffer.wrap(en.getValue())));
+                }
+
+                return builder.toString();
+            }
+        }
+    }
+
+    private static String toString(int extId, byte[] extData) {
+        MessageFormat messageFormat = new MessageFormat(
+            "\"unknown extension ({0})\": '{'\n" +
+            "{1}\n" +
+            "'}'",
+            Locale.ENGLISH);
+
+        HexDumpEncoder hexEncoder = new HexDumpEncoder();
+        String encoded = hexEncoder.encodeBuffer(extData);
+
+        Object[] messageFields = {
+            extId,
+            Utilities.indent(encoded)
+        };
+
+        return messageFormat.format(messageFields);
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/HandshakeMessage.java	2018-05-11 15:09:59.897506000 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,2430 +0,0 @@
-/*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.*;
-import java.math.BigInteger;
-import java.security.*;
-import java.security.interfaces.*;
-import java.security.spec.*;
-import java.security.cert.*;
-import java.security.cert.Certificate;
-import java.util.*;
-import java.util.concurrent.ConcurrentHashMap;
-
-import java.lang.reflect.*;
-
-import javax.security.auth.x500.X500Principal;
-
-import javax.crypto.KeyGenerator;
-import javax.crypto.SecretKey;
-import javax.crypto.spec.DHPublicKeySpec;
-
-import javax.net.ssl.*;
-
-import sun.security.internal.spec.TlsPrfParameterSpec;
-import sun.security.ssl.CipherSuite.*;
-import static sun.security.ssl.CipherSuite.PRF.*;
-import sun.security.util.KeyUtil;
-import sun.security.util.MessageDigestSpi2;
-import sun.security.provider.certpath.OCSPResponse;
-
-/**
- * Many data structures are involved in the handshake messages.  These
- * classes are used as structures, with public data members.  They are
- * not visible outside the SSL package.
- *
- * Handshake messages all have a common header format, and they are all
- * encoded in a "handshake data" SSL record substream.  The base class
- * here (HandshakeMessage) provides a common framework and records the
- * SSL record type of the particular handshake message.
- *
- * This file contains subclasses for all the basic handshake messages.
- * All handshake messages know how to encode and decode themselves on
- * SSL streams; this facilitates using the same code on SSL client and
- * server sides, although they don't send and receive the same messages.
- *
- * Messages also know how to print themselves, which is quite handy
- * for debugging.  They always identify their type, and can optionally
- * dump all of their content.
- *
- * @author David Brownell
- */
-public abstract class HandshakeMessage {
-
-    /* Class and subclass dynamic debugging support */
-    public static final Debug debug = Debug.getInstance("ssl");
-
-    // enum HandshakeType:
-    //
-    // Please update the isUnsupported() method accordingly if the handshake
-    // types get updated in the future.
-    static final byte   ht_hello_request          = 0;      // RFC 5246
-    static final byte   ht_client_hello           = 1;      // RFC 5246
-    static final byte   ht_server_hello           = 2;      // RFC 5246
-    static final byte   ht_hello_verify_request   = 3;      // RFC 6347
-    static final byte   ht_new_session_ticket     = 4;      // RFC 4507
-
-    static final byte   ht_certificate            = 11;     // RFC 5246
-    static final byte   ht_server_key_exchange    = 12;     // RFC 5246
-    static final byte   ht_certificate_request    = 13;     // RFC 5246
-    static final byte   ht_server_hello_done      = 14;     // RFC 5246
-    static final byte   ht_certificate_verify     = 15;     // RFC 5246
-    static final byte   ht_client_key_exchange    = 16;     // RFC 5246
-
-    static final byte   ht_finished               = 20;     // RFC 5246
-    static final byte   ht_certificate_url        = 21;     // RFC 6066
-    static final byte   ht_certificate_status     = 22;     // RFC 6066
-    static final byte   ht_supplemental_data      = 23;     // RFC 4680
-
-    static final byte   ht_not_applicable         = -1;     // N/A
-
-    /*
-     * SSL 3.0 MAC padding constants.
-     * Also used by CertificateVerify and Finished during the handshake.
-     */
-    static final byte[] MD5_pad1 = genPad(0x36, 48);
-    static final byte[] MD5_pad2 = genPad(0x5c, 48);
-
-    static final byte[] SHA_pad1 = genPad(0x36, 40);
-    static final byte[] SHA_pad2 = genPad(0x5c, 40);
-
-    // default constructor
-    HandshakeMessage() {
-    }
-
-    /**
-     * Utility method to convert a BigInteger to a byte array in unsigned
-     * format as needed in the handshake messages. BigInteger uses
-     * 2's complement format, i.e. it prepends an extra zero if the MSB
-     * is set. We remove that.
-     */
-    static byte[] toByteArray(BigInteger bi) {
-        byte[] b = bi.toByteArray();
-        if ((b.length > 1) && (b[0] == 0)) {
-            int n = b.length - 1;
-            byte[] newarray = new byte[n];
-            System.arraycopy(b, 1, newarray, 0, n);
-            b = newarray;
-        }
-        return b;
-    }
-
-    static boolean isUnsupported(byte handshakeType) {
-        return (handshakeType != ht_hello_request) &&
-               (handshakeType != ht_client_hello) &&
-               (handshakeType != ht_server_hello) &&
-               (handshakeType != ht_hello_verify_request) &&
-               (handshakeType != ht_new_session_ticket) &&
-               (handshakeType != ht_certificate) &&
-               (handshakeType != ht_server_key_exchange) &&
-               (handshakeType != ht_certificate_request) &&
-               (handshakeType != ht_server_hello_done) &&
-               (handshakeType != ht_certificate_verify) &&
-               (handshakeType != ht_client_key_exchange) &&
-               (handshakeType != ht_finished) &&
-               (handshakeType != ht_certificate_url) &&
-               (handshakeType != ht_certificate_status) &&
-               (handshakeType != ht_supplemental_data);
-    }
-
-    private static byte[] genPad(int b, int count) {
-        byte[] padding = new byte[count];
-        Arrays.fill(padding, (byte)b);
-        return padding;
-    }
-
-    /*
-     * Write a handshake message on the (handshake) output stream.
-     * This is just a four byte header followed by the data.
-     *
-     * NOTE that huge messages -- notably, ones with huge cert
-     * chains -- are handled correctly.
-     */
-    final void write(HandshakeOutStream s) throws IOException {
-        int len = messageLength();
-        if (len >= Record.OVERFLOW_OF_INT24) {
-            throw new SSLException("Handshake message too big"
-                + ", type = " + messageType() + ", len = " + len);
-        }
-        s.write(messageType());
-        s.putInt24(len);
-        send(s);
-        s.complete();
-    }
-
-    /*
-     * Subclasses implement these methods so those kinds of
-     * messages can be emitted.  Base class delegates to subclass.
-     */
-    abstract int  messageType();
-    abstract int  messageLength();
-    abstract void send(HandshakeOutStream s) throws IOException;
-
-    /*
-     * Write a descriptive message on the output stream; for debugging.
-     */
-    abstract void print(PrintStream p) throws IOException;
-
-//
-// NOTE:  the rest of these classes are nested within this one, and are
-// imported by other classes in this package.  There are a few other
-// handshake message classes, not neatly nested here because of current
-// licensing requirement for native (RSA) methods.  They belong here,
-// but those native methods complicate things a lot!
-//
-
-
-/*
- * HelloRequest ... SERVER --> CLIENT
- *
- * Server can ask the client to initiate a new handshake, e.g. to change
- * session parameters after a connection has been (re)established.
- */
-static final class HelloRequest extends HandshakeMessage {
-    @Override
-    int messageType() { return ht_hello_request; }
-
-    HelloRequest() { }
-
-    HelloRequest(HandshakeInStream in) throws IOException
-    {
-        // nothing in this message
-    }
-
-    @Override
-    int messageLength() { return 0; }
-
-    @Override
-    void send(HandshakeOutStream out) throws IOException
-    {
-        // nothing in this messaage
-    }
-
-    @Override
-    void print(PrintStream out) throws IOException
-    {
-        out.println("*** HelloRequest (empty)");
-    }
-
-}
-
-/*
- * HelloVerifyRequest ... SERVER --> CLIENT  [DTLS only]
- *
- * The definition of HelloVerifyRequest is as follows:
- *
- *     struct {
- *       ProtocolVersion server_version;
- *       opaque cookie<0..2^8-1>;
- *     } HelloVerifyRequest;
- *
- * For DTLS protocols, once the client has transmitted the ClientHello message,
- * it expects to see a HelloVerifyRequest from the server.  However, if the
- * server's message is lost, the client knows that either the ClientHello or
- * the HelloVerifyRequest has been lost and retransmits. [RFC 6347]
- */
-static final class HelloVerifyRequest extends HandshakeMessage {
-    ProtocolVersion     protocolVersion;
-    byte[]              cookie;         // 1 to 2^8 - 1 bytes
-
-    HelloVerifyRequest(HelloCookieManager helloCookieManager,
-            ClientHello clientHelloMsg) {
-
-        this.protocolVersion = clientHelloMsg.protocolVersion;
-        this.cookie = helloCookieManager.getCookie(clientHelloMsg);
-    }
-
-    HelloVerifyRequest(
-            HandshakeInStream input, int messageLength) throws IOException {
-
-        this.protocolVersion =
-                ProtocolVersion.valueOf(input.getInt8(), input.getInt8());
-        this.cookie = input.getBytes8();
-
-        // Is it a valid cookie?
-        HelloCookieManager.checkCookie(protocolVersion, cookie);
-    }
-
-    @Override
-    int messageType() {
-        return ht_hello_verify_request;
-    }
-
-    @Override
-    int messageLength() {
-        return 2 + cookie.length;       // 2: the length of protocolVersion
-    }
-
-    @Override
-    void send(HandshakeOutStream hos) throws IOException {
-        hos.putInt8(protocolVersion.major);
-        hos.putInt8(protocolVersion.minor);
-        hos.putBytes8(cookie);
-    }
-
-    @Override
-    void print(PrintStream out) throws IOException {
-        out.println("*** HelloVerifyRequest");
-        if (debug != null && Debug.isOn("verbose")) {
-            out.println("server_version: " + protocolVersion);
-            Debug.println(out, "cookie", cookie);
-        }
-    }
-}
-
-/*
- * ClientHello ... CLIENT --> SERVER
- *
- * Client initiates handshake by telling server what it wants, and what it
- * can support (prioritized by what's first in the ciphe suite list).
- *
- * By RFC2246:7.4.1.2 it's explicitly anticipated that this message
- * will have more data added at the end ... e.g. what CAs the client trusts.
- * Until we know how to parse it, we will just read what we know
- * about, and let our caller handle the jumps over unknown data.
- */
-static final class ClientHello extends HandshakeMessage {
-
-    ProtocolVersion             protocolVersion;
-    RandomCookie                clnt_random;
-    SessionId                   sessionId;
-    byte[]                      cookie;                     // DTLS only
-    private CipherSuiteList     cipherSuites;
-    private final boolean       isDTLS;
-    byte[]                      compression_methods;
-
-    HelloExtensions extensions = new HelloExtensions();
-
-    private static final byte[]  NULL_COMPRESSION = new byte[] {0};
-
-    ClientHello(SecureRandom generator, ProtocolVersion protocolVersion,
-            SessionId sessionId, CipherSuiteList cipherSuites,
-            boolean isDTLS) {
-
-        this.isDTLS = isDTLS;
-        this.protocolVersion = protocolVersion;
-        this.sessionId = sessionId;
-        this.cipherSuites = cipherSuites;
-        if (isDTLS) {
-            this.cookie = new byte[0];
-        } else {
-            this.cookie = null;
-        }
-
-        clnt_random = new RandomCookie(generator);
-        compression_methods = NULL_COMPRESSION;
-    }
-
-    ClientHello(HandshakeInStream s,
-            int messageLength, boolean isDTLS) throws IOException {
-
-        this.isDTLS = isDTLS;
-
-        protocolVersion = ProtocolVersion.valueOf(s.getInt8(), s.getInt8());
-        clnt_random = new RandomCookie(s);
-        sessionId = new SessionId(s.getBytes8());
-        sessionId.checkLength(protocolVersion);
-        if (isDTLS) {
-            cookie = s.getBytes8();
-        } else {
-            cookie = null;
-        }
-
-        cipherSuites = new CipherSuiteList(s);
-        compression_methods = s.getBytes8();
-        if (messageLength() != messageLength) {
-            extensions = new HelloExtensions(s);
-        }
-    }
-
-    CipherSuiteList getCipherSuites() {
-        return cipherSuites;
-    }
-
-    // add renegotiation_info extension
-    void addRenegotiationInfoExtension(byte[] clientVerifyData) {
-        HelloExtension renegotiationInfo = new RenegotiationInfoExtension(
-                    clientVerifyData, new byte[0]);
-        extensions.add(renegotiationInfo);
-    }
-
-    // add server_name extension
-    void addSNIExtension(List<SNIServerName> serverNames) {
-        try {
-            extensions.add(new ServerNameExtension(serverNames));
-        } catch (IOException ioe) {
-            // ignore the exception and return
-        }
-    }
-
-    // add signature_algorithm extension
-    void addSignatureAlgorithmsExtension(
-            Collection<SignatureAndHashAlgorithm> algorithms) {
-        HelloExtension signatureAlgorithm =
-                new SignatureAlgorithmsExtension(algorithms);
-        extensions.add(signatureAlgorithm);
-    }
-
-    void addExtendedMasterSecretExtension() {
-        extensions.add(new ExtendedMasterSecretExtension());
-    }
-
-    void addMFLExtension(int maximumPacketSize) {
-        HelloExtension maxFragmentLength =
-                new MaxFragmentLengthExtension(maximumPacketSize);
-        extensions.add(maxFragmentLength);
-    }
-
-    void updateHelloCookie(MessageDigest cookieDigest) {
-        //
-        // Just use HandshakeOutStream to compute the hello verify cookie.
-        // Not actually used to output handshake message records.
-        //
-        HandshakeOutStream hos = new HandshakeOutStream(null);
-
-        try {
-            send(hos, false);    // Do not count hello verify cookie.
-        } catch (IOException ioe) {
-            // unlikely to happen
-        }
-
-        cookieDigest.update(hos.toByteArray());
-    }
-
-    // Add status_request extension type
-    void addCertStatusRequestExtension() {
-        extensions.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest()));
-    }
-
-    // Add status_request_v2 extension type
-    void addCertStatusReqListV2Extension() {
-        // Create a default OCSPStatusRequest that we can use for both
-        // OCSP_MULTI and OCSP request list items.
-        OCSPStatusRequest osr = new OCSPStatusRequest();
-        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                osr));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
-        extensions.add(new CertStatusReqListV2Extension(itemList));
-    }
-
-    // add application_layer_protocol_negotiation extension
-    void addALPNExtension(String[] applicationProtocols) throws SSLException {
-        extensions.add(new ALPNExtension(applicationProtocols));
-    }
-
-    @Override
-    int messageType() { return ht_client_hello; }
-
-    @Override
-    int messageLength() {
-        /*
-         * Add fixed size parts of each field...
-         * version + random + session + cipher + compress
-         */
-        return (2 + 32 + 1 + 2 + 1
-            + sessionId.length()                /* ... + variable parts */
-            + (isDTLS ? (1 + cookie.length) : 0)
-            + (cipherSuites.size() * 2)
-            + compression_methods.length)
-            + extensions.length();
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        send(s, true);  // Count hello verify cookie.
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** ClientHello, " + protocolVersion);
-
-        if (debug != null && Debug.isOn("verbose")) {
-            s.print("RandomCookie:  ");
-            clnt_random.print(s);
-
-            s.print("Session ID:  ");
-            s.println(sessionId);
-
-            if (isDTLS) {
-                Debug.println(s, "cookie", cookie);
-            }
-
-            s.println("Cipher Suites: " + cipherSuites);
-
-            Debug.println(s, "Compression Methods", compression_methods);
-            extensions.print(s);
-            s.println("***");
-        }
-    }
-
-    private void send(HandshakeOutStream s,
-            boolean computeCookie) throws IOException {
-        s.putInt8(protocolVersion.major);
-        s.putInt8(protocolVersion.minor);
-        clnt_random.send(s);
-        s.putBytes8(sessionId.getId());
-        if (isDTLS && computeCookie) {
-            s.putBytes8(cookie);
-        }
-        cipherSuites.send(s);
-        s.putBytes8(compression_methods);
-        extensions.send(s);
-    }
-
-}
-
-/*
- * ServerHello ... SERVER --> CLIENT
- *
- * Server chooses protocol options from among those it supports and the
- * client supports.  Then it sends the basic session descriptive parameters
- * back to the client.
- */
-static final
-class ServerHello extends HandshakeMessage
-{
-    @Override
-    int messageType() { return ht_server_hello; }
-
-    ProtocolVersion     protocolVersion;
-    RandomCookie        svr_random;
-    SessionId           sessionId;
-    CipherSuite         cipherSuite;
-    byte                compression_method;
-    HelloExtensions extensions = new HelloExtensions();
-
-    ServerHello() {
-        // empty
-    }
-
-    ServerHello(HandshakeInStream input, int messageLength)
-            throws IOException {
-        protocolVersion = ProtocolVersion.valueOf(input.getInt8(),
-                                                  input.getInt8());
-        svr_random = new RandomCookie(input);
-        sessionId = new SessionId(input.getBytes8());
-        sessionId.checkLength(protocolVersion);
-        cipherSuite = CipherSuite.valueOf(input.getInt8(), input.getInt8());
-        compression_method = (byte)input.getInt8();
-        if (messageLength() != messageLength) {
-            extensions = new HelloExtensions(input);
-        }
-    }
-
-    @Override
-    int messageLength()
-    {
-        // almost fixed size, except session ID and extensions:
-        //      major + minor = 2
-        //      random = 32
-        //      session ID len field = 1
-        //      cipher suite + compression = 3
-        //      extensions: if present, 2 + length of extensions
-        return 38 + sessionId.length() + extensions.length();
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException
-    {
-        s.putInt8(protocolVersion.major);
-        s.putInt8(protocolVersion.minor);
-        svr_random.send(s);
-        s.putBytes8(sessionId.getId());
-        s.putInt8(cipherSuite.id >> 8);
-        s.putInt8(cipherSuite.id & 0xff);
-        s.putInt8(compression_method);
-        extensions.send(s);
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException
-    {
-        s.println("*** ServerHello, " + protocolVersion);
-
-        if (debug != null && Debug.isOn("verbose")) {
-            s.print("RandomCookie:  ");
-            svr_random.print(s);
-
-            s.print("Session ID:  ");
-            s.println(sessionId);
-
-            s.println("Cipher Suite: " + cipherSuite);
-            s.println("Compression Method: " + compression_method);
-            extensions.print(s);
-            s.println("***");
-        }
-    }
-}
-
-
-/*
- * CertificateMsg ... send by both CLIENT and SERVER
- *
- * Each end of a connection may need to pass its certificate chain to
- * the other end.  Such chains are intended to validate an identity with
- * reference to some certifying authority.  Examples include companies
- * like Verisign, or financial institutions.  There's some control over
- * the certifying authorities which are sent.
- *
- * NOTE: that these messages might be huge, taking many handshake records.
- * Up to 2^48 bytes of certificate may be sent, in records of at most 2^14
- * bytes each ... up to 2^32 records sent on the output stream.
- */
-static final
-class CertificateMsg extends HandshakeMessage
-{
-    @Override
-    int messageType() { return ht_certificate; }
-
-    private X509Certificate[] chain;
-
-    private List<byte[]> encodedChain;
-
-    private int messageLength;
-
-    CertificateMsg(X509Certificate[] certs) {
-        chain = certs;
-    }
-
-    CertificateMsg(HandshakeInStream input) throws IOException {
-        int chainLen = input.getInt24();
-        List<Certificate> v = new ArrayList<>(4);
-
-        CertificateFactory cf = null;
-        while (chainLen > 0) {
-            byte[] cert = input.getBytes24();
-            chainLen -= (3 + cert.length);
-            try {
-                if (cf == null) {
-                    cf = CertificateFactory.getInstance("X.509");
-                }
-                v.add(cf.generateCertificate(new ByteArrayInputStream(cert)));
-            } catch (CertificateException e) {
-                throw (SSLProtocolException)new SSLProtocolException(
-                    e.getMessage()).initCause(e);
-            }
-        }
-
-        chain = v.toArray(new X509Certificate[v.size()]);
-    }
-
-    @Override
-    int messageLength() {
-        if (encodedChain == null) {
-            messageLength = 3;
-            encodedChain = new ArrayList<byte[]>(chain.length);
-            try {
-                for (X509Certificate cert : chain) {
-                    byte[] b = cert.getEncoded();
-                    encodedChain.add(b);
-                    messageLength += b.length + 3;
-                }
-            } catch (CertificateEncodingException e) {
-                encodedChain = null;
-                throw new RuntimeException("Could not encode certificates", e);
-            }
-        }
-        return messageLength;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt24(messageLength() - 3);
-        for (byte[] b : encodedChain) {
-            s.putBytes24(b);
-        }
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** Certificate chain");
-
-        if (chain.length == 0) {
-            s.println("<Empty>");
-        } else if (debug != null && Debug.isOn("verbose")) {
-            for (int i = 0; i < chain.length; i++) {
-                s.println("chain [" + i + "] = " + chain[i]);
-            }
-        }
-        s.println("***");
-    }
-
-    X509Certificate[] getCertificateChain() {
-        return chain.clone();
-    }
-}
-
-/*
- * CertificateStatus ... SERVER --> CLIENT
- *
- * When a ClientHello asserting the status_request or status_request_v2
- * extensions is accepted by the server, it will fetch and return one
- * or more status responses in this handshake message.
- *
- * NOTE: Like the Certificate handshake message, this can potentially
- * be a very large message both due to the size of multiple status
- * responses and the certificate chains that are often attached to them.
- * Up to 2^24 bytes of status responses may be sent, possibly fragmented
- * over multiple TLS records.
- */
-static final class CertificateStatus extends HandshakeMessage
-{
-    private final StatusRequestType statusType;
-    private int encodedResponsesLen;
-    private int messageLength = -1;
-    private List<byte[]> encodedResponses;
-
-    @Override
-    int messageType() { return ht_certificate_status; }
-
-    /**
-     * Create a CertificateStatus message from the certificates and their
-     * respective OCSP responses
-     *
-     * @param type an indication of the type of response (OCSP or OCSP_MULTI)
-     * @param responses a {@code List} of OCSP responses in DER-encoded form.
-     *      For the OCSP type, only the first entry in the response list is
-     *      used, and must correspond to the end-entity certificate sent to the
-     *      peer.  Zero-length or null values for the response data are not
-     *      allowed for the OCSP type.  For the OCSP_MULTI type, each entry in
-     *      the list should match its corresponding certificate sent in the
-     *      Server Certificate message.  Where an OCSP response does not exist,
-     *      either a zero-length array or a null value should be used.
-     *
-     * @throws SSLException if an unsupported StatusRequestType or invalid
-     *      OCSP response data is provided.
-     */
-    CertificateStatus(StatusRequestType type, X509Certificate[] chain,
-            Map<X509Certificate, byte[]> responses) {
-        statusType = type;
-        encodedResponsesLen = 0;
-        encodedResponses = new ArrayList<>(chain.length);
-
-        Objects.requireNonNull(chain, "Null chain not allowed");
-        Objects.requireNonNull(responses, "Null responses not allowed");
-
-        if (statusType == StatusRequestType.OCSP) {
-            // Just get the response for the end-entity certificate
-            byte[] respDER = responses.get(chain[0]);
-            if (respDER != null && respDER.length > 0) {
-                encodedResponses.add(respDER);
-                encodedResponsesLen = 3 + respDER.length;
-            } else {
-                throw new IllegalArgumentException("Zero-length or null " +
-                        "OCSP Response");
-            }
-        } else if (statusType == StatusRequestType.OCSP_MULTI) {
-            for (X509Certificate cert : chain) {
-                byte[] respDER = responses.get(cert);
-                if (respDER != null) {
-                    encodedResponses.add(respDER);
-                    encodedResponsesLen += (respDER.length + 3);
-                } else {
-                    // If we cannot find a response for a given certificate
-                    // then use a zero-length placeholder.
-                    encodedResponses.add(new byte[0]);
-                    encodedResponsesLen += 3;
-                }
-            }
-        } else {
-            throw new IllegalArgumentException(
-                    "Unsupported StatusResponseType: " + statusType);
-        }
-    }
-
-    /**
-     * Decode the CertificateStatus handshake message coming from a
-     * {@code HandshakeInputStream}.
-     *
-     * @param input the {@code HandshakeInputStream} containing the
-     * CertificateStatus message bytes.
-     *
-     * @throws SSLHandshakeException if a zero-length response is found in the
-     * OCSP response type, or an unsupported response type is detected.
-     * @throws IOException if a decoding error occurs.
-     */
-    CertificateStatus(HandshakeInStream input) throws IOException {
-        encodedResponsesLen = 0;
-        encodedResponses = new ArrayList<>();
-
-        statusType = StatusRequestType.get(input.getInt8());
-        if (statusType == StatusRequestType.OCSP) {
-            byte[] respDER = input.getBytes24();
-            // Convert the incoming bytes to a OCSPResponse strucutre
-            if (respDER.length > 0) {
-                encodedResponses.add(respDER);
-                encodedResponsesLen = 3 + respDER.length;
-            } else {
-                throw new SSLHandshakeException("Zero-length OCSP Response");
-            }
-        } else if (statusType == StatusRequestType.OCSP_MULTI) {
-            int respListLen = input.getInt24();
-            encodedResponsesLen = respListLen;
-
-            // Add each OCSP reponse into the array list in the order
-            // we receive them off the wire.  A zero-length array is
-            // allowed for ocsp_multi, and means that a response for
-            // a given certificate is not available.
-            while (respListLen > 0) {
-                byte[] respDER = input.getBytes24();
-                encodedResponses.add(respDER);
-                respListLen -= (respDER.length + 3);
-            }
-
-            if (respListLen != 0) {
-                throw new SSLHandshakeException(
-                        "Bad OCSP response list length");
-            }
-        } else {
-            throw new SSLHandshakeException("Unsupported StatusResponseType: " +
-                    statusType);
-        }
-    }
-
-    /**
-     * Get the length of the CertificateStatus message.
-     *
-     * @return the length of the message in bytes.
-     */
-    @Override
-    int messageLength() {
-        int len = 1;            // Length + Status type
-
-        if (messageLength == -1) {
-            if (statusType == StatusRequestType.OCSP) {
-                len += encodedResponsesLen;
-            } else if (statusType == StatusRequestType.OCSP_MULTI) {
-                len += 3 + encodedResponsesLen;
-            }
-            messageLength = len;
-        }
-
-        return messageLength;
-    }
-
-    /**
-     * Encode the CertificateStatus handshake message and place it on a
-     * {@code HandshakeOutputStream}.
-     *
-     * @param s the HandshakeOutputStream that will the message bytes.
-     *
-     * @throws IOException if an encoding error occurs.
-     */
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt8(statusType.id);
-        if (statusType == StatusRequestType.OCSP) {
-            s.putBytes24(encodedResponses.get(0));
-        } else if (statusType == StatusRequestType.OCSP_MULTI) {
-            s.putInt24(encodedResponsesLen);
-            for (byte[] respBytes : encodedResponses) {
-                if (respBytes != null) {
-                    s.putBytes24(respBytes);
-                } else {
-                    s.putBytes24(null);
-                }
-            }
-        } else {
-            // It is highly unlikely that we will fall into this section of
-            // the code.
-            throw new SSLHandshakeException("Unsupported status_type: " +
-                    statusType.id);
-        }
-    }
-
-    /**
-     * Display a human-readable representation of the CertificateStatus message.
-     *
-     * @param s the PrintStream used to display the message data.
-     *
-     * @throws IOException if any errors occur while parsing the OCSP response
-     * bytes into a readable form.
-     */
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** CertificateStatus");
-        if (debug != null && Debug.isOn("verbose")) {
-            s.println("Type: " + statusType);
-            if (statusType == StatusRequestType.OCSP) {
-                OCSPResponse oResp = new OCSPResponse(encodedResponses.get(0));
-                s.println(oResp);
-            } else if (statusType == StatusRequestType.OCSP_MULTI) {
-                int numResponses = encodedResponses.size();
-                s.println(numResponses +
-                        (numResponses == 1 ? " entry:" : " entries:"));
-                for (byte[] respDER : encodedResponses) {
-                    if (respDER.length > 0) {
-                        OCSPResponse oResp = new OCSPResponse(respDER);
-                        s.println(oResp);
-                    } else {
-                        s.println("<Zero-length entry>");
-                    }
-                }
-            }
-        }
-    }
-
-    /**
-     * Get the type of CertificateStatus message
-     *
-     * @return the {@code StatusRequestType} for this CertificateStatus
-     *      message.
-     */
-    StatusRequestType getType() {
-        return statusType;
-    }
-
-    /**
-     * Get the list of non-zero length OCSP responses.
-     * The responses returned in this list can be used to map to
-     * {@code X509Certificate} objects provided by the peer and
-     * provided to a {@code PKIXRevocationChecker}.
-     *
-     * @return an unmodifiable List of zero or more byte arrays, each one
-     *      consisting of a single status response.
-     */
-    List<byte[]> getResponses() {
-        return Collections.unmodifiableList(encodedResponses);
-    }
-}
-
-/*
- * ServerKeyExchange ... SERVER --> CLIENT
- *
- * The cipher suite selected, when combined with the certificate exchanged,
- * implies one of several different kinds of key exchange.  Most current
- * cipher suites require the server to send more than its certificate.
- *
- * The primary exceptions are when a server sends an encryption-capable
- * RSA public key in its cert, to be used with RSA (or RSA_export) key
- * exchange; and when a server sends its Diffie-Hellman cert.  Those kinds
- * of key exchange do not require a ServerKeyExchange message.
- *
- * Key exchange can be viewed as having three modes, which are explicit
- * for the Diffie-Hellman flavors and poorly specified for RSA ones:
- *
- *      - "Ephemeral" keys.  Here, a "temporary" key is allocated by the
- *        server, and signed.  Diffie-Hellman keys signed using RSA or
- *        DSS are ephemeral (DHE flavor).  RSA keys get used to do the same
- *        thing, to cut the key size down to 512 bits (export restrictions)
- *        or for signing-only RSA certificates.
- *
- *      - Anonymity.  Here no server certificate is sent, only the public
- *        key of the server.  This case is subject to man-in-the-middle
- *        attacks.  This can be done with Diffie-Hellman keys (DH_anon) or
- *        with RSA keys, but is only used in SSLv3 for DH_anon.
- *
- *      - "Normal" case.  Here a server certificate is sent, and the public
- *        key there is used directly in exchanging the premaster secret.
- *        For example, Diffie-Hellman "DH" flavor, and any RSA flavor with
- *        only 512 bit keys.
- *
- * If a server certificate is sent, there is no anonymity.  However,
- * when a certificate is sent, ephemeral keys may still be used to
- * exchange the premaster secret.  That's how RSA_EXPORT often works,
- * as well as how the DHE_* flavors work.
- */
-abstract static class ServerKeyExchange extends HandshakeMessage
-{
-    @Override
-    int messageType() { return ht_server_key_exchange; }
-}
-
-
-/*
- * Using RSA for Key Exchange:  exchange a session key that's not as big
- * as the signing-only key.  Used for export applications, since exported
- * RSA encryption keys can't be bigger than 512 bytes.
- *
- * This is never used when keys are 512 bits or smaller, and isn't used
- * on "US Domestic" ciphers in any case.
- */
-static final
-class RSA_ServerKeyExchange extends ServerKeyExchange
-{
-    private byte[] rsa_modulus;     // 1 to 2^16 - 1 bytes
-    private byte[] rsa_exponent;    // 1 to 2^16 - 1 bytes
-
-    private Signature signature;
-    private byte[] signatureBytes;
-
-    /*
-     * Hash the nonces and the ephemeral RSA public key.
-     */
-    private void updateSignature(byte[] clntNonce, byte[] svrNonce)
-            throws SignatureException {
-        int tmp;
-
-        signature.update(clntNonce);
-        signature.update(svrNonce);
-
-        tmp = rsa_modulus.length;
-        signature.update((byte)(tmp >> 8));
-        signature.update((byte)(tmp & 0x0ff));
-        signature.update(rsa_modulus);
-
-        tmp = rsa_exponent.length;
-        signature.update((byte)(tmp >> 8));
-        signature.update((byte)(tmp & 0x0ff));
-        signature.update(rsa_exponent);
-    }
-
-
-    /*
-     * Construct an RSA server key exchange message, using data
-     * known _only_ to the server.
-     *
-     * The client knows the public key corresponding to this private
-     * key, from the Certificate message sent previously.  To comply
-     * with US export regulations we use short RSA keys ... either
-     * long term ones in the server's X509 cert, or else ephemeral
-     * ones sent using this message.
-     */
-    RSA_ServerKeyExchange(PublicKey ephemeralKey, PrivateKey privateKey,
-            RandomCookie clntNonce, RandomCookie svrNonce, SecureRandom sr)
-            throws GeneralSecurityException {
-        RSAPublicKeySpec rsaKey = JsseJce.getRSAPublicKeySpec(ephemeralKey);
-        rsa_modulus = toByteArray(rsaKey.getModulus());
-        rsa_exponent = toByteArray(rsaKey.getPublicExponent());
-        signature = RSASignature.getInstance();
-        signature.initSign(privateKey, sr);
-        updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
-        signatureBytes = signature.sign();
-    }
-
-
-    /*
-     * Parse an RSA server key exchange message, using data known
-     * to the client (and, in some situations, eavesdroppers).
-     */
-    RSA_ServerKeyExchange(HandshakeInStream input)
-            throws IOException, NoSuchAlgorithmException {
-        signature = RSASignature.getInstance();
-        rsa_modulus = input.getBytes16();
-        rsa_exponent = input.getBytes16();
-        signatureBytes = input.getBytes16();
-    }
-
-    /*
-     * Get the ephemeral RSA public key that will be used in this
-     * SSL connection.
-     */
-    PublicKey getPublicKey() {
-        try {
-            KeyFactory kfac = JsseJce.getKeyFactory("RSA");
-            // modulus and exponent are always positive
-            RSAPublicKeySpec kspec = new RSAPublicKeySpec(
-                new BigInteger(1, rsa_modulus),
-                new BigInteger(1, rsa_exponent));
-            return kfac.generatePublic(kspec);
-        } catch (Exception e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-    /*
-     * Verify the signed temporary key using the hashes computed
-     * from it and the two nonces.  This is called by clients
-     * with "exportable" RSA flavors.
-     */
-    boolean verify(PublicKey certifiedKey, RandomCookie clntNonce,
-            RandomCookie svrNonce) throws GeneralSecurityException {
-        signature.initVerify(certifiedKey);
-        updateSignature(clntNonce.random_bytes, svrNonce.random_bytes);
-        return signature.verify(signatureBytes);
-    }
-
-    @Override
-    int messageLength() {
-        return 6 + rsa_modulus.length + rsa_exponent.length
-               + signatureBytes.length;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putBytes16(rsa_modulus);
-        s.putBytes16(rsa_exponent);
-        s.putBytes16(signatureBytes);
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** RSA ServerKeyExchange");
-
-        if (debug != null && Debug.isOn("verbose")) {
-            Debug.println(s, "RSA Modulus", rsa_modulus);
-            Debug.println(s, "RSA Public Exponent", rsa_exponent);
-        }
-    }
-}
-
-
-/*
- * Using Diffie-Hellman algorithm for key exchange.  All we really need to
- * do is securely get Diffie-Hellman keys (using the same P, G parameters)
- * to our peer, then we automatically have a shared secret without need
- * to exchange any more data.  (D-H only solutions, such as SKIP, could
- * eliminate key exchange negotiations and get faster connection setup.
- * But they still need a signature algorithm like DSS/DSA to support the
- * trusted distribution of keys without relying on unscalable physical
- * key distribution systems.)
- *
- * This class supports several DH-based key exchange algorithms, though
- * perhaps eventually each deserves its own class.  Notably, this has
- * basic support for DH_anon and its DHE_DSS and DHE_RSA signed variants.
- */
-static final
-class DH_ServerKeyExchange extends ServerKeyExchange
-{
-    // Fix message encoding, see 4348279
-    private static final boolean dhKeyExchangeFix =
-        Debug.getBooleanProperty("com.sun.net.ssl.dhKeyExchangeFix", true);
-
-    private byte[]                dh_p;        // 1 to 2^16 - 1 bytes
-    private byte[]                dh_g;        // 1 to 2^16 - 1 bytes
-    private byte[]                dh_Ys;       // 1 to 2^16 - 1 bytes
-
-    private byte[]                signature;
-
-    // protocol version being established using this ServerKeyExchange message
-    ProtocolVersion protocolVersion;
-
-    // the preferable signature algorithm used by this ServerKeyExchange message
-    private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
-
-    /*
-     * Construct from initialized DH key object, for DH_anon
-     * key exchange.
-     */
-    DH_ServerKeyExchange(DHCrypt obj, ProtocolVersion protocolVersion) {
-        this.protocolVersion = protocolVersion;
-        this.preferableSignatureAlgorithm = null;
-
-        // The DH key has been validated in the constructor of DHCrypt.
-        setValues(obj);
-        signature = null;
-    }
-
-    /*
-     * Construct from initialized DH key object and the key associated
-     * with the cert chain which was sent ... for DHE_DSS and DHE_RSA
-     * key exchange.  (Constructor called by server.)
-     */
-    DH_ServerKeyExchange(DHCrypt obj, PrivateKey key, byte[] clntNonce,
-            byte[] svrNonce, SecureRandom sr,
-            SignatureAndHashAlgorithm signAlgorithm,
-            ProtocolVersion protocolVersion) throws GeneralSecurityException {
-
-        this.protocolVersion = protocolVersion;
-
-        // The DH key has been validated in the constructor of DHCrypt.
-        setValues(obj);
-
-        Signature sig;
-        if (protocolVersion.useTLS12PlusSpec()) {
-            this.preferableSignatureAlgorithm = signAlgorithm;
-            sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
-        } else {
-            this.preferableSignatureAlgorithm = null;
-            if (key.getAlgorithm().equals("DSA")) {
-                sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
-            } else {
-                sig = RSASignature.getInstance();
-            }
-        }
-
-        sig.initSign(key, sr);
-        updateSignature(sig, clntNonce, svrNonce);
-        signature = sig.sign();
-    }
-
-    /*
-     * Construct a DH_ServerKeyExchange message from an input
-     * stream, as if sent from server to client for use with
-     * DH_anon key exchange
-     */
-    DH_ServerKeyExchange(HandshakeInStream input,
-            ProtocolVersion protocolVersion)
-            throws IOException, GeneralSecurityException {
-
-        this.protocolVersion = protocolVersion;
-        this.preferableSignatureAlgorithm = null;
-
-        dh_p = input.getBytes16();
-        dh_g = input.getBytes16();
-        dh_Ys = input.getBytes16();
-        KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
-                                             new BigInteger(1, dh_p),
-                                             new BigInteger(1, dh_g)));
-
-        signature = null;
-    }
-
-    /*
-     * Construct a DH_ServerKeyExchange message from an input stream
-     * and a certificate, as if sent from server to client for use with
-     * DHE_DSS or DHE_RSA key exchange.  (Called by client.)
-     */
-    DH_ServerKeyExchange(HandshakeInStream input, PublicKey publicKey,
-            byte[] clntNonce, byte[] svrNonce, int messageSize,
-            Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
-            ProtocolVersion protocolVersion)
-            throws IOException, GeneralSecurityException {
-
-        this.protocolVersion = protocolVersion;
-
-        // read params: ServerDHParams
-        dh_p = input.getBytes16();
-        dh_g = input.getBytes16();
-        dh_Ys = input.getBytes16();
-        KeyUtil.validate(new DHPublicKeySpec(new BigInteger(1, dh_Ys),
-                                             new BigInteger(1, dh_p),
-                                             new BigInteger(1, dh_g)));
-
-        // read the signature and hash algorithm
-        if (protocolVersion.useTLS12PlusSpec()) {
-            int hash = input.getInt8();         // hash algorithm
-            int signature = input.getInt8();    // signature algorithm
-
-            preferableSignatureAlgorithm =
-                SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
-
-            // Is it a local supported signature algorithm?
-            if (!localSupportedSignAlgs.contains(
-                    preferableSignatureAlgorithm)) {
-                throw new SSLHandshakeException(
-                    "Unsupported SignatureAndHashAlgorithm in " +
-                    "ServerKeyExchange message: " +
-                    preferableSignatureAlgorithm);
-            }
-        } else {
-            this.preferableSignatureAlgorithm = null;
-        }
-
-        // read the signature
-        byte[] signature;
-        if (dhKeyExchangeFix) {
-            signature = input.getBytes16();
-        } else {
-            messageSize -= (dh_p.length + 2);
-            messageSize -= (dh_g.length + 2);
-            messageSize -= (dh_Ys.length + 2);
-
-            signature = new byte[messageSize];
-            input.read(signature);
-        }
-
-        Signature sig;
-        String algorithm = publicKey.getAlgorithm();
-        if (protocolVersion.useTLS12PlusSpec()) {
-            sig = JsseJce.getSignature(
-                        preferableSignatureAlgorithm.getAlgorithmName());
-        } else {
-                switch (algorithm) {
-                    case "DSA":
-                        sig = JsseJce.getSignature(JsseJce.SIGNATURE_DSA);
-                        break;
-                    case "RSA":
-                        sig = RSASignature.getInstance();
-                        break;
-                    default:
-                        throw new SSLKeyException(
-                            "neither an RSA or a DSA key: " + algorithm);
-                }
-        }
-
-        sig.initVerify(publicKey);
-        updateSignature(sig, clntNonce, svrNonce);
-
-        if (sig.verify(signature) == false ) {
-            throw new SSLKeyException("Server D-H key verification failed");
-        }
-    }
-
-    /* Return the Diffie-Hellman modulus */
-    BigInteger getModulus() {
-        return new BigInteger(1, dh_p);
-    }
-
-    /* Return the Diffie-Hellman base/generator */
-    BigInteger getBase() {
-        return new BigInteger(1, dh_g);
-    }
-
-    /* Return the server's Diffie-Hellman public key */
-    BigInteger getServerPublicKey() {
-        return new BigInteger(1, dh_Ys);
-    }
-
-    /*
-     * Update sig with nonces and Diffie-Hellman public key.
-     */
-    private void updateSignature(Signature sig, byte[] clntNonce,
-            byte[] svrNonce) throws SignatureException {
-        int tmp;
-
-        sig.update(clntNonce);
-        sig.update(svrNonce);
-
-        tmp = dh_p.length;
-        sig.update((byte)(tmp >> 8));
-        sig.update((byte)(tmp & 0x0ff));
-        sig.update(dh_p);
-
-        tmp = dh_g.length;
-        sig.update((byte)(tmp >> 8));
-        sig.update((byte)(tmp & 0x0ff));
-        sig.update(dh_g);
-
-        tmp = dh_Ys.length;
-        sig.update((byte)(tmp >> 8));
-        sig.update((byte)(tmp & 0x0ff));
-        sig.update(dh_Ys);
-    }
-
-    private void setValues(DHCrypt obj) {
-        dh_p = toByteArray(obj.getModulus());
-        dh_g = toByteArray(obj.getBase());
-        dh_Ys = toByteArray(obj.getPublicKey());
-    }
-
-    @Override
-    int messageLength() {
-        int temp = 6;   // overhead for p, g, y(s) values.
-
-        temp += dh_p.length;
-        temp += dh_g.length;
-        temp += dh_Ys.length;
-
-        if (signature != null) {
-            if (protocolVersion.useTLS12PlusSpec()) {
-                temp += SignatureAndHashAlgorithm.sizeInRecord();
-            }
-
-            temp += signature.length;
-            if (dhKeyExchangeFix) {
-                temp += 2;
-            }
-        }
-
-        return temp;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putBytes16(dh_p);
-        s.putBytes16(dh_g);
-        s.putBytes16(dh_Ys);
-
-        if (signature != null) {
-            if (protocolVersion.useTLS12PlusSpec()) {
-                s.putInt8(preferableSignatureAlgorithm.getHashValue());
-                s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
-            }
-
-            if (dhKeyExchangeFix) {
-                s.putBytes16(signature);
-            } else {
-                s.write(signature);
-            }
-        }
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** Diffie-Hellman ServerKeyExchange");
-
-        if (debug != null && Debug.isOn("verbose")) {
-            Debug.println(s, "DH Modulus", dh_p);
-            Debug.println(s, "DH Base", dh_g);
-            Debug.println(s, "Server DH Public Key", dh_Ys);
-
-            if (signature == null) {
-                s.println("Anonymous");
-            } else {
-                if (protocolVersion.useTLS12PlusSpec()) {
-                    s.println("Signature Algorithm " +
-                        preferableSignatureAlgorithm.getAlgorithmName());
-                }
-
-                s.println("Signed with a DSA or RSA public key");
-            }
-        }
-    }
-}
-
-/*
- * ECDH server key exchange message. Sent by the server for ECDHE and ECDH_anon
- * ciphersuites to communicate its ephemeral public key (including the
- * EC domain parameters).
- *
- * We support named curves only, no explicitly encoded curves.
- */
-static final
-class ECDH_ServerKeyExchange extends ServerKeyExchange {
-
-    // constants for ECCurveType
-    private static final int CURVE_EXPLICIT_PRIME = 1;
-    private static final int CURVE_EXPLICIT_CHAR2 = 2;
-    private static final int CURVE_NAMED_CURVE    = 3;
-
-    // id of the named group we are using
-    private int groupId;
-
-    // encoded public point
-    private byte[] pointBytes;
-
-    // signature bytes (or null if anonymous)
-    private byte[] signatureBytes;
-
-    // public key object encapsulated in this message
-    private ECPublicKey publicKey;
-
-    // protocol version being established using this ServerKeyExchange message
-    ProtocolVersion protocolVersion;
-
-    // the preferable signature algorithm used by this ServerKeyExchange message
-    private SignatureAndHashAlgorithm preferableSignatureAlgorithm;
-
-    ECDH_ServerKeyExchange(ECDHCrypt obj, PrivateKey privateKey,
-            byte[] clntNonce, byte[] svrNonce, SecureRandom sr,
-            SignatureAndHashAlgorithm signAlgorithm,
-            ProtocolVersion protocolVersion)
-            throws SSLHandshakeException, GeneralSecurityException {
-
-        this.protocolVersion = protocolVersion;
-
-        publicKey = (ECPublicKey)obj.getPublicKey();
-        ECParameterSpec params = publicKey.getParams();
-        ECPoint point = publicKey.getW();
-        pointBytes = JsseJce.encodePoint(point, params.getCurve());
-
-        NamedGroup namedGroup = NamedGroup.valueOf(params);
-        if ((namedGroup == null) || (namedGroup.oid == null) ){
-            // unlikely
-            throw new SSLHandshakeException(
-                "Unnamed EC parameter spec: " + params);
-        }
-        groupId = namedGroup.id;
-
-        if (privateKey == null) {
-            // ECDH_anon
-            return;
-        }
-
-        Signature sig;
-        if (protocolVersion.useTLS12PlusSpec()) {
-            this.preferableSignatureAlgorithm = signAlgorithm;
-            sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
-        } else {
-            sig = getSignature(privateKey.getAlgorithm());
-        }
-        sig.initSign(privateKey, sr);
-
-        updateSignature(sig, clntNonce, svrNonce);
-        signatureBytes = sig.sign();
-    }
-
-    /*
-     * Parse an ECDH server key exchange message.
-     */
-    ECDH_ServerKeyExchange(HandshakeInStream input, PublicKey signingKey,
-            byte[] clntNonce, byte[] svrNonce,
-            Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
-            ProtocolVersion protocolVersion)
-            throws IOException, GeneralSecurityException {
-
-        this.protocolVersion = protocolVersion;
-
-        // read params: ServerECDHParams
-        int curveType = input.getInt8();
-        ECParameterSpec parameters;
-        // These parsing errors should never occur as we negotiated
-        // the supported curves during the exchange of the Hello messages.
-        if (curveType == CURVE_NAMED_CURVE) {
-            groupId = input.getInt16();
-            NamedGroup namedGroup = NamedGroup.valueOf(groupId);
-            if (namedGroup == null) {
-                throw new SSLHandshakeException(
-                    "Unknown named group ID: " + groupId);
-            }
-
-            if (!SupportedGroupsExtension.supports(namedGroup)) {
-                throw new SSLHandshakeException(
-                    "Unsupported named group: " + namedGroup);
-            }
-
-            if (namedGroup.oid == null) {
-                throw new SSLHandshakeException(
-                    "Unknown named EC curve: " + namedGroup);
-            }
-
-            parameters = JsseJce.getECParameterSpec(namedGroup.oid);
-            if (parameters == null) {
-                throw new SSLHandshakeException(
-                    "No supported EC parameter for named group: " + namedGroup);
-            }
-        } else {
-            throw new SSLHandshakeException(
-                "Unsupported ECCurveType: " + curveType);
-        }
-        pointBytes = input.getBytes8();
-
-        ECPoint point = JsseJce.decodePoint(pointBytes, parameters.getCurve());
-        KeyFactory factory = JsseJce.getKeyFactory("EC");
-        publicKey = (ECPublicKey)factory.generatePublic(
-            new ECPublicKeySpec(point, parameters));
-
-        if (signingKey == null) {
-            // ECDH_anon
-            return;
-        }
-
-        // read the signature and hash algorithm
-        if (protocolVersion.useTLS12PlusSpec()) {
-            int hash = input.getInt8();         // hash algorithm
-            int signature = input.getInt8();    // signature algorithm
-
-            preferableSignatureAlgorithm =
-                SignatureAndHashAlgorithm.valueOf(hash, signature, 0);
-
-            // Is it a local supported signature algorithm?
-            if (!localSupportedSignAlgs.contains(
-                    preferableSignatureAlgorithm)) {
-                throw new SSLHandshakeException(
-                        "Unsupported SignatureAndHashAlgorithm in " +
-                        "ServerKeyExchange message: " +
-                        preferableSignatureAlgorithm);
-            }
-        }
-
-        // read the signature
-        signatureBytes = input.getBytes16();
-
-        // verify the signature
-        Signature sig;
-        if (protocolVersion.useTLS12PlusSpec()) {
-            sig = JsseJce.getSignature(
-                        preferableSignatureAlgorithm.getAlgorithmName());
-        } else {
-            sig = getSignature(signingKey.getAlgorithm());
-        }
-        sig.initVerify(signingKey);
-
-        updateSignature(sig, clntNonce, svrNonce);
-
-        if (sig.verify(signatureBytes) == false ) {
-            throw new SSLKeyException(
-                "Invalid signature on ECDH server key exchange message");
-        }
-    }
-
-    /*
-     * Get the ephemeral EC public key encapsulated in this message.
-     */
-    ECPublicKey getPublicKey() {
-        return publicKey;
-    }
-
-    private static Signature getSignature(String keyAlgorithm)
-            throws NoSuchAlgorithmException {
-            switch (keyAlgorithm) {
-                case "EC":
-                    return JsseJce.getSignature(JsseJce.SIGNATURE_ECDSA);
-                case "RSA":
-                    return RSASignature.getInstance();
-                default:
-                    throw new NoSuchAlgorithmException(
-                        "neither an RSA or a EC key : " + keyAlgorithm);
-            }
-    }
-
-    private void updateSignature(Signature sig, byte[] clntNonce,
-            byte[] svrNonce) throws SignatureException {
-        sig.update(clntNonce);
-        sig.update(svrNonce);
-
-        sig.update((byte)CURVE_NAMED_CURVE);
-        sig.update((byte)(groupId >> 8));
-        sig.update((byte)groupId);
-        sig.update((byte)pointBytes.length);
-        sig.update(pointBytes);
-    }
-
-    @Override
-    int messageLength() {
-        int sigLen = 0;
-        if (signatureBytes != null) {
-            sigLen = 2 + signatureBytes.length;
-            if (protocolVersion.useTLS12PlusSpec()) {
-                sigLen += SignatureAndHashAlgorithm.sizeInRecord();
-            }
-        }
-
-        return 4 + pointBytes.length + sigLen;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt8(CURVE_NAMED_CURVE);
-        s.putInt16(groupId);
-        s.putBytes8(pointBytes);
-
-        if (signatureBytes != null) {
-            if (protocolVersion.useTLS12PlusSpec()) {
-                s.putInt8(preferableSignatureAlgorithm.getHashValue());
-                s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
-            }
-
-            s.putBytes16(signatureBytes);
-        }
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** ECDH ServerKeyExchange");
-
-        if (debug != null && Debug.isOn("verbose")) {
-            if (signatureBytes == null) {
-                s.println("Anonymous");
-            } else {
-                if (protocolVersion.useTLS12PlusSpec()) {
-                    s.println("Signature Algorithm " +
-                            preferableSignatureAlgorithm.getAlgorithmName());
-                }
-            }
-
-            s.println("Server key: " + publicKey);
-        }
-    }
-}
-
-static final class DistinguishedName {
-
-    /*
-     * DER encoded distinguished name.
-     * TLS requires that its not longer than 65535 bytes.
-     */
-    byte[] name;
-
-    DistinguishedName(HandshakeInStream input) throws IOException {
-        name = input.getBytes16();
-    }
-
-    DistinguishedName(X500Principal dn) {
-        name = dn.getEncoded();
-    }
-
-    X500Principal getX500Principal() throws IOException {
-        try {
-            return new X500Principal(name);
-        } catch (IllegalArgumentException e) {
-            throw (SSLProtocolException)new SSLProtocolException(
-                e.getMessage()).initCause(e);
-        }
-    }
-
-    int length() {
-        return 2 + name.length;
-    }
-
-    void send(HandshakeOutStream output) throws IOException {
-        output.putBytes16(name);
-    }
-
-    void print(PrintStream output) throws IOException {
-        X500Principal principal = new X500Principal(name);
-        output.println("<" + principal.toString() + ">");
-    }
-}
-
-/*
- * CertificateRequest ... SERVER --> CLIENT
- *
- * Authenticated servers may ask clients to authenticate themselves
- * in turn, using this message.
- *
- * Prior to TLS 1.2, the structure of the message is defined as:
- *     struct {
- *         ClientCertificateType certificate_types<1..2^8-1>;
- *         DistinguishedName certificate_authorities<0..2^16-1>;
- *     } CertificateRequest;
- *
- * In TLS 1.2, the structure is changed to:
- *     struct {
- *         ClientCertificateType certificate_types<1..2^8-1>;
- *         SignatureAndHashAlgorithm
- *           supported_signature_algorithms<2^16-1>;
- *         DistinguishedName certificate_authorities<0..2^16-1>;
- *     } CertificateRequest;
- *
- */
-static final
-class CertificateRequest extends HandshakeMessage
-{
-    // enum ClientCertificateType
-    static final int   cct_rsa_sign = 1;
-    static final int   cct_dss_sign = 2;
-    static final int   cct_rsa_fixed_dh = 3;
-    static final int   cct_dss_fixed_dh = 4;
-
-    // The existance of these two values is a bug in the SSL specification.
-    // They are never used in the protocol.
-    static final int   cct_rsa_ephemeral_dh = 5;
-    static final int   cct_dss_ephemeral_dh = 6;
-
-    // From RFC 4492 (ECC)
-    static final int    cct_ecdsa_sign       = 64;
-    static final int    cct_rsa_fixed_ecdh   = 65;
-    static final int    cct_ecdsa_fixed_ecdh = 66;
-
-    private static final byte[] TYPES_NO_ECC = { cct_rsa_sign, cct_dss_sign };
-    private static final byte[] TYPES_ECC =
-        { cct_rsa_sign, cct_dss_sign, cct_ecdsa_sign };
-
-    byte[]                types;               // 1 to 255 types
-    DistinguishedName[]   authorities;         // 3 to 2^16 - 1
-        // ... "3" because that's the smallest DER-encoded X500 DN
-
-    // protocol version being established using this CertificateRequest message
-    ProtocolVersion protocolVersion;
-
-    // supported_signature_algorithms for TLS 1.2 or later
-    private Collection<SignatureAndHashAlgorithm> algorithms;
-
-    // length of supported_signature_algorithms
-    private int algorithmsLen;
-
-    CertificateRequest(X509Certificate[] ca, KeyExchange keyExchange,
-            Collection<SignatureAndHashAlgorithm> signAlgs,
-            ProtocolVersion protocolVersion) throws IOException {
-
-        this.protocolVersion = protocolVersion;
-
-        // always use X500Principal
-        authorities = new DistinguishedName[ca.length];
-        for (int i = 0; i < ca.length; i++) {
-            X500Principal x500Principal = ca[i].getSubjectX500Principal();
-            authorities[i] = new DistinguishedName(x500Principal);
-        }
-        // we support RSA, DSS, and ECDSA client authentication and they
-        // can be used with all ciphersuites. If this changes, the code
-        // needs to be adapted to take keyExchange into account.
-        // We only request ECDSA client auth if we have ECC crypto available.
-        this.types = JsseJce.isEcAvailable() ? TYPES_ECC : TYPES_NO_ECC;
-
-        // Use supported_signature_algorithms for TLS 1.2 or later.
-        if (protocolVersion.useTLS12PlusSpec()) {
-            if (signAlgs == null || signAlgs.isEmpty()) {
-                throw new SSLProtocolException(
-                        "No supported signature algorithms");
-            }
-
-            algorithms = new ArrayList<SignatureAndHashAlgorithm>(signAlgs);
-            algorithmsLen =
-                SignatureAndHashAlgorithm.sizeInRecord() * algorithms.size();
-        } else {
-            algorithms = new ArrayList<SignatureAndHashAlgorithm>();
-            algorithmsLen = 0;
-        }
-    }
-
-    CertificateRequest(HandshakeInStream input,
-            ProtocolVersion protocolVersion) throws IOException {
-
-        this.protocolVersion = protocolVersion;
-
-        // Read the certificate_types.
-        types = input.getBytes8();
-
-        // Read the supported_signature_algorithms for TLS 1.2 or later.
-        if (protocolVersion.useTLS12PlusSpec()) {
-            algorithmsLen = input.getInt16();
-            if (algorithmsLen < 2) {
-                throw new SSLProtocolException(
-                    "Invalid supported_signature_algorithms field: " +
-                    algorithmsLen);
-            }
-
-            algorithms = new ArrayList<SignatureAndHashAlgorithm>();
-            int remains = algorithmsLen;
-            int sequence = 0;
-            while (remains > 1) {    // needs at least two bytes
-                int hash = input.getInt8();         // hash algorithm
-                int signature = input.getInt8();    // signature algorithm
-
-                SignatureAndHashAlgorithm algorithm =
-                    SignatureAndHashAlgorithm.valueOf(hash, signature,
-                                                                ++sequence);
-                algorithms.add(algorithm);
-                remains -= 2;  // one byte for hash, one byte for signature
-            }
-
-            if (remains != 0) {
-                throw new SSLProtocolException(
-                    "Invalid supported_signature_algorithms field. remains: " +
-                    remains);
-            }
-        } else {
-            algorithms = new ArrayList<SignatureAndHashAlgorithm>();
-            algorithmsLen = 0;
-        }
-
-        // read the certificate_authorities
-        int len = input.getInt16();
-        ArrayList<DistinguishedName> v = new ArrayList<>();
-        while (len >= 3) {
-            DistinguishedName dn = new DistinguishedName(input);
-            v.add(dn);
-            len -= dn.length();
-        }
-
-        if (len != 0) {
-            throw new SSLProtocolException(
-                "Bad CertificateRequest DN length: " + len);
-        }
-
-        authorities = v.toArray(new DistinguishedName[v.size()]);
-    }
-
-    X500Principal[] getAuthorities() throws IOException {
-        X500Principal[] ret = new X500Principal[authorities.length];
-        for (int i = 0; i < authorities.length; i++) {
-            ret[i] = authorities[i].getX500Principal();
-        }
-        return ret;
-    }
-
-    Collection<SignatureAndHashAlgorithm> getSignAlgorithms() {
-        return algorithms;
-    }
-
-    @Override
-    int messageType() {
-        return ht_certificate_request;
-    }
-
-    @Override
-    int messageLength() {
-        int len = 1 + types.length + 2;
-
-        if (protocolVersion.useTLS12PlusSpec()) {
-            len += algorithmsLen + 2;
-        }
-
-        for (int i = 0; i < authorities.length; i++) {
-            len += authorities[i].length();
-        }
-
-        return len;
-    }
-
-    @Override
-    void send(HandshakeOutStream output) throws IOException {
-        // put certificate_types
-        output.putBytes8(types);
-
-        // put supported_signature_algorithms
-        if (protocolVersion.useTLS12PlusSpec()) {
-            output.putInt16(algorithmsLen);
-            for (SignatureAndHashAlgorithm algorithm : algorithms) {
-                output.putInt8(algorithm.getHashValue());      // hash
-                output.putInt8(algorithm.getSignatureValue()); // signature
-            }
-        }
-
-        // put certificate_authorities
-        int len = 0;
-        for (int i = 0; i < authorities.length; i++) {
-            len += authorities[i].length();
-        }
-
-        output.putInt16(len);
-        for (int i = 0; i < authorities.length; i++) {
-            authorities[i].send(output);
-        }
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** CertificateRequest");
-
-        if (debug != null && Debug.isOn("verbose")) {
-            s.print("Cert Types: ");
-            for (int i = 0; i < types.length; i++) {
-                switch (types[i]) {
-                  case cct_rsa_sign:
-                    s.print("RSA"); break;
-                  case cct_dss_sign:
-                    s.print("DSS"); break;
-                  case cct_rsa_fixed_dh:
-                    s.print("Fixed DH (RSA sig)"); break;
-                  case cct_dss_fixed_dh:
-                    s.print("Fixed DH (DSS sig)"); break;
-                  case cct_rsa_ephemeral_dh:
-                    s.print("Ephemeral DH (RSA sig)"); break;
-                  case cct_dss_ephemeral_dh:
-                    s.print("Ephemeral DH (DSS sig)"); break;
-                  case cct_ecdsa_sign:
-                    s.print("ECDSA"); break;
-                  case cct_rsa_fixed_ecdh:
-                    s.print("Fixed ECDH (RSA sig)"); break;
-                  case cct_ecdsa_fixed_ecdh:
-                    s.print("Fixed ECDH (ECDSA sig)"); break;
-                  default:
-                    s.print("Type-" + (types[i] & 0xff)); break;
-                }
-                if (i != types.length - 1) {
-                    s.print(", ");
-                }
-            }
-            s.println();
-
-            if (protocolVersion.useTLS12PlusSpec()) {
-                StringBuilder sb = new StringBuilder();
-                boolean opened = false;
-                for (SignatureAndHashAlgorithm signAlg : algorithms) {
-                    if (opened) {
-                        sb.append(", ").append(signAlg.getAlgorithmName());
-                    } else {
-                        sb.append(signAlg.getAlgorithmName());
-                        opened = true;
-                    }
-                }
-                s.println("Supported Signature Algorithms: " + sb);
-            }
-
-            s.println("Cert Authorities:");
-            if (authorities.length == 0) {
-                s.println("<Empty>");
-            } else {
-                for (int i = 0; i < authorities.length; i++) {
-                    authorities[i].print(s);
-                }
-            }
-        }
-    }
-}
-
-
-/*
- * ServerHelloDone ... SERVER --> CLIENT
- *
- * When server's done sending its messages in response to the client's
- * "hello" (e.g. its own hello, certificate, key exchange message, perhaps
- * client certificate request) it sends this message to flag that it's
- * done that part of the handshake.
- */
-static final
-class ServerHelloDone extends HandshakeMessage
-{
-    @Override
-    int messageType() { return ht_server_hello_done; }
-
-    ServerHelloDone() { }
-
-    ServerHelloDone(HandshakeInStream input)
-    {
-        // nothing to do
-    }
-
-    @Override
-    int messageLength()
-    {
-        return 0;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException
-    {
-        // nothing to send
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException
-    {
-        s.println("*** ServerHelloDone");
-    }
-}
-
-
-/*
- * CertificateVerify ... CLIENT --> SERVER
- *
- * Sent after client sends signature-capable certificates (e.g. not
- * Diffie-Hellman) to verify.
- */
-static final class CertificateVerify extends HandshakeMessage {
-
-    // the signature bytes
-    private byte[] signature;
-
-    // protocol version being established using this CertificateVerify message
-    ProtocolVersion protocolVersion;
-
-    // the preferable signature algorithm used by this CertificateVerify message
-    private SignatureAndHashAlgorithm preferableSignatureAlgorithm = null;
-
-    /*
-     * Create an RSA or DSA signed certificate verify message.
-     */
-    CertificateVerify(ProtocolVersion protocolVersion,
-            HandshakeHash handshakeHash, PrivateKey privateKey,
-            SecretKey masterSecret, SecureRandom sr,
-            SignatureAndHashAlgorithm signAlgorithm)
-            throws GeneralSecurityException {
-
-        this.protocolVersion = protocolVersion;
-
-        String algorithm = privateKey.getAlgorithm();
-        Signature sig = null;
-        if (protocolVersion.useTLS12PlusSpec()) {
-            this.preferableSignatureAlgorithm = signAlgorithm;
-            sig = JsseJce.getSignature(signAlgorithm.getAlgorithmName());
-        } else {
-            sig = getSignature(protocolVersion, algorithm);
-        }
-        sig.initSign(privateKey, sr);
-        updateSignature(sig, protocolVersion, handshakeHash, algorithm,
-                        masterSecret);
-        signature = sig.sign();
-    }
-
-    //
-    // Unmarshal the signed data from the input stream.
-    //
-    CertificateVerify(HandshakeInStream input,
-            Collection<SignatureAndHashAlgorithm> localSupportedSignAlgs,
-            ProtocolVersion protocolVersion) throws IOException  {
-
-        this.protocolVersion = protocolVersion;
-
-        // read the signature and hash algorithm
-        if (protocolVersion.useTLS12PlusSpec()) {
-            int hashAlg = input.getInt8();         // hash algorithm
-            int signAlg = input.getInt8();         // signature algorithm
-
-            preferableSignatureAlgorithm =
-                SignatureAndHashAlgorithm.valueOf(hashAlg, signAlg, 0);
-
-            // Is it a local supported signature algorithm?
-            if (!localSupportedSignAlgs.contains(
-                    preferableSignatureAlgorithm)) {
-                throw new SSLHandshakeException(
-                    "Unsupported SignatureAndHashAlgorithm in " +
-                    "CertificateVerify message: " + preferableSignatureAlgorithm);
-            }
-        }
-
-        // read the signature
-        signature = input.getBytes16();
-    }
-
-    /*
-     * Get the preferable signature algorithm used by this message
-     */
-    SignatureAndHashAlgorithm getPreferableSignatureAlgorithm() {
-        return preferableSignatureAlgorithm;
-    }
-
-    /*
-     * Verify a certificate verify message. Return the result of verification,
-     * if there is a problem throw a GeneralSecurityException.
-     */
-    boolean verify(ProtocolVersion protocolVersion,
-            HandshakeHash handshakeHash, PublicKey publicKey,
-            SecretKey masterSecret) throws GeneralSecurityException {
-        String algorithm = publicKey.getAlgorithm();
-        Signature sig = null;
-        if (protocolVersion.useTLS12PlusSpec()) {
-            sig = JsseJce.getSignature(
-                        preferableSignatureAlgorithm.getAlgorithmName());
-        } else {
-            sig = getSignature(protocolVersion, algorithm);
-        }
-        sig.initVerify(publicKey);
-        updateSignature(sig, protocolVersion, handshakeHash, algorithm,
-                        masterSecret);
-        return sig.verify(signature);
-    }
-
-    /*
-     * Get the Signature object appropriate for verification using the
-     * given signature algorithm and protocol version.
-     */
-    private static Signature getSignature(ProtocolVersion protocolVersion,
-            String algorithm) throws GeneralSecurityException {
-            switch (algorithm) {
-                case "RSA":
-                    return RSASignature.getInternalInstance();
-                case "DSA":
-                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWDSA);
-                case "EC":
-                    return JsseJce.getSignature(JsseJce.SIGNATURE_RAWECDSA);
-                default:
-                    throw new SignatureException("Unrecognized algorithm: "
-                        + algorithm);
-            }
-    }
-
-    /*
-     * Update the Signature with the data appropriate for the given
-     * signature algorithm and protocol version so that the object is
-     * ready for signing or verifying.
-     */
-    private static void updateSignature(Signature sig,
-            ProtocolVersion protocolVersion,
-            HandshakeHash handshakeHash, String algorithm, SecretKey masterKey)
-            throws SignatureException {
-
-        if (algorithm.equals("RSA")) {
-            if (!protocolVersion.useTLS12PlusSpec()) {  // TLS1.1-
-                MessageDigest md5Clone = handshakeHash.getMD5Clone();
-                MessageDigest shaClone = handshakeHash.getSHAClone();
-
-                if (!protocolVersion.useTLS10PlusSpec()) {  // SSLv3
-                    updateDigest(md5Clone, MD5_pad1, MD5_pad2, masterKey);
-                    updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
-                }
-
-                // The signature must be an instance of RSASignature, need
-                // to use these hashes directly.
-                RSASignature.setHashes(sig, md5Clone, shaClone);
-            } else {  // TLS1.2+
-                sig.update(handshakeHash.getAllHandshakeMessages());
-            }
-        } else { // DSA, ECDSA
-            if (!protocolVersion.useTLS12PlusSpec()) {  // TLS1.1-
-                MessageDigest shaClone = handshakeHash.getSHAClone();
-
-                if (!protocolVersion.useTLS10PlusSpec()) {  // SSLv3
-                    updateDigest(shaClone, SHA_pad1, SHA_pad2, masterKey);
-                }
-
-                sig.update(shaClone.digest());
-            } else {  // TLS1.2+
-                sig.update(handshakeHash.getAllHandshakeMessages());
-            }
-        }
-    }
-
-    /*
-     * Update the MessageDigest for SSLv3 certificate verify or finished
-     * message calculation. The digest must already have been updated with
-     * all preceding handshake messages.
-     * Used by the Finished class as well.
-     */
-    private static void updateDigest(MessageDigest md,
-            byte[] pad1, byte[] pad2,
-            SecretKey masterSecret) {
-        // Digest the key bytes if available.
-        // Otherwise (sensitive key), try digesting the key directly.
-        // That is currently only implemented in SunPKCS11 using a private
-        // reflection API, so we avoid that if possible.
-        byte[] keyBytes = "RAW".equals(masterSecret.getFormat())
-                        ? masterSecret.getEncoded() : null;
-        if (keyBytes != null) {
-            md.update(keyBytes);
-        } else {
-            digestKey(md, masterSecret);
-        }
-        md.update(pad1);
-        byte[] temp = md.digest();
-
-        if (keyBytes != null) {
-            md.update(keyBytes);
-        } else {
-            digestKey(md, masterSecret);
-        }
-        md.update(pad2);
-        md.update(temp);
-    }
-
-    private static void digestKey(MessageDigest md, SecretKey key) {
-        try {
-            if (md instanceof MessageDigestSpi2) {
-                ((MessageDigestSpi2)md).engineUpdate(key);
-            } else {
-                throw new Exception(
-                    "Digest does not support implUpdate(SecretKey)");
-            }
-        } catch (Exception e) {
-            throw new RuntimeException(
-                "Could not obtain encoded key and "
-                + "MessageDigest cannot digest key", e);
-        }
-    }
-
-    @Override
-    int messageType() {
-        return ht_certificate_verify;
-    }
-
-    @Override
-    int messageLength() {
-        int temp = 2;
-
-        if (protocolVersion.useTLS12PlusSpec()) {
-            temp += SignatureAndHashAlgorithm.sizeInRecord();
-        }
-
-        return temp + signature.length;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        if (protocolVersion.useTLS12PlusSpec()) {
-            s.putInt8(preferableSignatureAlgorithm.getHashValue());
-            s.putInt8(preferableSignatureAlgorithm.getSignatureValue());
-        }
-
-        s.putBytes16(signature);
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** CertificateVerify");
-
-        if (debug != null && Debug.isOn("verbose")) {
-            if (protocolVersion.useTLS12PlusSpec()) {
-                s.println("Signature Algorithm " +
-                        preferableSignatureAlgorithm.getAlgorithmName());
-            }
-        }
-    }
-}
-
-
-/*
- * FINISHED ... sent by both CLIENT and SERVER
- *
- * This is the FINISHED message as defined in the SSL and TLS protocols.
- * Both protocols define this handshake message slightly differently.
- * This class supports both formats.
- *
- * When handshaking is finished, each side sends a "change_cipher_spec"
- * record, then immediately sends a "finished" handshake message prepared
- * according to the newly adopted cipher spec.
- *
- * NOTE that until this is sent, no application data may be passed, unless
- * some non-default cipher suite has already been set up on this connection
- * connection (e.g. a previous handshake arranged one).
- */
-static final class Finished extends HandshakeMessage {
-
-    // constant for a Finished message sent by the client
-    static final int CLIENT = 1;
-
-    // constant for a Finished message sent by the server
-    static final int SERVER = 2;
-
-    // enum Sender:  "CLNT" and "SRVR"
-    private static final byte[] SSL_CLIENT = { 0x43, 0x4C, 0x4E, 0x54 };
-    private static final byte[] SSL_SERVER = { 0x53, 0x52, 0x56, 0x52 };
-
-    /*
-     * Contents of the finished message ("checksum"). For TLS, it
-     * is 12 bytes long, for SSLv3 36 bytes.
-     */
-    private byte[] verifyData;
-
-    /*
-     * Current cipher suite we are negotiating.  TLS 1.2 has
-     * ciphersuite-defined PRF algorithms.
-     */
-    private ProtocolVersion protocolVersion;
-    private CipherSuite cipherSuite;
-
-    /*
-     * Create a finished message to send to the remote peer.
-     */
-    Finished(ProtocolVersion protocolVersion, HandshakeHash handshakeHash,
-            int sender, SecretKey master, CipherSuite cipherSuite) {
-        this.protocolVersion = protocolVersion;
-        this.cipherSuite = cipherSuite;
-        verifyData = getFinished(handshakeHash, sender, master);
-    }
-
-    /*
-     * Constructor that reads FINISHED message from stream.
-     */
-    Finished(ProtocolVersion protocolVersion, HandshakeInStream input,
-            CipherSuite cipherSuite) throws IOException {
-        this.protocolVersion = protocolVersion;
-        this.cipherSuite = cipherSuite;
-        int msgLen = protocolVersion.useTLS10PlusSpec() ?  12 : 36;
-        verifyData = new byte[msgLen];
-        input.read(verifyData);
-    }
-
-    /*
-     * Verify that the hashes here are what would have been produced
-     * according to a given set of inputs.  This is used to ensure that
-     * both client and server are fully in sync, and that the handshake
-     * computations have been successful.
-     */
-    boolean verify(HandshakeHash handshakeHash, int sender, SecretKey master) {
-        byte[] myFinished = getFinished(handshakeHash, sender, master);
-        return MessageDigest.isEqual(myFinished, verifyData);
-    }
-
-    /*
-     * Perform the actual finished message calculation.
-     */
-    private byte[] getFinished(HandshakeHash handshakeHash,
-            int sender, SecretKey masterKey) {
-        byte[] sslLabel;
-        String tlsLabel;
-        if (sender == CLIENT) {
-            sslLabel = SSL_CLIENT;
-            tlsLabel = "client finished";
-        } else if (sender == SERVER) {
-            sslLabel = SSL_SERVER;
-            tlsLabel = "server finished";
-        } else {
-            throw new RuntimeException("Invalid sender: " + sender);
-        }
-
-        if (protocolVersion.useTLS10PlusSpec()) {
-            // TLS 1.0+
-            try {
-                byte[] seed;
-                String prfAlg;
-                PRF prf;
-
-                // Get the KeyGenerator alg and calculate the seed.
-                if (protocolVersion.useTLS12PlusSpec()) {
-                    // TLS 1.2+ or DTLS 1.2+
-                    seed = handshakeHash.getFinishedHash();
-
-                    prfAlg = "SunTls12Prf";
-                    prf = cipherSuite.prfAlg;
-                } else {
-                    // TLS 1.0/1.1, DTLS 1.0
-                    MessageDigest md5Clone = handshakeHash.getMD5Clone();
-                    MessageDigest shaClone = handshakeHash.getSHAClone();
-                    seed = new byte[36];
-                    md5Clone.digest(seed, 0, 16);
-                    shaClone.digest(seed, 16, 20);
-
-                    prfAlg = "SunTlsPrf";
-                    prf = P_NONE;
-                }
-
-                String prfHashAlg = prf.getPRFHashAlg();
-                int prfHashLength = prf.getPRFHashLength();
-                int prfBlockSize = prf.getPRFBlockSize();
-
-                /*
-                 * RFC 5246/7.4.9 says that finished messages can
-                 * be ciphersuite-specific in both length/PRF hash
-                 * algorithm.  If we ever run across a different
-                 * length, this call will need to be updated.
-                 */
-                @SuppressWarnings("deprecation")
-                TlsPrfParameterSpec spec = new TlsPrfParameterSpec(
-                    masterKey, tlsLabel, seed, 12,
-                    prfHashAlg, prfHashLength, prfBlockSize);
-
-                KeyGenerator kg = JsseJce.getKeyGenerator(prfAlg);
-                kg.init(spec);
-                SecretKey prfKey = kg.generateKey();
-                if ("RAW".equals(prfKey.getFormat()) == false) {
-                    throw new ProviderException(
-                        "Invalid PRF output, format must be RAW. " +
-                        "Format received: " + prfKey.getFormat());
-                }
-                byte[] finished = prfKey.getEncoded();
-                return finished;
-            } catch (GeneralSecurityException e) {
-                throw new RuntimeException("PRF failed", e);
-            }
-        } else {
-            // SSLv3
-            MessageDigest md5Clone = handshakeHash.getMD5Clone();
-            MessageDigest shaClone = handshakeHash.getSHAClone();
-            updateDigest(md5Clone, sslLabel, MD5_pad1, MD5_pad2, masterKey);
-            updateDigest(shaClone, sslLabel, SHA_pad1, SHA_pad2, masterKey);
-            byte[] finished = new byte[36];
-            try {
-                md5Clone.digest(finished, 0, 16);
-                shaClone.digest(finished, 16, 20);
-            } catch (DigestException e) {
-                // cannot occur
-                throw new RuntimeException("Digest failed", e);
-            }
-            return finished;
-        }
-    }
-
-    /*
-     * Update the MessageDigest for SSLv3 finished message calculation.
-     * The digest must already have been updated with all preceding handshake
-     * messages. This operation is almost identical to the certificate verify
-     * hash, reuse that code.
-     */
-    private static void updateDigest(MessageDigest md, byte[] sender,
-            byte[] pad1, byte[] pad2, SecretKey masterSecret) {
-        md.update(sender);
-        CertificateVerify.updateDigest(md, pad1, pad2, masterSecret);
-    }
-
-    // get the verify_data of the finished message
-    byte[] getVerifyData() {
-        return verifyData;
-    }
-
-    @Override
-    int messageType() { return ht_finished; }
-
-    @Override
-    int messageLength() {
-        return verifyData.length;
-    }
-
-    @Override
-    void send(HandshakeOutStream out) throws IOException {
-        out.write(verifyData);
-    }
-
-    @Override
-    void print(PrintStream s) throws IOException {
-        s.println("*** Finished");
-        if (debug != null && Debug.isOn("verbose")) {
-            Debug.println(s, "verify_data", verifyData);
-            s.println("***");
-        }
-    }
-}
-
-//
-// END of nested classes
-//
-
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLHandshake.java	2018-05-11 15:09:59.187140500 -0700
@@ -0,0 +1,562 @@
+/*
+ * Copyright (c) 2006, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.AbstractMap.SimpleImmutableEntry;
+import java.util.Map;
+import javax.net.ssl.SSLException;
+
+enum SSLHandshake implements SSLConsumer, HandshakeProducer {
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    HELLO_REQUEST ((byte)0x00, "hello_request",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                HelloRequest.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                HelloRequest.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    CLIENT_HELLO ((byte)0x01, "client_hello",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                ClientHello.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ClientHello.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    SERVER_HELLO ((byte)0x02, "server_hello",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                ServerHello.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ServerHello.t12HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ServerHello.t13HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    HELLO_RETRY_REQUEST ((byte)0x02, "hello_retry_request",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                ServerHello.handshakeConsumer,      // Use ServerHello consumer
+                ProtocolVersion.PROTOCOLS_TO_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ServerHello.hrrHandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    HELLO_VERIFY_REQUEST        ((byte)0x03, "hello_verify_request",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                HelloVerifyRequest.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                HelloVerifyRequest.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    NEW_SESSION_TICKET          ((byte)0x04, "new_session_ticket",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                NewSessionTicket.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_13
+        )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                NewSessionTicket.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+        )
+        })),
+    END_OF_EARLY_DATA           ((byte)0x05, "end_of_early_data"),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    ENCRYPTED_EXTENSIONS        ((byte)0x08, "encrypted_extensions",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                EncryptedExtensions.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                EncryptedExtensions.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    CERTIFICATE                 ((byte)0x0B, "certificate",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateMessage.t12HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateMessage.t13HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateMessage.t12HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateMessage.t13HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    SERVER_KEY_EXCHANGE         ((byte)0x0C, "server_key_exchange",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                ServerKeyExchange.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ServerKeyExchange.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    CERTIFICATE_REQUEST         ((byte)0x0D, "certificate_request",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateRequest.t10HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_11
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateRequest.t12HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_12
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateRequest.t13HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateRequest.t10HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_11
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateRequest.t12HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_12
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateRequest.t13HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    SERVER_HELLO_DONE           ((byte)0x0E, "server_hello_done",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                ServerHelloDone.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ServerHelloDone.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    CERTIFICATE_VERIFY          ((byte)0x0F, "certificate_verify",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateVerify.s30HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_30
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateVerify.t10HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_10_11
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateVerify.t12HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_12
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateVerify.t13HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateVerify.s30HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_30
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateVerify.t10HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_10_11
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateVerify.t12HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_12
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateVerify.t13HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    CLIENT_KEY_EXCHANGE         ((byte)0x10, "client_key_exchange",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                ClientKeyExchange.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                ClientKeyExchange.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    FINISHED                    ((byte)0x14, "finished",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                Finished.t12HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            ),
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                Finished.t13HandshakeConsumer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                Finished.t12HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            ),
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                Finished.t13HandshakeProducer,
+                ProtocolVersion.PROTOCOLS_OF_13
+            )
+        })),
+
+    CERTIFICATE_URL             ((byte)0x15, "certificate_url"),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    CERTIFICATE_STATUS          ((byte)0x16, "certificate_status",
+        (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                CertificateStatus.handshakeConsumer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                CertificateStatus.handshakeProducer,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        }),
+        (Map.Entry<HandshakeAbsence, ProtocolVersion[]>[])(new Map.Entry[] {
+            new SimpleImmutableEntry<HandshakeAbsence, ProtocolVersion[]>(
+                CertificateStatus.handshakeAbsence,
+                ProtocolVersion.PROTOCOLS_TO_12
+            )
+        })),
+
+    SUPPLEMENTAL_DATA           ((byte)0x17, "supplemental_data"),
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    KEY_UPDATE                  ((byte)0x18, "key_update",
+            (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(new Map.Entry[] {
+                    new SimpleImmutableEntry<SSLConsumer, ProtocolVersion[]>(
+                            KeyUpdate.handshakeConsumer,
+                            ProtocolVersion.PROTOCOLS_OF_13
+                    )
+            }),
+            (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(new Map.Entry[] {
+                    new SimpleImmutableEntry<HandshakeProducer, ProtocolVersion[]>(
+                            KeyUpdate.handshakeProducer,
+                            ProtocolVersion.PROTOCOLS_OF_13
+                    )
+            })),
+    MESSAGE_HASH                ((byte)0xFE, "message_hash"),
+    NOT_APPLICABLE              ((byte)0xFF, "not_applicable");
+
+    final byte id;
+    final String name;
+    final Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers;
+    final Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers;
+    final Map.Entry<HandshakeAbsence, ProtocolVersion[]>[] handshakeAbsences;
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    SSLHandshake(byte id, String name) {
+        this(id, name,
+                (Map.Entry<SSLConsumer, ProtocolVersion[]>[])(
+                        new Map.Entry[0]),
+                (Map.Entry<HandshakeProducer, ProtocolVersion[]>[])(
+                        new Map.Entry[0]),
+                (Map.Entry<HandshakeAbsence, ProtocolVersion[]>[])(
+                        new Map.Entry[0]));
+    }
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    SSLHandshake(byte id, String name,
+        Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers,
+        Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers) {
+        this(id, name, handshakeConsumers, handshakeProducers,
+                (Map.Entry<HandshakeAbsence, ProtocolVersion[]>[])(
+                        new Map.Entry[0]));
+    }
+
+    SSLHandshake(byte id, String name,
+        Map.Entry<SSLConsumer, ProtocolVersion[]>[] handshakeConsumers,
+        Map.Entry<HandshakeProducer, ProtocolVersion[]>[] handshakeProducers,
+        Map.Entry<HandshakeAbsence, ProtocolVersion[]>[] handshakeAbsence) {
+        this.id = id;
+        this.name = name;
+        this.handshakeConsumers = handshakeConsumers;
+        this.handshakeProducers = handshakeProducers;
+        this.handshakeAbsences = handshakeAbsence;
+    }
+
+    @Override
+    public void consume(ConnectionContext context,
+            ByteBuffer message) throws IOException {
+        SSLConsumer hc = getHandshakeConsumer(context);
+        if (hc != null) {
+            hc.consume(context, message);
+        } else {
+            throw new UnsupportedOperationException(
+                    "Unsupported handshake consumer: " + this.name);
+        }
+    }
+
+    private SSLConsumer getHandshakeConsumer(ConnectionContext context) {
+        if (handshakeConsumers.length == 0) {
+            return null;
+        }
+
+        // The comsuming happens in handshake context only.
+        HandshakeContext hc = (HandshakeContext)context;
+        ProtocolVersion protocolVersion;
+        if ((hc.negotiatedProtocol == null) ||
+                (hc.negotiatedProtocol == ProtocolVersion.NONE)) {
+            protocolVersion = hc.maximumActiveProtocol;
+        } else {
+            protocolVersion = hc.negotiatedProtocol;
+        }
+
+        for (Map.Entry<SSLConsumer,
+                ProtocolVersion[]> phe : handshakeConsumers) {
+            for (ProtocolVersion pv : phe.getValue()) {
+                if (protocolVersion == pv) {
+                    return phe.getKey();
+                }
+            }
+        }
+
+        return null;
+    }
+
+    @Override
+    public byte[] produce(ConnectionContext context,
+            HandshakeMessage message) throws IOException {
+        HandshakeProducer hp = getHandshakeProducer(context);
+        if (hp != null) {
+            return hp.produce(context, message);
+        } else {
+            throw new UnsupportedOperationException(
+                    "Unsupported handshake producer: " + this.name);
+        }
+    }
+
+    private HandshakeProducer getHandshakeProducer(
+            ConnectionContext context) {
+        if (handshakeConsumers.length == 0) {
+            return null;
+        }
+
+        // The comsuming happens in handshake context only.
+        HandshakeContext hc = (HandshakeContext)context;
+        ProtocolVersion protocolVersion;
+        if ((hc.negotiatedProtocol == null) ||
+                (hc.negotiatedProtocol == ProtocolVersion.NONE)) {
+            protocolVersion = hc.maximumActiveProtocol;
+        } else {
+            protocolVersion = hc.negotiatedProtocol;
+        }
+
+        for (Map.Entry<HandshakeProducer,
+                ProtocolVersion[]> phe : handshakeProducers) {
+            for (ProtocolVersion pv : phe.getValue()) {
+                if (protocolVersion == pv) {
+                    return phe.getKey();
+                }
+            }
+        }
+
+        return null;
+    }
+
+    @Override
+    public String toString() {
+        return name;
+    }
+
+    /*
+    static SSLHandshake valueOf(byte id) {
+        for (SSLHandshake hs : SSLHandshake.values()) {
+            if (hs.id == id) {
+                return hs;
+            }
+        }
+
+        return null;
+    }
+    */
+
+    static String nameOf(byte id) {
+        // If two handshake message share the same handshake type, returns
+        // the first handshake message name.
+        //
+        // It is not a big issue at present as only ServerHello and
+        // HellRetryRequest share a handshake type.
+        for (SSLHandshake hs : SSLHandshake.values()) {
+            if (hs.id == id) {
+                return hs.name;
+            }
+        }
+
+        return "UNKNOWN-HANDSHAKE-MESSAGE(" + id + ")";
+    }
+
+    static final void kickstart(HandshakeContext context) throws IOException {
+        if (context instanceof ClientHandshakeContext) {
+            // For initial handshaking, including session resumption,
+            // ClientHello message is used as the kickstart message.
+            //
+            // (D)TLS 1.2 and older protocols support renegotiation on existing
+            // connections.  A ClientHello messages is used to kickstart the
+            // renegotiation.
+            //
+            // (D)TLS 1.3 forbids renegotiation.  The post-handshake KeyUpdate
+            // message is used to update the sending cryptographic keys.
+            if (context.conContext.isNegotiated &&
+                    context.conContext.protocolVersion.useTLS13PlusSpec()) {
+                // Use KeyUpdate message for renegotiation.
+                KeyUpdate.kickstartProducer.produce(context);
+            } else {
+                // Using ClientHello message for the initial handshaking
+                // (including session resumption) or renegotiation.
+                // SSLHandshake.CLIENT_HELLO.produce(context);
+                ClientHello.kickstartProducer.produce(context);
+            }
+        } else {
+            // The server side can delivering kickstart message after the
+            // connection has established.
+            //
+            // (D)TLS 1.2 and older protocols use HelloRequest to begin a
+            // negotiation process anew.
+            //
+            // While (D)TLS 1.3 uses the post-handshake KeyUpdate message
+            // to update the sending cryptographic keys.
+            if (context.conContext.protocolVersion.useTLS13PlusSpec()) {
+                // Use KeyUpdate message for renegotiation.
+                KeyUpdate.kickstartProducer.produce(context);
+            } else {
+                // SSLHandshake.HELLO_REQUEST.produce(context);
+                HelloRequest.kickstartProducer.produce(context);
+            }
+        }
+    }
+
+    /**
+     * A (transparent) specification of handshake message.
+     */
+    static abstract class HandshakeMessage {
+        final HandshakeContext      handshakeContext;
+
+        HandshakeMessage(HandshakeContext handshakeContext) {
+            this.handshakeContext = handshakeContext;
+        }
+
+        abstract SSLHandshake handshakeType();
+        abstract int messageLength();
+        abstract void send(HandshakeOutStream hos) throws IOException;
+
+        void write(HandshakeOutStream hos) throws IOException {
+            int len = messageLength();
+            if (len >= Record.OVERFLOW_OF_INT24) {
+                throw new SSLException("Handshake message is overflow"
+                        + ", type = " + handshakeType() + ", len = " + len);
+            }
+            hos.write(handshakeType().id);
+            hos.putInt24(len);
+            send(hos);
+            hos.complete();
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLHandshakeBinding.java	2018-05-11 15:10:01.102251200 -0700
@@ -0,0 +1,47 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.util.Map;
+
+interface SSLHandshakeBinding {
+    default SSLHandshake[] getRelatedHandshakers(
+            HandshakeContext handshakeContext) {
+        return new SSLHandshake[0];
+    }
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    default Map.Entry<Byte, HandshakeProducer>[] getHandshakeProducers(
+            HandshakeContext handshakeContext) {
+        return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[0]);
+    }
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    default Map.Entry<Byte, SSLConsumer>[] getHandshakeConsumers(
+            HandshakeContext handshakeContext) {
+        return (Map.Entry<Byte, SSLConsumer>[])(new Map.Entry[0]);
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLKeyAgreement.java	2018-05-11 15:10:02.866265900 -0700
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+interface SSLKeyAgreement
+        extends SSLPossessionGenerator, SSLKeyAgreementGenerator,
+        SSLHandshakeBinding {
+    // blank
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLKeyAgreementGenerator.java	2018-05-11 15:10:04.518380300 -0700
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+
+interface SSLKeyAgreementGenerator {
+    SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context) throws IOException;
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLKeyDerivation.java	2018-05-11 15:10:06.218139500 -0700
@@ -0,0 +1,35 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.SecretKey;
+
+interface SSLKeyDerivation {
+    SecretKey deriveKey(String algorithm,
+            AlgorithmParameterSpec params) throws IOException;
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLKeyDerivationGenerator.java	2018-05-11 15:10:07.891892100 -0700
@@ -0,0 +1,34 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import javax.crypto.SecretKey;
+
+interface SSLKeyDerivationGenerator {
+    SSLKeyDerivation createKeyDerivation(HandshakeContext context,
+            SecretKey secretKey) throws IOException;
+}
--- old/src/java.base/share/classes/sun/security/ssl/ClientKeyExchangeService.java	2018-05-11 15:10:10.464760300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,138 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import sun.security.action.GetPropertyAction;
-
-import java.io.File;
-import java.io.FilePermission;
-import java.io.IOException;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.SecureRandom;
-import java.util.*;
-
-/**
- * Models a service that provides support for a particular client key exchange
- * mode. Currently used to implement Kerberos-related cipher suites.
- *
- * @since 9
- */
-public interface ClientKeyExchangeService {
-
-    static class Loader {
-        private static final Map<String,ClientKeyExchangeService>
-                providers = new HashMap<>();
-
-        static {
-            String path = GetPropertyAction.privilegedGetProperty("java.home");
-            ServiceLoader<ClientKeyExchangeService> sc =
-                    AccessController.doPrivileged(
-                            (PrivilegedAction<ServiceLoader<ClientKeyExchangeService>>)
-                                    () -> ServiceLoader.loadInstalled(ClientKeyExchangeService.class),
-                            null,
-                            new FilePermission(new File(path, "-").toString(), "read"));
-            Iterator<ClientKeyExchangeService> iter = sc.iterator();
-            while (iter.hasNext()) {
-                ClientKeyExchangeService cs = iter.next();
-                for (String ex: cs.supported()) {
-                    providers.put(ex, cs);
-                }
-            }
-        }
-
-    }
-
-    public static ClientKeyExchangeService find(String ex) {
-        return Loader.providers.get(ex);
-    }
-
-
-    /**
-     * Returns the supported key exchange modes by this provider.
-     * @return the supported key exchange modes
-     */
-    String[] supported();
-
-    /**
-     * Returns a generalized credential object on the server side. The server
-     * side can use the info to determine if a cipher suite can be enabled.
-     * @param acc the AccessControlContext of the SSL session
-     * @return the credential object
-     */
-    Object getServiceCreds(AccessControlContext acc);
-
-    /**
-     * Returns the host name for a service principal. The info can be used in
-     * SNI or host name verifier.
-     * @param principal the principal of a service
-     * @return the string formed host name
-     */
-    String getServiceHostName(Principal principal);
-
-    /**
-     * Returns whether the specified principal is related to the current
-     * SSLSession. The info can be used to verify a SSL resume.
-     * @param isClient if true called from client side, otherwise from server
-     * @param acc the AccessControlContext of the SSL session
-     * @param p the specified principal
-     * @return true if related
-     */
-    boolean isRelated(boolean isClient, AccessControlContext acc, Principal p);
-
-    /**
-     * Creates the ClientKeyExchange object on the client side.
-     * @param serverName the intented peer name
-     * @param acc the AccessControlContext of the SSL session
-     * @param protocolVersion the TLS protocol version
-     * @param rand the SecureRandom that will used to generate the premaster
-     * @return the new Exchanger object
-     * @throws IOException if there is an error
-     */
-    ClientKeyExchange createClientExchange(String serverName, AccessControlContext acc,
-            ProtocolVersion protocolVersion, SecureRandom rand) throws IOException;
-
-    /**
-     * Create the ClientKeyExchange on the server side.
-     * @param protocolVersion the protocol version
-     * @param clientVersion the input protocol version
-     * @param rand a SecureRandom object used to generate premaster
-     *             (if the server has to create one)
-     * @param encodedTicket the ticket from client
-     * @param encrypted the encrypted premaster secret from client
-     * @param acc the AccessControlContext of the SSL session
-     * @param ServiceCreds the service side credentials object as retrived from
-     *                     {@link #getServiceCreds}
-     * @return the new Exchanger object
-     * @throws IOException if there is an error
-     */
-    ClientKeyExchange createServerExchange(
-            ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
-            SecureRandom rand, byte[] encodedTicket, byte[] encrypted,
-            AccessControlContext acc, Object ServiceCreds) throws IOException;
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLKeyExchange.java	2018-05-11 15:10:09.725369200 -0700
@@ -0,0 +1,584 @@
+/*
+ * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.util.AbstractMap.SimpleImmutableEntry;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.Map;
+import sun.security.ssl.DHKeyExchange.DHEPossession;
+import sun.security.ssl.ECDHKeyExchange.ECDHEPossession;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroupType;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+import sun.security.ssl.X509Authentication.X509Possession;
+
+final class SSLKeyExchange implements SSLKeyAgreement {
+    private final SSLAuthentication authentication;
+    private final SSLKeyAgreement keyAgreement;
+
+    SSLKeyExchange(X509Authentication authentication,
+            SSLKeyAgreement keyAgreement) {
+        this.authentication = authentication;
+        this.keyAgreement = keyAgreement;
+    }
+
+    SSLPossession[] createPossessions(HandshakeContext context) {
+        // authentication
+        SSLPossession authPossession = null;
+        if (authentication != null) {
+            authPossession = authentication.createPossession(context);
+            if (authPossession == null) {
+                return new SSLPossession[0];
+            } else if (context instanceof ServerHandshakeContext) {
+                // The authentication information may be used further for
+                // key agreement parameters negotiation.
+                ServerHandshakeContext shc = (ServerHandshakeContext)context;
+                shc.interimAuthn = authPossession;
+            }
+        }
+
+        // key agreement
+        SSLPossession kaPossession;
+        if (keyAgreement == T12KeyAgreement.RSA_EXPORT) {
+            // a special case
+            X509Possession x509Possession = (X509Possession)authPossession;
+            if (JsseJce.getRSAKeyLength(
+                    x509Possession.popCerts[0].getPublicKey()) > 512) {
+                kaPossession = keyAgreement.createPossession(context);
+
+                if (kaPossession == null) {
+                    return new SSLPossession[0];
+                } else {
+                    return authentication != null ?
+                            new SSLPossession[] {authPossession, kaPossession} :
+                            new SSLPossession[] {kaPossession};
+                }
+            } else {
+                return authentication != null ?
+                        new SSLPossession[] {authPossession} :
+                        new SSLPossession[0];
+            }
+        } else {
+            kaPossession = keyAgreement.createPossession(context);
+            if (kaPossession == null) {
+                // special cases
+                if (keyAgreement == T12KeyAgreement.RSA ||
+                        keyAgreement == T12KeyAgreement.ECDH) {
+                    return authentication != null ?
+                            new SSLPossession[] {authPossession} :
+                            new SSLPossession[0];
+                } else {
+                    return new SSLPossession[0];
+                }
+            } else {
+                return authentication != null ?
+                        new SSLPossession[] {authPossession, kaPossession} :
+                        new SSLPossession[] {kaPossession};
+            }
+        }
+    }
+
+    @Override
+    public SSLPossession createPossession(HandshakeContext handshakeContext) {
+        // Please call createPossessions() so that the SSLAuthentication
+        // is counted.
+        throw new UnsupportedOperationException(
+                "SSLKeyExchange.createPossessions() should be used instead");
+    }
+
+    @Override
+    public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext handshakeContext) throws IOException {
+        return keyAgreement.createKeyDerivation(handshakeContext);
+    }
+
+    @Override
+    public SSLHandshake[] getRelatedHandshakers(
+            HandshakeContext handshakeContext) {
+        SSLHandshake[] auHandshakes;
+        if (authentication != null) {
+            auHandshakes =
+                authentication.getRelatedHandshakers(handshakeContext);
+        } else {
+            auHandshakes = null;
+        }
+
+        SSLHandshake[] kaHandshakes =
+                keyAgreement.getRelatedHandshakers(handshakeContext);
+
+        if (auHandshakes == null || auHandshakes.length == 0) {
+            return kaHandshakes;
+        } else if (kaHandshakes == null || kaHandshakes.length == 0) {
+            return auHandshakes;
+        } else {
+            SSLHandshake[] producers = Arrays.copyOf(
+                     auHandshakes, auHandshakes.length + kaHandshakes.length);
+            System.arraycopy(kaHandshakes, 0,
+                    producers, auHandshakes.length, kaHandshakes.length);
+            return producers;
+        }
+    }
+
+    @Override
+    public Map.Entry<Byte, HandshakeProducer>[] getHandshakeProducers(
+            HandshakeContext handshakeContext) {
+        Map.Entry<Byte, HandshakeProducer>[] auProducers;
+        if (authentication != null) {
+            auProducers =
+                authentication.getHandshakeProducers(handshakeContext);
+        } else {
+            auProducers = null;
+        }
+
+        Map.Entry<Byte, HandshakeProducer>[] kaProducers =
+                keyAgreement.getHandshakeProducers(handshakeContext);
+
+        if (auProducers == null || auProducers.length == 0) {
+            return kaProducers;
+        } else if (kaProducers == null || kaProducers.length == 0) {
+            return auProducers;
+        } else {
+            Map.Entry<Byte, HandshakeProducer>[] producers = Arrays.copyOf(
+                     auProducers, auProducers.length + kaProducers.length);
+            System.arraycopy(kaProducers, 0,
+                    producers, auProducers.length, kaProducers.length);
+            return producers;
+        }
+    }
+
+    @Override
+    public Map.Entry<Byte, SSLConsumer>[] getHandshakeConsumers(
+            HandshakeContext handshakeContext) {
+        Map.Entry<Byte, SSLConsumer>[] auConsumers;
+        if (authentication != null) {
+            auConsumers =
+                authentication.getHandshakeConsumers(handshakeContext);
+        } else {
+            auConsumers = null;
+        }
+
+        Map.Entry<Byte, SSLConsumer>[] kaConsumers =
+                keyAgreement.getHandshakeConsumers(handshakeContext);
+
+        if (auConsumers == null || auConsumers.length == 0) {
+            return kaConsumers;
+        } else if (kaConsumers == null || kaConsumers.length == 0) {
+            return auConsumers;
+        } else {
+            Map.Entry<Byte, SSLConsumer>[] producers = Arrays.copyOf(
+                     auConsumers, auConsumers.length + kaConsumers.length);
+            System.arraycopy(kaConsumers, 0,
+                    producers, auConsumers.length, kaConsumers.length);
+            return producers;
+        }
+    }
+
+    // SSL 3.0 - (D)TLS 1.2
+    static SSLKeyExchange valueOf(
+            CipherSuite.KeyExchange keyExchange) {
+        if (keyExchange == null) {
+            return null;
+        }
+
+        switch (keyExchange) {
+            case K_RSA:
+                return SSLKeyExRSA.KE;
+            case K_RSA_EXPORT:
+                return SSLKeyExRSAExport.KE;
+            case K_DHE_DSS:
+                return SSLKeyExDHEDSS.KE;
+            case K_DHE_DSS_EXPORT:
+                return SSLKeyExDHEDSSExport.KE;
+            case K_DHE_RSA:
+                return SSLKeyExDHERSA.KE;
+            case K_DHE_RSA_EXPORT:
+                return SSLKeyExDHERSAExport.KE;
+            case K_DH_ANON:
+                return SSLKeyExDHANON.KE;
+            case K_DH_ANON_EXPORT:
+                return SSLKeyExDHANONExport.KE;
+            case K_ECDH_ECDSA:
+                return SSLKeyExECDHECDSA.KE;
+            case K_ECDH_RSA:
+                return SSLKeyExECDHRSA.KE;
+            case K_ECDHE_ECDSA:
+                return SSLKeyExECDHEECDSA.KE;
+            case K_ECDHE_RSA:
+                return SSLKeyExECDHERSA.KE;
+            case K_ECDH_ANON:
+                return SSLKeyExECDHANON.KE;
+        }
+
+        return null;
+    }
+
+    // TLS 1.3
+    static SSLKeyExchange valueOf(NamedGroup namedGroup) {
+        SSLKeyAgreement ka = T13KeyAgreement.valueOf(namedGroup);
+        if (ka != null) {
+            return new SSLKeyExchange(
+                null, T13KeyAgreement.valueOf(namedGroup));
+        }
+
+        return null;
+    }
+
+    private static class SSLKeyExRSA {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.RSA, T12KeyAgreement.RSA);
+    }
+
+    private static class SSLKeyExRSAExport {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.RSA, T12KeyAgreement.RSA_EXPORT);
+    }
+
+    private static class SSLKeyExDHEDSS {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.DSA, T12KeyAgreement.DHE);
+    }
+
+    private static class SSLKeyExDHEDSSExport {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.DSA, T12KeyAgreement.DHE_EXPORT);
+    }
+
+    private static class SSLKeyExDHERSA {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.RSA, T12KeyAgreement.DHE);
+    }
+
+    private static class SSLKeyExDHERSAExport {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.RSA, T12KeyAgreement.DHE_EXPORT);
+    }
+
+    private static class SSLKeyExDHANON {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                null, T12KeyAgreement.DHE);
+    }
+
+    private static class SSLKeyExDHANONExport {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                null, T12KeyAgreement.DHE_EXPORT);
+    }
+
+    private static class SSLKeyExECDHECDSA {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.EC, T12KeyAgreement.ECDH);
+    }
+
+    private static class SSLKeyExECDHRSA {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.EC, T12KeyAgreement.ECDH);
+    }
+
+    private static class SSLKeyExECDHEECDSA {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.EC, T12KeyAgreement.ECDHE);
+    }
+
+    private static class SSLKeyExECDHERSA {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                X509Authentication.RSA, T12KeyAgreement.ECDHE);
+    }
+
+    private static class SSLKeyExECDHANON {
+        private static SSLKeyExchange KE = new SSLKeyExchange(
+                null, T12KeyAgreement.ECDHE);
+    }
+
+    private enum T12KeyAgreement implements SSLKeyAgreement {
+        RSA             ("rsa",         null,
+                                        RSAKeyExchange.kaGenerator),
+        RSA_EXPORT      ("rsa_export",  RSAKeyExchange.poGenerator,
+                                        RSAKeyExchange.kaGenerator),
+        DHE             ("dhe",         DHKeyExchange.poGenerator,
+                                        DHKeyExchange.kaGenerator),
+        DHE_EXPORT      ("dhe_export",  DHKeyExchange.poExportableGenerator,
+                                        DHKeyExchange.kaGenerator),
+        ECDH            ("ecdh",        null,
+                                        ECDHKeyExchange.ecdhKAGenerator),
+        ECDHE           ("ecdhe",       ECDHKeyExchange.poGenerator,
+                                        ECDHKeyExchange.ecdheKAGenerator);
+
+        final String name;
+        final SSLPossessionGenerator possessionGenerator;
+        final SSLKeyAgreementGenerator keyAgreementGenerator;
+
+        T12KeyAgreement(String name,
+                SSLPossessionGenerator possessionGenerator,
+                SSLKeyAgreementGenerator keyAgreementGenerator) {
+            this.name = name;
+            this.possessionGenerator = possessionGenerator;
+            this.keyAgreementGenerator = keyAgreementGenerator;
+        }
+
+        @Override
+        public SSLPossession createPossession(HandshakeContext context) {
+            if (possessionGenerator != null) {
+                return possessionGenerator.createPossession(context);
+            }
+
+            return null;
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext context) throws IOException {
+            return keyAgreementGenerator.createKeyDerivation(context);
+        }
+
+        @Override
+        public SSLHandshake[] getRelatedHandshakers(
+                HandshakeContext handshakeContext) {
+            if (!handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
+                if (this.possessionGenerator != null) {
+                    return new SSLHandshake[] {
+                            SSLHandshake.SERVER_KEY_EXCHANGE
+                        };
+                }
+            }
+
+            return new SSLHandshake[0];
+        }
+
+        @Override
+        @SuppressWarnings({"unchecked", "rawtypes"})
+        public Map.Entry<Byte, HandshakeProducer>[] getHandshakeProducers(
+                HandshakeContext handshakeContext) {
+            if (handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
+                return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[0]);
+            }
+
+            if (handshakeContext.sslConfig.isClientMode) {
+                switch (this) {
+                    case RSA:
+                    case RSA_EXPORT:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                    RSAClientKeyExchange.rsaHandshakeProducer
+                            )
+                        });
+
+                    case DHE:
+                    case DHE_EXPORT:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<Byte, HandshakeProducer>(
+                                    SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                    DHClientKeyExchange.dhHandshakeProducer
+                            )
+                        });
+
+                    case ECDH:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                ECDHClientKeyExchange.ecdhHandshakeProducer
+                            )
+                        });
+
+                    case ECDHE:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                ECDHClientKeyExchange.ecdheHandshakeProducer
+                            )
+                        });
+                }
+            } else {
+                switch (this) {
+                    case RSA_EXPORT:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.SERVER_KEY_EXCHANGE.id,
+                                    RSAServerKeyExchange.rsaHandshakeProducer
+                            )
+                        });
+
+                    case DHE:
+                    case DHE_EXPORT:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.SERVER_KEY_EXCHANGE.id,
+                                    DHServerKeyExchange.dhHandshakeProducer
+                            )
+                        });
+
+                    case ECDHE:
+                        return (Map.Entry<Byte,
+                                HandshakeProducer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.SERVER_KEY_EXCHANGE.id,
+                                    ECDHServerKeyExchange.ecdheHandshakeProducer
+                            )
+                        });
+                }
+            }
+
+            return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[0]);
+        }
+
+        @Override
+        @SuppressWarnings({"unchecked", "rawtypes"})
+        public Map.Entry<Byte, SSLConsumer>[] getHandshakeConsumers(
+                HandshakeContext handshakeContext) {
+            if (handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
+                return (Map.Entry<Byte, SSLConsumer>[])(new Map.Entry[0]);
+            }
+
+            if (handshakeContext.sslConfig.isClientMode) {
+                switch (this) {
+                    case RSA_EXPORT:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.SERVER_KEY_EXCHANGE.id,
+                                    RSAServerKeyExchange.rsaHandshakeConsumer
+                            )
+                        });
+
+                    case DHE:
+                    case DHE_EXPORT:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.SERVER_KEY_EXCHANGE.id,
+                                    DHServerKeyExchange.dhHandshakeConsumer
+                            )
+                        });
+
+                    case ECDHE:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.SERVER_KEY_EXCHANGE.id,
+                                    ECDHServerKeyExchange.ecdheHandshakeConsumer
+                            )
+                        });
+                }
+            } else {
+                switch (this) {
+                    case RSA:
+                    case RSA_EXPORT:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                    RSAClientKeyExchange.rsaHandshakeConsumer
+                            )
+                        });
+
+                    case DHE:
+                    case DHE_EXPORT:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                    SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                    DHClientKeyExchange.dhHandshakeConsumer
+                            )
+                        });
+
+                    case ECDH:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                ECDHClientKeyExchange.ecdhHandshakeConsumer
+                            )
+                        });
+
+                    case ECDHE:
+                        return (Map.Entry<Byte,
+                                SSLConsumer>[])(new Map.Entry[] {
+                            new SimpleImmutableEntry<>(
+                                SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                                ECDHClientKeyExchange.ecdheHandshakeConsumer
+                            )
+                        });
+                }
+            }
+
+            return (Map.Entry<Byte, SSLConsumer>[])(new Map.Entry[0]);
+        }
+    }
+
+    private static final class T13KeyAgreement implements SSLKeyAgreement {
+        private final NamedGroup namedGroup;
+        static final Map<NamedGroup, T13KeyAgreement>
+                supportedKeyShares = new HashMap<>();
+
+        static {
+            for (NamedGroup namedGroup :
+                    SupportedGroups.supportedNamedGroups) {
+                supportedKeyShares.put(
+                        namedGroup, new T13KeyAgreement(namedGroup));
+            }
+        }
+
+        private T13KeyAgreement(NamedGroup namedGroup) {
+            this.namedGroup = namedGroup;
+        }
+
+        static T13KeyAgreement valueOf(NamedGroup namedGroup) {
+            return supportedKeyShares.get(namedGroup);
+        }
+
+        @Override
+        public SSLPossession createPossession(HandshakeContext hc) {
+            if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                return new ECDHEPossession(
+                        namedGroup, hc.sslContext.getSecureRandom());
+            } else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                return new DHEPossession(
+                        namedGroup, hc.sslContext.getSecureRandom());
+            }
+
+            return null;
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext hc) throws IOException {
+            if (namedGroup.type == NamedGroupType.NAMED_GROUP_ECDHE) {
+                return ECDHKeyExchange.ecdheKAGenerator.createKeyDerivation(hc);
+            } else if (namedGroup.type == NamedGroupType.NAMED_GROUP_FFDHE) {
+                return DHKeyExchange.kaGenerator.createKeyDerivation(hc);
+            }
+
+            return null;
+        }
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/Debug.java	2018-05-11 15:10:12.347930100 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,250 +0,0 @@
-/*
- * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.PrintStream;
-import java.util.Locale;
-
-import sun.security.util.HexDumpEncoder;
-import java.nio.ByteBuffer;
-
-import sun.security.action.GetPropertyAction;
-
-/**
- * This class has be shamefully lifted from sun.security.util.Debug
- *
- * @author Gary Ellison
- */
-public class Debug {
-
-    private String prefix;
-
-    private static String args;
-
-    static {
-        args = GetPropertyAction.privilegedGetProperty("javax.net.debug", "");
-        args = args.toLowerCase(Locale.ENGLISH);
-        if (args.equals("help")) {
-            Help();
-        }
-    }
-
-    public static void Help()
-    {
-        System.err.println();
-        System.err.println("all            turn on all debugging");
-        System.err.println("ssl            turn on ssl debugging");
-        System.err.println();
-        System.err.println("The following can be used with ssl:");
-        System.err.println("\trecord       enable per-record tracing");
-        System.err.println("\thandshake    print each handshake message");
-        System.err.println("\tkeygen       print key generation data");
-        System.err.println("\tsession      print session activity");
-        System.err.println("\tdefaultctx   print default SSL initialization");
-        System.err.println("\tsslctx       print SSLContext tracing");
-        System.err.println("\tsessioncache print session cache tracing");
-        System.err.println("\tkeymanager   print key manager tracing");
-        System.err.println("\ttrustmanager print trust manager tracing");
-        System.err.println("\tpluggability print pluggability tracing");
-        System.err.println();
-        System.err.println("\thandshake debugging can be widened with:");
-        System.err.println("\tdata         hex dump of each handshake message");
-        System.err.println("\tverbose      verbose handshake message printing");
-        System.err.println();
-        System.err.println("\trecord debugging can be widened with:");
-        System.err.println("\tplaintext    hex dump of record plaintext");
-        System.err.println("\tpacket       print raw SSL/TLS packets");
-        System.err.println();
-        System.exit(0);
-    }
-
-    /**
-     * Get a Debug object corresponding to whether or not the given
-     * option is set. Set the prefix to be the same as option.
-     */
-
-    public static Debug getInstance(String option)
-    {
-        return getInstance(option, option);
-    }
-
-    /**
-     * Get a Debug object corresponding to whether or not the given
-     * option is set. Set the prefix to be prefix.
-     */
-    public static Debug getInstance(String option, String prefix)
-    {
-        if (isOn(option)) {
-            Debug d = new Debug();
-            d.prefix = prefix;
-            return d;
-        } else {
-            return null;
-        }
-    }
-
-    /**
-     * True if the property "javax.net.debug" contains the
-     * string "option".
-     */
-    public static boolean isOn(String option)
-    {
-        if (args == null) {
-            return false;
-        } else {
-            int n = 0;
-            option = option.toLowerCase(Locale.ENGLISH);
-
-            if (args.indexOf("all") != -1) {
-                return true;
-            } else if ((n = args.indexOf("ssl")) != -1) {
-                if (args.indexOf("sslctx", n) == -1) {
-                    // don't enable data and plaintext options by default
-                    if (!(option.equals("data")
-                        || option.equals("packet")
-                        || option.equals("plaintext"))) {
-                        return true;
-                    }
-                }
-            }
-            return (args.indexOf(option) != -1);
-        }
-    }
-
-    /**
-     * print a message to stderr that is prefixed with the prefix
-     * created from the call to getInstance.
-     */
-
-    public void println(String message)
-    {
-        System.err.println(prefix + ": "+message);
-    }
-
-    /**
-     * Print a message to stdout.
-     */
-    static void log(String message) {
-        System.out.println(Thread.currentThread().getName() + ": " + message);
-    }
-
-    /**
-     * print a blank line to stderr that is prefixed with the prefix.
-     */
-
-    public void println()
-    {
-        System.err.println(prefix + ":");
-    }
-
-    /**
-     * print a message to stderr that is prefixed with the prefix.
-     */
-    public static void println(String prefix, String message)
-    {
-        System.err.println(prefix + ": "+message);
-    }
-
-    public static void println(PrintStream s, String name, byte[] data) {
-        s.print(name + ":  { ");
-        if (data == null) {
-            s.print("null");
-        } else {
-            for (int i = 0; i < data.length; i++) {
-                if (i != 0) s.print(", ");
-                s.print(data[i] & 0x0ff);
-            }
-        }
-        s.println(" }");
-    }
-
-    /**
-     * Return the value of the boolean System property propName.
-     *
-     * Note use of privileged action. Do NOT make accessible to applications.
-     */
-    static boolean getBooleanProperty(String propName, boolean defaultValue) {
-        // if set, require value of either true or false
-        String b = GetPropertyAction.privilegedGetProperty(propName);
-        if (b == null) {
-            return defaultValue;
-        } else if (b.equalsIgnoreCase("false")) {
-            return false;
-        } else if (b.equalsIgnoreCase("true")) {
-            return true;
-        } else {
-            throw new RuntimeException("Value of " + propName
-                + " must either be 'true' or 'false'");
-        }
-    }
-
-    static String toString(byte[] b) {
-        return sun.security.util.Debug.toString(b);
-    }
-
-    static void printHex(String prefix, byte[] bytes) {
-        HexDumpEncoder dump = new HexDumpEncoder();
-
-        synchronized (System.out) {
-            System.out.println(prefix);
-            try {
-                dump.encodeBuffer(bytes, System.out);
-            } catch (Exception e) {
-                // ignore
-            }
-            System.out.flush();
-        }
-    }
-
-    static void printHex(String prefix, ByteBuffer bb) {
-        HexDumpEncoder dump = new HexDumpEncoder();
-
-        synchronized (System.out) {
-            System.out.println(prefix);
-            try {
-                dump.encodeBuffer(bb.slice(), System.out);
-            } catch (Exception e) {
-                // ignore
-            }
-            System.out.flush();
-        }
-    }
-
-    static void printHex(String prefix, byte[] bytes, int offset, int length) {
-        HexDumpEncoder dump = new HexDumpEncoder();
-
-        synchronized (System.out) {
-            System.out.println(prefix);
-            try {
-                ByteBuffer bb = ByteBuffer.wrap(bytes, offset, length);
-                dump.encodeBuffer(bb, System.out);
-            } catch (Exception e) {
-                // ignore
-            }
-            System.out.flush();
-        }
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLLogger.java	2018-05-11 15:10:11.607573700 -0700
@@ -0,0 +1,609 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.PrintStream;
+import java.lang.System.Logger;
+import java.lang.System.Logger.Level;
+import java.nio.ByteBuffer;
+import java.security.cert.Certificate;
+import java.security.cert.Extension;
+import java.security.cert.X509Certificate;
+import java.text.MessageFormat;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Locale;
+import java.util.Map;
+import java.util.ResourceBundle;
+import sun.security.action.GetPropertyAction;
+import sun.security.util.HexDumpEncoder;
+import sun.security.x509.*;
+
+/**
+ * Implementation of SSL logger.
+ *
+ * If the system property "javax.net.debug" is not defined, the debug logging
+ * is turned off.  If the system property "javax.net.debug" is defined as
+ * empty, the debug logger is specified by System.getLogger("javax.net.ssl"),
+ * and applications can customize and configure the logger or use external
+ * logging mechanisms.  If the system property "javax.net.debug" is defined
+ * and non-empty, a private debug logger implemented in this class is used.
+ */
+public final class SSLLogger {
+    private static final System.Logger logger;
+    private static final String property;
+    public static final boolean isOn;
+
+    static {
+        String p = GetPropertyAction.privilegedGetProperty("javax.net.debug");
+        if (p != null) {
+            if (p.isEmpty()) {
+                property = "";
+                logger = System.getLogger("javax.net.ssl");
+            } else {
+                property = p.toLowerCase(Locale.ENGLISH);
+                if (property.equals("help")) {
+                    help();
+                }
+
+                logger = new SSLConsoleLogger("javax.net.ssl", p);
+            }
+            isOn = true;
+        } else {
+            property = null;
+            logger = null;
+            isOn = false;
+        }
+    }
+
+    private static void help() {
+        System.err.println();
+        System.err.println("help           print the help messages");
+        System.err.println("expand         expand debugging information");
+        System.err.println();
+        System.err.println("all            turn on all debugging");
+        System.err.println("ssl            turn on ssl debugging");
+        System.err.println();
+        System.err.println("The following can be used with ssl:");
+        System.err.println("\trecord       enable per-record tracing");
+        System.err.println("\thandshake    print each handshake message");
+        System.err.println("\tkeygen       print key generation data");
+        System.err.println("\tsession      print session activity");
+        System.err.println("\tdefaultctx   print default SSL initialization");
+        System.err.println("\tsslctx       print SSLContext tracing");
+        System.err.println("\tsessioncache print session cache tracing");
+        System.err.println("\tkeymanager   print key manager tracing");
+        System.err.println("\ttrustmanager print trust manager tracing");
+        System.err.println("\tpluggability print pluggability tracing");
+        System.err.println();
+        System.err.println("\thandshake debugging can be widened with:");
+        System.err.println("\tdata         hex dump of each handshake message");
+        System.err.println("\tverbose      verbose handshake message printing");
+        System.err.println();
+        System.err.println("\trecord debugging can be widened with:");
+        System.err.println("\tplaintext    hex dump of record plaintext");
+        System.err.println("\tpacket       print raw SSL/TLS packets");
+        System.err.println();
+        System.exit(0);
+    }
+
+    /**
+     * Return true if the "javax.net.debug" property contains the
+     * debug check points, or System.Logger is used.
+     */
+    public static boolean isOn(String checkPoints) {
+        if (property == null) {              // debugging is turned off
+            return false;
+        } else if (property.isEmpty()) {     // use System.Logger
+            return true;
+        }                                   // use provider logger
+
+        String[] options = checkPoints.split(",");
+        for (String option : options) {
+            option = option.trim();
+            if (!SSLLogger.hasOption(option)) {
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    private static boolean hasOption(String option) {
+        option = option.toLowerCase(Locale.ENGLISH);
+        if (property.contains("all")) {
+            return true;
+        } else {
+            int offset = property.indexOf("ssl");
+            if (offset != -1 && property.indexOf("sslctx", offset) != -1) {
+                // don't enable data and plaintext options by default
+                if (!(option.equals("data")
+                        || option.equals("packet")
+                        || option.equals("plaintext"))) {
+                    return true;
+                }
+            }
+        }
+
+        return property.contains(option);
+    }
+
+    public static void severe(String msg, Object... params) {
+        SSLLogger.log(Level.ERROR, msg, params);
+    }
+
+    public static void warning(String msg, Object... params) {
+        SSLLogger.log(Level.WARNING, msg, params);
+    }
+
+    public static void info(String msg, Object... params) {
+        SSLLogger.log(Level.INFO, msg, params);
+    }
+
+    public static void fine(String msg, Object... params) {
+        SSLLogger.log(Level.DEBUG, msg, params);
+    }
+
+    public static void finer(String msg, Object... params) {
+        SSLLogger.log(Level.TRACE, msg, params);
+    }
+
+    public static void finest(String msg, Object... params) {
+        SSLLogger.log(Level.ALL, msg, params);
+    }
+
+    private static void log(Level level, String msg, Object... params) {
+        if (logger.isLoggable(level)) {
+            if (params == null || params.length == 0) {
+                logger.log(level, msg);
+            } else {
+                try {
+                    String formatted =
+                            SSLSimpleFormatter.formatParameters(params);
+                    logger.log(level, msg, formatted);
+                } catch (Exception exp) {
+                    // ignore it, just for debugging.
+                }
+            }
+        }
+    }
+
+    static String toString(Object... params) {
+        try {
+            return SSLSimpleFormatter.formatParameters(params);
+        } catch (Exception exp) {
+            return "unexpected exception thrown: " + exp.getMessage();
+        }
+    }
+
+    private static class SSLConsoleLogger implements Logger {
+        private final String loggerName;
+        private final boolean useCompactFormat;
+
+        SSLConsoleLogger(String loggerName, String options) {
+            this.loggerName = loggerName;
+            options = options.toLowerCase(Locale.ENGLISH);
+            this.useCompactFormat = !options.contains("expand");
+        }
+
+        @Override
+        public String getName() {
+            return loggerName;
+        }
+
+        @Override
+        public boolean isLoggable(Level level) {
+            return (level != Level.OFF);
+        }
+
+        @Override
+        public void log(Level level,
+                ResourceBundle rb, String message, Throwable thrwbl) {
+            if (isLoggable(level)) {
+                try {
+                    String formatted =
+                        SSLSimpleFormatter.format(this, level, message, thrwbl);
+                    System.err.write(formatted.getBytes("UTF-8"));
+                } catch (Exception exp) {
+                    // ignore it, just for debugging.
+                }
+            }
+        }
+
+        @Override
+        public void log(Level level,
+                ResourceBundle rb, String message, Object... params) {
+            if (isLoggable(level)) {
+                try {
+                    String formatted =
+                        SSLSimpleFormatter.format(this, level, message, params);
+                    System.err.write(formatted.getBytes("UTF-8"));
+                } catch (Exception exp) {
+                    // ignore it, just for debugging.
+                }
+            }
+        }
+    }
+
+    private static class SSLSimpleFormatter {
+        private static final ThreadLocal<SimpleDateFormat> dateFormat =
+            new ThreadLocal<SimpleDateFormat>() {
+                @Override protected SimpleDateFormat initialValue() {
+                    return new SimpleDateFormat(
+                            "yyyy-MM-dd kk:mm:ss.SSS z", Locale.ENGLISH);
+                }
+            };
+
+        private static final MessageFormat basicCertFormat = new MessageFormat(
+                "\"version\"            : \"v{0}\",\n" +
+                "\"serial number\"      : \"{1}\",\n" +
+                "\"signature algorithm\": \"{2}\",\n" +
+                "\"issuer\"             : \"{3}\",\n" +
+                "\"not before\"         : \"{4}\",\n" +
+                "\"not  after\"         : \"{5}\",\n" +
+                "\"subject\"            : \"{6}\",\n" +
+                "\"subject public key\" : \"{7}\"\n",
+                Locale.ENGLISH);
+
+        private static final MessageFormat extendedCertFormart =
+            new MessageFormat(
+                "\"version\"            : \"v{0}\",\n" +
+                "\"serial number\"      : \"{1}\",\n" +
+                "\"signature algorithm\": \"{2}\",\n" +
+                "\"issuer\"             : \"{3}\",\n" +
+                "\"not before\"         : \"{4}\",\n" +
+                "\"not  after\"         : \"{5}\",\n" +
+                "\"subject\"            : \"{6}\",\n" +
+                "\"subject public key\" : \"{7}\",\n" +
+                "\"extensions\"         : [\n" +
+                "{8}\n" +
+                "]\n",
+                Locale.ENGLISH);
+
+        //
+        // private static MessageFormat certExtFormat = new MessageFormat(
+        //         "{0} [{1}] '{'\n" +
+        //         "  critical: {2}\n" +
+        //         "  value: {3}\n" +
+        //         "'}'",
+        //         Locale.ENGLISH);
+        //
+
+        private static final MessageFormat messageFormatNoParas =
+            new MessageFormat(
+                "'{'\n" +
+                "  \"logger\"      : \"{0}\",\n" +
+                "  \"level\"       : \"{1}\",\n" +
+                "  \"thread id\"   : \"{2}\",\n" +
+                "  \"thread name\" : \"{3}\",\n" +
+                "  \"time\"        : \"{4}\",\n" +
+                "  \"caller\"      : \"{5}\",\n" +
+                "  \"message\"     : \"{6}\"\n" +
+                "'}'\n",
+                Locale.ENGLISH);
+
+        private static final MessageFormat messageCompactFormatNoParas =
+            new MessageFormat(
+                "{0}|{1}|{2}|{3}|{4}|{5}|{6}\n",
+                Locale.ENGLISH);
+
+        private static final MessageFormat messageFormatWithParas =
+            new MessageFormat(
+                "'{'\n" +
+                "  \"logger\"      : \"{0}\",\n" +
+                "  \"level\"       : \"{1}\",\n" +
+                "  \"thread id\"   : \"{2}\",\n" +
+                "  \"thread name\" : \"{3}\",\n" +
+                "  \"time\"        : \"{4}\",\n" +
+                "  \"caller\"      : \"{5}\",\n" +
+                "  \"message\"     : \"{6}\",\n" +
+                "  \"specifics\"   : [\n" +
+                "{7}\n" +
+                "  ]\n" +
+                "'}'\n",
+                Locale.ENGLISH);
+
+        private static final MessageFormat messageCompactFormatWithParas =
+            new MessageFormat(
+                "{0}|{1}|{2}|{3}|{4}|{5}|{6} (\n" +
+                "{7}\n" +
+                ")\n",
+                Locale.ENGLISH);
+
+        private static final MessageFormat keyObjectFormat = new MessageFormat(
+                "\"{0}\" : '{'\n" +
+                "{1}" +
+                "'}'\n",
+                Locale.ENGLISH);
+
+        // INFO: [TH: 123450] 2011-08-20 23:12:32.3225 PDT
+        //     log message
+        //     log message
+        //     ...
+        private static String format(SSLConsoleLogger logger, Level level,
+                    String message, Object ... parameters) {
+
+            if (parameters == null || parameters.length == 0) {
+                Object[] messageFields = {
+                    logger.loggerName,
+                    level.getName(),
+                    Utilities.toHexString(Thread.currentThread().getId()),
+                    Thread.currentThread().getName(),
+                    dateFormat.get().format(new Date(System.currentTimeMillis())),
+                    formatCaller(),
+                    message
+                };
+
+                if (logger.useCompactFormat) {
+                    return messageCompactFormatNoParas.format(messageFields);
+                } else {
+                    return messageFormatNoParas.format(messageFields);
+                }
+            }
+
+            Object[] messageFields = {
+                    logger.loggerName,
+                    level.getName(),
+                    Utilities.toHexString(Thread.currentThread().getId()),
+                    Thread.currentThread().getName(),
+                    dateFormat.get().format(new Date(System.currentTimeMillis())),
+                    formatCaller(),
+                    message,
+                    (logger.useCompactFormat ?
+                        formatParameters(parameters) :
+                        Utilities.indent(formatParameters(parameters)))
+                };
+
+            if (logger.useCompactFormat) {
+                return messageCompactFormatWithParas.format(messageFields);
+            } else {
+                return messageFormatWithParas.format(messageFields);
+            }
+        }
+
+        private static String formatCaller() {
+            boolean isSSLLogger = false;
+            for (StackTraceElement ste: (new Throwable()).getStackTrace()) {
+                String cn = ste.getClassName();
+                if (cn.equals("sun.security.ssl.SSLLogger")) {
+                    // May be SSLLogger.log() or SSLLogger.fine(), etc.
+                    isSSLLogger = true;
+                } else if (isSSLLogger) {
+                    // Here is the caller to SSLLogger.fine(), etc.
+                    return ste.getFileName() + ":" + ste.getLineNumber();
+                }
+            }
+
+            return "unknown caller";
+        }
+
+        private static boolean isLoggerImpl(StackTraceElement ste) {
+            String cn = ste.getClassName();
+            System.out.println("class name: " + cn);
+            return cn.equals("sun.security.ssl.SSLLogger");
+        }
+
+        private static String formatParameters(Object ... parameters) {
+            StringBuilder builder = new StringBuilder(512);
+            boolean isFirst = true;
+            for (Object parameter : parameters) {
+                if (isFirst) {
+                    isFirst = false;
+                } else {
+                    builder.append(",\n");
+                }
+
+                if (parameter instanceof Throwable) {
+                    builder.append(formatThrowable((Throwable)parameter));
+                } else if (parameter instanceof Certificate) {
+                    builder.append(formatCertificate((Certificate)parameter));
+                } else if (parameter instanceof ByteArrayInputStream) {
+                    builder.append(formatByteArrayInputStream(
+                        (ByteArrayInputStream)parameter));
+                } else if (parameter instanceof ByteBuffer) {
+                    builder.append(formatByteBuffer((ByteBuffer)parameter));
+                } else if (parameter instanceof byte[]) {
+                    builder.append(formatByteArrayInputStream(
+                        new ByteArrayInputStream((byte[])parameter)));
+                } else if (parameter instanceof Map.Entry) {
+                    @SuppressWarnings("unchecked")
+                    Map.Entry<String, ?> mapParameter =
+                        (Map.Entry<String, ?>)parameter;
+                    builder.append(formatMapEntry(mapParameter));
+                } else {
+                    builder.append(formatObject(parameter));
+                }
+            }
+
+            return builder.toString();
+        }
+
+        // "throwable": {
+        //   ...
+        // }
+        private static String formatThrowable(Throwable throwable) {
+            StringBuilder builder = new StringBuilder(512);
+            ByteArrayOutputStream bytesOut = new ByteArrayOutputStream();
+            try (PrintStream out = new PrintStream(bytesOut)) {
+                throwable.printStackTrace(out);
+                builder.append(Utilities.indent(bytesOut.toString()));
+            }
+            Object[] fields = {
+                    "throwable",
+                    builder.toString()
+                };
+
+            return keyObjectFormat.format(fields);
+        }
+
+        // "certificate": {
+        //   ...
+        // }
+        private static String formatCertificate(Certificate certificate) {
+
+            if (!(certificate instanceof X509Certificate)) {
+                return Utilities.indent(certificate.toString());
+            }
+
+            StringBuilder builder = new StringBuilder(512);
+            try {
+                X509CertImpl x509 =
+                    X509CertImpl.toImpl((X509Certificate)certificate);
+                X509CertInfo certInfo =
+                        (X509CertInfo)x509.get(X509CertImpl.NAME + "." +
+                                                       X509CertImpl.INFO);
+                CertificateExtensions certExts = (CertificateExtensions)
+                        certInfo.get(X509CertInfo.EXTENSIONS);
+                if (certExts == null) {
+                    Object[] certFields = {
+                        x509.getVersion(),
+                        Utilities.toHexString(
+                                x509.getSerialNumber().toByteArray()),
+                        x509.getSigAlgName(),
+                        x509.getIssuerX500Principal().toString(),
+                        dateFormat.get().format(x509.getNotBefore()),
+                        dateFormat.get().format(x509.getNotAfter()),
+                        x509.getSubjectX500Principal().toString(),
+                        x509.getPublicKey().getAlgorithm()
+                        };
+                    builder.append(Utilities.indent(
+                            basicCertFormat.format(certFields)));
+                } else {
+                    StringBuilder extBuilder = new StringBuilder(512);
+                    boolean isFirst = true;
+                    for (Extension certExt : certExts.getAllExtensions()) {
+                        if (isFirst) {
+                            isFirst = false;
+                        } else {
+                            extBuilder.append(",\n");
+                        }
+                        extBuilder.append("{\n" +
+                            Utilities.indent(certExt.toString()) + "\n}");
+                    }
+                    Object[] certFields = {
+                        x509.getVersion(),
+                        Utilities.toHexString(
+                                x509.getSerialNumber().toByteArray()),
+                        x509.getSigAlgName(),
+                        x509.getIssuerX500Principal().toString(),
+                        dateFormat.get().format(x509.getNotBefore()),
+                        dateFormat.get().format(x509.getNotAfter()),
+                        x509.getSubjectX500Principal().toString(),
+                        x509.getPublicKey().getAlgorithm(),
+                        Utilities.indent(extBuilder.toString())
+                        };
+                    builder.append(Utilities.indent(
+                            extendedCertFormart.format(certFields)));
+                }
+            } catch (Exception ce) {
+                // ignore the exception
+            }
+
+            Object[] fields = {
+                    "certificate",
+                    builder.toString()
+                };
+
+            return Utilities.indent(keyObjectFormat.format(fields));
+        }
+
+        private static String formatByteArrayInputStream(
+                ByteArrayInputStream bytes) {
+            StringBuilder builder = new StringBuilder(512);
+
+            try (ByteArrayOutputStream bytesOut = new ByteArrayOutputStream()) {
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                hexEncoder.encodeBuffer(bytes, bytesOut);
+
+                builder.append(Utilities.indent(bytesOut.toString()));
+            } catch (IOException ioe) {
+                // ignore it, just for debugging.
+            }
+
+            return builder.toString();
+        }
+
+        private static String formatByteBuffer(ByteBuffer byteBuffer) {
+            StringBuilder builder = new StringBuilder(512);
+            try (ByteArrayOutputStream bytesOut = new ByteArrayOutputStream()) {
+                HexDumpEncoder hexEncoder = new HexDumpEncoder();
+                hexEncoder.encodeBuffer(byteBuffer.duplicate(), bytesOut);
+                builder.append(Utilities.indent(bytesOut.toString()));
+            } catch (IOException ioe) {
+                // ignore it, just for debugging.
+            }
+
+            return builder.toString();
+        }
+
+        private static String formatMapEntry(Map.Entry<String, ?> entry) {
+            String key = entry.getKey();
+            Object value = entry.getValue();
+
+            String formatted;
+            if (value instanceof String) {
+                // "key": "value"
+                formatted = "\"" + key + "\": \"" + (String)value + "\"";
+            } else if (value instanceof String[]) {
+                // "key": [ "string a",
+                //          "string b",
+                //          "string c"
+                //        ]
+                StringBuilder builder = new StringBuilder(512);
+                String[] strings = (String[])value;
+                builder.append("\"" + key + "\": [\n");
+                for (String string : strings) {
+                    builder.append("      \"" + string + "\"");
+                    if (string != strings[strings.length - 1]) {
+                        builder.append(",");
+                    }
+                    builder.append("\n");
+                }
+                builder.append("      ]");
+
+                formatted = builder.toString();
+            } else if (value instanceof byte[]) {
+                formatted = "\"" + key + "\": \"" +
+                    Utilities.toHexString((byte[])value) + "\"";
+            } else if (value instanceof Byte) {
+                formatted = "\"" + key + "\": \"" +
+                    Utilities.toHexString((byte)value) + "\"";
+            } else {
+                formatted = "\"" + key + "\": " +
+                    "\"" + value.toString() + "\"";
+            }
+
+            return Utilities.indent(formatted);
+        }
+
+        private static String formatObject(Object obj) {
+            return obj.toString();
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLMasterKeyDerivation.java	2018-05-11 15:10:13.467664500 -0700
@@ -0,0 +1,223 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.ProviderException;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import sun.security.internal.spec.TlsMasterSecretParameterSpec;
+import sun.security.ssl.CipherSuite.HashAlg;
+import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
+
+enum SSLMasterKeyDerivation implements SSLKeyDerivationGenerator {
+    SSL30       ("kdf_ssl30", S30MasterSecretKeyDerivationGenerator.instance),
+    TLS10       ("kdf_tls10", T10MasterSecretKeyDerivationGenerator.instance),
+    TLS12       ("kdf_tls12", T12MasterSecretKeyDerivationGenerator.instance),
+    TLS13       ("kdf_tls13", null);
+
+    final String name;
+    final SSLKeyDerivationGenerator keyDerivationGenerator;
+
+    SSLMasterKeyDerivation(String name,
+            SSLKeyDerivationGenerator keyDerivationGenerator) {
+        this.name = name;
+        this.keyDerivationGenerator = keyDerivationGenerator;
+    }
+
+    static SSLMasterKeyDerivation valueOf(ProtocolVersion protocolVersion) {
+        switch (protocolVersion) {
+            case SSL30:
+                return SSLMasterKeyDerivation.SSL30;
+            case TLS10:
+            case TLS11:
+            case DTLS10:
+                return SSLMasterKeyDerivation.TLS10;
+            case TLS12:
+            case DTLS12:
+                return SSLMasterKeyDerivation.TLS12;
+            case TLS13:
+            case DTLS13:
+                return SSLMasterKeyDerivation.TLS13;
+            default:
+                return null;
+        }
+    }
+
+    @Override
+    public SSLKeyDerivation createKeyDerivation(HandshakeContext context,
+            SecretKey secretKey) throws IOException {
+        return keyDerivationGenerator.createKeyDerivation(context, secretKey);
+    }
+
+    private static final class S30MasterSecretKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private static final S30MasterSecretKeyDerivationGenerator instance =
+                new S30MasterSecretKeyDerivationGenerator();
+
+        // Prevent instantiation of this class.
+        private S30MasterSecretKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context, SecretKey secretKey) throws IOException {
+            return new LegacyMasterKeyDerivation(context, secretKey);
+        }
+    }
+
+
+    private static final class T10MasterSecretKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private static final T10MasterSecretKeyDerivationGenerator instance =
+                new T10MasterSecretKeyDerivationGenerator();
+
+        // Prevent instantiation of this class.
+        private T10MasterSecretKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context, SecretKey secretKey) throws IOException {
+            return new LegacyMasterKeyDerivation(context, secretKey);
+        }
+    }
+
+    private static final class T12MasterSecretKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private static final T12MasterSecretKeyDerivationGenerator instance =
+                new T12MasterSecretKeyDerivationGenerator();
+
+        // Prevent instantiation of this class.
+        private T12MasterSecretKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context, SecretKey secretKey) throws IOException {
+            return new LegacyMasterKeyDerivation(context, secretKey);
+        }
+
+    }
+
+    private static final
+            class LegacyMasterKeyDerivation implements SSLKeyDerivation {
+
+        final HandshakeContext context;
+        final SecretKey preMasterSecret;
+
+        LegacyMasterKeyDerivation(
+                HandshakeContext context, SecretKey preMasterSecret) {
+            this.context = context;
+            this.preMasterSecret = preMasterSecret;
+        }
+
+        @Override
+        @SuppressWarnings("deprecation")
+        public SecretKey deriveKey(String algorithm,
+                AlgorithmParameterSpec params) throws IOException {
+
+            CipherSuite cipherSuite = context.negotiatedCipherSuite;
+            ProtocolVersion protocolVersion = context.negotiatedProtocol;
+
+            // What algs/params do we need to use?
+            String masterAlg;
+            HashAlg hashAlg;
+
+            byte majorVersion = protocolVersion.major;
+            byte minorVersion = protocolVersion.minor;
+            if (protocolVersion.isDTLS) {
+                // Use TLS version number for DTLS key calculation
+                if (protocolVersion.id == ProtocolVersion.DTLS10.id) {
+                    majorVersion = ProtocolVersion.TLS11.major;
+                    minorVersion = ProtocolVersion.TLS11.minor;
+
+                    masterAlg = "SunTlsMasterSecret";
+                    hashAlg = H_NONE;
+                } else {    // DTLS 1.2
+                    majorVersion = ProtocolVersion.TLS12.major;
+                    minorVersion = ProtocolVersion.TLS12.minor;
+
+                    masterAlg = "SunTls12MasterSecret";
+                    hashAlg = cipherSuite.hashAlg;
+                }
+            } else {
+                if (protocolVersion.id >= ProtocolVersion.TLS12.id) {
+                    masterAlg = "SunTls12MasterSecret";
+                    hashAlg = cipherSuite.hashAlg;
+                } else {
+                    masterAlg = "SunTlsMasterSecret";
+                    hashAlg = H_NONE;
+                }
+            }
+
+            TlsMasterSecretParameterSpec spec;
+            if (context.handshakeSession.useExtendedMasterSecret) {
+                // reset to use the extended master secret algorithm
+                masterAlg = "SunTlsExtendedMasterSecret";
+
+                // For the session hash, use the handshake messages up to and
+                // including the ClientKeyExchange message.
+                context.handshakeHash.utilize();
+                byte[] sessionHash = context.handshakeHash.digest();
+                spec = new TlsMasterSecretParameterSpec(
+                        preMasterSecret,
+                        (majorVersion & 0xFF), (minorVersion & 0xFF),
+                        sessionHash,
+                        hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
+            } else {
+                spec = new TlsMasterSecretParameterSpec(
+                        preMasterSecret,
+                        (majorVersion & 0xFF), (minorVersion & 0xFF),
+                        context.clientHelloRandom.randomBytes,
+                        context.serverHelloRandom.randomBytes,
+                        hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
+            }
+
+            try {
+                KeyGenerator kg = JsseJce.getKeyGenerator(masterAlg);
+                kg.init(spec);
+                return kg.generateKey();
+            } catch (InvalidAlgorithmParameterException |
+                    NoSuchAlgorithmException iae) {
+                // unlikely to happen, otherwise, must be a provider exception
+                //
+                // For RSA premaster secrets, do not signal a protocol error
+                // due to the Bleichenbacher attack. See comments further down.
+                if (SSLLogger.isOn && SSLLogger.isOn("handshake")) {
+                    SSLLogger.fine("RSA master secret generation error.", iae);
+                }
+                throw new ProviderException(iae);
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLPossession.java	2018-05-11 15:10:15.033570300 -0700
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+interface SSLPossession {
+    default byte[] encode() {
+        return new byte[0];
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLPossessionGenerator.java	2018-05-11 15:10:16.766066200 -0700
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+interface SSLPossessionGenerator {
+    SSLPossession createPossession(HandshakeContext handshakeContext);
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLProducer.java	2018-05-11 15:10:18.398865000 -0700
@@ -0,0 +1,33 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+
+interface SSLProducer {
+    // return the encoded producing if it has not been dumped to the context
+    byte[] produce(ConnectionContext context) throws IOException;
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLSecretDerivation.java	2018-05-11 15:10:20.035384800 -0700
@@ -0,0 +1,154 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.SecretKey;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.ssl.CipherSuite.HashAlg;
+
+final class SSLSecretDerivation implements SSLKeyDerivation {
+    private static final byte[] sha256EmptyDigest = new byte[] {
+        (byte)0xE3, (byte)0xB0, (byte)0xC4, (byte)0x42,
+        (byte)0x98, (byte)0xFC, (byte)0x1C, (byte)0x14,
+        (byte)0x9A, (byte)0xFB, (byte)0xF4, (byte)0xC8,
+        (byte)0x99, (byte)0x6F, (byte)0xB9, (byte)0x24,
+        (byte)0x27, (byte)0xAE, (byte)0x41, (byte)0xE4,
+        (byte)0x64, (byte)0x9B, (byte)0x93, (byte)0x4C,
+        (byte)0xA4, (byte)0x95, (byte)0x99, (byte)0x1B,
+        (byte)0x78, (byte)0x52, (byte)0xB8, (byte)0x55
+    };
+
+    private static final byte[] sha384EmptyDigest = new byte[] {
+        (byte)0x38, (byte)0xB0, (byte)0x60, (byte)0xA7,
+        (byte)0x51, (byte)0xAC, (byte)0x96, (byte)0x38,
+        (byte)0x4C, (byte)0xD9, (byte)0x32, (byte)0x7E,
+        (byte)0xB1, (byte)0xB1, (byte)0xE3, (byte)0x6A,
+        (byte)0x21, (byte)0xFD, (byte)0xB7, (byte)0x11,
+        (byte)0x14, (byte)0xBE, (byte)0x07, (byte)0x43,
+        (byte)0x4C, (byte)0x0C, (byte)0xC7, (byte)0xBF,
+        (byte)0x63, (byte)0xF6, (byte)0xE1, (byte)0xDA,
+        (byte)0x27, (byte)0x4E, (byte)0xDE, (byte)0xBF,
+        (byte)0xE7, (byte)0x6F, (byte)0x65, (byte)0xFB,
+        (byte)0xD5, (byte)0x1A, (byte)0xD2, (byte)0xF1,
+        (byte)0x48, (byte)0x98, (byte)0xB9, (byte)0x5B
+    };
+
+    private final HandshakeContext context;
+    private final String hkdfAlg;
+    private final HashAlg hashAlg;
+    private final SecretKey secret;
+    private final byte[] transcriptHash;  // handshake messages transcript hash
+
+    SSLSecretDerivation(
+            HandshakeContext context, SecretKey secret) {
+        this.context = context;
+        this.secret = secret;
+        // TODO: May need the hash algogorithm if the secret is a PSK.
+        // if (secret is a PSK) {
+        //     ...
+        // } else {
+            this.hashAlg = context.negotiatedCipherSuite.hashAlg;
+            this.hkdfAlg =
+                    "HKDF-Expand/Hmac" + hashAlg.name.replace("-", "");
+            context.handshakeHash.update();
+            this.transcriptHash = context.handshakeHash.digest();
+        // }
+    }
+
+    SSLSecretDerivation forContext(HandshakeContext context) {
+        return new SSLSecretDerivation(context, secret);
+    }
+
+    @Override
+    public SecretKey deriveKey(String algorithm,
+            AlgorithmParameterSpec params) throws IOException {
+        SecretSchedule ks = SecretSchedule.valueOf(algorithm);
+        try {
+            byte[] expandContext;
+            if (ks == SecretSchedule.TlsSaltSecret) {
+                if (hashAlg == HashAlg.H_SHA256) {
+                    expandContext = sha256EmptyDigest;
+                } else if (hashAlg == HashAlg.H_SHA384) {
+                    expandContext = sha384EmptyDigest;
+                } else {
+                    // unlikely, but please update if more hash algorithm
+                    // get supported in the future.
+                    expandContext = new byte[0];
+                }
+            } else {
+                expandContext = transcriptHash;
+            }
+            byte[] hkdfInfo = createHkdfInfo(ks.label,
+                    expandContext, hashAlg.hashLength);
+
+            HKDF hkdf = new HKDF(hashAlg.name);
+            return hkdf.expand(secret, hkdfInfo, hashAlg.hashLength, algorithm);
+        } catch (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                "Could not generate secret").initCause(gse);
+        }
+    }
+
+    public static byte[] createHkdfInfo(
+            byte[] label, byte[] context, int length) {
+        byte[] info = new byte[4 + label.length + context.length];
+        ByteBuffer m = ByteBuffer.wrap(info);
+        try {
+            Record.putInt16(m, length);
+            Record.putBytes8(m, label);
+            Record.putBytes8(m, context);
+        } catch (IOException ioe) {
+            // unlikely
+        }
+
+        return info;
+    }
+
+    private enum SecretSchedule {
+        // Note that we use enum name as the key/secret name.
+        TlsSaltSecret                       ("derived"),
+        TlsExtBinderKey                     ("ext binder"),
+        TlsResBinderKey                     ("res binder"),
+        TlsClientEarlyTrafficSecret         ("c e traffic"),
+        TlsEarlyExporterMasterSecret        ("e exp master"),
+        TlsClientHandshakeTrafficSecret     ("c hs traffic"),
+        TlsServerHandshakeTrafficSecret     ("s hs traffic"),
+        TlsClientAppTrafficSecret           ("c ap traffic"),
+        TlsServerAppTrafficSecret           ("s ap traffic"),
+        TlsExporterMasterSecret             ("exp master"),
+        TlsResumptionMasterSecret           ("res master");
+
+        private final byte[] label;
+
+        private SecretSchedule(String label) {
+            this.label = ("tls13 " + label).getBytes();
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLStringize.java	2018-05-11 15:10:21.627045200 -0700
@@ -0,0 +1,38 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.nio.ByteBuffer;
+
+/**
+ * Interface to decode a {@code ByteBuffer} into legible {@code String}.
+ */
+interface SSLStringize {
+    /**
+     * Returns a legible string representation of a {@code ByteBuffer}.
+     */
+    String toString(ByteBuffer buffer);
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLTrafficKeyDerivation.java	2018-05-11 15:10:23.250696600 -0700
@@ -0,0 +1,322 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.GeneralSecurityException;
+import java.security.ProviderException;
+import java.security.spec.AlgorithmParameterSpec;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.internal.spec.TlsKeyMaterialParameterSpec;
+import sun.security.internal.spec.TlsKeyMaterialSpec;
+import sun.security.ssl.CipherSuite.HashAlg;
+import static sun.security.ssl.CipherSuite.HashAlg.H_NONE;
+
+enum SSLTrafficKeyDerivation implements SSLKeyDerivationGenerator {
+    SSL30       ("kdf_ssl30", new S30TrafficKeyDerivationGenerator()),
+    TLS10       ("kdf_tls10", new T10TrafficKeyDerivationGenerator()),
+    TLS12       ("kdf_tls12", new T12TrafficKeyDerivationGenerator()),
+    TLS13       ("kdf_tls13", new T13TrafficKeyDerivationGenerator());
+
+    final String name;
+    final SSLKeyDerivationGenerator keyDerivationGenerator;
+
+    SSLTrafficKeyDerivation(String name,
+            SSLKeyDerivationGenerator keyDerivationGenerator) {
+        this.name = name;
+        this.keyDerivationGenerator = keyDerivationGenerator;
+    }
+
+    static SSLTrafficKeyDerivation valueOf(ProtocolVersion protocolVersion) {
+        switch (protocolVersion) {
+            case SSL30:
+                return SSLTrafficKeyDerivation.SSL30;
+            case TLS10:
+            case TLS11:
+            case DTLS10:
+                return SSLTrafficKeyDerivation.TLS10;
+            case TLS12:
+            case DTLS12:
+                return SSLTrafficKeyDerivation.TLS12;
+            case TLS13:
+            case DTLS13:
+                return SSLTrafficKeyDerivation.TLS13;
+        }
+
+        return null;
+    }
+
+    @Override
+    public SSLKeyDerivation createKeyDerivation(HandshakeContext context,
+            SecretKey secretKey) throws IOException {
+        return keyDerivationGenerator.createKeyDerivation(context, secretKey);
+    }
+
+    private static final class S30TrafficKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private S30TrafficKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context, SecretKey secretKey) throws IOException {
+            return new LegacyTrafficKeyDerivation(context, secretKey);
+        }
+    }
+
+    private static final class T10TrafficKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private T10TrafficKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context, SecretKey secretKey) throws IOException {
+            return new LegacyTrafficKeyDerivation(context, secretKey);
+        }
+    }
+
+    private static final class T12TrafficKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private T12TrafficKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+            HandshakeContext context, SecretKey secretKey) throws IOException {
+            return new LegacyTrafficKeyDerivation(context, secretKey);
+        }
+    }
+
+    private static final class T13TrafficKeyDerivationGenerator
+            implements SSLKeyDerivationGenerator {
+        private T13TrafficKeyDerivationGenerator() {
+            // blank
+        }
+
+        @Override
+        public SSLKeyDerivation createKeyDerivation(
+                HandshakeContext context,
+                SecretKey secretKey) throws IOException {
+            return new T13TrafficKeyDerivation(context, secretKey);
+        }
+    }
+
+    static final class T13TrafficKeyDerivation implements SSLKeyDerivation {
+        private final CipherSuite cs;
+        private final SecretKey secret;
+
+        T13TrafficKeyDerivation(
+                HandshakeContext context, SecretKey secret) {
+            this.secret = secret;
+            this.cs = context.negotiatedCipherSuite;
+        }
+
+        @Override
+        public SecretKey deriveKey(String algorithm,
+                AlgorithmParameterSpec params) throws IOException {
+            KeySchedule ks = KeySchedule.valueOf(algorithm);
+            try {
+                HKDF hkdf = new HKDF(cs.hashAlg.name);
+                byte[] hkdfInfo =
+                        createHkdfInfo(ks.label, ks.getKeyLength(cs));
+                return hkdf.expand(secret, hkdfInfo,
+                        ks.getKeyLength(cs),
+                        ks.getAlgorithm(cs, algorithm));
+            } catch (GeneralSecurityException gse) {
+                throw (SSLHandshakeException)(new SSLHandshakeException(
+                    "Could not generate secret").initCause(gse));
+            }
+        }
+
+        private static byte[] createHkdfInfo(
+                byte[] label, int length) throws IOException {
+            byte[] info = new byte[4 + label.length];
+            ByteBuffer m = ByteBuffer.wrap(info);
+            try {
+                Record.putInt16(m, length);
+                Record.putBytes8(m, label);
+                Record.putInt8(m, 0x00);    // zero-length context
+            } catch (IOException ioe) {
+                // unlikely
+            }
+
+            return info;
+        }
+    }
+
+    private enum KeySchedule {
+        // Note that we use enum name as the key/ name.
+        TlsKey              ("key", false),
+        TlsIv               ("iv",  true),
+        TlsUpdateNplus1     ("traffic upd", false);
+
+        private final byte[] label;
+        private final boolean isIv;
+
+        private KeySchedule(String label, boolean isIv) {
+            this.label = ("tls13 " + label).getBytes();
+            this.isIv = isIv;
+        }
+
+        int getKeyLength(CipherSuite cs) {
+            if (this == KeySchedule.TlsUpdateNplus1)
+                return cs.hashAlg.hashLength;
+            return isIv ? cs.bulkCipher.ivSize : cs.bulkCipher.keySize;
+        }
+
+        String getAlgorithm(CipherSuite cs, String algorithm) {
+            return isIv ? algorithm : cs.bulkCipher.algorithm;
+        }
+    }
+
+    @SuppressWarnings("deprecation")
+    static final class LegacyTrafficKeyDerivation implements SSLKeyDerivation {
+        private final HandshakeContext context;
+        private final SecretKey masterSecret;
+        private final TlsKeyMaterialSpec keyMaterialSpec;
+
+        LegacyTrafficKeyDerivation(
+                HandshakeContext context, SecretKey masterSecret) {
+            this.context = context;
+            this.masterSecret = masterSecret;
+
+            CipherSuite cipherSuite = context.negotiatedCipherSuite;
+            ProtocolVersion protocolVersion = context.negotiatedProtocol;
+
+            /*
+             * For both the read and write sides of the protocol, we use the
+             * master to generate MAC secrets and cipher keying material.  Block
+             * ciphers need initialization vectors, which we also generate.
+             *
+             * First we figure out how much keying material is needed.
+             */
+            int hashSize = cipherSuite.macAlg.size;
+            boolean is_exportable = cipherSuite.exportable;
+            SSLCipher cipher = cipherSuite.bulkCipher;
+            int expandedKeySize = is_exportable ? cipher.expandedKeySize : 0;
+
+            // Which algs/params do we need to use?
+            String keyMaterialAlg;
+            HashAlg hashAlg;
+
+            byte majorVersion = protocolVersion.major;
+            byte minorVersion = protocolVersion.minor;
+            if (protocolVersion.isDTLS) {
+                // Use TLS version number for DTLS key calculation
+                if (protocolVersion.id == ProtocolVersion.DTLS10.id) {
+                    majorVersion = ProtocolVersion.TLS11.major;
+                    minorVersion = ProtocolVersion.TLS11.minor;
+
+                    keyMaterialAlg = "SunTlsKeyMaterial";
+                    hashAlg = H_NONE;
+                } else {    // DTLS 1.2+
+                    majorVersion = ProtocolVersion.TLS12.major;
+                    minorVersion = ProtocolVersion.TLS12.minor;
+
+                    keyMaterialAlg = "SunTls12KeyMaterial";
+                    hashAlg = cipherSuite.hashAlg;
+                }
+            } else {
+                if (protocolVersion.id >= ProtocolVersion.TLS12.id) {
+                    keyMaterialAlg = "SunTls12KeyMaterial";
+                    hashAlg = cipherSuite.hashAlg;
+                } else {
+                    keyMaterialAlg = "SunTlsKeyMaterial";
+                    hashAlg = H_NONE;
+                }
+            }
+
+            // TLS v1.1+ and DTLS use an explicit IV in CBC cipher suites to
+            // protect against the CBC attacks.  AEAD/GCM cipher suites in
+            // TLS v1.2 or later use a fixed IV as the implicit part of the
+            // partially implicit nonce technique described in RFC 5116.
+            int ivSize = cipher.ivSize;
+            if (cipher.cipherType == CipherType.AEAD_CIPHER) {
+                ivSize = cipher.fixedIvSize;
+            } else if (
+                    cipher.cipherType == CipherType.BLOCK_CIPHER &&
+                    protocolVersion.useTLS11PlusSpec()) {
+                ivSize = 0;
+            }
+
+            TlsKeyMaterialParameterSpec spec = new TlsKeyMaterialParameterSpec(
+                    masterSecret, (majorVersion & 0xFF), (minorVersion & 0xFF),
+                    context.clientHelloRandom.randomBytes,
+                    context.serverHelloRandom.randomBytes,
+                    cipher.algorithm, cipher.keySize, expandedKeySize,
+                    ivSize, hashSize,
+                    hashAlg.name, hashAlg.hashLength, hashAlg.blockSize);
+
+            try {
+                KeyGenerator kg = JsseJce.getKeyGenerator(keyMaterialAlg);
+                kg.init(spec);
+
+                this.keyMaterialSpec = (TlsKeyMaterialSpec)kg.generateKey();
+            } catch (GeneralSecurityException e) {
+                throw new ProviderException(e);
+            }
+        }
+
+        SecretKey getTrafficKey(String algorithm) {
+            switch (algorithm) {
+                case "clientMacKey":
+                    return keyMaterialSpec.getClientMacKey();
+                case "serverMacKey":
+                    return keyMaterialSpec.getServerMacKey();
+                case "clientWriteKey":
+                    return keyMaterialSpec.getClientCipherKey();
+                case "serverWriteKey":
+                    return keyMaterialSpec.getServerCipherKey();
+                case "clientWriteIv":
+                    IvParameterSpec cliIvSpec = keyMaterialSpec.getClientIv();
+                    return  (cliIvSpec == null) ? null :
+                            new SecretKeySpec(cliIvSpec.getIV(), "TlsIv");
+                case "serverWriteIv":
+                    IvParameterSpec srvIvSpec = keyMaterialSpec.getServerIv();
+                    return  (srvIvSpec == null) ? null :
+                            new SecretKeySpec(srvIvSpec.getIV(), "TlsIv");
+            }
+
+            return null;
+        }
+
+        @Override
+        public SecretKey deriveKey(String algorithm,
+                AlgorithmParameterSpec params) throws IOException {
+            return getTrafficKey(algorithm);
+        }
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SSLTransport.java	2018-05-11 15:10:24.859852700 -0700
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import javax.crypto.BadPaddingException;
+import javax.net.ssl.SSLHandshakeException;
+
+/**
+ * Interface for SSL/(D)TLS transportation.
+ */
+interface SSLTransport {
+
+    /**
+     * Returns the host name of the peer.
+     *
+     * @return  the host name of the peer, or null if nothing is
+     *          available.
+     */
+    String getPeerHost();
+
+    /**
+     * Returns the port number of the peer.
+     *
+     * @return  the port number of the peer, or -1 if nothing is
+     *          available.
+     */
+    int getPeerPort();
+
+    /**
+     * Shutdown the transport.
+     */
+    default void shutdown() throws IOException {
+        // blank
+    }
+
+    /**
+     * Return true if delegated tasks used for handshaking operations.
+     *
+     * @return true if delegated tasks used for handshaking operations.
+     */
+    boolean useDelegatedTask();
+
+    /**
+     * Decodes an array of SSL/(D)TLS network source data into the
+     * destination application data buffers.
+     *
+     * For SSL/TLS connections, if no source data, the network data may be
+     * received from the underlying underlying SSL/TLS input stream.
+     *
+     * @param context      the transportation context
+     * @param srcs         an array of {@code ByteBuffers} containing the
+     *                      inbound network data
+     * @param srcsOffset   The offset within the {@code srcs} buffer array
+     *                      of the first buffer from which bytes are to be
+     *                      retrieved; it must be non-negative and no larger
+     *                      than {@code srcs.length}.
+     * @param srcsLength   The maximum number of {@code srcs} buffers to be
+     *                      accessed; it must be non-negative and no larger than
+     *                      {@code srcs.length}&nbsp;-&nbsp;{@code srcsOffset}.
+     * @param dsts         an array of {@code ByteBuffers} to hold inbound
+     *                      application data
+     * @param dstsOffset   The offset within the {@code dsts} buffer array
+     *                      of the first buffer from which bytes are to be
+     *                      placed; it must be non-negative and no larger
+     *                      than {@code dsts.length}.
+     * @param dstsLength   The maximum number of {@code dsts} buffers to be
+     *                      accessed; it must be non-negative and no larger than
+     *                      {@code dsts.length}&nbsp;-&nbsp;{@code dstsOffset}.
+     *
+     * @return             a {@code Ciphertext} describing the result of
+     *                      the operation
+     * @throws IOException if a problem was encountered while receiving or
+     *                      decoding networking data
+     */
+    static Plaintext decode(TransportContext context,
+        ByteBuffer[] srcs, int srcsOffset, int srcsLength,
+        ByteBuffer[] dsts, int dstsOffset, int dstsLength) throws IOException {
+
+        Plaintext[] plaintexts = null;
+        try {
+            plaintexts =
+                    context.inputRecord.decode(srcs, srcsOffset, srcsLength);
+        } catch (UnsupportedOperationException unsoe) {         // SSLv2Hello
+            // Hack code to deliver SSLv2 error message for SSL/TLS connections.
+            if (!context.sslContext.isDTLS()) {
+                context.outputRecord.encodeV2NoCipher();
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest("may be talking to SSLv2");
+                }
+            }
+
+            context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
+        } catch (BadPaddingException bpe) {
+            /*
+             * The basic SSLv3 record protection involves (optional)
+             * encryption for privacy, and an integrity check ensuring
+             * data origin authentication.  We do them both here, and
+             * throw a fatal alert if the integrity check fails.
+             */
+            Alert alert = (context.handshakeContext != null) ?
+                    Alert.HANDSHAKE_FAILURE :
+                    Alert.BAD_RECORD_MAC;
+            context.fatal(alert, bpe);
+        } catch (SSLHandshakeException she) {
+            // may be record sequence number overflow
+            context.fatal(Alert.HANDSHAKE_FAILURE, she);
+        } catch (IOException ioe) {
+            context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+        }
+
+        if (plaintexts == null || plaintexts.length == 0) {
+            // Connection closed or record should be discarded.
+            return Plaintext.PLAINTEXT_NULL;
+        }
+
+        Plaintext finalPlaintext = Plaintext.PLAINTEXT_NULL;
+        for (Plaintext plainText : plaintexts) {
+            // plainText should never be null for TLS protocols
+            if (plainText == Plaintext.PLAINTEXT_NULL) {
+                // Only happens for DTLS protocols.
+                //
+                // Received a retransmitted flight, and need to retransmit the
+                // previous delivered handshake flight messages.
+                if (context.handshakeContext != null &&
+                    context.handshakeContext.sslConfig.enableRetransmissions &&
+                    context.sslContext.isDTLS()) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl,verbose")) {
+                        SSLLogger.finest("retransmited handshake flight");
+                    }
+
+                    context.outputRecord.launchRetransmission();
+                }   // Otherwise, discard the retransmitted flight.
+            } else if (plainText != null &&
+                    plainText.contentType != ContentType.APPLICATION_DATA.id) {
+                context.dispatch(plainText);
+            }
+
+            if (plainText == null) {
+                plainText = Plaintext.PLAINTEXT_NULL;
+            } else {
+                // File the destination buffers.
+                if (dsts != null && dstsLength > 0 &&
+                    plainText.contentType == ContentType.APPLICATION_DATA.id) {
+
+                    ByteBuffer fragment = plainText.fragment;
+                    int remains = fragment.remaining();
+
+                    // Should have enough room in the destination buffers.
+                    int limit = dstsOffset + dstsLength;
+                    for (int i = dstsOffset;
+                            ((i < limit) && (remains > 0)); i++) {
+
+                        int amount = Math.min(dsts[i].remaining(), remains);
+                        fragment.limit(fragment.position() + amount);
+                        dsts[i].put(fragment);
+                        remains -= amount;
+
+                        if (!dsts[i].hasRemaining()) {
+                            dstsOffset++;
+                        }
+                    }
+
+                    if (remains > 0) {
+                        context.fatal(Alert.INTERNAL_ERROR,
+                            "no sufficient room in the destination buffers");
+                    }
+                }
+            }
+
+            finalPlaintext = plainText;
+        }
+
+        return finalPlaintext;
+    }
+}
--- old/src/java.base/share/classes/sun/security/ssl/ServerHandshaker.java	2018-05-11 15:10:27.180689700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,2344 +0,0 @@
-/*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.ssl;
-
-import java.io.*;
-import java.util.*;
-import java.util.concurrent.TimeUnit;
-import java.security.*;
-import java.security.cert.*;
-import java.security.interfaces.*;
-import java.security.spec.ECParameterSpec;
-import java.math.BigInteger;
-import java.util.function.BiFunction;
-
-import javax.crypto.SecretKey;
-import javax.net.ssl.*;
-
-import sun.security.action.GetLongAction;
-import sun.security.util.KeyUtil;
-import sun.security.util.LegacyAlgorithmConstraints;
-import sun.security.action.GetPropertyAction;
-import sun.security.ssl.HandshakeMessage.*;
-import sun.security.ssl.CipherSuite.*;
-import sun.security.ssl.SignatureAndHashAlgorithm.*;
-import static sun.security.ssl.CipherSuite.KeyExchange.*;
-
-/**
- * ServerHandshaker does the protocol handshaking from the point
- * of view of a server.  It is driven asychronously by handshake messages
- * as delivered by the parent Handshaker class, and also uses
- * common functionality (e.g. key generation) that is provided there.
- *
- * @author David Brownell
- */
-final class ServerHandshaker extends Handshaker {
-
-    // The default number of milliseconds the handshaker will wait for
-    // revocation status responses.
-    private static final long DEFAULT_STATUS_RESP_DELAY = 5000;
-
-    // is the server going to require the client to authenticate?
-    private ClientAuthType      doClientAuth;
-
-    // our authentication info
-    private X509Certificate[]   certs;
-    private PrivateKey          privateKey;
-
-    private Object              serviceCreds;
-
-    // flag to check for clientCertificateVerify message
-    private boolean             needClientVerify = false;
-
-    /*
-     * For exportable ciphersuites using non-exportable key sizes, we use
-     * ephemeral RSA keys. We could also do anonymous RSA in the same way
-     * but there are no such ciphersuites currently defined.
-     */
-    private PrivateKey          tempPrivateKey;
-    private PublicKey           tempPublicKey;
-
-    /*
-     * For anonymous and ephemeral Diffie-Hellman key exchange, we use
-     * ephemeral Diffie-Hellman keys.
-     */
-    private DHCrypt dh;
-
-    // Helper for ECDH based key exchanges
-    private ECDHCrypt ecdh;
-
-    // version request by the client in its ClientHello
-    // we remember it for the RSA premaster secret version check
-    private ProtocolVersion clientRequestedVersion;
-
-    // client supported elliptic curves
-    private SupportedGroupsExtension requestedGroups;
-
-    // the preferable signature algorithm used by ServerKeyExchange message
-    SignatureAndHashAlgorithm preferableSignatureAlgorithm;
-
-    // Flag to use smart ephemeral DH key which size matches the corresponding
-    // authentication key
-    private static final boolean useSmartEphemeralDHKeys;
-
-    // Flag to use legacy ephemeral DH key which size is 512 bits for
-    // exportable cipher suites, and 768 bits for others
-    private static final boolean useLegacyEphemeralDHKeys;
-
-    // The customized ephemeral DH key size for non-exportable cipher suites.
-    private static final int customizedDHKeySize;
-
-    // legacy algorithm constraints
-    private static final AlgorithmConstraints legacyAlgorithmConstraints =
-            new LegacyAlgorithmConstraints(
-                    LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
-                    new SSLAlgorithmDecomposer());
-
-    private long statusRespTimeout;
-
-    static {
-        String property = GetPropertyAction
-                .privilegedGetProperty("jdk.tls.ephemeralDHKeySize");
-        if (property == null || property.length() == 0) {
-            useLegacyEphemeralDHKeys = false;
-            useSmartEphemeralDHKeys = false;
-            customizedDHKeySize = -1;
-        } else if ("matched".equals(property)) {
-            useLegacyEphemeralDHKeys = false;
-            useSmartEphemeralDHKeys = true;
-            customizedDHKeySize = -1;
-        } else if ("legacy".equals(property)) {
-            useLegacyEphemeralDHKeys = true;
-            useSmartEphemeralDHKeys = false;
-            customizedDHKeySize = -1;
-        } else {
-            useLegacyEphemeralDHKeys = false;
-            useSmartEphemeralDHKeys = false;
-
-            try {
-                // DH parameter generation can be extremely slow, best to
-                // use one of the supported pre-computed DH parameters
-                // (see DHCrypt class).
-                customizedDHKeySize = Integer.parseUnsignedInt(property);
-                if (customizedDHKeySize < 1024 || customizedDHKeySize > 8192 ||
-                        (customizedDHKeySize & 0x3f) != 0) {
-                    throw new IllegalArgumentException(
-                        "Unsupported customized DH key size: " +
-                        customizedDHKeySize + ". " +
-                        "The key size must be multiple of 64, " +
-                        "and can only range from 1024 to 8192 (inclusive)");
-                }
-            } catch (NumberFormatException nfe) {
-                throw new IllegalArgumentException(
-                        "Invalid system property jdk.tls.ephemeralDHKeySize");
-            }
-        }
-    }
-
-    /*
-     * Constructor ... use the keys found in the auth context.
-     */
-    ServerHandshaker(SSLSocketImpl socket, SSLContextImpl context,
-            ProtocolList enabledProtocols, ClientAuthType clientAuth,
-            ProtocolVersion activeProtocolVersion, boolean isInitialHandshake,
-            boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData) {
-
-        super(socket, context, enabledProtocols,
-                (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
-                activeProtocolVersion, isInitialHandshake, secureRenegotiation,
-                clientVerifyData, serverVerifyData);
-        doClientAuth = clientAuth;
-        statusRespTimeout = AccessController.doPrivileged(
-                    new GetLongAction("jdk.tls.stapling.responseTimeout",
-                        DEFAULT_STATUS_RESP_DELAY));
-        statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
-                DEFAULT_STATUS_RESP_DELAY;
-    }
-
-    /*
-     * Constructor ... use the keys found in the auth context.
-     */
-    ServerHandshaker(SSLEngineImpl engine, SSLContextImpl context,
-            ProtocolList enabledProtocols, ClientAuthType clientAuth,
-            ProtocolVersion activeProtocolVersion,
-            boolean isInitialHandshake, boolean secureRenegotiation,
-            byte[] clientVerifyData, byte[] serverVerifyData,
-            boolean isDTLS) {
-
-        super(engine, context, enabledProtocols,
-                (clientAuth != ClientAuthType.CLIENT_AUTH_NONE), false,
-                activeProtocolVersion, isInitialHandshake, secureRenegotiation,
-                clientVerifyData, serverVerifyData, isDTLS);
-        doClientAuth = clientAuth;
-        statusRespTimeout = AccessController.doPrivileged(
-                    new GetLongAction("jdk.tls.stapling.responseTimeout",
-                        DEFAULT_STATUS_RESP_DELAY));
-        statusRespTimeout = statusRespTimeout >= 0 ? statusRespTimeout :
-                DEFAULT_STATUS_RESP_DELAY;
-    }
-
-    /*
-     * As long as handshaking has not started, we can change
-     * whether client authentication is required.  Otherwise,
-     * we will need to wait for the next handshake.
-     */
-    void setClientAuth(ClientAuthType clientAuth) {
-        doClientAuth = clientAuth;
-    }
-
-    /*
-     * This routine handles all the server side handshake messages, one at
-     * a time.  Given the message type (and in some cases the pending cipher
-     * spec) it parses the type-specific message.  Then it calls a function
-     * that handles that specific message.
-     *
-     * It updates the state machine as each message is processed, and writes
-     * responses as needed using the connection in the constructor.
-     */
-    @Override
-    void processMessage(byte type, int message_len)
-            throws IOException {
-
-        // check the handshake state
-        handshakeState.check(type);
-
-        switch (type) {
-            case HandshakeMessage.ht_client_hello:
-                ClientHello ch = new ClientHello(input, message_len, isDTLS);
-                handshakeState.update(ch, resumingSession);
-
-                /*
-                 * send it off for processing.
-                 */
-                this.clientHello(ch);
-                break;
-
-            case HandshakeMessage.ht_certificate:
-                if (doClientAuth == ClientAuthType.CLIENT_AUTH_NONE) {
-                    fatalSE(Alerts.alert_unexpected_message,
-                                "client sent unsolicited cert chain");
-                    // NOTREACHED
-                }
-                CertificateMsg certificateMsg = new CertificateMsg(input);
-                handshakeState.update(certificateMsg, resumingSession);
-                this.clientCertificate(certificateMsg);
-                break;
-
-            case HandshakeMessage.ht_client_key_exchange:
-                SecretKey preMasterSecret;
-                switch (keyExchange) {
-                case K_RSA:
-                case K_RSA_EXPORT:
-                    /*
-                     * The client's pre-master secret is decrypted using
-                     * either the server's normal private RSA key, or the
-                     * temporary one used for non-export or signing-only
-                     * certificates/keys.
-                     */
-                    RSAClientKeyExchange pms = new RSAClientKeyExchange(
-                            protocolVersion, clientRequestedVersion,
-                            sslContext.getSecureRandom(), input,
-                            message_len, privateKey);
-                    handshakeState.update(pms, resumingSession);
-                    preMasterSecret = this.clientKeyExchange(pms);
-                    break;
-                case K_DHE_RSA:
-                case K_DHE_DSS:
-                case K_DH_ANON:
-                    /*
-                     * The pre-master secret is derived using the normal
-                     * Diffie-Hellman calculation.   Note that the main
-                     * protocol difference in these five flavors is in how
-                     * the ServerKeyExchange message was constructed!
-                     */
-                    DHClientKeyExchange dhcke = new DHClientKeyExchange(input);
-                    handshakeState.update(dhcke, resumingSession);
-                    preMasterSecret = this.clientKeyExchange(dhcke);
-                    break;
-                case K_ECDH_RSA:
-                case K_ECDH_ECDSA:
-                case K_ECDHE_RSA:
-                case K_ECDHE_ECDSA:
-                case K_ECDH_ANON:
-                    ECDHClientKeyExchange ecdhcke =
-                                    new ECDHClientKeyExchange(input);
-                    handshakeState.update(ecdhcke, resumingSession);
-                    preMasterSecret = this.clientKeyExchange(ecdhcke);
-                    break;
-                default:
-                    ClientKeyExchangeService p =
-                            ClientKeyExchangeService.find(keyExchange.name);
-                    if (p == null) {
-                        throw new SSLProtocolException
-                                ("Unrecognized key exchange: " + keyExchange);
-                    }
-                    byte[] encodedTicket = input.getBytes16();
-                    input.getBytes16();
-                    byte[] secret = input.getBytes16();
-                    ClientKeyExchange cke = p.createServerExchange(protocolVersion,
-                            clientRequestedVersion,
-                            sslContext.getSecureRandom(),
-                            encodedTicket,
-                            secret,
-                            this.getAccSE(), serviceCreds);
-                    handshakeState.update(cke, resumingSession);
-                    preMasterSecret = this.clientKeyExchange(cke);
-                    break;
-                }
-
-                //
-                // All keys are calculated from the premaster secret
-                // and the exchanged nonces in the same way.
-                //
-                calculateKeys(preMasterSecret, clientRequestedVersion);
-                break;
-
-            case HandshakeMessage.ht_certificate_verify:
-                CertificateVerify cvm =
-                        new CertificateVerify(input,
-                            getLocalSupportedSignAlgs(), protocolVersion);
-                handshakeState.update(cvm, resumingSession);
-                this.clientCertificateVerify(cvm);
-
-                break;
-
-            case HandshakeMessage.ht_finished:
-                Finished cfm =
-                    new Finished(protocolVersion, input, cipherSuite);
-                handshakeState.update(cfm, resumingSession);
-                this.clientFinished(cfm);
-
-                break;
-
-            default:
-                throw new SSLProtocolException(
-                        "Illegal server handshake msg, " + type);
-        }
-
-    }
-
-
-    /*
-     * ClientHello presents the server with a bunch of options, to which the
-     * server replies with a ServerHello listing the ones which this session
-     * will use.  If needed, it also writes its Certificate plus in some cases
-     * a ServerKeyExchange message.  It may also write a CertificateRequest,
-     * to elicit a client certificate.
-     *
-     * All these messages are terminated by a ServerHelloDone message.  In
-     * most cases, all this can be sent in a single Record.
-     */
-    private void clientHello(ClientHello mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        // Reject client initiated renegotiation?
-        //
-        // If server side should reject client-initiated renegotiation,
-        // send an alert_handshake_failure fatal alert, not a no_renegotiation
-        // warning alert (no_renegotiation must be a warning: RFC 2246).
-        // no_renegotiation might seem more natural at first, but warnings
-        // are not appropriate because the sending party does not know how
-        // the receiving party will behave.  This state must be treated as
-        // a fatal server condition.
-        //
-        // This will not have any impact on server initiated renegotiation.
-        if (rejectClientInitiatedRenego && !isInitialHandshake &&
-                !serverHelloRequested) {
-            fatalSE(Alerts.alert_handshake_failure,
-                "Client initiated renegotiation is not allowed");
-        }
-
-        // check the server name indication if required
-        ServerNameExtension clientHelloSNIExt = (ServerNameExtension)
-                    mesg.extensions.get(ExtensionType.EXT_SERVER_NAME);
-        if (!sniMatchers.isEmpty()) {
-            // we do not reject client without SNI extension
-            if (clientHelloSNIExt != null &&
-                        !clientHelloSNIExt.isMatched(sniMatchers)) {
-                fatalSE(Alerts.alert_unrecognized_name,
-                    "Unrecognized server name indication");
-            }
-        }
-
-        // Does the message include security renegotiation indication?
-        boolean renegotiationIndicated = false;
-
-        // check the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
-        CipherSuiteList cipherSuites = mesg.getCipherSuites();
-        if (cipherSuites.contains(CipherSuite.C_SCSV)) {
-            renegotiationIndicated = true;
-            if (isInitialHandshake) {
-                secureRenegotiation = true;
-            } else {
-                // abort the handshake with a fatal handshake_failure alert
-                if (secureRenegotiation) {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "The SCSV is present in a secure renegotiation");
-                } else {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "The SCSV is present in a insecure renegotiation");
-                }
-            }
-        }
-
-        // check the "renegotiation_info" extension
-        RenegotiationInfoExtension clientHelloRI = (RenegotiationInfoExtension)
-                    mesg.extensions.get(ExtensionType.EXT_RENEGOTIATION_INFO);
-        if (clientHelloRI != null) {
-            renegotiationIndicated = true;
-            if (isInitialHandshake) {
-                // verify the length of the "renegotiated_connection" field
-                if (!clientHelloRI.isEmpty()) {
-                    // abort the handshake with a fatal handshake_failure alert
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "The renegotiation_info field is not empty");
-                }
-
-                secureRenegotiation = true;
-            } else {
-                if (!secureRenegotiation) {
-                    // unexpected RI extension for insecure renegotiation,
-                    // abort the handshake with a fatal handshake_failure alert
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "The renegotiation_info is present in a insecure " +
-                        "renegotiation");
-                }
-
-                // verify the client_verify_data value
-                if (!MessageDigest.isEqual(clientVerifyData,
-                                clientHelloRI.getRenegotiatedConnection())) {
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Incorrect verify data in ClientHello " +
-                        "renegotiation_info message");
-                }
-            }
-        } else if (!isInitialHandshake && secureRenegotiation) {
-           // if the connection's "secure_renegotiation" flag is set to TRUE
-           // and the "renegotiation_info" extension is not present, abort
-           // the handshake.
-            fatalSE(Alerts.alert_handshake_failure,
-                        "Inconsistent secure renegotiation indication");
-        }
-
-        // if there is no security renegotiation indication or the previous
-        // handshake is insecure.
-        if (!renegotiationIndicated || !secureRenegotiation) {
-            if (isInitialHandshake) {
-                if (!allowLegacyHelloMessages) {
-                    // abort the handshake with a fatal handshake_failure alert
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Failed to negotiate the use of secure renegotiation");
-                }
-
-                // continue with legacy ClientHello
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Warning: No renegotiation " +
-                        "indication in ClientHello, allow legacy ClientHello");
-                }
-            } else if (!allowUnsafeRenegotiation) {
-                // abort the handshake
-                if (activeProtocolVersion.useTLS10PlusSpec()) {
-                    // respond with a no_renegotiation warning
-                    warningSE(Alerts.alert_no_renegotiation);
-
-                    // invalidate the handshake so that the caller can
-                    // dispose this object.
-                    invalidated = true;
-
-                    // If there is still unread block in the handshake
-                    // input stream, it would be truncated with the disposal
-                    // and the next handshake message will become incomplete.
-                    //
-                    // However, according to SSL/TLS specifications, no more
-                    // handshake message could immediately follow ClientHello
-                    // or HelloRequest. But in case of any improper messages,
-                    // we'd better check to ensure there is no remaining bytes
-                    // in the handshake input stream.
-                    if (input.available() > 0) {
-                        fatalSE(Alerts.alert_unexpected_message,
-                            "ClientHello followed by an unexpected  " +
-                            "handshake message");
-                    }
-
-                    return;
-                } else {
-                    // For SSLv3, send the handshake_failure fatal error.
-                    // Note that SSLv3 does not define a no_renegotiation
-                    // alert like TLSv1. However we cannot ignore the message
-                    // simply, otherwise the other side was waiting for a
-                    // response that would never come.
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Renegotiation is not allowed");
-                }
-            } else {   // !isInitialHandshake && allowUnsafeRenegotiation
-                // continue with unsafe renegotiation.
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println(
-                            "Warning: continue with insecure renegotiation");
-                }
-            }
-        }
-
-        // check the "max_fragment_length" extension
-        MaxFragmentLengthExtension maxFragLenExt = (MaxFragmentLengthExtension)
-                    mesg.extensions.get(ExtensionType.EXT_MAX_FRAGMENT_LENGTH);
-        if ((maxFragLenExt != null) && (maximumPacketSize != 0)) {
-            // Not yet consider the impact of IV/MAC/padding.
-            int estimatedMaxFragSize = maximumPacketSize;
-            if (isDTLS) {
-                estimatedMaxFragSize -= DTLSRecord.headerSize;
-            } else {
-                estimatedMaxFragSize -= SSLRecord.headerSize;
-            }
-
-            if (maxFragLenExt.getMaxFragLen() > estimatedMaxFragSize) {
-                // For better interoperability, abort the maximum fragment
-                // length negotiation, rather than terminate the connection
-                // with a fatal alert.
-                maxFragLenExt = null;
-
-                // fatalSE(Alerts.alert_illegal_parameter,
-                //         "Not an allowed max_fragment_length value");
-            }
-        }
-
-        // check out the "extended_master_secret" extension
-        if (useExtendedMasterSecret) {
-            ExtendedMasterSecretExtension extendedMasterSecretExtension =
-                    (ExtendedMasterSecretExtension)mesg.extensions.get(
-                            ExtensionType.EXT_EXTENDED_MASTER_SECRET);
-            if (extendedMasterSecretExtension != null) {
-                requestedToUseEMS = true;
-            } else if (mesg.protocolVersion.useTLS10PlusSpec()) {
-                if (!allowLegacyMasterSecret) {
-                    // For full handshake, if the server receives a ClientHello
-                    // without the extension, it SHOULD abort the handshake if
-                    // it does not wish to interoperate with legacy clients.
-                    //
-                    // As if extended master extension is required for full
-                    // handshake, it MUST be used in abbreviated handshake too.
-                    fatalSE(Alerts.alert_handshake_failure,
-                        "Extended Master Secret extension is required");
-                }
-            }
-        }
-
-        // check the ALPN extension
-        ALPNExtension clientHelloALPN = (ALPNExtension)
-            mesg.extensions.get(ExtensionType.EXT_ALPN);
-
-        // Use the application protocol callback when provided.
-        // Otherwise use the local list of application protocols.
-        boolean hasAPCallback =
-            ((engine != null && appProtocolSelectorSSLEngine != null) ||
-                (conn != null && appProtocolSelectorSSLSocket != null));
-
-        if (!hasAPCallback) {
-            if ((clientHelloALPN != null) && (localApl.length > 0)) {
-
-                // Intersect the requested and the locally supported,
-                // and save for later.
-                String negotiatedValue = null;
-                List<String> protocols = clientHelloALPN.getPeerAPs();
-
-                // Use server preference order
-                for (String ap : localApl) {
-                    if (protocols.contains(ap)) {
-                        negotiatedValue = ap;
-                        break;
-                    }
-                }
-
-                if (negotiatedValue == null) {
-                    fatalSE(Alerts.alert_no_application_protocol,
-                        new SSLHandshakeException(
-                            "No matching ALPN values"));
-                }
-                applicationProtocol = negotiatedValue;
-
-            } else {
-                applicationProtocol = "";
-            }
-        }  // Otherwise, applicationProtocol will be set by the callback.
-
-        session = null; // forget about the current session
-        //
-        // Here we go down either of two paths:  (a) the fast one, where
-        // the client's asked to rejoin an existing session, and the server
-        // permits this; (b) the other one, where a new session is created.
-        //
-        if (mesg.sessionId.length() != 0) {
-            // client is trying to resume a session, let's see...
-
-            SSLSessionImpl previous = ((SSLSessionContextImpl)sslContext
-                        .engineGetServerSessionContext())
-                        .get(mesg.sessionId.getId());
-            //
-            // Check if we can use the fast path, resuming a session.  We
-            // can do so iff we have a valid record for that session, and
-            // the cipher suite for that session was on the list which the
-            // client requested, and if we're not forgetting any needed
-            // authentication on the part of the client.
-            //
-            if (previous != null) {
-                resumingSession = previous.isRejoinable();
-
-                if (resumingSession) {
-                    ProtocolVersion oldVersion = previous.getProtocolVersion();
-                    // cannot resume session with different version
-                    if (oldVersion != mesg.protocolVersion) {
-                        resumingSession = false;
-                    }
-                }
-
-                if (resumingSession && useExtendedMasterSecret) {
-                    if (requestedToUseEMS &&
-                            !previous.getUseExtendedMasterSecret()) {
-                        // For abbreviated handshake request, If the original
-                        // session did not use the "extended_master_secret"
-                        // extension but the new ClientHello contains the
-                        // extension, then the server MUST NOT perform the
-                        // abbreviated handshake.  Instead, it SHOULD continue
-                        // with a full handshake.
-                        resumingSession = false;
-                    } else if (!requestedToUseEMS &&
-                            previous.getUseExtendedMasterSecret()) {
-                        // For abbreviated handshake request, if the original
-                        // session used the "extended_master_secret" extension
-                        // but the new ClientHello does not contain it, the
-                        // server MUST abort the abbreviated handshake.
-                        fatalSE(Alerts.alert_handshake_failure,
-                                "Missing Extended Master Secret extension " +
-                                "on session resumption");
-                    } else if (!requestedToUseEMS &&
-                            !previous.getUseExtendedMasterSecret()) {
-                        // For abbreviated handshake request, if neither the
-                        // original session nor the new ClientHello uses the
-                        // extension, the server SHOULD abort the handshake.
-                        if (!allowLegacyResumption) {
-                            fatalSE(Alerts.alert_handshake_failure,
-                                "Missing Extended Master Secret extension " +
-                                "on session resumption");
-                        } else {  // Otherwise, continue with a full handshake.
-                            resumingSession = false;
-                        }
-                    }
-                }
-
-                // cannot resume session with different server name indication
-                if (resumingSession) {
-                    List<SNIServerName> oldServerNames =
-                            previous.getRequestedServerNames();
-                    if (clientHelloSNIExt != null) {
-                        if (!clientHelloSNIExt.isIdentical(oldServerNames)) {
-                            resumingSession = false;
-                        }
-                    } else if (!oldServerNames.isEmpty()) {
-                        resumingSession = false;
-                    }
-
-                    if (!resumingSession &&
-                            debug != null && Debug.isOn("handshake")) {
-                        System.out.println(
-                            "The requested server name indication " +
-                            "is not identical to the previous one");
-                    }
-                }
-
-                if (resumingSession &&
-                        (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED)) {
-                    try {
-                        previous.getPeerPrincipal();
-                    } catch (SSLPeerUnverifiedException e) {
-                        resumingSession = false;
-                    }
-                }
-
-                // validate subject identity
-                if (resumingSession) {
-                    CipherSuite suite = previous.getSuite();
-                    ClientKeyExchangeService p =
-                        ClientKeyExchangeService.find(suite.keyExchange.name);
-                    if (p != null) {
-                        Principal localPrincipal = previous.getLocalPrincipal();
-
-                        if (p.isRelated(
-                                false, getAccSE(), localPrincipal)) {
-                            if (debug != null && Debug.isOn("session"))
-                                System.out.println("Subject can" +
-                                        " provide creds for princ");
-                        } else {
-                            resumingSession = false;
-                            if (debug != null && Debug.isOn("session"))
-                                System.out.println("Subject cannot" +
-                                        " provide creds for princ");
-                        }
-                    }
-                }
-
-                if (resumingSession) {
-                    CipherSuite suite = previous.getSuite();
-                    // verify that the ciphersuite from the cached session
-                    // is in the list of client requested ciphersuites and
-                    // we have it enabled
-                    if ((isNegotiable(suite) == false) ||
-                            (mesg.getCipherSuites().contains(suite) == false)) {
-                        resumingSession = false;
-                    } else {
-                        // everything looks ok, set the ciphersuite
-                        // this should be done last when we are sure we
-                        // will resume
-                        setCipherSuite(suite);
-                    }
-                }
-
-                if (resumingSession) {
-                    session = previous;
-                    if (debug != null &&
-                        (Debug.isOn("handshake") || Debug.isOn("session"))) {
-                        System.out.println("%% Resuming " + session);
-                    }
-                }
-            }
-        }   // else client did not try to resume
-
-        // cookie exchange
-        if (isDTLS && !resumingSession) {
-             HelloCookieManager hcMgr = sslContext.getHelloCookieManager();
-             if ((mesg.cookie == null) || (mesg.cookie.length == 0) ||
-                    (!hcMgr.isValid(mesg))) {
-
-                //
-                // Perform cookie exchange for DTLS handshaking if no cookie
-                // or the cookie is invalid in the ClientHello message.
-                //
-                HelloVerifyRequest m0 = new HelloVerifyRequest(hcMgr, mesg);
-
-                if (debug != null && Debug.isOn("handshake")) {
-                    m0.print(System.out);
-                }
-
-                m0.write(output);
-                handshakeState.update(m0, resumingSession);
-                output.flush();
-
-                return;
-            }
-        }
-
-        /*
-         * FIRST, construct the ServerHello using the options and priorities
-         * from the ClientHello.  Update the (pending) cipher spec as we do
-         * so, and save the client's version to protect against rollback
-         * attacks.
-         *
-         * There are a bunch of minor tasks here, and one major one: deciding
-         * if the short or the full handshake sequence will be used.
-         */
-        ServerHello m1 = new ServerHello();
-
-        clientRequestedVersion = mesg.protocolVersion;
-
-        // select a proper protocol version.
-        ProtocolVersion selectedVersion =
-               selectProtocolVersion(clientRequestedVersion);
-        if (selectedVersion == null ||
-                selectedVersion.v == ProtocolVersion.SSL20Hello.v) {
-            fatalSE(Alerts.alert_handshake_failure,
-                "Client requested protocol " + clientRequestedVersion +
-                " not enabled or not supported");
-        }
-
-        handshakeHash.protocolDetermined(selectedVersion);
-        setVersion(selectedVersion);
-
-        m1.protocolVersion = protocolVersion;
-
-        //
-        // random ... save client and server values for later use
-        // in computing the master secret (from pre-master secret)
-        // and thence the other crypto keys.
-        //
-        // NOTE:  this use of three inputs to generating _each_ set
-        // of ciphers slows things down, but it does increase the
-        // security since each connection in the session can hold
-        // its own authenticated (and strong) keys.  One could make
-        // creation of a session a rare thing...
-        //
-        clnt_random = mesg.clnt_random;
-        svr_random = new RandomCookie(sslContext.getSecureRandom());
-        m1.svr_random = svr_random;
-
-        //
-        // If client hasn't specified a session we can resume, start a
-        // new one and choose its cipher suite and compression options.
-        // Unless new session creation is disabled for this connection!
-        //
-        if (session == null) {
-            if (!enableNewSession) {
-                throw new SSLException("Client did not resume a session");
-            }
-
-            requestedGroups = (SupportedGroupsExtension)
-                    mesg.extensions.get(ExtensionType.EXT_SUPPORTED_GROUPS);
-
-            // We only need to handle the "signature_algorithm" extension
-            // for full handshakes and TLS 1.2 or later.
-            if (protocolVersion.useTLS12PlusSpec()) {
-                SignatureAlgorithmsExtension signAlgs =
-                    (SignatureAlgorithmsExtension)mesg.extensions.get(
-                                    ExtensionType.EXT_SIGNATURE_ALGORITHMS);
-                if (signAlgs != null) {
-                    Collection<SignatureAndHashAlgorithm> peerSignAlgs =
-                                            signAlgs.getSignAlgorithms();
-                    if (peerSignAlgs == null || peerSignAlgs.isEmpty()) {
-                        throw new SSLHandshakeException(
-                            "No peer supported signature algorithms");
-                    }
-
-                    Collection<SignatureAndHashAlgorithm>
-                        supportedPeerSignAlgs =
-                            SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                algorithmConstraints, peerSignAlgs);
-                    if (supportedPeerSignAlgs.isEmpty()) {
-                        throw new SSLHandshakeException(
-                            "No signature and hash algorithm in common");
-                    }
-
-                    setPeerSupportedSignAlgs(supportedPeerSignAlgs);
-                } // else, need to use peer implicit supported signature algs
-            }
-
-            session = new SSLSessionImpl(protocolVersion, CipherSuite.C_NULL,
-                        getLocalSupportedSignAlgs(),
-                        sslContext.getSecureRandom(),
-                        getHostAddressSE(), getPortSE(),
-                        (requestedToUseEMS &&
-                                protocolVersion.useTLS10PlusSpec()));
-
-            if (protocolVersion.useTLS12PlusSpec()) {
-                if (peerSupportedSignAlgs != null) {
-                    session.setPeerSupportedSignatureAlgorithms(
-                            peerSupportedSignAlgs);
-                }   // else, we will set the implicit peer supported signature
-                    // algorithms in chooseCipherSuite()
-            }
-
-            // set the server name indication in the session
-            List<SNIServerName> clientHelloSNI =
-                    Collections.<SNIServerName>emptyList();
-            if (clientHelloSNIExt != null) {
-                clientHelloSNI = clientHelloSNIExt.getServerNames();
-            }
-            session.setRequestedServerNames(clientHelloSNI);
-
-            // set the handshake session
-            setHandshakeSessionSE(session);
-
-            // choose cipher suite and corresponding private key
-            chooseCipherSuite(mesg);
-
-            session.setSuite(cipherSuite);
-            session.setLocalPrivateKey(privateKey);
-
-            // chooseCompression(mesg);
-
-            // set the negotiated maximum fragment in the session
-            //
-            // The protocol version and cipher suite have been negotiated
-            // in previous processes.
-            if (maxFragLenExt != null) {
-                int maxFragLen = maxFragLenExt.getMaxFragLen();
-
-                // More check of the requested "max_fragment_length" extension.
-                if (maximumPacketSize != 0) {
-                    int estimatedMaxFragSize = cipherSuite.calculatePacketSize(
-                            maxFragLen, protocolVersion, isDTLS);
-                    if (estimatedMaxFragSize > maximumPacketSize) {
-                        // For better interoperability, abort the maximum
-                        // fragment length negotiation, rather than terminate
-                        // the connection with a fatal alert.
-                        maxFragLenExt = null;
-
-                        // fatalSE(Alerts.alert_illegal_parameter,
-                        //         "Not an allowed max_fragment_length value");
-                    }
-                }
-
-                if (maxFragLenExt != null) {
-                    session.setNegotiatedMaxFragSize(maxFragLen);
-                }
-            }
-
-            session.setMaximumPacketSize(maximumPacketSize);
-        } else {
-            // set the handshake session
-            setHandshakeSessionSE(session);
-        }
-
-        if (protocolVersion.useTLS12PlusSpec()) {
-            handshakeHash.setFinishedAlg(cipherSuite.prfAlg.getPRFHashAlg());
-        }
-
-        m1.cipherSuite = cipherSuite;
-        m1.sessionId = session.getSessionId();
-        m1.compression_method = session.getCompression();
-
-        if (secureRenegotiation) {
-            // For ServerHellos that are initial handshakes, then the
-            // "renegotiated_connection" field in "renegotiation_info"
-            // extension is of zero length.
-            //
-            // For ServerHellos that are renegotiating, this field contains
-            // the concatenation of client_verify_data and server_verify_data.
-            //
-            // Note that for initial handshakes, both the clientVerifyData
-            // variable and serverVerifyData variable are of zero length.
-            HelloExtension serverHelloRI = new RenegotiationInfoExtension(
-                                        clientVerifyData, serverVerifyData);
-            m1.extensions.add(serverHelloRI);
-        }
-
-        if (!sniMatchers.isEmpty() && clientHelloSNIExt != null) {
-            // When resuming a session, the server MUST NOT include a
-            // server_name extension in the server hello.
-            if (!resumingSession) {
-                ServerNameExtension serverHelloSNI = new ServerNameExtension();
-                m1.extensions.add(serverHelloSNI);
-            }
-        }
-
-        if ((maxFragLenExt != null) && !resumingSession) {
-            // When resuming a session, the server MUST NOT include a
-            // max_fragment_length extension in the server hello.
-            //
-            // Otherwise, use the same value as the requested extension.
-            m1.extensions.add(maxFragLenExt);
-        }
-
-        if (session.getUseExtendedMasterSecret()) {
-            m1.extensions.add(new ExtendedMasterSecretExtension());
-        }
-
-        StaplingParameters staplingParams = processStapling(mesg);
-        if (staplingParams != null) {
-            // We now can safely assert status_request[_v2] in our
-            // ServerHello, and know for certain that we can provide
-            // responses back to this client for this connection.
-            if (staplingParams.statusRespExt ==
-                    ExtensionType.EXT_STATUS_REQUEST) {
-                m1.extensions.add(new CertStatusReqExtension());
-            } else if (staplingParams.statusRespExt ==
-                    ExtensionType.EXT_STATUS_REQUEST_V2) {
-                m1.extensions.add(new CertStatusReqListV2Extension());
-            }
-        }
-
-        // Prepare the ALPN response
-        if (clientHelloALPN != null) {
-            List<String> peerAPs = clientHelloALPN.getPeerAPs();
-
-            // check for a callback function
-            if (hasAPCallback) {
-                if (conn != null) {
-                    applicationProtocol =
-                        appProtocolSelectorSSLSocket.apply(conn, peerAPs);
-                } else {
-                    applicationProtocol =
-                        appProtocolSelectorSSLEngine.apply(engine, peerAPs);
-                }
-            }
-
-            // check for no-match and that the selected name was also proposed
-            // by the TLS peer
-            if (applicationProtocol == null ||
-                   (!applicationProtocol.isEmpty() &&
-                        !peerAPs.contains(applicationProtocol))) {
-
-                fatalSE(Alerts.alert_no_application_protocol,
-                    new SSLHandshakeException(
-                        "No matching ALPN values"));
-
-            } else if (!applicationProtocol.isEmpty()) {
-                m1.extensions.add(new ALPNExtension(applicationProtocol));
-            }
-        } else {
-            // Nothing was negotiated, returned at end of the handshake
-            applicationProtocol = "";
-        }
-
-        if (debug != null && Debug.isOn("handshake")) {
-            m1.print(System.out);
-            System.out.println("Cipher suite:  " + session.getSuite());
-        }
-        m1.write(output);
-        handshakeState.update(m1, resumingSession);
-
-        //
-        // If we are resuming a session, we finish writing handshake
-        // messages right now and then finish.
-        //
-        if (resumingSession) {
-            calculateConnectionKeys(session.getMasterSecret());
-            sendChangeCipherAndFinish(false);
-
-            // expecting the final ChangeCipherSpec and Finished messages
-            expectingFinishFlightSE();
-
-            return;
-        }
-
-
-        /*
-         * SECOND, write the server Certificate(s) if we need to.
-         *
-         * NOTE:  while an "anonymous RSA" mode is explicitly allowed by
-         * the protocol, we can't support it since all of the SSL flavors
-         * defined in the protocol spec are explicitly stated to require
-         * using RSA certificates.
-         */
-        if (ClientKeyExchangeService.find(
-                cipherSuite.keyExchange.name) != null) {
-            // No external key exchange provider needs a cert now.
-        } else if ((keyExchange != K_DH_ANON) && (keyExchange != K_ECDH_ANON)) {
-            if (certs == null) {
-                throw new RuntimeException("no certificates");
-            }
-
-            CertificateMsg m2 = new CertificateMsg(certs);
-
-            /*
-             * Set local certs in the SSLSession, output
-             * debug info, and then actually write to the client.
-             */
-            session.setLocalCertificates(certs);
-            if (debug != null && Debug.isOn("handshake")) {
-                m2.print(System.out);
-            }
-            m2.write(output);
-            handshakeState.update(m2, resumingSession);
-
-            // XXX has some side effects with OS TCP buffering,
-            // leave it out for now
-
-            // let client verify chain in the meantime...
-            // output.flush();
-        } else {
-            if (certs != null) {
-                throw new RuntimeException("anonymous keyexchange with certs");
-            }
-        }
-
-        /**
-         * The CertificateStatus message ... only if it is needed.
-         * This would only be needed if we've established that this handshake
-         * supports status stapling and there is at least one response to
-         * return to the client.
-         */
-        if (staplingParams != null) {
-            CertificateStatus csMsg = new CertificateStatus(
-                    staplingParams.statReqType, certs,
-                    staplingParams.responseMap);
-            if (debug != null && Debug.isOn("handshake")) {
-                csMsg.print(System.out);
-            }
-            csMsg.write(output);
-            handshakeState.update(csMsg, resumingSession);
-        }
-
-        /*
-         * THIRD, the ServerKeyExchange message ... iff it's needed.
-         *
-         * It's usually needed unless there's an encryption-capable
-         * RSA cert, or a D-H cert.  The notable exception is that
-         * exportable ciphers used with big RSA keys need to downgrade
-         * to use short RSA keys, even when the key/cert encrypts OK.
-         */
-
-        ServerKeyExchange m3;
-        switch (keyExchange) {
-        case K_RSA:
-            // no server key exchange for RSA ciphersuites
-            m3 = null;
-            break;
-        case K_RSA_EXPORT:
-            if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
-                try {
-                    m3 = new RSA_ServerKeyExchange(
-                        tempPublicKey, privateKey,
-                        clnt_random, svr_random,
-                        sslContext.getSecureRandom());
-                    privateKey = tempPrivateKey;
-                } catch (GeneralSecurityException e) {
-                    m3 = null; // make compiler happy
-                    throw new SSLException(
-                            "Error generating RSA server key exchange", e);
-                }
-            } else {
-                // RSA_EXPORT with short key, don't need ServerKeyExchange
-                m3 = null;
-            }
-            break;
-        case K_DHE_RSA:
-        case K_DHE_DSS:
-            try {
-                m3 = new DH_ServerKeyExchange(dh,
-                    privateKey,
-                    clnt_random.random_bytes,
-                    svr_random.random_bytes,
-                    sslContext.getSecureRandom(),
-                    preferableSignatureAlgorithm,
-                    protocolVersion);
-            } catch (GeneralSecurityException e) {
-                m3 = null; // make compiler happy
-                throw new SSLException(
-                        "Error generating DH server key exchange", e);
-            }
-            break;
-        case K_DH_ANON:
-            m3 = new DH_ServerKeyExchange(dh, protocolVersion);
-            break;
-        case K_ECDHE_RSA:
-        case K_ECDHE_ECDSA:
-        case K_ECDH_ANON:
-            try {
-                m3 = new ECDH_ServerKeyExchange(ecdh,
-                    privateKey,
-                    clnt_random.random_bytes,
-                    svr_random.random_bytes,
-                    sslContext.getSecureRandom(),
-                    preferableSignatureAlgorithm,
-                    protocolVersion);
-            } catch (GeneralSecurityException e) {
-                m3 = null; // make compiler happy
-                throw new SSLException(
-                        "Error generating ECDH server key exchange", e);
-            }
-            break;
-        case K_ECDH_RSA:
-        case K_ECDH_ECDSA:
-            // ServerKeyExchange not used for fixed ECDH
-            m3 = null;
-            break;
-        default:
-            ClientKeyExchangeService p =
-                    ClientKeyExchangeService.find(keyExchange.name);
-            if (p != null) {
-                // No external key exchange provider needs a cert now.
-                m3 = null;
-                break;
-            }
-            throw new RuntimeException("internal error: " + keyExchange);
-        }
-        if (m3 != null) {
-            if (debug != null && Debug.isOn("handshake")) {
-                m3.print(System.out);
-            }
-            m3.write(output);
-            handshakeState.update(m3, resumingSession);
-        }
-
-        //
-        // FOURTH, the CertificateRequest message.  The details of
-        // the message can be affected by the key exchange algorithm
-        // in use.  For example, certs with fixed Diffie-Hellman keys
-        // are only useful with the DH_DSS and DH_RSA key exchange
-        // algorithms.
-        //
-        // Needed only if server requires client to authenticate self.
-        // Illegal for anonymous flavors, so we need to check that.
-        //
-        // No external key exchange provider needs a cert now.
-        if (doClientAuth != ClientAuthType.CLIENT_AUTH_NONE &&
-                keyExchange != K_DH_ANON && keyExchange != K_ECDH_ANON &&
-                ClientKeyExchangeService.find(keyExchange.name) == null) {
-
-            CertificateRequest m4;
-            X509Certificate[] caCerts;
-
-            Collection<SignatureAndHashAlgorithm> localSignAlgs = null;
-            if (protocolVersion.useTLS12PlusSpec()) {
-                // We currently use all local upported signature and hash
-                // algorithms. However, to minimize the computation cost
-                // of requested hash algorithms, we may use a restricted
-                // set of signature algorithms in the future.
-                localSignAlgs = getLocalSupportedSignAlgs();
-                if (localSignAlgs.isEmpty()) {
-                    throw new SSLHandshakeException(
-                            "No supported signature algorithm");
-                }
-
-                Set<String> localHashAlgs =
-                    SignatureAndHashAlgorithm.getHashAlgorithmNames(
-                        localSignAlgs);
-                if (localHashAlgs.isEmpty()) {
-                    throw new SSLHandshakeException(
-                            "No supported signature algorithm");
-                }
-            }
-
-            caCerts = sslContext.getX509TrustManager().getAcceptedIssuers();
-            m4 = new CertificateRequest(caCerts, keyExchange,
-                                            localSignAlgs, protocolVersion);
-
-            if (debug != null && Debug.isOn("handshake")) {
-                m4.print(System.out);
-            }
-            m4.write(output);
-            handshakeState.update(m4, resumingSession);
-        }
-
-        /*
-         * FIFTH, say ServerHelloDone.
-         */
-        ServerHelloDone m5 = new ServerHelloDone();
-
-        if (debug != null && Debug.isOn("handshake")) {
-            m5.print(System.out);
-        }
-        m5.write(output);
-        handshakeState.update(m5, resumingSession);
-
-        /*
-         * Flush any buffered messages so the client will see them.
-         * Ideally, all the messages above go in a single network level
-         * message to the client.  Without big Certificate chains, it's
-         * going to be the common case.
-         */
-        output.flush();
-    }
-
-    /*
-     * Choose cipher suite from among those supported by client. Sets
-     * the cipherSuite and keyExchange variables.
-     */
-    private void chooseCipherSuite(ClientHello mesg) throws IOException {
-        CipherSuiteList prefered;
-        CipherSuiteList proposed;
-        if (preferLocalCipherSuites) {
-            prefered = getActiveCipherSuites();
-            proposed = mesg.getCipherSuites();
-        } else {
-            prefered = mesg.getCipherSuites();
-            proposed = getActiveCipherSuites();
-        }
-
-        List<CipherSuite> legacySuites = new ArrayList<>();
-        for (CipherSuite suite : prefered.collection()) {
-            if (isNegotiable(proposed, suite) == false) {
-                continue;
-            }
-
-            if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
-                if ((suite.keyExchange == K_DH_ANON) ||
-                    (suite.keyExchange == K_ECDH_ANON)) {
-                    continue;
-                }
-            }
-
-            if (!legacyAlgorithmConstraints.permits(null, suite.name, null)) {
-                legacySuites.add(suite);
-                continue;
-            }
-
-            if (trySetCipherSuite(suite) == false) {
-                continue;
-            }
-
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("Standard ciphersuite chosen: " + suite);
-            }
-            return;
-        }
-
-        for (CipherSuite suite : legacySuites) {
-            if (trySetCipherSuite(suite)) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Legacy ciphersuite chosen: " + suite);
-                }
-                return;
-            }
-        }
-
-        fatalSE(Alerts.alert_handshake_failure, "no cipher suites in common");
-    }
-
-    /**
-     * Set the given CipherSuite, if possible. Return the result.
-     * The call succeeds if the CipherSuite is available and we have
-     * the necessary certificates to complete the handshake. We don't
-     * check if the CipherSuite is actually enabled.
-     *
-     * If successful, this method also generates ephemeral keys if
-     * required for this ciphersuite. This may take some time, so this
-     * method should only be called if you really want to use the
-     * CipherSuite.
-     *
-     * This method is called from chooseCipherSuite() in this class.
-     */
-    boolean trySetCipherSuite(CipherSuite suite) {
-        /*
-         * If we're resuming a session we know we can
-         * support this key exchange algorithm and in fact
-         * have already cached the result of it in
-         * the session state.
-         */
-        if (resumingSession) {
-            return true;
-        }
-
-        if (suite.isNegotiable() == false) {
-            return false;
-        }
-
-        // must not negotiate the obsoleted weak cipher suites.
-        if (protocolVersion.obsoletes(suite)) {
-            return false;
-        }
-
-        // must not negotiate unsupported cipher suites.
-        if (!protocolVersion.supports(suite)) {
-            return false;
-        }
-
-        KeyExchange keyExchange = suite.keyExchange;
-
-        // null out any existing references
-        privateKey = null;
-        certs = null;
-        dh = null;
-        tempPrivateKey = null;
-        tempPublicKey = null;
-
-        Collection<SignatureAndHashAlgorithm> supportedSignAlgs = null;
-        if (protocolVersion.useTLS12PlusSpec()) {
-            if (peerSupportedSignAlgs != null) {
-                supportedSignAlgs = peerSupportedSignAlgs;
-            } else {
-                SignatureAndHashAlgorithm algorithm = null;
-
-                // we may optimize the performance
-                switch (keyExchange) {
-                    // If the negotiated key exchange algorithm is one of
-                    // (RSA, DHE_RSA, DH_RSA, RSA_PSK, ECDH_RSA, ECDHE_RSA),
-                    // behave as if client had sent the value {sha1,rsa}.
-                    case K_RSA:
-                    case K_DHE_RSA:
-                    case K_DH_RSA:
-                    // case K_RSA_PSK:
-                    case K_ECDH_RSA:
-                    case K_ECDHE_RSA:
-                        algorithm = SignatureAndHashAlgorithm.valueOf(
-                                HashAlgorithm.SHA1.value,
-                                SignatureAlgorithm.RSA.value, 0);
-                        break;
-                    // If the negotiated key exchange algorithm is one of
-                    // (DHE_DSS, DH_DSS), behave as if the client had
-                    // sent the value {sha1,dsa}.
-                    case K_DHE_DSS:
-                    case K_DH_DSS:
-                        algorithm = SignatureAndHashAlgorithm.valueOf(
-                                HashAlgorithm.SHA1.value,
-                                SignatureAlgorithm.DSA.value, 0);
-                        break;
-                    // If the negotiated key exchange algorithm is one of
-                    // (ECDH_ECDSA, ECDHE_ECDSA), behave as if the client
-                    // had sent value {sha1,ecdsa}.
-                    case K_ECDH_ECDSA:
-                    case K_ECDHE_ECDSA:
-                        algorithm = SignatureAndHashAlgorithm.valueOf(
-                                HashAlgorithm.SHA1.value,
-                                SignatureAlgorithm.ECDSA.value, 0);
-                        break;
-                    default:
-                        // no peer supported signature algorithms
-                }
-
-                if (algorithm == null) {
-                    supportedSignAlgs =
-                        Collections.<SignatureAndHashAlgorithm>emptySet();
-                } else {
-                    supportedSignAlgs =
-                        new ArrayList<SignatureAndHashAlgorithm>(1);
-                    supportedSignAlgs.add(algorithm);
-
-                    supportedSignAlgs =
-                            SignatureAndHashAlgorithm.getSupportedAlgorithms(
-                                algorithmConstraints, supportedSignAlgs);
-
-                    // May be no default activated signature algorithm, but
-                    // let the following process make the final decision.
-                }
-
-                // Sets the peer supported signature algorithm to use in KM
-                // temporarily.
-                session.setPeerSupportedSignatureAlgorithms(supportedSignAlgs);
-            }
-        }
-
-        // The named group used for ECDHE and FFDHE.
-        NamedGroup namedGroup = null;
-        switch (keyExchange) {
-        case K_RSA:
-            // need RSA certs for authentication
-            if (setupPrivateKeyAndChain("RSA") == false) {
-                return false;
-            }
-            break;
-        case K_RSA_EXPORT:
-            // need RSA certs for authentication
-            if (setupPrivateKeyAndChain("RSA") == false) {
-                return false;
-            }
-
-            try {
-               if (JsseJce.getRSAKeyLength(certs[0].getPublicKey()) > 512) {
-                    if (!setupEphemeralRSAKeys(suite.exportable)) {
-                        return false;
-                    }
-               }
-            } catch (RuntimeException e) {
-                // could not determine keylength, ignore key
-                return false;
-            }
-            break;
-        case K_DHE_RSA:
-            // Is ephemeral DH cipher suite usable for the connection?
-            //
-            // [RFC 7919] If a compatible TLS server receives a Supported
-            // Groups extension from a client that includes any FFDHE group
-            // (i.e., any codepoint between 256 and 511, inclusive, even if
-            // unknown to the server), and if none of the client-proposed
-            // FFDHE groups are known and acceptable to the server, then
-            // the server MUST NOT select an FFDHE cipher suite.  In this
-            // case, the server SHOULD select an acceptable non-FFDHE cipher
-            // suite from the client's offered list.  If the extension is
-            // present with FFDHE groups, none of the client's offered
-            // groups are acceptable by the server, and none of the client's
-            // proposed non-FFDHE cipher suites are acceptable to the server,
-            // the server MUST end the connection with a fatal TLS alert
-            // of type insufficient_security(71).
-            //
-            // Note: For compatibility, if an application is customized to
-            // use legacy sizes (512 bits for exportable cipher suites and
-            // 768 bits for others), or the cipher suite is exportable, the
-            // FFDHE extension will not be used.
-            if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) &&
-                (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) {
-
-                namedGroup = requestedGroups.getPreferredGroup(
-                    algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE);
-                if (namedGroup == null) {
-                    // no match found, cannot use this cipher suite.
-                    return false;
-                }
-            }
-
-            // need RSA certs for authentication
-            if (setupPrivateKeyAndChain("RSA") == false) {
-                return false;
-            }
-
-            // get preferable peer signature algorithm for server key exchange
-            if (protocolVersion.useTLS12PlusSpec()) {
-                preferableSignatureAlgorithm =
-                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                                        supportedSignAlgs, "RSA", privateKey);
-                if (preferableSignatureAlgorithm == null) {
-                    if ((debug != null) && Debug.isOn("handshake")) {
-                        System.out.println(
-                                "No signature and hash algorithm for cipher " +
-                                suite);
-                    }
-                    return false;
-                }
-            }
-
-            setupEphemeralDHKeys(namedGroup, suite.exportable, privateKey);
-            break;
-        case K_ECDHE_RSA:
-            // Is ECDHE cipher suite usable for the connection?
-            namedGroup = (requestedGroups != null) ?
-                requestedGroups.getPreferredGroup(
-                    algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) :
-                SupportedGroupsExtension.getPreferredECGroup(
-                    algorithmConstraints);
-            if (namedGroup == null) {
-                // no match found, cannot use this ciphersuite
-                return false;
-            }
-
-            // need RSA certs for authentication
-            if (setupPrivateKeyAndChain("RSA") == false) {
-                return false;
-            }
-
-            // get preferable peer signature algorithm for server key exchange
-            if (protocolVersion.useTLS12PlusSpec()) {
-                preferableSignatureAlgorithm =
-                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                                        supportedSignAlgs, "RSA", privateKey);
-                if (preferableSignatureAlgorithm == null) {
-                    if ((debug != null) && Debug.isOn("handshake")) {
-                        System.out.println(
-                                "No signature and hash algorithm for cipher " +
-                                suite);
-                    }
-                    return false;
-                }
-            }
-
-            setupEphemeralECDHKeys(namedGroup);
-            break;
-        case K_DHE_DSS:
-            // Is ephemeral DH cipher suite usable for the connection?
-            //
-            // See comment in K_DHE_RSA case.
-            if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) &&
-                (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) {
-
-                namedGroup = requestedGroups.getPreferredGroup(
-                    algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE);
-                if (namedGroup == null) {
-                    // no match found, cannot use this cipher suite.
-                    return false;
-                }
-            }
-
-            // get preferable peer signature algorithm for server key exchange
-            if (protocolVersion.useTLS12PlusSpec()) {
-                preferableSignatureAlgorithm =
-                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                                                supportedSignAlgs, "DSA");
-                if (preferableSignatureAlgorithm == null) {
-                    if ((debug != null) && Debug.isOn("handshake")) {
-                        System.out.println(
-                                "No signature and hash algorithm for cipher " +
-                                suite);
-                    }
-                    return false;
-                }
-            }
-
-            // need DSS certs for authentication
-            if (setupPrivateKeyAndChain("DSA") == false) {
-                return false;
-            }
-
-            setupEphemeralDHKeys(namedGroup, suite.exportable, privateKey);
-            break;
-        case K_ECDHE_ECDSA:
-            // Is ECDHE cipher suite usable for the connection?
-            namedGroup = (requestedGroups != null) ?
-                requestedGroups.getPreferredGroup(
-                    algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) :
-                SupportedGroupsExtension.getPreferredECGroup(
-                    algorithmConstraints);
-            if (namedGroup == null) {
-                // no match found, cannot use this ciphersuite
-                return false;
-            }
-
-            // get preferable peer signature algorithm for server key exchange
-            if (protocolVersion.useTLS12PlusSpec()) {
-                preferableSignatureAlgorithm =
-                    SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                                            supportedSignAlgs, "ECDSA");
-                if (preferableSignatureAlgorithm == null) {
-                    if ((debug != null) && Debug.isOn("handshake")) {
-                        System.out.println(
-                                "No signature and hash algorithm for cipher " +
-                                suite);
-                    }
-                    return false;
-                }
-            }
-
-            // need EC cert
-            if (setupPrivateKeyAndChain("EC") == false) {
-                return false;
-            }
-
-            setupEphemeralECDHKeys(namedGroup);
-            break;
-        case K_ECDH_RSA:
-            // need EC cert
-            if (setupPrivateKeyAndChain("EC") == false) {
-                return false;
-            }
-            setupStaticECDHKeys();
-            break;
-        case K_ECDH_ECDSA:
-            // need EC cert
-            if (setupPrivateKeyAndChain("EC") == false) {
-                return false;
-            }
-            setupStaticECDHKeys();
-            break;
-        case K_DH_ANON:
-            // Is ephemeral DH cipher suite usable for the connection?
-            //
-            // See comment in K_DHE_RSA case.
-            if ((!useLegacyEphemeralDHKeys) && (!suite.exportable) &&
-                (requestedGroups != null) && requestedGroups.hasFFDHEGroup()) {
-                namedGroup = requestedGroups.getPreferredGroup(
-                    algorithmConstraints, NamedGroupType.NAMED_GROUP_FFDHE);
-                if (namedGroup == null) {
-                    // no match found, cannot use this cipher suite.
-                    return false;
-                }
-            }
-
-            // no certs needed for anonymous
-            setupEphemeralDHKeys(namedGroup, suite.exportable, null);
-            break;
-        case K_ECDH_ANON:
-            // Is ECDHE cipher suite usable for the connection?
-            namedGroup = (requestedGroups != null) ?
-                requestedGroups.getPreferredGroup(
-                    algorithmConstraints, NamedGroupType.NAMED_GROUP_ECDHE) :
-                SupportedGroupsExtension.getPreferredECGroup(
-                    algorithmConstraints);
-            if (namedGroup == null) {
-                // no match found, cannot use this ciphersuite
-                return false;
-            }
-
-            // no certs needed for anonymous
-            setupEphemeralECDHKeys(namedGroup);
-            break;
-        default:
-            ClientKeyExchangeService p =
-                    ClientKeyExchangeService.find(keyExchange.name);
-            if (p == null) {
-                // internal error, unknown key exchange
-                throw new RuntimeException(
-                        "Unrecognized cipherSuite: " + suite);
-            }
-            // need service creds
-            if (serviceCreds == null) {
-                AccessControlContext acc = getAccSE();
-                serviceCreds = p.getServiceCreds(acc);
-                if (serviceCreds != null) {
-                    if (debug != null && Debug.isOn("handshake")) {
-                        System.out.println("Using serviceCreds");
-                    }
-                }
-                if (serviceCreds == null) {
-                    return false;
-                }
-            }
-            break;
-        }
-        setCipherSuite(suite);
-
-        // set the peer implicit supported signature algorithms
-        if (protocolVersion.useTLS12PlusSpec()) {
-            if (peerSupportedSignAlgs == null) {
-                setPeerSupportedSignAlgs(supportedSignAlgs);
-                // we had alreay update the session
-            }
-        }
-        return true;
-    }
-
-    /*
-     * Get some "ephemeral" RSA keys for this context. This means
-     * generating them if it's not already been done.
-     *
-     * Note that we currently do not implement any ciphersuites that use
-     * strong ephemeral RSA. (We do not support the EXPORT1024 ciphersuites
-     * and standard RSA ciphersuites prohibit ephemeral mode for some reason)
-     * This means that export is always true and 512 bit keys are generated.
-     */
-    private boolean setupEphemeralRSAKeys(boolean export) {
-        KeyPair kp = sslContext.getEphemeralKeyManager().
-                        getRSAKeyPair(export, sslContext.getSecureRandom());
-        if (kp == null) {
-            return false;
-        } else {
-            tempPublicKey = kp.getPublic();
-            tempPrivateKey = kp.getPrivate();
-            return true;
-        }
-    }
-
-    /*
-     * Acquire some "ephemeral" Diffie-Hellman  keys for this handshake.
-     * We don't reuse these, for improved forward secrecy.
-     */
-    private void setupEphemeralDHKeys(
-            NamedGroup namedGroup, boolean export, Key key) {
-        // Are the client and server willing to negotiate FFDHE groups?
-        if ((!useLegacyEphemeralDHKeys) && (!export) && (namedGroup != null)) {
-            dh = new DHCrypt(namedGroup, sslContext.getSecureRandom());
-
-            return;
-        }   // Otherwise, the client is not compatible with FFDHE extension.
-
-        /*
-         * 768 bits ephemeral DH private keys were used to be used in
-         * ServerKeyExchange except that exportable ciphers max out at 512
-         * bits modulus values. We still adhere to this behavior in legacy
-         * mode (system property "jdk.tls.ephemeralDHKeySize" is defined
-         * as "legacy").
-         *
-         * Old JDK (JDK 7 and previous) releases don't support DH keys bigger
-         * than 1024 bits. We have to consider the compatibility requirement.
-         * 1024 bits DH key is always used for non-exportable cipher suites
-         * in default mode (system property "jdk.tls.ephemeralDHKeySize"
-         * is not defined).
-         *
-         * However, if applications want more stronger strength, setting
-         * system property "jdk.tls.ephemeralDHKeySize" to "matched"
-         * is a workaround to use ephemeral DH key which size matches the
-         * corresponding authentication key. For example, if the public key
-         * size of an authentication certificate is 2048 bits, then the
-         * ephemeral DH key size should be 2048 bits accordingly unless
-         * the cipher suite is exportable.  This key sizing scheme keeps
-         * the cryptographic strength consistent between authentication
-         * keys and key-exchange keys.
-         *
-         * Applications may also want to customize the ephemeral DH key size
-         * to a fixed length for non-exportable cipher suites. This can be
-         * approached by setting system property "jdk.tls.ephemeralDHKeySize"
-         * to a valid positive integer between 1024 and 8192 bits, inclusive.
-         *
-         * Note that the minimum acceptable key size is 1024 bits except
-         * exportable cipher suites or legacy mode.
-         *
-         * Note that per RFC 2246, the key size limit of DH is 512 bits for
-         * exportable cipher suites.  Because of the weakness, exportable
-         * cipher suites are deprecated since TLS v1.1 and they are not
-         * enabled by default in Oracle provider. The legacy behavior is
-         * reserved and 512 bits DH key is always used for exportable
-         * cipher suites.
-         */
-        int keySize = export ? 512 : 1024;           // default mode
-        if (!export) {
-            if (useLegacyEphemeralDHKeys) {          // legacy mode
-                keySize = 768;
-            } else if (useSmartEphemeralDHKeys) {    // matched mode
-                if (key != null) {
-                    int ks = KeyUtil.getKeySize(key);
-
-                    // DH parameter generation can be extremely slow, make
-                    // sure to use one of the supported pre-computed DH
-                    // parameters (see DHCrypt class).
-                    //
-                    // Old deployed applications may not be ready to support
-                    // DH key sizes bigger than 2048 bits.  Please DON'T use
-                    // value other than 1024 and 2048 at present.  May improve
-                    // the underlying providers and key size limit in the
-                    // future when the compatibility and interoperability
-                    // impact is limited.
-                    //
-                    // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks);
-                    keySize = ks <= 1024 ? 1024 : 2048;
-                } // Otherwise, anonymous cipher suites, 1024-bit is used.
-            } else if (customizedDHKeySize > 0) {    // customized mode
-                keySize = customizedDHKeySize;
-            }
-        }
-
-        dh = new DHCrypt(keySize, sslContext.getSecureRandom());
-    }
-
-    /**
-     * Setup the ephemeral ECDH parameters.
-     */
-    private void setupEphemeralECDHKeys(NamedGroup namedGroup) {
-        ecdh = new ECDHCrypt(namedGroup, sslContext.getSecureRandom());
-    }
-
-    private void setupStaticECDHKeys() {
-        // don't need to check whether the curve is supported, already done
-        // in setupPrivateKeyAndChain().
-        ecdh = new ECDHCrypt(privateKey, certs[0].getPublicKey());
-    }
-
-    /**
-     * Retrieve the server key and certificate for the specified algorithm
-     * from the KeyManager and set the instance variables.
-     *
-     * @return true if successful, false if not available or invalid
-     */
-    private boolean setupPrivateKeyAndChain(String algorithm) {
-        X509ExtendedKeyManager km = sslContext.getX509KeyManager();
-        String alias;
-        if (conn != null) {
-            alias = km.chooseServerAlias(algorithm, null, conn);
-        } else {
-            alias = km.chooseEngineServerAlias(algorithm, null, engine);
-        }
-        if (alias == null) {
-            return false;
-        }
-        PrivateKey tempPrivateKey = km.getPrivateKey(alias);
-        if (tempPrivateKey == null) {
-            return false;
-        }
-        X509Certificate[] tempCerts = km.getCertificateChain(alias);
-        if ((tempCerts == null) || (tempCerts.length == 0)) {
-            return false;
-        }
-        String keyAlgorithm = algorithm.split("_")[0];
-        PublicKey publicKey = tempCerts[0].getPublicKey();
-        if ((tempPrivateKey.getAlgorithm().equals(keyAlgorithm) == false)
-                || (publicKey.getAlgorithm().equals(keyAlgorithm) == false)) {
-            return false;
-        }
-        // For ECC certs, check whether we support the EC domain parameters.
-        // If the client sent a SupportedEllipticCurves ClientHello extension,
-        // check against that too.
-        if (keyAlgorithm.equals("EC")) {
-            if (publicKey instanceof ECPublicKey == false) {
-                return false;
-            }
-            ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
-            NamedGroup namedGroup = NamedGroup.valueOf(params);
-            if ((namedGroup == null) ||
-                (!SupportedGroupsExtension.supports(namedGroup)) ||
-                ((requestedGroups != null) &&
-                        !requestedGroups.contains(namedGroup.id))) {
-                return false;
-            }
-        }
-        this.privateKey = tempPrivateKey;
-        this.certs = tempCerts;
-        return true;
-    }
-
-    /*
-     * Returns premaster secret for external key exchange services.
-     */
-    private SecretKey clientKeyExchange(ClientKeyExchange mesg)
-        throws IOException {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        // Record the principals involved in exchange
-        session.setPeerPrincipal(mesg.getPeerPrincipal());
-        session.setLocalPrincipal(mesg.getLocalPrincipal());
-
-        return mesg.clientKeyExchange();
-    }
-
-    /*
-     * Diffie Hellman key exchange is used when the server presented
-     * D-H parameters in its certificate (signed using RSA or DSS/DSA),
-     * or else the server presented no certificate but sent D-H params
-     * in a ServerKeyExchange message.  Use of D-H is specified by the
-     * cipher suite chosen.
-     *
-     * The message optionally contains the client's D-H public key (if
-     * it wasn't not sent in a client certificate).  As always with D-H,
-     * if a client and a server have each other's D-H public keys and
-     * they use common algorithm parameters, they have a shared key
-     * that's derived via the D-H calculation.  That key becomes the
-     * pre-master secret.
-     */
-    private SecretKey clientKeyExchange(DHClientKeyExchange mesg)
-            throws IOException {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        BigInteger publicKeyValue = mesg.getClientPublicKey();
-
-        // check algorithm constraints
-        dh.checkConstraints(algorithmConstraints, publicKeyValue);
-
-        return dh.getAgreedSecret(publicKeyValue, false);
-    }
-
-    private SecretKey clientKeyExchange(ECDHClientKeyExchange mesg)
-            throws IOException {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        byte[] publicPoint = mesg.getEncodedPoint();
-
-        // check algorithm constraints
-        ecdh.checkConstraints(algorithmConstraints, publicPoint);
-
-        return ecdh.getAgreedSecret(publicPoint);
-    }
-
-    /*
-     * Client wrote a message to verify the certificate it sent earlier.
-     *
-     * Note that this certificate isn't involved in key exchange.  Client
-     * authentication messages are included in the checksums used to
-     * validate the handshake (e.g. Finished messages).  Other than that,
-     * the _exact_ identity of the client is less fundamental to protocol
-     * security than its role in selecting keys via the pre-master secret.
-     */
-    private void clientCertificateVerify(CertificateVerify mesg)
-            throws IOException {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        if (protocolVersion.useTLS12PlusSpec()) {
-            SignatureAndHashAlgorithm signAlg =
-                mesg.getPreferableSignatureAlgorithm();
-            if (signAlg == null) {
-                throw new SSLHandshakeException(
-                        "Illegal CertificateVerify message");
-            }
-
-            String hashAlg =
-                SignatureAndHashAlgorithm.getHashAlgorithmName(signAlg);
-            if (hashAlg == null || hashAlg.length() == 0) {
-                throw new SSLHandshakeException(
-                        "No supported hash algorithm");
-            }
-        }
-
-        try {
-            PublicKey publicKey =
-                session.getPeerCertificates()[0].getPublicKey();
-
-            boolean valid = mesg.verify(protocolVersion, handshakeHash,
-                                        publicKey, session.getMasterSecret());
-            if (valid == false) {
-                fatalSE(Alerts.alert_bad_certificate,
-                            "certificate verify message signature error");
-            }
-        } catch (GeneralSecurityException e) {
-            fatalSE(Alerts.alert_bad_certificate,
-                "certificate verify format error", e);
-        }
-
-        // reset the flag for clientCertificateVerify message
-        needClientVerify = false;
-    }
-
-
-    /*
-     * Client writes "finished" at the end of its handshake, after cipher
-     * spec is changed.   We verify it and then send ours.
-     *
-     * When we're resuming a session, we'll have already sent our own
-     * Finished message so just the verification is needed.
-     */
-    private void clientFinished(Finished mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        /*
-         * Verify if client did send the certificate when client
-         * authentication was required, otherwise server should not proceed
-         */
-        if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUIRED) {
-           // get X500Principal of the end-entity certificate for X509-based
-           // ciphersuites, or Kerberos principal for Kerberos ciphersuites, etc
-           session.getPeerPrincipal();
-        }
-
-        /*
-         * Verify if client did send clientCertificateVerify message following
-         * the client Certificate, otherwise server should not proceed
-         */
-        if (needClientVerify) {
-                fatalSE(Alerts.alert_handshake_failure,
-                        "client did not send certificate verify message");
-        }
-
-        /*
-         * Verify the client's message with the "before" digest of messages,
-         * and forget about continuing to use that digest.
-         */
-        boolean verified = mesg.verify(handshakeHash, Finished.CLIENT,
-            session.getMasterSecret());
-
-        if (!verified) {
-            fatalSE(Alerts.alert_handshake_failure,
-                        "client 'finished' message doesn't verify");
-            // NOTREACHED
-        }
-
-        /*
-         * save client verify data for secure renegotiation
-         */
-        if (secureRenegotiation) {
-            clientVerifyData = mesg.getVerifyData();
-        }
-
-        /*
-         * OK, it verified.  If we're doing the full handshake, add that
-         * "Finished" message to the hash of handshake messages, then send
-         * the change_cipher_spec and Finished message.
-         */
-        if (!resumingSession) {
-            sendChangeCipherAndFinish(true);
-        } else {
-            handshakeFinished = true;
-        }
-
-        /*
-         * Update the session cache only after the handshake completed, else
-         * we're open to an attack against a partially completed handshake.
-         */
-        session.setLastAccessedTime(System.currentTimeMillis());
-        if (!resumingSession && session.isRejoinable()) {
-            ((SSLSessionContextImpl)sslContext.engineGetServerSessionContext())
-                .put(session);
-            if (debug != null && Debug.isOn("session")) {
-                System.out.println(
-                    "%% Cached server session: " + session);
-            }
-        } else if (!resumingSession &&
-                debug != null && Debug.isOn("session")) {
-            System.out.println(
-                "%% Didn't cache non-resumable server session: "
-                + session);
-        }
-    }
-
-    /*
-     * Compute finished message with the "server" digest (and then forget
-     * about that digest, it can't be used again).
-     */
-    private void sendChangeCipherAndFinish(boolean finishedTag)
-            throws IOException {
-
-        // Reload if this message has been reserved.
-        handshakeHash.reload();
-
-        Finished mesg = new Finished(protocolVersion, handshakeHash,
-            Finished.SERVER, session.getMasterSecret(), cipherSuite);
-
-        /*
-         * Send the change_cipher_spec record; then our Finished handshake
-         * message will be the last handshake message.  Flush, and now we
-         * are ready for application data!!
-         */
-        sendChangeCipherSpec(mesg, finishedTag);
-
-        /*
-         * save server verify data for secure renegotiation
-         */
-        if (secureRenegotiation) {
-            serverVerifyData = mesg.getVerifyData();
-        }
-    }
-
-
-    /*
-     * Returns a HelloRequest message to kickstart renegotiations
-     */
-    @Override
-    HandshakeMessage getKickstartMessage() {
-        return new HelloRequest();
-    }
-
-
-    /*
-     * Fault detected during handshake.
-     */
-    @Override
-    void handshakeAlert(byte description) throws SSLProtocolException {
-
-        String message = Alerts.alertDescription(description);
-
-        if (debug != null && Debug.isOn("handshake")) {
-            System.out.println("SSL -- handshake alert:  "
-                + message);
-        }
-
-        /*
-         * It's ok to get a no_certificate alert from a client of which
-         * we *requested* authentication information.
-         * However, if we *required* it, then this is not acceptable.
-         *
-         * Anyone calling getPeerCertificates() on the
-         * session will get an SSLPeerUnverifiedException.
-         */
-        if ((description == Alerts.alert_no_certificate) &&
-                (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED)) {
-            return;
-        }
-
-        throw new SSLProtocolException("handshake alert: " + message);
-    }
-
-    /*
-     * RSA key exchange is normally used.  The client encrypts a "pre-master
-     * secret" with the server's public key, from the Certificate (or else
-     * ServerKeyExchange) message that was sent to it by the server.  That's
-     * decrypted using the private key before we get here.
-     */
-    private SecretKey clientKeyExchange(RSAClientKeyExchange mesg)
-            throws IOException {
-
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-        return mesg.preMaster;
-    }
-
-    /*
-     * Verify the certificate sent by the client. We'll only get one if we
-     * sent a CertificateRequest to request client authentication. If we
-     * are in TLS mode, the client may send a message with no certificates
-     * to indicate it does not have an appropriate chain. (In SSLv3 mode,
-     * it would send a no certificate alert).
-     */
-    private void clientCertificate(CertificateMsg mesg) throws IOException {
-        if (debug != null && Debug.isOn("handshake")) {
-            mesg.print(System.out);
-        }
-
-        X509Certificate[] peerCerts = mesg.getCertificateChain();
-
-        if (peerCerts.length == 0) {
-            /*
-             * If the client authentication is only *REQUESTED* (e.g.
-             * not *REQUIRED*, this is an acceptable condition.)
-             */
-            if (doClientAuth == ClientAuthType.CLIENT_AUTH_REQUESTED) {
-                return;
-            } else {
-                fatalSE(Alerts.alert_bad_certificate,
-                    "null cert chain");
-            }
-        }
-
-        // ask the trust manager to verify the chain
-        X509TrustManager tm = sslContext.getX509TrustManager();
-
-        try {
-            // find out the types of client authentication used
-            PublicKey key = peerCerts[0].getPublicKey();
-            String keyAlgorithm = key.getAlgorithm();
-            String authType;
-            if (keyAlgorithm.equals("RSA")) {
-                authType = "RSA";
-            } else if (keyAlgorithm.equals("DSA")) {
-                authType = "DSA";
-            } else if (keyAlgorithm.equals("EC")) {
-                authType = "EC";
-            } else {
-                // unknown public key type
-                authType = "UNKNOWN";
-            }
-
-            if (tm instanceof X509ExtendedTrustManager) {
-                if (conn != null) {
-                    ((X509ExtendedTrustManager)tm).checkClientTrusted(
-                        peerCerts.clone(),
-                        authType,
-                        conn);
-                } else {
-                    ((X509ExtendedTrustManager)tm).checkClientTrusted(
-                        peerCerts.clone(),
-                        authType,
-                        engine);
-                }
-            } else {
-                // Unlikely to happen, because we have wrapped the old
-                // X509TrustManager with the new X509ExtendedTrustManager.
-                throw new CertificateException(
-                    "Improper X509TrustManager implementation");
-            }
-        } catch (CertificateException e) {
-            // This will throw an exception, so include the original error.
-            fatalSE(Alerts.alert_certificate_unknown, e);
-        }
-        // set the flag for clientCertificateVerify message
-        needClientVerify = true;
-
-        session.setPeerCertificates(peerCerts);
-    }
-
-    private StaplingParameters processStapling(ClientHello mesg) {
-        StaplingParameters params = null;
-        ExtensionType ext = null;
-        StatusRequestType type = null;
-        StatusRequest req = null;
-        Map<X509Certificate, byte[]> responses;
-
-        // If this feature has not been enabled, then no more processing
-        // is necessary.  Also we will only staple if we're doing a full
-        // handshake.
-        if (!sslContext.isStaplingEnabled(false) || resumingSession) {
-            return null;
-        }
-
-        // Check if the client has asserted the status_request[_v2] extension(s)
-        CertStatusReqExtension statReqExt = (CertStatusReqExtension)
-                    mesg.extensions.get(ExtensionType.EXT_STATUS_REQUEST);
-        CertStatusReqListV2Extension statReqExtV2 =
-                (CertStatusReqListV2Extension)mesg.extensions.get(
-                        ExtensionType.EXT_STATUS_REQUEST_V2);
-
-        // Determine which type of stapling we are doing and assert the
-        // proper extension in the server hello.
-        // Favor status_request_v2 over status_request and ocsp_multi
-        // over ocsp.
-        // If multiple ocsp or ocsp_multi types exist, select the first
-        // instance of a given type.  Also since we don't support ResponderId
-        // selection yet, only accept a request if the ResponderId field
-        // is empty.
-        if (statReqExtV2 != null) {             // RFC 6961 stapling
-            ext = ExtensionType.EXT_STATUS_REQUEST_V2;
-            List<CertStatusReqItemV2> reqItems =
-                    statReqExtV2.getRequestItems();
-            int ocspIdx = -1;
-            int ocspMultiIdx = -1;
-            for (int pos = 0; (pos < reqItems.size() &&
-                    (ocspIdx == -1 || ocspMultiIdx == -1)); pos++) {
-                CertStatusReqItemV2 item = reqItems.get(pos);
-                StatusRequestType curType = item.getType();
-                if (ocspIdx < 0 && curType == StatusRequestType.OCSP) {
-                    OCSPStatusRequest ocspReq =
-                            (OCSPStatusRequest)item.getRequest();
-                    if (ocspReq.getResponderIds().isEmpty()) {
-                        ocspIdx = pos;
-                    }
-                } else if (ocspMultiIdx < 0 &&
-                        curType == StatusRequestType.OCSP_MULTI) {
-                    // If the type is OCSP, then the request
-                    // is guaranteed to be OCSPStatusRequest
-                    OCSPStatusRequest ocspReq =
-                            (OCSPStatusRequest)item.getRequest();
-                    if (ocspReq.getResponderIds().isEmpty()) {
-                        ocspMultiIdx = pos;
-                    }
-                }
-            }
-            if (ocspMultiIdx >= 0) {
-                type = reqItems.get(ocspMultiIdx).getType();
-                req = reqItems.get(ocspMultiIdx).getRequest();
-            } else if (ocspIdx >= 0) {
-                type = reqItems.get(ocspIdx).getType();
-                req = reqItems.get(ocspIdx).getRequest();
-            } else {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Warning: No suitable request " +
-                            "found in the status_request_v2 extension.");
-                }
-            }
-        }
-
-        // Only attempt to process a status_request extension if:
-        // * The status_request extension is set AND
-        // * either the status_request_v2 extension is not present OR
-        // * none of the underlying OCSPStatusRequest structures is suitable
-        // for stapling.
-        // If either of the latter two bullet items is true the ext, type and
-        // req variables should all be null.  If any are null we will try
-        // processing an asserted status_request.
-        if ((statReqExt != null) &&
-               (ext == null || type == null || req == null)) {
-            ext = ExtensionType.EXT_STATUS_REQUEST;
-            type = statReqExt.getType();
-            if (type == StatusRequestType.OCSP) {
-                // If the type is OCSP, then the request is guaranteed
-                // to be OCSPStatusRequest
-                OCSPStatusRequest ocspReq =
-                        (OCSPStatusRequest)statReqExt.getRequest();
-                if (ocspReq.getResponderIds().isEmpty()) {
-                    req = ocspReq;
-                } else {
-                    if (debug != null && Debug.isOn("handshake")) {
-                        req = null;
-                        System.out.println("Warning: No suitable request " +
-                                "found in the status_request extension.");
-                    }
-                }
-            }
-        }
-
-        // If, after walking through the extensions we were unable to
-        // find a suitable StatusRequest, then stapling is disabled.
-        // The ext, type and req variables must have been set to continue.
-        if (type == null || req == null || ext == null) {
-            return null;
-        }
-
-        // Get the OCSP responses from the StatusResponseManager
-        StatusResponseManager statRespMgr =
-                sslContext.getStatusResponseManager();
-        if (statRespMgr != null) {
-            responses = statRespMgr.get(type, req, certs, statusRespTimeout,
-                    TimeUnit.MILLISECONDS);
-            if (!responses.isEmpty()) {
-                // If this RFC 6066-style stapling (SSL cert only) then the
-                // response cannot be zero length
-                if (type == StatusRequestType.OCSP) {
-                    byte[] respDER = responses.get(certs[0]);
-                    if (respDER == null || respDER.length <= 0) {
-                        return null;
-                    }
-                }
-                params = new StaplingParameters(ext, type, req, responses);
-            }
-        } else {
-            // This should not happen, but if lazy initialization of the
-            // StatusResponseManager doesn't occur we should turn off stapling.
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("Warning: lazy initialization " +
-                        "of the StatusResponseManager failed.  " +
-                        "Stapling has been disabled.");
-            }
-        }
-
-        return params;
-    }
-
-    /**
-     * Inner class used to hold stapling parameters needed by the handshaker
-     * when stapling is active.
-     */
-    private class StaplingParameters {
-        private final ExtensionType statusRespExt;
-        private final StatusRequestType statReqType;
-        private final StatusRequest statReqData;
-        private final Map<X509Certificate, byte[]> responseMap;
-
-        StaplingParameters(ExtensionType ext, StatusRequestType type,
-                StatusRequest req, Map<X509Certificate, byte[]> responses) {
-            statusRespExt = ext;
-            statReqType = type;
-            statReqData = req;
-            responseMap = responses;
-        }
-    }
-}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ServerHandshakeContext.java	2018-05-11 15:10:26.475013800 -0700
@@ -0,0 +1,83 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.security.AlgorithmConstraints;
+import java.security.AccessController;
+import sun.security.util.LegacyAlgorithmConstraints;
+import sun.security.action.GetPropertyAction;
+import sun.security.action.GetLongAction;
+
+class ServerHandshakeContext extends HandshakeContext {
+    // To prevent the TLS renegotiation issues, by setting system property
+    // "jdk.tls.rejectClientInitiatedRenegotiation" to true, applications in
+    // server side can disable all client initiated SSL renegotiations
+    // regardless of the support of TLS protocols.
+    //
+    // By default, allow client initiated renegotiations.
+    static final boolean rejectClientInitiatedRenego =
+            Utilities.getBooleanProperty(
+                "jdk.tls.rejectClientInitiatedRenegotiation", false);
+
+    // legacy algorithm constraints
+    static final AlgorithmConstraints legacyAlgorithmConstraints =
+            new LegacyAlgorithmConstraints(
+                    LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS,
+                    new SSLAlgorithmDecomposer());
+
+    // temporary authentication information
+    SSLPossession interimAuthn;
+
+    StatusResponseManager.StaplingParameters stapleParams;
+    CertificateMessage.CertificateEntry currentCertEntry;
+    private static final long DEFAULT_STATUS_RESP_DELAY = 5000L;
+    final long statusRespTimeout;
+
+
+    ServerHandshakeContext(SSLContextImpl sslContext,
+            TransportContext conContext) throws IOException {
+        super(sslContext, conContext);
+        long respTimeOut = AccessController.doPrivileged(
+                    new GetLongAction("jdk.tls.stapling.responseTimeout",
+                        DEFAULT_STATUS_RESP_DELAY));
+        statusRespTimeout = respTimeOut >= 0 ? respTimeOut :
+                DEFAULT_STATUS_RESP_DELAY;
+        handshakeConsumers.put(
+                SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
+    }
+
+    @Override
+    void kickstart() throws IOException {
+        if (!conContext.isNegotiated || kickstartMessageDelivered) {
+            return;
+        }
+
+        SSLHandshake.kickstart(this);
+        kickstartMessageDelivered = true;
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ServerHello.java	2018-05-11 15:10:28.409881600 -0700
@@ -0,0 +1,1449 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.security.AlgorithmConstraints;
+import java.security.GeneralSecurityException;
+import java.text.MessageFormat;
+import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Optional;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLHandshakeException;
+import sun.security.ssl.CipherSuite.KeyExchange;
+import sun.security.ssl.ClientHello.ClientHelloMessage;
+import sun.security.ssl.SSLCipher.SSLReadCipher;
+import sun.security.ssl.SSLCipher.SSLWriteCipher;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+import sun.security.ssl.SupportedVersionsExtension.SHSupportedVersionsSpec;
+
+/**
+ * Pack of the ServertHello/HelloRetryRequest handshake message.
+ */
+final class ServerHello {
+    static final SSLConsumer handshakeConsumer =
+        new ServerHelloConsumer();
+    static final HandshakeProducer t12HandshakeProducer =
+        new T12ServerHelloProducer();
+    static final HandshakeProducer t13HandshakeProducer =
+        new T13ServerHelloProducer();
+    static final HandshakeProducer hrrHandshakeProducer =
+        new T13HelloRetryRequestProducer();
+
+    static final HandshakeProducer hrrReproducer =
+        new T13HelloRetryRequestReproducer();
+
+    private static final HandshakeConsumer t12HandshakeConsumer =
+        new T12ServerHelloConsumer();
+    private static final HandshakeConsumer t13HandshakeConsumer =
+        new T13ServerHelloConsumer();
+
+    private static final HandshakeConsumer d12HandshakeConsumer =
+        new T12ServerHelloConsumer();
+    private static final HandshakeConsumer d13HandshakeConsumer =
+        new T13ServerHelloConsumer();
+
+    private static final HandshakeConsumer t13HrrHandshakeConsumer =
+        new T13HelloRetryRequestConsumer();
+    private static final HandshakeConsumer d13HrrHandshakeConsumer =
+        new T13HelloRetryRequestConsumer();
+
+    /**
+     * The ServertHello handshake message.
+     */
+    static final class ServerHelloMessage extends HandshakeMessage {
+        final ProtocolVersion           serverVersion;      // TLS 1.3 legacy
+        final RandomCookie              serverRandom;
+        final SessionId                 sessionId;          // TLS 1.3 legacy
+        final CipherSuite               cipherSuite;
+        final byte                      compressionMethod;  // TLS 1.3 legacy
+        final SSLExtensions             extensions;
+
+        // The HelloRetryRequest producer needs to use the ClientHello message
+        // for cookie generation.  Please don't use this field for other
+        // purpose unless it is really necessary.
+        final ClientHelloMessage        clientHello;
+
+        // Reserved for HelloRetryRequest consumer.  Please don't use this
+        // field for other purpose unless it is really necessary.
+        final ByteBuffer                handshakeRecord;
+
+        ServerHelloMessage(HandshakeContext context,
+                ProtocolVersion serverVersion, SessionId sessionId,
+                CipherSuite cipherSuite, RandomCookie serverRandom,
+                ClientHelloMessage clientHello) {
+            super(context);
+
+            this.serverVersion = serverVersion;
+            this.serverRandom = serverRandom;
+            this.sessionId = sessionId;
+            this.cipherSuite = cipherSuite;
+            this.compressionMethod = 0x00;      // Don't support compression.
+            this.extensions = new SSLExtensions(this);
+
+            // Reserve the ClientHello message for cookie generation.
+            this.clientHello = clientHello;
+
+            // The handshakeRecord field is used for HelloRetryRequest consumer
+            // only.  It's fine to set it to null for gnerating side of the
+            // ServerHello/HelloRetryRequest message.
+            this.handshakeRecord = null;
+        }
+
+        ServerHelloMessage(HandshakeContext context,
+                ByteBuffer m) throws IOException {
+            super(context);
+
+            // Reserve for HelloRetryRequest consumer if needed.
+            this.handshakeRecord = m.duplicate();
+
+            byte major = m.get();
+            byte minor = m.get();
+            this.serverVersion = ProtocolVersion.valueOf(major, minor);
+            if (this.serverVersion == null) {
+                // The client should only request for known protovol versions.
+                context.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "Unsupported protocol version: " +
+                    ProtocolVersion.nameOf(major, minor));
+            }
+
+            this.serverRandom = new RandomCookie(m);
+            this.sessionId = new SessionId(Record.getBytes8(m));
+            sessionId.checkLength(serverVersion.id);
+
+
+            int cipherSuiteId = Record.getInt16(m);
+            this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
+            if (cipherSuite == null || !context.isNegotiable(cipherSuite)) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Server selected improper ciphersuite " +
+                    CipherSuite.nameOf(cipherSuiteId));
+            }
+
+            this.compressionMethod = m.get();
+            if (compressionMethod != 0) {
+                context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "compression type not supported, " + compressionMethod);
+            }
+
+            SSLExtension[] supportedExtensions;
+            if (serverRandom.isHelloRetryRequest()) {
+                supportedExtensions = context.sslConfig.getEnabledExtensions(
+                            SSLHandshake.HELLO_RETRY_REQUEST);
+            } else {
+                supportedExtensions = context.sslConfig.getEnabledExtensions(
+                            SSLHandshake.SERVER_HELLO);
+            }
+
+            if (m.hasRemaining()) {
+                this.extensions =
+                    new SSLExtensions(this, m, supportedExtensions);
+            } else {
+                this.extensions = new SSLExtensions(this);
+            }
+
+            // The clientHello field is used for HelloRetryRequest producer
+            // only.  It's fine to set it to null for receiving side of
+            // ServerHello/HelloRetryRequest message.
+            this.clientHello = null;        // not used, let it be null;
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return serverRandom.isHelloRetryRequest() ?
+                SSLHandshake.HELLO_RETRY_REQUEST : SSLHandshake.SERVER_HELLO;
+        }
+
+        @Override
+        public int messageLength() {
+            // almost fixed header size, except session ID and extensions:
+            //      major + minor = 2
+            //      random = 32
+            //      session ID len field = 1
+            //      cipher suite = 2
+            //      compression = 1
+            //      extensions: if present, 2 + length of extensions
+            // In TLS 1.3, use of certain extensions is mandatory.
+            return 38 + sessionId.length() + extensions.length();
+        }
+
+        @Override
+        public void send(HandshakeOutStream hos) throws IOException {
+            hos.putInt8(serverVersion.major);
+            hos.putInt8(serverVersion.minor);
+            hos.write(serverRandom.randomBytes);
+            hos.putBytes8(sessionId.getId());
+            hos.putInt8((cipherSuite.id >> 8) & 0xFF);
+            hos.putInt8(cipherSuite.id & 0xff);
+            hos.putInt8(compressionMethod);
+
+            extensions.send(hos);           // In TLS 1.3, use of certain
+                                            // extensions is mandatory.
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"{0}\": '{'\n" +
+                "  \"server version\"      : \"{1}\",\n" +
+                "  \"random\"              : \"{2}\",\n" +
+                "  \"session id\"          : \"{3}\",\n" +
+                "  \"cipher suite\"        : \"{4}\",\n" +
+                "  \"compression methods\" : \"{5}\",\n" +
+                "  \"extensions\"          : [\n" +
+                "{6}\n" +
+                "  ]\n" +
+                "'}'",
+                Locale.ENGLISH);
+            Object[] messageFields = {
+                serverRandom.isHelloRetryRequest() ?
+                    "HelloRetryRequest" : "ServerHello",
+                serverVersion.name,
+                Utilities.toHexString(serverRandom.randomBytes),
+                sessionId.toString(),
+                cipherSuite.name + "(" +
+                        Utilities.byte16HexString(cipherSuite.id) + ")",
+                Utilities.toHexString(compressionMethod),
+                Utilities.indent(extensions.toString(), "    ")
+            };
+
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    /**
+     * The "ServerHello" handshake message producer.
+     */
+    private static final class T12ServerHelloProducer
+            implements HandshakeProducer {
+
+        // Prevent instantiation of this class.
+        private T12ServerHelloProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            // If client hasn't specified a session we can resume, start a
+            // new one and choose its cipher suite and compression options,
+            // unless new session creation is disabled for this connection!
+            if (!shc.isResumption || shc.resumingSession == null) {
+                if (!shc.sslConfig.enableSessionCreation) {
+                    throw new SSLException(
+                        "Not resumption, and no new session is allowed");
+                }
+
+                if (shc.localSupportedSignAlgs == null) {
+                    shc.localSupportedSignAlgs =
+                        SignatureScheme.getSupportedAlgorithms(
+                                shc.algorithmConstraints, shc.activeProtocols);
+                }
+
+                SSLSessionImpl session =
+                        new SSLSessionImpl(shc, CipherSuite.C_NULL);
+                session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
+                shc.handshakeSession = session;
+
+                // consider the handshake extension impact
+                SSLExtension[] enabledExtensions =
+                        shc.sslConfig.getEnabledExtensions(
+                            SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
+                clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
+
+                // negotiate the cipher suite.
+                KeyExchangeProperties credentials =
+                        chooseCipherSuite(shc, clientHello);
+                if (credentials == null) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "no cipher suites in common");
+
+                    return null;    // make the compiler happy
+                }
+                shc.negotiatedCipherSuite = credentials.cipherSuite;
+                shc.handshakeKeyExchange = credentials.keyExchange;
+                shc.handshakeSession.setSuite(credentials.cipherSuite);
+                shc.handshakePossessions.addAll(
+                        Arrays.asList(credentials.possessions));
+                shc.handshakeHash.determine(
+                        shc.negotiatedProtocol, shc.negotiatedCipherSuite);
+
+                // Check the incoming OCSP stapling extensions and attempt
+                // to get responses.  If the resulting stapleParams is non
+                // null, it implies that stapling is enabled on the server side.
+                shc.stapleParams = StatusResponseManager.processStapling(shc);
+                shc.staplingActive = (shc.stapleParams != null);
+
+                // update the responders
+                SSLKeyExchange ke = credentials.keyExchange;
+                if (ke != null) {
+                    for (Map.Entry<Byte, HandshakeProducer> me :
+                            ke.getHandshakeProducers(shc)) {
+                        shc.handshakeProducers.put(
+                                me.getKey(), me.getValue());
+                    }
+                }
+
+                if ((ke != null) &&
+                        (shc.sslConfig.clientAuthType !=
+                                ClientAuthType.CLIENT_AUTH_NONE) &&
+                        !shc.negotiatedCipherSuite.isAnonymous()) {
+                    for (SSLHandshake hs :
+                            ke.getRelatedHandshakers(shc)) {
+                        if (hs == SSLHandshake.CERTIFICATE) {
+                            shc.handshakeProducers.put(
+                                    SSLHandshake.CERTIFICATE_REQUEST.id,
+                                    SSLHandshake.CERTIFICATE_REQUEST);
+                            break;
+                        }
+                    }
+                }
+                shc.handshakeProducers.put(SSLHandshake.SERVER_HELLO_DONE.id,
+                        SSLHandshake.SERVER_HELLO_DONE);
+            } else {
+                shc.handshakeSession = shc.resumingSession;
+                shc.negotiatedProtocol =
+                        shc.resumingSession.getProtocolVersion();
+                shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
+                shc.handshakeHash.determine(
+                        shc.negotiatedProtocol, shc.negotiatedCipherSuite);
+            }
+
+            // Generate the ServerHello handshake message.
+            // TODO: not yet consider downgrade protection.
+            ServerHelloMessage shm = new ServerHelloMessage(shc,
+                    shc.negotiatedProtocol,
+                    shc.handshakeSession.getSessionId(),
+                    shc.negotiatedCipherSuite,
+                    new RandomCookie(shc.sslContext.getSecureRandom()),
+                    clientHello);
+            shc.serverHelloRandom = shm.serverRandom;
+
+            // Produce extensions for ServerHello handshake message.
+            SSLExtension[] serverHelloExtensions =
+                shc.sslConfig.getEnabledExtensions(
+                        SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol);
+            shm.extensions.produce(shc, serverHelloExtensions);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced ServerHello handshake message", shm);
+            }
+
+            // Output the handshake message.
+            shm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            if (shc.isResumption && shc.resumingSession != null) {
+                SSLTrafficKeyDerivation kdg =
+                    SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+                if (kdg == null) {
+                    // unlikely
+                    shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            shc.negotiatedProtocol);
+                } else {
+                    shc.handshakeKeyDerivation = kdg.createKeyDerivation(
+                            shc, shc.resumingSession.getMasterSecret());
+                }
+
+                // update the responders
+                shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
+                        SSLHandshake.FINISHED);
+            }
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private static KeyExchangeProperties chooseCipherSuite(
+                ServerHandshakeContext shc,
+                ClientHelloMessage clientHello) throws IOException {
+            List<CipherSuite> prefered;
+            List<CipherSuite> proposed;
+            if (shc.sslConfig.preferLocalCipherSuites) {
+                prefered = shc.activeCipherSuites;
+                proposed = clientHello.cipherSuites;
+            } else {
+                prefered = clientHello.cipherSuites;
+                proposed = shc.activeCipherSuites;
+            }
+
+            List<CipherSuite> legacySuites = new LinkedList<>();
+            for (CipherSuite cs : prefered) {
+                if (!HandshakeContext.isNegotiable(
+                        proposed, shc.negotiatedProtocol, cs)) {
+                    continue;
+                }
+
+                if (shc.sslConfig.clientAuthType ==
+                        ClientAuthType.CLIENT_AUTH_REQUIRED) {
+                    if ((cs.keyExchange == KeyExchange.K_DH_ANON) ||
+                        (cs.keyExchange == KeyExchange.K_ECDH_ANON)) {
+                        continue;
+                    }
+                }
+
+                SSLKeyExchange ke = SSLKeyExchange.valueOf(cs.keyExchange);
+                if (ke == null) {
+                    continue;
+                }
+                if (!ServerHandshakeContext.legacyAlgorithmConstraints.permits(
+                        null, cs.name, null)) {
+                    legacySuites.add(cs);
+                    continue;
+                }
+
+                SSLPossession[] hcds = ke.createPossessions(shc);
+                if ((hcds == null) || (hcds.length == 0)) {
+                    continue;
+                }
+
+                // The cipher suite has been negotiated.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("use cipher suite " + cs.name);
+                }
+
+                return new KeyExchangeProperties(cs, ke, hcds);
+            }
+
+            for (CipherSuite cs : legacySuites) {
+                SSLKeyExchange ke = SSLKeyExchange.valueOf(cs.keyExchange);
+                if (ke != null) {
+                    SSLPossession[] hcds = ke.createPossessions(shc);
+                    if ((hcds != null) && (hcds.length != 0)) {
+                        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                            SSLLogger.warning(
+                                "use legacy cipher suite " + cs.name);
+                        }
+                        return new KeyExchangeProperties(cs, ke, hcds);
+                    }
+                }
+            }
+
+            shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "no cipher suites in common");
+
+            return null;    // make the compiler happy.
+        }
+
+        private static final class KeyExchangeProperties {
+            final CipherSuite cipherSuite;
+            final SSLKeyExchange keyExchange;
+            final SSLPossession[] possessions;
+
+            private KeyExchangeProperties(CipherSuite cipherSuite,
+                    SSLKeyExchange keyExchange, SSLPossession[] possessions) {
+                this.cipherSuite = cipherSuite;
+                this.keyExchange = keyExchange;
+                this.possessions = possessions;
+            }
+        }
+    }
+
+    /**
+     * The "ServerHello" handshake message producer.
+     */
+    private static final
+            class T13ServerHelloProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13ServerHelloProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+            ClientHelloMessage clientHello = (ClientHelloMessage)message;
+
+            // If client hasn't specified a session we can resume, start a
+            // new one and choose its cipher suite and compression options,
+            // unless new session creation is disabled for this connection!
+            if (!shc.isResumption || shc.resumingSession == null) {
+                if (!shc.sslConfig.enableSessionCreation) {
+                    throw new SSLException(
+                        "Not resumption, and no new session is allowed");
+                }
+
+                if (shc.localSupportedSignAlgs == null) {
+                    shc.localSupportedSignAlgs =
+                        SignatureScheme.getSupportedAlgorithms(
+                                shc.algorithmConstraints, shc.activeProtocols);
+                }
+
+                SSLSessionImpl session =
+                        new SSLSessionImpl(shc, CipherSuite.C_NULL);
+                session.setMaximumPacketSize(shc.sslConfig.maximumPacketSize);
+                shc.handshakeSession = session;
+
+                // consider the handshake extension impact
+                SSLExtension[] enabledExtensions =
+                        shc.sslConfig.getEnabledExtensions(
+                            SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
+                clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
+
+                // negotiate the cipher suite.
+                CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
+                if (cipherSuite == null) {
+                    shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                            "no cipher suites in common");
+                    return null;    // make the compiler happy
+                }
+                shc.negotiatedCipherSuite = cipherSuite;
+                shc.handshakeSession.setSuite(cipherSuite);
+                shc.handshakeHash.determine(
+                        shc.negotiatedProtocol, shc.negotiatedCipherSuite);
+            } else {
+                shc.handshakeSession = shc.resumingSession;
+
+                // consider the handshake extension impact
+                SSLExtension[] enabledExtensions =
+                shc.sslConfig.getEnabledExtensions(
+                SSLHandshake.CLIENT_HELLO, shc.negotiatedProtocol);
+                clientHello.extensions.consumeOnTrade(shc, enabledExtensions);
+
+                shc.negotiatedProtocol =
+                        shc.resumingSession.getProtocolVersion();
+                shc.negotiatedCipherSuite = shc.resumingSession.getSuite();
+                shc.handshakeHash.determine(
+                        shc.negotiatedProtocol, shc.negotiatedCipherSuite);
+
+                setUpPskKD(shc, shc.resumingSession.consumePreSharedKey().get());
+
+                // The session can't be resumed again---remove it from cache
+                SSLSessionContextImpl sessionCache = (SSLSessionContextImpl)
+                    shc.sslContext.engineGetServerSessionContext();
+                sessionCache.remove(shc.resumingSession.getSessionId());
+            }
+
+            // update the responders
+            shc.handshakeProducers.put(SSLHandshake.ENCRYPTED_EXTENSIONS.id,
+                    SSLHandshake.ENCRYPTED_EXTENSIONS);
+            shc.handshakeProducers.put(SSLHandshake.FINISHED.id,
+                    SSLHandshake.FINISHED);
+
+            // TODO: not yet consider downgrade protection.
+            ServerHelloMessage shm = new ServerHelloMessage(shc,
+                    ProtocolVersion.TLS12,      // use legacy version
+                    clientHello.sessionId,      // echo back
+                    shc.negotiatedCipherSuite,
+                    new RandomCookie(shc.sslContext.getSecureRandom()),
+                    clientHello);
+            shc.serverHelloRandom = shm.serverRandom;
+
+            // Produce extensions for ServerHello handshake message.
+            SSLExtension[] serverHelloExtensions =
+                    shc.sslConfig.getEnabledExtensions(
+                        SSLHandshake.SERVER_HELLO, shc.negotiatedProtocol);
+            shm.extensions.produce(shc, serverHelloExtensions);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Produced ServerHello handshake message", shm);
+            }
+
+            // Output the handshake message.
+            shm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // Change client/server handshake traffic secrets.
+            // Refresh handshake hash
+            shc.handshakeHash.update();
+
+            // Change client/server handshake traffic secrets.
+            SSLKeyExchange ke = shc.handshakeKeyExchange;
+            if (ke == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not negotiated key shares");
+                return null;    // make the compiler happy
+            }
+
+            SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
+            SecretKey handshakeSecret = handshakeKD.deriveKey(
+                    "TlsHandshakeSecret", null);
+
+            SSLTrafficKeyDerivation kdg =
+                SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
+            if (kdg == null) {
+                // unlikely
+                shc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                        shc.negotiatedProtocol);
+                return null;    // make the compiler happy
+            }
+
+            SSLKeyDerivation kd =
+                    new SSLSecretDerivation(shc, handshakeSecret);
+
+            // update the handshake traffic read keys.
+            SecretKey readSecret = kd.deriveKey(
+                    "TlsClientHandshakeTrafficSecret", null);
+            SSLKeyDerivation readKD =
+                    kdg.createKeyDerivation(shc, readSecret);
+            SecretKey readKey = readKD.deriveKey(
+                    "TlsKey", null);
+            SecretKey readIvSecret = readKD.deriveKey(
+                    "TlsIv", null);
+            IvParameterSpec readIv =
+                    new IvParameterSpec(readIvSecret.getEncoded());
+            SSLReadCipher readCipher;
+            try {
+                readCipher =
+                    shc.negotiatedCipherSuite.bulkCipher.createReadCipher(
+                        Authenticator.valueOf(shc.negotiatedProtocol),
+                        shc.negotiatedProtocol, readKey, readIv,
+                        shc.sslContext.getSecureRandom());
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Missing cipher algorithm", gse);
+                return null;    // make the compiler happy
+            }
+
+            shc.baseReadSecret = readSecret;
+            shc.conContext.inputRecord.changeReadCiphers(readCipher);
+
+            // update the handshake traffic write secret.
+            SecretKey writeSecret = kd.deriveKey(
+                    "TlsServerHandshakeTrafficSecret", null);
+            SSLKeyDerivation writeKD =
+                    kdg.createKeyDerivation(shc, writeSecret);
+            SecretKey writeKey = writeKD.deriveKey(
+                    "TlsKey", null);
+            SecretKey writeIvSecret = writeKD.deriveKey(
+                    "TlsIv", null);
+            IvParameterSpec writeIv =
+                    new IvParameterSpec(writeIvSecret.getEncoded());
+            SSLWriteCipher writeCipher;
+            try {
+                writeCipher =
+                    shc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
+                        Authenticator.valueOf(shc.negotiatedProtocol),
+                        shc.negotiatedProtocol, writeKey, writeIv,
+                        shc.sslContext.getSecureRandom());
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Missing cipher algorithm", gse);
+                return null;    //  make the compiler happy
+            }
+
+            shc.baseWriteSecret = writeSecret;
+            shc.conContext.outputRecord.changeWriteCiphers(
+                    writeCipher, (clientHello.sessionId.length() != 0));
+
+            // Update the context for master key derivation.
+            shc.handshakeKeyDerivation = kd;
+
+            // The handshake message has been delivered.
+            return null;
+        }
+
+        private static CipherSuite chooseCipherSuite(
+                ServerHandshakeContext shc,
+                ClientHelloMessage clientHello) throws IOException {
+            List<CipherSuite> prefered;
+            List<CipherSuite> proposed;
+            if (shc.sslConfig.preferLocalCipherSuites) {
+                prefered = shc.activeCipherSuites;
+                proposed = clientHello.cipherSuites;
+            } else {
+                prefered = clientHello.cipherSuites;
+                proposed = shc.activeCipherSuites;
+            }
+
+            CipherSuite legacySuite = null;
+            AlgorithmConstraints legacyConstraints =
+                    ServerHandshakeContext.legacyAlgorithmConstraints;
+            for (CipherSuite cs : prefered) {
+                if (!HandshakeContext.isNegotiable(
+                        proposed, shc.negotiatedProtocol, cs)) {
+                    continue;
+                }
+
+                if ((legacySuite == null) &&
+                        !legacyConstraints.permits(null, cs.name, null)) {
+                    legacySuite = cs;
+                    continue;
+                }
+
+                // The cipher suite has been negotiated.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine("use cipher suite " + cs.name);
+                }
+                return cs;
+            }
+
+            if (legacySuite != null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "use legacy cipher suite " + legacySuite.name);
+                }
+                return legacySuite;
+            }
+
+            // no cipher suites in common
+            return null;
+        }
+    }
+
+    /**
+     * The "HelloRetryRequest" handshake message producer.
+     */
+    private static final
+            class T13HelloRetryRequestProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13HelloRetryRequestProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            ServerHandshakeContext shc = (ServerHandshakeContext) context;
+            ClientHelloMessage clientHello = (ClientHelloMessage) message;
+
+            // negotiate the cipher suite.
+            CipherSuite cipherSuite =
+                    T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
+            if (cipherSuite == null) {
+                shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "no cipher suites in common for hello retry request");
+                return null;    // make the compiler happy
+            }
+
+            ServerHelloMessage hhrm = new ServerHelloMessage(shc,
+                    ProtocolVersion.TLS12,      // use legacy version
+                    clientHello.sessionId,      //  echo back
+                    cipherSuite,
+                    RandomCookie.hrrRandom,
+                    clientHello
+            );
+
+            shc.negotiatedCipherSuite = cipherSuite;
+            shc.handshakeHash.determine(
+                    shc.negotiatedProtocol, shc.negotiatedCipherSuite);
+
+            // Produce extensions for HelloRetryRequest handshake message.
+            SSLExtension[] serverHelloExtensions =
+                shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.HELLO_RETRY_REQUEST, shc.negotiatedProtocol);
+            hhrm.extensions.produce(shc, serverHelloExtensions);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced HelloRetryRequest handshake message", hhrm);
+            }
+
+            // Output the handshake message.
+            hhrm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            // TODO: stateless, clean up the handshake context?
+            shc.handshakeHash.finish();     // forgot about the handshake hash
+            shc.handshakeExtensions.clear();
+
+            // What's the expected response?
+            shc.handshakeConsumers.put(
+                    SSLHandshake.CLIENT_HELLO.id, SSLHandshake.CLIENT_HELLO);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "HelloRetryRequest" handshake message reproducer.
+     */
+    private static final
+            class T13HelloRetryRequestReproducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private T13HelloRetryRequestReproducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            ServerHandshakeContext shc = (ServerHandshakeContext) context;
+            ClientHelloMessage clientHello = (ClientHelloMessage) message;
+
+            // negotiate the cipher suite.
+            CipherSuite cipherSuite = shc.negotiatedCipherSuite;
+            ServerHelloMessage hhrm = new ServerHelloMessage(shc,
+                    ProtocolVersion.TLS12,      // use legacy version
+                    clientHello.sessionId,      //  echo back
+                    cipherSuite,
+                    RandomCookie.hrrRandom,
+                    clientHello
+            );
+
+            // Produce extensions for HelloRetryRequest handshake message.
+            SSLExtension[] serverHelloExtensions =
+                shc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.MESSAGE_HASH, shc.negotiatedProtocol);
+            hhrm.extensions.produce(shc, serverHelloExtensions);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Reproduced HelloRetryRequest handshake message", hhrm);
+            }
+
+            HandshakeOutStream hos = new HandshakeOutStream(null);
+            hhrm.write(hos);
+
+            return hos.toByteArray();
+        }
+    }
+
+    /**
+     * The "ServerHello" handshake message consumer.
+     */
+    private static final
+            class ServerHelloConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ServerHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
+            if (!chc.handshakeConsumers.isEmpty()) {
+                // DTLS 1.0/1.2
+                chc.handshakeConsumers.remove(
+                        SSLHandshake.HELLO_VERIFY_REQUEST.id);
+            }
+            if (!chc.handshakeConsumers.isEmpty()) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                    "No more message expected before ServerHello is processed");
+            }
+
+            int startPos = message.position();
+            ServerHelloMessage shm = new ServerHelloMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine("Consuming ServerHello handshake message", shm);
+            }
+
+            if (shm.serverRandom.isHelloRetryRequest()) {
+                onHelloRetryRequest(chc, shm);
+            } else {
+                onServerHello(chc, shm);
+            }
+        }
+
+        private void onHelloRetryRequest(ClientHandshakeContext chc,
+                ServerHelloMessage helloRetryRequest) throws IOException {
+            // Negotiate protocol version.
+            //
+            // Check and lanuch SupportedVersions.
+            SSLExtension[] extTypes = new SSLExtension[] {
+                    SSLExtension.HRR_SUPPORTED_VERSIONS
+                };
+            helloRetryRequest.extensions.consumeOnLoad(chc, extTypes);
+
+            ProtocolVersion serverVersion;
+            SHSupportedVersionsSpec svs =
+                    (SHSupportedVersionsSpec)chc.handshakeExtensions.get(
+                            SSLExtension.HRR_SUPPORTED_VERSIONS);
+            if (svs != null) {
+                serverVersion =            // could be null
+                        ProtocolVersion.valueOf(svs.selectedVersion);
+            } else {
+                serverVersion = helloRetryRequest.serverVersion;
+            }
+
+            if (!chc.activeProtocols.contains(serverVersion)) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "The server selected protocol version " + serverVersion +
+                    " is not accepted by client preferences " +
+                    chc.activeProtocols);
+            }
+
+            if (!serverVersion.useTLS13PlusSpec()) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "Unexpected HelloRetryRequest for " + serverVersion.name);
+            }
+
+            chc.negotiatedProtocol = serverVersion;
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Negotiated protocol version: " + serverVersion.name);
+            }
+
+            // TLS 1.3 key share extension may have produced client
+            // possessions for TLS 1.3 key exchanges.
+            //
+            // Clean up before producing new client key share possessions.
+            chc.handshakePossessions.clear();
+
+            if (serverVersion.isDTLS) {
+                d13HrrHandshakeConsumer.consume(chc, helloRetryRequest);
+            } else {
+                t13HrrHandshakeConsumer.consume(chc, helloRetryRequest);
+            }
+        }
+
+        private void onServerHello(ClientHandshakeContext chc,
+                ServerHelloMessage serverHello) throws IOException {
+            // Negotiate protocol version.
+            //
+            // Check and lanuch SupportedVersions.
+            SSLExtension[] extTypes = new SSLExtension[] {
+                    SSLExtension.SH_SUPPORTED_VERSIONS
+                };
+            serverHello.extensions.consumeOnLoad(chc, extTypes);
+
+            ProtocolVersion serverVersion;
+            SHSupportedVersionsSpec svs =
+                    (SHSupportedVersionsSpec)chc.handshakeExtensions.get(
+                            SSLExtension.SH_SUPPORTED_VERSIONS);
+            if (svs != null) {
+                serverVersion =            // could be null
+                        ProtocolVersion.valueOf(svs.selectedVersion);
+            } else {
+                serverVersion = serverHello.serverVersion;
+            }
+
+            if (!chc.activeProtocols.contains(serverVersion)) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "The server selected protocol version " + serverVersion +
+                    " is not accepted by client preferences " +
+                    chc.activeProtocols);
+            }
+
+            chc.negotiatedProtocol = serverVersion;
+            if (!chc.conContext.isNegotiated) {
+                chc.conContext.protocolVersion = chc.negotiatedProtocol;
+                chc.conContext.outputRecord.setVersion(chc.negotiatedProtocol);
+            }
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                    "Negotiated protocol version: " + serverVersion.name);
+            }
+
+            // Consume the handshake message for the specific protocol version.
+            if (serverVersion.isDTLS) {
+                if (serverVersion.useTLS13PlusSpec()) {
+                    d13HandshakeConsumer.consume(chc, serverHello);
+                } else {
+                    // TLS 1.3 key share extension may have produced client
+                    // possessions for TLS 1.3 key exchanges.
+                    chc.handshakePossessions.clear();
+
+                    d12HandshakeConsumer.consume(chc, serverHello);
+                }
+            } else {
+                if (serverVersion.useTLS13PlusSpec()) {
+                    t13HandshakeConsumer.consume(chc, serverHello);
+                } else {
+                    // TLS 1.3 key share extension may have produced client
+                    // possessions for TLS 1.3 key exchanges.
+                    chc.handshakePossessions.clear();
+
+                    t12HandshakeConsumer.consume(chc, serverHello);
+                }
+            }
+        }
+    }
+
+    private static final
+            class T12ServerHelloConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private T12ServerHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            ServerHelloMessage serverHello = (ServerHelloMessage)message;
+            if (!chc.isNegotiable(serverHello.serverVersion)) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "Server chose " + serverHello.serverVersion +
+                    ", but that protocol version is not enabled or " +
+                    "not supported by the client.");
+            }
+
+            // chc.negotiatedProtocol = serverHello.serverVersion;
+            chc.negotiatedCipherSuite = serverHello.cipherSuite;
+            chc.handshakeHash.determine(
+                    chc.negotiatedProtocol, chc.negotiatedCipherSuite);
+            chc.serverHelloRandom = serverHello.serverRandom;
+            if (chc.negotiatedCipherSuite.keyExchange == null) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "TLS 1.2 or prior version does not support the " +
+                    "server cipher suite: " + chc.negotiatedCipherSuite.name);
+            }
+
+            //
+            // validate
+            //
+
+            // Check and lanuch the "renegotiation_info" extension.
+            SSLExtension[] extTypes = new SSLExtension[] {
+                    SSLExtension.SH_RENEGOTIATION_INFO
+                };
+            serverHello.extensions.consumeOnLoad(chc, extTypes);
+
+            // Is it session resuming?
+            if (chc.resumingSession != null) {
+                // we tried to resume, let's see what the server decided
+                if (serverHello.sessionId.equals(
+                        chc.resumingSession.getSessionId())) {
+                    // server resumed the session, let's make sure everything
+                    // checks out
+
+                    // Verify that the session ciphers are unchanged.
+                    CipherSuite sessionSuite = chc.resumingSession.getSuite();
+                    if (chc.negotiatedCipherSuite != sessionSuite) {
+                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                            "Server returned wrong cipher suite for session");
+                    }
+
+                    // verify protocol version match
+                    ProtocolVersion sessionVersion =
+                            chc.resumingSession.getProtocolVersion();
+                    if (chc.negotiatedProtocol != sessionVersion) {
+                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                            "Server resumed with wrong protocol version");
+                    }
+
+                    // looks fine;  resume it.
+                    chc.isResumption = true;
+                    chc.resumingSession.setAsSessionResumption(true);
+                    chc.handshakeSession = chc.resumingSession;
+                } else {
+                    // we wanted to resume, but the server refused
+                    //
+                    // Invalidate the session for initial handshake in case
+                    // of reusing next time.
+                    if (chc.resumingSession != null) {
+                        chc.resumingSession.invalidate();
+                        chc.resumingSession = null;
+                    }
+                    chc.isResumption = false;
+                    if (!chc.sslConfig.enableSessionCreation) {
+                        chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                            "New session creation is disabled");
+                    }
+                }
+            }
+
+            // Check and launch ClientHello extensions.
+            extTypes = chc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.SERVER_HELLO);
+            serverHello.extensions.consumeOnLoad(chc, extTypes);
+
+            if (!chc.isResumption) {
+                if (chc.resumingSession != null) {
+                    // in case the resumption happens next time.
+                    chc.resumingSession.invalidate();
+                    chc.resumingSession = null;
+                }
+
+                if (!chc.sslConfig.enableSessionCreation) {
+                    chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        "New session creation is disabled");
+                }
+                chc.handshakeSession = new SSLSessionImpl(chc,
+                        chc.negotiatedCipherSuite,
+                        serverHello.sessionId);
+                chc.handshakeSession.setMaximumPacketSize(
+                        chc.sslConfig.maximumPacketSize);
+            }
+
+            //
+            // update
+            //
+            serverHello.extensions.consumeOnTrade(chc, extTypes);
+
+            // update the consumers and producers
+            if (chc.isResumption) {
+                SSLTrafficKeyDerivation kdg =
+                        SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+                if (kdg == null) {
+                    // unlikely
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                            "Not supported key derivation: " +
+                            chc.negotiatedProtocol);
+                } else {
+                    chc.handshakeKeyDerivation = kdg.createKeyDerivation(
+                            chc, chc.resumingSession.getMasterSecret());
+                }
+
+                chc.conContext.consumers.putIfAbsent(
+                        ContentType.CHANGE_CIPHER_SPEC.id,
+                        ChangeCipherSpec.t10Consumer);
+                chc.handshakeConsumers.put(
+                        SSLHandshake.FINISHED.id,
+                        SSLHandshake.FINISHED);
+            } else {
+                SSLKeyExchange ke = SSLKeyExchange.valueOf(
+                        chc.negotiatedCipherSuite.keyExchange);
+                chc.handshakeKeyExchange = ke;
+                if (ke != null) {
+                    for (SSLHandshake handshake :
+                            ke.getRelatedHandshakers(chc)) {
+                        chc.handshakeConsumers.put(handshake.id, handshake);
+                    }
+                }
+
+                chc.handshakeConsumers.put(SSLHandshake.SERVER_HELLO_DONE.id,
+                        SSLHandshake.SERVER_HELLO_DONE);
+            }
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+
+    private static void setUpPskKD(HandshakeContext hc,
+            SecretKey psk) throws SSLHandshakeException {
+
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+            SSLLogger.fine("Using PSK to derive early secret");
+        }
+
+        try {
+            CipherSuite.HashAlg hashAlg = hc.negotiatedCipherSuite.hashAlg;
+            HKDF hkdf = new HKDF(hashAlg.name);
+            byte[] zeros = new byte[hashAlg.hashLength];
+            SecretKey earlySecret = hkdf.extract(zeros, psk, "TlsEarlySecret");
+            hc.handshakeKeyDerivation = new SSLSecretDerivation(hc, earlySecret);
+        } catch  (GeneralSecurityException gse) {
+            throw (SSLHandshakeException) new SSLHandshakeException(
+                "Could not generate secret").initCause(gse);
+        }
+    }
+
+    private static final
+            class T13ServerHelloConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private T13ServerHelloConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            ServerHelloMessage serverHello = (ServerHelloMessage)message;
+            if (serverHello.serverVersion != ProtocolVersion.TLS12) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "The ServerHello.legacy_version field is not TLS 1.2");
+            }
+
+            chc.negotiatedCipherSuite = serverHello.cipherSuite;
+            chc.handshakeHash.determine(
+                    chc.negotiatedProtocol, chc.negotiatedCipherSuite);
+            chc.serverHelloRandom = serverHello.serverRandom;
+
+            //
+            // validate
+            //
+
+            // Check and launch ServerHello extensions.
+            SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.SERVER_HELLO);
+            serverHello.extensions.consumeOnLoad(chc, extTypes);
+            if (!chc.isResumption) {
+                if (chc.resumingSession != null) {
+                    // in case the resumption happens next time.
+                    chc.resumingSession.invalidate();
+                    chc.resumingSession = null;
+                }
+
+                if (!chc.sslConfig.enableSessionCreation) {
+                    chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                        "New session creation is disabled");
+                }
+                chc.handshakeSession = new SSLSessionImpl(chc,
+                        chc.negotiatedCipherSuite,
+                        serverHello.sessionId);
+                chc.handshakeSession.setMaximumPacketSize(
+                        chc.sslConfig.maximumPacketSize);
+            } else {
+                // The PSK is consumed to allow it to be deleted
+                Optional<SecretKey> psk = chc.resumingSession.consumePreSharedKey();
+                if(!psk.isPresent()) {
+                    chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                    "No PSK available. Unable to resume.");
+                }
+
+                chc.handshakeSession = chc.resumingSession;
+
+                setUpPskKD(chc, psk.get());
+            }
+
+            //
+            // update
+            //
+            serverHello.extensions.consumeOnTrade(chc, extTypes);
+
+            // Change client/server handshake traffic secrets.
+            // Refresh handshake hash
+            chc.handshakeHash.update();
+
+            SSLKeyExchange ke = chc.handshakeKeyExchange;
+            if (ke == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not negotiated key shares");
+                return;     // make the compiler happy
+            }
+
+            SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
+            SecretKey handshakeSecret = handshakeKD.deriveKey(
+                    "TlsHandshakeSecret", null);
+            SSLTrafficKeyDerivation kdg =
+                SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
+            if (kdg == null) {
+                // unlikely
+                chc.conContext.fatal(Alert.INTERNAL_ERROR,
+                        "Not supported key derivation: " +
+                        chc.negotiatedProtocol);
+                return;     // make the compiler happy
+            }
+
+            SSLKeyDerivation secretKD =
+                    new SSLSecretDerivation(chc, handshakeSecret);
+
+            // update the handshake traffic read keys.
+            SecretKey readSecret = secretKD.deriveKey(
+                    "TlsServerHandshakeTrafficSecret", null);
+
+            SSLKeyDerivation readKD =
+                    kdg.createKeyDerivation(chc, readSecret);
+            SecretKey readKey = readKD.deriveKey(
+                    "TlsKey", null);
+            SecretKey readIvSecret = readKD.deriveKey(
+                    "TlsIv", null);
+            IvParameterSpec readIv =
+                    new IvParameterSpec(readIvSecret.getEncoded());
+            SSLReadCipher readCipher;
+            try {
+                readCipher =
+                    chc.negotiatedCipherSuite.bulkCipher.createReadCipher(
+                        Authenticator.valueOf(chc.negotiatedProtocol),
+                        chc.negotiatedProtocol, readKey, readIv,
+                        chc.sslContext.getSecureRandom());
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Missing cipher algorithm", gse);
+                return;     // make the compiler happy
+            }
+
+            chc.baseReadSecret = readSecret;
+            chc.conContext.inputRecord.changeReadCiphers(readCipher);
+
+            // update the handshake traffic write keys.
+            SecretKey writeSecret = secretKD.deriveKey(
+                    "TlsClientHandshakeTrafficSecret", null);
+            SSLKeyDerivation writeKD =
+                    kdg.createKeyDerivation(chc, writeSecret);
+            SecretKey writeKey = writeKD.deriveKey(
+                    "TlsKey", null);
+            SecretKey writeIvSecret = writeKD.deriveKey(
+                    "TlsIv", null);
+            IvParameterSpec writeIv =
+                    new IvParameterSpec(writeIvSecret.getEncoded());
+            SSLWriteCipher writeCipher;
+            try {
+                writeCipher =
+                    chc.negotiatedCipherSuite.bulkCipher.createWriteCipher(
+                        Authenticator.valueOf(chc.negotiatedProtocol),
+                        chc.negotiatedProtocol, writeKey, writeIv,
+                        chc.sslContext.getSecureRandom());
+            } catch (GeneralSecurityException gse) {
+                // unlikely
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                        "Missing cipher algorithm", gse);
+                return;     //  make the compiler happy
+            }
+
+            chc.baseWriteSecret = writeSecret;
+            chc.conContext.outputRecord.changeWriteCiphers(
+                    writeCipher, (serverHello.sessionId.length() != 0));
+
+            // Should use resumption_master_secret for TLS 1.3.
+            // chc.handshakeSession.setMasterSecret(masterSecret);
+
+            // Update the context for master key derivation.
+            chc.handshakeKeyDerivation = secretKD;
+
+            // update the consumers and producers
+            //
+            // The server sends a dummy change_cipher_spec record immediately
+            // after its first handshake message.  This may either be after a
+            // ServerHello or a HelloRetryRequest.
+            chc.conContext.consumers.putIfAbsent(
+                    ContentType.CHANGE_CIPHER_SPEC.id,
+                    ChangeCipherSpec.t13Consumer);
+
+            chc.handshakeConsumers.put(
+                    SSLHandshake.ENCRYPTED_EXTENSIONS.id,
+                    SSLHandshake.ENCRYPTED_EXTENSIONS);
+
+            // TODO: Optional cert authentication, when not PSK
+            chc.handshakeConsumers.put(
+                    SSLHandshake.CERTIFICATE_REQUEST.id,
+                    SSLHandshake.CERTIFICATE_REQUEST);
+            chc.handshakeConsumers.put(
+                    SSLHandshake.CERTIFICATE.id,
+                    SSLHandshake.CERTIFICATE);
+            chc.handshakeConsumers.put(
+                    SSLHandshake.CERTIFICATE_VERIFY.id,
+                    SSLHandshake.CERTIFICATE_VERIFY);
+
+            chc.handshakeConsumers.put(
+                    SSLHandshake.FINISHED.id,
+                    SSLHandshake.FINISHED);
+
+            //
+            // produce
+            //
+            // Need no new handshake message producers here.
+        }
+    }
+
+    private static final
+            class T13HelloRetryRequestConsumer implements HandshakeConsumer {
+        // Prevent instantiation of this class.
+        private T13HelloRetryRequestConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+            ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
+            if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
+                chc.conContext.fatal(Alert.PROTOCOL_VERSION,
+                    "The HelloRetryRequest.legacy_version is not TLS 1.2");
+            }
+
+            chc.negotiatedCipherSuite = helloRetryRequest.cipherSuite;
+
+            //
+            // validate
+            //
+
+            // Check and launch ClientHello extensions.
+            SSLExtension[] extTypes = chc.sslConfig.getEnabledExtensions(
+                    SSLHandshake.HELLO_RETRY_REQUEST);
+            helloRetryRequest.extensions.consumeOnLoad(chc, extTypes);
+
+            //
+            // update
+            //
+            helloRetryRequest.extensions.consumeOnTrade(chc, extTypes);
+
+            // Change client/server handshake traffic secrets.
+            // Refresh handshake hash
+            chc.handshakeHash.finish();     // reset the handshake hash
+
+            // calculate the transcript hash of the 1st ClientHello message
+            HandshakeOutStream hos = new HandshakeOutStream(null);
+            try {
+                chc.initialClientHelloMsg.write(hos);
+            } catch (IOException ioe) {
+                // unlikely
+                chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "Failed to construct message hash", ioe);
+            }
+            chc.handshakeHash.deliver(hos.toByteArray());
+            chc.handshakeHash.determine(
+                    chc.negotiatedProtocol, chc.negotiatedCipherSuite);
+            byte[] clientHelloHash = chc.handshakeHash.digest();
+
+            // calculate the message_hash
+            //
+            // Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) =
+            //   Hash(message_hash ||    /* Handshake type */
+            //     00 00 Hash.length ||  /* Handshake message length (bytes) */
+            //     Hash(ClientHello1) || /* Hash of ClientHello1 */
+            //     HelloRetryRequest || ... || Mn)
+            int hashLen = chc.negotiatedCipherSuite.hashAlg.hashLength;
+            byte[] hashedClientHello = new byte[4 + hashLen];
+            hashedClientHello[0] = SSLHandshake.MESSAGE_HASH.id;
+            hashedClientHello[1] = (byte)0x00;
+            hashedClientHello[2] = (byte)0x00;
+            hashedClientHello[3] = (byte)(hashLen & 0xFF);
+            System.arraycopy(clientHelloHash, 0,
+                    hashedClientHello, 4, hashLen);
+
+            chc.handshakeHash.finish();     // reset the handshake hash
+            chc.handshakeHash.deliver(hashedClientHello);
+
+            int hrrBodyLen = helloRetryRequest.handshakeRecord.remaining();
+            byte[] hrrMessage = new byte[4 + hrrBodyLen];
+            hrrMessage[0] = SSLHandshake.HELLO_RETRY_REQUEST.id;
+            hrrMessage[1] = (byte)((hrrBodyLen >> 16) & 0xFF);
+            hrrMessage[2] = (byte)((hrrBodyLen >> 8) & 0xFF);
+            hrrMessage[3] = (byte)(hrrBodyLen & 0xFF);
+
+            ByteBuffer hrrBody = helloRetryRequest.handshakeRecord.duplicate();
+            hrrBody.get(hrrMessage, 4, hrrBodyLen);
+
+            chc.handshakeHash.receive(hrrMessage);
+
+            // Update the initial ClientHello handshake message.
+            chc.initialClientHelloMsg.extensions.reproduce(chc,
+                    new SSLExtension[] {
+                        SSLExtension.CH_COOKIE,
+                        SSLExtension.CH_KEY_SHARE,
+                        SSLExtension.CH_PRE_SHARED_KEY
+                    });
+
+            //
+            // produce response handshake message
+            //
+            SSLHandshake.CLIENT_HELLO.produce(context, helloRetryRequest);
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java	2018-05-11 15:10:30.033608800 -0700
@@ -0,0 +1,179 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the ServerHelloDone handshake message.
+ */
+final class ServerHelloDone {
+    static final SSLConsumer handshakeConsumer =
+        new ServerHelloDoneConsumer();
+    static final HandshakeProducer handshakeProducer =
+        new ServerHelloDoneProducer();
+
+    /**
+     * The ServerHelloDone handshake message.
+     */
+    static final class ServerHelloDoneMessage extends HandshakeMessage {
+        ServerHelloDoneMessage(HandshakeContext handshakeContext) {
+            super(handshakeContext);
+        }
+
+        ServerHelloDoneMessage(HandshakeContext handshakeContext,
+                ByteBuffer m) throws IOException {
+            super(handshakeContext);
+            if (m.hasRemaining()) {
+                handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
+                    "Error parsing ServerHelloDone message: not empty");
+            }
+        }
+
+        @Override
+        public SSLHandshake handshakeType() {
+            return SSLHandshake.SERVER_HELLO_DONE;
+        }
+
+        @Override
+        public int messageLength() {
+            return 0;
+        }
+
+        @Override
+        public void send(HandshakeOutStream s) throws IOException {
+            // empty, nothing to send
+        }
+
+        @Override
+        public String toString() {
+            return "<empty>";
+        }
+    }
+
+    /**
+     * The "ServerHelloDone" handshake message producer.
+     */
+    private static final
+            class ServerHelloDoneProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ServerHelloDoneProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            ServerHelloDoneMessage shdm = new ServerHelloDoneMessage(shc);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Produced ServerHelloDone handshake message", shdm);
+            }
+
+            // Output the handshake message.
+            shdm.write(shc.handshakeOutput);
+            shc.handshakeOutput.flush();
+
+            //
+            // update
+            //
+            shc.handshakeConsumers.put(SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                    SSLHandshake.CLIENT_KEY_EXCHANGE);
+            shc.conContext.consumers.put(ContentType.CHANGE_CIPHER_SPEC.id,
+                    ChangeCipherSpec.t10Consumer);
+            shc.handshakeConsumers.put(SSLHandshake.FINISHED.id,
+                    SSLHandshake.FINISHED);
+
+            // The handshake message has been delivered.
+            return null;
+        }
+    }
+
+    /**
+     * The "ServerHelloDone" handshake message consumer.
+     */
+    private static final
+            class ServerHelloDoneConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ServerHelloDoneConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The consuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            // chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO_DONE.id);
+            chc.handshakeConsumers.clear();
+
+            ServerHelloDoneMessage shdm =
+                    new ServerHelloDoneMessage(chc, message);
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                SSLLogger.fine(
+                        "Consuming ServerHelloDone handshake message", shdm);
+            }
+
+            //
+            // validate
+            //
+            // blank
+
+            //
+            // update
+            //
+            chc.handshakeProducers.put(SSLHandshake.CLIENT_KEY_EXCHANGE.id,
+                    SSLHandshake.CLIENT_KEY_EXCHANGE);
+            chc.handshakeProducers.put(SSLHandshake.FINISHED.id,
+                    SSLHandshake.FINISHED);
+            //
+            // produce
+            //
+            SSLHandshake[] probableHandshakeMessages = new SSLHandshake[] {
+                // full handshake messages
+                SSLHandshake.CERTIFICATE,
+                SSLHandshake.CLIENT_KEY_EXCHANGE,
+                SSLHandshake.CERTIFICATE_VERIFY,
+                SSLHandshake.FINISHED
+            };
+
+            for (SSLHandshake hs : probableHandshakeMessages) {
+                HandshakeProducer handshakeProducer =
+                        chc.handshakeProducers.remove(hs.id);
+                if (handshakeProducer != null) {
+                    handshakeProducer.produce(context, null);
+                }
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java	2018-05-11 15:10:31.628765000 -0700
@@ -0,0 +1,113 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.util.Map;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the ServerKeyExchange handshake message.
+ */
+final class ServerKeyExchange {
+    static final SSLConsumer handshakeConsumer =
+        new ServerKeyExchangeConsumer();
+    static final HandshakeProducer handshakeProducer =
+        new ServerKeyExchangeProducer();
+
+    /**
+     * The "ServerKeyExchange" handshake message producer.
+     */
+    private static final
+            class ServerKeyExchangeProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private ServerKeyExchangeProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(shc.negotiatedCipherSuite.keyExchange);
+            if (ke != null) {
+                for (Map.Entry<Byte, HandshakeProducer> hc :
+                        ke.getHandshakeProducers(shc)) {
+                    if (hc.getKey() == SSLHandshake.SERVER_KEY_EXCHANGE.id) {
+                        return hc.getValue().produce(context, message);
+                    }
+                }
+            }
+
+            // not producer defined.
+            shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
+                    "No ServerKeyExchange handshake message can be produced.");
+            return null;    // make the compiler happe
+        }
+    }
+
+    /**
+     * The "ServerKeyExchange" handshake message consumer.
+     */
+    private static final
+            class ServerKeyExchangeConsumer implements SSLConsumer {
+        // Prevent instantiation of this class.
+        private ServerKeyExchangeConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+                ByteBuffer message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // clean up this consumer
+            chc.handshakeConsumers.remove(SSLHandshake.SERVER_KEY_EXCHANGE.id);
+
+            SSLKeyExchange ke =
+                SSLKeyExchange.valueOf(chc.negotiatedCipherSuite.keyExchange);
+            if (ke != null) {
+                for (Map.Entry<Byte, SSLConsumer> hc :
+                        ke.getHandshakeConsumers(chc)) {
+                    if (hc.getKey() == SSLHandshake.SERVER_KEY_EXCHANGE.id) {
+                        hc.getValue().consume(context, message);
+                        return;
+                    }
+                }
+            }
+
+            // not comsumer defined.
+            chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected ServerKeyExchange handshake message.");
+        }
+    }
+}
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SignatureScheme.java	2018-05-11 15:10:33.228189100 -0700
@@ -0,0 +1,435 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.security.*;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.PSSParameterSpec;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+import sun.security.util.KeyUtil;
+
+enum SignatureScheme {
+    // EdDSA algorithms
+    ED25519                 (0x0807, "ed25519", "ed25519",
+                                    "ed25519",
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+    ED448                   (0x0808, "ed448", "ed448",
+                                    "ed448",
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+
+    // ECDSA algorithms
+    ECDSA_SECP256R1_SHA256  (0x0403, "ecdsa_secp256r1_sha256",
+                                    "SHA256withECDSA",
+                                    "EC",
+                                    ProtocolVersion.PROTOCOLS_TO_13),
+    ECDSA_SECP384R1_SHA384  (0x0503, "ecdsa_secp384r1_sha384",
+                                    "SHA384withECDSA",
+                                    "EC",
+                                    ProtocolVersion.PROTOCOLS_TO_13),
+    ECDSA_SECP512R1_SHA512  (0x0603, "ecdsa_secp512r1_sha512",
+                                    "SHA512withECDSA",
+                                    "EC",
+                                    ProtocolVersion.PROTOCOLS_TO_13),
+
+    // RSASSA-PSS algorithms with public key OID rsaEncryption
+    RSA_PSS_RSAE_SHA256     (0x0804, "rsa_pss_rsae_sha256",
+                                    "RSASSA-PSS", "RSA",
+                                    SigAlgParamSpec.RSA_PSS_SHA256, 512,
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+    RSA_PSS_RSAE_SHA384     (0x0805, "rsa_pss_rsae_sha384",
+                                    "RSASSA-PSS", "RSA",
+                                    SigAlgParamSpec.RSA_PSS_SHA384, 768,
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+    RSA_PSS_RSAE_SHA512     (0x0806, "rsa_pss_rsae_sha512",
+                                    "RSASSA-PSS", "RSA",
+                                    SigAlgParamSpec.RSA_PSS_SHA512, 768,
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+
+    // RSASSA-PSS algorithms with public key OID RSASSA-PSS
+    RSA_PSS_PSS_SHA256      (0x0809, "rsa_pss_pss_sha256",
+                                    "RSASSA-PSS", "RSASSA-PSS",
+                                    SigAlgParamSpec.RSA_PSS_SHA256, 512,
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+    RSA_PSS_PSS_SHA384      (0x080A, "rsa_pss_pss_sha384",
+                                    "RSASSA-PSS", "RSASSA-PSS",
+                                    SigAlgParamSpec.RSA_PSS_SHA384, 768,
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+    RSA_PSS_PSS_SHA512      (0x080B, "rsa_pss_pss_sha512",
+                                    "RSASSA-PSS", "RSASSA-PSS",
+                                    SigAlgParamSpec.RSA_PSS_SHA512, 768,
+                                    ProtocolVersion.PROTOCOLS_OF_13),
+
+    // RSASSA-PKCS1-v1_5 algorithms
+    RSA_PKCS1_SHA256        (0x0401, "rsa_pkcs1_sha256", "SHA256withRSA",
+                                    "RSA", null, 512,
+                                    ProtocolVersion.PROTOCOLS_TO_13,
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    RSA_PKCS1_SHA384        (0x0501, "rsa_pkcs1_sha384", "SHA384withRSA",
+                                    "RSA", null, 768,
+                                    ProtocolVersion.PROTOCOLS_TO_13,
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    RSA_PKCS1_SHA512        (0x0601, "rsa_pkcs1_sha512", "SHA512withRSA",
+                                    "RSA", null, 768,
+                                    ProtocolVersion.PROTOCOLS_TO_13,
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+
+    // Legacy algorithms
+    DSA_SHA256              (0x0402, "dsa_sha256", "SHA256withDSA",
+                                    "dsa",
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    ECDSA_SHA224            (0x0303, "ecdsa_sha224", "SHA224withECDSA",
+                                    "EC",
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    RSA_SHA224              (0x0301, "rsa_sha224", "SHA224withRSA",
+                                    "rsa", 768,
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    DSA_SHA224              (0x0302, "dsa_sha224", "SHA224withDSA",
+                                    "dsa",
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    ECDSA_SHA1              (0x0203, "ecdsa_sha1", "SHA1withECDSA",
+                                    "EC",
+                                    ProtocolVersion.PROTOCOLS_TO_13),
+    RSA_PKCS1_SHA1          (0x0201, "rsa_pkcs1_sha1", "SHA1withRSA",
+                                    "rsa", null, 512,
+                                    ProtocolVersion.PROTOCOLS_TO_13,
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    DSA_SHA1                (0x0202, "dsa_sha1", "SHA1withDSA",
+                                    "dsa",
+                                    ProtocolVersion.PROTOCOLS_TO_12),
+    RSA_MD5                 (0x0101, "rsa_md5", "MD5withRSA",
+                                    "rsa", 512,
+                                    ProtocolVersion.PROTOCOLS_TO_12);
+
+    final int id;                       // hash + signature
+    final String name;                  // literal name
+    private final String algorithm;     // signature algorithm
+    final String keyAlgorithm;          // signature key algorithm
+    private final AlgorithmParameterSpec signAlgParameter;
+
+    // The minial required key size in bits.
+    //
+    // Only need to check RSA algorithm at present. RSA keys of 512 bits
+    // have been shown to be practically breakable, it does not make much
+    // sense to use the strong hash algorithm for keys whose key size less
+    // than 512 bits.  So it is not necessary to caculate the minial
+    // required key size exactly for a hash algorithm.
+    final int minimalKeySize;
+    final List<ProtocolVersion> supportedProtocols;
+    // Some signature schemes are supported in different versions for handshake
+    // messages and certificates. This field holds the supported protocols
+    // for handshake messages.
+    final List<ProtocolVersion> handshakeSupportedProtocols;
+    final boolean isAvailable;
+
+    private static final String[] hashAlgorithms = new String[] {
+            "none",         "md5",      "sha1",     "sha224",
+            "sha256",       "sha384",   "sha512"
+        };
+
+    private static final String[] signatureAlgorithms = new String[] {
+            "anonymous",    "rsa",      "dsa",      "ecdsa",
+        };
+
+    static enum SigAlgParamSpec {   // support RSASSA-PSS only now
+        RSA_PSS_SHA256 ("SHA-256", 32),
+        RSA_PSS_SHA384 ("SHA-384", 48),
+        RSA_PSS_SHA512 ("SHA-512", 64);
+
+        final private AlgorithmParameterSpec parameterSpec;
+        final boolean isAvailable;
+
+        SigAlgParamSpec(String hash, int saltLength) {
+            // See RFC 8017
+            PSSParameterSpec pssParamSpec =
+                    new PSSParameterSpec(hash, "MGF1", null, saltLength, 1);
+
+            boolean mediator = true;
+            try {
+                Signature signer = JsseJce.getSignature("RSASSA-PSS");
+                signer.setParameter(pssParamSpec);
+            } catch (InvalidAlgorithmParameterException |
+                    NoSuchAlgorithmException exp) {
+                mediator = false;
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                        "RSASSA-PSS signature with " + hash +
+                        " is not supported by the underlying providers", exp);
+                }
+            }
+
+            this.isAvailable = mediator;
+            this.parameterSpec = mediator ? pssParamSpec : null;
+        }
+
+        AlgorithmParameterSpec getParameterSpec() {
+            return parameterSpec;
+        }
+    }
+
+    // performance optimization
+    private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
+        Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
+
+
+    private SignatureScheme(int id, String name,
+            String algorithm, String keyAlgorithm,
+            ProtocolVersion[] supportedProtocols) {
+        this(id, name, algorithm, keyAlgorithm, -1, supportedProtocols);
+    }
+
+    private SignatureScheme(int id, String name,
+            String algorithm, String keyAlgorithm,
+            int minimalKeySize,
+            ProtocolVersion[] supportedProtocols) {
+        this(id, name, algorithm, keyAlgorithm, null,
+                minimalKeySize, supportedProtocols);
+    }
+
+    private SignatureScheme(int id, String name,
+                            String algorithm, String keyAlgorithm,
+                            SigAlgParamSpec signAlgParamSpec, int minimalKeySize,
+                            ProtocolVersion[] supportedProtocols) {
+        this(id, name, algorithm, keyAlgorithm, signAlgParamSpec, minimalKeySize,
+            supportedProtocols, supportedProtocols);
+    }
+
+    private SignatureScheme(int id, String name,
+            String algorithm, String keyAlgorithm,
+            SigAlgParamSpec signAlgParamSpec, int minimalKeySize,
+            ProtocolVersion[] supportedProtocols,
+            ProtocolVersion[] handshakeSupportedProtocols) {
+        this.id = id;
+        this.name = name;
+        this.algorithm = algorithm;
+        this.keyAlgorithm = keyAlgorithm;
+        this.signAlgParameter =
+            signAlgParamSpec != null ? signAlgParamSpec.parameterSpec : null;
+        this.minimalKeySize = minimalKeySize;
+        this.supportedProtocols = Arrays.asList(supportedProtocols);
+        this.handshakeSupportedProtocols = Arrays.asList(handshakeSupportedProtocols);
+
+        boolean mediator = true;
+        if (signAlgParamSpec != null) {
+            mediator = signAlgParamSpec.isAvailable;
+        } else {
+            try {
+                JsseJce.getSignature(algorithm);
+            } catch (Exception e) {
+                mediator = false;
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                        "Signature algorithm, " + algorithm +
+                        ", is not supported by the underlying providers");
+                }
+            }
+        }
+
+        if (mediator && ((id >> 8) & 0xFF) == 0x03) {   // SHA224
+            // There are some problems to use SHA224 on Windows.
+            if (Security.getProvider("SunMSCAPI") != null) {
+                mediator = false;
+            }
+        }
+
+        this.isAvailable = mediator;
+    }
+
+    static SignatureScheme valueOf(int id) {
+        for (SignatureScheme ss: SignatureScheme.values()) {
+            if (ss.id == id) {
+                return ss;
+            }
+        }
+
+        return null;
+    }
+
+    static String nameOf(int id) {
+        for (SignatureScheme ss: SignatureScheme.values()) {
+            if (ss.id == id) {
+                return ss.name;
+            }
+        }
+
+        // Use TLS 1.2 style name for unknown signature scheme.
+        int hashId = ((id >> 8) & 0xFF);
+        int signId = (id & 0xFF);
+        String hashName = (hashId >= hashAlgorithms.length) ?
+            "UNDEFINED-HASH(" + hashId + ")" : hashAlgorithms[hashId];
+        String signName = (signId >= signatureAlgorithms.length) ?
+            "UNDEFINED-SIGNATURE(" + signId + ")" :
+            signatureAlgorithms[signId];
+
+        return signName + "_" + hashName;
+    }
+
+    // Return the size of a SignatureScheme structure in TLS record
+    static int sizeInRecord() {
+        return 2;
+    }
+
+    // Get local supported algorithm collection complying to algorithm
+    // constraints.
+    static List<SignatureScheme> getSupportedAlgorithms(
+            AlgorithmConstraints constraints,
+            List<ProtocolVersion> activeProtocols) {
+        List<SignatureScheme> supported = new LinkedList<>();
+        for (SignatureScheme ss: SignatureScheme.values()) {
+            if (!ss.isAvailable) {
+                continue;
+            }
+
+            boolean isMatch = false;
+            for (ProtocolVersion pv : activeProtocols) {
+                if (ss.supportedProtocols.contains(pv)) {
+                    isMatch = true;
+                    break;
+                }
+            }
+
+            if (isMatch) {
+                if (constraints.permits(
+                        SIGNATURE_PRIMITIVE_SET, ss.algorithm, null)) {
+                    supported.add(ss);
+                } else if (SSLLogger.isOn &&
+                        SSLLogger.isOn("ssl,handshake,verbose")) {
+                    SSLLogger.finest(
+                        "Ignore disabled signature sheme: " + ss.name);
+                }
+            } else if (SSLLogger.isOn &&
+                    SSLLogger.isOn("ssl,handshake,verbose")) {
+                SSLLogger.finest(
+                    "Ignore inactive signature sheme: " + ss.name);
+            }
+        }
+
+        return supported;
+    }
+
+    static List<SignatureScheme> getSupportedAlgorithms(
+            AlgorithmConstraints constraints,
+            ProtocolVersion protocolVersion, int[] algorithmIds) {
+        List<SignatureScheme> supported = new LinkedList<>();
+        for (int ssid : algorithmIds) {
+            SignatureScheme ss = SignatureScheme.valueOf(ssid);
+            if (ss == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Unsupported signature scheme: " +
+                            SignatureScheme.nameOf(ssid));
+                }
+            } else if (ss.isAvailable &&
+                    ss.supportedProtocols.contains(protocolVersion) &&
+                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
+                           ss.algorithm, null)) {
+                supported.add(ss);
+            } else {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Unsupported signature scheme: " + ss.name);
+                }
+            }
+        }
+
+        return supported;
+    }
+
+    static SignatureScheme getPreferableAlgorithm(
+            List<SignatureScheme> schemes,
+            SignatureScheme certScheme,
+            ProtocolVersion version) {
+
+        for (SignatureScheme ss : schemes) {
+            if (ss.isAvailable &&
+            ss.handshakeSupportedProtocols.contains(version) &&
+            certScheme.keyAlgorithm.equalsIgnoreCase(ss.keyAlgorithm)) {
+
+                return ss;
+            }
+        }
+
+        return null;
+    }
+
+    static SignatureScheme getPreferableAlgorithm(
+            List<SignatureScheme> schemes,
+            PrivateKey signingKey,
+            ProtocolVersion version) {
+
+        String keyAlgorithm = signingKey.getAlgorithm();
+        int keySize;
+        // Only need to check RSA algorithm at present.
+        if (keyAlgorithm.equalsIgnoreCase("rsa")) {
+            keySize = KeyUtil.getKeySize(signingKey);
+        } else {
+            keySize = Integer.MAX_VALUE;
+        }
+        for (SignatureScheme ss : schemes) {
+            if (ss.isAvailable && (keySize >= ss.minimalKeySize) &&
+                ss.handshakeSupportedProtocols.contains(version) &&
+                keyAlgorithm.equalsIgnoreCase(ss.keyAlgorithm)) {
+
+                return ss;
+            }
+        }
+
+        return null;
+    }
+
+    static String[] getAlgorithmNames(Collection<SignatureScheme> schemes) {
+        if (schemes != null) {
+            ArrayList<String> names = new ArrayList<>(schemes.size());
+            for (SignatureScheme scheme : schemes) {
+                names.add(scheme.algorithm);
+            }
+
+            return names.toArray(new String[0]);
+        }
+
+        return new String[0];
+    }
+
+    Signature getSignature() throws NoSuchAlgorithmException,
+            InvalidAlgorithmParameterException {
+        if (!isAvailable) {
+            return null;
+        }
+
+        Signature signer = JsseJce.getSignature(algorithm);
+        if (signAlgParameter != null) {
+            signer.setParameter(signAlgParameter);
+        }
+
+        return signer;
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java	2018-05-11 15:10:34.837983600 -0700
@@ -0,0 +1,511 @@
+/*
+ * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.nio.ByteBuffer;
+import java.text.MessageFormat;
+import java.util.Locale;
+import javax.net.ssl.SSLProtocolException;
+import static sun.security.ssl.SSLExtension.CH_SUPPORTED_VERSIONS;
+import sun.security.ssl.SSLExtension.ExtensionConsumer;
+import static sun.security.ssl.SSLExtension.HRR_SUPPORTED_VERSIONS;
+import static sun.security.ssl.SSLExtension.SH_SUPPORTED_VERSIONS;
+import sun.security.ssl.SSLExtension.SSLExtensionSpec;
+import sun.security.ssl.SSLHandshake.HandshakeMessage;
+
+/**
+ * Pack of the "supported_versions" extensions.
+ */
+final class SupportedVersionsExtension {
+    static final HandshakeProducer chNetworkProducer =
+            new CHSupportedVersionsProducer();
+    static final ExtensionConsumer chOnLoadConcumer =
+            new CHSupportedVersionsConsumer();
+    static final SSLStringize chStringize =
+            new CHSupportedVersionsStringize();
+
+    static final HandshakeProducer shNetworkProducer =
+            new SHSupportedVersionsProducer();
+    static final ExtensionConsumer shOnLoadConcumer =
+            new SHSupportedVersionsConsumer();
+    static final SSLStringize shStringize =
+            new SHSupportedVersionsStringize();
+
+    static final HandshakeProducer hrrNetworkProducer =
+            new HRRSupportedVersionsProducer();
+    static final ExtensionConsumer hrrOnLoadConcumer =
+            new HRRSupportedVersionsConsumer();
+    static final HandshakeProducer hrrReproducer =
+            new HRRSupportedVersionsReproducer();
+    static final SSLStringize hrrStringize =
+            new SHSupportedVersionsStringize();
+    /**
+     * The "supported_versions" extension in ClientHello.
+     */
+    static final class CHSupportedVersionsSpec implements SSLExtensionSpec {
+        final int[] requestedProtocols;
+
+        private CHSupportedVersionsSpec(int[] requestedProtocols) {
+            this.requestedProtocols = requestedProtocols;
+        }
+
+        private CHSupportedVersionsSpec(ByteBuffer m) throws IOException  {
+            if (m.remaining() < 3) {        //  1: the length of the list
+                                            // +2: one version at least
+                throw new SSLProtocolException(
+                    "Invalid supported_versions extension: insufficient data");
+            }
+
+            byte[] vbs = Record.getBytes8(m);   // Get the version bytes.
+            if (m.hasRemaining()) {
+                throw new SSLProtocolException(
+                    "Invalid supported_versions extension: unknown extra data");
+            }
+
+            if (vbs == null || vbs.length == 0 || (vbs.length & 0x01) != 0) {
+                throw new SSLProtocolException(
+                    "Invalid supported_versions extension: incomplete data");
+            }
+
+            int[] protocols = new int[vbs.length >> 1];
+            for (int i = 0, j = 0; i < vbs.length;) {
+                byte major = vbs[i++];
+                byte minor = vbs[i++];
+                protocols[j++] = ((major & 0xFF) << 8) | (minor & 0xFF);
+            }
+
+            this.requestedProtocols = protocols;
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"versions\": '['{0}']'", Locale.ENGLISH);
+
+            if (requestedProtocols == null || requestedProtocols.length == 0) {
+                Object[] messageFields = {
+                        "<no supported version specified>"
+                    };
+                return messageFormat.format(messageFields);
+            } else {
+                StringBuilder builder = new StringBuilder(512);
+                boolean isFirst = true;
+                for (int pv : requestedProtocols) {
+                    if (isFirst) {
+                        isFirst = false;
+                    } else {
+                        builder.append(", ");
+                    }
+
+                    builder.append(ProtocolVersion.nameOf(pv));
+                }
+
+                Object[] messageFields = {
+                        builder.toString()
+                    };
+
+                return messageFormat.format(messageFields);
+            }
+        }
+    }
+
+    private static final
+            class CHSupportedVersionsStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new CHSupportedVersionsSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "supported_versions" extension in ClientHello.
+     */
+    private static final
+            class CHSupportedVersionsProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private CHSupportedVersionsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(CH_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        CH_SUPPORTED_VERSIONS.name);
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            //
+            // The activated protocols are used as the supported versions.
+            int[] protocols = new int[chc.activeProtocols.size()];
+            int verLen = protocols.length * 2;
+            byte[] extData = new byte[verLen + 1];      // 1: versions length
+            extData[0] = (byte)(verLen & 0xFF);
+            int i = 0, j = 1;
+            for (ProtocolVersion pv : chc.activeProtocols) {
+                protocols[i++] = pv.id;
+                extData[j++] = pv.major;
+                extData[j++] = pv.minor;
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(CH_SUPPORTED_VERSIONS,
+                    new CHSupportedVersionsSpec(protocols));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "supported_versions" extension in ClientHello.
+     */
+    private static final
+            class CHSupportedVersionsConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private CHSupportedVersionsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(CH_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        CH_SUPPORTED_VERSIONS.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            CHSupportedVersionsSpec spec;
+            try {
+                spec = new CHSupportedVersionsSpec(buffer);
+            } catch (IOException ioe) {
+                shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            shc.handshakeExtensions.put(CH_SUPPORTED_VERSIONS, spec);
+
+            // No impact on session resumption.
+            //
+            // Note that the protocol version negotiation happens before the
+            // session resumption negotiation.  And the session resumption
+            // negotiation depends on the negotiated protocol version.
+        }
+    }
+
+    /**
+     * The "supported_versions" extension in ServerHello and HelloRetryRequest.
+     */
+    static final class SHSupportedVersionsSpec implements SSLExtensionSpec {
+        final int selectedVersion;
+
+        private SHSupportedVersionsSpec(ProtocolVersion selectedVersion) {
+            this.selectedVersion = selectedVersion.id;
+        }
+
+        private SHSupportedVersionsSpec(ByteBuffer m) throws IOException  {
+            if (m.remaining() != 2) {       // 2: the selected version
+                throw new SSLProtocolException(
+                    "Invalid supported_versions: insufficient data");
+            }
+
+            byte major = m.get();
+            byte minor = m.get();
+            this.selectedVersion = ((major & 0xFF) << 8) | (minor & 0xFF);
+        }
+
+        @Override
+        public String toString() {
+            MessageFormat messageFormat = new MessageFormat(
+                "\"selected version\": '['{0}']'", Locale.ENGLISH);
+
+            Object[] messageFields = {
+                    ProtocolVersion.nameOf(selectedVersion)
+                };
+            return messageFormat.format(messageFields);
+        }
+    }
+
+    private static final
+            class SHSupportedVersionsStringize implements SSLStringize {
+        @Override
+        public String toString(ByteBuffer buffer) {
+            try {
+                return (new SHSupportedVersionsSpec(buffer)).toString();
+            } catch (IOException ioe) {
+                // For debug logging only, so please swallow exceptions.
+                return ioe.getMessage();
+            }
+        }
+    }
+
+    /**
+     * Network data producer of a "supported_versions" extension in ServerHello.
+     */
+    private static final
+            class SHSupportedVersionsProducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private SHSupportedVersionsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // In response to supported_versions request only
+            CHSupportedVersionsSpec svs = (CHSupportedVersionsSpec)
+                    shc.handshakeExtensions.get(CH_SUPPORTED_VERSIONS);
+            if (svs == null) {
+                // Unlikely, no key_share extension requested.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.warning(
+                            "Ignore unavailable supported_versions extension");
+                }
+                return null;
+            }
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(SH_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        SH_SUPPORTED_VERSIONS.name);
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            byte[] extData = new byte[2];
+            extData[0] = shc.negotiatedProtocol.major;
+            extData[1] = shc.negotiatedProtocol.minor;
+
+            // Update the context.
+            shc.handshakeExtensions.put(SH_SUPPORTED_VERSIONS,
+                    new SHSupportedVersionsSpec(shc.negotiatedProtocol));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "supported_versions" extension in ServerHello.
+     */
+    private static final
+            class SHSupportedVersionsConsumer implements ExtensionConsumer {
+        // Prevent instantiation of this class.
+        private SHSupportedVersionsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(SH_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        SH_SUPPORTED_VERSIONS.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            SHSupportedVersionsSpec spec;
+            try {
+                spec = new SHSupportedVersionsSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(SH_SUPPORTED_VERSIONS, spec);
+
+            // No impact on session resumption.
+            //
+            // Note that the protocol version negotiation happens before the
+            // session resumption negotiation.  And the session resumption
+            // negotiation depends on the negotiated protocol version.
+        }
+    }
+
+    /**
+     * Network data producer of a "supported_versions" extension in
+     * HelloRetryRequest.
+     */
+    private static final
+            class HRRSupportedVersionsProducer implements HandshakeProducer {
+
+        // Prevent instantiation of this class.
+        private HRRSupportedVersionsProducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(HRR_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        HRR_SUPPORTED_VERSIONS.name);
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            byte[] extData = new byte[2];
+            extData[0] = shc.negotiatedProtocol.major;
+            extData[1] = shc.negotiatedProtocol.minor;
+
+            // Update the context.
+            shc.handshakeExtensions.put(HRR_SUPPORTED_VERSIONS,
+                    new SHSupportedVersionsSpec(shc.negotiatedProtocol));
+
+            return extData;
+        }
+    }
+
+    /**
+     * Network data consumer of a "supported_versions" extension in
+     * HelloRetryRequest.
+     */
+    private static final
+            class HRRSupportedVersionsConsumer implements ExtensionConsumer {
+
+        // Prevent instantiation of this class.
+        private HRRSupportedVersionsConsumer() {
+            // blank
+        }
+
+        @Override
+        public void consume(ConnectionContext context,
+            HandshakeMessage message, ByteBuffer buffer) throws IOException {
+
+            // The comsuming happens in client side only.
+            ClientHandshakeContext chc = (ClientHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!chc.sslConfig.isAvailable(HRR_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "Ignore unavailable extension: " +
+                        HRR_SUPPORTED_VERSIONS.name);
+                }
+                return;     // ignore the extension
+            }
+
+            // Parse the extension.
+            SHSupportedVersionsSpec spec;
+            try {
+                spec = new SHSupportedVersionsSpec(buffer);
+            } catch (IOException ioe) {
+                chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
+                return;     // fatal() always throws, make the compiler happy.
+            }
+
+            // Update the context.
+            chc.handshakeExtensions.put(HRR_SUPPORTED_VERSIONS, spec);
+
+            // No impact on session resumption.
+            //
+            // Note that the protocol version negotiation happens before the
+            // session resumption negotiation.  And the session resumption
+            // negotiation depends on the negotiated protocol version.
+        }
+    }
+
+    /**
+     * Network data producer of a "supported_versions" extension for stateless
+     * HelloRetryRequest reconstruction.
+     */
+    private static final
+            class HRRSupportedVersionsReproducer implements HandshakeProducer {
+        // Prevent instantiation of this class.
+        private HRRSupportedVersionsReproducer() {
+            // blank
+        }
+
+        @Override
+        public byte[] produce(ConnectionContext context,
+                HandshakeMessage message) throws IOException {
+            // The producing happens in server side only.
+            ServerHandshakeContext shc = (ServerHandshakeContext)context;
+
+            // Is it a supported and enabled extension?
+            if (!shc.sslConfig.isAvailable(HRR_SUPPORTED_VERSIONS)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
+                    SSLLogger.fine(
+                        "[Reprocude] Ignore unavailable extension: " +
+                        HRR_SUPPORTED_VERSIONS.name);
+                }
+                return null;
+            }
+
+            // Produce the extension.
+            byte[] extData = new byte[2];
+            extData[0] = shc.negotiatedProtocol.major;
+            extData[1] = shc.negotiatedProtocol.minor;
+
+            return extData;
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/TransportContext.java	2018-05-11 15:10:36.453187000 -0700
@@ -0,0 +1,663 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.Closeable;
+import java.io.IOException;
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import javax.crypto.SecretKey;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSocket;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+
+/**
+ * SSL/(D)TLS transportation context.
+ */
+class TransportContext implements ConnectionContext, Closeable {
+    final SSLTransport              transport;
+
+    // registered plaintext consumers
+    final Map<Byte, SSLConsumer>    consumers;
+    final AccessControlContext      acc;
+
+    final SSLContextImpl            sslContext;
+    final SSLConfiguration          sslConfig;
+    final InputRecord               inputRecord;
+    final OutputRecord              outputRecord;
+
+    // connection status
+    boolean                         isUnsureMode;
+    boolean                         isNegotiated;
+    boolean                         isBroken;
+    boolean                         isInputCloseNotified;
+    boolean                         isOutputCloseNotified;
+    Exception                       closeReason;    //SSLException or RuntimeException
+
+    // negotiated security parameters
+    SSLSessionImpl                  conSession;
+    ProtocolVersion                 protocolVersion;
+    String                          applicationProtocol;
+
+    // handshake context
+    HandshakeContext                handshakeContext;
+
+    // connection reserved status for handshake.
+    boolean                         secureRenegotiation;
+    byte[]                          clientVerifyData;
+    byte[]                          serverVerifyData;
+
+    // connection sensitive configuration
+    List<NamedGroup>                serverRequestedNamedGroups;
+
+    SecretKey baseWriteSecret, baseReadSecret;
+    CipherSuite cipherSuite;
+
+    // Please never use the transport parameter other than storing a
+    // reference to this object.
+    TransportContext(SSLContextImpl sslContext, SSLTransport transport,
+            InputRecord inputRecord, OutputRecord outputRecord) {
+        this.transport = transport;
+        this.sslContext = sslContext;
+        this.inputRecord = inputRecord;
+        this.outputRecord = outputRecord;
+        this.sslConfig = new SSLConfiguration(sslContext, true);
+        this.sslConfig.maximumPacketSize = outputRecord.getMaxPacketSize();
+        this.isUnsureMode = true;
+
+        initialize();
+
+        this.acc = AccessController.getContext();
+        this.consumers = new HashMap<>();
+    }
+
+    // Please never use the transport parameter other than storing a
+    // reference to this object.
+    TransportContext(SSLContextImpl sslContext, SSLTransport transport,
+            InputRecord inputRecord, OutputRecord outputRecord,
+            boolean isClientMode) {
+        this.transport = transport;
+        this.sslContext = sslContext;
+        this.inputRecord = inputRecord;
+        this.outputRecord = outputRecord;
+        this.sslConfig = new SSLConfiguration(sslContext, isClientMode);
+        this.sslConfig.maximumPacketSize = outputRecord.getMaxPacketSize();
+        this.isUnsureMode = false;
+
+        initialize();
+
+        this.acc = AccessController.getContext();
+        this.consumers = new HashMap<>();
+    }
+
+    // Please never use the transport parameter other than storing a
+    // reference to this object.
+    TransportContext(SSLContextImpl sslContext, SSLTransport transport,
+            SSLConfiguration sslConfig,
+            InputRecord inputRecord, OutputRecord outputRecord) {
+        this.transport = transport;
+        this.sslContext = sslContext;
+        this.inputRecord = inputRecord;
+        this.outputRecord = outputRecord;
+        this.sslConfig = (SSLConfiguration)sslConfig.clone();
+        if (this.sslConfig.maximumPacketSize == 0) {
+            this.sslConfig.maximumPacketSize = outputRecord.getMaxPacketSize();
+        }
+        this.isUnsureMode = false;
+
+        initialize();
+
+        this.acc = AccessController.getContext();
+        this.consumers = new HashMap<>();
+    }
+
+    // Initialize the non-final class variables.
+    private void initialize() {
+        // initial security parameters
+        this.conSession = SSLSessionImpl.nullSession;
+        this.protocolVersion = this.sslConfig.maximumProtocolVersion;
+        this.applicationProtocol = null;
+
+        // initial handshake context
+        this.handshakeContext = null;
+
+        // initial security parameters for secure renegotiation
+        this.secureRenegotiation = false;
+        this.clientVerifyData = new byte[0];
+        this.serverVerifyData = new byte[0];
+
+        this.isNegotiated = false;
+        this.isBroken = false;
+        this.isInputCloseNotified = false;
+        this.isOutputCloseNotified = false;
+        this.closeReason = null;
+    }
+
+    // Dispatch plaintext to a specific consumer.
+    void dispatch(Plaintext plaintext) throws IOException {
+        if (plaintext == null) {
+            return;
+        }
+
+        ContentType ct = ContentType.valueOf(plaintext.contentType);
+        if (ct == null) {
+            fatal(Alert.UNEXPECTED_MESSAGE,
+                "Unknown content type: " + plaintext.contentType);
+            return;     // make compiler happy
+        }
+
+        switch (ct) {
+            case HANDSHAKE:
+                if (handshakeContext == null) {
+                    handshakeContext = sslConfig.isClientMode ?
+                            new ClientHandshakeContext(sslContext, this) :
+                            new ServerHandshakeContext(sslContext, this);
+                    outputRecord.initHandshaker();
+                }
+                handshakeContext.dispatch(plaintext);
+                break;
+            case ALERT:
+                Alert.alertConsumer.consume(this, plaintext.fragment);
+                break;
+            default:
+                SSLConsumer consumer = consumers.get(plaintext.contentType);
+                if (consumer != null) {
+                    consumer.consume(this, plaintext.fragment);
+                } else {
+                    fatal(Alert.UNEXPECTED_MESSAGE,
+                        "Unexpected content: " + plaintext.contentType);
+                }
+        }
+    }
+
+    void kickstart() throws IOException {
+        if (isUnsureMode) {
+            throw new IllegalStateException("Client/Server mode not yet set.");
+        }
+
+        // initialize the handshaker if necessary
+        if (handshakeContext == null) {
+            handshakeContext = sslConfig.isClientMode ?
+                    new ClientHandshakeContext(sslContext, this) :
+                    new ServerHandshakeContext(sslContext, this);
+            outputRecord.initHandshaker();
+        }
+
+        // kickstart the handshake if needed
+        //
+        // Need no kickstart message on server side unless the connection
+        // has been estabilished.
+        if(isNegotiated || sslConfig.isClientMode) {
+           handshakeContext.kickstart();
+        }
+    }
+
+    void keyUpdate() throws IOException {
+        // TODO: TLS 1.3
+        kickstart();
+    }
+
+    // Note: close_notify is delivered as awarning alert.
+    void warning(Alert alert) {
+        // For initial handshaking, don't send awarning alert message to peer
+        // if handshaker has not started.
+        if (isNegotiated || handshakeContext != null) {
+            try {
+                outputRecord.encodeAlert(Alert.Level.WARNING.level, alert.id);
+            } catch (IOException ioe) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.warning(
+                        "Warning: failed to send warning alert " + alert, ioe);
+                }
+            }
+        }
+    }
+
+    void fatal(Alert alert,
+            String diagnostic) throws SSLException {
+        fatal(alert, diagnostic, null);
+    }
+
+    void fatal(Alert alert, Throwable cause) throws SSLException {
+        fatal(alert, null, cause);
+    }
+
+    void fatal(Alert alert,
+            String diagnostic, Throwable cause) throws SSLException {
+        fatal(alert, diagnostic, false, cause);
+    }
+
+    // Note: close_notify is not delivered via fatal() methods.
+    void fatal(Alert alert, String diagnostic,
+            boolean recvFatalAlert, Throwable cause) throws SSLException {
+        // If we've already shutdown because of an error, there is nothing we
+        // can do except rethrow the exception.
+        //
+        // Most exceptions seen here will be SSLExceptions. We may find the
+        // occasional Exception which hasn't been converted to a SSLException,
+        // so we'll do it here.
+        if (closeReason != null) {
+            if (cause == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.warning(
+                            "Closed transport, general or untracked problem");
+                }
+                throw alert.createSSLException(
+                        "Closed transport, general or untracked problem");
+            }
+
+            if (cause instanceof SSLException) {
+                throw (SSLException)cause;
+            } else {    // unlikely, but just in case.
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.warning(
+                            "Closed transport, rethrowing (unexpected)", cause);
+                }
+                throw alert.createSSLException("Unexpected rethrowing", cause);
+            }
+        }
+
+        // If we have no further information, make a general-purpose
+        // message for folks to see.  We generally have one or the other.
+        if (diagnostic == null) {
+            if (cause == null) {
+                diagnostic = "General/Untracked problem";
+            } else {
+                diagnostic = cause.getMessage();
+            }
+        }
+
+        if (cause == null) {
+            cause = alert.createSSLException(diagnostic);
+        }
+
+        // shutdown the transport
+        if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+            SSLLogger.severe("Fatal (" + alert + "): " + diagnostic, cause);
+        }
+
+        // remember the close reason
+        if (cause instanceof SSLException) {
+            closeReason = (SSLException)cause;
+        } else {
+            // Including RuntimeException, but we'll throw those down below.
+            closeReason = alert.createSSLException(diagnostic, cause);
+        }
+
+        // close inbound
+        try {
+            inputRecord.close();
+        } catch (IOException ioe) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.warning("Fatal: input record closure failed", ioe);
+            }
+        }
+
+        // invalidate the session
+        if (conSession != null) {
+            conSession.invalidate();
+        }
+
+        if (handshakeContext != null &&
+                handshakeContext.handshakeSession != null) {
+            handshakeContext.handshakeSession.invalidate();
+        }
+
+        // send fatal alert
+        //
+        // If we haven't even started handshaking yet, or we are the recipient
+        // of a fatal alert, no need to generate a fatal close alert.
+        if (!recvFatalAlert && !isOutboundDone() && !isBroken &&
+                (isNegotiated || handshakeContext != null)) {
+            try {
+                outputRecord.encodeAlert(Alert.Level.FATAL.level, alert.id);
+            } catch (IOException ioe) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.warning(
+                        "Fatal: failed to send fatal alert " + alert, ioe);
+                }
+            }
+        }
+
+        // close outbound
+        try {
+            outputRecord.close();
+        } catch (IOException ioe) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.warning("Fatal: ouput record closure failed", ioe);
+            }
+        }
+
+        // terminal handshake context
+        if (handshakeContext != null) {
+            handshakeContext = null;
+        }
+
+        // terminal the transport
+        try {
+            transport.shutdown();
+        } catch (IOException ioe) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.warning("Fatal: transport closure failed", ioe);
+            }
+        } finally {
+            isBroken = true;
+        }
+
+        if (closeReason instanceof SSLException) {
+            throw (SSLException)closeReason;
+        } else {
+            throw (RuntimeException)closeReason;
+        }
+    }
+
+    void setUseClientMode(boolean useClientMode) {
+        /*
+         * If we need to change the client mode and the enabled
+         * protocols and cipher suites haven't specifically been
+         * set by the user, change them to the corresponding
+         * default ones.
+         */
+        if (sslConfig.isClientMode != useClientMode) {
+            // Once handshaking has begun, the mode can not be reset for the
+            // life of this engine.
+            if (handshakeContext != null || isNegotiated) {
+                throw new IllegalArgumentException(
+                    "Cannot change mode after SSL traffic has started");
+            }
+
+            if (sslContext.isDefaultProtocolVesions(
+                    sslConfig.enabledProtocols)) {
+                sslConfig.enabledProtocols =
+                        sslContext.getDefaultProtocolVersions(!useClientMode);
+            }
+
+            if (sslContext.isDefaultCipherSuiteList(
+                    sslConfig.enabledCipherSuites)) {
+                sslConfig.enabledCipherSuites =
+                        sslContext.getDefaultCipherSuites(!useClientMode);
+            }
+
+            sslConfig.isClientMode = useClientMode;
+        }
+
+        isUnsureMode = false;
+    }
+
+    boolean isOutboundDone() {
+        return outputRecord.isClosed();
+    }
+
+    boolean isInboundDone() {
+        return inputRecord.isClosed();
+    }
+
+    boolean isClosed() {
+        return isOutboundDone() && isInboundDone();
+    }
+
+    @Override
+    public void close() throws IOException {
+        if (!isOutboundDone()) {
+            closeOutbound();
+        }
+
+        if (!isInboundDone()) {
+            closeInbound();
+        }
+    }
+
+    void closeInbound() throws SSLException {
+        if (isInboundDone()) {
+            return;
+        }
+
+        try {
+            if (isInputCloseNotified) {     // passive close
+                passiveInboundClose();
+            } else {                        // initiative close
+                initiateInboundClose();
+            }
+        } catch (IOException ioe) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.warning("inbound closure failed", ioe);
+            }
+        }
+    }
+
+    void closeOutbound() {
+        if (isOutboundDone()) {
+            return;
+        }
+
+        try {
+             initiateOutboundClose();
+        } catch (IOException ioe) {
+            if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                SSLLogger.warning("outbound closure failed", ioe);
+            }
+        }
+    }
+
+    // Close the connection passively.  The closure could be kickoff by
+    // receiving a close_notify alert or reaching end_of_file of the socket.
+    private void passiveInboundClose() throws IOException {
+        if (!isInboundDone()) {
+            inputRecord.close();
+        }
+
+        // For TLS 1.3, output closure is independent from input closure.
+//      if (isNegotiated && protocolVersion.useTLS13PlusSpec()) {
+//          return;
+//      }
+
+        // For TLS 1.2 and prior version, it is required to respond with
+        // a close_notify alert of its own and close down the connection
+        // immediately, discarding any pending writes.
+        if (!isOutboundDone() && !isOutputCloseNotified) {
+            try {
+                // send a close_notify alert
+                warning(Alert.CLOSE_NOTIFY);
+            } finally {
+                // any data received after a closure alert is ignored.
+                isOutputCloseNotified = true;
+                outputRecord.close();
+            }
+        }
+
+        transport.shutdown();
+    }
+
+    // Initiate a close by sending a close_notify alert.
+    private void initiateInboundClose() throws IOException {
+        // TLS 1.3 does not define how to initiate and close a TLS connection
+        // gracefully.  We will always send a close_notify alert, and close
+        // the underlying transportation layer if needed.
+        if (!isOutboundDone() && !isOutputCloseNotified) {
+            try {
+                // send a close_notify alert
+                warning(Alert.CLOSE_NOTIFY);
+            } finally {
+                // any data received after a closure alert is ignored.
+                isOutputCloseNotified = true;
+                outputRecord.close();
+            }
+        }
+
+        // For TLS 1.3, input closure is independent from output closure. Both
+        // parties need not wait to receive a "close_notify" alert before
+        // closing their read side of the connection.
+        //
+        // For TLS 1.2 and prior version, it is not required for the initiator
+        // of the close to wait for the responding close_notify alert before
+        // closing the read side of the connection.
+        try {
+            transport.shutdown();
+        } finally {
+            if (!isInboundDone()) {
+                inputRecord.close();
+            }
+        }
+    }
+
+    // Initiate a close by sending a close_notify alert.
+    private void initiateOutboundClose() throws IOException {
+        if (!isOutboundDone() && !isOutputCloseNotified) {
+            try {     // close outputRecord
+                // send a close_notify alert
+                warning(Alert.CLOSE_NOTIFY);
+            } finally {
+                // any data received after a closure alert is ignored.
+                isOutputCloseNotified = true;
+                outputRecord.close();
+            }
+        }
+
+        // For TLS 1.3, output closure is independent from input closure.
+//
+//      if (isNegotiated && protocolVersion.useTLS13PlusSpec()) {
+//          return;
+//      }
+//
+
+        // It is not required for the initiator of the close to wait for the
+        // responding close_notify alert before closing the read side of the
+        // connection.  However, if the application protocol using TLS
+        // provides that any data may be carried over the underlying transport
+        // after the TLS connection is closed, the TLS implementation MUST
+        // receive a "close_notify" alert before indicating end-of-data to the
+        // application-layer.
+        try {
+            transport.shutdown();
+        } finally {
+            if (!isInboundDone()) {
+                inputRecord.close();
+            }
+        }
+    }
+
+    // Note; HandshakeStatus.FINISHED status is retrieved in other places.
+    HandshakeStatus getHandshakeStatus() {
+        if (!outputRecord.isEmpty()) {
+            // If no handshaking, special case to wrap alters.
+            return HandshakeStatus.NEED_WRAP;
+        } else if (handshakeContext != null) {
+            if (!handshakeContext.delegatedActions.isEmpty()) {
+                return HandshakeStatus.NEED_TASK;
+            } else if (sslContext.isDTLS() &&
+                    !inputRecord.isEmpty()) {
+                return HandshakeStatus.NEED_UNWRAP_AGAIN;
+            } else {
+                return HandshakeStatus.NEED_UNWRAP;
+            }
+        } else if (isOutboundDone() && !isInboundDone()) {
+            /*
+             * Special case where we're closing, but
+             * still need the close_notify before we
+             * can officially be closed.
+             *
+             * Note isOutboundDone is taken care of by
+             * hasOutboundData() above.
+             */
+            return HandshakeStatus.NEED_UNWRAP;
+        }
+
+        return HandshakeStatus.NOT_HANDSHAKING;
+    }
+
+    HandshakeStatus finishHandshake() {
+        if (protocolVersion.useTLS13PlusSpec()) {
+            outputRecord.tc = this;
+            cipherSuite = handshakeContext.negotiatedCipherSuite;
+            inputRecord.readCipher.baseSecret = handshakeContext.baseReadSecret;
+            outputRecord.writeCipher.baseSecret = handshakeContext.baseWriteSecret;
+        }
+        handshakeContext = null;
+        // inputRecord and outputRecord shares the same handshakeHash
+        // inputRecord.handshakeHash.finish();
+        outputRecord.handshakeHash.finish();
+        inputRecord.finishHandshake();
+        outputRecord.finishHandshake();
+        isNegotiated = true;
+
+        // Tell folk about handshake completion, but do it in a separate thread.
+        if (transport instanceof SSLSocket &&
+                sslConfig.handshakeListeners != null &&
+                !sslConfig.handshakeListeners.isEmpty()) {
+            HandshakeCompletedEvent hce =
+                new HandshakeCompletedEvent((SSLSocket)transport, conSession);
+            Thread thread = new Thread(
+                null,
+                new NotifyHandshake(sslConfig.handshakeListeners, hce),
+                "HandshakeCompletedNotify-Thread",
+                0,
+                false);
+            thread.start();
+        }
+        return HandshakeStatus.FINISHED;
+    }
+
+    // A separate thread is allocated to deliver handshake completion
+    // events.
+    private static class NotifyHandshake implements Runnable {
+        private Set<Map.Entry<HandshakeCompletedListener,
+                AccessControlContext>> targets;         // who gets notified
+        private HandshakeCompletedEvent event;          // the notification
+
+        NotifyHandshake(
+                Map<HandshakeCompletedListener,AccessControlContext> listeners,
+                HandshakeCompletedEvent event) {
+            this.targets = new HashSet<>(listeners.entrySet());     // clone
+            this.event = event;
+        }
+
+        @Override
+        public void run() {
+            // Don't need to synchronize, as it only runs in one thread.
+            for (Map.Entry<HandshakeCompletedListener,
+                    AccessControlContext> entry : targets) {
+                final HandshakeCompletedListener listener = entry.getKey();
+                AccessControlContext acc = entry.getValue();
+                AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                    @Override
+                    public Void run() {
+                        listener.handshakeCompleted(event);
+                        return null;
+                    }
+                }, acc);
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/ssl/X509Authentication.java	2018-05-11 15:10:38.047008600 -0700
@@ -0,0 +1,278 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.ECPublicKey;
+import java.security.spec.ECParameterSpec;
+import java.util.AbstractMap.SimpleImmutableEntry;
+import java.util.Map;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.X509ExtendedKeyManager;
+import sun.security.ssl.SupportedGroupsExtension.NamedGroup;
+import sun.security.ssl.SupportedGroupsExtension.SupportedGroups;
+
+enum X509Authentication implements SSLAuthentication {
+    RSA     ("RSA",        new X509PossessionGenerator("RSA")),
+    RSA_PSS ("RSASSA-PSS", new X509PossessionGenerator("RSASSA-PSS")),
+    DSA     ("DSA",        new X509PossessionGenerator("DSA")),
+    EC      ("EC",         new X509PossessionGenerator("EC"));
+
+    final String keyType;
+    final SSLPossessionGenerator possessionGenerator;
+
+    X509Authentication(String keyType,
+            SSLPossessionGenerator possessionGenerator) {
+        this.keyType = keyType;
+        this.possessionGenerator = possessionGenerator;
+    }
+
+    static X509Authentication nameOf(String keyType) {
+        for (X509Authentication au: X509Authentication.values()) {
+            if (au.keyType.equals(keyType)) {
+                return au;
+            }
+        }
+
+        return null;
+    }
+
+    @Override
+    public SSLPossession createPossession(HandshakeContext handshakeContext) {
+        return possessionGenerator.createPossession(handshakeContext);
+    }
+
+    @Override
+    public SSLHandshake[] getRelatedHandshakers(
+            HandshakeContext handshakeContext) {
+        if (!handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
+            return new SSLHandshake[] {
+                    SSLHandshake.CERTIFICATE,
+                    SSLHandshake.CERTIFICATE_REQUEST
+                };
+        }   // Otherwise, TLS 1.3 does not use this method.
+
+        return new SSLHandshake[0];
+    }
+
+    @SuppressWarnings({"unchecked", "rawtypes"})
+    @Override
+    public Map.Entry<Byte, HandshakeProducer>[] getHandshakeProducers(
+            HandshakeContext handshakeContext) {
+        if (!handshakeContext.negotiatedProtocol.useTLS13PlusSpec()) {
+            return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[] {
+                    new SimpleImmutableEntry<Byte, HandshakeProducer>(
+                        SSLHandshake.CERTIFICATE.id,
+                        SSLHandshake.CERTIFICATE
+                    )
+                });
+        }   // Otherwise, TLS 1.3 does not use this method.
+
+        return (Map.Entry<Byte, HandshakeProducer>[])(new Map.Entry[0]);
+    }
+
+    static final class X509Possession implements SSLPossession {
+        // Proof of possession of the private key corresponding to the public
+        // key for which a certificate is being provided for authentication.
+        final X509Certificate[]   popCerts;
+        final PrivateKey          popPrivateKey;
+
+        X509Possession(PrivateKey popPrivateKey,
+                X509Certificate[] popCerts) {
+            this.popCerts = popCerts;
+            this.popPrivateKey = popPrivateKey;
+        }
+    }
+
+    static final class X509Credentials implements SSLCredentials {
+        final X509Certificate[]   popCerts;
+        final PublicKey           popPublicKey;
+
+        X509Credentials(PublicKey popPublicKey, X509Certificate[] popCerts) {
+            this.popCerts = popCerts;
+            this.popPublicKey = popPublicKey;
+        }
+    }
+
+    private static final
+            class X509PossessionGenerator implements SSLPossessionGenerator {
+        final String keyType;
+
+        private X509PossessionGenerator(String keyType) {
+            this.keyType = keyType;
+        }
+
+        @Override
+        public SSLPossession createPossession(HandshakeContext context) {
+            if (context.sslConfig.isClientMode) {
+                return createClientPossession((ClientHandshakeContext)context);
+            } else {
+                return createServerPossession((ServerHandshakeContext)context);
+            }
+        }
+
+        // Used by TLS 1.3 only.
+        private SSLPossession createClientPossession(
+                ClientHandshakeContext chc) {
+            X509ExtendedKeyManager km = chc.sslContext.getX509KeyManager();
+            String clientAlias = null;
+            if (chc.conContext.transport instanceof SSLSocketImpl) {
+                clientAlias = km.chooseClientAlias(
+                        new String[] { keyType },
+                        null, (SSLSocket)chc.conContext.transport);
+            } else if (chc.conContext.transport instanceof SSLEngineImpl) {
+                clientAlias = km.chooseEngineClientAlias(
+                        new String[] { keyType },
+                        null, (SSLEngine)chc.conContext.transport);
+            }
+
+            if (clientAlias == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest("No X.509 cert selected for " + keyType);
+                }
+                return null;
+            }
+
+            PrivateKey clientPrivateKey = km.getPrivateKey(clientAlias);
+            if (clientPrivateKey == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest(
+                            clientAlias + " is not a private key entry");
+                }
+                return null;
+            }
+
+            X509Certificate[] clientCerts = km.getCertificateChain(clientAlias);
+            if ((clientCerts == null) || (clientCerts.length == 0)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest(
+                            clientAlias + " is not a certificate entry");
+                }
+                return null;
+            }
+
+            PublicKey clientPublicKey = clientCerts[0].getPublicKey();
+            if ((!clientPrivateKey.getAlgorithm().equals(keyType))
+                    || (!clientPublicKey.getAlgorithm().equals(keyType))) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine(
+                            clientAlias + " private or public key is not of " +
+                            keyType + " algorithm");
+                }
+                return null;
+            }
+
+            return new X509Possession(clientPrivateKey, clientCerts);
+        }
+
+        private SSLPossession createServerPossession(
+                ServerHandshakeContext shc) {
+            X509ExtendedKeyManager km = shc.sslContext.getX509KeyManager();
+            String serverAlias = null;
+            if (shc.conContext.transport instanceof SSLSocketImpl) {
+                serverAlias = km.chooseServerAlias(keyType,
+                        null, (SSLSocket)shc.conContext.transport);
+            } else if (shc.conContext.transport instanceof SSLEngineImpl) {
+                serverAlias = km.chooseEngineServerAlias(keyType,
+                        null, (SSLEngine)shc.conContext.transport);
+            }
+
+            if (serverAlias == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest("No X.509 cert selected for " + keyType);
+                }
+                return null;
+            }
+
+            PrivateKey serverPrivateKey = km.getPrivateKey(serverAlias);
+            if (serverPrivateKey == null) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest(
+                            serverAlias + " is not a private key entry");
+                }
+                return null;
+            }
+
+            X509Certificate[] serverCerts = km.getCertificateChain(serverAlias);
+            if ((serverCerts == null) || (serverCerts.length == 0)) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.finest(
+                            serverAlias + " is not a certificate entry");
+                }
+                return null;
+            }
+
+            PublicKey serverPublicKey = serverCerts[0].getPublicKey();
+            if ((!serverPrivateKey.getAlgorithm().equals(keyType))
+                    || (!serverPublicKey.getAlgorithm().equals(keyType))) {
+                if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                    SSLLogger.fine(
+                            serverAlias + " private or public key is not of " +
+                            keyType + " algorithm");
+                }
+                return null;
+            }
+
+            // For ECC certs, check whether we support the EC domain
+            // parameters.  If the client sent a SupportedEllipticCurves
+            // ClientHello extension, check against that too.
+            if (keyType.equals("EC")) {
+                if (!(serverPublicKey instanceof ECPublicKey)) {
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                        SSLLogger.warning(serverAlias +
+                            " public key is not an instance of ECPublicKey");
+                    }
+                    return null;
+                }
+
+                // For ECC certs, check whether we support the EC domain
+                // parameters. If the client sent a SupportedEllipticCurves
+                // ClientHello extension, check against that too.
+                ECParameterSpec params =
+                        ((ECPublicKey)serverPublicKey).getParams();
+                NamedGroup namedGroup = NamedGroup.valueOf(params);
+                if ((namedGroup == null) ||
+                    (!SupportedGroups.isSupported(namedGroup)) ||
+                    ((shc.clientRequestedNamedGroups != null) &&
+                    !shc.clientRequestedNamedGroups.contains(namedGroup))) {
+
+                    if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
+                        SSLLogger.warning(
+                            "Unsupported named group (" + namedGroup +
+                            ") used in the " + serverAlias + " certificate");
+                    }
+
+                    return null;
+                }
+            }
+
+            return new X509Possession(serverPrivateKey, serverCerts);
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/src/java.base/share/classes/sun/security/util/SignatureUtil.java	2018-05-11 15:10:39.650753100 -0700
@@ -0,0 +1,115 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.io.IOException;
+import java.security.*;
+import java.security.spec.*;
+import sun.security.util.ObjectIdentifier;
+import sun.security.x509.AlgorithmId;
+import sun.security.rsa.RSAUtil;
+
+/**
+ * Utility class for Signature related operations. Currently used by various
+ * internal PKI classes such as sun.security.x509.X509CertImpl,
+ * sun.security.pkcs.SignerInfo, for setting signature parameters.
+ *
+ * @since   11
+ */
+public class SignatureUtil {
+
+    // Utility method of creating an AlgorithmParameters object with
+    // the specified algorithm name and encoding
+    private static AlgorithmParameters createAlgorithmParameters(String algName,
+            byte[] paramBytes) throws ProviderException {
+
+        try {
+            AlgorithmParameters result =
+                AlgorithmParameters.getInstance(algName);
+            result.init(paramBytes);
+            return result;
+        } catch (NoSuchAlgorithmException | IOException e) {
+            throw new ProviderException(e);
+        }
+    }
+
+    private static AlgorithmParameterSpec getParamSpec(String sigName,
+            AlgorithmParameters params)
+            throws InvalidAlgorithmParameterException, ProviderException {
+
+        if (params == null) return null;
+
+        if (sigName.toUpperCase().indexOf("RSA") == -1) {
+            throw new ProviderException
+                 ("Unrecognized algorithm for signature parameters " +
+                  sigName);
+        }
+        // AlgorithmParameters.getAlgorithm() may returns oid if it's
+        // created during DER decoding. Convert to use the standard name
+        // before passing it to RSAUtil
+        String alg = params.getAlgorithm();
+        if (alg.equalsIgnoreCase(sigName) || alg.indexOf(".") != -1) {
+            try {
+                params = createAlgorithmParameters(sigName,
+                    params.getEncoded());
+            } catch (IOException e) {
+                throw new ProviderException(e);
+            }
+        }
+        return RSAUtil.getParamSpec(params);
+    }
+
+    // Special method for setting the specified parameter bytes into the
+    // specified Signature object as signature parameters.
+    public static void specialSetParameter(Signature sig, byte[] paramBytes)
+            throws InvalidAlgorithmParameterException, ProviderException {
+
+        AlgorithmParameters params = null;
+        if (paramBytes != null) {
+            String sigName = sig.getAlgorithm();
+            params = createAlgorithmParameters(sigName, paramBytes);
+        }
+        specialSetParameter(sig, params);
+    }
+
+    // Special method for setting the specified AlgorithmParameter object
+    // into the specified Signature object as signature parameters.
+    public static void specialSetParameter(Signature sig,
+            AlgorithmParameters params)
+            throws InvalidAlgorithmParameterException, ProviderException {
+
+        String sigName = sig.getAlgorithm();
+        if (params != null) {
+            sig.setParameter(getParamSpec(sigName, params));
+        } else {
+            try { 
+                sig.setParameter(null);
+            } catch (UnsupportedOperationException e) {
+                // ignore for maintaining backward compatibility
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/javax/net/ssl/TLSCommon/CipherSuite.java	2018-05-11 15:10:41.262275600 -0700
@@ -0,0 +1,238 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+public enum CipherSuite {
+
+    TLS_AES_256_GCM_SHA384(
+            0x1302, Protocol.TLSV1_3, Protocol.TLSV1_3),
+    TLS_AES_128_GCM_SHA256(
+            0x1301, Protocol.TLSV1_3, Protocol.TLSV1_3),
+    TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(
+            0xCCAA, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(
+            0xCCA9, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(
+            0xCCA8, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384(
+            0xC032, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256(
+            0xC031, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(
+            0xC030, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(
+            0xC02F, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384(
+            0xC02E, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256(
+            0xC02D, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(
+            0xC02C, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(
+            0xC02B, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384(
+            0xC02A, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256(
+            0xC029, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(
+            0xC028, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(
+            0xC027, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384(
+            0xC026, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA(
+            0xC025, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256(
+            0xC025, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(
+            0xC024, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(
+            0xC023, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_anon_WITH_AES_256_CBC_SHA(
+            0xC019, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_anon_WITH_AES_128_CBC_SHA(
+            0xC018, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA(
+            0xC017, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_anon_WITH_RC4_128_SHA(
+            0xC016, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_anon_WITH_NULL_SHA(
+            0xC015, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(
+            0xC014, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(
+            0xC013, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA(
+            0xC012, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_RC4_128_SHA(
+            0xC011, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_RSA_WITH_NULL_SHA(
+            0xC010, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_AES_256_CBC_SHA(
+            0xC00F, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA(
+            0xC00E, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA(
+            0xC00D, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_RC4_128_SHA(
+            0xC00C, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_RSA_WITH_NULL_SHA(
+            0xC00B, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(
+            0xC00A, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(
+            0xC009, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA(
+            0xC008, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA(
+            0xC007, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDHE_ECDSA_WITH_NULL_SHA(
+            0xC006, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA(
+            0xC003, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_RC4_128_SHA(
+            0xC002, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_NULL_SHA(
+            0xC001, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_EMPTY_RENEGOTIATION_INFO_SCSV(
+            0x00FF, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_DH_anon_WITH_AES_256_GCM_SHA384(
+            0x00A7, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DH_anon_WITH_AES_128_GCM_SHA256(
+            0x00A6, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(
+            0x00A3, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(
+            0x00A2, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(
+            0x009F, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(
+            0x009E, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_AES_256_GCM_SHA384(
+            0x009D, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_AES_128_GCM_SHA256(
+            0x009C, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DH_anon_WITH_AES_256_CBC_SHA256(
+            0x006D, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DH_anon_WITH_AES_128_CBC_SHA256(
+            0x006C, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(
+            0x006B, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(
+            0x006A, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(
+            0x0067, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA(
+            0x004C, Protocol.TLSV1, Protocol.TLSV1_2),
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(
+            0x0040, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_AES_256_CBC_SHA256(
+            0x003D, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_AES_128_CBC_SHA256(
+            0x003C, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_NULL_SHA256(
+            0x003B, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_DH_anon_WITH_AES_256_CBC_SHA(
+            0x003A, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_DHE_RSA_WITH_AES_256_CBC_SHA(
+            0x0039, Protocol.TLSV1, Protocol.TLSV1_2),
+    TLS_DHE_DSS_WITH_AES_256_CBC_SHA(
+            0x0038, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_AES_256_CBC_SHA(
+            0x0035, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_DH_anon_WITH_AES_128_CBC_SHA(
+            0x0034, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_DHE_RSA_WITH_AES_128_CBC_SHA(
+            0x0033, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_DHE_DSS_WITH_AES_128_CBC_SHA(
+            0x0032, Protocol.TLSV1_2, Protocol.TLSV1_2),
+    TLS_RSA_WITH_AES_128_CBC_SHA(
+            0x002F, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_KRB5_WITH_3DES_EDE_CBC_MD5(
+            0x0023, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_KRB5_WITH_DES_CBC_MD5(
+            0x0022, Protocol.SSLV3, Protocol.TLSV1_1),
+    TLS_KRB5_WITH_3DES_EDE_CBC_SHA(
+            0x001F, Protocol.SSLV3, Protocol.TLSV1_2),
+    TLS_KRB5_WITH_DES_CBC_SHA(
+            0x001E, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_DH_anon_WITH_3DES_EDE_CBC_SHA(
+            0x001B, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_DH_anon_WITH_DES_CBC_SHA(
+            0x001A, Protocol.SSLV3, Protocol.TLSV1_1),
+    SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA(
+            0x0019, Protocol.SSLV3, Protocol.TLSV1),
+    SSL_DH_anon_WITH_RC4_128_MD5(
+            0x0018, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_DH_anon_EXPORT_WITH_RC4_40_MD5(
+            0x0017, Protocol.SSLV3, Protocol.TLSV1),
+    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA(
+            0x0016, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_DHE_RSA_WITH_DES_CBC_SHA(
+            0x0015, Protocol.SSLV3, Protocol.TLSV1_1),
+    SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA(
+            0x0014, Protocol.SSLV3, Protocol.TLSV1),
+    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA(
+            0x0013, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_DHE_DSS_WITH_DES_CBC_SHA(
+            0x0012, Protocol.SSLV3, Protocol.TLSV1_1),
+    SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA(
+            0x0011, Protocol.SSLV3, Protocol.TLSV1),
+    SSL_RSA_WITH_3DES_EDE_CBC_SHA(
+            0x000A, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_RSA_WITH_DES_CBC_SHA(
+            0x0009, Protocol.SSLV3, Protocol.TLSV1_1),
+    SSL_RSA_EXPORT_WITH_DES40_CBC_SHA(
+            0x0008, Protocol.SSLV3, Protocol.TLSV1),
+    SSL_RSA_WITH_RC4_128_SHA(
+            0x0005, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_RSA_WITH_RC4_128_MD5(
+            0x0004, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_RSA_EXPORT_WITH_RC4_40_MD5(
+            0x0003, Protocol.SSLV3, Protocol.TLSV1),
+    SSL_RSA_WITH_NULL_SHA(
+            0x0002, Protocol.SSLV3, Protocol.TLSV1_2),
+    SSL_RSA_WITH_NULL_MD5(
+            0x0001, Protocol.SSLV3, Protocol.TLSV1_2);
+
+    public final int id;
+    public final Protocol startProtocol;
+    public final Protocol endProtocol;
+
+    private CipherSuite(
+            int id,
+            Protocol startProtocol,
+            Protocol endProtocol) {
+        this.id = id;
+        this.startProtocol = startProtocol;
+        this.endProtocol = endProtocol;
+    }
+
+    public boolean supportedByProtocol(Protocol protocol) {
+        return startProtocol.id <= protocol.id
+                && protocol.id <= endProtocol.id;
+    }
+
+    public static CipherSuite cipherSuite(String name) {
+        return CipherSuite.valueOf(CipherSuite.class, name);
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/javax/net/ssl/TLSCommon/Protocol.java	2018-05-11 15:10:42.930045100 -0700
@@ -0,0 +1,58 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+public enum Protocol {
+
+    SSLV2HELLO(0x0002, "SSLv2Hello"),
+    SSLV3     (0x0300, "SSLv3"),
+    TLSV1     (0x0301, "TLSv1"),
+    TLSV1_1   (0x0302, "TLSv1.1"),
+    TLSV1_2   (0x0303, "TLSv1.2"),
+    TLSV1_3   (0x0304, "TLSv1.3"),
+
+    DTLS1_3   (0xFEFC, "DTLSv1.3"),
+    DTLS1_2   (0xFEFD, "DTLSv1.2"),
+    DTLS1_0   (0xFEFF, "DTLSv1.0");
+
+    public final int id;
+    public final String name;
+
+    private Protocol(int id, String name) {
+        this.id = id;
+        this.name = name;
+    }
+
+    public String toString() {
+        return name;
+    }
+
+    public static Protocol protocol(String name) {
+        for (Protocol protocol : values()) {
+            if (protocol.name.equals(name)) {
+                return protocol;
+            }
+        }
+
+        return null;
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/SigGen15_186-3.txt	2018-05-11 15:10:44.638721500 -0700
@@ -0,0 +1,341 @@
+# CAVS 11.4
+# "SigGen PKCS#1 Ver1.5" information
+# Combinations selected:Mod Size 2048 with SHA-224 SHA-256 SHA-384 SHA-512; Mod Size 3072 with SHA-224 SHA-256 SHA-384 SHA-512
+
+
+[mod = 2048]
+
+n = cea80475324c1dc8347827818da58bac069d3419c614a6ea1ac6a3b510dcd72cc516954905e9fef908d45e13006adf27d467a7d83c111d1a5df15ef293771aefb920032a5bb989f8e4f5e1b05093d3f130f984c07a772a3683f4dc6fb28a96815b32123ccdd13954f19d5b8b24a103e771a34c328755c65ed64e1924ffd04d30b2142cc262f6e0048fef6dbc652f21479ea1c4b1d66d28f4d46ef7185e390cbfa2e02380582f3188bb94ebbf05d31487a09aff01fcbb4cd4bfd1f0a833b38c11813c84360bb53c7d4481031c40bad8713bb6b835cb08098ed15ba31ee4ba728a8c8e10f7294e1b4163b7aee57277bfd881a6f9d43e02c6925aa3a043fb7fb78d
+
+e = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000260445
+d = 0997634c477c1a039d44c810b2aaa3c7862b0b88d3708272e1e15f66fc9389709f8a11f3ea6a5af7effa2d01c189c50f0d5bcbe3fa272e56cfc4a4e1d388a9dcd65df8628902556c8b6bb6a641709b5a35dd2622c73d4640bfa1359d0e76e1f219f8e33eb9bd0b59ec198eb2fccaae0346bd8b401e12e3c67cb629569c185a2e0f35a2f741644c1cca5ebb139d77a89a2953fc5e30048c0e619f07c8d21d1e56b8af07193d0fdf3f49cd49f2ef3138b5138862f1470bd2d16e34a2b9e7777a6c8c8d4cb94b4e8b5d616cd5393753e7b0f31cc7da559ba8e98d888914e334773baf498ad88d9631eb5fe32e53a4145bf0ba548bf2b0a50c63f67b14e398a34b0d
+
+
+SHAAlg = SHA224
+Msg = 74230447bcd492f2f8a8c594a04379271690bf0c8a13ddfc1b7b96413e77ab2664cba1acd7a3c57ee5276e27414f8283a6f93b73bd392bd541f07eb461a080bb667e5ff095c9319f575b3893977e658c6c001ceef88a37b7902d4db31c3e34f3c164c47bbeefde3b946bad416a752c2cafcee9e401ae08884e5b8aa839f9d0b5
+S = 27da4104eace1991e08bd8e7cfccd97ec48b896a0e156ce7bdc23fd570aaa9a00ed015101f0c6261c7371ceca327a73c3cecfcf6b2d9ed920c9698046e25c89adb2360887d99983bf632f9e6eb0e5df60715902b9aeaa74bf5027aa246510891c74ae366a16f397e2c8ccdc8bd56aa10e0d01585e69f8c4856e76b53acfd3d782b8171529008fa5eff030f46956704a3f5d9167348f37021fc277c6c0a8f93b8a23cfbf918990f982a56d0ed2aa08161560755adc0ce2c3e2ab2929f79bfc0b24ff3e0ff352e6445d8a617f1785d66c32295bb365d61cfb107e9993bbd93421f2d344a86e4127827fa0d0b2535f9b1d547de12ba2868acdecf2cb5f92a6a159a
+
+SHAAlg = SHA224
+Msg = 9af2c5a919e5dadc668799f365fc23da6231437ea51ca5314645425043851f23d00d3704eeabb5c43f49674a19b7707dd9aa3d657a04ba8c6655c5ab8ba2e382b26631080cd79ec40e6a587b7f99840bd0e43297ab1690e4cec95d031a2ca131e7049cfb9bf1fca67bf353cdc12cc74ceee80c5d61da8f0129a8f4a218abc3f6
+S = c5dfbefd35cec846e2c7b2434dc9c46a5a9b1b6ce65b2b18665aedb1404de1f466e024f849eec308c2d2f2f0193df1898a581c9ea32581185553b171b6507082617c5c018afe0c3af64d2ec5a563795aa585e77753cd18836f6f0c29535f6200ca899928fe78e949b0a216ec47a6adf2223e17236cfc167cf00ed6136f03cf6ffd4f3f7787aeb005840978d8d6ba593d4f4cfe6920be102b9847d10140dff86b0db14ffccc9a96e673c672c1128ae45489d2cbfe6e195ca5206eda519cad3d6e0abf4653e36b5a264e87494a4d63ee91ff7c35a6ab12adfa3bb537f6198b06f5de0717076b0ec83ae0da9ea419cc0c96669d1d7c9e529271428401e09e04888a
+
+SHAAlg = SHA224
+Msg = 59b5b85b9dc246d30a3fc8a2de3c9dfa971643b0c1f7c9e40c9c87e4a15b0c4eb664587560474c06a9b65eece38c91703c0fa5a592728a03889f1b52d93309caecc91578a97b83e38ca6cbf0f7ee9103cd82d7673ca172f0da5ebadef4a08605226c582b1f67d4b2d8967777c36985f972f843be688c67f22b61cd529baa6b48
+S = 29b5ac417226444bc8570a279e0e561a4c39707bdbea936064ed603ba96889eb3d786b1999b5180cd5d0611788837a9df1496bacea31cbf8f24a1a2232d4158913c963f5066aad4b65e617d0903359696d759d84c1392e22c246d5f5bed4b806f4091d5e8f71a513f1319bb4e56971cd3e168c9a7e2789832293991a73d3027072ecee6863514549029fb3553478c8f4103bf62d7de1fb53fe76ce9778ada3bb9efa62da44cd00d02bb0eb7488ac24da3814c653cba612301373837a0c3f11885493cbf3024c3572eaed396d0ebb8039ddf843c218d8bc7783549046c33586fb3428562cb8046090040c0e4eea50a19a428bde34626277ff48a84faa189b5440
+
+SHAAlg = SHA224
+Msg = 49a5f3930ad45aca5e22caac6646f0bede1228838d49f8f2e0b2dd27d26a4b590e7eef0c58b9378829bb1489994bff3882ef3a5ae3b958c88263ff1fd69fedb823a839dbe71ddb2f750f6f75e05936761a2f5e3a5dfa837bca63755951ae3c50d04a59667fa64fa98b4662d801159f61eefd1c8bc5b581f500dac73f0a424007
+S = 604eb637ca54bea5ad1fd3165911f3baa2e06c859dc73945a38bca7ff9bfa9ed39435348623d3e60f1ce487443840c6b2c000f1582e8526067a5e8923f1a1bdaabb1a40c0f49ee6906a4c8fc9b8cfa6d07c2cc5bdf2ada65c53d79548089c524fa364319a90d46213febdce6db795914cbda04d7bbbf26bbb299fc7d1449dcc81d139e3c33d4c1de96473994730a4b639633d677db25695ffd157e591bddead03dd2f1c1b8f5c8a213b785879bf7c9a992bb11dd5e91df3aff0931ca76c406230a19e307f33419c9d9d3f6f64bf8881c0ddf74a5716cbc433329368d6e55f1f751d7b9f9b0a26eb5811772f5f698530efc1eaceee6e1dc6839b2133c2fccfa8c
+
+SHAAlg = SHA224
+Msg = 9bfc4dac8c2232387216a532ce62d98c1aafa35c65dc388e3d4d37d6d186eae957f8c9edac1a3f2e3abcb1121f99bd4f8c2bbf5b6ac39a2544d8b502619f43ea30ddc8e4eafad8bf7256220380e0ae27fee46304b224cc8a1e2b1cb2a4de6fb3ee5452798de78653e08b01ec385f367c3982963f8428572793ed74cee369f5ae
+S = 444f7efbfef586fad431e17fea1a2d59f19b3d619bb6fa3664301833a4db1243459e31aa6a703b22572f0912754e56f7231a55ac7abca514c79d9fb3564214b4af835d7d1eaf2b58ceb6a344f1c36890f5e83b50188c0147d6d1156da289ccf4bdb0b9a66f1e4a1f2643591d5ffb53702cf70ddf351592575488f1929010aca37714b234eeb5b952b9323ae26533e9ecd516df26392d1254228bd9ca21a369bb6ab0a33d5eb44cee92b0ea7471ffe5fa43c21de2a8975d4c5c8e185fcb7aab33d88a8365ddf0119c108803c56288643a056e781abd4a0242a92e2529d405efcfd4248662cfbb332d6e6fad6aceb90b5b58a5541abe07bef25d9d89215e398426
+
+SHAAlg = SHA224
+Msg = bf5ff1968a39f809de73e6a8014fc6e8df159367f46340da6cc5fb468985b37446c5d89f3aca626fbe9b142b52cb022a3d93518a74243e25bd3a61c114f533874ee5cfb7fc63f599922854b7c9180949415f63f16bbfe9a8a6289ef8a88a836d20e75e4699acba6fa2412fb42cdfe32f33a25102a1df494c6fb738550decaa0c
+S = 017e053d1ef85c43193a0009a903952aaf400fbcfee9c028975777ab540d2d22ab5c25f4cf1d3794afac6697e1f243829052a84e2843cc0e254dbac1021572999f2dcafab58b9dfef2fcaf701e431bdcd16dbef110095bcfba501059d7994dad5b0b54d0812a4380a1f0ba8ec2bcba768bf5b544695626a5f395e784d4b2962fb7533818de1d6ec686edc9f66868ad03ee64361a6cb91fd8ef536ca6454d16c537c07aa42923e62057df9dd9e7fa4ad0384f35721f6eb3b816d352a095c605d5c10e0a7a2e8640e27307cd44b9d71ac50c0043caca28ae8d6f8fa5bb483158a4e415ef6cfad47f34c0042a2d588ace0f1371d93865397bd21516da2cc15e909c
+
+SHAAlg = SHA224
+Msg = 2ff4fcd0be260bf4a0d73112d0e5649c0bef5bbcdf15423a05ffb2a1f021e09da63d15a8cf295ee50bd2844c89813e08d65da61df232ea4ea970443e20772cd5af11cce5ee40b40e133bcfdf7bb3953d865a8309a8a6c8fdbdd242d79d27a8baf17909d145f475355e19fa11cd03d204c4efdac629fb460fe92e93b48fb9be13
+S = abee5c868f850c17794f021ee9709cc2301320dd246fb3eadb7802a300a98a67083a2e4e250df13314c25453b898110801f7e7acb9b694644e5c4a2623dff1884913c05e636fe77ed5155d954ee38f1262c6c2e38d1114cf6cc5143c7277c8649f5a423f83dfd5f829d9dc74aa4b2fcdc8960cde5ce146b289136064b13bd0d36a1e64a261d680fb7e23d2ae92efb743c3db54609eca7a1be0e47e6f724dc5cf61cb2a369c2bb173f2c6cfecb9a887d583d277b8e30b24ec8549c4d53ba3988642a61f1f939f0f3898005c5d13aaaa54bcb8ae83b72b3cb644b9439d1d2accc800271d23e52f98480d270fad6aced512252ee98332af903563d982d8cbdefb7d
+
+SHAAlg = SHA224
+Msg = b5dca1532dffda0831cb2d21ebd1bdca23c9319c6427fdcc5aefe3a27fc9b92df7586c36b7c84572eda66bfb9cf5aa01877e72bd516723a7e20787e90df9a0136f6fa5109ac9475973673868d8bbee7086a2a54b3af4a3b41759bfb6485f2464e6ca53cb1c2c672589b59d50e54b137ee8ddd02d67f5055ac18d92f17924cc89
+S = 9ae5b9633f9adc7ff923d8875748bc6220dd8f6781b3d46d6008ae69fda072d205f87a12d54c3c7ecc85b88b6ef4770eeb4b71debeff8401e329f6b3e8dc8a9af13a533b60b962930bc0ce3d65d0b5a276e85a0c74f459fb072992991ba96849023478ab28d381aa67d22c9c3b092a023f06c96e11fd2f1b4d9daf0f3449de1797612a8113d6e626cc3f995e1c110e65d17c636c92929f913639a97cd049155830dc0f76049123be3d3d79159fc2b4258e94b8bf808d7c46beefe6df0a83037d15a72a581d8adedd8f013b38f5502d736d1d2f04b0e5dc22eb1a414e52b1a9e8735e0592288c9e5a0a78531e95974a5d48860f8e5b04ebd3eb56ad12adc46ec7
+
+SHAAlg = SHA224
+Msg = 1e563fc3ad027a9cc606be19b258bf70dd8b5273e296236ee8d7a65331585014f05006515bedd6330250e5985fdaa870aea65766ff569fc48913989041cff6fbabcd83fdf064cd3932001b261c69a670bd48069c96e7ebecf1380d82751966c7f8d69e0e94efc775fd1c4a0c118f213ab179475cd0cf6daec94eef6ff6bd0640
+S = 80d3ff1f74a81095d0baa2e9de248c0312ca5a817bc9f5156a293d80896adec5507ee8f2df417afe8779668e25b46f49e4357a7170531ed30761103dbb994135b510d91db9fe1f1268f437e0f3a7a4ba6a4d0b9eb70dfc09fed4b44b35608501c2dfd7a230a28dad14926da4600ba785e496212e57738dd575b40c23347b1635ecdf2b9194d96b1450a6876aa76d04aa5947cce71d85121e0bf578e81cf78c6a047e30fc1d87cfd3019de4bb48294c25860b450355bc2662aa36d6e33f00ad79257d2d8b91f73f27c32a9afcb1e1f015f77cb6b0df51fb39ee1bd76ac42c20791d79cf3f363fb324db30ee82bcc1df1a9564330c12a549659bd3010001573133
+
+SHAAlg = SHA224
+Msg = 900ae7e2e7e5f615750c4ee4c13cca8f9f450714a6b273f2e4aca632d11cf6a8821045771f601ed39791010b92f9fac6a824788cd0775d891b13528ea2fd5d59bc7bb51675c1d5263ccccf1edc8fe313ae4d50150c466af90895ed5c5e5991e4a813dec9d14f4294cc8761278644acfe198635b44266c1c915fa1fa2ef79b9d1
+S = 39c64891d9ac4741a57dd8aec7f7243613d155df4492814b40ceabee79eadb8d8bc5fa611bdebe0e0d9714c43d6d29ef309f782bc8e68a4d317ce1ece468552305a73db9d0d2891e2804f4201b1bf8a3246fa082adde1fc9b3d299f88cb93b7b47fe9f73137096c2b8c59ec0612a085363c04cc374769a964feaf1f8e491381e16d7ae2a0c672e69a3667310feed012156dca630a68d339ec80496c6b594fed17091d3a1c6ac3e4da1419b05d589cb32468288f7df4daaceff5a39bcf297dc508ce9549f602e973edbc2aa44332ec3661b19c8c58c5616924beb892f77b5e200d6fb3fc759263a749d157eff9f736798d281b25b71fb470bdb700f211f841db7
+
+SHAAlg = SHA256
+Msg = 5af283b1b76ab2a695d794c23b35ca7371fc779e92ebf589e304c7f923d8cf976304c19818fcd89d6f07c8d8e08bf371068bdf28ae6ee83b2e02328af8c0e2f96e528e16f852f1fc5455e4772e288a68f159ca6bdcf902b858a1f94789b3163823e2d0717ff56689eec7d0e54d93f520d96e1eb04515abc70ae90578ff38d31b
+S = 6b8be97d9e518a2ede746ff4a7d91a84a1fc665b52f154a927650db6e7348c69f8c8881f7bcf9b1a6d3366eed30c3aed4e93c203c43f5528a45de791895747ade9c5fa5eee81427edee02082147aa311712a6ad5fb1732e93b3d6cd23ffd46a0b3caf62a8b69957cc68ae39f9993c1a779599cdda949bdaababb77f248fcfeaa44059be5459fb9b899278e929528ee130facd53372ecbc42f3e8de2998425860406440f248d817432de687112e504d734028e6c5620fa282ca07647006cf0a2ff83e19a916554cc61810c2e855305db4e5cf893a6a96767365794556ff033359084d7e38a8456e68e21155b76151314a29875feee09557161cbc654541e89e42
+
+SHAAlg = SHA256
+Msg = c43011f3ee88c9c9adcac8bf37221afa31769d347dec705e53aca98993e74606591867ccd289ba1b4f19365f983e0c578346da76c5e2228a07e4fc9b3d4807163371a52b68b66873201dc7d6b56616ac2e4cb522120787df7f15a5e8763a54c179c635d65816bc19485de3eb35a52040591094fe0e6485a7e0c60e38e7c61551
+S = aa3a4e12eb87596c711c9a22bcabcb9dadffcabcecbd16228889e9bb457d5d22571a72f034be4783384f43ce6fffc60534b8331cdd5d7c77f49180bfd194b5fd43a508c66d786c558876735894e6a9300952de792f747045e74d87fd50980230707a34a4df013ce050bbff0d6f570885c9c7bf8dc499132caee071b41d81ff91b8ce21aa2f282cbf52389f239afe1490890be21f9d808b3d70b97efd59c0b60e466088bb42714f212bc90db7e942ebcee60e7b107fff44fb3564ff07d6d02850215fd357d897c4d32bef8661689f2d84ff897637fb6d5568a7270e783426b74b7037493e5155fd7cb3ddddfd36bd8a9c877d71d2a966057c08263d2939c84987
+
+SHAAlg = SHA256
+Msg = 61d7b3150131351e7b4c8e5645d38be9335b40289af34cc6b6fc5e48493bf8b7852c73982c99441ef66c7d9d33c29742b1406e02e0aa8dd034b1ac13cb0d775750cc91421fead9caa921eca61a02eb023a457e77915e183acf517d946bc68292896014fd214b7c8c5e14e15944be0f9296127771f736766e4f81dab3708ea2d0
+S = 84e92a145ae6be1ff9242d9ed2d68de668e802524e8ac0a79de62fe74048c35491fd2ffdb185057e666dbfaac84c34fde7891263f8b2bc74746230320f67a7bd7319c9b9de4190547014e2d7a2a5060d6200aadc3a44bac029ff3992edd30ec53ab0d9123eaa6b147352a073a98161e64f394bb99492c6977e24f445c7125bfb90f87faf262272134acb18823a99a5228d1495463297fd774877fb63d4918106347e6f29315e48363f39b33299eaa32d8da71b229d8ffee5f66f722ad3aa4175d3f84ece9cc8eca8d6f2f356a85c1524896c18f7b5c8f9bcdef45c496d539179891ddc76e5208ad8353d48c624054f3440eeba4432a10654a11ef53783bd116f
+
+SHAAlg = SHA256
+Msg = b6771ab0e128b41b32b8b05e05add23ce0fb877b40bfcc3b992f4c8698d1c828abecbcc1c33d401859ea2cb2afbc7fa4588802a5faee2867534639287ad8af84674be18db661de1da8e19c6b6bd452dd9bf3221d0861fb6fba96be42329b9f04f37dcf3b41fc58d2298348b0c15d1190b125300cf27e0dfad60522fc49846053
+S = 6276925568626f0cbe6f5150b050e1702582f8daf99a6f880ef75cd96c2d4208fb6e91b01ba6aba2a816b2d3cb975df850b1d268c4662dd1ea3a300c1d7171c633dd2efbac3000c56ab80f989dbc18243e636ba5d4d26a7d3f1965ad3cb0f1a8513f998003f7b67e2ac5c718cb688b3201d56e68f0b9f86257b84794cdffbc1fe3ea24b7bb6e9ef0539bd4fbc1afb55bc1dca39996ea8a63769f6e225707f69047555e1a4ef3c639c5f2a497b889424a90148639bb64df0a06e0b7f0e8ed466a977baca32f482337b2abe3983eaec3fe1075016e5867521760fd0607d799f1766b3ff6e2ae155d69250f8bf08c8edca0b4f31d0f838cfd298cb7312df93f0997
+
+SHAAlg = SHA256
+Msg = 6a81cb6c7b268f4b9fb9172adbbb36a237a0dcf1c3c83a95dcb0271aac6ac330f04a5a00fee38bc00631a98598186159660d9d8e4c14a9528dea94836083dac4abb73fd00e38fe0e23c7236604a736540e52193ae56c33fbb8f5cfc5c7c2be2e222e4483b30d325c7ee14f742851fcb8b6d6189e98b822b8e6399d89e90fb997
+S = b67991050c083e645097db03fff34758868beb19e9c0c48475f0f913361e71d3d6f27a8c4f0b269b49e8534039e53ad3bab9a3e62abe078ee75e7fb5959006fbfb014ca7b81b3d5afe0ee5f6fc2dfbc450f2839543002f33f4f354f827278c76c041686eea7886ebb2a7afa5995c6cddb1c0b58066ddb8dc54a6927c146c3b2a0fa7cef28903c6c672bc20ef68ffbfab247eb688ab4bde7106d9c59d2153096dc9e5207267038d88e2174e76adc1508ae24eb602332e53c0c2e33154a66a97a0f12f66c61258c7bf6bbf3f1dcbe9caf2fd30ec68c0a9d09f4fd776304b540e62fc8512beaabc4be2107a1ec18e87f61f9db25e871dc0693cef17c2a687fc854f
+
+SHAAlg = SHA256
+Msg = 056c1e4644599e3183dd8d2f64e4bb2352ff00d012ab763f9ad6e560279f7ff38a5ecea9c2e4ea87d004ef8cc752ae93232aa37b5bf42884baa7e7fc6a8c951cd245de2d220d9bee2b414b3a7520c1e68bcf1ae99a9ff2bf3a93d80f8c1dfe8b85293517895c192e3c9e898295d65be334f44d62f5353eb6c5a29edfb4db2309
+S = ae05204e409d727eb9e4dc24be8f863328c2813da4fcef28866e21a5dab21a485321b735274af06bf17e271518e11164d722ab073548f02e1b441923db6f1cee65a017edfbaf3361c67fbc2b39fe038cb5cb65a640f95887389ce8a5ad2ec6e69d3d603505b025f6d6330c8b648802caf7e6fa3fe7b38141659986cb89e6232f106222564d5e5195eda6a25f99068572c2fafe97f147f7f2f4119f21385af1fced97f78632d8bf4fd9a9054d8b9aa2a9f4ded587847a91d42c6391125f103ae288547e8489693ae8686b84891b772b10c4796883f66cd459a8c1a6a4187bd6b387d349e92d7b604953727c9e9fdc449e7345e7ca6b339e26b086f5548898cbe9
+
+SHAAlg = SHA256
+Msg = cec5c9b6f84497ac327f68ef886641fec995178b307192304374115efcc5ee96270c03db0b846d674c528f9d10155a3f61becce1d3a2b79d66cdc409ad99b7663080f51a102f4361e9dbd03ffcd876b98e683d448bd1217e6fb2151c66964723b2caa65c4e6ca201d1c532bd94d91cd4173b719da126563927ca0a7f6fe42536
+S = c48a8e01d4bbfe0f2f05659337ea71d21f38d7f7a10b00b06e1f899eaf40a8e97ead64bca37f13a55ef1cf3fb52cee279cdcb096085a467afa97b03d78d6076e472b12d6be9647cec32d8d91a26247693771687460ba5269de18e1edef6022533a9579f91d584f9e0cee1100c447b77576b1b4ee163ed4700147a9aa61bdc4e2316d2d818c1028ed1c3e372c9f6a1745572444637248091b83f7b539f9bd58b7675676034c20e4ca119b91c4ca5dc76acbff3d0462898352c591c2ca6f2d8b09e2e6338a84336e06f0cc020e9eb8da785889b497f3b98e827ee7a7d3f1b0b73c1958e16aa97861e6675970ce31d9d119bb340be80fd0f43c3dbe64f2a59d629d
+
+SHAAlg = SHA256
+Msg = 9193f8b914dfe0e62521f35afa4fa5d42835e198af673809377a3e7a99733142a180dc0e13e6bb7ceb3b60e5e9d515794d82c392e07913423391d22e2bb19aa0bd88afd7f77e27a240ea4e2de085481ac31ff8d37990211f82f2cbf4c90de98d6e1338bbc88e6a80ab9684dae64785dd107248048593abc9ab03f1737a6f6530
+S = 5c2fe453a8b08c90b02eb2c9994242d518f3f21b368895cffd624050e48aa714005ae675fe79aa3cadd4df55bdf12bec5be8a41d87538f7e031b782e34d392468e5f14bc613b8f4d28c8fb79a2537e1e601031da720acd7b2c8dcbe9858624a7a9a92a06f91845f732370d67365c6464f7b68f22eb3edfeec97e3285024d7f6943b6d50a16cc96d60f680351deaa25f0bc868948607a6ba7f1949b85943c6a92bd6172e81bcc055014b78a733972e3f39d14099d1607a20ff8681c29ae1ef99ef115ed6a1084b514b81a69d4a15ce1e2576fdcf2b2af615b52fec70132112dcc5bc19ec17f32281460623420317353e8a255fda502bd1fb11a58832ae2c04f9a
+
+SHAAlg = SHA256
+Msg = 0e57ef40b021bf87f642c5756b6515a0e06c15a01856d716c566a6edb381dfdf44d9033b1cc809e61dfef9a096dfb689b7271be449d04a1a9c354102c077af5ff72005ab6b06cf131d7345c21e821d6201cca4e090440d70be6009d2dd7a98d311751e1605a3b914dce6d2626b16f233a5a3d71d567cc820152f25e473514242
+S = 7643aa3fe63e66f79d6b409d145ea820c9f7356f71b4acdcbd43fe1e99f8802cd1662b16240f5cfd94a769b0b3f2cb0b11887e886e5ba43733367490b3fc188f2fb3a0c0c8a68b5d2726c8f7a31902b6b86cd402287d385c3e3c06503ce17fd6e54e582f4a907a91f952d2a360e2fba00028e4d3b02aabf7d220b31d1f8ee7faa070147682ccc8bcc756ca6a68fc20954550c317e87918781a3d1f1923503091090c3c60ca1c0b1c699906fbf85aa70ad9ae48709ff743b82dcc31074cfcea623ea45e48644b19a21772ca107ed64239c56574a087f1a6aadf0f4b00ffe581c1410274c875e4599063e46e5168803f0d28d21fcd3509b4c6222995add7753bf3
+
+SHAAlg = SHA256
+Msg = 0c8491fc348d341fe85c46a56115f26035c59e6a2be765c44e2ec83d407ea096d13b57e3d0c758342246c47510a56793e5daeae1b96d4ab988378966876aa341b7d1c31bba59b7dbe6d1a16898eef0caca928f8ce84d5c64e025dc1679922d95e5cd3c6b994a385c5c8346469ef8764c0c74f5336191850c7f7e2b14be0027d8
+S = cacc8d9f5ecd34c143488461135c4951676145c6e472b92f12f758046f172142fa388f285f3fff068242028829047e248059ed4fd39d2c5ade469dc7c39345e5114950d2031cc7465fe712c4041d05c756d3f2d88a46ceb99f2e24a52e958a03cd2519a9b137e62d5ca2b353f7b047b625c3602313fdb53c8db23d83951a599db328fedc4ae06da89ce7f56259b5c8222f7bd3d9740478fd28e5810db78aee8623fdd39f603f8ddf98081d7873980c4eb0e22a9cd408f7c4134c12d2049a2d120f4b62e6b382b997fc375ef7ac955fcf80b045c3d6385ff422dad350c68870539068a162a2edbb93ceefed9677939b90bd3dfa0dc053460b4e2332efa692179a
+
+SHAAlg = SHA384
+Msg = 6cd59fdd3efd893d091afdc3155d354f10d6d88167427a2cf7246207e51791a6ca6200a914cd2834a9b3c79fcd59e26e457e0683bc33d49267edbdd6e5d90902696f1e7b1a4affc4ba371339868c28015ebbb73e262669866c35db974ba69e468f2583b9191d15d686cd66fb0b9e0ff0a3b4721a6dc342f14f2446b4e028595b
+S = 3974900bec3fcb081f0e5a299adf30d087aabaa633911410e87a4979bbe3fa80c3abcf221686399a49bc2f1e5ac40c35df1700e4b9cb7c805a896646573f4a570a9704d2a2e6baee4b43d916906884ad3cf283529ea265e8fcb5cc1bdf7b7dee85941e4b4fb25c1fc7b951fb129ab393cb069be271c1d954da3c43674309f1d212826fabb8e812de2d53d12597de040d32cb28c9f813159cb18c1b51f7a874cbf229cc222caeb98e35ec5e4bf5c5e22cc8528631f15117e8c2be6eac91f4070eecdd07ecc6db6c46eaa65f472f2006988efef0b51c538c6e04d7519c8e3da4b172b1e2761089ed3ad1197992ef37c168dc881c8b5f8bbfee919f7c7afd25b8fc
+
+SHAAlg = SHA384
+Msg = acb30be9092b2f18f25934a0d678b6bcd6b67c2b88e75884f47b4fcae3adfa405afe2c7e61e2d6c508b92790ac00f76b77c965082668bf900f70a33762de6413af93af2ea8086fda293ded4475f23c4cc31ad494f98d7dd7b7fd6f7d972bb76cb35adc206804c3fe5acdd0e5b8b54e07c29111f788bc5902f40afac30afdbaf2
+S = b5c60d8da9b3943878cb2359cf65e4817c0794f950453ca77c81a5a1c1585591aa50a67468e3b399e4faf1d606bea0d9e6cc1d2d70db8063739e0c27d3dc9f9afe88dea52e73298a07d05c7d9707002efa537c389e38bd37bca74eb0af6261a5da06136202c8ad487eebd50bef74767089c70870be1d8fab9156f9fdbc2f2e9cc330a95018ce7943984becc25621bfa66018ef8320b60059f941156e9cdd87ff0d82cf7be77465e0203e7120aaeced84abd8186947d4ac3daf3f993902aec47c3090475c857b5d359f0a5572d4688e5a76a4653868ff54ce9f999e6bb559d1c11c67c15be9d7fe5f8c1704301d055f3d2907722779d6012036084e950de36f4f
+
+SHAAlg = SHA384
+Msg = 601a6aad3faa7988d5ae528a6969031b10a6f39216946aa89fd4532c8ed141f9a650b126ef488f7c5cf3fb2daa254cc28bdd55560419e80214ef999896dac4946852d24fcd9fb77610eebfbb6ba58bca26f4567f03ac7e56da553f23817bc103ee485592a058fb5e3bc8299c7290c71a29137e75dbf5328c3a2dcd34165b3f2e
+S = 301d60d56576f3663a7fbe8036bbe4fbc0fbd82cd6a42e36d7bbc8b206543dc2d56d3198e7911ad138cad222dd99050dd1f85fe19c8a88bf67135e7f8f11b5f5e485c91fc7d478069b72f46ebcdcf2d2ae7de6ac8fe53bb6c04911d122cc231dc210b2147ebe8b052e8b2ccc09f338b349de2025cc87b2619a7b163347ca66a34791a2e46b4e2ac57eb9f6029cdbe024e896d57f7d0491f7783312f8f06c790770150cd139f61fd2b3e7041b37261c6e7ea86d4e06d9300b1a5667cb0288c550b2afb355944834b461cead13794276bb46e5e20aec7b63aaca4d491a500facd59a37c52779cf467d74af1e62b1ebe0fd0be1cacb7ce6d050d86e4eb76cde0693
+
+SHAAlg = SHA384
+Msg = 44d3e0fc90100a1c9316063f26b180326cc2e3834ce56e4324528a0bbb015b3d7812958cd26b91bf08a3a0b1121f9f9dd77acb98a02ad75fcd613c53c732d1c235f59b6873ece6363f279452b6a4b65e80bb59fd47b9a2936dcc1e4dfe1f5362e3459b9859db3209a2698d27fa8aedfecd4d35b927daf8686c59d700490f0aa3
+S = af2229e94a857b89e0e890daca3a8fe12ebdba04948d1883a7d7816a3b682f7da3032540a8769f9ccac9586cf24e8c204b45b85d1bdcc5a5450a215b4048ea42983b3456fa8c76c6786e024f705e088d694559d668caa8684cad0fc57850fcaf34e458aee8fad4e09e6f196557d4e8860284d982c0105d98ce4912e96c3550e2a0c7e8bad5abc29a9a542f57a8c60579038067b3d5391abc21b4f9deb024ca58f9b0c38c0d1f82373f528e939bd73a24d501c591168814c872c525db0e56cae47df00fa3728dc3a0976965323ce8d2dee2b138b50ab7afd48495114673e91bb3ed2205e26a8455474c3d4ec8739bbff6df39b2b72ee050410930423b1472b6ed
+
+SHAAlg = SHA384
+Msg = 5af09077a1f534b89822b26c3272adf8500d3c6bd90f9b5e0d8b211f16d0720ee0eaf6462b6c8a80df6d75359fd19d03a0cafb52bc9d4c37c2aa099911a79a92652cc717f0746fdcad627c72f1c216b243d2175f6d00bf07d3f6aa2a04d4fe9f8fbce93218944b92aa07af6b4fcd80cfde2d7ada15c05e96e777ea1c17df08fc
+S = a56823fa577e8946f1d2f6e351b738b53592544358528af88807ea4f19017dfe81a3d69f62fbff649550d9b310faf27a041fe624f0a02bdcddb79bfb0a465739ec8b64b748cc29e5a02c777e1826d3e2f1eee6fe2edee4a8bcac519c7c7ca5c039e76d630668945a1e5e8618e235864561a440e73e39f6d6842ad7da64ef5b0ce1c4ab88db157b68107174ad7d5c9a6065068768c11c4c96ff67050b5d07b8cd027fcd0d347ec79a197cf43435985bc1aeb479db0022289e8dd3b31bb7c62d8831cfe6952f41d24f89d753789535f918ff68b36950af6fd31dee1ac476a0cf93afe9f4a766f3c4d2c0c3f92825d5572eb2eb8a2b644e329eea1683f90810ed77
+
+SHAAlg = SHA384
+Msg = f60a3a543768fabe37f003009a8c26f7dc91f1422d4429ed7f9d744cdd4b552afef75d241acda04ffc39672159ee248e602dab7192449e2ed4552995c258f00a476346e36a29a0126bc249040faa57c9380bdd74b83f62c56790920574433432f8d65c5cd185e24fad13127265c6a5ef8db4f114493d5cfa61d91664981408e9
+S = 08d396481deef18cb0bef7c3e826fe6e5c9ecc85e5230d35d66772b8d2d015d4e5f5794fbe0550df2f745730d6f8d1d3b850d164fce4630805e711b59308f8608506b7e01e8e9294ed8b7e7582165677f180e965169dca81b3daf24d7b92fe32d6a9ac63821d48b1a0a144fc7a04b0bfc63a3bc16a0fd837b02037ed76e50d46cbfa3857e658e370c586ab1eed825076321ac8e82be374bacb295e4d3408f0cc1fc4c300b84275a51c3573e9cabfdbe3dc51e4a6f5811d860d725aaf8fd0af19a2437b0f1c80f5ac222f6b25f1fa09e93399a6976b1b3ca76afe6086e9b232aae6c7b818255bf963f31c04ae3fa2136c0a442997d4cf12f395fb804a4755b56b
+
+SHAAlg = SHA384
+Msg = 2c07a81de58955b676fec0572d48d1955b4875ff62a44b0010c7a1072b299ee44dd0c076f2178a83d0ae76e767e231f1d81e070afab29c97abd4de2164e437b311f507841f8851d6d69ab51ee9e29e654b54bcee45e9b519c6a21787facb927f1d7d6491926614792fcc6346dcd080bb5cf07bf56ad0fc4e083a358214631510
+S = 9aa391e7c2f0e920aac27ed9fc2081d3c9caa3735883d01ad7a7e3b11867d0ad624156477bbbdde659f474682d0d774489e2b5b039d1eb35454c9e3eed78cff9c4262e3aecfca1d817542b486096598e1114bfc03f20a45de36f6df70d144d01dc4866a0f83319e7c2b8530f8c27a41b7add9f692d8a8e646455b67c9ec47a4d2ce3dfe35d6a2e89d9be50c5b6da39bb0254bd23a809ab97b2b48a068a87abde6b6a6e35955fc92a9626f9607d5b3f401517271594bef73859812b6a621ed6bdaf3c5f2a90b1e1680f68dcfccacb65e0081f1ccb6a2073709d1ba067065016ed73ebd7ebe9e7a7b60c8c9dd04a56fab30702c8a6df6a353a301047df4c7aff62
+
+SHAAlg = SHA384
+Msg = 35ec92afdbc2fcefe48f1e2f6e4829ae53b3da0459cc4ea8a96818b5831891ee2f506fff37c89906d3233a51a5cf1469a62c185061f033085fca6a54e24529c3d6f0d8e904bcb0f089a5cd50869484da1a84f6fb8de4e53fce3dc714201519d11013f6f6aa64e8b5ec5cfeb27b611f0895059d8c47720d55e00b577ca5500920
+S = 6b0f5b50e678da083ed0f1b64e943e8c6279c7246af5ad079cdbf223e42a0d471e56314bc0d58f202aa6c5e1e5255985b0795d48eb3d4b8e3fc92240ae02b4088c6ce8ab0e8c79c68dfdc48657d6a28295391b9a5a5f35255126bf8ca53cbcc0082eab52ec109d22a1185f6dc792fc290aa8dbaebb2fbe404f1d039aa6343cd7af9fcb2d1e05def48096c237e10daa7cfac5ae9b3b3022005d0d2d5c9c5c502b2f23594e80d1604bbb8f5dec07cd3afe1f777743b0b58a4e0e4e5caa148830eee047968e7f40661f9f1a02e1a7fd2b6caf19326a75e9565efdc0114bcecb14dda06c329cf322a5bd3e6ab48d95f2d2a9c1c1233a0aa015a738f901f13148b454
+
+SHAAlg = SHA384
+Msg = 80c9debdf93174d75750a6cf09af71fc18fd513bff9cb491be60af112a93f000873cf43858a07aca760a37e760c8cb01d276f42d997f01cca5e08a6a602f5fe63edcbed395b8c91fb0b336f21fea49d950e1ff24640c8d8d3b95081ad1596644ce34a558587e4a1e2cd50db9ed1dd3cebbc6dce8084d3e1ba70692e82618ed61
+S = 4a15a783adbf274622d5a610bb6fc73337999e445dc2133accb788d6203d70f3cdc63e67daa4171a7952a4986456fab3c077a8941fb259e37a5c0cbb20c408fa24ad0ec850e9bf028c3604609941f5ae2f18bf1ac37a24f755abb9c85ddcd0bf4a12fabd9d253029e081f628e2bbe9f9afe9224954d8315db86c2125512bb98ce9b36930994b091a8a1d7d4e2f4a0e58d0a35876adad14300530b39c8dc11ded3ef2fa95d5f22e67cae34cc21ad5e23f9122b53dfb79f1a2ac63c1844e9ef069a2e41f178d6dcedc518aafcf81e0ebd882556e731cb0ab41d957274a3fbbb7cef2608791000c6b860868cb7393e7d03d945689ffb77555efe08f461451d33c11
+
+SHAAlg = SHA384
+Msg = 31395cef349551343a49271a8d812b4c7b65b455b7eda811fcf74161f397112357ae446257be26c93cfce55e4ba7976ded997ec10d1c8b1ac2fe22dc2ee81d05a6eb1361125cda0197e24ae974cd44092aa9f36fe01352ba05ccefd2370ceed6641950562f1776c39522e023d09a3b097bbe9bc5f87d05d80f8830abd7ac8c80
+S = 162f387695cf9d82dda89c749318e46c9be895ec364ea4aece97ccfa63925af3710894da2b7b5967e46f4efa80ca25d2a965a7e15f75e0aa1bd4250f8f41099e6e9714c3fc4311077ae9bddfe35ba4727531529c239d546ab1c298187f165f708ccc0ae3979a8da193e34859a59c2c3bc42253c8346688e6bba6fb1b01b10c1ec2c6493dedcc2696269d851bde63e27e37bed357455c8fee5629f94afa7a986695cfd5b99212657a6c884644596086b89e0c7c05e819faebebef745fd295af8866e0750f5479baed50cbb3d059f8a5eb7e0e61e2733ae50f0c1ec42be71f5dff324195cb4f0e941a21561513c3037db92fec9556b772ccab239e34b1876c56b1
+
+SHAAlg = SHA512
+Msg = a7c309d44a57188bbd7b726b98b98ce12582228e1415864870a23961d2afb82cd5bc98bec922d5f2ac4168b056da176ef3ba91f6b699ba6acc4144868ff37f26fd06720868d12ad26ecb52572cf10416af68df03ab645a8b704857d2190ffc3f07eabe3a8e2abe34ed6159e884c4fae141d4333d5c3e0db044ff9cccd9cbd67f
+S = 148af61ed5ea8a87a08b3f403929bf8031db4fd3999b64409ba489f97a3ee5208ea4202d2ec18734f615003a51f77441085be6ac0f11810ffa2dad58f0e186d5520ac2b8a5d3966e8d2abb8074e13b50a4e7de83be10a66fdc7ca18118c5774f781212de9efebc6376fcdddc65a3b1b8f1ab31492fe478259ce719b3db587498d879a01dec96e8eabeb07ff7073f3f3eb446084955ca26329a791315a2c259d225e26b2154b2047b21faba68115bfd962e5e24ec52d7c5d231e3044cbcd8c8804855703cbaa622b15b6ef78c7421a367166f1b02576c87360593da75b7189efafd1082bd59f6857f1701f646c24d70c95273c49d5b11e6afe258821b55c1680c
+
+SHAAlg = SHA512
+Msg = ca505d4591121664990747d95d9555cc75bfc3fdaeeceeaa60eafab3fc320cfce56eb9138138bf138f25f3c8bb027b136f5d3d90ed4897779b5951c09df5d08ba9ce8cbe17abc4f038687086e93d771b684322266633d0d65d71ec41234a1dbec07abc8f7df28bc43dd8a45b10ceafac06775805413701914e3bb37eb6ba5b5e
+S = 589ccd4ebf9764f87e6afa7f13c4062579b02228117b15a8738ab39cd64477069cb4f52cd8d5f4574c657b453835ca3cedb824f03b92a573d6d3d91361313f11bdcb34d2059fe2e6ce2b854461af58a9294c88cbfb2a639976b56e4748026f3040e2fd7112d6ad44500689ac777c071d17391969762e186417c4400abdda5c16dce0077642f1fc1354e0e8c14e558c923c1bfb85488b8350f415866a60871ed7151f5fbc5b880500011977c778e17fe8918c5d343f70b00d58f718956125fe28b3a5e2d07604a2b8a877204434ce903b35a030936bc71951ca593df97d24e8e8ad8f2dc9b78f76ef13a1d386ca857ced48f19f3ebe39108f9b33ff59eb0556b1
+
+SHAAlg = SHA512
+Msg = 237a7e44b0a6c268bb63364b958ae02b95e7eed36b3ea5bfb18b9b81c38e2663d187144e323f9ceafb479507d184e63cfbec3ecdbb8a05d2dfc8929693ed9e3e79e5f8abfc417ba1e17e3e281e8a0a32f084117f28c3dcbec51b86f5c85b2822441a9423b5b446d3928f977626a334579b39cfaf58f214c98d0cdf640be1ac59
+S = af076bc213caf75619f4bd1d787cc198f7df3324a0dd87a88416e0a4b81c2fb9a9db5f98aed43bc15fe2357143a6e4ff701d9c48f51de9eb803670bbc4b0aea7220be2f84b8300318c77a9f615986c4980abda85e3ad0089564dbaf7f44d81b6664eec0311adb194d46de96bb17d5a5d47426845802ca0f49a169eb82b75afa191027a0cc8fce9dd16055350df9745fc7200ff9f4ea3cfbfc66c42848113e3be3293d510382d0999f032515527bd99f66efa2a755e011247b223a68e51258b6bc319a7cdef4aec533e9dcd8ae26e349e5b33c79121907de509a1cb83c2e59a47c1a884bf68e7229316a62e3c49d1f542ebe7105cfc27099268120a7743908471
+
+SHAAlg = SHA512
+Msg = ab18939230b096646a37a781629fbd9270f3891a5ceab4a8c3bc6851bc34115dbc066541b764a2ce88cc16a79324e5f8a90807652c639041733c34016fd30af08fed9024e26cf0b07c22811b1ae7911109e9625943447207dcd3fff39c45cb69ee731d22f8f008730ce2efc53f114945573ea2ddebb6e262c527d20f8bb1dc32
+S = 95bd0bf2362f34b2e04075b2934f404798703ea472b81ac3cc223aec486e4c3d9c5d1c2f9ee22417132964ed58e49937f5b257d316ca7fffe290b19f5b58103836812bef30ca0327039d8b9ea91295392fc394b881e2d2ac9e30c5a44256700fc9de0dba298273aec30c4f778d2e7127e8b8a88b0274fce04081cc13adbefe555014e1b5d5dcf6224c5ae2775423a66c81818eec014a3faf9ee75a3f6c3e51c556b0a288e8c262946684eb628b88e3f875e62ef6e801cae75f61cee404971c39d24a9712eb342ddc663515dec103b18d97d78ed68212f27900e77c049b60c853002b08022df56f707efa71027589e1a3ca6e415ba5f4437e978b07af3b73ba0d
+
+SHAAlg = SHA512
+Msg = a280e89ceb2c8cf26297191baf9a955d0d52375da023633e0afcdb0d39dc335d8295852ef4d06714e6511a95d37c04d26818606ada54359b7d0784aa933cc68561ee96a88910aa3d93d10787cd1d7580556731c174a6e3a32d9dcfa416604f0c671481d051f63db6919f4aba4486d1b0fdc6112c1521559f424523c26b4fb738
+S = cd60de3b4a1289a84ca761f90fa63f4d5688bd885f4b531c8515add2de1251f993ff7f986bef3fba692ecdebc81942d7429c7a59c5d3f1fb872fc1da1915e94586a5c3d963603619008f7efeded1d70b0a11ce2cd81b5b0d86b3760c9483674f55e9fa47f2f310d588fb2160e8b5c32be4e7a968d5a8d4ac6576b71a2b91cd6af0016cbc816d4aae8c70649e08dce90b3ce52ab49ce2cb5b0ed8a45e33d94cf2d4cfdee1151270b2073aeffeaf717d39e04192b8b693c53f21a6123813280806920b7dc582201c9d117050320671e86139a027976b7ecf413369a9fc28e0bd719ceb5e107de799f1bc2e255a9f29476d4574d1332f66468afb9004ff7b535302
+
+SHAAlg = SHA512
+Msg = 85ed1e3dfcd5bca24cad1d01ebe192b7d059ec9b884436e18714a43fbcc9c64f687301352ff240817001e757d27309cd1fbbda9456b267dbfb958470b24d06280cf43382a19477875f3259f4210bac9b831d0a07f5e97e5f0f78818c259c289e1a789b6c7942c97bc1485a220131e5eba586643b9071e5366bc482dd3c3c9279
+S = 138134bbecefafc7ca8b102cbe87b012f8aada8878995002cf1887694b5be3b8f0bb616bc6e07962d5482d3a52c52ab91b3ee0064d24558e13c75c80f6a95b7dc498442879d5baf8ffa7e2f638808b97ff70136bb645e30944dd97a997a0205169553a5b9e874c5a9441e18c15ebed76043b639dfd64db79e174847a102724a2a05c649473cc7dacd39e2e1d5666bbb5f01246747048fffcdfcddf782da24a6dcc022b2695f70781bd9f8ff7d03be22eb8fc793f5c071a66d9a6ea46c6a2cf0556526ba8b085073546448081732ac15f12833c1db1701ff7f68344ca65dff86211a003adbf5189cfae79eaa8c8b7141ea378e44cc9c5bf024d2c710ff5cd68af
+
+SHAAlg = SHA512
+Msg = 0bdba34e35fca65a1781d4d7c933a5f210d3a59483aebc95ec71b32df13ff4abf401916937fd88ff44ab46b78cc369414e9bcaa8bab0bb8557828d73a2a656c2f816f070b5cb45549e8eca9d7c0b4a7b0a27e51c119358dad2a17fb3a45718f9dec3c94af78d65c3ecd36b71e230cf080d1efdd8d07f1cfc26768fd5407bc2b7
+S = 9f48deb96bec0b72fbc4f12f08afb46bccf19d9e0cd0368ebeb312d83872626380ac928b612c5cd77438d47aa9ceea905a9de7182c8ef76e8a7a03d6efec8400b6496362bf6a30ceb1ced2185fc7c2117b6a6d888ac20c1687b0f2aa9b76705fd3154889b6acaf4e63be25880c71e6c239ecfb965004cd6321257f846afd2a6590c72ad83146eefc7b0dc4796339a7f64da0fbe359f94ace1fd151c5ac7bb5707b32eacf564fe1622e66e1844e639602ca36274ae01f93e6b2bd1effd34ab63d852cc9caf3ce8446c29c8ae3c6110fb7538cc8371c2a3981249cdc1be2b24b6a0c951764d0b7efa92a22cd8ed165e182863579377997a9ee50c8ac3aa4df1aca
+
+SHAAlg = SHA512
+Msg = 9aeed85b40ba7f86a228b5a1515ba190b2efff66993a5ece19d18baa9b4e4df92e5152fe1ec56a9fc865f30bac7e949fc4f62f0b158d10b083636b4de9bb05db69fe31b50103fefc5f8daf3af7156b4552ca3667a9d720bbb2e4bcdabadfd4b7f4fc5bc811faa36710a9d17758a98d4a0474fec27e9ef5b74f5c689935442357
+S = 9eecdbd7fbf618ddddfb6e75d64440f60445b853c542fe0fbaaa6a431294e6cb6683ae1a71ea055eb49cd2a3cb5154dc93d9aa166399f4e6294f0eb0652800d71e041c1ce1ad849c03c963bc0929dcdd11be5d67a050d02b64b29eaba655642b6436fbfb163690bf432fdceedd106c2f4972ecbf3077ed8b753bb605ec1ea03020839a318a24f8d4c1d7d8df99a7f0010ae41a8b068e2888531056a7dabbe921878dcd3c7d69416867f4012a606ae86855f15aed0da1250e59687706e89c9494baf37f61fb1703b79928795f90ccbe293a1e9472f6e0f4b890fdda3ea2522e3d11d5abdf0069519424d147b5646a5a601f19ec89729a8b48461e71c08bbe9cda
+
+SHAAlg = SHA512
+Msg = 654e189f06c7d42d5539a5872184f8336cf100691f190818fd02082ad68a7609fd095e62fc32b529853aebddac3dbf0d54dd571be72c90404bcc93d01154a9bfeff65065705f8e7eeadf8575b1ca48e28a1eed516265e34540dd867c79d7f175235d1330cb1706356b709bd796f43abaf6fce993f88eaa2fc67f0ab776daf732
+S = af90298bcef615309f235d5c3360f0df11f5fb988789f213d4c46134fee5eb104aa1fabb1307c9a904709de88673ed9951cba93167c67c09d827021b08a22c0505828ab4beb42e59a38832cb4da24ecf91f470a3b412c0712a8a59f6f2739d4e9eb4cc58d2c52592f1452dc65759abe43e8d2bc804e2efb3efc9b23cc1734ff7caefa46b03ba4b397d0714cdb8501a812c1b9f47411c91cba53a3d3b139edbd7cbb543f5bf3829ba7f5fafd8a712c0b111943f53209353afaba176b3f5dc060339d09b1fb3c213dae5d0f004d302828560fb5debf9fe491eaa66f597aa4de23eeef9176358755c952ef96e3672583b6ecd95a02e8ca7b21d7c20cbb7a757af71
+
+SHAAlg = SHA512
+Msg = 121f80b43f9757b3fa80906aeab232195f0e2c41e5bf8c091ac0f1e0bc9e43640680a1823d649bdf86aba277fad8bc85fc957da2caf7323053025ff949706c1476ae9b0953283d34d7c6266f8db65eebe96d195fdce8e965a6383320ec3de0230ab2548eaa69a47a96d80398cad57e14ce9eeac0421c1a6eba69559dcd8f0659
+S = 06a2d74585f12ea7a80527b8c635a21cc11b45dbb0885a12722126811dd25d657bfa9fda774301ca3498d05dfdfb78a6aa16a9f8a95f40f1f04bd354a522f6a2d62b324efa3c006c22c2314b01fa0e91a3dba49aa35b46b19804b07ad98fe4bc990393a4a273ce8f1c85fc19cd5eae9af0b7d1957bb23409778a010b00c6959e1b67066fdb9f8495b4de4dcbb987358145b1ff6a39ef6fc588cda1744e0ab9e7eb002c29a78531d25157c5c2cd6470551560a02845db6dbee242f965a255406f6ef47b3221a5110edb44d38b94191aeaf433c0ece3480b9d1b06d8b8b6c0a232a04c567888e6372f2e94bc2be6b827f8712af48c6f1e4f223f5528fcf348799d
+
+[mod = 3072]
+
+n = dca98304b729e819b340e26cecb730aecbd8930e334c731493b180de970e6d3bc579f86c8d5d032f8cd33c4397ee7ffd019d51b0a7dbe4f52505a1a34ae35d23cfaaf594419d509f469b1369589f9c8616a7d698513bc1d423d70070d3d72b996c23abe68b22ccc39aabd16507124042c88d4da6a7451288ec87c9244be226aac02d1817682f80cc34c6eaf37ec84d247aaedebb56c3bbcaffb5cf42f61fe1b7f3fc89748e213973bf5f679d8b8b42a47ac4afd9e51e1d1214dfe1a7e1169080bd9ad91758f6c0f9b22ae40af6b41403d8f2d96db5a088daa5ef8683f86f501f7ad3f358b6337da55c6cfc003197420c1c75abdb7be1403ea4f3e64259f5c6da3325bb87d605b6e14b5350e6e1455c9d497d81046608e38795dc85aba406c9de1f4f9990d5153b98bbabbdcbd6bb18854312b2da48b411e838f26ae3109f104dfd1619f991824ec819861e5199f26bb9b3b299bfa9ec2fd691271b58a8adecbf0ff627b54336f3df7003d70e37d11ddbd930d9aba7e88ed401acb44092fd53d5
+
+e = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000eaf05d
+d = 2d6db91eb32e36e5d5127deb034d14072fe60c1cd13c8c3dd9adbc87140b5e7136f4f89e61bbee7826f45ac1d99194fbaa8c5a0bb94db31d93723b51419d9c6f6eeb5f3610b67f4b4e2ade05cc6b8990e8832cf4cd40f2df0388c9a52072e27efebae20b4ad5951f4d20dd18943e58b786d8797652b2bb759c319d2b0046dbf69c53c075d00c287b876042fafa23fe4dd705e4e423277c9000311e94ea3f7456e32fd12afe4a2bde358a65824f1055064823c893fc93be3b8c658bb441d7f0b00ac246bf043a9c0053d319f003ef5a5533f74d630d8ce93bab416a82951e05b82c6036593eca89f0ebacd7d51ed9610af43537fcd266e5e47c0d25fedad6d047a1a1ee3eb444367e3eff7c7520ca4f779f2027fe45036204168454df4918b547a4d19e938f3c6db6ca2702ad9bbda1261c64d00b578285bdcfc9851f96a4f2cd14d66b9c1f65742a1344948c9f1da8d338ed4e3deb1ebadf11f8c281944e8849823496f86111f378bdd084c99f65fb9b4ee6271b1d1be424c294d185d9fd9cdf
+
+
+SHAAlg = SHA224
+Msg = 254ce36e8ed62e0887d4be00eefa82515acef956540cff45c448e7f9a9d5c9f40de61da439f389e5255ef8c83257ec921bfd150829c522eaa720d7be965860cea2bbe57454fc5e9588d6a96c22f2d989fd0bd21924501367450ad2a3627e4ee3ca15616748ba54219a84f8742495f23de6425710ac7479c4844d0031750f3c38
+S = 9dfd3f32091b916a56f4f357a961a525a527fd29b114b3f03829df1b25c0c5973b1c51af36633116f4c77aa2f677a3b0f82368a538bdb33e49db9fa704bd5123edefbd3a86dcc39283c2a03c96c69030f04c648417f544f08a9b4e01ae4d429ef21422ddfe76834f925c5653b1227835a9a4413da7942b0a015196faec31504111c9f084d6dd6d5a6956c55412c1bd14aaf95d828e844961fdd60cc078f169f6e1186cb0cb6ba3d21168c5bfd067dc6e460784e7c6a76ee3d8b332acfa97e5d4b656ec8c611ebd896fe90e619b588d0c615492464a1b3d05d3a963f451051c65d8f81feea925bcbee9ce7a39ba3c915a18a24a451e470e761d09855a965e83edae3fca41678cc9d098ba9928b525b50e48cb030c510c4ce727c6b93bd091b7d20b4b961165ae0e2848aa995bb73abe9a2634378d224128541ab056a31b784885aef8034dedac13167402f9f62b55741220df8aff5defb69c035d9a31e2a5b8817057241bcf854932f5edee7ee66e8917aa4a718b6c446bddf084f5cd769caeff
+
+SHAAlg = SHA224
+Msg = 35adcd3f24b6725518815cf4606f7b1d940c396384370a376e84456974de32ec4c7164da3ac749b73b30fffa836869c92a74830523cdf2866dc0e0a88d1506063bef0a855cf30c9530ac7cb3cd2e2e32ccfab03c4222db14f2aea89dc03d452069f0684a7283e4745ebd7a28240bf1e0e0686810c97fec6763144652f6a016c3
+S = b5120be98bcdfdc1e1e3312dd7b5910f073132a42776c4da75690c641f32d2899187d9b39b55f99ebe6ca0a08036372749816706664f39b27312135c50339f2bb17b2ceee25768c2bc0ac37d6ca6ee903c84e82e2f4d005d73bdc335f135399c49123662e8908119918437edb615b14e906c9f8ba1b85d5b45909f439cc8992951be1684a99eba04ecb0f6df923353516977774f69e826651190affa86a40be75b06a4128e5509c51557ae4fb410c7e5841ac9fdc4bc1f97e2862429f371aaaf99824dacfee0bc3961fb98b3ffc091f77956223ebf5bb546552358208a32ef9c37825e81668fd2c230f788ca16ffbcc0f1d884b30fe8efe6498295004ca7c7f2b173e5666b8b0fdf9d32756559f99d105c1e8042a7aed7262ca9a17025aa096075fe4433f34db6b0f197776c21fbe00e832eba028e6652653018079fee04eb3e3c12803c39830d072ab4971bcab4b79758694b5d3d8ab21ce874b7c42bedd52652219ff516fd694c3d7cb0bef0181bb85eb4b13184ea3aefe3cceea5c57596f7
+
+SHAAlg = SHA224
+Msg = 0ba573a9dbb7f62e5a4d3d841bfd9298e8bb299eb4fdb256d11d2f8d64fe03e615f24cda0bdb73fe179102842f84b5051fa3d37e7b7cbe98d8a4c92c3b594b06d266f2e9e24759d4018edc848585ab3a3c151dbe5ee647a4bfc8cece4952f932aac80add4a42cf38800b748b05489bbfa9daae6844857403f051e37b753036f3
+S = 36fd6813ab411c4dcb2d7be1ed616c1e40de291a00acd87d2b4d9d4b73c8864a44413c51f09b37844a9804f823b27a9094627aaaf00a6be942d7558be11b84a73d98029c2e26eb8f650580ecb11b4ec2363597333444569634351600212962fef5352bdba367832899d3188a747236f08528f086d93ca33a06b10392bbbd625c867ddba74bb151dcc6afdd4ce41016dc2ef0ceea2ca20917fbdb0777e23503464d0bb59cd4e12c10945250889bae2ed839b70964b2c9d957eac6222a49b337730411984448e58c027371bcf9c2c7d686de3bdae16738db5276e0f538d15b3541c0ed86d318b423d8c7f1859602108a4b11c2772941396a14a2a88ec7971297c18633020998ee02b3114d19012a09a181d01f11cb8f8cb5f438e82fb45e7678bc8df9a26f1a3495439a7ac1f1bda6fb86c9b3ed6cb5f788634946348b7e24b0894c39c506ced2da657a335e54e8f997384e40c56a17a28a9bb64875a159cada5a644ab3bd6ea7bc4ccaed43dd0955f6be6e459e2e6a7ba652f1e9a3f8a83e4795
+
+SHAAlg = SHA224
+Msg = 89530f816a5e2abd4b422fdf968ffd964e0ccf82a4fc6d9ac5a1a4cbf7fff3e1e4e287ab35226a5a6326f72bcaa7914600b694e564018cb8fa52a5897658631c96aa9359b50982ac9ee56cad9e2337fcdd1e616fedec3870a4e249a0275a1ac148b31cd2129adb7ba18878ac388c59828d4b1f6a6745d8886b5a765a338c8198
+S = 27c796caeee6b4bcd750d8df13cbe5164fd726f91baa575f702fe2966744cf2bef38c93efa1111c9277d77f3ecf697d02030f01e3d964c3125533d408834b7ce652824303eb278dca61023a2f9280352f89b5d03d008c103032b2b5c6b8cf7befc1ffffa9b559a995759a8d33c6f49ae574a2d31805ab055e646abed71b30ecf7367030bf26b962d41a2c7d7735ddc0e5f1eda30b1ae6efeaae9a4cf50b68506c21b12e3df2b993feaee448a6443e613cf536e2a711aa526487187b4fcd1fa684e99478c28b84d9af0eb6a4956c0377d08ee26ebd2d8d2f4ce7e66048da3c09c0538ff8efa178690d42f0341b28a8fcb649b531a07af1f21c4243242e045b194a04ad0f92edce482f355f66969cd90254ab159ff9d9c0c6680f78c996d7048e2c5f007ad36219d672a0e76f1bf8bc890faa56e493f0c52d09fa1265ce538e166709a00a2cd64e45b9e5acae2b95dcb22bcfe9630e32f37d0bb529efc8d298c0ba7b8d65e16dee99ad7446a393946258724d08d8476e7f16ccbc0e42638381a58
+
+SHAAlg = SHA224
+Msg = e37656defdeedfb46b14628dff3f6917b8420e5a97ef6c54afda55e07c6043dd75e7908be466e938f629001d0ece81835f94482abad5d1eaa4d0ef9bacacc133fcbae22e2dfbe13360e2f1f48a5ae1560f0b4ed293d9171a0cae11001c7afc949f78b68d80b2afebd0c79dda19ec71d8ef31891ac906272c0ffd22d974d1db4a
+S = a927ec4ceb2ec147cc457e66c12a646fdc412d9eeb1d51f3b5a3e5a8f4b0d36deba3a71914cc6f2321c39d834addb4857c82abe9280c7c8231893904bd27474cb2cce1012b921f0a4d6380aaed614356d653653388ce86ac71a27c976747c9213cf297e759fc3e2d7b1ad5ba8cb3106c0a67624479ce55d0cd67c24b5a45c180efb5830fc20d87ad3b1515e90b77af87f06c6b0e7129718a2f93aefbd1028b1ac63f6bd7eca0a00269c0473eaac55797511950b11525c24141cb5ac4cfe2d9fdbffcbddf8412a70eb1b8f45648553b7067581bc8ee2d6aa089b97e40dfe61c33faf9fcd5650f61078571f03c6df94e01dd7f90f1dbeaf042d9bbc8b3635c4c89932852b311f63ff619550aaba00f061418886224f8478708f9ecdbd96f0f2515353192ad93d46cfa8a4b3ac3eaf7ab9d1a3c4dfc62746ceb089ed3ab4051ae09274f54f2a9c379ffe8c8c0109487b6883a4849415c6a0cccc68b3096938d6e54669edaf7b82ec901c05333e6c3105541f031ab590461e7f1f776a293e593d00d
+
+SHAAlg = SHA224
+Msg = 99ea30dfbb1eff6f56ad6e0b055989a2cba11fd39e386b0026b5f3a4c28cb1e6cc3d716e1ecb7a77d4707025548f79198cea9f447b1576f8f32bfe459dbfca823d15622a3792e7ea5372f5f7bdb9cda5506cb436130096ef0413ef72155aec4775dbcdbc105c8def591bc52947bfce6d9d8f25516fe2140de2d68fd233455d5d
+S = 69210ee27a00dfbfcd50aaf2eb502c5706ddff6d9d23fb38d1112f25c047eaac57dc90a6da673876319d5c04494ece8037c2fb60203c9f23322e2c2063fa7d19165eddd89e1b91935a2b50021e626825bf19cc46aaebfab09b4904dedef8c4632aaedb429feb687bbac2b406f923ff1e844941b0c02b08dc2d8b4265fceb61a82fcef0624f28eef3a9193b86f15f7ac470df590ae855a7aa7540499dd46a67855a5bae6ec5dca8b0c16bcc69c0a1f9218ec7ccae217ac9b47e8f7caefc1e102e3bdb42a677fabe18274a5e69447b33414df5bb29cceb2abd35c94d369eed256302d758df9948bee4efbdcc4ae356e78be735f7425b6443cbff7e85c653a666ded2e74ec7f61103d6e8bac110b157aebf61ce32f8b6f567acbe92f6e3e26efdd3942af6c279c2c7b4f18398cc0ab4e276881b6046cc552594cd9656f22c3ee49807cce0f09f2bfa7abb879727b734dc19c468f4af4d720da8ffd650cdd6938249b6a4c847a51383888d1292a6163222126d5a42dca6fb2283e7bbb6c20d7b60b1
+
+SHAAlg = SHA224
+Msg = 1ee43de2d8797e65bfaf52c25a0b00b6c04e0e40469205565a9674d6af5737bf9be0f9a1bd62f852e28708e32904dbd2666e7f81c54e28e7b0773086f2975c9d1c0d619e27faa7e25c9b4c9c71d66c0cf512a0f5ee4cc450c067fe4250c4fb4c6a137cc26069127ef49225d578a83bca34e4778208b560f8530fe5f213069d34
+S = 3dd722d2f0543e66743f8cdb60341d61fd7b6ef8cb23a9e9f34057d7a0af49e30826aa0aaf1fd34efebdbfc93ae5212711a160f2b8786f4f5becc49209bd05ddf8de9fecd00af5304d6615272f2e4940bc8c39c2fbc636f8c105565ec0f15700cdb066c5ca1fd0e3e3f49452e4f6715a582227d59ec104575c174f8cd13ecabc4d5899e02ebd3e81bd2c003242738b3b95b0e0cf0ef02f8ee02896df646068ae233ffc4436f1e97d37d45d497e1a54a0d6fc5aaf275ec50cbf0b402052200f6bc35373828bcdb48a178c9688658a2363a8683ab9eafa9790eef2c79da148a9d995395d9f6a7b310f6f7141d3cb0f206e8baa82a338d519ee881cf61d5e1f906d42c2e85f25cd19d9864ab54a32969c8edf29e5ac52f62006d9219c21140007b05c63e3ba4c04ece5d8805026dbe8ff665252d537d013f709d84999f84b4382a894c1ba0318493783a598f637bc2d8d5678cf65d0383380ada0db5a510737a8b70c3baeeee47085088e96d99438ba5e988788f2886aa7e295d8578eb27f1d6838
+
+SHAAlg = SHA224
+Msg = 740322953bfc8e840cecd9963f58bea70d2bd20a506366d78a0bad86296922bd097824673b99e3060585804a298670e26ae722924da8e1861d77fbe631dc23aa72b414b017e0770bb33e079f72d8f3eb9f5c83256acdff8ce977cdfa5c28d9b8b59d3a97583b123c1f00b5bca1b80e69b4743feb30388892f6f46aea31b50c90
+S = 7c414840910ca08fecd23ff12ceebcd48b7afa4e6a87a40654baaec6c9050087b1f0b6fa04e36cd595ad293d0827e9e1c94fe033ec42bbd021f7ce2e75da6dd206b99151768d6d5ae7b1f04416804c2ad7c6744c7343c8f01be259361c116810f0ada1c64348055b2594a06bdc08db390d750e4aeea5435932a04d0e69d5906304c84e19d5fb8688ca2598b6fae6d169593fac2909238c553c664de92cba6d8915e01a6e99d8d92fecbc6eaefd93151c61fbbde2eacf2634e7b6116ad2fe8859b65a7066d7b5b77638650b60a43d8277dab0aca145065b3cf00d963b7f818ddadd7c54be5b4ba769ae013446a574dbbb8f7c22b2d1543e7b5ec08dfde38ef9ad843c1bb6d9558aefcd45d3b12c8206b792ca72bf4950befbeec04fc1a28c3720588513a29af9691d2f31dd7d39a56bcb5f499fb14ca47fa541e2ea67843399e0c8ab89c81e5893415942bfe4e470a678c0e561ed64554711b16be3350c985b61f29219c5274d879308dd25fc033f819c385904654399e5438fd9c8cf1ec76ecc
+
+SHAAlg = SHA224
+Msg = f7e37820a19d5f6a05eb4779c240e7fb586ae8c3df713bcdf9c2af7c058cc327956bb8d42244eb43ff70622f8c1ca5d0acefcfa479eee46f369d658184672237d94050c42f89db31f934fea35b2810dd9ae7a105d26ec5abe75db007bd578382acac66792e35d73ddb80415e982dd1290b98856f52b98688f448b79817248e11
+S = 563e22617dd889e7be8dd26a176ee9f67b9b3eb040ad7a7fabc089b27ed4e7a782f1522b446f42a567492137770c612dc5e428ec28a3c502aa2508fb46b703d79d1fde8e1a507d7062e26440b3a3ff16bc82fcc9b301f2b58fa81852b57f951d925164be0c70bd281d726c9a71b984280352289f8c1b394a85df9e1732a4539a30a759e8f126096bf73f7b25a5ed34c32af345bc32e412e08b6ca9b656a6928519655ec9769cf1dae7c985505a812ee44bb3b42ecbec911beced8fe87365f113aac00a659c0eb37bfe7536f9176afe9c459a08ae23600d4c8543ef3c3af4cd1011e08fdcf199ba49024f08808c475986870561d6a088b79c38ae8ce0e6ec40268bc9fb7a3b618587f55fbcd31cea9370243865492e5f13c9fdad61f40b32d3a915194244949add15026c0ae19f52ad5b70365e77f2cf53298c9e2bad06171b0908df26b22ef1c737c3b321395ffcdb71c8228fe9de027f0d310686b1683a67419ea08971cf0bf1a3e5a1072724834601d5f944fa23f77d8e77e887f88ddbeeb1
+
+SHAAlg = SHA224
+Msg = 8710a877b7a4c2e578793bd3e4d19cb56de97fcd1f2af5fb25a326d68fb737fb521371a690e49f7f1a46b7b634ffbd51986de5c5bdbdf8c4585ef85724b5072cde13853194e47962202932def0282e4108613a2e49c5db2bf323edb269e38a8434f62d414b0d17369109f276a0b3b52cc5aec72f4baa67d7fdd94b10e6a787ac
+S = a78358ef28303deba1bf1bc3cae59ab0ff6614c520eeb7d8c8fd5ced34da7454ad140b539ef75e2d65dd891ebf899a88ada25bcc35726053da68e2e02b6acd2e7e21cb8b37355d19bd4c3e36a8c1647e1a384c8ad2ab39bd22f3d30f0f9dd685fe4dd7f836ec46bbcef0805d08a784a6964cd50f58071ed79f882491a331b445390b43f2a295a13a28ce0f44bb6d63f319d8de90e39017f4cbc14533da33380f553f097e796a671ba29c94582cd519f1f64db3be894b6615f6844ff2fc62101382b044f5856b9bb97871cf137c4e9e484e84a3cd2daea8e1c6358d66cd8326c1925ce1f7d2d2e90457adaa65ec3a67f4865bf6120effa06a79deb6b6ca9f85c9dd967f2f31a22d5db25b15530a9e850aca486bc0cac2be6b0af66ecb568c0955a30495bdd5d05a220cd06cb06f04f216076aaad4382a94040dccda68a19d55b49338c9315aa802910655fe9394aa73590a6b2a0439bbef5ec7ccb520f2c5cb71d393a6cce25bf77d8033444fb3da8ac861c63dc2561ffdcce8c2065b35b5c83b
+
+SHAAlg = SHA256
+Msg = bcf6074333a7ede592ffc9ecf1c51181287e0a69363f467de4bf6b5aa5b03759c150c1c2b23b023cce8393882702b86fb0ef9ef9a1b0e1e01cef514410f0f6a05e2252fd3af4e566d4e9f79b38ef910a73edcdfaf89b4f0a429614dabab46b08da94405e937aa049ec5a7a8ded33a338bb9f1dd404a799e19ddb3a836aa39c77
+S = d1d21b8dfa55f0681e8fa86135cf292d71b7669713c291d8f8dc246464de3bbb961b596dfc8fda6c823c384008d05bcb3dccc36accf1b2bede1a95e52258d7d1bdf1fc44e18072abd45c1392015ee71692690ef8cdaaed337dd8546783f961bb9620eb5c7b8b6716e8c600351fab7765ee38a15d32d8a2c0949825c49a7f25eedd9be7b807bbfd517913786620d249823dae6fe2fd39ac639dd74821b0c120b42f31c2c639d2c61b395f09f86851bc809b34c4981ac65cf25b2e8adcbce190ef2ef67a0189039c9110f26701c3eed731c8d9ead178220ffcac7f0f678aa22268e1d01942ec51e80eef06e2112830855e87bafe8cc9c22fd737c7abbca5eb7a221d3835a86610d24b507b5dcb4618aa421f63a5609ef5d68f5760fddf970135602efad0851bbff98fe87fa58bc365f38ee7ec8ef5aab17fd11d89d91ef4c604e0d1f001d0e08869df9225e3b4cef52ff86815e13b3efdf45776f9353769a8a51fe7d891a7ef7035eecfa259848738376886edc91cc78f6da31c2f07ee362c3d82
+
+SHAAlg = SHA256
+Msg = 2bcad6e744f2490ba6a6e0722832417ebd910f9146eb62baaa5c749529f79d6ced0b81a2e2a48852c8558e338735dcbfc2285794ae60f81a25237c66f6ce5d5e801a001e7f9e309b2595cb866de2bb74ac51283b6820ec9f6ebe482e1fd2d5680b7fbd23c1e62a2ee4edff35823fc7e4a295ea4f1c332792aeb53eb44b0bedd2
+S = 37d960fe391298bbdc223fa1eb1d3cd9a46ba8c62e1da8c563c89a8f0e67b864fc89837ffc08aab7122b84c435c7f9406e165a1029857c1e4dea653569277273b1d9b0a9f5b0dc24afdd214476d47208ad5221a7d793cab80671fb4987c86bd6144880c59d24871400f64bdc6d496dbd497f3dbf642864fe49af3e21515e62d60f0071db4884f49670eaa9e4e4982f269abe724244288859c2adf60a09faaabb07990e09e56de254babbee14be7eb6eda0cdb22f3d0de8724804673fb99f86efb4263dcc5017abc91bd9cd833679475bfac50a2be8db86296bbf8017889357371314604e83d68b6efecd4b79f0a8afa0dffa448fb7fce6d344709a670e0cff432c3e187bcff7fdc4f4e9abe1095c46b01d88b6044bb950e92859010d9a0e3b2d1f27a096eacaa24263a2a0523d6e0da1fba8af768196f7a51f92fdf152bef062dd1f8327cee1d344c200c2115ac6ec1dd8514cef9e36d0ce8c32e58783c4fcba901aa70c2b42966488002ff171d36414a144bf46775183a8815de9ee3e81f31b
+
+SHAAlg = SHA256
+Msg = c3978bd050d46da4a79227d8270a2202953482875930fb1aeae4e67f87e79495289de293b4a40d92746fc84cc8318c2318fd30650e2bb9ce02fd734eb683410d44bb31ad54fd53cf9296ccd860b426f5c782ea5cb49371d56184f77911ddf1ba0039a0a49aa7e763eb4f5a04575997808b0ad9f6b330ca38edc19989febf4da5
+S = 9aed20a8bdaf26f1f119020d8f3ea6ce915138d4c87dce025e7f4e49536c8ec079edc6caf0d603bf42bd6a454a6d52d0d99fd0f59ffb3b22e9e67b3d0bb2d275d9aedc6da96a72cbff35c43e7f39a996fa8a6d338a0725f785254fe91a20834ba557fedfe7152b9956feddfd941741eff9177c2fbb55e200bbe42162b32a940cc300ab375557dffd48dfa539f50edd52df158d9072d14982e96303bc612c2c2506dbca3a939d626d2e7fb444c6ad7d8d9f3bba8210b2ac2f696783c349fc5280c105402a4b3d86bef5026c3dd999e3b22380f9dcce40e3a9cc9f1d7bc38ef3dd7e9413bb579800c0e6c3e9ab912da8fec1a4ab21398e9680ba0d04f3b4c8d53c02f05c7ae49b70a5611cf82e38de84aa8c2426f0b63ea01b289f201d3af40dad5d6e5bccc75b9959e5c9758e79105af7a9afb12aee577cb3991879db0fd8662c5bc49022752498a301d95f4b1d08c01ebc313f89c00b1ec2735a07983fd528e6388245036f0ed4a2dbb65dd33ab7f124c014ec1679f1c2f11edffb93fa2d1d73
+
+SHAAlg = SHA256
+Msg = 0c119502c2a01920a090e43357e7b28e33c7ee858b4330e05c71048931c0ed88468ca931ecf0b79c2fdc1756b7675156ec66b8335e3df09463f5aee7028fbf560f984cf698fe5c4280229ac96a2e5923d8a9d5299449bb665008ecc889797e9bb15d04b88c7210fadb8bf6f238e5d2dc41b9ccd1f80e9a3e6ad147948f273341
+S = 8abf2a30774e6e7338eca09cccaca3684399940492fb94b23b5ad62ce3e11d2dbef8966ba5269979eb9653baad719516d3e8399079a2f670275a2ed42c820a9a31fcd703a76637e0d713f32d792b9ae36d7288f60c2d1ae52683bb15941b1cd890d2cd64998b772585e76032a1702e0652cbf259a1ceae695d40cf2f4f6d81341c8bc9082cb96c752c355dfbe296dd21d69846fa37613e73817b2a07046658c9e3fc6d091e17591bb1a4fb6e2ac00a3194c1488e16a9d2903786db86ae90e96acb4de9901aaf1b0651fb76a58dcb3db473efbfb831ef8e30f89967ddd3a6c2f18979a0450657cdaeef6e59377c6db1ec46065f614024a69c518a559942594a46266e0d3ca1334296b968a23a4b11c63a97e29eb16b24c02d545d5b427e6aa585333318e63a204524e0e42ac1edb70d3456780dbead31f785f0b2a77ffeb0d37384cb5f65b4e36ca241f3b2b059105faaa3222d6c135ea5a36651aea396d22fc4ea1b404d7e834b6df1fb838bb5ba0d784a96e2ae2843db3eeea496c7ad2b4241
+
+SHAAlg = SHA256
+Msg = ddbd8468bdb036f4799f428bc8b4374ed9b7cde541337ac439d441ac0614cb75b816b80c17d237b8db73d4a11bfd929208333afedbb8f2410c741129c53932b596a7881c6a4d7111ba104d4600d1902f6f4a1608e139b71911c11c390a0dd091df369aa29d670b8a7e3f53825f7659ac74c40a0c3bfef0d3ae8307e4bdd6cd91
+S = 4e377e2459815d5b33915fa63cd477b5be7c6b7f7814d1350034ce710be67ed69139db622ef60ec6b7638e94b202368bac631e057702b0e6487b324a6b98ed7e03d1f3f20a9814b00e217a4648e4bbc449a2af405ca4b59f8438ddfd75d34d1064e58bfb325c55bd54ea6cdf7712ba807c3e4c665d620cd59513d7bc0855247eb670ecc292509661812702703275d9b2f87ef279d7700e69d995db98144a14c81774a4cd890ec03d13f858f3769e5048ed55caa81201e8785d3771ce6da51175d017d211fa703794416f469b1129d731abde744da5b2facd7a9b093d6c9743509b0103bab9c81c6e5f38bc9718e3e4faa86475d13725a829ac61df8d15f0b27cb40d0eba0b246b9c360b569b81b3abf380eec27492316bc292e5150ee0607219a2bd80ba984c7e3f1989bc51e4c5da3ae5070676e0c150d037a86a0f91bfc07cde64c19f9c7a7af44d6929970041448d3b17c249d5e0b5862e9a25209e8f97d7a0f030181504fead2266c873fd235983df3d0657b92096e2b490df33ca115733
+
+SHAAlg = SHA256
+Msg = f996f3adc2aba505ad4ae52bc5a43371a33d0f28e1950b66d208240670f352ef96185e9a7044f4ce2f2ff9ae01a31ef640e0b682e940c5105117594613dd1df74d8f2ba20c52223b045a782e850a12a2aa5c12fad484f1a256d0cd0872d304e885c201cd7e1e56d594930bb4392136fb4979cc9b88aab7a44bfc2953751c2f4c
+S = 30b348624faa9985fcd95f9c7ead3afe6456badf8c0fedbdadb3a9003a6702973acdb4e86652367db23e0a8141880d6631834f9f171c94a8fe9c315bcb8680ecfb5a4f59b45d4e4c3c05828b7faaa8e4234aada4e766646cc510d07b42bd3883a83b5bcb92d9e7cc1ddf590a690111bfc62a51af7e55543ea5188c92453d41d3e8fdabee3e1defa9d0afdb85c8153a5019ae45563ea3080a3022668168f0c273a6db1afadcd5edbca5021c2e53f4d951c604206ae10f287f451867271d370482791cdfdcb6a4010f6b3d9b928563d168da19f1c1e570f8c158f3d490b29aa23abd1ffdf20866c34c6e63b9e8a9a02d7a1b196d055f4c53ce82b400e4ab9e1b9d70d0049d6d57cf0a4949cfc68d633882882dcfdfc50cf449df10acf20305c2aa43bda10fd8a10b4ecaa23100aa47e92936dce1bfb8d6595235bbfe2c8585cb1647b2beacb1e1d4b6cef758811a68330fa9c3a82573c08fa2cda5a03f3425554e45d98c1645c5bd27d12e6c20b2c462a746e882a3421a7b1b1e25b4c36c8b16a1
+
+SHAAlg = SHA256
+Msg = 6ace052d7e99cd973bb5c9f6679b1c305e07208965fe58c63b10a692f1dbbe22fcd0db15893ab19e107ba2e42c9934a9aafac32adf6c73473f6969e42c983b8f0c96a4639ef77d2c8e88e8cc47d7cfdd08f68d973a7beaf401cb4d1311992ddac3a9c9e067da198adc6304745f5dd312a182e6971c34a515a6c1bae647e57e4c
+S = 5f0e74f454754a3074faafc605f3c9af47604a8983650a9b6211fb191d9afa5315df4db4501fd4f04c741d764656d4a5d006388ad8fdb219ec6b756908e23b30cb639ffa7bbf2874713bfd5a1062c19d04e0e4a74b14446a7fdf5cb812e9ac7b6012d9ae991c47656d2aded24074bb8a38b1a88b1c2b131e5b09c93757fdb2d6b69aa8265a435fba00aeb36a1f629bc34b876089d28a948dd6ab4c899430da60a26f6c13603fc889c7b2936ca3c5156bd7fa6e34eac9e04800833ef0cb9b6eef788c0ef0021a4536fb8371fa3e2c8bb8befac16e8092d69c571c1e15fd255ec0a07acf9ae9953831efd3dcbef44e0fccebb1af959d71f50130e8acb4fa2319261fba12f2715def82bfafbf40e345ec5dcdab5c1bf5f66b1d0e9f7a9c62c9375746e1ae0c8f14a489184383e81dce2070ad4b525df76b446b1f22921d424d9ba3ce21577501df6280fdc69f0239ae1127b69950759d5f0b693f54e87e0763623bf5d3ff69430081b9c9e2445a05e115675e090bcab2aa1d75ceee2ad619ec8b80
+
+SHAAlg = SHA256
+Msg = 0e49740fdcca6bfce294c11f45407805b3da412b01ef3fb513e70e62fd9504c0670db69c36b6bebd69a0bcd240179ba8a47816a0c3437a61fb72adcaf9096f2a22efe0b431fc422d225301e850f2f0f4da87d6944a8529ef79781909ad96d1f20596f93e17c57fb4d756974bbbf900521cb089eee0ded5c956a15b096162b07f
+S = 7bbb3ddd17a42be7cc4e7eaf456509a4ba58d40c49a3d99573b733e1942f9fca20ba8b910708d6e750367e847302fc603b8063c19af883e7507fb0d9cc2be37479a37cca25b8c7c46f6bf661dc6a3232f88b483f1b8f41b46d49ba3f1795d68eaad4a2556fb5d7873bbb6501ecf06ac558235ed13990b0e16f67965b09366bcb362cfc6fb978f4f68d8146dc8b819804df424e8ca5b63cf1fcf97bbf300d0b998860798a63424383fcd81d37773d59bb13b4fa5d468cd128bbab18a8ce5173be5d9d54d3177f0245788409973df4a9016b944baefbf3bf1146a9393d22e35ec2be0ae6f4c31dc4981f40fc1baf382600699eafcea92cbe24e26ee846fa23bc193b6e721401b7ac3f5f4ebeb633979f8ef35f4ab1117a869d5b9dbb7482f0d5a59e4163548d2512ae067205b57d030c483f720d2c44350428f5268943fc5f6ea1c88e2ec13ab3dc1456e96a3b8e7c121af4d6a5fe4ee55e99fbc3592a487c194bc2f2bf6e79fb79c2876cf3365e075beeacc7db4db7ee69e7f1fe12a327e6cb0f
+
+SHAAlg = SHA256
+Msg = 0e675dac9aec910106a6ab219b4cceb52ded2549e899c9a24d5ee55177761888a3be1a2def6aa32d62f788132d6227d9309806fdc02db7d8a850ff2c6dff37fcd777f1a0acefdf18bf85f1a12979be86d799253945fc34a288f348b7923d764db27a2a2d5ae20e6b25372ef318f8596529d8ca23fd6f08a8f62e0a1b6d989f23
+S = 8052d95f12ce0e6e53a5a356a0eb353bdcc1a66514d6cfb3a3d96155310bdda0a0d1795f97643f3a4496634f2dd9b95a2138ee390e1e74be3134f3f47a919ee7b59f8ecd272ab88c82cbce7c217e5f92d057a5b00fbf0575cdaecd7dc285a4218c8a955216598f0742671e018e8e4e76839a575f50b2102a8b77d1b84f6dce98d78e5758e0a6f92bf35d6a2f18ad400925d7880f9efc774a8c7ebf64885cd2f6f629b54a7c12ec91d39b3c2518241fdc322d9b235a8ea44f77e82f3dc4f728f620c07d1e7ff4094f29c674ab0f0802efa1c9e6481ebb84e0bf13ef468d8cca114570b9edcddf98ac4a834fe7a0d5c6fae8a60a48399f3c8af42ff4026e42a81aac36114ffc053f3f729b7cf9a97a56848ebea0115aa8298341aa226963ebdf57ab2d8e4b9000dd051a6c5d69f60e1dc1b33f2094fdbf8e5b627bc0764db9522cbbc081dbf38c21b13f980813bd2b00c757ebb8c0b21213152e694039f306f7342857651f722bdda01212a8552799bda6ef07c5207dc744ef7969afd5af2e6f12
+
+SHAAlg = SHA256
+Msg = f6a7a6e52659125fbbc8727417283b9a64441f87121e27f386d5019f10cc9b961e09f1b3b0db23630cc0caacb3858c6f93afeeea7e1a6a80dbe0c2bd9c7c939570302dec39a4a25cc0cf1d32a71a75b9a0c302bcdd80b046c86651acf30838cd52e30399a8fab8d03fbd140cdc2f1f02f2480405169820ccb32e5974ffb8b1c8
+S = 84603acbfe1f2f769f1a62b0f287f306940b225476714a4b6827c02d7bd052f303f30a5fa6da83e60615305669ca9ec177c5b32b1415eebef78620296ebad6dbbd520839d3aacc9781ac8602ddce0736dcfa7290b45f155b8e924d0afdf7dfc8d199bf09509d0176a68b145756eef53de456e17078859849a352a5bb654239d8ebaf8800ca8263d34a868d52bf8f22644dd9f3c05bd891cd92f263530c5896023c6b213ddb64ede1770ff1686c34036e281e911d9dc960354fd844cb7b22dc0cd81a96203ba818401ccc225f857e59a5cb7ba6dfc7f5135ea32781e63daa14fbda1bacc18ebc50824d4028b8fdecda49e810bae5acc8adc0dca2e236fc832a97330a1214fa0aed15cd10c049efb65ce855c060f05befb317b8065843c4eb5a0371fc6f209f6ffb948c881f2f2091caf0f59f60b72c5f67271bae96b913fd21fa1dfa975d5ecd62b0d50873b686d29c880d36edcad33ec3e2216c9cfcfb4f984c23fde815e280a802428608bed3739af9200de1f85edee2834c04942c068aacd2
+
+SHAAlg = SHA384
+Msg = bb294b95d913005b110987cde45887484ae6df794873dfc5c41fb7e8992c2fdce70699fcac8004699961b3ad1e1fce9ec8ea5685ccec5e80e4d0792559816f68613434bfaca81a843aac459a6fe35f5369c48e9191e4a32c70789594c5152db8d4bb02260012a8739cf325ddff2aa42fd67b6ee5bfe31591131ff27d0273d292
+S = 32637c60798b450bff100bff12838357deff281d5b31e4f4c2cfc96eb779ce6d31b1ce8bd7aa7fa88ddc4279c8c3280604b018ccf452004a1488ed4750181c5025636511ac6724fe51761c27d7cf9a0c8782ea2231268853c4b1f7acb0005e5687c8f3df16c962f02ce56b23d387a2baadc8bec94229c3557526e61707a8b59293a976e32c7fa133285088f3ce3e677788aaa947e7622c757e844b117592be99fe45376f8b3013e8772ec92c5bb0b9fa301b95544599690ad93668d83b2daa7df05c66214e275014780a912d8b1932d7a655058e743f50b074b1d9691ca23a2f95f6affbd516d64ccb2aa43c236eb95d36d272545e3beb8ff5aacd95b30f7f1d6418af042cd9a0cf0189846262322a18875ae4c3e68e4e8ffaa0276cdd99a0047c86c0f71d2deefd50642d29c195e6d14fb46fbac33a508c1f03a232de08aae09faf1da8ed2ba2ae84bcca88b78dccbde9afde08a3beb322dc79356b29c84841698914b050beb75a7b2f6701aa8101a5a4955ee27bafe81b21d03b43e3c77398
+
+SHAAlg = SHA384
+Msg = f946c6bd5e1d6b89092f3c487c0568fa07c356fae9b8e831b8320289039746a435b122cfbc4a0d316bf90d481d3b7d979cc50d98c1190af8dc58e0035557dd5e94f437f41fab513202643a77748f76c6b77302bf40c392cd18731da082c99bdedeb70e15cd68bff59619cabcc92adcf122753c55afde0817352bc247d1170b8d
+S = 50706ba49d9a316688a3ee80a0bd986757d43ec83285af9e78196bd52c900d40b280fa0de54e35ace7d6660012f1a66204092f0e634b97e0e51665b4075e36f1422266c7cad7b2d9981b913df3fa3e6a5a1cadfc6378a8540e0faa26f1cc6fb2fb492a80d0a6945bce5bbc23ddb3b10701f0249b27407a6700802e8842ef3cc761c4823acb5d1453508dcdbb979e7bd8d00128e60a9b3789167c91417d93f0e9fbb00c9af1498e09eb6485eb94cea4883f6a256eab2caa826de4fdac01baca3a216e3d204a3d837ffd4d0be2b2cef711909054c4da1d5b93a8f98451c7002ae84a5e7080d98671c50e3c91c4087d0477b104f916010e742f2d207fb40d122d8f211af6d7c5eca49542d9acb0f166e36abc37155070c12e9f28b907d67a2ca70bfce554e1c44c91520e98fc9ad0c0ee477f750516476a94168066ce47000030a99c23e2c38755de946d5edf0d6aa94212f992315b248c1f82723b29c42216c78cdcb668f11278261cee9252c8fd0ed37d0a8580ca9b9fde7505615943712da19a
+
+SHAAlg = SHA384
+Msg = 9a337d4c0bb9a005b47f4765d696d19dec58bc8482f2173a4a203a0b6d38b4961f6a852e76468e807c7e457683eead5cb8d98642fb76c0a1eeab36414c1899597d57aaf96782ada586f61a423f57953771d520cc4ead90d569f23d950f8dfedddb8355748576e6bbfb6f2e91b3da71753fd2f4ea229f6d20e27db8d05e9fcb68
+S = cff7aa7f875642fb9343e07ef5e7303bbf5f069b44c19fbf83e59d422e25267ef9307414b6b1ef61711ed0013276d1a2ad98390474027a0a703bfe8a6e87706059d89c060980c9c9e60dc7e1fb9f777a41785ab4d2b663ba0e3c1921545c479c2a383a50da8e489cb22b71101d0ec148ac70928732a772195a140d080152762a9c40803a39fa2a6978c2a75ac4d8bd1bccaa1f4204ba65edddf32fedf2d9d0a3aed9b06c47e717733c577812d723dba74a852b2905235c812dc5f1d0df0f0de73dfb86221c6ffdd1eda119bbe98d148add36a4fe50489b06aaeefcb5c2066d90fa79738706cd18e474d69609ff1210c77de7cd23ba2a775a4329cb271a826d602c401a71439019cec10cd9f184c4d04584211827b19eadac3258d8a0f2631613f051aae0c613050cb24442f15ed4fe0dbd290e42629141bd2cd56d20584a1d10e1f2c2a9ec731433d5bcd1d318bed5243b4b7d0f9a7982061c55dfaa86b2c01845c021fdd2a978d42034212f43b3351b6adeb03bdd6caf7de059502f16d77348
+
+SHAAlg = SHA384
+Msg = 32fd45e73f6f6949f20cab78c0cc31d814baea6389546a365d35f54f23f1d995b74101187760c89bb0b40b5057b182e2fafb50b8f5cad879e993d3cb6ae59f61f891da34310d3010441a7153a9a5e7f210ebe6bc97e1a4e33fd34bb8a14b4db6dd34f8c2d43f4ab19786060b1e70070e3ed4d5f6d561767c483d879d2fec8b9c
+S = c389613717ec7476ecda2144d0e8c8f9d66fb469c167c4209ec0bdeebfb471665d33dad47b8f3c319a76fe8a8a9f662b6c690b74903d17f61e2314e5ea8d26670ee4db4dad295b277ca08ade880de2e42d12b92952764c1dc808c266dbbedb670158eef36e896f55a203fb99556ded0597410ba37486b1d841f3d6d5c0b39f2f49f0c5794824fba94a8ec7c2b2c91eadd5c8cbe44895fe3be3bc1727d6fc0e5364f53578639d3b3af696b750a07853694ffe145a28c03620c78dd7377d094d92c3e09546883d4703e62a98ddf81fd01fcdf3c4b215224fe2b1b4992abf31f20d12afa868202390de334a846b2d58b253ea8ab3c5265d84773a659e8bac7af44123d9ea15062e65d4d419cf2d97077d0624f8e5c36f2c7b35ccf95435d5c36886ff9105a6c1ea225e15ea8cbc7b6bf6856151cd76fbb75b5b98f0e3db516a8e218189fcb1cd5de3cafeaa33ef135c5d8b8aa5f881afaacaf4c08bd7281255bc2a33b76d4a36e0b170c45588239e5b38c679b08cf802af73b6d79b3935949461e7
+
+SHAAlg = SHA384
+Msg = ab66cc487ec951f2119d6e0fa17a6d8feb7d07149bec7db20718e4f31d88c01f9a53d5ba7ece3a4dbc67af6a35d130eae762cb7962b9ae557ca38452464002223f61bcd3c7353e99d62558ceedfcb9374d4bbf89680c8e2b9585603e076f1cdb0058299b4246845dc79d1043b1422efe84018e4c932c45beb8851fbf485e36d2
+S = b51331552b08be35a1698aa6203d84dbfff9001ed5dd776f2be4ddfc07dd4620e9654e82a33465bd20f11863c0ed02a0aea27a44d414c328a938bf877e15838ab99d670d01414262e8865dc1d9fc30fd0812699fa690c34f302f637ec802cd40ac8591e976c0b8bccb1b0137af64a2870210e8fa3dc431fe0956b8addff1e4b18cf07e078aa93af81bb3023c9e594e66595fd92b10226ea126005f4724427352c38e9e85fc2e0723f80af1f61599550b5ef54c5b38ca405738017b89cb9468d9741cd6bdf7112162251ba1d083cc370a4a8261c39b6b94bf21a53b7564531ae9ebc4ccea7ebb8bd314b2e13b58ed1018ae5b415e0f9e3e19a5ead3a44603f90674a190febde25f8ad8778aeead4d0f64fbae37166a54e3a763e35559bf8c3f173f19ff7bab98f3ef803dd56c07628399aff87485ee73dbc3db34ecc7bff3a53226cf87bc81d256e80c09520c8f38e9bcda095e3635128e1bedd9970600546a751eb11dab42e289d6fdfea04bd58d4571a79d24bce4508c54e1ec4cf75b985fd3
+
+SHAAlg = SHA384
+Msg = fef7fe89b9a59902a70a1d9caad09ced8bee4145edcbe3ef7fa6dab37635129f3b8c5e0860410ecbd9cec3d8693682f25aec08b071f05dc8213bac8cff5d52b576653560bc01575604e6ab90f67227fb5c901a781eddc027700913e54a7fe51318482c9ab42c9d2b911b7ccc39ccb290f9a420a5dad93394d4d7b8c53fe3f242
+S = 45068ca6d82f2c123925cde11971215d8fa4a4df6848bb7654868700978764854638921bea5869280dc6ad9581ab43ff7012969948a5677fa0a66136a316a4bfecb89adf4131b5bedf3d4693b780d133af9bf9c133305be78374afda3ba3854203324481a9d10b9ca9b92dc7d74df531872ddfc76caa82de020e2c415643cbcc4280e6d2f4371fda7d9249314a8f437648991a9b03d71b5839ad38a1555ad34526994ba56870b6ea18011295f2ca2b0713b2e92ad77680c0dc5bed8d3b9b31ac14df769949c4a43ea67f6deeb3dc9ed589ea4e8a2cf6695df46f946f1467b28e875477ae4e645080fafda6dd551d2c02fd6b2b194fc0bdb050e06d4c784105f5a33b53e73098055963071efc1bf397fd325f3a6f4e10d76f0411a001e62ec73729018316f56310f893a59363d1f6fe5c17444b6c728a4933b75212fdfa258e4018b7763951ab4e5096411df9e5bc16df3896e46c973d32ac9276a4e2b5b80e3d8d798dc0470b45096b4d738669ce052ed818e560af1e92c915187d66cc308b70
+
+SHAAlg = SHA384
+Msg = 82b3840eeb95c9c57724c70f112b6c2dc617c31785acd0c823f8bcdda285325eb3d308dc790522bc90db93d24ee0063249e55d4219ad97145feaf7f30668623cc8890a70f4f149866f82cf86f98b0053b23c98c8dd5e9107e341460e9bf5d88cc8bcd1f2e4c007cc1c02c4529b93233a0b06bdd15925854ab9e3f156eb925bf5
+S = 0593b9fd4421452376d27bc7a280101cfd6e88a6727d7d77cf65ceb723ecd257f32fe10277e85798e0da75917736da1a3bfc22adc7658fbb84da6ebea0b07d1cc405732fb040b585c1b63c8034069bffb8220656f1ac54ce693720d6fb1b5aec67b03c887c8077da148d10f48af7c028f992b18f13c0e57530c086d775483da5f66f3a6a19187868340ac63c6212bcbd6cbb7beda8620afd9b66de47473ef24d1b6a36f4ece9add49514fdf1d84c7a785b7f0e00f382235899790f472d13f48558a4314742f376808dec96edd2e229e943f7b983bea5ec6edfa5e9bb37f588e55ef62ebc9214beaf9da502434e1088df272c6c77c1e1d897c47beab77e3bbe317f8d43d21fd7e94337c7e263e2867bf580a2a8ecb9e36ab7d3e1d5cf9a23230953d59df0d7e23558fb612b7918abba31b164ce178818a1a9e6b6687f4de685d70e16bef6e192faedfe0b2b95477d37b0a3a2d002f33ef4321cb905040ce06fda1c98a008767fbc781a1eaf3375dab8664b590336b99e157b8687a6602fef6a3b
+
+SHAAlg = SHA384
+Msg = e153cca4431ed9713f4744ba054f5f191cb37b280108ae3a114ad349a872d1308b46211a83758a3b4be32fbeac42ccfee7e23df853ca400147077bb43a44c12f299b917f3aabdf589eeb1709bb3d60b08bc71eaa3ffeba4e2903a5dbd8339aae85fa24b9aee76130000605857a6aa197d00926270dcda58b7de758a6ca67e617
+S = a835cd4146bef465642d494936268a311a5490d2c9f9166c6ce98216a9a23a643597300a0050e6445abd5a9bfc7a2d9b70726c824c383bf5acaddddc34d434a31e5314d25fb58e258f518866c136e52855c16fe64ff8f1c4d66c4e9e39b8cb1196d80944d0746c0a3e1769cd4167df72ab5e4c9dbae9cb35f4828e12099f9b36a5a70c48d4aec9872d7b19e1291b33cbdf08a2263d500c0a83b5237ef6ce92de344b3b41d0d07404fcd5467b046b52b8f85fc6b5d7afc437f1ee9e78390ca9bb6cec618885ece29758f2fd6f4e5f4f896935de5f67cc04055a4c4c0fba5def8d2caa179331a85501ed25822ae79da9bc815cc39c6a979211083e8683136c942e1e17e9eb8f84aacf091aa1e51665fae446bc48c304af65391f279afb98b92e04c2b73d9d94e991198fe7781f0f9696fcba2c03485f76e6de30b9535cf3903db2f3afa851a47bcde72d4ed2e8fabf9bb7d4696cb4ab8c289b0c21e1f979ebc532e280cd9010df4ee72f84bb9e82752828f167030c0fe348ebc31ec17b8f07d94b
+
+SHAAlg = SHA384
+Msg = 9c63899dfc7bdc0db384727244caf71ecfb9b8792b9f57e936b3c2f5695565a9b0979f3c78fd73f00981813a16da342392fe3ceec6e63ffba191cbeb4f4b90050d2fccd83beb0622b2c3fff159d9e608f3abcb843bdd56c03339b975b9f4e3265b32f6bb6ccdfc6c5752d6e0344d749699c74c85b30c04ff95b272dbcfd6c7d3
+S = 4d38a297302ad0770d9729ce5b7212eef287ce0250f403e32b4acc3617dc0d2edcccc2d580ddbdbca5722b70704058a3b807f592e400bd563fcaa8b066a614b4906f1433968ed2f520a2f6b034d4b2d6890a241afd1adb8639a6cad9dbfd2e278dfebf79740d75f295759d29130b19ab19983dd68f779de41ffefd4e82b5e62f72f90efb73437f08a2503dd9819dae20ba9706c199de9cf884433eeb756286a85eae14bf9f6dbeb705461d91822282f18efbb10589a578f2c9c345b079a7e9dd07fd4b34051b27119729906c77dfb7d2f8fa6bdd5faa1e132bfba9d391e66395e67f01353fa275eace8b53aa91cb6fb693e19191d42a4c1a85a0c504b1c85f49a4d60936dee4646aca62a94aa4bc7828c1ffafde8be656317d506abec179cc90191d12356ff50644d3e01aa5bcfdd71d3c828dc3539dc0cf3fe8b9b91e0c2524f6a3710379c90affd0d0a50d74387f9ca88b46463ef1bdba58cc9a36e5c2c435a20d968350d15d941c3212cdce815592b310d259860de1dc1a3d70ac22302a51
+
+SHAAlg = SHA384
+Msg = 04846c2e676ac73160bf4e45652bdc6cc4d4c9284577b4320ab77f6ebbb59a1fe0e085588e0f90b346cde6441af3c9d0117d1f3bcd962e406bf5a465ab6cda2d51be598fcbb29ea713651aacd7e47d22d8fa3450904730f51792ea374761a4dc1fc6f1bc657b77768f31f463e4267fc8dff61150d4b343b9d53759cdd7b98094
+S = 103bee57e25be8c3a2f774e739b47f93435e414932c0494b6b6aa2475bf7c9305c73747e0adf82c2032007b3f75a69c93112617a62566c5a2deaa25fb95209da49fe9c161cb2ffa40fd9d77f1ff660c8b6cd3b54e3e79a759c57c5719802c9311db704ba3c67b4a3113754a41b8da59c645be3909e7db7e7cf7294dab44f74240f81a281eecd6ef31c7cf18b1a19c7d02a312b91d6edfaa954462d34740af5ab708db5a10b00c542be82fa2b2026b09ef38a4001457e27a6023770e4b4d5003267c85c9eea1d5f8d770bd40b554d5b4daf146dccabac3ea8a13a05c3bddfc971c5158fac027ca19b7232621e9d2e37b6a655af545e44a298be78cd475c22a48bff7c3494a5f8a6abdf1a46f9de082e374fd598867d61e4d51daed84152e43cc6a2affae205edc52613480d411aba84fcc9b69d1c28f16f76836901a7c5b3eb2f2c940d0a3fad38a8efab968a0c85eb22e11d3d0861136ced5f06734fdf8d4f151d23861b1cba9b9c580d3350c76d4dc808461d5f872ec548b2b427dff74b1d1a
+
+SHAAlg = SHA512
+Msg = db6c9d4badb1d9b74d68346448b4d5340631783b5a35ac2458563ed0672cf54197587fb734c4ac189b2dda954cdfb18b41c010a77e90464eea6f863c5da0956bfa8cc636bf0a28be5addfe8d3e7e6f79f71d7fcbbae23ea141783f91d6cc4c8fad125811760ab57133818892471a79c6d04eafef37b2fbe506785318f9398377
+S = d480d5a979ad1a0c4ca329ebd88a4aa6948a8cf66a3c0bfee2254409c53054d6fff59f72a46f02c668146a144f8f2ba7c4e6b4de31400eba00ae3ee87589dcb6ea139e70f7704f691bc37d722f62bb3b2cd303a34d92fde4deb54a64dd39184382d59ccaf0c07a7ea4107d0808260ed8d421cb8b1407cdf9e915159282b9f7bffdbf40d877885da7399edebd300a7e77a908f756659a1824f95c8a812aa540ebaa64ab54a233723db55caa8b4466ea9ae6614ad1bb869e9d8e0d032f3901671e94c0b673be6537cd54278ed3da2e1edbc04ee3a9e8070d73ba0ffb93e60f30b87ff3862e9c53908f2c8e99915668c1f46635e05bf7163051ff9d92bc71a626553c69dfdd06a49f7ff1ed51e918f3ed801dae62ca276d7063d72a6ebc136ba06cfedf5aa23277e81008c63b2e0083d0fd6814f6d4b4b40a42e8c0206f3c356a5ec709b7c8a4b74b7b48d53c9d8694d27359c2c7701938d2f0161721a57313bb1a2e11da215872498182493d8517043b4c03f93446aac93830276542026ce83055
+
+SHAAlg = SHA512
+Msg = d5dd3b6ce9772d9a97fe21648497783bac5bb5254aad82b6f7cbf43b15a40f386eea8d151967db149e9465865968133f246e1347301adad2345d6572ca77c58c150dda09a87b5f4da36b266d1fa7a59ccd2bb2e7d97f8b2315431923530b762e126eacaf5e5ac02ff1aaef819efb373cf0bb196f0e829e8fe1a698b4790a2a05
+S = bf9e8b4f2ae513f73d788958003733dbe20957b147b17c3f4fd6d024e8e83f07b65d9f3dbc3b1fe84da021ceabfccd8c57a014fbe5a2bce3e4051b7d03e09fc0350b6a21fad214ae7a073277c77a40dc44a5aeea5194a756b69c93977b69ee9294360eaa73a574548fa6a974a7cd5a6adcf09e80631156af85a8e5c5317e189eead47e2ead65c381396b5cacde260e937284a8e90eff2cbcb9dee22925f2f7256f74c67cf3ffc7b8ce657e8d135f0f376d9d936a79792c981614d98e3f7d662a4fd46dcda96916b32f366ed27dab188f184b984df0b559710d8ff2040be462f91943501bda4840fdd5c8ec15d189064def756e545db319e007c433f0468a6723357ba47d156ab7652b06ae2b18874f0771c626466dbd6423e6cbc518b5e4ae7b8f15e0f2d0471a9516dfa9591697f742862324d8d103fb631d6c2073d406b65cdee7bda543e2e9ebff9906985d1cb365172ea623ed7aa4c7a322f0984680e34e99bc6231b02e3d14581608bc55bca7fbe22d7f03e904da4552e009e5607f0418
+
+SHAAlg = SHA512
+Msg = 591652b6eb1b52c9bebd583256c2228680110b878917dea5ad69e8c5d2ab514277b0ac31e7e2cceab2e5d9c45d77a41f599b38a832f6b2d8097952be4440d1ff84baf51bd70b64f130aeb686145fcd02953869fb841af7f6e34eaa2b996ccd89697c58fa255cc1e81f621400e14146361e31c709e84a56082231199539f7ede9
+S = 1de79d7216dde125deb77c34d90ab321a4de5fb11c296656ad9bf9a24653591117ace415e18eadce92823f31afe56fc8e29494e37cf2ba85abc3bac66e019584799aee234ad5559e21c7fd4ffd24d82649f679b4c05d8c15d3d4574a2e76b1f3ee9f8dec0af60b0ced1be8a19c2fa71bcbc1fb190899ec8556958e0782ace7196b36658656cf364d3773de86260fd8987604ef35eae8f38ec2cb0da864cca719219c2ad71c08506c412ec77995f37439c856977b71dfb9647990ef70faf43273ae60839cd0679ec9aa42bf914e421b797cba218a400ff9dbaa206cb9c2b0596c709a322b73cb82721d79f9db24211bf075a1cef74e8f6d2ba07fe0dc8a60f48af511ad469dcd06e07a4ce68072139c46d8be5e721253c3b18b3c94485ce55c0e7c1cbc39b77bc6bb7e5e9f42b1539e442da857658c9e771ccb86be7397647efbc0ccb2c3ad31ac4e32bf248cc0ced3a4f094526b25631cb50247096129b08a9c2cdfb775978b0feee265a6c41991c1dc4452615b78c906c7ed1bd207969d98d0
+
+SHAAlg = SHA512
+Msg = 8dffaa9151271ad22622f228c892e1d9748b3c394397f2cbb6febeaa9244a027eef28db48a9a660162152764830f617e1ec6ea1cdb0ed25b6f999a107175a16669d6dfc92b16d50363fac4a570371ea976343a55ae124b6301ea935ed655d44f28320899dba35122505933b3371201a2a45f95ae65ab442a9479125e68ed212a
+S = b329aef83a56ddc57cd9a0e15eb0b0b7aea7d78d5e8ca3982bd31cc825a0cd1c444d9f7bea9e7a27f3bbb3761060ff95fee1a3e864d2108fc40b64786a96a6d62d201217e03a8ba2c07ee94c267149d1e72cc5779b737e8547acd6aa4bba3ff38bf9687e9e82f511b597ad7ec1d795c36a98bf83a90fc86b0cad41953360738921936a458674b2e9a7012ac3029fdb0a9d12318202d2544a0d976ee536e03b7e8d894b3b9c762dab0110849cc1eaad747e3d88d7dcf49f824df027e645c0b9294e655d9fc9e1ef95eb53aaff5775c349486d4b5d67dba29b6217f8b9976612b57e16fc1f99983f2af04579938606879b7c7253e870714b4f0f24e26dc8c7a6fceffb5f98e3b2fb5db949d2f98cd1ae1aa552696b48c39f678e154351cc756d3e9a97f79279853ebd0db9ae6859fb2d5721385d06f5565a3a8ff0992d517acda1af69a92854a1b32a79cb9e442a90b055bb2ec3af8d9926a0d857e3cb1e7e4a7300d1accb9492ec7832af453529ff0f4a6ad3259757f707f713aaa5df231f7487
+
+SHAAlg = SHA512
+Msg = 71d4163e708c121e931bb9692b217dddd35c7346f61cfc9591f7a4313abd4a9262af820bd7eb37e78c2b95b89daf25ec8e783aa1d4b78dbb96852433b4d478b109a6d65eed7d06f3fe122b172149eae7c365ced66578ebb7571ec218c36b65d2ee22dcdebb28c66a7138432cbdd712f7fb8bf78cb14860b25c2b4789706b5a1b
+S = 2522ee3bda30c0434e54b199da8c9733964fd402b707f5b330f4f754a0502c7a713c7814f0e851a4a4db72690db96ea8b8813bd8629a948bb30c1b8272a816b30a755fc6fb1754167c3eb1f194395907a56cf5a73b4154383a05b78b731fedd9077f3c2267a5cf926697871fe0a4bed9c219552dd1c87aff50613094bcaa2dec42a35380a6bac673da2594f824a8f32f21d7593a3e49c78ee280193a478621d3b095c16dce72935314d4a2323eebe7855ca4738a19b5a31a5f95ab91fbe1289c02fea7a65b91327b7b9790556289e1b988e45d50eb8cea1581de5d5dfd21001c73b43921d8b21b9644b0f2b96ee6b09d73709c33338143d6a2fec559a436c5ec865d3acca5fee654f1325ae57255dfd42188c84dcb1f7c1e86028a74e31d736078741ee97c39a56e4de00fc12b8051835bbd0d8fcae737322099adc1017107022dd15c114da57e78b95681ba9945615b59da90f5a2a99a252eb42b2006eedd6e78476c2905473ee6b4f23c1c5cf0b80451c5426ea009141cb3fcb0df2ded92be
+
+SHAAlg = SHA512
+Msg = d00e1529228c79a20a1c3668ffa4a54140bb170bc5c669fd7560d9309900175e91d5a0e9c5f5471fdfb714bc385d52b08ff7e4230184d8b735593f0dd8c73b8a49f8595b951a21b6a5bfec63b684f67c0af1b471dda1684e9ba3f241501fe957603dea86784230f0c4fd65666361b82b187330fb4267404c0e059bd4eb52494b
+S = 1835dd97e5093a33ce1e62d683863f6b3507f358a62fc879b524350fbc7330681cb0c682eef4330419caf8543bd9269b6d91d8e107ec38b6e9c6eaabf906457205d52a900e05579aa11fc581375264e69a925798e5a348e5a16f1567d5d0e40853380b34deac93ad7377aae8a27b090d0d3a92bf7a824d926e2e35a0c3bd0e990b591120d74dd9b052a73568e3c3f29c5a77fb1c921bce9c1e7f764aa67bac119f5839a5303860edeb634814c2386c831fee6200cf55b6bfea058b795a0fcf26eb7216ae1b7587c82e5685e584170cbddc89a77e0989d4ce5c3c7fdb664aaeaadbce1f231e64798f6f9a85456b5a93a502126a80e2d21f46921cc3601f5ecdbd56998a63b865fce7eb299f76af40e91281bfc019f40e0d46811e383691e4024c94566f18024ff2b22aa7e1270233ff16e92f89c68509ea0be2d34511581d472207d1b65f7ede45133de87a5ffb9262c1ff84088ff04c0183f48467996a94d82ba7510cb0b36cf2548209a50603375cb82e678f51493345ca33f9345ffdf54be9
+
+SHAAlg = SHA512
+Msg = a35926685561f09f30925e94d74e5661892a2ddd524f751f8321163d611ea1591a08e0dffd46b208e98815a306aa8514b4db859dc1fe7bdcdf50c095554bf8b2f4cb9f884d70e55c2143bc26199c2f94b743f5528dd54689ad69eda660749f5c1bea8becaea632a4bf0c79a577edfcea7baaa6861e9d7f2dd5b4c4f6eb5f3d5f
+S = b1a9c45a264d2c9af441a7b2d330dd788089ccef205d5d666bfe864367be9738124e9d74648ad99160bd3af81a81858babe667a5d95c980fe2f6ac34861eb2ec9b4b4e8b642ef3820f56ca388a556530d42754c47212e9b2f25238a1ef5afe29be63408cf38caa2d23a78824ae0b925975d3e983558df6d2e9b1d34a18b1d973ffaccc745e527ce76c663e903719355e45cd6d118ed0b85b70cbb8e496411353f84f8866a01fadc819ca0ff95bbe2cc68c8cf78da5581becc96247b911d185ed1fae36c4cad26208eb80883f42a08123dac68d88f2f9893cde02ef5a57661db2b3e1e9269cbb0e15c407bcf55d92e679383c90802cd0bffd469646dcb60ca01a1dead43228934018391dd81f8b7e797e527fbe1815b91bf3cd6a1f2ffbf5dd166acd5526761ca8bab5d463fb9fb820659f5cd50f8150f12f7e8d52e77773c1e6480c2cc184d411d641f71a9dedc2c5fc2ec37a2770a9383bfbf6a489cf32b56a12cf99378e39b50bdadb9f0591b2065f9d44e511c9dfb6158fddddd1bc2cece6
+
+SHAAlg = SHA512
+Msg = 1271a0ddb99a0e1e9a501ca33c131b0a1c7820a397790869090fba373703ac38ea00a9a0ddeed199d97be1801ffab45206710a61e5ed894c3319012ded0ff414386e56b548ad915d80afcc2bdb976d7c8adddca7dfa28aeb694033a5612660c644e32f85c2805651d713660a38914d70f0e41fdc4b3d162ef3acd70659eef637
+S = bffd010b2ec4e4a32777b77619b87622f8921dab56e102c8d824fe52b5df7a203fe71799eeafdcc0c8872dba6a374407b5639aeb5a30a904712f15097dba0f2d62e845412395cf09540abd6e10c1a2e23dbf2fe1dfd2b02af4eea47515957fa3738b06411a551f8f8dc4b85ea7f5a3a1e26ccc4498bd64af8038c1da5cbd8e80b3cbacdef1a41ec5af205566c8dd80b2eadaf97dd0aa9833ba3fd0e4b673e2f8960b04eda76161643914242b961e74deae497caf005b00515d78492ec2c2deb60a57b9dce36e68dd82007d942ae7c023e1210f0be8a3eb3f004824074b8f725eaf8ac773e60fbbb7cba9630e88b69c8bcb2d74dbdb29bfff8b22545b80bb634e4c05f73e002a928efd5a6aa45621ce1b032a2244de48f4df4358156678cbe039c9ebe4cee945a25b9038469fe00c3092936a8cff9369045f906733a9d2ab3660182069b157ca8f9b99a71fc153c68301e97a38fc3a87ae2b6f03754e6da82d0b0726e0703979c9320289feefbcddcd9d706b71b51e9a1b9dc1412e6ed4b56676
+
+SHAAlg = SHA512
+Msg = f30c783b4eaeb465767fa1b96d0af52435d85fab912b6aba10efa5b946ed01e15d427a4ecd0ff9556773791798b66956ecc75288d1e9ba2a9ea94857d3132999a225b1ffaf844670156e7a3ea9f077fe8259a098b9ee759a6ddfb7d20a7acd1bcb9f67777e74615e8859ea56281fe5c400748f02d1a263b1867a3b51748ab70f
+S = 345e2f60f7c82c89ef7dfd7dff2bc2348bab020479330899d4410213b35e98d9bac92fd8ae806b5bce8a6c4bd8275b0facb4dd13f9d68ba67141fa5085264da6dd685a6d212170a2c9cbf2cf5930180effc250868c984bf50ff69d6069ea28f5bc1b63705d0732416fd829a5f5d6217462c22a33fd4652f7c1d198794646c08406024e8163a7ebe39cfb514c5443897b5894dd19a213e037f27e0ffbd6c5447a805a54dfdf4f65819d4e0fbee25e3dac47fb6b636e8de6190adccbcee937d0977b35b973606b0ca348758b50cdbba028b73d0ef01c56014c031c598fe8db87d2ca4644770aaa0451c376ded82ff5c6b8e7d2ed9d1c8a17c3122c128273c60fd1b0088dfbc9c927f162e43879405964cb11ef7899123feb8f88dd2734df98aa696d936a8df07000e84af90101f7006a9bd2549fdd0ad3f9de093012d32d2afaa828017ee9c607cbf5b54f223666d4b5f3e26e0dfec003961b83d83de39ff6a0e81e1883c1db4aaaf082fec5aa30a7e578553d89774c67907790c96dc4f5be4c8c
+
+SHAAlg = SHA512
+Msg = 132cf50c66ac4cc54339751a0ebb865e1d3d320562fc905c4abd1e78e464066c46c3a0c02db0371ee35a104d66dda864c6133e37cfad9116e883ebb73b295e7016c34ea9911a309272ef90114d8f59fff0a75193fe5ae31ed99121f9c59209bc4bd507b1dc12bc89b79ffe4d0df9209762a1730136290cdee58ec828ccc88eba
+S = b12503b7b2f783618884174bcb9be10877960431ed6363c807e12db71b8b6bd9d6401d064e253740158e8b900152d37faf20333a7d80b3d47c7c7a3fa12091ce31cd8aae272a4da15fe2cb5cfdea541195a469c96bcf695e0b526dfa48a59003c6763af8136392c4b8d24db314746f42aca550acc65e074913ab82232eb8593509158a8ba34bc0f0e3125a834a3ed2d6a8cb1d085f234ae868b86aea8d6f82e13a08842485066e48aae4837873150f44475e12602b552dcb34d1f9fdaadbc6bff5134c6fc76263888be67efe63ee1840fa08c49938858a9d48b1058d18976bf2e3bfc625552f75b3ea44eb91dd366865f240a0c336a0110e0fa09d09cd94c70cbc8895ae3d44ae3dff545f0e8c8cc662ecd40f9099a952494396c6b423ebb463409969281cdd54ad87a308e487ce19745b30d5da76b98d2aa9a007a55783b3037e5b8662322810bdd11d86dc3f61451149391fb2f14ed9c17c751623a4042ce7edb875ee27bcd1f19d6dc9283ad06d15e097e2b0b15a7eb7128adbca0aa6adcc
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/SigGen15_186-3_TruncatedSHAs.txt	2018-05-11 15:10:46.384876500 -0700
@@ -0,0 +1,233 @@
+# CAVS 17.6
+# "FIPS186-4 - SigGen RSA PKCS#1 Ver 1.5" information for "testverforgen"
+# Combinations selected:Mod Size 2048 with SHA-512/224 SHA-512/256; Mod Size 3072 with SHA-512/224 SHA-512/256
+# Generated on Mon May 11 12:12:05 2015
+
+[mod = 2048]
+
+n = d39a426f8b81cd954f3df5512d6fcdb796457c172b6d510247e45ebecd1e0f7e8aa3253a61293a7b70094b70d65d73828719ef6aaabbb24e083b943be775b0bf3b5a0dc8388433de78e0c113ef7763f767ddd1542bcbdd9845919886ce20e28922754af2a733204bce9b5bd50140e18e5ba91e4800b50ef30ecd48b4ecded67a2f7be8bf7d7f14378a8c9ba0e6103d02f1685a334e46713033c89908da2e9f8bf72cb2a529281d4dc66799cc2a63c872b6bd5ffc1fa9ada236e7f8d5796dd9724e5e4ccadaf160de7f2d69c84009d31e952ac808c89a784be70cf60f42811928abdec6f896a0fa5fb164f9f4298a5a8831f6684dae31f2e76146d6be14c3ea7d
+
+e = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000101957
+d = 057076fbab758efba2945f16d3456c21df4b7cfe1a8a762af8389e42e0b648f4d452d8bdffdf2097f75bc661efe939dd99c170c1672c9a0f21ad450347333fdc52f350d02ca1e6516cdbee38d3eb56b15f3f062b0d4f0901ed9a05a566917c5c108b20e0da091b8ca9da43b7b066d8c28d849068f6eb803d8e84ff243172c258cd7bd18858d2648dd7a55a2cb4db3feaf3171846e3e2c883f50a192be5ab4c79dd330584adcae17f1458bcb2ab43e3929cbef840e9999bf0eb5601e88ff8758db564a756346d65d8c55f1b11b9b092fca7f6b2394ebc3109b3d02ec5a0967ea645d127fe0fb9f9fa71637ac6f0b92671809f4aad1278a6cb5e8a7247fe53afdf
+
+SHAAlg = SHA512/224
+Msg = 2ed1a4a7188b534678ece3b40ecca29e2359d2c8b5aff149d4a93ef84cf67822846fe97ea6a7a36200c40a36ab8e922a6ac6ca24d4b99afcb615c8ecb3fac1422d549758696946c6edae3bd62ddf1739674eb0f8cc7c58ade0e663f22321e31af129b61fa7f7c3dc0751807cdee6b833e39a8b2ce31fb6c21bc514f2e6936510
+S = bb2969df7eac0f17e07992c00c8b561d1c21482f042a4fc95b739aace629a12f6086e399bff9aa71268203c1656ddfc890570bf49dc75d8a7bc510413135ef931473b0ba77af4e5691970466bc2a5ef811b4eb94269173bb365ed28688c0078a11e0776ed7f539717209536079dc7af515386698c1e539dcf0b3c08e584e3bef987702aa02e5ab329725026dcf3fe64193a4e27451e5e77713908f07c742af0a2583a04c1f1a0ac4e9af5878a9c8e53ac1eba469ceef836f3f6eb9ee2625feaf933905c308c21aa75a76cde1d8bc41cf77beeed6919dd75d3834b3135a781cce01a04b468f339bbd21c74a323793c8f439e6df0f3dd4226e5ba8c712b29f7acc
+
+SHAAlg = SHA512/224
+Msg = 0553550199e9dfb9ac4260d6b44e1376e7b9083af2ca764bef8b529b912a206ea29f0a18b08f2f0803703d05d2ef42b8b68ebf6b5e92ff10851ca68521968d16dd50cd44ca6b1ac451f753cb6d58568917ee19f301f5f7c686a947c9e1ae33529eb0c80b4f4749f6801dc9afed52f8f2f21f3e5c42ba0676dc7a5def3b3cbb29
+S = 7cd30a88ee2da986e79b74a23a1831e4a95f9cbe665c9ee2e87b55dd13cc71791377c532a55a437dd4c473aec38bb094c876f67b62b03d473cbf868eb56add83981ced4e4aac6deef6835378e8916a434b9119d5d89204b858913889a4a1682c711bd1b951d354902758d0ef78cfd63b6b45d7d5433f3d4dd52e945be9d9d86c620585df3592a51b5855fa412ace6131c14be6ecd77f15ab7e77f55255bd5ad2edfdf8a1830b4be0836b21f806920c6998ccc3262b971cd4ee0ca48a60fb90606fa0c16d7141a92cac3c3c561d0673d700b0539e8b512d4764e5be5a9ab41d295d1a1e80f342a4ae2df75ac5dfc7d5f44d3e9bdee9cf25e7d2f04fc707b92cdf
+
+
+SHAAlg = SHA512/224
+Msg = 63f2e16f20af0c0366156f5c16138b075bb7879f30a1d2e523b60a1358191d6ed057ae1bebe1ba332cc07b1a3d848c0c337d4ff8122e8c9294ff5aa4263243a43418a38ca68551e6ab818126b540e93dc555236be822535501930957ca0c691b169f896b59831a4369c14b2b8631eac399a5cca0b9647056f3dadfd64b8dd6fb
+S = 796cba47cc498f03e78aca4b5919b6f0df5ed22e8d62b1124a6633033dbccd2a54aa9721d00a1e6854c1fc348686ad5cc86055e0454ab55365cd871d1fb6be5575eeecc10f1b66e4d4e4930bcadce6cd2d8bd4af1abb2ff7d905475e29e4e2eefb71d6ac7da59ba2efdc8ea16c2fe5d130fb6d002a7ed81e88a29c08010766c74f192c8741bf36f739198bbcce1e44a86d09251f8737b3089fe145e110bd2ed116635d7a6ee09590a390ff4599dd08a50900f283e2dd1c1760bd9b0eb8603fc17c6f8bb58aedf985b5a58784b1b0162d8532244835092afe4f647ce3110beb934192c8fa80c202e1777511f74734d8ac138c3d18a605b4c7250757738e2c86f8
+
+
+SHAAlg = SHA512/224
+Msg = 4b94be1d97d9b71f112bbc5abc55fe9160cab66726e65cc462771a7ab07c8029422d7960783b7e04b15809f662fa4df0655c24b093c64959940fc716f660b1007d3a1442babb2a7adf1dd063d27f3ab280e8e63d7489ce62a842e2a79b68b59ea3c6770c85e123494381f9ea356c2f9e5b75e456f2b555a945195376c61df5cb
+S = ac4dd101f9d7afc504da2d6f920a4b0075eb04604bab6fb9602eed006b3cb19ec14ff9ecd175df7ced0a06f0c2b6270b9fb022eb4950c570f636dbe134070c8b2b3b4a3f47f843c3a9ef27806b5ce8d857807491771134ca4df42b68c51d2181c788ab78916b296b75796b7b8e65487e962fca3f1ef941748cafecb184cd1ce5e0a7a9af1c4c11b08b0f78f287c9e4227621da2d5040424645c9613b0630a239cc46977e9bcc92099d471a696955b939831454b4896cf0e453d2daafb56793adda28fd5667e7448f594a4c7c080f2707dcffceb739e431e0309fdcdc6129167c083ac223d1d5490fe6c9f6b46338b6482589850cc5815777099d48432155d39c
+
+
+SHAAlg = SHA512/224
+Msg = eda30ca60e21329172c70ed55f113a716b911222ec91c629b0faad4eee75dc257dcff89044a24885f2320e11ef95189d9217927194dc1e76c4c72740fd9b714b5560f5859809ed0df5532b3bf6f0aee0b6e577cf4e31999c90af90a3f83dd34cdf1ead8ef29d48b2e3f30b5a5e6b25c13fc46a4402d75f227a7a9080c6a32ab0
+S = 5f7c8326b43a402c8593c4972a127b6573fe9f482ccda74c476981ba329da45d4d4c5b1b5030f6b9bfee4f5d8baad7c09f0e25b69b938fb61519ee37fe8f3b9ac22b8dc34fa30d02d5ce942ddef0bbdc0d1a340ca06d0433ff319eed5963c0e647acfdb772623e743334ba2514dc67095cb4c3ded5ea0236ace1104cb9092b9bdd1dc9e730ef5d2f8b2a34735d33ca86b57fff5340e0e7ef4693e6cb0c178b26524e250376f7eb0a52c33891f7e19aae2b2647f5104606b7f6638c0782f6daef8186e22d35de9329447eaf4a61e8411edcfaa19c2d39332671ba402b96e1769001278aa1218589b15b6cb154e6283b43e2537db37a8080583b09a4788a5cbb7e
+
+
+SHAAlg = SHA512/224
+Msg = 0219c1b20f988cb51c781ea982b5528ca14810363af7ced31a715696f99acaaca124e66f535f86dd66526848310a324e2b32b70c51e4768fc8bf638bc43aeb50a83732f96fdc9fe74a9e9a6e8a9e94cdc139486424da412134139d3c9eed10245f7c2cb92bb6dfbb10853d82571a7ff0ab854ca57d823871a6968b0f4e5b4310
+S = 858b91cc53411dbed6483fd904ab75820f8c8c9519297c472438492a2bda440aa6ae35dcdfdcefd26641a85f33540e0880da323f09af8787cdf5e160e793de127882edeb1eb045f29146616cdad622abd183b60c051b54adf8fa20726f4e88cc54c0bd9723d3553eb7d0687ce0fbc43e53e2e8eeba009b7545e97de3a457a8e7516d3d5ac4f18a98cf678e076d3a8e3644919afebc2a785567abec9f8de54e5ba051620a709d2bfddf0679666ae17b1cb6d7cdc5164728d2d77a7013392b418c0e87a4a89d396ea955cbc347365f67a5e711504fbe499715ff0764feb75dc0956eacd964ad41d399bf17825a2f4c33b710783903367d3f50994e3eebc634caf0
+
+
+SHAAlg = SHA512/224
+Msg = 8bf4a151ce9d8b24dc1a65e006c04024ffcb7c9d4cfddecef688e210822e53d722a718382d4351a8cdd0a307f8becfdda1818ae32f3789c52e8bdb2644d97be46793269e4ee36a742591000e85285be0a35481acc88f1a4801fcc6a11793b400c17f718c19c4fd114d2524ff97450bb66f0c0a00ff4cb9dfd7a54e8ae2a626b2
+S = 2da985add2123356dbac7b673198cedf499d7f0fd0db13dfd4e56ffee3f267d82e0c4dc0e64696817255b8dc6db336ef0be6a170dc30ada05466edefc04f5e36afe144debce14be4500bfbf87619c0968283b2d2e4b8068f10db18b64668d1d0345befac543971a2c2fa9f1a41fc2dbf6a4ab0f649b6c639af54b52a39d7d1af0da135e0414ae89a1cccb3a944a99a719e4fa6461757e0d1ae26f551a9337c557435832b30a3a42dafdbd43294d3aeaf52e7086ec8e47509e0a281207a3d4980240d2c11a5a577dee6e8fd61b9b90e91c4bc8f5157d004d5e4cf6c42c2dd8bfa253742f27d36d709cb2382e54103d911ba9230e4e348c822f9468525d46abb5a
+
+
+SHAAlg = SHA512/224
+Msg = f1de99141084e4bbbdd13b3ce88c97bdec31d9a8599fb000f611bcf6064ff4b7cb26458949157b164c496507accc34d5d0f925dc713360b2a0d61fb60b6e12ec7c270308a285b6c81455138793e486108f6ea7b0edd9168f08a3a93ff61aca960ccb1ab9a43c5b7a1dde8ce4243d5513327aa64a56fb9c3f3561a4b94fbae25d
+S = c6201050e62d28500cce52aaebdebf30a008c6f491715d75cd60a3e9b5230e88e902120e536fa269b391e824f262457529e744f13e098e8c43832dc1db1432235b58d88fc35edb4c5de8854d2198a708dcdd274f267d40079169b29b78edc969462fc623cc04269f6eef15b1e6fffda09d618eba04512371a855225ae5cb95b3ad455373ba2734879ef6e711c3cc7cdad9b107bed385a29124307e8e3b2bc506923f08802446d1c0e6d91208b5242f20ed2637cd47a20f7e1839de8fb77109467f4cfd6e04080d5d8fbcf2c3ba7e7324c2d26ded80b90b053d8b431879ab73fc587c0383f59ad7382fc20589a740d139b8b60aebddaed1866a6c47788207b782
+
+
+SHAAlg = SHA512/224
+Msg = daa7f32aa297904a9cd29e24437efa2f02e611393c73fefd8fd8f2f75a8cd9777c7d3af55f035fa43612b74982b5784edbb78812eda39e84c1f0a5f03e756119ef23548706f2e322a11cb5004d8a5c7cc88b37880ccc9644888520cfb1f0725cb9ff09899e4e62ed67575ff0abe5ede052cbe4419fd52f646fff2c3bbbe5556b
+S = 1a38bf4fdb86d3838b7ec493930b8833a65aeec2cff022f24cbdcef0687e00043d815bb680a394bb64922a97f92b908a028698dac233219801cb353406b5dbe638d0e03865916905b124b88c58dd349b7cae77964a54ce019e9f98cf3fc48f9f735b28d4ac471a423851e13cddc377997b33337f0496720b3bcc628ff33d1f710b6880f19957c144748d0c189a9c3502697c0f06f5e29271cf52c3a3f8ff489abb55eb26cfdda242b0e7f9fe2c9e8cfba5fc20dab7220a62b391f61d8d95f7d4d623f6c39951f07f071918b462f971c70937674abfdd2c4eff79e7953d4214b217f972e0a2ea6fabeea818d830d723af1c07c23cefd7b55a30c0be2d452d1f02
+
+
+SHAAlg = SHA512/224
+Msg = e46df524b45b52dc601c061ad57317e1d6acf4eefd8ca04cfc8413232929ded13ae90d3b4cf651652b875f41cd4093c51feed9400578cdee9b1321cac2b43fa3d8cb3072c62ebdeb4053d45248c32d90f4cb2c8672750aa149b730afe1e9e3f1467c267129eadc9528e92ef54fe42c6adeabb7674c6a9e8d8dd8077991b011e1
+S = c66d6dd789496caa62af318c023b24fe99444c0a2f179414c03c03aa3bcfd547d74e56cbc2c48a4678ffa3904964c0b836717d115538d386138096dec8e5a329e16183a2096dddc6a0e3c559c3d273568eefdf3d75e5af3bd433e3657892700b95fdb408f8e5653c48cf5672cf9d838a9a75fbffeb5b85fa8453198f566195a3bc2e2bd900d15b752b5395b8f79226748fa2e39d6d2efd701bc86d18f6e1582b2129bc7b961d8fc0d00f464c7922b8ab3d860d021ecc40df63bd8844d47a8f9d1c4d919f85da59c0c048db5b5fb64057be25fee66966c7486a796fe94f6c32b5464e87b6b59e30cb63253f5896a03ba55866ed2e8c8414af2823b11b43446a8b
+
+
+SHAAlg = SHA512/256
+Msg = ebd3a776554384912b8b900160a07c024f3ca4d05229411090bce06b16a0137c2ad466ecdbf794dbddc4fb8294d94e176fbc8af1771f2bed28639f107f5cfb6e5454ed4aea52f17ec59cc81ebb7a27584e3dac9e3980150849aeb4f36ec41eef125824d8a9db04428a1be01afd0b6e8b95c7f21fc0d369279ca3075c0c61e4c6
+S = 802fed875ef06dd2fad2ef123f14b360c0ed51eada42b4db56d8e62627a85a18fc15eacd2467d76e84efd1245e4e62ff9dd7c5dbcfb3c83d9cad6e0be064a3cb0100f3ffcd4c4025d654174a91a0b13767f5f8352305e61d54cfc61b9b801c57e1287e759ea1599b68bfcbba043d776e3f1e75887a1cc5d1ab878418bc15a356b479e6b4d12b7d49de850b2976b8113135c0df094ee476a5d6ba3b2a3a03ecf1f6e97f1e0c3ad17245221449a1e0b69b9441d97f596cffdbd93041b11757d19d6a3a07c7d204eb0f53ac94a5e3bc69d8c49cf1bfa4ee9c1e4c077c5a18296bef3a0db41524feee3cc83c2c2642c633436e635f11b43056c8c590f02ba3d2dfae
+
+
+SHAAlg = SHA512/256
+Msg = 266070328b55680fe6ae6154c257ea69b71cf487eb177bcad96a69875134b7dfc0bdd594b2f44c1c951ca2f4c0c27d37b4f20c6fa1aaa3ab2c8fa5d26fdfa73641a7d26cb836895cedd14c94ffa8dde25b09a1213ad448536b2fb1f0527a077e31863162a60169f675352adb88f3509134c97b44be7bb4e91eb1538a02ee1fde
+S = c0ac3e5e77fedc499caa520f186135588f3e49e2034c22ca5b74951d41f73bc656ee958bc43e9fc460db006c94e46b03f05c5a730b16e6f0ee78ae32cc6fdf40994fdc978529f97452db1f7acea4b8eed5aca0a29d7e27e5625aefff258b8f1468590445202cac19d47fca0b0f51e1f4d6dbe53d9e5abd26f889354ec2ab369782f4f1974f6a96141d509cec6e575e83dd7175c61923bde8c022242c089e080eb209604d90aaf8e75771b13497236ab10c37fb9eccb13ca8ced8f54ece38b0ee40938464d9a423bed7d99a2d5ba186bd0950b201511bcd79e379fc3bf254bc519f61beb06ab3bb1e1efaefa185fb9db286043752cfd9590a292650bc86e3f8b8
+
+
+SHAAlg = SHA512/256
+Msg = 379c93ef037a702fff952ffcb463419aa861f99682aadbfc6ec816cac3ca4fa5e496a0cb6481e1496d1d266e6252887fc3b129ac51047243732a9f24d9227e755f6573963479c0573bc30369b19d001311a8a12634633b33bdfd13fbb468212771af143abc8996c3322ed0d7eb6931be59ef6bed73efbf3413ea7b399dc5c125
+S = 4f11c9706aadddb4e1b7eb2bb3bb103622e196f1910263051797eb50144be64bff13e9ed98a0359010fbba008b326b2b32b576d027dd27f72b25309af9f9ed7055ba450bed042aa6139c7267bdb0a2e7ce42825e85a408c436cb34777229709d1002e8cc674bac7181de213976a204c34aacb705c09d113df285a3033f8d613efc0a1b76c323931c9ad57ece6c92ee5943d3f25edce1c909b2abe53421df9617acf1eb954957feec82270d75818710d0e6902ea907b8ec7b7c46bbd02d5dfca53f7d7638dd600eaadee55d897d03f3be1305f2b55d75df913d2954f0076c622d79a1f6d64e7a010b0c4ce4243869375be5348a330c79d6f23ea022db1848b73e
+
+
+SHAAlg = SHA512/256
+Msg = 5621976367502d7cca6282203b39be61d495771076e3322f6a5627a548394535188476b1b8ad246b7ec0fced1db2f2eacdf38574a642446e4dc59145d359a5dbda27d4c4fa7812b563cab739c3227fa66aa5d550ac6251fc86737f988544e229e4323804f4580041c1a53a6df3326e7ff2d3ef0d4eed61c05d87790626a30406
+S = c7af1eda2595e00132dddaa70c0c661175446cbd0408c22d63e6c3deb0beb7788ea2980996c3bf9ac54237e453ff0c17e50972b1a9ed6edbf36beead7c95b448b6d071595bc768d67813c94da0ad60e0234520db54e8d7c0f1830345d5f69a42fc25f0e4bfb0fc2ab3cc16d6bc1326be091f60f94f4c5329080b4946907b5e65dbb9469da47b6acc0e91784491de3118916837d34f20d6370111c31ac9435f31957c2e11aacf0d8bd035a5babcd24b9c86eb063d60aaba2d82dd2a3b0a9a9d6ae1e00587e10062f9b9e79abc70786ce5f236f76edd3844e094aef5b545e9a1491615a15908e1dd462f0464c2eeaf65bfca63b16e41639bf6329feb1a23f9d4d7
+
+
+SHAAlg = SHA512/256
+Msg = 320844c2661569bb86cc39aadca462569e49f26865406a2ae0ca148eca0c9772196cc922793ec41ff8a03c1f03a2105491ab1ef19e185cebdb2525fca411d0ee327d87161216561fd57383090a401e70699dd81251c1198c75e34c64d25a7e4ce40327a519e34743860db570d8c6b4338ee8c8d26684c89515cb33cd3b2fc715
+S = 9895bac5cc4c597b67fa64d2fdfa04a80f939aeaf2a77008ee3640aabeb7f4c9c9985180943ca6b1f5c69c2a80b82481203a273a097ab695dcb34e5156c2dbc91f8130bb7ad5c41611896f765e9dc00403864f1e0b356ed033dc2bc1ce80af7c5a4db8b5adc46291c1296b4bd07b9b8939b251d6b16e7c381bd9d15679216fdf26d70caef87e98d5626040e6330a1403175ff486fcbd193e490b68874231f286a41ae8d4064746b56d05dbb44606544b826c1a2a640311fea0da8c334700cd24f23dcf04cca02b1ccc926660a40eee4ef52b499e1e6d621adc5d5fba3dd1ad8ec821cce5fdc4f483b37d034b1e43c75260b6e8279aa19368ed11caef97767645
+
+
+SHAAlg = SHA512/256
+Msg = 27ca9976ae87ae9965460706f263a58e73d5b08a6f560b1c0cc52cb783c82be1d2b51837b1b392b2c61c952a1c269418d2c3c8a010c5c7cf3f4658217a4786463f97f3256bf76f22657bc99c9933e5ba280b0f68ddf08f9c64347edeb634d807d838d249c59a6d6fa92b4b664fd2c1fddd762fe9bf1e8c0ce15745f721d748ad
+S = 55e970eeb2e59d99e8dd99624e17dbc6fcd116440a3c52f3ccbe44a1cff830da6ca689eecface8d741f75caf86d32a6c39f40c03fc5c139bac8534c58f110843b7c3be2029077c03c2bba8141f9d3c6ab6bfbc9b50e1e9f01b86c025e8e53dfb08945a9bfebe21d92eca4d6ba17e9287887870aa6128862536b8edec77ef67f7a487cf3efe1abef05c0f91c7bc754a9eaa76f6c52164f603ddac34fcaa48e4b108f1510d0cc07865fcdcce9137fb6e5e9b6056783ae28c85078ccbe79ef13e17bcfb9e144887f7f12e465331ec1aaab017881d7d8535852814a30ce30cc8f43abd8ac1221c3b9075e21a0c7b0b403adba4ff4f03fde2d453fb7982aa045e10fc
+
+
+SHAAlg = SHA512/256
+Msg = f807793110d50bc5b9e8e63f6ea36cc6c60a231c9184677e24de5cccf19427ea5b4c5e66c8a4bc5bf72d1a9594b79af509d0261798871933a6763b415afff36167d5b87926bec920e8981ebb8a9a9ee54add9215d81b5a7ab1b65e2aa8fc487cc5a971b253ad98dc3530daf979d4de5e303a515c7cc7921deaa8aecf02138e04
+S = bc1b30f08663959cc99613a77fbd5fb4708601f3ccb0ea60e8e4097d841dbcee0ccde9c981439f7bc57e4e731b824206c9fc112bacbe1202f241e3e304348ebfe4e1c5fb1ce2f7b8ca13d951b159632743c31bcef015f5b1721adef6dcc8272314e04ff6132aec675899062d22017cebdf9f137c46d8e60136364ae3c1a6ebe162e61e94345b5f01c383a1d0d0e8b40638aa799c2c9232aec1cff1a335b3ca81eea40810ceae8ba0861cc1c58c7167c62e71e2348cbc975cb6d544b11bb18e9126677ff08ef2dda191da6a6b0335830fcd497cbdbc0e93f1af6e76a3d04f0fdb00ccaccf433e395acc3f46a33656a36bf19738e055ab700ac6bf7bf340c3bb15
+
+
+SHAAlg = SHA512/256
+Msg = 6dd9bf3b2c5d312ad15baf8a61d6ff9a751126d8e0a42fb892d0279cbc106c0135f028f61d2218d3c0cf9227bc2bc6f2674c44156b3cbe06b34d0fc88bac7d1b02393bf09396321f057e025c90594368410d1084a016c62b8fd90900753508069c5c020fd8e10a776a1207112387fe62cdfb940dc65bce8fee1d1c2cc3d39629
+S = 0a77f1a9adbecac036af4ac6d9cbb3174cece1e49bda029f488293c560965ee5d4da14739a91f5592363e4e48524e4da509ef42cf89ec1dc0ac15228e7cfcad359294ec054552fe8b4f3b326ae4a423cfbda45035ac60d253c0fc3b8a4f97b1e2868d32ed3d328fa3720ec6930953538ebfdf2ab152df1b7a4d759eeb75a9dad89612819100d60491e0f5df6db1823f6129029a97d3b1b83d167cb5cffde87eede6c866b4c1527b710628c15c9d2506082efe7f3ca29a27853c2b8cf3ed38f95c119c534c69b67d42fc84bfa26410d9954a70a0845bc6a7a360126346861eba3c01a88191c1153892c253f2b9f94848735767abba4cd61b606fe98209b1839a3
+
+
+SHAAlg = SHA512/256
+Msg = 1120ebd1bed0fe7773fbdef2f2eb01f1feebd5381cfca7f297c9c549c6dddf359114b391324fea74396c3cbed376dbf14b180f43d1581df17b826ed58961ed3bedb5b1f10be2dc9dbde6c3539a8d4f6778e8a3802ffbfeeea0b6e33ef627780b2ced2d17d0f09d9a064fb9d9cf9a23fb8b42d818bd4d12940f4e6dab9695484c
+S = b6d865ecf7a530f44db0ec48c9cbc3344fca90f3f995a797721690064481430f70d1c4895792fa96cf30538399bf0d72fd72cad522a0bd8844711767be2ec124afd6721ac1da69b27ab82299e9a04e727114bc18aa7926e2c5d023e9dcae02aefe0dfc6558af44cef4bc2743767f883c61402f6340111610c22fb0bac98bf4ce59f3a68f7bf3b972ab96ede3929a0fc6de4d1ff345fd240554a4a94b9ff1dda1e9f201cc76a68ddbe81a869cbc308051b4d23f4364504c29242c0106a9ffb86c185f70759086a176a0b02387ee274ac7663eeeb7e90125c3c3a939e63b2c6aa7009af62ceae5985e05e8aa9da33f7dda6afe2b2dacf7c67627e1fbb7f627ad0a
+
+
+SHAAlg = SHA512/256
+Msg = 5c8c2f1d7fc7da4e9ba6e5758be726e6e227d7bddb0332228f7e3ecb6ba2e8c3e06b556a5ce077be7a83ded876ebd1b9e3b09e47a0872e9308aedc5d698b87dab790e6b582611c5326398d5b428aef766be3a453211747ef019c85133d312e1e4ac38b04d892f39707909905d809a8a2e18992e846fba4bce40edff3cfdd0315
+S = d1c062a5caade51ffc1b5da0f5aba1c737b5b7b745c8a3afbf8d14806cad6e2707d664aa89266dbc1ed6815659d8481fca830e0191119670f386951420d7347d40f2e94bda8e74db2d169ca4c169fcf63e49d062f96e7fa843f85042a9e291a1c2f1460c6169a529355dd951fc1ad312d6a74d95ab38bce753328f181bfd6973787910b17b31c819b2fa02765ff7567fb99741e1f26a400e754ae01ffc2b1c1cde69b019982697c471fc3091a67c2f08f6728180b22f793cdded0c5ec15ce611ea353886c97bc45779fcb2ac07a40877c1771bba6b337c706f6718d40e1e7591d5a0371d2ee7003c087ce9244f56381a9431ff56ba8d60b170c19e02d65cd226
+
+
+[mod = 3072]
+
+n = a5e68e379f3c4c3c908a04ce63c460423a7a10a16df4da6166fcd8b141000b14c113b216fe4f5f174a5935c937e0c6d83286ba13b137c4d0be7d7b415ced1d6dc0951098a477dac41df6382b9a50108f57455d853d4d8663fefdd5017a533cb71a8707ae4803dc2cb93e5453573652485eaf9e175e095c7fe72df7dbae96902c15ed0ef968835e72cfbd5290d2e3ea35ace7a2d30e58687d388a3a6540cb4706a6e596a8a7cb9e18741c6eab632a2300453fb47d3b543381519b7c727913dbd6e037af5bc8d013c3fd16c04ad2ca464041898c54b0067db757b88dda0a2986b4520c514caa0739b30d1da85c0c84188507ed3979bafb9f8cca0b2d6dde20c6ac06eda11e6a69bd9e9bfc3c35a1d4b52b85568105ed694c33ddc810b1d4a506538cf9f4b3de2fca2bf899c9b8b8911466fc0830cc1f3a9c70356fb9b2cb9a62021674e80e024b89bcfff00e633c548852d4eea21a5e5ffe7f7ff86ace07926f4cd9ebdcfeb90fb2cbaa9152f79223aac5fbcce9e66b6ca9d721f0714e6def0699
+
+
+e = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004c9c53
+d = 06903d86fc4b1351727ec45d3bae17c70b180f8824a087e8afd452850ee2803afaaf599b71c07982c23cd8b09713cd1e93526ba803898a2674fdb2d8c2716b8da670116ca4aa4fc5f6c020796ad5c27a6d1a27afe8c2806794623116494e6374e773c9b2686f2453da69747ad2e0b68a490e7e513289ace6f6d1a0dd990b222cfadb6a800f9dce7bd3995cda61e1f590e412555515af9b919bb3823da1b5d6beb47fff2a28acf8d7f40dbae7263038680a4b642d8a28048509e2db9d41c65c23eb605a4d1cc64f140ff5ec7d46afaef5532ae140f9a50f9d2763f2d25080b9afc7d35bec13a11d34c4ab95ceebfedf0ceac76e7ab1d66b9dab618aa00667715e6054a06add76a73ac5b9a0fbb7f14015757b9d07c70114f4d3759fac34c22ea8ea1cc9af9761b688fdfdb0f481615675c5b70759a202ed80eac1f60259653537d132bf2edf7770fb376f513056594a558ea9ff66df859ca4cfad1447cde2299fd2658f8db01bdd15abfcef391a1ce4e0d6127dd9464048b2f92a185da88abc6d
+
+SHAAlg = SHA512/224
+Msg = 1480473f19360f666e20dba9f0f29b073932ced8cf9b50529ac473529cfd525adc7962d5a3b34aa3eb0af5d115aee5a8dac0caea84b553585efc447769e0c99450af09069e1cffb32fe285d6e4aab2ff9b2f665b5fa02335db461fbd1566970859696559723ad59f21f0b53ec7adab1265c5ccb1c62369f1fbe92cab085764be
+S = 1f954da53b48fdcf3dc3e82c623881756a17bd938fe0c3610defb7b648b7ca0c274df369a5548edcde37ac77e8ff0703e238a11881e7a9da5b62bdc6147c29526126de03fe75d5e8602cf32936a205c26928d6b590cb10d4d0982f2b7201bbdbeececb9e8bf55ad67012b722243c4aa721ce8370968316fe9326fce6c89c5951ebfdd7c3ce847532a4388a980495af4a6733d823f9dfcd0c19c15332946282f998d38e1992ba4b721c45fca9e51289a9693421206a968a49b14911d89a2fb030e6cb4b949b0a3d6b2486807c8e2f6be81ac4369cce00d600009880503dd4f5635cdeb056b20ed320e9e9eb4432e9c13cc2d091f2be459b3900cff12b2c270d56775ca61b2d80b83528c02d9ce35e42bc36b1a56b3dd6ce4e334b331034e6fc0ba07831905e83d0231e3468db4c04918b5a90d508f597573caa1f265c5e9a25e21801aa6c39ad95b56dd024b3818f82a72892f9827f65e9f5f1346eb71baca0c2f4f2f1ae5f7f249286a4f301e5e32c5746220d41335078cfbc511c19b2ad5ec0
+
+
+
+SHAAlg = SHA512/224
+Msg = 8a09fb05b7e6779636123ac0a347603aa71f6d8f7787ed2a9d7157affbca37920dac8ce26ed46f659e56f6ea028f58db2c5c52125d89c9ed488db0a519742cdbb61cf67445a402a7ee225e54e2945c989c1af39e676263b8206318ae3d4ed1560ec10164433e7584afdd38a64b3db4997ec019dc9bf803b1ac5c57726e406d28
+S = a3baa7ce193ca98c05aeb3defde2820bea072d4dc02737fe8e3492ae4b329a7b1631c9ab4ffb6180d33aa6ca27b639d04fca9dd46ea82f0ce060ae56ac15b52e5116432184ab009e57df080c2ae17ec7a4f33613b846b1609766b084de34c0080d3695eac5dd3eee83ee57bf70b303d5ea7b1a96de0b32578008d6149069767125fa1afd05a54b734c70dd8c58b07d46e7e0d065717a2b445dce21b115522d5c0598504e1fa69a633228b713e4ad280d4d855fd1caefbdc0ff877a003584acc57fa62e791d165f5d63d33d8087c302311d7889c59443406708566bd2446bebbdf975dec7d42af661f75ea9b37a0e85de3e7d59fa53a62ffdcae04b1ed6d9cb69ac586b948dcb645bc6cde6789d465a1b723d8504cbbff1c27aa7c9fc0e8e8c697e253ad1d81ca6f56e6c7305b7b51ea93081a75b5d8588357f6afe8919122f79e63ef7ecee572bc1d016e68ba1ad93c5d4aa26faf638abe09a34b1afcbafaf4c32d15998119350a39df6b48affbda59ea642bc4aeb869a8dbcbd2a5a31e68f8b
+
+
+
+SHAAlg = SHA512/224
+Msg = d3472740773ed7b3d637edab7ed397711e591121f758bc688d8e6f8da20911ae648c684de6342c0bcd5b60b24cbde27952d94084019bcdab6337f47c5858cd83d37aeec94694849a5bfba28be583d8bc16e7085bf26b756903bf1dc14f27495687d962bc81a606eae8dd5b3e336da3c1d34911adb111db2cd7ee91636dbeadaf
+S = 9289ade35270d2b5081036fce186ae1dfbfccd4bbddfe1ea5e685fbc47d6705f02122be8633370735ec308676ccb8b969353faf5fc01b8a30b35fd6db088d216380bc0076f54e77eed258b382bc051d8ea37b986074ad2bdfc51faf4facfb33f9d5b007836b9edbc857e4ffdd13fd54a167d54492cc4a5b808a5cf23d31639ae195390ebfc8b722014f1c1a1806ce6d7ad9432f706a55cf6184737e99beb5880e70078b821ff414c0c65506da170b2613418dcf2d1dffc51fb9e4a109382c4c5661201cd3a696b64186f184b5ac1ac3fa50fcfef1f87757d01685d3929e997a3a23ef35f2bfab09c605cdc82dc322c290741f76b4561f1dd388a1b916030f00a4ced805c68b833fba956413f77aaf4ba08cf2cd04f2d91f5cbdd4b6555b8bd4960b43dbd244464d6efb5e35ecd19102b4bc27b43e40e624505768900c165a23f4074d54206c2e116f1576529b29bd8385c1cd91b83aeb520cc4ba9d08e133f224bbb0dffa95d9ff5b60504ba9b3c008a90b0e49521570d586c4ae96f89892095
+
+
+
+SHAAlg = SHA512/224
+Msg = c4db70981a925eccc116a6bbd9597e9763a80eb1f68cc984b3f3fcf57b8ba7d95f6f8db8570587d037261d5de0805718b339d1fe4cd50e526c5a0ee536b223959f500014201713ebad7715beebd9dfd19e3d7fcb60218bba99a5b558abeea08d6dc8f234db8fab220c4fb564642abbc90afa3fa19c38e7c3221d18d54106c6c7
+S = a58c3f480e1871ea4981352e8501f69c91fe6c8674bed6be0129eda5d86f1425584bb4c1a0399e5e1a8feff2190e8cfcc9945236f527c34a35fdc3448535c8287ff7ace9994519f78ca5304984c449165f37172b99bf2095b12c8e58f57faadb77ffcf76a3d5329cedcfcf825edd254d379fa8c4abbb5cedf75aadf04e841f8d0f4bd4a170c3f6ca6aaea4ec6a2eef57f402f02b99aa454af1916a8b117a48a8743c2be2642d8bc9b51bc044ea661dc7a0985772346c1f05355e03fd16f12af24e4baebc28538537b8b79f0c81e4777aa7afc7b82ae76a0b8ee96185015d6586e2d7db07cf503ff41ff43eaa97ccb7a1c48e45d2dd45cd0c531ddf1a34244a1fb155d9bc4990099c4b2f692f951d5992afe88dcc98fd18f32af13c479dbd6a725a01fb2f4a82a7957ee2896f384ecb3d19c5c1c802e9e1dd97ff2f8bc67031225aec773d5d52cc9b9079f3543aa0d053e9122f6b68a2224b8727189038fdaf439a1d03671891c3c7c13b30643672ceb7cfeeddf79bb5063004221ecb284fb6f1
+
+
+
+SHAAlg = SHA512/224
+Msg = 4c4d20122e7676d8be5f347b853a4d6b41a08e96388e8b8ccdadd9e151d67dd31bd5a52ddb6d966c2b9de61f6722eb94bf3d73b08ab6b51fdd2188ae5d60d3f451694538fc4a468f296a2d450711b37e372aa71d2448e4e593e881de7bf647fb169268f938136d8ae04c71b30c0f8d73d2f093a5ad4bff2715892a3c529ec12f
+S = a2793a4988185c97755437fb1f0bc536f5f2d913ccffbbab02c4c61c96795d5d6d3229607576ff902f2314a3347e89b31c9ab74c102e7a3e6f6bb09a405fc7d210d3dd707a8330127ee437d498946680e0e37eec8318a06aebb72eb77006de51bb43661190c0a06454e72fa811b6208b17222169b0834b2adaffe35b5f9ff1f2a55ae94e9680ae1596e28a9d9a7067a7a1858b5b8ffd1e94b3274520e14beed4f8ac3eddb161b3fe8afc2eee5dc203814b665d6252901717d6de61dbb86c74b82134adec317e19f7456d22ed40acd41674bdde76be7da452349ce9cb5211489ba9b42e3af4a0e6b6ae6ff345a4c4c89f7ebf5d88c610cb87d6cac609a1e32fa9d613f4f2cde329984766cbc066a5f61a015e7cd7e08c61ff2b9ceb5ddcabac7c5c41a57f56829c5a3b86e85eefac304406047ef6ec320e1d27c237f59b456f5dc2fe4a351e56283da7da6b41e5be7e9552a2d41fd1a564be8ddc3e9cea9f1cff9f76fd808f9e9d73354217ccd93244682ee006aaa465754bc6d1ea936aa68d47
+
+
+
+SHAAlg = SHA512/224
+Msg = 5dc60e1fe596a96be814d8232d3cb5ccb65d64c5f07becd02cf145ce525ab3cad4b25239e2b9f180dd9823b70dc794ad962e9a2ca88b0c7ef713572f6b5cce15187a428e7069d309b7ab05c8b83117e4b77f9091a60c1aa39ce7935182a06239106607a5f86df60d6093a6dd9642e577ff986e7c51c5bd4802b522bb01f0153f
+S = 556080ed70dfd893ef304bce1e8eb40d1c1542f76fd95b9923211bdba627eeb11f686ef91518cb9c8416d1bdb2b4a5c539a8fc729ef4a7512d75ec14fb70c877341c9f85d34e439af1f6669af16f47a62c5a45a3c005933221af60bd36cd2874a00f09d0fa85e615b3322ee6b53829803634e65bd122e41ee97df1ec69959dc29702f323a7b445aa4acbc778304ca5658661c38e078027ec5b28315762a963b82efd4dcbb68793e41e271d4f374004dba5edcae3039c92e02f97e50f0e7bb1150726895eaec38214e654dbab1426ba280ce4cfdd549f47cde618025e741dbe469ccabe3ed341deae95003da5503e232dae9a27e3a8a198f2c7653ba867cb37c983b29e66eccefa746821670bb5657d6ed8bccaf4f6612402da4362f7e6dc9c1643ff796572d00f17fb3783e6c532ebcc42ad36008656584844b69a25db5f77ca9b234e45587eacd67c49635d6ac7d24721b3fa61a67e40fa65941e6ae45b2b4c6b5af86c1729c5be6ed979c2be035ae2ba285692b5d5f5e558ce9866a7fdc329
+
+
+
+SHAAlg = SHA512/224
+Msg = c37ec28ba564ae2cd1f7fa7e76747b552aee89f23a4efb263e9953bbf171350f40df1e02a14f5212a6dc16c5d2ce2048ab614c5510c99059cd7232d76d8c380750c721c4fd5bd2a5b84cd36958ecbb9853a1e9671be875dcad9a6634666f268219c033986091162a2fce9931afd5358e4935caf000b593f70599589a8520e5c6
+S = a4d5891dba2e4fdb5626d2c92a3874c8d378c8725b510041b3234af3ccd1d3744469ab4f9705ff9e16fea91922f02cb0e816b65c19f4ac5abff1d18871d8086e5d8c846f43e6cb6e8817c99ecdb94f5f2fc9c43091193bca25127670eb2c006b20e5f27f32d4a1cc8ffa14dfe910a3b3813a8bffd2eb656753ca667cfaab81f9ad7e6a48184ea05ddb980aca5731171bb7cb58dc30c379dd40186e689fbde378aa9d76ea5a4128cf58e4440c1a6929ac1ade86fed75a4a10f61ae7892f6961db17b0e2ca99d24ef3fe72d647b98ed83c743ce004b70863a35cd35616358ea2342288e74b5e4b229ff569ed47f97e57af8b55e8968c8d0315600b0bc049ccdfeed4904cd5aba05538361febad22926469e44acda42b4663a2c2755fe26041a5b8491f824a405ea377b55d4d86951736b699a1537d24f99fb9b72f142c25a49b62165691d6202c9ccf2b149005364b7d455f6b235a953097fd6aa2f5b9c5f4297a473f1fb883bd74b9a48f71fad4376737ac3906d6e1b14c53a3c035b585798711
+
+
+
+SHAAlg = SHA512/224
+Msg = 8aa66795a6d68e37bae9a93420e276de2ed29bd45c61eb30a4aae5022f4c7dfe2dbd207105e2f27aaedd5a765c27c0bc60de958b49609440501848ccf398cf66dfe8dd7d131e04f1432f32827a057b8904d218e68ba3b0398038d755bd13d5f168cfa8a11ab34c0540873940c2a62eace3552dcd6953c683fdb29983d4e41707
+S = 3976c37b7625b02d799594d2cb853419ee714d72e895a107d49e26a356409f9d8470d437a248296ea4c141d4ad3a3fdcaab0cc1c84714550567c1a9a3009234b8786f5912e9c4f6c02470e665f71638d5599ed8c1d66645ab56ea11211dfaedf53dd4ba64e26492b4e83cfa7ea7b9af3da713e8ecbf90b6dd8b4ca35a29ccda80e337a40e67111e266586593a67ade79104d51fadc33506177fddada9ec9bb6908f5d25ff85423694ad66fdc2c4a34ba13bf0f25f096ac2847263aad34e917cc0fc3142c237f073922a76332598ee49aaa1816ebb88d054f35e03a25295d6f5f320a949c73428ee9ebde930ece4de633aed10f1d502086cb4666d06384d84f4fb0f60558278713c49cf007268b9870734ada1ce820fce3c5ac3b95d3956c2a38b03c07b16009ff673e2f3f29f8cc3d92eb53f138f1d4653e4203f7fd05e0e1aed0ecd7d4bcab95e5296ac63b58aee6164fcb74d7a222eae82cc5b5050620fa26171ee0ccfeb5377ee52758905a4cd759a8b2da02e15401afab3b56f345fb59ce
+
+
+
+SHAAlg = SHA512/224
+Msg = 10f58ddbd998e26004300e4079d656fcc6a9eb55b91619b22d56c0c324370864162051c4894f69c6e26602a77b2663e2f57a5d50d0b78194382290b622b3330e9818ec6451fd4d55858b68f8ff2e86c2749c1ca71313fa825de1c6b7372aa9173ee648045a29f6d596a7277c2f772865ea170ea2abb1ed46449c4a0e8b26d247
+S = 8e3a05bae94408530cc00a60fdfb33405b2a087fb2613b30f446ea5520c29c6615f5122fb5c1d29a2e45b488ca118b97088560fa1a7d86e11cccfad237264d4fbb951a3a4fecc4a1171a508e1b7ca4619047d6d216e97c1955ab73ac77942e005c07b2ee95dca824e13545f67d79847a53bcf0d4222e70e2e26b2b28c1be915141c638e77bc93e8f1d4793fdce77507ab710007e07c1b553f57e599d7fd9d4ffe208312d8447281d1ebada5c517a7735a46768213e856ea1129ad326f7c15124223c33ce136ceff3e6715a47b4ae7cf8e95be94317142d12ead5ed59fa91ce157db293f5f2bd3042500e7f0a7a281cf825171d6620d61b5188e0951c53c17bd22b72e7d7520b490781a846e50ee21aed2f3262b6369f59de19d0888434180d367b553c0eb47bcfd085ba1b8cc2b5e48a11758fcbfc8f5adba95b0658107997d53207d2205fd33f0e7891c54eb5a8cac031c7f138824b15e5a1d276ad9c642005442c6ada0b2161ad5ba6dd339a38946475e2efd0a5c01a6b6a93360f2698e34d
+
+
+
+SHAAlg = SHA512/224
+Msg = 013d90b2699ceb79cb94edfaf8418f565bee415080898c5bd855f6f7b6df263e9e3348babf4fb37abed8c965b50c1fce7cf8df4827eb6abbcf2a41b796e52509e56a7d8cf899f9429d9875a338c820350bf7dd5db4d7e975f7aebe1ebe5038d85e4bf7d01c6104f8f03bb75d895bd8b690530438313452b2d84a37d53806a7d3
+S = 21e65d04c41bfb837cb9b9f26bd1d920f6c16f1178980adf3db297c16a7675f9e1ad15e00e1c86b397250e1c5fabd7bfe69155b8db4b5e18c5c8b16948348f8b73dba274c9a47d7a35329e4d6ac3601a08af34fb6272264e4ae5268c1e59a73fe4abde5be02cc14ab33e3de77ab06446fc4f320f0805279d74733645bc2de6b6f518b841350048e1078c07521a02d7569f5e700e80099b69b8c4dcf6d4aa896a644754a3a97492f82a9664b9fef041f6fda2967ddf88da8482158a1797856bf6b8d071a1eef50df83d6f6484e2a3db02c652531d8c04466a55e79f467fbaced5670d65325b87885abd6d16c78cb424c19a090b4dbdacb1fa8eebfde97ba4faf51e576521756be3c761cdfa85dab3d4ba89f276fff9436f176b839fa5934c88612d7a775ccdbac8ea59e3b6f7e2479022172f17f1ad749ac6fca28d698aa50bc4ab92d8ea36e4b3409dd4b671cb00cd2f7d3e544b96d74953d0509a15bcb0b52aa6671a5e132814d18908b7da88fc9e3a7ee843957f6bcd0a793f41ef9054823d
+
+
+SHAAlg = SHA512/256
+Msg = f23660b33375dade2f5119ecdfee7c53397a4ace54c0f59bccfa9be768e7d287fa1ea5e887a2da49a8b6772730f384f90f97111e77207b143d1aecea813521f8919a70cd0b7f096942f97cade3127b0fd91ce1926d45f4f6b26be72b2031a40c7f52c84a0735eea6c5c230644075ebfc5db0c3128056e7a8f49596938d03e32b
+S = 31f3551b299c1ebcf1a67111e64e56ba6361a0fcf6ad813fcc3f7bbc937bfcb991da384b7c6b5e6a110dbd6c4c9d94de2145437855442d1eca3a4bcbf421de8d7b5a8d54525abb1df6095d52fff33d4d74ed2fb4c3af430fc0cc3bde9fd05f1021ca267e95bc82f09cd50bd5cc7ec7ede63f3e5b8eefb3d024fff0ec7479de983bea9ed36ed871ef5c65389d833264382bbb6c48a6dc5bde540a4ba8d94163e66d93c415c34b5c06b965626e850d1ec794540db27c551801177a781aaa321f77124e63c63b428ae8816c5f14505b33e4f10a93060cb4105b034b54575c6252d1561bbe242fb9be1371e47261472f91472f81f602942357cde641cf73015e161d03fcce0755ab6a7c9278a535b27a9da4c002f6f61231221543be579e9bc9d0d5239e2fce7fcd1dd6ea0ac1954aaf27d7d804f549256e957b7e8266eef02b6b905f5fe6ecb47288a5f3d97449846ccb3ac564046697dacd05f1b6357637e000052e4431d42a484afe7db85d821b1ccd37eaa0131f8d1667af940f32f2c2fe969b
+
+
+
+SHAAlg = SHA512/256
+Msg = 43e2cc2a6a8ea64565ff6ce2fd2c4f43fc02926ee44ee02fe1dce25cfde0115c9396c9ea06269f17b2caf58e2332cc1c8528d9705c70da1f76f22aeb1d1b93449180640fb5c4c4a708bc4621d7d2bed5b1a752191cfdd45086d34f247ed1df0f24e7c620de32bdfc4d1f882380d2cd7467c926f48abc75cbfac8788f88cd9dc5
+S = 85f3e1c60a2d06290b0c8ad0b2d92194048e3ad17bd0a1f2271f5cb1457513db2d0601186508cd151a7a86c238cdbba8d451eebec42f3c7bae0317e02ae9fbe29a0451ee7dc23be3185f76c2b3c8f302b205958d3211d244a3b021e6a703f0bb346512c73d0a2b656798471da493e1813e1317b198d4852bf2e865fb53c1eddc4ce8f446a7b32bec755c0c570dc1decc62fc051d2729226db93f39a01499f945e85c0723e919c1d0a00401dfa0d1c21f4a19db8174aca10b07dc70bdf0914e15235f1483c25139932a8eb33364e7ee7956cb2fdc5f6747898b808f0d72276793e7ab7982283d0721d7d560fe36db6fc8e6761245f964a04cb49abfbef8d2ab330a0d507c7a147f0ab17ac1ac6f8ddf97a74b7f63df61f6c690d5c5209c788201a0f22c429f8f0524861f3b780ba03facf9949b570fe620db18c556b2ca8379295248994d6a4ae8e593751dc0bc908bef26169f48b25d16ad634ad13bd3a0d9f87e2d0113680996c84722a6f4c87e4693146901e94e0793e1e1eccff336adf697
+
+
+
+SHAAlg = SHA512/256
+Msg = 6e3280f4edb24513845083560a176549a81b04b1df668b1fcc3599c5ab65e6899b282a58a0fc3abdeede74b265ba5eb658278a1f9251bdb29b364f713716d5b43024fe7b5582bb03c36ca39763b495a9b46e9f21cbec1ef598ed27fa6a1126fab590c506142c100d8a64d6ae0deb524b45580a5f911ff8114bc0e8094d3e2182
+S = 2b146c0a9963500795dcc7fccd53ce8ad223ba899a980726c1d08040688ecdd3cbd7f648fc7e8865da6b12e743c4f34a544a746b1c902cf5f2f130245cca3c500675d1786efc2f6685bd6c82f9c06dfea9840a172de27be6788caae3ffc5365eacc7506f88f60bdf9b9e95d78df1020ff897ceadb35d006dcf080a25f45e65d74880d5a005a234146277332283f575bbab122789dcb62b685290648d1e240f471e8ea036c4b2064efa533d5887670b8eb6067e1b99fc2d44d2afd134f26b716811767e8de06963f84988a6247aeb58d9c86a860cbe48e997848cb5aa7d42d833d4e72826ec67a822ae618796f51397f42ffe559db9cd33140e482586c8142b4341392839d41ec1b5e9e5c83eb35b5f53ccc79086fa4e71deda678db71130a73f7f68d45c1354f1536da781aa5c17575f78cb58a456fece8d9d9755e6b8d5b8c82c42b037996a30fc823ccfb4c1d06f6a5897bd64d2a4912ddadb7d247eb1b56140cf8b435788d6cac7c9563f019da5afe350efdccf5545e882ec59fc7660be83
+
+
+
+SHAAlg = SHA512/256
+Msg = 59dcada047c130bd4026539fed6023f7d037576e7b4b242d00b059a3a8dca782e8c3400b9040a58c46b7b82733f919d4fc67afa9f45b855a90c3d8fc1b0f6e0eaa4e29b95393db579a9e5c332cb8da8fd0df71ec9a23fb8561502a1d74cdd4fa89c48d32f6837b252423664b40670f3033e6c3bcd56d2fb85d9f768e1dde8150
+S = 84ccaa672f52af4f285e81153df426883f535021e89716c307706c35d93fd61be14131753c8bb5932fe1236e9ada13765fa74be339796a7501e3fdf153c4142fbe4248fbd91048c4ac76645715b991490c0f463febf4893c02b542a655f073c64efe20ab2b5cb77c8ecd41c39a7388a5b530f6ebf822e263b88cdd312964e85c7588c8720b7fcdcf2b5289b044949640036249fed30e347c1a40d9574601ad8637faa4acf92959729664c41103da6bb66edf95d1a20dab6dc6a4010de76f0ccd8ee6129696b2e14053da514943685d6f52700389d931bead03af43d6fc31fa281b1e41da244c1b69f377e4d7b1d75d1fa5f1e63af83a39b8c59b2a19281e6f65af83568d04e283a5e744cecfd4a261db48d2159b0b7f0c8a3416d873eb72c76898a11bf9ada070f4b9d3762f942ffa74a5b57d26dd527e95d762e1d62f38e1693c1688e30b6e56812f0e01e425bf4cc2a297deb14319e5a3f0ec244cd050437d9301268fd55a9f758123985d4a0ad596fd456b4b24c09572c0781ae21364e0c3
+
+
+
+SHAAlg = SHA512/256
+Msg = 073b071975d8b6b8cf609fc0b307f22e74e33fe3bffe38587faab98dfd1405424c1c536ae46489dd8da7474d7f4d277bc73c43aaecf0f854d3ceea1de0b548055ed752e121c7180c69d2845a0a939a4dcac2ff8c0b4db890aaaa35a1266b8e0105130c677328ebae2d895ecf9d02d40d461e7a6f633c0173cbe5a101185d5e9e
+S = 099d03209073b4009482911b6dc9a2a9d938397cee5694b61de28178e40fd07435121323b36d1074b9debd50386c0bdd63e1f26bd1f29c7beec2be3e4e0233bb88552319daca3d35f4602a6eb653e22926315a95231d9cfd7aef40e280ac1ac572d45f11d11539b858bdf2bf785cb31cb38dbccbd707b63eafcb0ca1626448ba810caaf1edd6faf3d53a0229c1effa6256e41d3eb7962fb93bf4adc0dc835b6c460e4db28a3dd7ea6e818cab8dc0fe3c3525aeec5fa6f64ded105ef90c46b5598f39e8263e20268d072ead3cfe07bc73dfee40cb257b55938ce1b7dd402367710a18b505d58326d2def24e1b76b342c5b996a5991d9dad6f369b9158eb603d7a9d783eef6bc8f16c1c458c4ee11127096fb3e78261e3965e0be037aa02fee083a2c661739faf44c1017a225f6d7e1b9fb68608007fa93fd5604e4c0c0ade97834f102bfdad72fbe32dd7ea070ec4d0a7345d2ebb2eb405285ab4a4c9c6e6a1153f1da84202752e4ecac38c809ae2b7589979cc624d683d054c17ac336ac18f83
+
+
+
+SHAAlg = SHA512/256
+Msg = d3c6aa33a80cc85035fc721da56357652cf85b48f58830835b5026f15bab445249ed974cc38ecaafe48bf7fdb909bd2af93b93a0f0875b86bde43b42bd87a83c47bec3e59a1ce9f913d68501a46d291b818ddefd1c36b8385419adbae945a6973402d70915fd4cb52ca6c52f4cd7c4c12cb6e46860dc6c2088b72461c82c68ea
+S = 9befb09cfdd96b3e4232e66eadb8858065f15e5e6ef00b6c1fe66defe61696bf05766a81830ec88d875f33062845905591eea0dacb004cc0227a497ad62d89a12cc2cd3fd1f8d03a744dae9129e8382d9cb35ee04213bd02de5f4c7fc7b2ac0bea68bc03ebcb9e77c2ad3c624b5bb3a969960b1ebafc70f226cdd6daa2dea5f8475b77706e3f341fb428833c4485127a078785500408dae6bef791c839d8a0e1a935f5434777d52a47b8b8bd6bd14244d6129dd63f0ed53426d6b0344714ed68773b59eb3a4e2c39fa0907969c40be6618c8355aeb5269f5ab328aeb355211c8eee72fe8141cfacc8b22ae1e1d6b45443faa7c6f8909385f785db074b317b37a7e9460148f7f440f142ce03bbcd7dcbc2539031a4e334d5dd9fb6ca6ecb367e0a78a2153dd9bb9aead009578fef558dd618c022548ff5bfd63bc2a401237d48b565bb02bc55c92466ef29a754573e146d8b02effd116a5175063395bcbdefdc9dfb58027e6a3f61a323c73670075004f3e53979074f99fcbf2dba3fe0e47f030
+
+
+
+SHAAlg = SHA512/256
+Msg = 849e5d6b17802aea210dc2a5ab7b9418d4bcdc63c6a22f96ea47542c58ac56d592a0d77971e4a7795f8c9638c7a886daca24c44b34ed9883ae551a0935b948b6ca6156bc6ba745e7435cb7221e67023c1faf83ecb53c3513cb9981423f7c587c96a8803dee132bba3344ce6b960030c73b25c24f32d62ecda9d832de603cafae
+S = 7a2f7a8a22dae7021167b40af37fc2793602b34f1bef039bff7ebfdbb8d89c326bf92957d8e4218cb15839128e6f6c71f9cfcc52132a320057b0415f831762aaaef1b19175d5186366df74963dbbc402023aa416d17e2aa515e04c8eb0b26e8d8c00f1a74610fbea45747fefc6fa9a9002b82028e444eb45302e2ae93a4bd4a126e413c701226a234382c92d38d846acd663b5ac99f2d3374c1a34cafa8cf4db8fadf8d6ac6f84c8c1e82a34cb948e3c21bac80587ffe8864c7bd106a4572f1feb1dbe8bf47bea91c5b4f8ecbd5c3a0391c35a2429ef66184ef7649192b961005cfe96572ab1f1479fed569b9dada7cde74a0329eb63f6e91e1647c424aca2a4be2c106eb9e67b8192021fa23f3eb17595d5b0e6bd3ce5d9c9939192b786acab778a456b4ace7bc8aa96f80c1f407607d3fe0130d82193a4f63080800de10ddff692e385489e67dba5fb33a877860aa1f300376220c57117a3f411dd18ec603cd2b66a56e57ff4b9c4431267643f3f99ae6b769d860999bae7b74303583e8b1c
+
+
+SHAAlg = SHA512/256
+Msg = d7f95e001d6a826e7f7ce4c05f9995d3f6a737d0993762003aff46e1318a91793d2e93eac53f9f476482b5a6a5e45f760b6cd913556f7498ff033cf50cb5d941037fb35138f45a894cbe24f2f74a188d05c20ae79f3c08eecc31f5033830745033d3085cfcf379dc401879cdde3387bfed9014740006e4a9a871b8343b622a4f
+S = 72364e031cd57ceb29a47bb0685b1213d7e0e971728673fd19c0265879c5896958e3d78ac90a398f636c093f979bee99f5ff70539830e4ad44e988b63bced427728ad43f8df064c82e9fb682185f2abcde5c52b29a5918173c13e9890eff41f7a15bd9efd4b65b2ff5a2f706821e38f627805142e6f5ce527641ae7b46c1e9405e6faa7848ac7da98d00ab2196074b1c092018337a0a25473139ff0cb71e6880e7aa6ea2ea0d6b25966de48589dfde90e49a741134e0489406839abf97a2e378def59df53862878305699063052001a4297ee1dc9938c4db686c9bedab9a8d95ee84e016365c812c407d915dd1eaf38fae32fa40ce0bfef6c092f30c4b9e9edd7741e3a4a1f2c79b52d3e75c23bcb641ff1e81d863a941902aeb87b7d9e8d17576620a35d75e23e56e3c2e23146324ac31740c1bbd30aaf427efb1a3b850589cae305a9e516ee21f0045c213661394674d589b2e66534992d9bd0938cec8289167c824a49cb095d7de57ee8e5ec7bbf107888759d4d13d81243018c62d60efa8
+
+
+SHAAlg = SHA512/256
+Msg = 0074ba726144b96dc93c7b68575723c968c629f853dbae6657250ccfd1ddb2bcb2802f4b31be8c32bd93df0236b41da95c2c303b884749f29aaf787332d57a522392d2d9240f1b05c9e29cd2b2791db803bcf97613ee750e69d45011e41a9b1c39f2cba3a3fe0dedd570d9603470caff43bead315e98d8c4acdebd314f74be22
+S = 99eb491965dc7dac3793cff573bf1178a03134ad9977db883c4b4188fa574e7ea892969c6a0e084bf03cacb4d2a756e5adc82a8b8db7af9f3cee6f77f1ab23f0a5dc40c1450d2d23539ca29336558a5201b67432a22e881fa3c304ee5e796dbdec9dd5e9aca63e99c4b2e52baf292bd278b4c131efbd54ee953b7e849eb835cd17b9f0df4a1b869c0313df23551aa60f570515c6c186aeda72135aa8c1ff5a42e8bf312f14b0d9f4f042d5e69c4467e9ba8715f0d206eab291a288981109bc3cb7512f1998f5d2ddfc99040b108f15c7d4f70620fc4882f8b17654dc70cff93c5d4ff83480e305683c73b038e10bf5f0c4ea56f03edf38d5e84e0ae6c9364846acbaeaa2729314064666f1d93f6351e610edbe30e2952796dc01ed8e7727dad32ecfb40d78ca23e526be97ff070c919f61a2b9dcfe10d8e35442ee76cc1b3c22d60af7b7c23dc2fea3b0a89d1eded7c7fcf89826011bcab7430c31ac86f7b0b9c857066a6b7d1f4cbfcc64b4a14f7156d3d69dcd3b9fa6e2a468fe13861624a3
+
+
+SHAAlg = SHA512/256
+Msg = b6b26aae4d1fcbd43d6205595758939917dfeffad637607441af13500a7d6e2fdeeda14f96be7e0ab1c88a9f02e35435a605051d39aa395849790d590b24790b4d90e116ac36e65f07c982cd34185453f137382b1dd91b5f28010e8ec8da98edede2518cf84eacdb27ab156c54c13cfae0bcb0abea8eaf92c48f3d78a76673dc
+S = 460876efb3ade4c119b9a1ac22c7f3fa7278af8fb0656292d03453c68352c5a462bc720af460add40fe28078d9dda46922ddb9b78c858feff5c2433688902bdd3447850dc88f9d8c1b003891bda081116800e2bb32f9795427db84ed1084342283f5903ea9b898bc8ee083d069da457333c26f4c4dc75682dd0be73c685d9acdabe5a59de8d12c4d8e7d62cfd4299238f849325e1abeaa7763e392a5019059e33f31b0a6a4cad36b3b5801c23358e7b9d055cc4dd0c9b1991169edf61480e05f74f4388145afc447f1704114818205096c117d2ae8ee747efe03b6213a6f8cfb6aabed9f85902fb9682c17bc92df250bbfcf57a94fd9cea74c90f1bb92a77dba5f318cdb0950fbce14f4d82ca09704222d01c8d6f08c31b11e11d55cb99856cbe6f199da4a41a34ce878a3b3641a1f4b6921977025f4d2297823f773dabbb8b587a280bf87f3045a6609090b925cea7676a4f1c63d4fd8efaa6e8c3be7dde035d8e9433499cd1935423db18e92add2d7a595ee6f80c1a233d10de1a3febaebac
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/SigRecord.java	2018-05-11 15:10:48.002151600 -0700
@@ -0,0 +1,198 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.math.BigInteger;
+import java.security.*;
+import java.security.spec.*;
+import java.util.ArrayList;
+import java.util.List;
+
+public final class SigRecord {
+
+    static final String TEST_SRC = System.getProperty("test.src", ".");
+
+    // utility method for converting byte array to hex string
+    static String toHexString(byte[] array) {
+        StringBuilder sb = new StringBuilder(array.length * 2);
+        for (byte b : array) {
+            // The single digits 0123456789abcdef get a leading 0
+            if ((b >= 0x00) && (b < 0x10)) {
+                sb.append('0');
+            }
+            sb.append(Integer.toHexString(b & 0xff));
+        }
+        return sb.toString();
+    }
+
+    // utility method for converting hex string to byte array
+    static byte[] toByteArray(String s) {
+        byte[] bytes = new byte[s.length() / 2];
+        for (int i = 0; i < bytes.length; i++) {
+            int index = i * 2;
+            int v = Integer.parseInt(s.substring(index, index + 2), 16);
+            bytes[i] = (byte) v;
+        }
+        return bytes;
+    }
+
+    public static final class SigVector {
+        // digest algorithm to use
+        final String mdAlg;
+
+        // message to test
+        final String msg;
+
+        // expected signature
+        final String sig;
+
+        public SigVector(String mdAlg, String msg, String sig) {
+            if (mdAlg == null || mdAlg.isEmpty()) {
+                throw new IllegalArgumentException("Digest algo must be specified");
+            }
+            if (msg == null || mdAlg.isEmpty()) {
+                throw new IllegalArgumentException("Message must be specified");
+            }
+            if (sig == null || mdAlg.isEmpty()) {
+                throw new IllegalArgumentException("Signature must be specified");
+            }
+            this.mdAlg = mdAlg;
+            this.msg = msg;
+            this.sig = sig;
+        }
+
+        @Override
+        public String toString() {
+            return (mdAlg + ": msg=" + msg + ": sig=" + sig);
+        }
+    }
+
+    final String id;
+    // RSA private key value associated with the corresponding test vectors
+    final RSAPrivateKeySpec privKeySpec;
+
+    // RSA public key value associated with the corresponding test vectors
+    final RSAPublicKeySpec pubKeySpec;
+
+    // set of test vectors
+    final List<SigVector> testVectors;
+
+    SigRecord(String mod, String pubExp, String privExp, List<SigVector> testVectors) {
+        if (mod == null || mod.isEmpty()) {
+            throw new IllegalArgumentException("Modulus n must be specified");
+        }
+        if (pubExp == null || pubExp.isEmpty()) {
+            throw new IllegalArgumentException("Public Exponent e must be specified");
+        }
+        if (privExp == null || privExp.isEmpty()) {
+            throw new IllegalArgumentException("Private Exponent d must be specified");
+        }
+        if (testVectors == null || (testVectors.size() == 0)) {
+            throw new IllegalArgumentException("One or more test vectors must be specified");
+        }
+
+        BigInteger n = new BigInteger(1, toByteArray(mod));
+        BigInteger e = new BigInteger(1, toByteArray(pubExp));
+        BigInteger d = new BigInteger(1, toByteArray(privExp));
+        this.id = ("n=" + mod + ", e=" + pubExp);
+        this.pubKeySpec = new RSAPublicKeySpec(n, e);
+        this.privKeySpec = new RSAPrivateKeySpec(n, d);
+        this.testVectors = testVectors;
+    }
+
+    /*
+     * Read a data file into an ArrayList.
+     * This function will exit the program if reading the file fails
+     * or if the file is not in the expected format.
+     */
+    public static List<SigRecord> read(String filename)
+            throws IOException {
+
+        List<SigRecord> data = new ArrayList<>();
+        try (BufferedReader br = new BufferedReader(
+                new InputStreamReader(new FileInputStream(
+                        TEST_SRC + File.separator + filename)))) {
+            String line;
+            String mod = null;
+            String pubExp = null;
+            String privExp = null;
+            List<SigVector> testVectors = new ArrayList<>();
+            while ((line = br.readLine()) != null) {
+                if (line.startsWith("n =")) {
+                    mod = line.split("=")[1].trim();
+                } else if (line.startsWith("e =")) {
+                    pubExp = line.split("=")[1].trim();
+                } else if (line.startsWith("d =")) {
+                    privExp = line.split("=")[1].trim();
+
+                    // now should start parsing for test vectors
+                    String mdAlg = null;
+                    String msg = null;
+                    String sig = null;
+                    boolean sigVectorDone = false;
+                    while ((line = br.readLine()) != null) {
+                        // we only care for lines starting with
+                        // SHAALG, Msg, S
+                        if (line.startsWith("SHAAlg =")) {
+                            mdAlg = line.split(" = ")[1].trim();
+                        } else if (line.startsWith("Msg =")) {
+                            msg = line.split(" = ")[1].trim();
+                        } else if (line.startsWith("S =")) {
+                            sig = line.split(" = ")[1].trim();
+                        } else if (line.startsWith("[mod")) {
+                            sigVectorDone = true;
+                        }
+
+                        if ((mdAlg != null) && (msg != null) && (sig != null)) {
+                            // finish off current SigVector
+                            testVectors.add(new SigVector(mdAlg, msg, sig));
+                            mdAlg = msg = sig = null;
+                        }
+                        if (sigVectorDone) {
+                            break;
+                        }
+                    }
+                    // finish off current SigRecord and clear data for next SigRecord
+                    data.add(new SigRecord(mod, pubExp, privExp, testVectors));
+                    mod = pubExp = privExp = null;
+                    testVectors = new ArrayList<>();
+                }
+            }
+
+            if (data.isEmpty()) {
+                throw new RuntimeException("Nothing read from file "
+                        + filename);
+            }
+        }
+        return data;
+    }
+
+    @Override
+    public String toString() {
+        return (id + ", " + testVectors.size() + " test vectors");
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/TestSigGen15.java	2018-05-11 15:10:49.624801100 -0700
@@ -0,0 +1,125 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.security.*;
+import java.security.spec.*;
+import java.security.interfaces.*;
+import java.util.ArrayList;
+import java.util.List;
+
+/*
+ * @test
+ * @bug 8146293
+ * @summary Known Answer Tests based on NIST 186-3 at:
+ * @compile SigRecord.java
+ * @run main/othervm TestSigGen15
+ */
+public class TestSigGen15 {
+
+    private static final String[] testFiles = {
+        "SigGen15_186-3.txt", "SigGen15_186-3_TruncatedSHAs.txt"
+    };
+
+    public static void main(String[] args) throws Exception {
+        boolean success = true;
+        for (String f : testFiles) {
+            System.out.println("[INPUT FILE " + f + "]");
+            try {
+                success &= runTest(SigRecord.read(f));
+            } catch (IOException e) {
+                System.out.println("Unexpected exception: " + e);
+                e.printStackTrace(System.out);
+                success = false;
+            }
+        }
+
+        if (!success) {
+            throw new RuntimeException("One or more test failed");
+        }
+        System.out.println("Test passed");
+    }
+
+    /*
+     * Run all the tests in the data list with specified algorithm
+     */
+    static boolean runTest(List<SigRecord> records) throws Exception {
+        boolean success = true;
+        //for (Provider provider : Security.getProviders()) {
+        Provider p = Security.getProvider("SunRsaSign");
+        KeyFactory kf = KeyFactory.getInstance("RSA", p);
+        for (SigRecord sr : records) {
+            System.out.println("==Testing Record : " + sr + "==");
+            PrivateKey privKey = kf.generatePrivate(sr.privKeySpec);
+            PublicKey pubKey = kf.generatePublic(sr.pubKeySpec);
+            success &= check(privKey, pubKey, sr.testVectors, p);
+            System.out.println("==Done==");
+        }
+        return success;
+    }
+
+    /*
+     * Generate the signature, check against known values and verify.
+     */
+    static boolean check(PrivateKey privKey, PublicKey pubKey,
+        List<SigRecord.SigVector> vectors, Provider p) throws Exception {
+
+        boolean success = true;
+        for (SigRecord.SigVector v : vectors) {
+            System.out.println("\tAgainst " + v.mdAlg);
+            String sigAlgo = v.mdAlg + "withRSA";
+            Signature sig;
+            try {
+                sig = Signature.getInstance(sigAlgo, p);
+            } catch (NoSuchAlgorithmException e) {
+                System.out.println("\tSkip " + sigAlgo +
+                    " due to no support");
+                continue;
+            }
+            byte[] msgBytes = SigRecord.toByteArray(v.msg);
+            byte[] expSigBytes = SigRecord.toByteArray(v.sig);
+
+            sig.initSign(privKey);
+            sig.update(msgBytes);
+            byte[] actualSigBytes = sig.sign();
+
+            success &= MessageDigest.isEqual(actualSigBytes, expSigBytes);
+
+            if (!success) {
+                System.out.println("\tFailed:");
+                System.out.println("\tSHAALG       = " + v.mdAlg);
+                System.out.println("\tMsg          = " + v.msg);
+                System.out.println("\tExpected Sig = " + v.sig);
+                System.out.println("\tActual Sig   = " + SigRecord.toHexString(actualSigBytes));
+            } else {
+                System.out.println("\t" + v.mdAlg + " Test Vector Passed");
+            }
+        }
+
+        return success;
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/PSSParametersTest.java	2018-05-11 15:10:51.222098400 -0700
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+import java.security.*;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.*;
+import java.util.Arrays;
+import java.util.stream.IntStream;
+import static javax.crypto.Cipher.PRIVATE_KEY;
+import static javax.crypto.Cipher.PUBLIC_KEY;
+
+/**
+ * @test
+ * @bug 8146293
+ * @summary Test RSASSA-PSS AlgorithmParameters impl of SunRsaSign provider.
+ * @run main PSSParametersTest
+ */
+public class PSSParametersTest {
+    /**
+     * JDK default RSA Provider.
+     */
+    private static final String PROVIDER = "SunRsaSign";
+
+    private static final String ALGO = "RSASSA-PSS";
+
+    public static void main(String[] args) throws Exception {
+        System.out.println("Testing against DEFAULT parameters");
+        test(PSSParameterSpec.DEFAULT);
+        System.out.println("Testing against custom parameters");
+        test(new PSSParameterSpec("SHA-512/224", "MGF1", MGF1ParameterSpec.SHA384,
+            100, 1));
+        System.out.println("Test Passed");
+    }
+
+    // test against the given spec by initializing w/ it, generate the DER bytes,
+    // then initialize another instance w/ the DER bytes, retrieve the spec.
+    // compare both spec for equality and throw exception if the comparison failed.
+    private static void test(PSSParameterSpec spec) throws Exception {
+        AlgorithmParameters params = AlgorithmParameters.getInstance(ALGO, PROVIDER);
+        params.init(spec);
+        byte[] encoded = params.getEncoded();
+        AlgorithmParameters params2 = AlgorithmParameters.getInstance(ALGO, PROVIDER);
+        params2.init(encoded);
+        PSSParameterSpec spec2 = params2.getParameterSpec(PSSParameterSpec.class);
+        if (!isEqual(spec, spec2)) {
+            throw new RuntimeException("Spec check Failed");
+        }
+    }
+
+    private static boolean isEqual(PSSParameterSpec spec, PSSParameterSpec spec2)
+        throws Exception {
+        if (spec == spec2) return true;
+        if (spec == null || spec2 == null) return false;
+
+        if (!spec.getDigestAlgorithm().equals(spec2.getDigestAlgorithm())) {
+            System.out.println("Different digest algorithms: " +
+                spec.getDigestAlgorithm() + " vs " + spec2.getDigestAlgorithm());
+            return false;
+        }
+        if (!spec.getMGFAlgorithm().equals(spec2.getMGFAlgorithm())) {
+            System.out.println("Different MGF algorithms: " +
+                spec.getMGFAlgorithm() + " vs " + spec2.getMGFAlgorithm());
+            return false;
+        }
+        if (spec.getSaltLength() != spec2.getSaltLength()) {
+            System.out.println("Different Salt Length: " +
+                spec.getSaltLength() + " vs " + spec2.getSaltLength());
+            return false;
+        }
+        if (spec.getTrailerField() != spec2.getTrailerField()) {
+            System.out.println("Different TrailerField: " +
+                spec.getTrailerField() + " vs " + spec2.getTrailerField());
+            return false;
+        }
+        // continue checking MGF Parameters
+        AlgorithmParameterSpec mgfParams = spec.getMGFParameters();
+        AlgorithmParameterSpec mgfParams2 = spec2.getMGFParameters();
+        if (mgfParams == mgfParams2) return true;
+        if (mgfParams == null || mgfParams2 == null) {
+            System.out.println("Different MGF Parameters: " +
+                mgfParams + " vs " + mgfParams2);
+            return false;
+        }
+        if (mgfParams instanceof MGF1ParameterSpec) {
+            if (mgfParams2 instanceof MGF1ParameterSpec) {
+                boolean result =
+                    ((MGF1ParameterSpec)mgfParams).getDigestAlgorithm().equals
+                         (((MGF1ParameterSpec)mgfParams2).getDigestAlgorithm());
+                if (!result) {
+                    System.out.println("Different Digest algo in MGF Parameters: " +
+                        ((MGF1ParameterSpec)mgfParams).getDigestAlgorithm() + " vs " +
+                        ((MGF1ParameterSpec)mgfParams2).getDigestAlgorithm());
+                }
+                return result;
+            } else {
+                System.out.println("Different MGF Parameters types: " +
+                    mgfParams.getClass() + " vs " + mgfParams2.getClass());
+                return false;
+            }
+        }
+        throw new RuntimeException("Unrecognized MGFParameters: " + mgfParams);
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/SigGenPSS_186-3.txt	2018-05-11 15:10:52.812125200 -0700
@@ -0,0 +1,420 @@
+# CAVS 11.4
+# "FIPS186-3 - SigGen RSA PKCS#1 RSASSA-PSS" information
+# Combinations selected:Mod Size 2048 with SHA-224(Salt len: 15); SHA-256(Salt len: 20); SHA-384(Salt len: 25); SHA-512(Salt len: 30);; Mod Size 3072 with SHA-224(Salt len: 28); SHA-256(Salt len: 32); SHA-384(Salt len: 48); SHA-512(Salt len: 62);
+
+
+[mod = 2048]
+
+n = c5062b58d8539c765e1e5dbaf14cf75dd56c2e13105fecfd1a930bbb5948ff328f126abe779359ca59bca752c308d281573bc6178b6c0fef7dc445e4f826430437b9f9d790581de5749c2cb9cb26d42b2fee15b6b26f09c99670336423b86bc5bec71113157be2d944d7ff3eebffb28413143ea36755db0ae62ff5b724eecb3d316b6bac67e89cacd8171937e2ab19bd353a89acea8c36f81c89a620d5fd2effea896601c7f9daca7f033f635a3a943331d1b1b4f5288790b53af352f1121ca1bef205f40dc012c412b40bdd27585b946466d75f7ee0a7f9d549b4bece6f43ac3ee65fe7fd37123359d9f1a850ad450aaf5c94eb11dea3fc0fc6e9856b1805ef
+
+e = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000086c94f
+d = 49e5786bb4d332f94586327bde088875379b75d128488f08e574ab4715302a87eea52d4c4a23d8b97af7944804337c5f55e16ba9ffafc0c9fd9b88eca443f39b7967170ddb8ce7ddb93c6087c8066c4a95538a441b9dc80dc9f7810054fd1e5c9d0250c978bb2d748abe1e9465d71a8165d3126dce5db2adacc003e9062ba37a54b63e5f49a4eafebd7e4bf5b0a796c2b3a950fa09c798d3fa3e86c4b62c33ba9365eda054e5fe74a41f21b595026acf1093c90a8c71722f91af1ed29a41a2449a320fc7ba3120e3e8c3e4240c04925cc698ecd66c7c906bdf240adad972b4dff4869d400b5d13e33eeba38e075e872b0ed3e91cc9c283867a4ffc3901d2069f
+
+
+SHAAlg = SHA-224
+Msg = 37ddd9901478ae5c16878702cea4a19e786d35582de44ae65a16cd5370fbe3ffdd9e7ee83c7d2f27c8333bbe1754f090059939b1ee3d71e020a675528f48fdb2cbc72c65305b65125c796162e7b07e044ed15af52f52a1febcf4237e6aa42a69e99f0a9159daf924bba12176a57ef4013a5cc0ab5aec83471648005d67d7122e
+S = 7e628bcbe6ff83a937b8961197d8bdbb322818aa8bdf30cdfb67ca6bf025ef6f09a99dba4c3ee2807d0b7c77776cfeff33b68d7e3fa859c4688626b2441897d26e5d6b559dd72a596e7dad7def9278419db375f7c67cee0740394502212ebdd4a6c8d3af6ee2fd696d8523de6908492b7cbf2254f15a348956c19840dc15a3d732ef862b62ede022290de3af11ca5e79a3392fff06f75aca8c88a2de1858b35a216d8f73fd70e9d67958ed39a6f8976fb94ec6e61f238a52f9d42241e8354f89e3ece94d6fa5bfbba1eeb70e1698bff31a685fbe799fb44efe21338ed6eea2129155aabc0943bc9f69a8e58897db6a8abcc2879d5d0c5d3e6dc5eb48cf16dac8
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = 5c61546b848a36e8e51f8beb1140823dbd95b06660924d16fdf9a1c33ca0b994c0745e7eb5be48ada8a58e259cf461a95a1efadb0880d1a6fde510d9d44f4714bff561e81e88d73a51ba23e8ca0178b06698b04dfdc886e23865059ca29b409302eb44f2e9704b588767327ec2ee2d198a0cba0266f2d39453806855cf0b0cd9
+S = 134e6acd94b76a86e7ff730f064a3d480d1cff1687b993163ce09f21d494a4a15e6d92758a93f7c83ead21c4ca290f9478241c9811c231f32d9d17e0b479a9b34cad02e5bbdde6c8e4ec4f35f93524f8afde49e6a4740bab2f2fdeff3fc5d92a1b50adc7af964eec82fb80be24092ab28791807c664a9106b5df3296747c014b75d69d181f2e58dafbbf9127164f88c862a48d5e9edcd6d2b2cbc20abceb0e98c7e731d27c8d04fad95ff50dd64af20e6388ed74b9b3cf33b4a316b0c752f33697e5a7445ae2f726f30333f107928872776225a3e0b1b14a7e84f9a695c7b3910330d225b4834110b54d6b05e69df6b7a2c9dc352942e3bce970cec677253230
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = 7540edea54a4fa579684a5b59c51eb20e61106f82157917c6173ee9babe6e506b6198d8af24e709dcad6ea372684d2e335635c1569a43ebec3da121e506afcd9f43c8c4e66b7e6247ced2025a912eb50c43376290a248f5467bb0c62f13b69ebb513b2ddb7c9a31334310f2a2ae27e901bea1add0dc1cc67d57ca21095437463
+S = 45541aa65fbb0773b1434c4fdaafe23fe800f78eba900c6104a6f0e76dc08daedc28a3380c8078f82055cd4a20cf30541c32d9ac625378355c156880b35a29645325d488f7a0d2de7df92cf9bccdf851445c2b834ad0e6849a6549db72affa7ce66fbbfc5bc0194504a5fb031267b6ca9b57f583e7e11c927e3dc203f7d6d4b9df675d2a302231400008fbbd4a05e17f88bea074de9ab8211a18dcceae6c9fd8fad96ce0626eb25c9ab81df55ba4d0a6ae01eb25a2529e16c98ded286cb345d4fd59124297ba9b3efcb67884ed853ea96d74e00951987bcda54d404d08f2baf7f0d7ff13d81d1fa20cde1d21663684c13ffc7164448f4e85a6c811a850a3faed
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = 840ff32993223efe341eeb55558e6ab1fbae15d17bcf0731edfd32d4dee0ac4145e04accb88c7016e03d27d72bf670dbc08fd94bb8134d2e8b66302fc82baca10ae445c0275bb43aaa42f2ee841693f3fe4955dcf29ff93a3bd951636a919b72ba650d8f4757b1717a747320c8b479009c22b20b913cb25ee59dbdf72bd921bd
+S = 07f07ef5e793d59b0c3f899dc846bb831d88dd4d2d8345ad2d726c5c532d13e05b26f0fd03b2b9bde7b6d5b6febc8fe5d3228887eac443c99ec39fffeb939785f87be8a93e497cfdea3d8d06356518a5254c5946236458b29f1cd47e97718c805b167791d10f9304328635330116a2aeae1e0ecc16bfd5a31356d06892b8ca04aec27a417320be7bf6fc1083d70fa522c23850f5d6beda1a251d1a5e71762bc8fd5f16ef0c7a961f4858a5b760a8032f3fd6bdce2ed26351f2beab8b89d9312d88736ee5253a9da6753283e5b3d0d9cdd3e19ca0b60b9fae3e3dfd67831df72ed9611d5f2b3ac256052a207a5245d2cdeaad0d1266c7177b1a0844d5974a8a41
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = a5fb396eee4045f886191f7ff9ea68aaa1bcd8e781903b6071f3ba2b7cd35cc08691cdb131575d9502ac4b45c046444c1d1f279899cb0b76a20883bd00972148704a38aa8f5fe61efa0c52bdb45b33f4c83892342fc8d0ebf3fdeab49568fccaad4e04c3d0fde97bb660bc4e9cd23d8ae830a1230c3292a9acfb787803eef72f
+S = 4428c389d0c80a9320e4859e41cbd4a47f78e4da5d1c0644ff50bad172de9ffe74d84a76d6de4f72bbe34d7dccaa03e1324041cb98308d73dcff0bcf7ffc35936473cf3ec53c66ea8a6135742e0ea9056a4897a7cbd2b0654b344786bf3047d122dcbbc4bea1840e84bce066c3385dccb021a79e8de18dc114a40d824141d8331a4df6901b3409c30552519b097a96ded6793cbb9ae18bb9a4185b6f4e83aad6dce878c689bf595d272719b9f50b3ede1803dfae6dd3f54e4ca9c458c14463f4f19af6cc8127bec80a6a9e5a5fe0d3e14dfcc6ba052750ebbf84a652adde9d6be68d5b134cd09bb94d0875e5527fe3f3fa2a516dc05c14fd5516dff2d434f0c4
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = 6e891589d71d2eff6cb986b071a31e2696d8ce671fa18c244267eb33d0c8e24018ebcfbf0910bb24966be0575f3268628df5786dfd2e6deda219661824c5029ccd6b6b90a60093abdd06bdb46aa74039f2048784eccb5dcb020767a7ba3df2c755b4f0e6f8143cfa093326afdc2b2b138fb0049332a0e3262bdcf9c8d9573b2a
+S = 01909328c24dd0ef912040f61492e3711243f8ca1262067cca6bdab165efe4157982323f13152999e9f21e6852d8c2efc4130e2c46a38446aacfc59fbca5d1a38946923b7e08be397fb787bc79a71ba08fc2b693d1bcbe897d1dface2858ba80a086a0e0a45efe66fd5350add819fd0dc1931d3eba2765f84f147422f5330d0efa0cd827197a5d89e2dd62db9051d5df8b9680169f349086dd038a9ac62f9941565b3f747d528ec4c36e9c948ad3a73240d07ef14b354ffef1b1965a9aafb13d0fc88a09707c6a0ad3028d5a5c6efaab50aad05304b1d5b2930abb8f58c0188b6a94231f8698c96ddd614343a0218494dfff9a293dfc7d5c3b5afbed8f079458
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = d66747638d8276920352b215158cefe0727a5e2b079d892cbb969f265d470ca2da354dfcb4300322af374699ce963bc17d51e95910c548456c8d9b8f04a300ad08c74602d825fea7bf32d56aded7211766d1b9f70b580a97b5fe67ca78dba1f1c6e7d87ae3a790a79a0c07912f98c76c94c2770cdf9cf6a8fcb3abdf9f3616f8
+S = 85f296084bda823556aa369e5cb19e10ce6e982a6d10a85ba6af6d3fed8f2c05599faed069215cc9eed9e72a4fe510a6c09ff721cf1a860e48cf645438c92c5c86d0885e7d246ccf9d0cfd8c56ca8d673b7094a3daa77db272d716f31b1380f72b50378f595471e4e481851c57a6b574bfb3fc7aa03636632045fcc8e9cc54594759f6014b527877e605ef60cf109b4ca71e772a99acfc7243318655ec50f74e48485668ed42859ff2c5934581ba184d926c8467d7c35257dce9964049568a990f65d591c2db86b48a7256da947fd7d978dd6734bd8685025d1a87e32f52a0299394c93e6d518b18e0b8db1d763f46905f405df0cbc8455e039f173e2b68c9de
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = 23d92665e88a4f6f732de384034d493d5df37b767a8260557de05688e8d60dcd0eba9cb8cc4bceb174dcbd3c0ab5a37db3b6ecfb6a3d90a4f54a9f1117e11e0c08b0114f22f2d98fdd93c0b9fd95d37c0ab2f00701431f1449602525e849570df704adb353481713969a148546b680424c30ad24a75bb6ad616a104bc2d562da
+S = 8beeb201aedb9fe7d535fc7989713062497a03e18ef9977b98a93f18f37545c38f5e5206e2b5df7f4a41ab9e0675f7d46d172dc3af90fb7b1a6fa6c986b803a7f2ea4ed217872cc686165b1278450c23c329ee2855f65e651c3db085e407bf3e3a96eaa833ba2056a084031546cea2f454f7acf84c3b90fd7b6210ef6d1ad71ed1b0049262f5b4e3ca99d10a3307752b2ad8e8fbba3a3e8432bc966553901e87150738aac9170fab1d27219274ec528299f8afbbd861ee837f2c86ecce7e73c9b7bd6f6661d1efe3fd2ff7b3efa0d1fc7b84fefffa14b55a2c5fe3252cae0cf0da6e50e3d615f86ae6721aa5e29ed3a1c71c243c2529eef483c56b902e93718c
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = 40abb42db34067fadb5aacbb2fdedd2d0324030bb75ca58f2e2ade378194b2c5f51ea2892b337ee297c77b03333b86f37581d7d77e80c87494bae8f0d22c4bd81e7525685c3b9706e1cbc90f2bff39d6cf6553eab29d41987c0304b14a8fc48ea4f96450ae205a6ca2acbe687df2a0dff9199fcbbc7bb704cf4e5b035184c4ec
+S = 54bec66241dc197ad92e695526b3b6a030216b48af90d93c36b2d70644e40cda2cb259f27ca9d141e5753f938497e84208b380ffe1788701c71d89bbea3edd352dabd32d9425edcf9a33e185cbc4031aa6069863fe47d499536a59da12a8bdbbf2a3a9f0039318d066f5117bbf6fce4f6752088ccc3a081d85da461a8bdcaf349fd4054f76384e668d00a6f747688c8420c7e452b0736ad62e1738a3f10cb62bc7ddc12fa670f858b2d5def9a42ac8f2fc91d488738a7c23168f51ddfbdae6a5d8ee1fc561cc3add4a7e14eb103bf9593cebf391c1f7a07d262faf03d47d07424ffb3a916a9564652a1be020a0e922e99a57da1abf931f74cfbdd484c0a9568f
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-224
+Msg = ef10b03c04578bd5f783358df367456a73de38c6fab2c35405bc685e3d4c4850f2cb387ac59e1612a44e5e78fce6f8be299d546832b5b970b3a3da8e1a70abb6165f72e14dd021104e64e38ec662f576f65ab776640803d2d17abdac6c75ab82451687f804b553d8db0eed57b9a3e39ac15c8878fa714882488938409b24f1be
+S = 4a183b82616f3bbc27a146710b28729161feb17900be62e69eed5d254d15f34bce52d6f3deba89a787ebeb0611e240cc23e16add3796d4a29783e2cbe8797e066cecbd66059c394f0e2f9e377f1ffa194fcb895e1c48874b9b6430a13c779f5ca29e3f42bca4b916710590ab6501809d645a4885b058dba0647971f04f6f2f4a296c45d89dd848b7c2f8777ec50846c97d35c12d54ebb6ff167327b1d4daedf4468031b59057d57ceddb79fdd013167ee6e46d9130693322c3ae6702901a1e90bd4b621d141977d0680acd524921bc540e34ac640ace02f89d5436808283e026e138ba3a5a4310fe1e048833f9b581baef5f891f9cdb2f0673bafa11ceabc7d7
+SaltVal = 463729b3eaf43502d9cff129925681
+
+SHAAlg = SHA-256
+Msg = dfc22604b95d15328059745c6c98eb9dfb347cf9f170aff19deeec555f22285a6706c4ecbf0fb1458c60d9bf913fbae6f4c554d245d946b4bc5f34aec2ac6be8b33dc8e0e3a9d601dfd53678f5674443f67df78a3a9e0933e5f158b169ac8d1c4cd0fb872c14ca8e001e542ea0f9cfda88c42dcad8a74097a00c22055b0bd41f
+S = 8b46f2c889d819f860af0a6c4c889e4d1436c6ca174464d22ae11b9ccc265d743c67e569accbc5a80d4dd5f1bf4039e23de52aece40291c75f8936c58c9a2f77a780bbe7ad31eb76742f7b2b8b14ca1a7196af7e673a3cfc237d50f615b75cf4a7ea78a948bedaf9242494b41e1db51f437f15fd2551bb5d24eefb1c3e60f03694d0033a1e0a9b9f5e4ab97d457dff9b9da516dc226d6d6529500308ed74a2e6d9f3c10595788a52a1bc0664aedf33efc8badd037eb7b880772bdb04a6046e9edeee4197c25507fb0f11ab1c9f63f53c8820ea8405cfd7721692475b4d72355fa9a3804f29e6b6a7b059c4441d54b28e4eed2529c6103b5432c71332ce742bcc
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = fd6a063e61c2b354fe8cb37a5f3788b5c01ff15a725f6b8181e6f6b795ce1cf316e930cc939cd4e865f0bdb88fe6bb62e90bf3ff7e4d6f07320dda09a87584a0620cada22a87ff9ab1e35c7977b0da88eab00ca1d2a0849fec569513d50c5e392afc032aee2d3e522c8c1725dd3eef0e0b35c3a83701af31f9e9b13ce63bb0a5
+S = 492b6f6884df461fe10516b6b8cc205385c20108ec47d5db69283f4a7688e318cfdc3c491fb29225325aeb46efc75e855840910bbaf0d1c8d4784542b970754aaa84bfe47c77b3a1b5037d4d79759471e96cc7a527a0ed067e21709ef7f4c4111b60b8c08082c8180c7c96b61c0f7102ed9b90e24de11e6298bb244518f9b446ce641fe995e9cc299ed411b65eb25eaae9e553484a0a7e956eadf0840888c70e5ca6ebc3e479f8c69c53cf31370ab385e8b673dc45a0c1964ec49468d18246213a8f93a2a96aad5a2701c191a14a31519e4f36544d668708ff37be5481cb0ffa2b0e1f145e29f8575dfa9ec30c6cb41c393439292210ea806a505598ebdf0833
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = 7e6690203cb068b8530cb1ff4eeaf0fc69a4e304f556072dfeef5c052c886c83e7f58a3dbe9a58dc0a808ccdcea9f33ae2a0b6395153dc43ff2510e78f40a4bf8328d7a4a596531ea683fa1e0683e2f033549e6bf5b7c06b097e9b810de74ee89c28febbb94b6266713c855bbc21c706a5e92502aa28bb8d662287396d2570e5
+S = 509a01bb0360d1160ed3ff33432291cfbb63daa2933819600db7dd825aef13dd1e9a888a9fb6fea93debd4cf4bc77129b06dd4727193d7e8a2e5aa5a6020b64524e93abb0406f5a18f74ff0aa804919df4072e319ce8234431c94e8eef8c5ce813a07b2f66dd6a032c3e69a3c58c6b54acf08bbbb019df15f3abd22c67f3e2cbffe99887adee58a39cc30ac45a6e6e59283ee0890aa87072a857845f5cf3ddacdc776e58e50b66e95eb13dec49ce45505c378734e964e8095d34a01317768b7b9fbef6eb24b08b1bf0312ab51e0acea4a3dfdfa6fa7bb115b8b685d354841d1901bc73cc655ae246a5453ea8d160610425c2c14969bf22a7e11e663cff1501f1
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = 1dce34c62e4aef45e1e738497b602e82c1fe469f730cf164178b79fdf7272c926d69bd1b5e2de776055753b6f2c2bcbf52795110702a5bdf7cd71f6b8ccf068ee0ddfb916abf15458dd9764f262b73c4c981f5f64de91e8d8a6a30d961f3ab66fd92b6d159e6c0db02d767bc1f8499baae7df9f910338495c8ad74ee807c6443
+S = 1bd79d25ac6b0f242f39555c85d858c23680e1ebf9590d05463ebc58454a7822cf0e0c2ab9872b6eac5ae8ce3da773d6b2039e9b26ce751dadc48579320ea63b978b0df038191d9128102128a365c01d9e2b43fe2b5ef1ce9ee8f4a1e12caef1bbe7f3a8d1a93c9f399753bbfd60d22d8f39206a511ea448dc23cc0e4fcf0b77d3f3fbd9188b740de3f85009de94ee157dbf7edc3165e9f69b59db37f7fdc507496de8941a2a2628774b06c8cab034bbe3d2c04d253b5948d6e5712373ada99b7f860612440c5eed81efeea18d76329dc30bd9fcc500e92315677142d5e1b6b45ae0e6e725122f046c9a544ad1ef1ddc7c6b2a7809715ab75ef870ee6670627a
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = c32976432e240d23df6594f2885f00db7fa7e53b7aa84ef89798ec149fab74828b86423847f64285b7e210a5f87e5e93e8c2971ee81bc13fe060a8aa840739a3d6992c13ec63e6dbf46f9d6875b2bd87d8878a7b265c074e13ab17643c2de356ad4a7bfda6d3c0cc9ff381638963e46257de087bbdd5e8cc3763836b4e833a42
+S = be69c54dad9d8b6db7676fe74321a0aeb08d1cc17f6607e87982f99489344e99378c38341e0e605b8ff903c74a973872a9880e05a8ef0bd3e6049931acf152dd54fec9105a57b73f77631db736b427f1bd83275e0173d4e09cd4f8c382e8b502a3b0adbd0c68911d02de17fff3d927e250e1826762efc0b895dfa502f18dc334b4c573f99b51b74fdd23009861028f1eed6875bf31d557acd6de8f63fa1274f7bed7a1b4c079f5a9b85bfab29f552c7f647d6c9241563fac123a739674b0ad09c3f94208795d9a50529d799afc597e025f1254995f043234891620b10d5c5569be14b0f463a495f416024618486c7ff5ec775cfb46fbdff5379c5e09150b81a3
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = 218551f425b3557d09ccfdecc9ab499085bd7fe7d60820be626c1a9aae293f5734a2f60fb661313dd15a9f22d5742268d4458306f91d65631b4777be928beecd4af733a416e0d8d94623d1e67bb0e1ceba4a5204c088e98895201953646477f58a0d6e7ded3834998faefcfe63686e0a5f5354a8d2509675f87f6821cbbdc217
+S = 96a269e0ca4af626aa8b7f45acdaa76d5dabfea5a7d762ab39b138dc7575fe196aeb182bee5b18503969b5ba111f057ccdbf292d7488173a4a4dd04e62c254d502673d5a076d326c66c9a71a3b83b1005c6366f8a0902987dbf08cee7562d0abffbdd661c3525be8e12dfd73ed31efaa817f61e7fef700a3215e77b6231d59c098fa455b69ec6e658a66cca2e8f2e090ef704270995170ba9a1f561b848676804413645a943d883191d95b024d6ffc9cb611c68f3319403bd7c07ac6694501368e8147a256e928604b63d50e2c65f3b2c30df1eb0363e29fe448f94b6907cdf42fbc9c27b31a43a8f5c15ce813f9b20d16da6c298843f052ed37678b4ef1d78e
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = 06b76aaeb946fe6867e4716a8f1ee8d61c483ab345cbf8e5b2bfab5ce0bd5c8bc6ee5a1cb96837e28dbb140ffdc61ea74cd059342dd49dbce11bdef09f10b0a638510989fb02490fd66679acbfb0d04652167ce8bc289fbad760973196fa8283a405015e48bb3dd98c0e28ab9e83069a76432b37b97006c9deb55e878f21dc0a
+S = 65e2358bafc9fcb65536a19d27f710596cc31f9a8328cf9de21257506047ab1340a74505581a54f258bcbe0c1520f84ebd2e36913560dbd71574e3738428097d6b819e6900f27df159dcaf08c6e1591b073bfefe3da6bc827a649e0bae9c52fe9ae180d1efc01e5a38adef102c6d106af12163b1a0f6d1543ffce3980ca0f8b70d38007288d47bc565e995b8c21da2f959c928aa2f8574a660226048dc9dba59526a30e3274808683b41c0cf086ea5afc48eb294a88c4b8b7383dae6469e8483345b1daf1d2801bda93ff91ca75dfaa8dd5d47e73cecf0efb0629fda16c601070bee2e8cc0695150739202e3be270b9801d085e11e1df07f9a4cab54fda23da6
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = f91670bf6b8bf5c8c75056d844168fc6ec0c28d09400c1df11c7ef0da9e04664c854b7e8f4e01dd8035612328c4107759bc894aaa9d50ca5cb7655892983f68ab28172f70ec6d577d4de8c93fe2e79749ad747eec2ddfbbecd89cc10c70b35451f6448f2a083452ca2ae6b0382240e4c4f01eaa4c661b7b181c8feab6bc22a1b
+S = 2eac03233c4e24b3328447cc09661c259676b569e6a0848b5a193065296a59e3b6d35a2ecd91c6cefda4f2bf9f2252a27334fbbc2d79e450d44bc282f7d7321b46f82028c154f30f6d62edf3672a1019d914ec617aab2d007f844e63e295bbd8f66163deb278d99d66fddc58cca2b911ce0af95265134af55a4b786cc214fa11ffa29bcdfbed12c5ce6438e9b6beaeffa3587978a83409c29f115423174c05cb8c30198da8b193f9446b9b49f7e3e2862ec9a350e8441ba4e5550e87db54712865fc2690a5938aebb28409b88cf0d172111a74f678ee0819ff8bdc22b08fc6fed37b676d0705396f3247a267c60f7ccf1fb260c0c2e924c1ef5540eb6125f3b1
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = 64e3f541453170db952c09b93f98bcf5cb77d8b4983861fa652cb2c31639664fb5d279bdb826abdb8298253d2c705f8c84d0412156e989d2eb6e6c0cd0498023d88ed9e564ad7275e2ebcf579413e1c793682a4f13df2298e88bd8814a59dc6ed5fd5de2d32c8f51be0c4f2f01e90a4dff29db655682f3f4656a3e470ccf44d9
+S = 76c297fbe302f686377cb155ae8a2b65a6c577af303035c4a755fe67014c560476e7a789b8f2195b0f80416f5f33b7fdccc380f988cebadb640e354bf5679ee973a1e1485b68be432b446ff5949504515a65cddb0faf6dcd1e1188656ce941af3ddc8600cf0e4087ac8382f0d5061d3d05f58c9362eb88f30a724d18a15ee68a60c5e4dedb4084c9d01522999092094c85622e67a66ed034564ac286b0ff8791e9933a23f83b4a88d2e79e3a29d6a3f87e63bb1a96a6bfd6898edaa938f74c72d6c10cb94d055ef3fda9e6dd097d52738754800ed403b1444195a311fd6962007999e31edcf2870d1c3ae3b3646bc7da55e5f1e6627e6248839e8f70b997fc1e
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-256
+Msg = 33ba932aaf388458639f06eb9d5201fca5d106aaa8dedf61f5de6b5d6c81a96932a512edaa782c27a1dd5cb9c912fb64698fad135231ee1b1597eec173cd9ffd15270c7d7e70eced3d44777667bb78844448a4cd49e02a8f465e8b18e126ac8c43082ae31168ed319e9c002a5f969fe59fc392e07332ba45f1f9ea6b9dd5f8a0
+S = 2891cbe23ccf10c396ef76a5840adaad6498b6fc8c6a2f6c26496cb428a9221ed59b3645f9a25f5747feda0f51b45319e0978f22ac4facbc15db9a4e5849ac2a1404aeb6c00e5eed3c07eeeee2435668fd17f16ab244c9d38f9ba0de9d3f3ef0d994094e92e327948f1409ef827752344a1375f608dc3cafe74970745a023b320b3bd3171b62a68a5ccaadbc64b82cee4b8a81840ed8b751ac66a29eb81fb819ec54c76b01c7b412a43ea057a80202f1c3c06a4ee60547c13c6c2fac34a5d5aae982b9dabd119b470829bd77a560e0973409115bd1ab5bdc6bb46fe4048022b0cf4fc6aad4184c28621ec6f82edb54733c902620bf45f2517f24902e56d58038
+SaltVal = e1256fc1eeef81773fdd54657e4007fde6bcb9b1
+
+SHAAlg = SHA-384
+Msg = 833aa2b1dcc77607a44e804ee77d45408586c536861f6648adcd2fb65063368767c55c6fe2f237f6404250d75dec8fa68bcaf3b6e561863ae01c91aa23d80c6999a558a4c4cb317d540cde69f829aad674a89812f4d353689f04648c7020a73941620018295a4ae4083590cc603e801867a51c105a7fb319130f1022de44f13e
+S = 2ca37a3d6abd28c1eaf9bde5e7ac17f1fa799ce1b4b899d19985c2ff7c8ba959fe54e5afb8bc4021a1f1c687eebb8cba800d1c51636b1f68dc3e48f63e2da6bc6d09c6668f68e508c5d8c19bef154759e2f89ade152717370a8944f537578296380d1fe6be809e8b113d2b9d89e6a46f5c333d4fd48770fc1ea1c548104575b84cf071042bfe5acf496392be8351a41c46a2cab0864c4c1c5b5e0c7b27e7b88c69f37ffa7e1a8cd98f343ac84a4ad67025a40ed8f664e9d630337de6e48bb2125e2552123609491f183afd92634487f0b2cf971f2626e88858879d45a29b0fefb66cd41b2e4e968385bd9fc8c7211976bc6bd3e1ad6df60856985a825f4726d2
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = 8925b87e9d1d739d8f975450b79d0919dde63e8a9eaa1cb511b40fe3abb9cd8960e894770bc2b253102c4b4640c357f5fd6feab39e3bb8f41564d805ceafc8fbdb00b2ea4f29ed57e700c7eff0b4827964619c0957e1547691e6690f7d45258a42959a3d2ff92c915c3a4fb38e19928c5ce3ddf49045f622d0624a677e23eb1d
+S = 43ef93d14e89b05d5e0db2dbd57a12403910646b4b0a24d9b80d947954591afa6e9809e96d7d3e711003ee0a9186ab3d8e0b4d3425c6da4b5f7899537e737b71df9ed6355529aace77a7cba96b5b0a86399252f1286a6fcab180b598455dfe1de4b80470d06318d5f7a52e45b6d0bcc00bd365819a4a142b83072775f485f63c8004f53378a9a0d2345d07b1b326238ed070d1e69fc0b5cf853a807cfb723562d1f5682482e8a4840588bcc7154ce0740c768616cf04d7aa103642917ec5b4b514a3734d9e0c58427cff42f27f43fdfc85991e045acd17af6fba7bdab818e90eb4117684e89f9163dff7b98b82a08baa2b49acde480c5702c335237d1be771b7
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = d0eb4623eedbd97ee03672f8e4174d2e30a68323ce9980e2aafbb864ea2c96b37d2ab550f70e53d29cda03d1ba71a1023de78ba37dfb0e1a5ae21fd98b474c84338ff256b561afc1ca661a54d14db2e2661315e13581731010f6415d4066320519a363fdd2dbd5919362214bceb26716d3b188a39f32950cf5bd87b7b193307e
+S = 213ea3fb11cdd71bd5b839de8a598b6a142023825e24db7cb1a4459e78092b32b07643c7270839f247870efbd320b419ff3b1914c41b6ca4bc3cf17017d9a94d86f0f022f4495666c4a89f08e216a161d4664f2d616fa4bb2a17ccb85004e63f488ba29564ca136aa3a6f9561f85cb550b8cf8b0a85afbc8aee2c76891a53e7cb66e36f8709e7990d8de8d0c73865c1cb44727f18c0faf25c53f15e070c430e73f77b1e9c8f8ec13114d7e7ac790ade4ec6f1de0cec13f25a48d534965a8ede12090a928a91d5a1f214aefe6cee576ad43eaeccf635409a8646853d9cef93c9c04a884253380a49e682bff0750577c5a80becdef21a4a9793fabb579eb50e3fa
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = d58e0997224d12e635586e9cedd82dddf6a268aa5570774c417163f635059ea643c1f24cabbab82eac004a8b9a68bb7e318fc526291b02040a445fa44294cf8075ea3c2114c5c38731bf20cb9258670304f5f666f129a7b135324ac92ec752a11211ce5e86f79bb96c9ed8a5fc309b3216dde2b2d620cd1a6a440aab202690d1
+S = 4385e67819283d81eab2b59357c51ce37b5ea32b76af345a457e5aa2dd61113865a587d2c8a8f1c8825281c052a88fc67797adb6251d28efb911564671affcbfc7e1a3c055dce8d93497fe80da459647ac71f17e9aa07d1aafd5260ac284d622a03b6670c55b0d40696d436c638f9b48bd08f37db4eaf1d9746d2c24de347dcca0a62df244bd2a554bd08d047efe52cb1266ee5988447e1b2740f960d22e9ed3f2573ea8753a60d306d654a26503a5416a4439ee44aefe08cfebbed56585eaa01a64bc812f589da9e9d51849b4d4feea04e2b03c4d4fe516decea1e3d9e7e35bfec17d7b2c218d8553bab921eab6410ad30cc131579497d186fa25cf62521fe9
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = 3b9dc97a36492a68816aff839c135da2d7dec5505ddf496670dbf0e0f6b65ce9352baa38dbc09a9f41f8f0e1f0ca1ac56552126811c786d7a4ad37dd8b4b9f1ab760d655a112b6148b273e690877340ebea10eb46bfe139926d3be59e8cb63064aa4147a9028c6ece75fb0c2eb03f4a66c3481dc726d38d37eb74efa131cf1d4
+S = 3fc0e79913fc234e4f271cd6f5aa63bcd00e0c4fe2242815645d384781d5a00485076bc011f4412457bb7a2cb2695abfa18471ff6087038d585f802995159c8beee7607330759f310107c35b4a6a9a48fc910f45f70bffed1281f2215af34759ab08b68acd539ddd37f98a528434cf11ae0e85ef221f7117c757d970f3181e9ccda927469aa88de59ceae91c270818137761e56d75a3c01ac128b65818f28dbf7dd268337356e97bd104df6218db3b1292ec2652b62e5aeaafd905ec8fe67d6ed42e805048deb55cd9d75f818236687bc5b2cf33e17678c45a9b2144d58a4c77c163e57c1ee42cbd92bab46678092aef867968d8e6a387f7cef3920e4ee046eb
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = 93ebc05837d0d50897a1d10bf1b08a6a767e52bfaa887da40d631d6cfb0b1011d1793d6e51731aae48a872056dfc659e8d21b0d4e5672ea4d0d59f62a278a9acd3fb1c9d60787a426e8eb75230b43d190ccc33b6f9fcff862cb909e0f324c203e19ae64c2b86fead527a285a027f1ac53ba965cdaeeef7326a37e44db7b866fe
+S = 19b1bbc3e4a23b44ec429dc4479f3fa45da87037136ada535bb325c0c03193a2ed8216a9621e9f48ad2c53af330570fdfc85fc1dbb077105af39e8e3a9faba4a79ffe987e1a37e5a49c60320d086e9292060e9fe671f1bfa18ad79f1ae559551a1d5520f8164a877b3fe1938fa51cbe8b5110a332c500585d288d8b30855afdddd233254f62e56eda75ea6854b84bb05e5b4497aca3d20baaf2d6d228a400135ecc45161c3f2e7258f8e4742aa687bd9f7a4468a61558fa0ddf79e5e0ca51ffaf0151bb255152219c76a08c3e46557ed6b1415622bdfd94f733ac10d8f388c0ef646d8f5d71a3205307db703d627287e2b7be15c33fff19147e5daa36d4252b1
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = 8bb56404897a19140d112d939f73fd7d18a5d107aaa20332209664a0674cdba64eea4fa48adcc791fd0ed0da385e206d3e5178108a04cff85466ac9711a5d4b539e625c24c39c26b17cc706b345f40a4d0f76f6eb0d78a2f76acd52c2108ee9ed411ae09d87b50c9e3b3d5ed9b5da64956017cc724017dfe0fcfa806a15c728a
+S = 12f03c6f02b34f921831df384cc6e30d0b64f8ed133133ff190caca2503f1a4f4f721de6824ffde125bf41ae216e5feb8510e4d6337cec56f18550e78c69b1618457bc1b604d109e526c788628391ad8c29ad6c5da268922a55e4eb3053415a9de109112b5fac1f996236f46ed3a6c2f845c36bab09a4c21da20b17d2590c7b058fec130fbec4856ade373b6b0773994bed5ac7a420a09df8c1de246ad453dc8a62310accc9f0bdff16104dfd74c7752c33df20ef08c52d0bcdeacdf2a31298a3c72bb7397c3f9306fdbec45287688877fd6c965b8dcc513c9bdefc2f9ee7e92bac62438e4d80bd3ee2ca50a024d6fdedf39266480b2ec77eedea6b64a9c58ad
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = 35ef7f038e9b98a421b9f6a129ebc641596380ea1648bf9fe35c50c71ddd8930e8a9dc5369a5acda365e5e5f0af1b477be2956ef74e8b25516c806baff01bbb7f78ef5ae658b6852c0e26d6a472655d2f2bffdc2a848a252b235f73e70b975e74ae7f39bea177616a88b4a494652525ade6d9ceb1831389fa0ec4bdad8cb5fc9
+S = af809f10fd160a88d42dc9d92285e2b2afd8162c38eb91a6b6273a66c30c79d7caec94a00fa732710d9f751219767185da5064ce26fec0647cb0670ecc68f2a601390dff07ff0237f284dd4fcb0b11148835c8114c5a15c513713dbc16286707eecaf2c450f588fc96217d34f59e0c716c7348270041b2c4386f5a5877f7fa48510cca8b07b70490f9eee957ec0a52ab955a3f1054695a7f5806f705fe3e9802770d591eddf2a83fe03d8adbf553ae59528051218db1f3fd070f8e1d3d4b4083588cf2710271ecca5d9369468d045b0f2e0ef285f9cfa65a04cd223fd84c01b8c740a4e95b9fb675c0d7c470b3598d06489bb7d6722eb72ab8120d7f0ae29a06
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = b4422216f1e75f1cea1e971e29d945b9a2c7aa3d3cca70bc8dab8e61e50d6b038f9f46fa5396d5323f5b2c7ea880e12e6bf96ee37889d6a2927a8c285091907d6841dbcc2c1ffd725596055500dca177f62486cb301612479b7c303a183e7de0c790a933856a1f05b338e84c3ad4ccbdcbb1bb9c6c596cd23019444045fa7953
+S = 0f31c8fb4cef7233cc20bca20eaa5b42a9aed4a4f40855e2c518501ae1cfd71f98bf9ffdec1a74bea75bdf90b9c67c5824a7054ae57ef49806359ed64b2c5efdaf52829395fe426c802665bd7530ca3cbb40d5f29367ea55eba29903e8eba5df7556b5527335ac06a211c597e916fd6978ea5bc6daadccd4fcbc61ee64aacc902f652e545ef48579cd523944461d9161a542e2e7bd2a1da72ec9a751651d184fb75b16951e1b5a98107ab3ba680df0dd06131a9318e47e15326f27fc34dddeeac89b11236fdc9b8f799828dfa9714e6ca3982d8f79efa2a455e6d73421a1c933c92902790eb79adf0e4fb6202b6a0868aecac2208ab673b249a826646518aabc
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-384
+Msg = 882c97fad763ca235b162fba88fd714d023bf7380133681cfa9e6a8d7cdab00b58853334044bbf3741fcb28cfce201e372517b5a987f52f2ba96d744620885707b234157b6e5e00a2d11ea8147829d91dbc0351898d16b7ba4523c5283c6eb613b2d49cbb5d93482677d5e023087503f83afaedbc8d0bc9dfff7211fa7baebc6
+S = 0c4850b815169cda5c11f77bee14ff2fa1399af8dba09fb9485211ddd458e4152f966b2162cced299e496ca0c6cc891fce52fde9be554aa213c9f9dcce053452fe0702bf2e953ac6490c97660d8dae7ae557d94e4de409100951bd3f8be77ad5e6a7f8551190a1f2ede40fa5a12e5d995c7739221fd9be3970c05dfc990a103db1e9dff25e37234be4f70b372a4071a9c921a34de8f6c56f1106a2431b2fc2d60026c7f2cfab11ee75afaab90d72dc8e15c6d6ddee0d4302341f107c541b23368995b6e95a0efb3624e70e7980533a4d6cd823e26072a4bc88f2c01349222472ee394b86ec83f4fb9df8fd105fedc77d28b7a7e9d71451219eb42c25764bfec6
+SaltVal = b750587671afd76886e8ffb7865e78f706641b2e4251b48706
+
+SHAAlg = SHA-512
+Msg = 5f0fe2afa61b628c43ea3b6ba60567b1ae95f682076f01dfb64de011f25e9c4b3602a78b94cecbc14cd761339d2dc320dba504a3c2dcdedb0a78eb493bb11879c31158e5467795163562ec0ca26c19e0531530a815c28f9b52061076e61f831e2fc45b86631ea7d3271444be5dcb513a3d6de457a72afb67b77db65f9bb1c380
+S = 5e0712bb363e5034ef6b23c119e3b498644445faab5a4c0b4e217e4c832ab34c142d7f81dbf8affdb2dacefabb2f83524c5aa883fc5f06e528b232d90fbea9ca08ae5ac180d477eaed27d137e2b51bd613b69c543d555bfc7cd81a4f795753c8c64c6b5d2acd9e26d6225f5b26e4e66a945fd6477a277b580dbeaa46d0be498df9a093392926c905641945ec5b9597525e449af3743f80554788fc358bc0401a968ff98aaf34e50b352751f32274750ff5c1fba503050204cec9c77deede7f8fa20845d95f5177030bc91d51f26f29d2a65b870dc72b81e5ef9eeef990d7c7145bbf1a3bc7aedd19fa7cbb020756525f1802216c13296fd6aac11bf2d2d90494
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = 9e880ce59f547d592c309c22a2974ba5a52cf1c164f2d8a81ebbd4ede6e326dea33d9f135a4e0947b0b9c267aafbaae9b8583f5ff215074ca1e82f3601ad71fc455a3b6adc350d0bf345223e3b06548cec613a390ada9319e70ce7a5e9526b4e8dc82612ac72524cfdba05d0dc201037492d277834a843b9f80d4564253bdc7c
+S = 8c4f819e682081bb16ddd459662a8078bca4793e18110033539460b408c0af747ea5d941f712691f5d9ddb643166fd965f5b51b819d55141d67c1553b27a4682e67d5555b64d7cd3db7fc5c2e701dd26e422af8a1fb52cd5f5a09e0d6db900a992f318deeb6f6e39dfd6af44cb217c6854089ceaa16e3f9b100ef8e78f6b453458b8ef6d71493e7c6e45282c617fa87ccdd4a0f2f9f7166281806fb41d0fe188e00c40afeaa07d2da09a2cd78052f8d56b7af40d4c7314ccf02e490d5e2123bf676f2bcbdabeffcf58792998dd0f67ed24e483d8976b00d6151a6e0ba740bdb57c9bc27fe5df9126a47020075eb222d5ca2470724460c5adf067b5750287cd00
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = a6133ca436d3f2e0a6562f138975bcf785cd0c3b58b7671d197b483bc0c003a6e947aa39d5d93229b27ed2dc1cf0acffe34fafd30f16bcc7214e074c9c02c1e5c4f2f47da68baefe5817611f82328a7e1d7d91ee7b96f0128847982b4ffd902ec07ce01ab0d2ad882189a583c4219e9bbcbe7935a51d4d25d5ccc27fe19bbaa9
+S = 20ceee0fd620160ef6a40966fa4ef3d8f68c002a66d0103eb62a868a7ad7dce9523a5b83607b8cd0ca54f833f3a68c9fafa1de7fd723e22a0f724dfca1fb6bd1a88a7dbd17255ba1e06102c2cddf584f511bdd09e132b016f867896a592a28c53c70752a0b10d86bdbae9503928d2e0203ab8f845c1f77adef2bd2f4e126066fe15af4a5282d5d9fa73bec18d2e6a5969d766eba55c0bb95e13671f82646c35b31d894e7f95f2fd35f60d88c3e70b20f6f387326400f0a825bb9517df88bbcc4798861144782dd92ccaed36aec47d5365d3b61a495339ed58e2553b74f06a295ae47a309d8477b9ca838e77094718565903432ce243c9dffe6dad464cd5ee279
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = 6d60a4ee806bf0fdb5e3848f58342c0dbab5ee3929d2996e1f6aa029ba7629c96cec6293f4e314f98df77a1c65ef538f509d365ebe06264febc3666755a78eb073a2df3aa4e5d4606647f94cc8e800be22141208036a635e6b3d094c3a3a0e88e94bc4ea78bc58b9a79daa2869675c2096e22a40e0457923089f32e15277d0d8
+S = 912fdcc5719a8af7389db8756bb0f630a4c78a1bd1fec7c4a6f3e50924a9818c9eca4a4efbaf9e8bad55d6468d83c54d0450b53a267a50685e7fb93550c2ef3554f69b4e49d3be359bc0b88f3e753714684ac047b4dfb436140b13129fc4bbfeed86548500d487094d222ed4e249db0a46b34ba5247c1b86e8650a703c9d3e0374433d3af52578d35f0f9108439df0701188da206b579e1712811c1e33b3da32f33acc9cd0bed60cfe977a4a6c6aa6498ecebab9be86c216a7214eecb13c2b7d4d309f5488012056905060c3eabe90f36b01588acb328869034e00bd19bf5c1a44d8ea2a89b747b2875d97047c53f2903f67b5a60aa87aa70a9479735198a508
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = 1aa215c9f16050f31f0ce5adc8cfa594e44ef29087dc23ac65ed2a2595ce73c0959410618f5314dada903c01c4f8d5058f52d902b9b25cd281ef2627a658a2d672a3f776f726742a994a31bbcc3cf3ea1fe551047a1d15b6a31be52307302334b8b6112fb243398c62220c046903c9ea9df1a0be50851800d659ae4241c0be81
+S = 6ba800b8692ae568344c448094e3e16f50dc2c53edcfbbc9c7be9c07461c0e0686fcfed607af2a66291fcf8e9653fb3e9857b208ba210100df9e6c0495ab4d13f1029089cfea49a6be8b62036f30e0d4e4c1d95a5eb9580397d3bcf65a9311c2d8de249c2d1d7472369537cccedf8a7feb0c170eef41341f05e7d17caac4261b62498776a5eb1d9ce7e4746b4849f9021f0aff917179750253c719017fb5dd6855672eeb0847ca075e589e320f356f49872455b30f8cc1a3a7e1a4276ed6a909be06bd9f89c3494ff7db432d0d4d3f3ccb0be71b0bda4f66ff79773004905c6102d964b3b5a5e28e4578840c0e488b7f2b4f31066b61e13821e88a0ddd2b1c2e
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = cce6ea5a46bdd6805160dce409d1023cd71d3893303ca0497f392d5c5f936fe50ee2ade61ebd35426edcf00d597a39062dfdef62dfd9c9ccfdb2eaa9e3c1b6a03278e35a7e69d386476421212bdf7af4599bae5e49850653abdbd9a59d8f5a8220f0b43fcd875953c43f96a7e6ca6c0d443f9b0dd608ffe871fb1fd7f3c70494
+S = 9a465479c1474c1a54f16f309bd87b0c641a458d86173a4f29c2829fea0410787a81b3c1360cfc525d133dfdecc13acdd5199954dd8440739608545724cf1270caa39a221e9c6bfba399b9b05e55708875bac1578642ba7211260662299bf5ef68a39594e38faee14989ac5b2daa13211ece394cde46afa1b110bb55f631bdae5b848dfdb8920d7c74eff82ecdf59f2c6ed9b818c2336364b2a56d34a22ac42089dc5730e8e57b356cc4822c1e646268dc6a423e034b8b1512d41b88c70b27e431d68151e61a4fa5c89f1e90d621e07228c0346ca46f767a989f1b0d007237645d448030a7fe45ee0f46521272a8cc453a835984f8268752bef801b6226140b5
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = cb79cee1e7c3546750dd49fb760546e651e2a42ba4bbe16083e744bd1385c473916d273e9566673e98995903b44590e7acb580a02c6fdf1552af51716c134376049817151ac5823bb02633ed8cfcb697393397a14f94ca44f43c4a9ca34d01fe2ce3e88bfc4a6f059f6e1fe283927e9fff45335793926a9472787a653d9ac5b1
+S = 7cfcc23518bc137b94dbc87e83e5c942a5297ab4f70a4ad797b1dfa931c9cfcb30449ba3b443fd3abf4d350b80feaa9687b39e7b5b524ffa35063ae6b4e12a41fd734a24f89c3652b449c2154099a1c7739d5db77ba9de0358a69ec99bcc626f657213a256732631461851c919a93b04ad39800f02d0e627cd01d4b80697a9a1fb0d71df4f32ecaad3f1d5c80cac67a58c71ce81e23fc8a05ec840019c834d78ee1955c5e41065b323d01fdbe81b768448b4a7388886c9740b1541ecd8454f73ab64f90dd46cce6a2329beae9f3ee0bf567b507440ab3ca9de2e855374ddf6e105b3d0b33a138d716d138ce9f9570797a82eae557cf321fa09b862e31ee8d85b
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = 3ddc491798c6d8c2d6932502e14ca0d6cd90016c219438427268a38b377c84d4d862b2e708d58ff055fb39defde7050c0462292183ebb83543fcd4358a8f1f8835e172f20776d2b9415d9f0773b50f909170db7449573867944e090f8cda53ad7de0f1003eb08967c241be45eabea7a99d42802f1be1a0218ee7abe2e364098d
+S = 68a46140382dbf84b1794ce86937812d8220fc59e83dd1afa087efc41883616bfffb8283bd6dd5ee1930337951ded3be23fdc657e1bc07f41b539eb779ec98f436b367259b6841e495bf84555aff07674c9fb705c85a9cc1fde4bad40506e3373cc3a490daada1c10705177c165719104daa8ab675666625335e09a24f7a2363d7b3b878f34fe68fe01425275881c34b60ee78fcc0a54d56ac8304fc7a4bc0d5a447ab89b9206401e3c445bb1cc8e0c2541fe0f3634bb49d5af3a1b7c2e7651d208392718311247f0f15e4041a46301b93da2cda7af833d80191565833926a78468abac9eb4b02c5f047ed38851c3ed7add4edc05e8407481b8b942ab627e03d
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = d422e63e3c65eff3ee15c7eeb2ef0de7ab96a3c37e2af9c2b71d8ffa6842b504122796f5c9a5748f94b535b913851f2d64cce071465ad1087ff37be97c5d5b3038b8e2145f0ec019b22b6286adafb91a67613efbbbc633efa5f32bceee9fcc380c7cd48344c85af7111e573ec99364167efec5492297a7dfefc4a692062f9282
+S = 2bc6331715b62972a0a5dab2138c5663b0e33961063ce973e68e1ad172723bcea293f7ba35af24504cb2e373b11f80b49f79d3905e0aaef838fc7c7fb5df49a322d7c3daa294a1a0a8b71a52e2c5dd94575f319c64ef9f6fc6bbb70c0c97fa12ae78f73234aaeb93df299f81513458ecd243fca5284f44a1afcd0575dbf5f81d406236ce315e98ba4c9ef7c1d43896af3b5d172e7a786fc58c4220c27b56e5c7a9be49a40b49158305034a295a6c5743cda6c2c69f7ac02f87ed6cf7b4e989ce8218e5e7cbdac12fe7de3a5437170084ef8ce33e3530392c25a58ebeddc086685a4dfb9c0c5b91d946df65161ffbf82aa3d6a80c7c07995aa3ee06b1800a54ee
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+SHAAlg = SHA-512
+Msg = 6e87214fc1a8b0116f04a45a67e101ac75e9933366c532f96cee4559c4c085b695d1046d1c806d0706d18db41d7812f5273393980b5dd1e936c13d273dacba35c446a3929e21108b361355af2d41cc84447dd5787dd21a1a7d5c188a355ddb2ec18e08a790b32104c6720535de65b6c2946e5fbd024b96f5096ade6cf2fe700b
+S = 802db067a8d90967c2860c9076c1a0227560b59b66350490af1153d20b31840918e7d7262f633d37880a153b1a23e40d3cf9fcbd9c1610878b6317d9d1187f80074512524561f1c0f99f1b2ba168a15eac098b2b20673ac63f9b002e60887ff296d1212dc696450e7bb14a3efbdcdbc7f4ae2210ed35a3bf028d3eb99ab696f63a2fc69d8cce4b45846ab88943f89d588a72f00f15e1ea16d99961084542467b8f998c118fe76a2a326cb1ca3f9959c06c810a004a67cb0655f8c6202ff5e4ced43c4d8e0c3683d55607d4ddbcc0d9dd4e1783b58f51f95e159fe593066cec53b544f2391cbf0e3dc4172afd5ff6de23088404f7a496bbc6a4ce22826204b6aa
+SaltVal = aa10fec3f83b7a97e092877a5bf9081283f502a0a46b50e395ab983a49ac
+
+[mod = 3072]
+
+n = a7a1882a7fb896786034d07fb1b9f6327c27bdd7ce6fe39c285ae3b6c34259adc0dc4f7b9c7dec3ca4a20d3407339eedd7a12a421da18f5954673cac2ff059156ecc73c6861ec761e6a0f2a5a033a6768c6a42d8b459e1b4932349e84efd92df59b45935f3d0e30817c66201aa99d07ae36c5d74f408d69cc08f044151ff4960e531360cb19077833adf7bce77ecfaa133c0ccc63c93b856814569e0b9884ee554061b9a20ab46c38263c094dae791aa61a17f8d16f0e85b7e5ce3b067ece89e20bc4e8f1ae814b276d234e04f4e766f501da74ea7e3817c24ea35d016676cece652b823b051625573ca92757fc720d254ecf1dcbbfd21d98307561ecaab545480c7c52ad7e9fa6b597f5fe550559c2fe923205ac1761a99737ca02d7b19822e008a8969349c87fb874c81620e38f613c8521f0381fe5ba55b74827dad3e1cf2aa29c6933629f2b286ad11be88fa6436e7e3f64a75e3595290dc0d1cd5eee7aaac54959cc53bd5a934a365e72dd81a2bd4fb9a67821bffedf2ef2bd94913de8b
+
+e = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001415a7
+d = 073a5fc4cd642f6113dffc4f84035cee3a2b8acc549703751a1d6a5eaa13487229a58ef7d7a522bb9f4f25510f1aa0f74c6a8fc8a5c5be8b91a674ede50e92f7e34a90a3c9da999fffb1d695e4588f451256c163484c151350cb9c7825a7d910845ee5cf826fecf9a7c0fbbbba22bb4a531c131d2e7761ba898f002ebef8ab87218511f81d3266e1ec07a7ca8622514c6dfdc86c67679a2c8f5f031de9a0c22b5a88060b46ee0c64d3b9af3c0a379bcd9c6a1b51cf6480456d3fd6def94cd2a6c171dd3f010e3c9d662bc857208248c94ebcb9fd997b9ff4a7e5fd95558569906525e741d78344f6f6cfdbd59d4faa52ee3fa964fb7cccb2d6be1935d211fe1498217716273939a946081fd8509913fd47747c5c2f03efd4d6fc9c6fcfd8402e9f40a0a5b3de3ca2b3c0fac9456938faa6cf2c20e3912e5981c9876d8ca1ff29b87a15eeae0ccce3f8a8f1e405091c083b98bcc5fe0d0deaae33c67c0394437f0eccb385b7efb17aeebba8afaecca30a2f63eac8f0ac8f1eacad85bbcaf3960b
+
+SHAAlg = SHA-224
+Msg = c8ed14895c80a91fda8367cf4aee386b8a378645f06afee72f7c94047fddc7aef84c26c83fef13bf65a3c7750c91967ecc02748fd574b933d5ec21c01c8f178afe6c3356789d0112178e04c3169cfabec6e2621b334f3c6705fc1099a4bd3147a0f7431a4fb1fb80b8ed26a0af38ed93428057d154260fe98854687661919e4e
+S = 27b4f0aa139565fbd7860760610f6866d5b5f0d777921f06f5053291123e3b259d67294ccb8c0d068b8dae360aad2cf7d07296b539e4d2e9b08c343286d522f7dd63c6620e8672be492f3b039f73d88ab9d22a5463cd1f07d688e8ba3fbad531b0c3870ccbfebb596ce4ec643d309744bdbd675d5841284cbac902cfb70ade6d33946d8dc6109bbbc42412db25b8c62222c5ff94f8eb868982265392a44e807474910b4b39558bbef33197907178ce146fdd7e94092ad58bf41a474e626136789fc2fe6374a1b5fefddd5fecb7f8ca5893220d1ab9e822c3ae8adda1ebaddb18a6a12bfc165d12071441a991377cee6dc8e50839497346fee13f12c5b7b6d024b8ecfdad80d5ef6e9e4996ac21c4eb6036bb51f5be5e38f265181154000824e3c1f231d18589ccdaee90fe307ba56324318b5358468e9f3913b83ab8b34d949629ed7839f8da85bdcda52f3da5a419f777b3860dbf2ffe28d96244312549528a20cc7399fc010844365806167fe43235521c909587c2c7b8db4e296dad2aefa2
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = d04be758e97644ee60a9212e5eb81a1088041aab31e428b0cd4a8437a9a3f3bedafe576e747182a1fcb84ca21f20e3b3a3a463559f55a7c3e7ff5ec0cb096192019d444fdf092a57cd65de22fb76203c4fd33d8da246e3de2b7532993bc216d02b6fd5819306e419bdf8ff365a8478b173dad0dca281840881f6294b6396bb80
+S = 4aba732c6255f0bc443939c131dd4ce64478d4f58dcbf1d73f5f0e660c492315e987cafbc83a1a0be3d359a960783d293d375ccc3ec0d82c72abcacc339f1b42207a03795be6808ba06a891e3b4251e1b3001dfb537252572a33b4c52846dafefb24aca53fc08e63c39da02c4138b3de9510fb790f87566cd14380b138c728c243543b89d1f916ce27cada85fa32d8185deefa25c323c65c7ed578ca57276b66744a7a1a78e66d4e570999d17015bdbdd8d3d6185a3eb1dec8bc3a1287a2e235e4f116a8b91d06128d36b58ed4c9a6ed84773dc49f755e2e27a6f1aea31417069bd066b848095c002f22dd6caa72957e21a1e640f9ab9b9180df8ef8963e3611df2693a7ed064f348221e7edb1a5a81acce24acc335c6ee7d4f1af6d68acaf15d77e128142ca9bfc55a121b1b13fe5bafe2e4d6a5546b8cc631bb9d304c0e9f3d6d5dfe833c346965f0103698d34a51bca5db266afded271d8490645b3f63efc991e01683211f9482d214cfa9220f7bc81e8cbb4d118a2c306709807c070c60d
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = 39d8ec4816fa9365cdf299ce60053b9c1e99540ed29d2d163a249718ba5337ee527e222fce8eaab13ca6774ca306d9e1f22f5c9b37479d7511c05dfd6835d4575b9447847a82dde536fbaffa95391e702bd8695b45377fc067211156f9adec8d3d6286d0849fd607a23a69619f68b350afdda3d564347afd2390dcacd5842799
+S = 0df81ec6e9c2f0ebe824c445009902cd55e2718523546f08ed13faf811ec4e57e6f5772037e07025c3c0c99cd9d6c885682e0eb904a3314b825948819acecd195c845a81e22ae62c13251823d6ee386e0be17a604bafc6497b7a6cdaad1a33cd5ae33bdd50e62063bddf6d12b878b31d3b7d490ce86810f9d456739bcebde592b07808350aee542455d1761154188e6e02cbda795e48e4f28acb819440bcd8da53fdf19808456898a18fba517af06b51156129b0b8029547ca9bd9436a0673e5b5cb995340fc425fecc566acc99884e0b4fc87248f5b35bbf08b0dfd0b9ead06737b67c85f94e1eac8802fea1b1dcea446b7cab8a45b25429750946bc8b22e076828a0a9718277568b9b7202a8cc3688d44194e834e0a405fb9eea46bc7e94255d600ff6c95a46ebf46449510fdb39b6ce05a20ac1832938b659318764dc0b7e4a0215fd253f5219296fbc82f03a7b95a12628d219093e2cdac42e20eba3dd5aeeb9dd7bef5d647f151b04ab85c48970cfe73ef9fc3e7d1d8a138dec3f5d5fb5
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = f7b22de3bee8295c4d8c8a94da8cd704c5541c97214390bc6f5c75baac3f40458f57fa4e0c54e61f1cdc64a6c07d151143e7409cc05874a7e5576f0cf6a53faf1571a757c0cbc4bc9b5bf0e17053e7a374a22992cc6b9f014fb580598e6476b31168fda5e4340c5b5371f8eaf1f495e2dfee9e224a6357f136de704a7a622d76
+S = 727669abeb6bcc9502d7e88162f4a6c1dfe1a0f5141d3763e0f7e16744f9063874f153cc2de48784de84426b548b03e05a9074cef6a951640eaf9b32014d97cd9f3a828b45def13527f72a3e5e5adccaece82212c016c28f9f3312853bf52062e719081bc028f70831f9fc9132e8b63824e37c7cdeba463f9034d815683e27750cb9b383c3420f122a3b7fc6e9440925a77d766f93d586161e9607beb8a6e4ac72c32ef7b69ed52f5077a881dd0e494591e2ba552b74731c18cece9905561459f4553d49acfd6cc6be027833a220429d46bcb88dfcff0d2c5cb567371563b4852b7e628c4a6432af967e8ed69c9b6428ac552cd370922a0a4b01ef1bdfdcbc9088cdfb6d9fe326bd6b2bb1fc2acfea3bcf60d1fac5880b0510736b7e201ee8f6bc6332c0756315789700350fa549009d16e0bac084bf6aa3492f63367819506bf0c4f9c232fbd7c4d4ad663a7566108238c31fed887f368666dc75a623f222d357f8e523ff084111be4db6baf444f191ad1468d077349fef8a22f3fa56085975
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = 8d48fddf28b05b42c9b4df4742ed8e735a140a6972165ca6696bf06ebea4e106f44478243bd1efa44c2b7a7c951c88f2962f450d8bc664494b671d8e70577163b86ab560ab194ee17ed5ba02389bd0c713c9489a25307dfb3f6a7273166d13c9a061be79c1af0262275ba7bf7393ee58998819fa897c2e240f1cf903f71150a0
+S = a1a4d16956d718830f625f06c42e99189e36a80523b25f0c9a7bb85568ce76d1e85e437db0a7728b8a9c90d25e6f38150208debe54e1e3f648ff01798a8ce132e4b33f3d26fa8963771440fdc4f5d852117b3ccea975da10e5d4f27af1bec1b853b7b5c9b420012317a6c33b2596dbdcebf97bef821b3076ce86345309b6bdf29a4acd391d3b2e5c4a6866136287d17cb0e2d4d6a6cf89d64272d5c01849ed57fa2842074d3b7734c4c92be50a922d0517ebb9891072b1b47a710887004b238f90079d10fb2cad7f5013e7243089f3c601865c6bce1cb8d0d669f2bb709253e3f1e421936f6a1643bbbb7d503b0631f7e1660382bacf4680de8d70e24abf4450510e6b40475bfc9fe547752d0d5f63f40f62f4dcc903fe6d260fa45a1b85a7501065aa1900a3f841e54c136d686fadbb33b225d15ae6fc348be57fc9ccbfdeb57d5cbf53e3479d9bae9f4ff859cbd3fb076073ca016ad94086700cc85aced83aebb4254b0cfc814585f930dc623c7f85e89de6a554b9898918d7cbb4cd2db075
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = 4753183ce5607fa03636db2fdc84722aeb9d98a6ed70d0282aba3571267a189b6aa6eb65871c5dcc59dbc7db8973c7c355ba2a2e94c110d1f4064a4087eb07077e67b0f634fc10bc6ee9b8b8e1a0a20bf47a14f2c8aac75375704995978fa0b50a003096f1e8df99fdc8766eecf34a2a4f461d9991133fd5355ef8175f4c2bce
+S = 2e078b29b5288a77ed25ecececa645f6d9298e4294e3ef08173cc37ccbf727ac9b092cd27d6fbd378fff7b1061b56ed5cf077fd1a227771f58cbb2c1195a01f830f0366f989aa2d0c486d441e112daeaf83e85958f65a9e60a1937d2a7022781fcd1a83b3f7641a743001ebad53a4669405603ba0393bcd94f64324f1b777068a3ab101a086a6972b2c11376307e7d2485fbfad85be7171d20a5251cf9a5f004847d172c77bd80fbac0870a0b6bb9733537ca72bb6eac351c21588287c317625a25f416129e6f53c607ae08f43e5e0339740775a531c720f3f731840184ac7cd3b1f7bb820ff30ba7bb120b21b4bae7f9d7fc34d7418f700b142cf8fff43d81599236ebabe93d2e89f4702fada8742dc3bb4bc8fc5e55b4f874ae59f5dc9636868828efbe1025a8ca5c61ed8cc832686d5d00c08775590b316060285dc5bb9d32c90a474a727ddba9e7a8b7d69bae555604add9de0dab0eb0d551bac067c0088523d134b2e50dfe3ff73eefed934c0984aa4a5c563b862d46ed957ec3446fd24
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = aad03f3aa4cbd236d30fcf239c40da68de8ef54dcb36f5a6f64b32b6acb6834e887c6a35423f8bccc80863f2904336262c0b49eb1fa85271ef562d717b48d0598fed81a9b672479d4f889e0ce3676e90b6133ee79cdea5990e2e02db7d806db4e6adee5ea76cecef9119e8393eb56beea52d3c08ebdfd7677d5a1bbc5b6543a7
+S = 1bc325412cc952a8dd6918db8fb08192cdf81bf4111cb5f0a580a82d4dd2e14d7445eb7cb94cca6da06d2b5cc43e6ec22a5c9c845d99ac0353050c1374866befd9b6b849cf3b0efcc644ce17cca0dafcf7700c9c7d870c1e14511651b1d03a535110139c53b55938cc4a471d756a55b50d1bd280c324ac4dbaf526590c48c197573f3a91c70373ec62bd168288b0d163a09e623589d1ca5a70d17aa54c8627c7a64d921aad12626f7d32d61e8f14d0aa97c2d6502021e70855581f5e353e27f96efe1bc78c7fbaece66a560b93c0e7365d97dc4c729235484abe10bccae99fa8db9425614b673d5bbc188ea8f465424f768d8031f7eefbb698f058e1578ac41426739410aa7eacf796f43a4e4b2b4a463984d3d17d6d667cd15bf2e2b487aec3493440794c09908545f416b701a130f08027b8bcab4dc4a78cf4a55a688b2e1ca3a73a08ff0ed890bee4a0fa858cf69142f2f765400e7c29c4b540530a054641961499c709dbb4f36e7e75a5993cb3ab8cd4c886f6a3f5e3bdd3d68ef0a77750
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = c828eca460b39703696750999e23486a432d80000882d061316b2e3ef4512d6d22d2c49a0a1551399b5addbec8d5a21131bcca3cff9f7a670ff80f075403a85276cfe4f6bf95ed0a384ab5450f707f6e3c31a21364ae897efe95ffe5b4f1a9e10c47d42147de72608a5e5e943b9de869aeb58ded015a068d446a8540ddc63b02
+S = 799450a1256d245df0bb7d5290abcefe69d3b0e3b94924072f2d67d53a966513955fa7a01b830ba2cbbb056716fd605a0cfdc05f8ff58d88cb1bf32248f117de41ddfdc466215fa4e704096947a2dbe836a99071ea7344be0ffc782d14f995e4bfc74dc3ab1fa96d7223ec456497a2f51e1eb199f0464d415aef00f841e39f4578a0c26d726f3065ee687adbe40207801857160d440151fa374257eaa3f777337d129dc8b8c701eed56a276ec90c03df54305f300ef8c51155db30b68c0b06dae4c4aa07e75ef0fb09299b2b04d73d0b3e874ea1b6ac4e16f1bed0cd8dd3cf958a27e14e09705d4f0e10f8d46c75a195380126b437c68183e6bd39097e2f45b1184f519b2eb101110db74519016297683aca4b461cec1d92a7e68cbf30c2bb0d96c3b33dc62d278b9a640478258c3405a6ab5fcef5280408d4573b7ae42408b9c40483768f16a01c9ee4163b325bbb8e377034fd31c787cc0db8a53f6c0ce93e7d854411a136e1013d69fd03a0171176dc0712640ef2f792c340eedd0d07a8e6
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = 87edd97182f322c24e937664c94443a25dd4ebe528fe0cdf5a3e050adfe4b6513f68870cc2fdab32d768a6cab6130ca3455d8c4538352e277de7d923d7351826c9aa1d2cb52b076c45cf60cf0af1eaa763839b9ea1a4e6ec68753cce5829d333ed5ca6b8a4a6bdd6606fae5a0b05641680eb1fd7a975bc97e49137f3ace86edf
+S = 9cba01f79f3551acfccf56e74428e270949f78a00b4ff3507ef180ce4c78ef4c53f3b7347ee37633c653aaeca834fc004385f87798922c53f8fd741cbce15de8dcae8bb04c7d481a823eadac7d4d4546fa4b0cc7e25e67b166edde4b6f66748017a4dcef85952cbf37e802fe534ecb984cb32f446c02ccb60e257a18ac368c2d2ed21975093499e35880930f8529790c1c7762ae11526e829dc0621ac904b822ba4815d8f83ac8f0fb0f8fc11bd33b02aff4e406f8fda5efabf39e6641a791cf8241b0946b675fa48d07e48639cc1ecf420380b8581a539a4de60adb0da22e10ad41f8ba6af40d11e2720086a63db72a5d7fbe97929ab23cae1d75c485d614ca38094baca699e47200f7a792292b5c7ab95b960d6921f8beab94d26f9629d8702c40df696787a6fb6ab9d6f3c1240c2fe58c565c9328dcab603897693d9dc7dcdaf500850711e6f30b5d8498a38e348469df79c3628fe1403a7649e82f06161e0ece42479a56eaa845f0582cbf817d4ba7dced36e93a6dc7dc7362f658f06461
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-224
+Msg = 02a1a65f8af90a298636fe8fd31164b6907d74c8d38a0ef59a8a4eb80572625cc28398bec829bb544823a06ee0e4fcbc13397811f62d08662b2a782213604899406ab9d2292f288d22079b848b209af2471f4052700a916948650e86739b870964a0312216d5f8dbfc2c16593a8ce55e1577f113a8ea5205d984396d8cebc8b4
+S = 740eeb1c71940ccbc041cf204469bd2d6a461558b1d15c9eb23361cd55e1ad418a7d2851ed3d44f9c02881a22f9e4be042d451998bc181887950da38246dc1656243db15fef359fe50d2af8711b3973a57763bfc3964cfe3c911b937572e639aee53a98752598c4b15dd53dd9355aee866d5f1e48137c12c342e8f274690b7b277acd087f293cb8b8c9a3e4b3f0277e831a6864e503f925557511e57b5285221421879696802066587ce6f993aacb70dafd39f63f09cb3dcc28e56782dbfb8b4ccb1b19876101573ee9678a5f6265f808f75e7711946c27c7a22dce9f592acddac81c67afa17bffb766058e2318a1211079842bd5fc58f9cef4b50ff0ee1a293f80ac1bf2eb64ce4e1051e1abe55ee067db6c24130f0bf4c134b0abf1e2f4465dc50fd3799f6dc206b9a7d2fe34b4f4257065d7494ae733c28d70aadb057ce1bcff36edf9f9ca6908cac2141845310660ab759d1f3e651dd9fa8056a624efc714f51f3a4f85adcba68f4a58e3a956af93a5a52f2b89f9c914b48e8dfb919cfc6
+SaltVal = 3f805057471aab0a28cfc8430dabcf990612e8a908b158ae36b4ed53
+
+SHAAlg = SHA-256
+Msg = c16499110ed577202aed2d3e4d51ded6c66373faef6533a860e1934c63484f87a8d9b92f3ac45197b2909710abba1daf759fe0510e9bd8dd4d73cec961f06ee07acd9d42c6d40dac9f430ef90374a7e944bde5220096737454f96b614d0f6cdd9f08ed529a4ad0e759cf3a023dc8a30b9a872974af9b2af6dc3d111d0feb7006
+S = 4335707da735cfd10411c9c048ca9b60bb46e2fe361e51fbe336f9508dc945afe075503d24f836610f2178996b52c411693052d5d7aed97654a40074ed20ed6689c0501b7fbac21dc46b665ac079760086414406cd66f8537d1ebf0dce4cf0c98d4c30c71da359e9cd401ff49718fdd4d0f99efe70ad8dd8ba1304cefb88f24b0eedf70116da15932c76f0069551a245b5fc3b91ec101f1d63b9853b598c6fa1c1acdbacf9626356c760119be0955644301896d9d0d3ea5e6443cb72ca29f4d45246d16d74d00568c219182feb191179e4593dc152c608fd80536329a533b3a631566814cd654f587c2d8ce696085e6ed1b0b0278e60a049ec7a399f94fccae6462371a69695ef525e00936fa7d9781f9ee289d4105ee827a27996583033cedb2f297e7b4926d906ce0d09d84128406ab33d7da0f8a1d4d2f666568686c394d139b0e5e99337758de85910a5fa25ca2aa6d8fb1c777244e7d98de4c79bbd426a5e6f657e37477e01247432f83797fbf31b50d02b83f69ded26d4945b2bc3f86e
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = 60402ded89d0979afb49f8508eb978a841abc2aec59cacef40b31ad34bac1f2d3c166611abbed1e62f6b5fbb69cb53df44ae93ab7a724ea35bbee1beca74fc0188e00052b536ac8c933bf9cf8e42421a795aa81b1bc6b545eaad4024161390edc908c45aae1f71b4b0228e3104048d816917cba4ae7f2afe75e7fcad3873241a
+S = 5f183009708b379637dac2b14293709aa6d7e86c267a0b690a3c275031139891267c64e5edecdff14c2cc2f2d985b62f900aee6e04ca51a70a5f946463691cf16c2d45547c5374f15bdb8881641d3040ef57807532cf5b2ced07623d0f638b39ebc2f2ce283eea2247e1df3af5430554d1d4b88b7b21622993419971b7d0d5449122a10fc31b2ddcc53ff751ff4bf4d336fac667b646780272db89a3ea4226afa20877bfb86ba3ff4204e5cd56e13a1dc9d53f5c9465b97a182b2bf671512ef89e6c3969f97307a3e4beba39a78e0ad1bb9799cda92976ca39d99db4ac149c84bb9bc8997e8d5e056d67ca23fe4be28e66c4bc00a25d65bb9d7d623fea2d3b9cf859dfd9efa9e52268bfa297afb1cc2883db0c9c42fc04180e2ec6f49657c7008e4025061f896886613895a35bc2d3655a8f50a9fca2ac648f352eb06bfba2fc340aaeead4a8457c65e2e8fdba568c60a6d8d381f5d9caa30127771f4a94fdb8cde7be4fa7b4f89fe379dd3e1ca66ae1fdd63bebdc0015448e61ef1666594b8f
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = 2f03701c2fe07d47f5fa2c83a8ea824f1d429ce4fa1df2671bfadd6234ca5775b8470249fa886dc693d2928603b2a3899b48062a9ae69e5196da4ceb1d87b5979dbb46a2813c76369da44bcecc6f20edd753a51099d027e1610712ad98cfb418a40643100b2522ffdc1760454b4c82e59b09827e4102177e462a3792edcada61
+S = 8291bc1be9c981663156ec80c1ed1675763de06199b9f2760caaed5207fb4b3d6037bd08462b100bb1767e3340105b1a68728bc45c7d6fd078dc1b5e7cbfa193006d52f67e77fcf809cf26172a46db384eaf552a5fb8e33840fa3ef3d6b20c7b46c32ef019e8d15dd38eab66f6e40399ad0bbb07f94b8c555196901c27e2d4573958f53060d800cfff40c602308044b75d6451801c688d276525c3fee17a6792882a074c8a41420109e2511418c9eeaf3ab47350dd8c2d3e066abeb7913e08f0a40abe71d397c3dddafc41fbd04cc8fa3b0641bf53a90031b61a2a9b63d8ed8aacc9b301593c9f425105498cc4f84627f4950758e01a291b9b1a33ba918aacc172b68c9fb2c767c65910816921281aa8e5482512cee686e51cabe88e18f923fde170a506ba3c340fd1d68261986347d30d124931db2ce17602150000b794c050e137f4ebd45cc41f70ef3df1656218ff76f2e75ad96e4167eed524fa2ed9fd1a0cf76926f382ffb16124dfc87bb1a4110928d5b1cd3b16204ceeeccb7db88fce
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = af90f131f9fc13db0bcebfae4a2e90ad39dc533f34165e3262bc23ffe5b20450538669bf6a5210e1ffe4a583381d9333fb971903a68aa08901f14c2a71e8d1996e59889a36d7c20cc3ca5c26fbcd930128541a56a7926a8ae49a5ae786c4ef2de6527549c653ce6440c80b1ffc06391da65b7dc39ff4643bf3fe74bf8c0c0714
+S = 8c45e38eafaaf10a710e131bec63e51e67741774a9ddbfccdd131a123ae2a03067e7a6a92e653a25178bf527b93d6aa83fa366a2bd44896baa8b7f3f54830e4d9f5632c2d1bcae2aaae8c55782132aa7279cf1cbb6b7a81e4965ff84635c296c5ac206a04680e91e7b1ee7e5793701b1feb832250010d4ad4017c1608de8f405014ca73c39adae7c4adcbaee35fbbc71151cf955acecd8083677fe49ececcb62353c0a89c9dcb9c507979b56bfe060fec45567517c05f29e262df50767df7547630d8a7b32483b923bb1e3d510422dd4cc2d61a647e4f9636aa7587d4f8ed84b6174c1fdca9a217d9b907972a66c1f5a2ec2dadb60b93b515bf74072d315d17d54d57d721c8f4ce1a43eedf2025e51a48e9ea28160cf300d7a26010383c3280a186c44a53b7188e6caa364bf4dbe0baf4dcbe37d70e3a475cfdae339386558ccbc119873b1863975e2300ede1e420031b4cdac567e7b9c5d575c8bae27eebb37097050acdc87008ca2380f5631d190029a1d712acda147c5c4378cb6eac81731
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = e57debad3563fa81f4b9819405e41f98a54096d44f6ed119dceb25f8efe7d7329054de70173deb344c59a710cce03b16af9d168f6745eaf0eb07f80916648e804941ce7e583ab0a8a43a4b51844850edeaa4d7c943135efa9e770e9411a2411c586c423fc00353c34483f5bff5c763079f7e60eba98132213d64efffa94af7ed
+S = 851dcd2d4e1d34dae0fd585af126be448d611acaeacfa34f1492aa7d1caff616707dc31b05186cdbef769479243afb341577803b579e105070ad5406a6744f56e55f569370b9fcf6ab10e1aa0383f9182d451afb41358a2f8c29d1a571e11c404e6870cbb04f6ef30414d9b6d7f1416bacab0184eebd8deae72f2a48bea3a7844a8bf472a5f8d349d5973ffde3b1c40623dbaabd6f681485a9691c9be12618bba393b396f41cfeb89e18e378c51f147c7b0ededbc403bb1306454848c9bdb89f947843d0aeaadcdf09bad99efb76e742322521929f034dadffa483958df58a71af7da45461fc408c7c45973fc60c37a6358743315169b3100d4cd54f810d6e0369b9847ee38795cfe58443019523c3c9003edec4cdaa70de31d00958653058d8509907a5149a9f81be0ed028724f7232b57f93dc62ccf093a2635ee1e5bfe6ca9ea017ffab79182eefff542d278c471e1a2b34231700423bd0e757f6a572a14a99c90329dd0701f347d8a679cff25fd6b0d380ee5dc330d6ff1b4b1a347fc98d
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = 28db8ffa55e115df7f188d627cd291fdecfbeea1109e1155e0aabc2157f7fe2a1284611e190365d2fd972d2a23dc793a5f28d4aac4100f5fbb2eed57532220d5d8d774bfa7084b44400249c19dab50e6c3c3af15966a960af1e2cec1f697a694a35c31a5a6f8ae7b73e148f09347004a3f54e7a82db390a0aa4fc526e95d79af
+S = 72c5555111eaef954236163753674a6ff81f182cbb379bfc6b548a52f9a5f260a0ed58f562a6086cf5ed00ed30adb023e90076a8adfa17cfd7d74f1e7b1978b210da847eda6b49891e6bd3fc6cd4c87b9326e8481a16c66e40021e5f878c303d3d8532bd7d966513717d5499865b2d03e378e76f7940f0448ab4d112e3c52cb332d340af122de3ee849f2e2544a40691ddf701d902bfe629766b36d82449286fd03f75bb2632dd61d6b3c6ce1c9ea8e5aff92ad2ca95a950eecd998e495e90e1f0966f922b7fb3f03380385f3b143ac1960c3bb688adbfd91d8fe1a1c32160243d3bd231a31c95dd78b6648c1175fa9c3c1244b1fa34d7c6f3255853ebacf5b3ec19b864e0a4eaee63fd719c21a72fc25b30b03207cf2aa45fd15d7102e5bae90882d00a812959593031ea3a436898582cae5eded5c7ce43de3dcac30b8690631e8db9f7a0a7f3f67b7524db275aafe02448727ff629d13afa94801d37526fbd9176fc4c216211037f8ec26b4f2672975887d70bcdbeef1e6ae99edbfb6c9a9c
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = 4839d71aabdad8b15d9f37c3d37a346758d8941b01c83909e460f589855ca0e691096865cf62698353787e7ff517561801a6ca98304f6d11d76065e75ff17a8ef5c86d9582798be4ded181424175721afac7477e6309476c14c5e750576ce3cbdc3d8db3ae68655b6674eb149fdeb1f3a903b4d5823feca1015722cd55140224
+S = 796ac3f6adf4eabcb7a528ca63a6168ca6d31d5e357ad7a3fd180334a90d22bab20b762d767a6e3077c2cc8732784e81330041dc79068d50753bd4109c9c6f9ba03b5ac44efbcc23ecda27948511645fa17897dad7c122957ae56bf4ffe3d7bef85010b33d3b91785b0427417d94b11f73fda90e6a8748e6acc1d2d582e8836bc7dbe196876a9545b2a3207c1d4ec28acf8fe6f24c240b56ab3b4e4313a3d951aa1a558230e5f1eaf38cd7fd9b393d58d359f58f4ae51dd3971b418c5b81d0707cd9e2c33a148e492e74bfdd565eba8b1f3935e37a9d1a8764cd30497066e3c4622611fc14c45bf46fc85b3ed3f6c9d4d65e9925fe4b85ed30ec35ffc69c5fdc2bfa35d1bbdcb20e399cf934fe938f4c5798cf091d51100b4db4be42e81901e5dc79a98074119b7980b02821f4c3ff8ea07a2fc09a701978364bbd00ce4c5e2e45629526e34a3652719d27a47371480daf52fa49844f6495f35e6f5e3116c00b27042b3cead283bfc577905f8be87f0d5daa13d1ca74203a9e0d9199e885f4fb
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = c0b8b24f4b8e0bf29168ba73aa912c97121f7140f3259c40a72a6d6f78da2dfcabfcda00bea48459edaaf7b5fb5a9aed2e6d97959c393cd1a524a269c15e8c207cd09142be4f7e7d5016f6f19c735b8ab4c0f28e96954172af3cbcf29d65a161391b213dd5f7c006c294fe5016423718abffc8546ba373cdcb5a053196573564
+S = 8503b85dbd9eba8d6fc57c6ae2103a78df1fff3600585e3e18f6ba6436a3acaf8e49fd12dcbb37c25b4b765037f545c3da8c39ef6842bc9ec264af6f519272f3d8698ef2ceac55393baa9846a7961b738e41f6360053d866763c824bc5873da14a28eb47d68d67f0cad7880853aeb561045f757a31d9f5c756f54d793637d721c88fb1f60126d3d16478f1fc15e0c4edbb531c2ca2e2fd9e8dabe1df2c09fd55bbc724ebeba290a7646249cd779fa1a923909b29345e54a2e25dd935bf0612a5580018b233d765a6fae3b46ef51bd8325912f439a7dc40148fdb754e2d866f357b8f0ebff6f18a6504ba31d10fe45226c88c9207b9be3c63261d75270466b43c271f75b1ab3c1d6b5a00dda8457b4d5c2195f320b0bd545fdd0679c84483c14a46b4d43c8452879725aa91d01fcc2c3867391c72200ca5d628ed9b566389f02fe74ba2a428a7ba31c00ef6b8d38c6b82b7379d2feb11031848fec0fac5b6091eb7607138bf0b96c3d2c174b5713d0dc8470b532eee6ea0ca1e8ffa3b15cbe0bb
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = 4935eaccd2af7c5b99405471bed9b21da8965004f5e6f2a6b7ed3ee2dd26cebcef4d845fff7c1d5edc94093f88de7a3aecf2bc3ecbd8c435f56e0b89bd099de7ac5f6c4377a5eb1c2ff4d801b8f159547cad4b4e60cad743f8e04627f61e1652e9354d8024710d1cfb2969be365a77f2bf8fa63b9e045257270a96c572ad6285
+S = 66d1cea94b9603efad92b6ca8a1fbe0c6c4b9dc60ec0ab2c33bb62d27a100e839378a39208715de2102eae384ca407e92787ce1118f91a0ca2640a5c93fdb78635bc91082c99968ceab289890b3ec210d6cc6f1cf7e0fbe2dae88155e88f2fb7b325ab5e529e4b63493e551c53ae38c3fbfae49810050a81cdcea627da21b63224612d4361b9df19761d6ead44488dcabb50127149f077c2963afc049ac8837ff2c29e6a35593e22531ecc2e9ef8bcbaae4349bd7227ff3e13b31bb929bbd49e50059f28fd9ffe8c296a056c2760e5f6d8dab43e9bd557793f0759ad8e08b5c3773a305a0d316ff9bd07b43106335942055adc461a4346f05ab455780f32027de8b8bb6d4845bb24d0c5a21c293d2b0740e8d06ef5fb9dbdacb4fa1c6225fd4e19dae69a8e2cbfdff1ef8b7f21804ead0a45274c735fccbfa1d60bf497a3aa931bebac2e0c8beda9af596dff0cbe11e8d4602d36b2f6c6f5bb80f12f4b9daf2c0748f591098ea63d3193f50a1f4737efacb62ea85fb6fb212b3ec8effe788e55
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-256
+Msg = 3b8a68da11b61b5fee1c2ca00a6aa35bbfdbdd42855b284320ec8d0c1848edcf6ac850427d8479eb57bcbe9a11771637886974bd561a5387014592cb717e8364a8183fd4ad463c89c980215ff629d867956ee5e75f71f7a19ea7bd589d7efb915d44dd9789448bc1ac32fdf7a2c911734db2dbc589a83c1a61dab6bd83907ede
+S = 790058355d7ab9eccb46ea12368f3be9cf6b895e1734eb20a13c749557b9fecf92b316870f0f765864b607439ee5f7e510e2c83b2756a0d9877b48e0cf257b13c997b9dc70421d2d87c9b9e5625c36a17e21e20ed389657a3e544c677464eefff08a9ee4adb091a9fbce7626cdc127b5cf817c2a5f069e32c720bc2041cd21a6bae816dbbbe28552d022b7b608fa99da4d217dae8a69f54004fa3c004d50540957648296e14cca729f791b38e3645204c2c6d4cb678b0db63a181b40cd9851be84629a068415d54cab5cb5244c8dac8dc9799a0df1b58cebfbcd8377a391778869dd275e0dc8305eb0351d81e3afa46719355eee4f90894f7fed662dd3b03270660adff637b91e18330a4f3a62c914f0d32b4eb6a30b79371ab55190578a1e7d43294bb0a721def7dae3e021981707930bd9b5cb58675851c83acf330c6ba3aecb3a890ad3c151a1e2b583a7dccbf204850daa9f4679e759ec056abef7ba4d6e0bdfa57a5c5afb6368b048a2b74e3530bfa8991c55de7cc8bbfa990d118ada80
+SaltVal = 3e07ade72a3f52530f53135a5d7d93217435ba001ea55a8f5d5d1304684874bc
+
+SHAAlg = SHA-384
+Msg = 9221f0fe9115843554d5685d9fe69dc49e95ceb5793986e428b8a10b894c01d6af8782fd7d952faf74c2b637ca3b19dabc19a7fe259b2b924eb363a908c5b368f8ab1b2333fc67c30b8ea56b2839dc5bdadefb14ada810bc3e92bac54e2ae1ca1594a4b9d8d19337be421f40e0674e0e9fedb43d3ae89e2ca05d90a68203f2c2
+S = 9687115be478e4b642cd369392b9dd0f3576e704af7218b1f94d7f8fe7f07073e3e8e1186fa768977d6b514e513459f2373df6ec52e3de9bd83fcc5cc3e6b97f8b3fb534163c64f5267620700e9d8c52b3df61a7c3748ef159d6b390895afa3af59109a5478d016d96c49f68dfc735ba2aafd5012c13515ed6644f0d4109c45556e14a3821e1aa24beb8a81a48da27f131de84f7ba51581d81b8ff31ba92b8a1fde867f07e32e6c2709253448174dd31324dbc32b05f07587f76a9997decb80f38d8c13d0f6eb3c10e3d96a2293f7464f1e04602ef6e84c2d0245d7db256a67d132a47cae9abe06b61a8968f50a1749995dc15ef0dcb1d5f5959e4d454c8547bbb4d195698f484617bfd122acaae2d0e8c76d28b24005ab03caa781ea97b1c4d9396a16f7998eee7ddd9de4cabe57032d9438a5d99c6b34a956122350263c7e998bc61dec91381012e686d079e39e96b1ea4bfdb7cdf630ddb422c6b580e5506c9cc3d6c100f2041d17ceaaaa54589249f04a1370ffa3bf3ff1adeb890688698
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = 752a9916f449aebf814ce59ca6e82fa8038e4685419241c1488c6659b2ff3f7b7f38f0900a79c77a3b57151aff613c16f5020ad96ba945db88268722ca584c09b4054a40c00901149bb392f0916cd4244699a5e6a8c37e9621f54b471166797a7b58502cff4083140827052646501f5b5f1bc0b4e129147d7cc157cf6e73ec58
+S = 6646a88ee4b845da4931274c23840dada6145fe0af954829d1d56661546a25e46316e216bb6b9446b368884ba14969a6f68ccbc1cf5b4e7a6d3aabec67f64963f63b088fa817c855d776ddcada57e5daa50fc1c877389c3cb9d99095a869a963bc91ec24b2422ef6b8dd18fd20d2b215fee6e98cda415ae44d2d2616fe1708292a3ef50a075170b3a7ebab02918ab0301794c17fb35e2038f369d94dd49569c066f7c392889dc4b878c50c7e52586b5081114d202338d23304f16f912d519a9ad21baff0e3d21761f373d08421e10108a983048fcb90eb2adc7c7f12ffa1571b091c781b255a77a880e97975f14f42baf5aa285ecc142157c3e1addd6aa0c09253a11c59144abd3b1e212d89e27ed96fb75756afc20ec67423b151194cb0b0648c659987a5583cb7757779d8a39e205e7101a5351ce1af2c9c6b0847cca57af52593323905e3d2297c0d54541a0125621640fe1deef13e759f8f6c56a2ec2a94831ac2c614b911e79edd542fef651f5a827f480575ae220c495f2a2842f99ec4
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = 0403ef219938b8cdbf85d3b88cbb9c60d174134e43a7284cd87936d37456cdc3c541b4566b682e575dfc7d8f883fa581b9df7257bc82bc1bc6a2ea2a109bb5e6c5022fac1e390306cb40fe2196cece8143a10af3ba1273c368ec7a30e27e021dcbef6609f9d2be41d3fa5e54fd90a0c83862e40b837ed4ac8600edcb31283bcf
+S = 0a217503fc4870481264d8308292c663476b25f8dec08ea1d1276f0951ec6df27aae3beb93d630bf8fac08b6cce50bd92994851b4f310fdddce8e0d6a8b7a1e866a567b298c5577dc50d8a906ab1be880084e681b26456279149b4b85201621c445de13d127fb77e7f236c39df34052b4629572abe1c02c09eb198188003dd852f88f4f767f1000458680258fa4b63dafc761822ca8b98c1a121b72b1455393bee416d24051290f02a28a7b49b18b30ccb29c26fbac991401a3a6fe01fcd0608920facae9d5bc56540c80f4740af02c9b7a078958a8d8a7a93a5e5b6d2571f49d775ef7c35a6d674290b52cfbcd67277e2b2e829ec437fb70e90537eaa6fe4548551939bfa98fc98e235b264aa6064a505a8d67946e2c33e5c6f0f34fa86ba65715c258f238b69e4f6e36d86a89822b4802d21ba0ba760b2f3a5bd061f50aaadff12e0d86627294bd0c4cd1085b5dab6a6ab30146c9bbb37de3ac5c4f8ee29736d46047e450cfdcb1279e4ca83ab69e858741bfd01a779d475dfc0f71c621d78
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = 453e0835fee7cde81f18c2b309b804c67b9fd9e96ef0a96e3da94b640978830e5cd1c8940c3d4af763f5334a7caf2d20f0b82541b3434fa138016b92dcf14638817a833d79b79bc7a71223a7e0144ed4977bb217ba8d4f07d7adcd38832c05b0fc61c39a0dfcca3f32971931fd8e6dc9b81107d44c77af8a62d5f9c0c7d0c75e
+S = 6ec22bd58c32d41374c017a77027e770f678fd81017e20cdaaab48a8324b050749e5d864082f1f77fecf67a59c2885e931c3c2f58130fa6806fe1ca899045114b09d09cf9c513ce1109d2210511a3b2e93af511badad2716f48555310e6c5f547afbdb0b9a684491ff3588df933d6b04dae8883f5f8aad62a4570646f72f3656c4a7085623f5152164a81a06ccb59ca478c5c2315414550b0ad8eecd0328b2db01fff7db0f26596c41f970d032925887f1c8a446da889be64d48925b9c6b79a3d897700ab40af20b451aaa6b427ed162864db89f7824b6ae9b475b5433b865335d6f91491c1e32f635cb930dec1aa3ee7ddaa08e8ebd67b6b11a46ba049922446fa69f1a804acc29f6cee487723f2e61a40007865d80cde0119f3fe6e161a339487f5789e1fd23ac0a63b4673969fd8722e3edc9439778928f09610cbefbb42fe6242c73b68d466cef889da156d9d4ff888362db4cf9a941e80f577c944b79fb27dbe0a6967e88f1f67b91b0d38e083fc0c0228cd49d27352521312163f90fba
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = 9aff46c14fd810a039c0a62eda403f5ca902ac41b8e225c6944748a36cb45f8a769ae2a18f713d362206d2af4a1742bf3b1de8e0de69a7fdbb72e66e1c6ed82a6f1f0138edf0f6677940643fcbfe5337cd76ac29456af902b5656dbe7f4c24944d36ab6db07dc39b081662c8a31dfb2c29b4ff04370ea43f4ac7e57adf77ca2e
+S = 62a505b3f3adda45c6badb61b464a28bc45d4c66159a34b63c1cce32604242eb8fcd9ac6929ec6ee4ac1144932d725cbf4638511464ec70dbb5543a4487a241396adb804c9794b271f9d35310ee560368d949a20a2b64cb4617fcf63cf7b60978cad734650dae86c7e51b766522ef0be48bceafe2030564d5b7b17ba125097bdafee48e4df60fbb7ac2d9f14af9a270c2b7ef18cadac45b9b54ef230794339d279d72ba48783bb09b1d1d5c1c65301276523fe90e63789ffbcd489e45f8aa9cf98f33de8f7d9c5cdd21a9ab2847896de6dce0b92f07b1ffb4230ee71ba1fe8048c22dd38af80f8762e747cdec6e99f1ce0d1c743ef98ddbaf7c764412446dca58e6ff5ac0dd13322649acbc96f1c5e0bc58d1a8211853a7d2f51538c5e5e803de0b13044608d6e650bace12945a7008194586e3b74809714b2a52e9f3824be41de9fec3f36175a289baf9fd68b7e92f3754e00b41782d055faa65433c25259aa653fda069386b083fb31aeec8e30c769553f8f0389b6e6d4b392cadd24ce3f74
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = b50bf2767250f14fa7b6f5ea21a54da8d01e91151eb491107fd88b2d4a5aa157c72d89ba896b87e0fe989819442bf0213e4aa7fde8d6b026e7a70ae965193a0e1bc7f8b8af96298c41f60d154164ba678333c903958d4ffb50b50f57ad8eedb6da61a6398ddbbf9c9955bba6bf5991c4c6615df1cde156d8e188003dcbc3a399
+S = 1f068bd083a26534040f41c1387e71a8c00370c5f1c958127e0bc721751b5940513023fad02a6101bbcefaaaaeea2875952bf859d494bfb23fd89149d91290359ecb44ecf2fcaa5775e2e61e5f8d5151343576fe9c7167e919a5d081dac6bb8117229c420fd2b0fcb521f4e72366bfb443e688a65fa392eaa5115c292ab05bb4db65468aab267178653dfa0a5efc960636fcce86433528dbce955a0b1aa188ac33ea128206ecc0feeab8f7df6f8c381b10489c8cfb2d02459e4cffc16f43a66aa4eaa19bc518ccfcf9fc1e4861cfa13e9b41fcefade2cd2ebc001ec8430a1cb949a0f2f876badc568c703e4209e7ca16f688ba9705c14fa1c882e6c4871b9deff31521d2d418e0342e189c40ed19c1b6f4320d89a36f78eca143d3c16dd3eb338c0743646fd314c725c2d36a13080bfcdeea0e431de71d61f652033a75424fe1e1586695c3dc463ad553c1cf3ab24a41ff4e031f9e0c2cb0024cef68273ea3b8c1be9d923d3e9c9686c41977ac7be94a6d23181936131c17a39a898c943dcc8b
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = 5ff000f84a951dbfdd635a4d9f1891e94fc2a6b11c245f26195b76ebebc2edcac412a2f896ce239a80dec3878d79ee509d49b97ea3cabd1a11f426739119071bf610f1337293c3e809e6c33e45b9ee0d2c508d486fe10985e43e00ba36b39845dc32143047ada5b260c482f931a03a26e21f499ae831ea7079822d4a43594951
+S = 18cb47bbf80bad51006424830412d281c66ae45c0b756d03e5d8d49f73037968d13df46ebebd9b5b4c58b164d91d0608e8ebe31d8644cb0bebfaa8e2ccaa1f5746ac8f3bc02ff6930e219f53fe13fc070f910ba1cff0617aea6eb312c1ef285869746673ac1348e89c3646f583d7633f5a2341626bc2e7e2087ff9d8f13d573dc6455dc0068c7ac6eaf5b3093b081614f7b252170c4893891e469121fda655a2a55d67f5df0ff6e29ce5f9b0c3a1a88342140ead748edeea9706d6570e900f1cf3a9adcd7ae64f207585417946b104b3990d1a2d950e0e6a5533d3cfc8c470250e4c797273210f248b8922ab00422f2ecf85aef73587e8c5cd1c2ee6ed9509508409673fe07ee2c462c52d091e7a795d8d3c55fdd5a710d5450695a5a31ed76f115e71a73c6757d2def7ef472571b0bdc7558c71eaefeddec946860b0c77936db31f2001d0499a381e5018870b41ba04c8d42ec0dc55c9fa2af237dc1c405dd8f555b07a237cc50cbce46c3016118cf4ea06c047599283ad4719d647a225206e
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = 531dc2b8566e01a8bfc580da607ec212fc1fbebd5a2590d897046f0ec069df20a1c2278ad70006642d9ba28625d7c1efd4473b68f38fb064346d762bd2fbd5376c2e77de13a31a32a29b88264d44c9f27d3a97b8dc4d1267ab85b5e05c6389575d6a98fc32dea5dbc6cc1a01034a42e1a000b8f63ae720a9a7511474872a6148
+S = 80baa663877615c2e7ca9dd89958a74e54012efad55ad05868dd74b0ce78a661e2b893c3ac1fd837f282327efe4b041220942649b5472c1ac702070787ae5549398a57653d5fca69cd5446d63f6e9d0684925a235acc96b8a10bdf14fbe209fcd4930b5945910d84b08867b2055fe8eb1d771b753759593b90d6aec5ef182cb33bf2fe29e8c67ea4e8433ecfa3f9ba4ce461f0ab19997f299e95409af97bf57e2de410ef7538f699f385c1abafdf9337f7f9d268da87b2b389131fe3dbefd8c67bd2a158cc4e04f9ab7fee2a58d74d063e6c16958a90574e3e4cb881d32c3116987e46bf5bd44f80abe6b9eb717a9fcd4c0cfe80dd2ca62c33b5dd3a59c64810073e0476085ec7b76638983291b69559c815cd3bb87d4b07e24c6b9ebb7028e800a04f09b110c167f6ee3a3bbb73695d89bee92407d4adcea3eaa47811e23f8c7f2fdfe891f8cfc071cb984a63846b95ec04d6261bb1c5980018feee15c4e7bf632dc8306128fa22c47decfd9e8b099554f17253635e6316712e0b95efa3fb00
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = a454391a7c3695486c337a41c2add417d8e9e9c6466d2ebb56ad5f97b9e7ce30784cfcd82d6066e372a3a1639a71a9369f2777435c87d100fc5e6638b3631a0bac639f36429b4594726613e5901816cf3a29f9228b96d66090844c7d0026d2e327e24ab924afda6554c2f74f0e69c2e8913798ec3a61e4e4fb6838ee08f89dc0
+S = 261180717edd905b647bc869f5259203811606221f545a3aee5fc123f297cf7d8a7ee6cee3dc8f97d24284ccdec2fd4680f1428ee75797e0379512aecb9fc1667523413e323c4bd7dded5caf9e5c606e5ee0c694d4d1b5a1f1cb613b980129f64146e42e8261c1f7ef5603954d34d56a50f7431beee5ab291a4759168655a5123640d596b744d97979d39f874ea7ff13a7466a7655d02edb492b58049f2208852297eb023e657f3240c5da9a99fd377728bff3cc073109c31712d94bc24e08c433533d4b86a73b58fbf2c598ccad78d46ca0a055601850960195aac1364dfaddbd06f14a78aac2ab4d374505cc61fc72c1050647d95a733517b709aed2d896721e7484208501480058fa4f6044302dd705c273fa7fb42eaeb02d025092b252e16d270d88dab6f68fd7ad571011f89627683e029d1bf1edc149d47452ebe87ec68679579940f5aec25999b0dedb820a5483ec6901abfee041c03b1a7f743548a2caabca613ff5d9f8fd7c694af12b29f2c2468eff55f9e008757443960fae459e
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-384
+Msg = a05e5782a96ee6d6f10be8830d8c27c0acf272abbf77e684dd6a6c19e5398381e5d0400d3a21927cf904cb6e8e425c1ca3ece04544f25d6c40f0c640d24bc45c807db53044adf63fea835d8cb93a0a4e55f760ebe4594e247051d38d8c34c1413b0ec1d30d3a97888b2fa7c3d59db8c08ab9f985e8d4411635339be95d1b0299
+S = 87d80275df7b196b7e1d0a41147719d773edd80b5627301a500d91665ba86076e6a31c8f3ae86aedb643fe2af223976ea4eb3d4dca2cbcf81ffd14b7ef7de3ee355a8d0f4143e5b0f0a0950a42811102e602cd214e1c945c47e8b7b66d507103c3456f404f9c48aa7fe48dee0aad05e599f242adcf8ccb0cc9db3a6c244a913551ab595600ecfbb67c25a95b54f4054397abe47650e5c4991edaf1441ba9c8e3fbed904ffbc977142ebdc84769865a215158d5b052e75de318d75012172e28c31db2d8bd4edca787216dde2a7387c543f162fc91924918fd6c845bf1ebc0220a1027fb4227340ca4cb0f183e5b34b1e7f93e14fa57bb9d2d2ea53f86d838bcbe3f055b473b0b469afd2960c0d76ce2c30f3d49a3b29065bb9260248e728cbe328bdf502b109e1f20b9d037860cf9e261611b4cbf27ff9b5bf425b2612afc7cfa3138f78ad26077cbfb947fb2aae6f4be85ab2d1a15860839b822dd03a1a92a19a5c7244e98bdf561625ca2a8df410ff855752ebdf3d49f5eb98f228acdd52791
+SaltVal = 61a762f8968d5f367e2dbcacb4021653dc75437d9000e3169d943729703837a5cbf4de62bdedc95fd0d1004e84751452
+
+SHAAlg = SHA-512
+Msg = 44240ce519f00239bd66ba03c84d3160b1ce39e3932866e531a62b1c37cf4170c3dc4809236fb1ade181db49fc9c7ccd794b433d1ad0bc056e14738e0ae45c0e155972a40a989fa4b9bcdc308f11990818835fa2c256b47ee4173fb4fed22ccf4385d2dd54d593c74f0004df08134eb8965dd53a122317f59b95d6b69d017958
+S = 8f47abc2326e22cf62404508b442e81ad45afff7274096b9a13e478cdd0a72f99a76bf517f1bb0f872a523d8c588d4402569e948fd6a108ae1a45c65830828a10e94d432765314ba82ead310fc87ac99a5b39f30ab8820bf69e6934a9c1c915c19f36ea7717eaff7af67b4991315b1873ba929bedf18a975be808e7aa14a6726126c79cc93f69541c5cefdeb5b67ec279d8f5a446583e4b4faed1685140ee4b3b757c8ff4a1ef9cd76a88e05319ee62003d2d77290c94c579b0ca2ab0deb3176ef10a3fdb85c80ffbc9e2a665a23744fc836f9a9a103cd9fb756952356a2f1acdd68a645e20179006558b5d4d0b9b0bd3adf5e290f49dae60b9d19920953ea8bb237d5b3dcfe149a60f12a4ee3a889b33bcd3a3b753d610757cbcd093dd5a734255333689695ab636963e3d215a8e77ff31973718a4944a1e9e44f45754d39f6fa431c53f9a2ef36e16a5f70636eb5fba54e15c20a714f2809a7cff4b8dc1165f836607eb5a5a3bb0c4567eee26941fef46fb41e73b565c0cf8c72e404221264
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = 06d5534b7769256e8cf65c6ce52a3e86965a1fd12c7582d2eb36824a5a9d7053029fbeac721d1b528613e050e912abd7d9f049912abeda338efa2f5213067777edd91b7576f5e6fa7398696599379ed75028cb8db69fa96de7dbc6de7ca128dd51ea334e8cd9cd8fdaefbf53fc825eae836b6c6cd70039a77e420d999b57caae
+S = 913fc118d5ac1edffb4b8fcfa4e85986b46231cef3dad911d5e9534cc88261f6b6969b75a3f25d83ece7ec2034b01d3b2be6c5bd958cc4afcd44839e3953f01e4a15ea5ef6e1b4b0e8ae90bdfd404199e8f86547f67ff6b84f2162c4311cc9eee06bfb2fe46198afb9745d9c443833bf2387eb92406a6339521396f2cbda55d98fe64074d2f2e27b8bc6a79be3d1cc568869b0b50fcbf702b0831668fbfdedc2d1b5491e8ec623edeb60ac870e6e8d058593fbbc938fbf741700efc2b2467e7eb254ae008509e91607f8e50aa16a4e851abca7c8d20c6ff61cfee6c1fb676098e5cdf127c9b79538fd1e6c014161054caf43b734fa69fe06a00d76f710acc198f3da906a7d2e73a2ca882526cc354dd7630a303d8f32c655b5b33cf78859beeaba3f9ae052c8d7471cd2bd9edf42fd8f70c3b0aa79c076928068ca9770959afa632ca6aaba6679e45d6888c50125a73b9deb00d42a125f25df5434beff0d5b0ee13a16b17045cece0f2da7577d79d7cd75a4b6c5bc345f460a173487b51bc6a6
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = 756c51bae61d75e8cf44930e1781dd6b8db6bf8b1f68b4ca4c685d14dcb2d4eece953eba92149f36788df34769987af5d53253b6ec1b4cef117cf9b88bcd03e07ef6c3301ab40ff4133f54b8512ae550e88a931b4a5a7e88bc1e2bd806c7d6266fd709a5e8c56d2a88a3e1ea38fec984b006a842a2eef29b34961bfdb468f4ca
+S = 735186ebf08d505161a8bab36786138414bb5ca2f4025289af237a40f8d0963df9117b619f83d9a98dfcf74b8f001a4a742c85ae018c3b51f16eb5015ba7027cb9a0d0b9e6b65c08ba58b671a9b3dd62107bbd5ae932784d328cdb2e1a551eb67e9d33ff1cf9bffdb223afd75d3650459fdb58143cd4490981efb0b3fe36f642e1837a5d95c3d444af73729dd1a5e9937b8114a28e065d1081f061049e650e45ff5ccf75c246e2e9433b27e79a1b06f7b6b57f9b009e97168a61297cfd0a8156d026a6bf8c3764d0b715c619d856b061df35725498d86cec25f7e1da65b99d9ecbb9a1a6364252e4790d97ea0ffd6234b515929b5ef22676c243d386ebb90a22e67a0e1d1094dddf7721099868c31326814887b646ca52a2c4bcd43f7c71399e7d13e19de688ae5c20463df5965d8255a3e6928d614b601274b757cfacdd4002d9ba8b248ae700d8776475d79d0a55ed4241c9919a3c44dfb9a1f5d0fec7ca341774c596144c38174af59af6deb8937a7d14c459b5d768a977445dafee1a4eeb
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = a9579cce619ebade345e105a9214b938a21f2b7191c4211b2b75d9d2a853805dc8f1eb8f225b876ab857938bd0ea8cc2ff1ee90087030976e3f46afb9f1b1bae6d3874dd769d0426ee7dcbdceb67a9ad770e1781e34b15a45f656328c88ff485c1b2a083056d195afc5b20178c94f94131761cbd50a52defc8502e22cbb6f42a
+S = 603ff63ff638f1ad410e266d82a04c6d475416a0470d97f483c0c99e8fc7212d61e02cc8b4493c9a9dac711d2a8edf196a26563866d68fb04849e82db0f9741f721f2ba4e9db62f6ecfe3b87ebe7feed0c9e2dd46c3f9252d4c122c6bf1bf4ce215ba82fe7c5a91249da70dd30fc9c8ac8b3bb2810b4ff38bfacc13fd41f6fa26507a055e0f1242f18ea8ed8a702d265f893cb4eb61a3dc8e18777157552a1c58db14349a0d0a2a900a0a1f4de863fbadb063ad2a9e526a0a8c3bdcfca5524c181637b1c4a574809fb45b2e4f06f3f89f4ccfb30217b32fc484bb908276d659a0d9a3e7e3fbd46565a0924f918b16b2d6527ec4b5d1d6ef6d6720f3e00485e87de61ed49ed13e85ca6a10d46d4ca4839f486621cca48a7f955a878c4785d55de96facbb91b6ea12e9e4fe4beed00141b0372a3812465e65030f4fb8ddd58701aa3da27d26feb8644f7c80b8ee2a3c3b20a516c7f0b068b503fbb65d3f3b84b253466a887314aa8eb9d85cd035bf8dbb178ebd8d5496fd1b68432457c78c69cad
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = c3287c23b613aefc2425a8b8317d647a447816bac56d0c99259bd9711f5fb2b13eab18e8a0b3b81ff9e98f6cda2c51c4343c0c1118720884c0aef32dd3903ac9e5ebbadb3d7698fedcc56d79bb78a71453b32c2a62ce4000ed4da85581120f3abfd1aa2418c51840d4a18c0659ca2d11aac3bd2e2ee879b3b3604112b24df9ad
+S = 878b9a443921bc7d720e3e288e8f39e550113e01d04fb1635a26f796fb8b161d5b758cff914a2441d8350f8d3922aa5615edfd86501c9a05c210c93a1ae04ff761151dc8d652fb5509ed100999d2bf6e40b1bbb64cf6c5d8e067b445daf567137cb8f0863996de8de9a647f982c9e21a787ee8d72657a2dd42ec9fec49ea1c3345cf004e94594a064b6b6b222845d64c935b539d3fd2d535fe0e47ac6746028e748556c2d88e4d40707e74a1c0cad5cd95dad263efd3ca637ac6b8f78ddf7ba81e443b836d85a83dbe843bd6271e45d842e1bb241c9c18805f37bc19838ba2bc6cd38401dce0cc9780306ea8a87d43110b3e395bbfb81c3ba45ce1cd71596ed27c03e2090a7ee81f60119e187adff0d96acfbaac38f7cb503039ead9cf9550ded5693d3c257406dd0bc061d451bd81d64f969b7c2b84619f0dd82481781eaf5b8fc82a3ac5b9fc20b42f86d4225a435b903d2258f5cf693d1b5c6a5d144f7f4eab9e70de2f3879f68e4c1c7a38dda63e6186534fcd78d58db709bf57a78a848c
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = d54c51f90b278c1c602bb54a23419a62c2e8527229352ed74a17eda6fde02f4b0b012d708515a6215b221d2d291b41cf54a9ad8d562ad16156fb3017fcf2cdf6832fdfa21015cc41429355dd0aa80e09bd2612c867b6f4aa631cf93828bc8492665dd157522ee6c53d06c7226cf0ea5a24e7eae904de7ffb9804aed22a453d69
+S = 265749f7afb1e1d16492eebcee9f5004234e1dcb95b832d14165992f4d1c49d518ba15a6b3adedfd803287cf60ce8c915882e2c78d69ffc46fdecef008e5d7f146e38f268efe49065ddb6fd7969a842189b9d7b3ccb32d62aa05e87e932930f7a1775c338736d9bc8f36521609d8be0c29fdd1728430a537f0a2b9b9fef2cd9f0946c221c08aaa0270e3187ee5c518cfeb00169e7718b01ac0faef097e9cb6a4df3e87a5548a6c3d9f1ba230ee1caa01297e5f17d1be1d776552f36638cff13ab73a1058fe7c1eee28c76a145e9ff9b17074963c22c6435b6c5a619a6f39df94ce348b244320b207a9117e98b9aa5a8c58516d39c71878c4ecfd741ce6e51222fcd92ad32d70c3b92cbbe301dacddf2ec3aec21fdd38a7e110f4f5448577b9546f1a7cd71a35670c1ca47a9199437cbbc65926cd17dddd2c0c3b1ffebe682be616e638839744a147ea897885afefbe6f0e37d4e482dd005f4ff199d0d033bb753380780c90228a87d14d8dbfb829a195b5d8b2dbd67c9eedac48ae639c158eb3
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = 57724b7062193d22f2b6bfd18461d87af122c27bf06093a5dd9c1d92b95f123971706cbf634b0b911ecfa0af6937cb4b884b8092bad7afca065d249d3707acb426df79883742c7752692c011042c9dbb7c9a0f775b09ddf950fdceffef43c9e4fc283b72e7e8b9f99369e79d5b2998f4577536d1dbdd655a41e4e361e9fcb2f1
+S = 84a21a5cc060d141ba9caeca77fd04be8ba8270235e9948d0706dca77413ce7f0811da8b2f5372f8ff5a2eb2bbeae43752c5d1c1e3877992a49574899a6ec9d2a9483156540322fdaa66eec4a2601c281ea5ae996190853644b48231bc22729f32c2188e5f5f7b5056fd3e99ccca3effcb9793343f52a9ee60217d1c492102534a334c1c60a9c4ed63ae861bec7de9898c2dde026d9a029e7d9fe44d552cd3763b8ec3f4371f4e682315657d72a888913d15e1a84a981b3d8d437589a6deb37d14e86aaa365124bf165045040b1f959accff35565205d0ee72bc56d273d1973410774cea7735ca79c6bcb256b54fef0172e058ba91619c66bc45e11b6bcc0f68b529ec3a4133598bcf09c9c4bb0f874c7095f3ebbf85a5f669bb3717eef929fb1c22943268c310282e8842840aecfdc942a468045b02595bb16336634da20ca0b8d758cd30a2b7a0bd0e3e2a6f30f36a1422adfed88e211485066d6c0fa5c986f1dc5b4c1d965021dcc24b3f729f07c02b47af75d01f49da3dea0f1bdd6b4c0f
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = bf5ff776122898e22333fb6da96d2a87a3e6c4e63f28fe7afbc8e8a40a3af2a3f9e9ae4f9287d70901a293f23579f55b890dc67da47b856a9d88ac44637e35ad5d375d7e4d77a8bc7a7f25c80edef3d5bd8b049fa731215b80ca2ee9ee6fb051326e8c6d0b9e11e3d7ef3957fc452cde868706b512f2da33eab4f7fc71b66a78
+S = 86ece9321faf1387de6afa7b1e16c2127e71e6472e093708f0ac4b40e6efb30eedc546907182798535ad6b88ae4a6f8c4fae429d225058294ef76d44ca81defdadd12cea16c58c660a4d158cb6728545307f5a6234c3aa16ae6d989b0b788cc4c18b08c89b57fe302ca6560affc57bd533bdec6ae90fc37167c4355b07c6c7c7aa2bdaf96002832d62c2dd090c61cb8658ecc0e224964b50b9abf1b4271869a8951d81cd5b46af4ead70b0454c01a7229ef2ff27599c7370e747988b45b9a8148575d73014166082947c97e8730d5458ff4a4606b1185f1bfd476e8fea2d1d7fb5d14a061f90e438ce5e36b489b5873b7400ed779ec82adfdc2d9314d6e6547dec3be9853359821e6f6d853c2292f1731789002033ecb46cfc3a7f197a18a677574fcf6870d7e47db874cff258f0f6589386fd9667af292c315ffd849bf71749ef1b4fc5a3fdf39e2782f986bc8f523162c0016c51702513ed17c8f68672cf425fd6ef8b6c8e983bd2128ce4614085e7fb216af7ff01501941f23ffbce556f14
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = 61b6dd24903672621810cbe3342497a6b298b524f7cd50e342914f483596ecad9122a2b341094dd99ad98d4ee1546b040d233f06cfc8d10bd0d5be4b3a5b1d9179a663924327847dd5b25bd380ea4c7965f9280c7d845074dcdd1ebc367b8020a2a8e6689e7a5f755304fe1a1bcd832d418237dd08e71845ee13364231dd5d82
+S = 57d827593ad09f00005ff1ba4521a9ab2717fe34d7af12d7ef5dc07814cb93257a2903cedf0a80704b16fd8aa9dbd06fe3d96fcc7be3843ea161e80ca56f3ef6f760dfc7f1704ed4a50142267b87d244c71fc72102112fe4ea801c82c631edd9d917808c0a1f1c81a9de859dd87569898cba76b35702232aa492850739ec0371b0342318b92eefc45e6ae8547a604d9a15c2829ea85533d6d23fb61ef569be63779d3d2c7cd3bfbc26df02616b7bdbbc0b4e2b5ebba7ec93886a369d10b7bfc0e7f56e7b7ccc814880baa634f4afd874a841d40cdf9c8f117535650b55129b8913d53417bdaf163d68e7044ac011a55ac0e1afd9279d46d31ef83a0bb4a7dbe70bde4b33396750b676576497e202e40cd1401fd6cb08878a6c22db61404b4c2aa88072f7a4851d9faaf016a60a7a49147fc234ad67f8375a90069c274aaddaea43df6292ccdf7daab5f5113070f8ca5e7f43c791acc7e1737cbc311bd5714abb66561703b9ac3629bb10bd1b7709f081840eb3e939c69657ea8f7cfd596b0265
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
+SHAAlg = SHA-512
+Msg = dcc271b1bb2e50ebc23330be36539d50338baf2e9d7a969358c677e8bcbc7787433615c485c2bc2e670098128f4caa411b9d171392adc6ac1a5b297eec4d5b0f06d96cfd1f26f93fe08effad5147f0c3924307a2cb54d95765942e607b040e6c8b731f6372a22ea697a50b98668c9a5d004327e230b7fa1da23a2b964f29b826
+S = 0ac938ab04bf4efa587e34143436ce608ad089420956a72b23103fea769c03f02c3a0db764cd5bf3cc8518565b7efff70c74cc653665dc06e7f1d584e967ba193a70f5e3f7416ed0d4d5dc0e761b24ac8a8be172eb95691f02244379c9aeda8a9f760e061fd476b063b5ededa56bed819fb7136a4604879a92b2cd35507fd49b7d478fbd24c764aa5bc535a6abd7bff5c7692035620597f6329a454ce9188731c4e74d56c5bdef11372540b958cf2f8c42cbdbf915e0c07c77f04b05d876afbc3f2c205a4048826319184d650a243d192fbe35a163ab8ea84a001dd7c1472988a78042cf9fffd96f6948f0e692fc3f3b1c9c13de4b7a021be25c80606e1105cd56815d27c45fef995b1fea36e2e12aafc4a69924785c4855c50c61b1f43be9a1adfd8d7ff2ef5240dcfe5ea4613db4ad085bb0a6fb8627b1ed94dd164a4d9c4c9f375983734f9d2c35ec69d6d7421157d8658dcec1bf6599ea94280a63422376bfabf1b9f730292c498c953654401743c9e6bc499446759484d93e28d5f9f486
+SaltVal = 2d0c49b20789f39502eefd092a2b6a9b2757c1456147569a685fca4492a8d5b0e6234308385d3d629644ca37e3399616c266f199b6521a9987b2be9ee783
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/SigGenPSS_186-3_TruncatedSHAs.txt	2018-05-11 15:10:54.454821900 -0700
@@ -0,0 +1,257 @@
+# CAVS 17.6
+# "FIPS186-4 - SigGen RSA PKCS#1 RSASSA-PSS" information for "testverforgen"
+# Combinations selected:Mod Size 2048 with SHA-512/224(Salt len: 0); SHA-512/256(Salt len: 0);; Mod Size 3072 with SHA-512/224(Salt len: 0); SHA-512/256(Salt len: 0);
+# Generated on Mon May 11 14:15:38 2015
+
+[mod = 2048]
+
+n = abf44a770836fee434fc7bf17b06428a7cb50d27213facac88fb38d3a29ee81669d18e71daa3c78fd89774a223e7a15df4216290c4fda8e15a00088d4071b682f3121c45e25d93b03b2332a9f1a0772018548302f60b2d366528b2364a8962c8bf0ab64e87e1d6ae13432038e3f9e9fd8eb37aef736a19987c259106f4cbbcc4ed6a4d679fa9422489092cc4f12b17d974fe799477995b8cfa3494bc5b426ec3b2d8c02373969630c003e08a42e5e62072dfcb1183ea5364513e6e357bd6c47d69c41767a304b7e7ba115f348963b49b02f34c87e17f5fdd29674dc125d333a4c0c6ba96a5b8afb4e4f785d2e9eecb0165e7f2bbb464e2a65f03baec25d7f519
+
+e = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009b34af
+d = 1fd04b94cdfa3cdb225082a261b12b739ae7c359148acd5ac0899b54347eea93e1375aac688e3a2e6a40a4f4010126edf569a039566b315784bb6a3b3e370e89694f4e6d94608df9e1fc086eb9b3c283fcb7aaff7011e2d5a6f0aa56f2fd64d7dd75abce5e37247c6cccec7cb04e0b5e597020c7f63cce7dd7f84564a6c0fa8d73813d187878271d74cf8b696ff676204847cffa599f61cc3ae39fc1805be01fa2308011b7b1f1c39be87869b7faea7bf22d7fb2adffee26b364014554f6cf31e98d3fb68175731af23355048a22e9a3de432fe434f88cf0689aaba5aefbff08b9d996d92152a5bab5a650c73a1db065b8fcd4a9e260c69b7c806cadda8b0c4b
+
+SHAAlg = SHA-512/224
+Msg = 877b48928e3fae877f436179c74fd2a7fbb3e4f7be96f2e5e68b14bfda659e143e4dea6ad311582f98bf92f2367315d39a6ded38e466bfc280240d80924db6629879bcf04b8a4a3bc540f614e908437d00156a5da0b25a78d2d7fd9d73fabd21db27478dbd538e944eee1348aab7658d73d4e3cdbb22c9ed24ca6b804515bb3b
+S = a08596d43d483c01d959691c1b8d5bb22bb6e1bdb250a8a4d7d4c192e33389baf5328e84d8262115d5ed0eb1bfaa509285dcd17bb4da684e3fab339bf356d74a26e785e1c4e6b2b17518ed0fe796c86ed0b5be64b571f0abf19667e98656054edd3b1bd20c6aedb17b39aabfc5542673fb73bd9614ea37ac4dfd22dbdb1a55d3028984e65475d14caaf7088004555adc39b3cad91526b3812c943c2504bc9145b784f8ae534b6ac6d1395beaaa3d80467bf9b83ec0cd2edf31e50c582cd035b44215779393543e250dbf1c789e248bf980fe4ecfe23c84c78230db169a3b1f2959f63cc6a6950cbb30c91f7bd68fe8298c3c1619af9ee413169e5942626bfa92
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 6c2cdf5fcbb2a735f76045a50c35cc43db0cb86be0c48085759d6f8844e5afbd02d5a7c65bb687de28472062e863fa916edfa090d7b23fb0bf586ff4b57851ceebc4da2a32206ead2607b13fa62b9ac7885cc9358aab1ac68bcf7a83fbc8f90c90c221933a3b862b5a689f432fd5d46d904dd865e1f9394e40cb363eff1ed0fd
+S = 2c9796e896b6a034ad2bd39ff85fbd2764280f38e4a4e7ea7e369ef65b5cc43226ec9615be328330b2e598ab6e407808c44cce49c89d02adef349af24ac5c279e1ea6eb5d7930a612559ec8607e159be5df95f6df6227a4d55a6b4e75be5b7ca59f93c7c93d2c1fa1f25c4acf8e55fc920d4e21b84ad71d4601e3cf68cbca1b41ecdd2b770134d336e6a9c02e4531fc4bf8bbfd157e1d50a633e0b22c49eba6dbfad2743d0f586d49c9cd74bbe725f6633fddfc73b06fdf4c8673d4c723e0d81e5578e186af059e1e62197e270f7fccd97506b5d9bcf9e17463efe6ac15e3f1b7fe2addb1dd49732575676bbeef8339ce96a8800657d1d7bf8adb9ce5ff380af
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 64be9e2354f13bec61d7a59ac983318890be155dcf0764314fd840f1562b4b04c13d5e2e53927eb54d390bc33f513b0c1dccc7b09573e463a02a75cb58767f29093cdd3c8acc3563ce1d2a01b65ad325299e6c6b67fd4c1d9ac3179eaf00350963448315a1a7483c0b0c6a1cd7a7e21ddcbd6d54ecab84a7652a8f3203d156ea
+S = 57457c844156d5e608579f117e87f9721dfb86c72de9b464dff60201e81a5095b891e5c2d5cd1d902bb3b75881f930edbb3a955bc35a102202b6676637792d22135cc7bc67411258bc3a5a4d0bdd5bc2e2362e6bbef30cb40573e4cd404f374090a1b0417c9659244e33878f297006b3113635af5713f24d971f32fa2be633ee7bf12c4539ffede0026cbb9eeecc8312f375d1a4c8676cc51a9f26fbf64926adea4a1a3746a4276e5d4d2f282e81007ec0e498e54ffb2e7a318ab21f5a10d6c7f4d52c4723f22fc51ee4899221f7cab15477326bebfd031a771e937e3754be3695227ffed0f87677c0fce2fba40345b7f77c86ae04ec5cecb34bbc62112fd957
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 40c62273c4b139e7807d1f987b9dc8c0da351bb9628a971039b83cdaeca3a94bb62f828400b414ad24ac3c4476af84b485a2902a9e2bb9a49267f74bb9e0040237b9be3f7e2cce19153787a397911079fee3c6982135dc737ca644433061d39e4acca04b4803ad55da84c95ee52cb436cd6285acf49249a47edded6a580e5e46
+S = 3e6a0621cfaa5ff9c896ded65fa0480a86cfd22c7367bb11721b912441eefcc4f43fd6c60bc519c72d2ae3ec7c945b15d0a664b6183224cf08d9a14b3b30fafbf7fa90a582f68fa428fd1cd6c3c76400a4c0a1a256616bcc3494b2d96354ce0e31d6421299cfe56a8764f0ba6f97f77f063c3feb66e0d3bc89d174bd039b239edd553be0c677d7cdd1b1245563453e619c4673f7480bdce096c4a7344e7ed335d284cee291798fba609e16a06133b63891ca9c293dcee039af1fafda36fdce52f10d24bbca8756659bdb1b09297c95561b94362f85898fcb9bd90496ce1ea4b0db316d0057ea12f770d2d61fa5a1ed01f517cb439d7a3cc5a70ff961e9d51231
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = ca89b42f3a534fb6dd079bd8a463b1581c512197f15f94abb26fb0b0d3af3c63f8cc85ed716300fc00b93018e3abca350ee81884b95d9b8f1af1f485747305d250d053f30a8aae89906515ac6764d481eff3ef0fe766c34e33a2eb81dd1a61c65bfee5ec10aea3841575103b3874156745dc6fdf8561561085eb5c4d188e9967
+S = 6c6b9d1a5aa486e6f9b9cc83edf8390bdb1e9086d3600698ad2c56980f249860e73975b51fadfe64f4383f99b545714da25b246b8feee234af16f43f7822fef569851817ad669ac75d311ed82aaf0d31987b885bacab8886e4f53da93fb208d94dd7767172e22ca9d1c9677f1484e21bb71bc6a01c1db8eb95f5b2ecf0624bbfa048141022a781e3959935290fd477d95c2999bd0dc08a92614f7eff0d11cf56afd3ff05646d47a00559238131099532b425fd44830ed2af8677e539a135dfaf8a0f86e9da0bd614a59a22a1c009d303d623fd178d935d9322f9840c9b58494c1e689237f81ceca727b09203b72f750da314c9bc583978c34010e9af7cd0aa5f
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 847c8d5f082149677d5c0816e9ec20bc6e39e5ad1fdb1ce71260b3f4b64aaf12675865924007ed7e3157d47e51d211fc75cb3a8701e4f875fed3b9cd6d65a464dbc2d24536f4bb56dfa3ee390022067120b0d9c6f5f7f2ea79d9425c406c128d08433c4292f09b39b0c6c00fa0e4e661986f2832a21ef28caafcb66ad569e0d6
+S = 6e332aada45368149e434a5fd56aabd1034c2387d662b323c6d00919f90808b75d011a9418f8e876e1142008b2c637c94887cdd6d9341375934efa022cbd372a8573afbc2f221c2b25814de43708b9e3068f685f7a08c422bd65911f4609ee059f9e1e4a6658838192ffeb221d16a5bcb099d37d0032b04fafe84fd4e535153fcc980b4c2e8ce8473ad184191cdece6d8b3d06c88af24e80eabcac5c38ed36bd790d5cac562bb62b92f270d9c269c7f4a38b4db96b661733e5bcc0928184b6bef1b9d96de1dafbde41d481cf683fdf43f41793a54a82cfbfc9e17cf60e7d46d8c7323a1308aa4c1efd53e7ca9b6adce17612ce87872b11165122df1a18a92c5e
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 32c9805889b6208134896c8e74cdd00d3511b4954046514db268c3adad615f894d2a464bde333a804c05b196da2628e3173cbaea0f76f1dabe28dc58cab5627e71b2d524bf48cb5e05da294588e880fb76349de91e235b4b5f65bcef61d8383984aa556b96bf78234952fb26e4de7f5b383f841bd61437a87f698afadc938ac2
+S = 28f10bb4f6f9bf3c5e33bdb9c0f48cf583bda58b2cecf1917ea450f59951da191e8f77a05929efa6c8eb324629a21e9e894ad9a45b48e967c7f2aed3a44bc68200535901ce342d36a2e1a8785c353119975ef38a0064877d3b67a220ac6ced595e1ff351902e065c65ec94238b4d5d18b9b4c146489b1ac2c2cc70c159dfff13d13b05254355af3381499c2b2072e20e6dfcaf3b89f46d0154cce353f4b5b1a51b0586417ef824d00090f9e71ea274a7e12073482f467c6e7d383d9ca027c0fbb51db4e0139227c2f6775132c4c75c9548f0f139c3473be03d35c8f3054b5920aedf7e9e0bd3b0d21d271ab77414b75f3ad11283a47a35a54392464e50053bc8
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = e631de1cbe356af118de8a7808be1c6c6f012bfccff362715dc2c7105884a6429a7bcaf26d98f3379f3f8533d94a7e3b2c50aa37ed271a4cc3a7d2b9feb1c2ff2a70f845e4df13faed8cfbbc7d9bcf79da0d1fd428435cca83bd8c954b2842d0bf98ceddce12b184294d54dc9db9f96fa0c1f1992a4d0f31c68c5e6be8f00ffd
+S = 1d2da7020c7f307dfc97d775ad8d1a218761fb9d55c632398a63ecb2eac7712899362dd8e373226ae0955c8d7a37ae75fe74bf42d8af0e6c4f61a532c1fbb9223b22cf2de1283a7b4f00cf2ee473f79de7b364327e3443dbbf2983312b5df9a2b64b9c8c1ba67b568ca24b37ebf695a1080b2f1c472bb965c3b49fae480486d5ad082b6c649241b9fbd031cc679ea683c446bd131c7060ee77140df1eb4fbc28948ac47f6f500f3d27c4aa76ae50c3ea8ae1f1dbfe8de2df42a93c112994264ba5e6a5c67aca13c485c326fadb4a44d35337916588bc57ec45908b5f27a0d05d8fe5b2fce109fc7e0e2b2eddd936bb4a116aa2ee6fb5ec2f39d476a0973e9add
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 607889b7ba0071c5840960147da438d3ad0e51c754d41190203abd2ea2de8ec30399089af3a68769e3061bd3742295312fb3e29276df9800baa4cf06ef7a326f3d34564ff9284a48d38f6f06512f890c7c3717b3d96ae06f9a7fcf5516c800da77131bdeb2cee1e9bd6e04b4fc113cebfc61973163bc116527936423ff10218e
+S = 5c318b9e83c78bb1a3a26a3e6bbf619ca566ca0fbcffd4b382163c7deada6c095fbe3be8f7501e5b09b8ea4cd70b50d519b7d8572ce60e354d193ed584e499e4fdab6bc66e7c10faa8eb097a11c7c02180afec545a69e78b128441ff1fb3ca59258bd702b34a30e39a31bde69b50eb312f9aac82c8b5013a57edead1c4a8250158639d637b3ecde9c1764bae8177e596e8da98ba9bada550c7a59ea662f12de60dc965c9c08f85bfd179560e65c56394c98a0eb476e405539717ec667a0f29f0a63b57df171a60e76ffce83338d37b1234af79623654f911bf38df146b8efd8ef3e4d9e0303674cdde2be7f7a05ab67c4ff01492ec61c9cabf608070fd4b5542
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 8dc8f2d43a54d5da6080bb26c0d59b2621cf91d4a3e2d4de50bbe804f4c815c22efa1730c8ca1726447adaa3b79d3970dbd9d1005fecfb9b81edffbcdfd484b78a3d4b9e5d691d668d8602468030b460e33753a3f7a35af02bf5d27bf0b0c675c918f6e8a13acfe2622c9bd5c396f63e62718185120fda24765ccb0ccf63c144
+S = 42b530b315fb5507cf9a361b45eb179442992c1e6b3df9c405c44fa8f07f6bdb12c7929f08308e65a1aa4a8ce69c72002144801c1cc50ff1b55418ad24a4c853fbc3faf025f6fb592c768eae48ddbfe1485904c87cdc5a0bc6e27cfd21a5bc482c2455fb32bac168de1104939ce006b3005dc4c99dc6e13a03b3eec838f3a7f4151b470212b45cf946338750554ac3ac553e3c0a746e3c435a05f44639f912177187fbbbab58ec8ae1f5d148d1a3b0f7946876f99b844e17377d62cd4c38e88ba387bcc92a72c855c5b827df8597c38e01d3ecf0ac4b51d5c1f54bc0a6e5a8f5765b6788bdf866e090512a16283dcb689169851d04fec33f890df7dae82ddaa2
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = b75c5176eb13776150b26d43a11b6120219154828312216f07e7bb98e779b6d3f16609cb75d412f66106dac8ab2d9b27ef807f1e5a8eabd5c6d37cc1268a101825c309880ab58d28df5591afd22858e4db5536559ffe9a4c95d04cff67d9f2079b9ad913725ef2de10ca1b5edeb4a03f2d39028f1c09f7bbbb06b1ba700e6388
+S = 83855773c5c8d64c4d84a92b82259da5bc6ad0a6a1cdc001bcda472b41a98841bc85ff46692c9556e51001a0d6566d7e48776166e2ed69ce386d96e544bd498d0f58ec68f1a5739db424b43e1aac84bff459528c0928a04eecd6e199bc568cf376d6abfac1eff0993404ba4a40c8a80cc55d068b6fe5a7709a9b39e60686098f3289623feff411fdf1b333ef66d1b40e44f1041a05a7c53ab88e4a95a78b24ed821f774f748b80cb9f782c8cfd33882347361843723acd1b2366480423dcb953d22ad1a30329e042ae0e9264464a281a51fad7b5466e94c3438cb675bbc5be781511dc512a8c155ed09bb8b6ef66db604618e83e718bfafcd5d882676afc273b
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 6315b1755461ac2790fc33cc32a1e41a6bcc1b8727cdbb01ed1b2be007ec9e19e40298b4bac8ae806f9d8d05ba703dba868da77897b6552f6f767ad873b232aa4a810a91863ec3dc86db53359a772dd76933c2fb904248938c40ba3bdac5206d5c3910f4ffea75a39b5b8f461be03bd9dd6775f85c991b970c22f3f3854cf0c8
+S = 406231681c7ad1cf287f97daa602eca3547eb0e1ad196aa94c833fba93e95dcbe7f6fd71158940d4c1df03d86cb44ce4746c333444c385110dc431c9006140274ab49d66789a87507b025511d166bd9c42f20f62a407cbe473c7da815ff282d5d727898dac2e8ef735e1720dbdffac02e7956ddde13e355211c5922daaff52ab95c40cec6a4b3de46087319dc62354e156834d0b8431026b8607e079714ffeb9397706449900908adb26de948ad1960915b2fe26b47747a7bf034bedfdcb37fc57938c2f40a9de9683e78906da005c305acea3f6c1a186fba5bd36508cf0976d45204c3a2d90bb2f14f7b5d441d372b2e1c65ff9e774f01adc72f392c989d40d
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 4088572485b70f746faf4998c4a7b79057bd4999413196fe6fd17d315db40c1a202ba0afaaf54ec54ab28225729ae6e3bd6f86eb30b031ddc110221b1527e0208e6662138550779bd4e765f69865d045352dde2a9a019995c67595db8aa4d2099121e3779f3150a016373a30be6f3d5fc5df9b7e058b96cf86e91d9a4494ab7d
+S = 27572f4dc4785c626fa30adf0fc67202babb69fa731378e9aa30072fa70c9d5cc54494136d394e57bd380c5503debd0d041030617c9f3cb45915e6037c183699c708f24dc1c34de0b0d3395ec4f7f23d959e2a6536824bb6457e7bfaf9006ae23970b0b5b356204fdec8a134c15dab604edb79f91c9c676500a11c62deab67953d4fc01f633d7c159927ca44da0a41c748cd7871395e60028366e69257adfeb4f079a4f11903d1c46a4387bd29f3c4f2b135bf1f683c2d1dc62761d65c84a0d914bf22a0af025810ea9f75e0a50c6c1df1cc07212df625bc6f4ae70754dbaf7a6a41a46b8c2318260ef098220517b9cbadba89f918c895f52f48bf146aa3e177
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 29bcd97286a17dced9b367f4039f9f977d507790470f1f2521ef748cfe6819abb642c922fbb4eb8b8ece6700b214b9dee26c44c9bf3ae8f14cc9d6935deda3c24de69c67f0885a87c89996c47c7b3e27850ac71c2bc8c6beb038ba55cb872c1d5871fb4a4d63f148f0dd9947471b55f7d0f4ab907302e016b503c8db2e7fdc45
+S = 84183b2f03a27954833e90ccd8ce5dacf6d1b68fbc87862f48b113dd1e50c395ac3c86eeaa0a8b0c6909f47eb798987b24a69b3c1b114652c5fec23584db9dd5eaae0ea8ff9498c6942b7ecb51bb0969710b3a47b9e41380826d54668bc8eaf5da5c46c836689a950630df22adc5eb6f6a3acba79e5c11bef042070ce695ad92e9a45f9c831d237e439d284f7f62d52902a995651c3c0fa8729d7954c937eff7c77d106536b2042e2d6ce7840b1d1e0772b9fa5f23d1450133b11729e1478d20e5fbf1f38a3c95d938bdca362ce947d2aab1b9ecfcd4fc8876434c1bf845e810aeb0b1d9117376f0b93d35084bd435701b70fdfc6930d754a1f7b1e120750e56
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 6259622d0aea50b8a69ee33aae19f7ad84469d7258a91b4249f13467cccda92c5201ff9225b98344931d8ccd4f25000914af19d98bcf691b6f661cdaeff67ec154b4bdd6e3dfef6505515639a554e312dab6fa54c62075fdbea3ebd9aa9432f9af9a22610c059c014261cbe7784baab21d84c74acf4446ce7cd128cec74fcebb
+S = 0bb0c8cf7aa68abe7d1f3f65166bbd110b8d371f859312afed10241fe007a7cb977d01275d512a97d70d9b114b082e61516043b1958ab759bd86e0efc52b13b6c449c3fd4fd122737ad0d51244a83ddc7d4da6f66a6c56fc5e724c264ef627717ca28439ea8fe9b444d56ef096010142e21b910c10d0ad662cbe45b71c550783d0216ded08bb6dc5aa238023d953d7b6eaa5943452561e48dcd340ff41e989f19a76c99f0f3ee2bd1951e5623c9fdd32373982c1da91bab73833516b51107a13b2e8908465d9c1a91d3cdda4f9ccce1db3fa6b6a7ac23eeaa4c95f77ccab558377331420075bf1d1946abe139331a0818aecb32a6cf9e65ba8979bb5627d22c5
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 356a946ad7f0f8997ea518b8e36d19e7f97f253cd1bc6cb5ba3e6971ac336720e7ec43b9d731736b3bd847d586966f798514be6e43452e562af823906aa9f4af9f9da72aae2efc54ef63ae8f92c3f5bd3b6b4ff8f05f8083351ed7007579b4e3a4a44726238e9a3fe46ed24fce9eb29c63ad6041a0b06c2424d80e29954aafa5
+S = a995981fc9e3022e31e8f1e951ff4e1597bb614789a40dec0347f17ce3511df0882b60becadbb34d7ab3ed74f58dc539bbe5910b9060facbdc815859b2f6fe8069b710b1919913bc143081ffeb7af33a50858bcb0e985660f5e9fac4fa9c39afa76e7a57a160f1cf8143cc09d8758109635588469aaf0ef3cfaba3e815b2712e9ec1b6acc0e0c887187414b70fa546df49eb45f4ae9ca1743311b4d4f11d22d3934f1a3a11aa700f7b99b517586ca1d7c1f4e2e44a75a4c1b9c864d9b0a176c7ef08ffd1f4e10c9f9c8efa926605b15dd110a6d6c83b75ea445c07b5756289e69d0daf9478f468ab3de45b1e5151ad7c0afdda46bd55e8cd92c25c8e9e43691a
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = abd35f9e6bd9bc82151b770a8dbbbffb9a37a672f433d4c79e7978b6753e85c10aa71ad0ad8b411bca7bdd4979ffded95023b7c27b3212560fc2c26c9cf0f9be02edbb9085ba9293232f840824424228f486a2c42ef24f29f9e4bf46976566113baf2a261bed16b1c741528fb90b53b02d694fc033faf40602e8598c8f253580
+S = 63271499bfb0661dc5b28e39e19a7c1dd03f740ec9af3babaf739b2650af5eb876665cf7fa2c684eff47dcc1536d4f74040abd27380462886f1d558e92fc8760ae05f99db35705051f9ec765440a43c429d2064c8e51e23fc35432de3f0b5f4b712d2d6f06e0f73e5165df0ef27f5326f88732ed215e291dac2eb511190a8d14a8fff9ba10e69e4d2d3064746b8b8674b75048f54859eca43a62988f003f49ae87d36bf4404fa7cef5d30416f254fb044b420f949fb189dc431f3e43887fad4896956f5e16faeb67264cb02e29b3317abbe9312ec25bd2fa06e84178a39fa541e3510d28f35f90a206ba4734afa349528f2eb24c213699ff9953ff0b5cc7ad6f
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 1fba005c70aace58878615351e7472e6f0939b1f6ddeaa5db354b826ba56ae92ce50580a439bbb5064a2a9bfac4492d5397a9dee7d3af752379b6b72a139346febdb0fdce95394c509a6c5f0876de862e47b922594c00549f76dbb298a5943f05fa44c5bca9a00c05eda934f17b71b98d9dea24d19397949da14d0d2dc7f841b
+S = 248bea977c17b32876452b645309dc7bf989cf60090de1451e9776d09107eaa4c29897ed6c45e74a0042e8d82846e3ea15a3c09c1bd4b9a7c0a482ccfac324aeab4e209ac3738801084b8706f603413bbf5bf7fc10aeaf2f690792a27e47462f842a2213bdd46e2f006489d6f7f030daf32b0bab6f7c15854ab95870620b289a170ad4d8922b263f82e47e4f06c51af2b021eaf0448a7b3ecb731ea94a0822945868229b8e2a1981d81aac6315b2de197e2963f349ba5cea98147eecb3a8673250366038b5b73b2c43f589e08bad52ea817ab7e5c888e4dc41dd484b3d7439f53657749c5f12fd443ff863c11dbb9ac11aa0f475da16d76918affa68452a0732
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 73228209ad875ca1b92e458b47d68f24594f5e4e52395d5b500eaf2ebc63299c206abe1838bc3a904b553492bbe03db3dc365e310221c2d7de65af210a01bba1e2b23ca196b9000a7dde3e85acb5cddfc82094b218154242dea13fa5e82de2276201e4ecee0614d7f7d04dab41dba570c515e819bd9d4563fbcb46007e7006f5
+S = 96db5837e5644d02af09f74a91e12d9aec84f68e7c2f5b3228ec17e00ee25806ccf7f705b5c82166d8a043c8a4110fd289210a559e93b8ad9839bcbf18a3a79767d3617729d8c318d7e2019a330d7816a8e6cd637819aa7ace36df615853ff90253cad34d7b8aeaf86208e6154c8c691632982096d380631693dcae3492eaa6ff8ffc3454f3602bca6ec93cf3d56d338b7f1ae45d9afd12d1c0338fa73694a61c3c2b019bf444cdea8eac94245b089cf9caa8aa6fae776d43941a143532fde33348818b620bc1bea4e791909d7b64f44474a0c1c20c9ef4d0c467d4f9371927e2c8d2bba4cd8618fccf5f91bbba1336ce49b2f5de13b8f4d792d70a070b306ff
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 09d1932d2a8376d487b833ca5f43a09ed741b379414eebf79df9eb356075692c7591463d82e9fe0c6c5e43921dc5e56e85dcf57cde822aa93527830626812e1be780a97d888527a378cf35f54c359d26bc1b8bc4ee9fee0df8132105a0b0cbc565880416c4bdb93eb4f1511a73fd906d84e6bc78f90dffcbeea50d5a566a06d3
+S = 78248f02a777283a462dc6fcf94d7f0b0c4e6f10622af034f38f326469e0ad1bd8efc22bb441f9e7a8cda25c851a7aa6d690819cc6ff163fa3c0ebd583392256621a21dc8bbc193060b51eb194f8295438b10f0bf774f2eb48d030b6b6206cbe791698e89c71da2ba3c05b78996709904b3288fc6e2d5bb5929eab74e9b028092b45dd4acf11edfdf49aa8259c9a639868b70f0273c69991ca088855b3d1c7fb534d54bf8e507a33966b0185b0bd5204592515fd402da922ba68a6834e4b7176df5eb3114efa32dc5d328480b2cd0c018c783be87b267ff2c595a0392a6d920b023c21620aa58ebae4b0cff347ddf08418189cd16047a80dca087c8e0abe2907
+SaltVal = 00
+
+
+[mod = 3072]
+
+n = a9d6499f2f8bd5c848194a6b444ea48700b13a1988753cbd187d6e5ad8b99347a27a0f0c3bdc038e74b8dab1a958fb1988377de00e4a1c8b9fde61df9cbf6c6df20c57d1ebb99988208784cb2ccf067e4c1bd269f74d8b897896aaf7e4901b7861143440f054c7f53f0e3a29248677d707e4624e4e2c5d075b98bf0a18be780905a1588aa3440ce2d5760ecc767b1c43cbd00924428478923fbe6f4602fce36184d21fb895b04e6a8cde5f0b8798110cb0497155be5336b9fbc0529ab9980c85ba0edcb4af2dbc7cd268b2f699d15f2a7e91510fd782c581672dfc1d1ca8e798f70ee56080db77470118cfc398efa728471e5c4ffdadddfb3232251e1bf61e295acf80d874ccc2ec052ac1806276f98eaf25d2f9156853ea3f27a3f0ad6b9cff46b0deed82fd9f5175b6f845768b45881fb5e584129033161232a4da5375a719729c8f427390c2859997a5ac21bfc7c4cb3c433d29265a19399868a8c16744bbb5e44350c8b2b3acf766966ee04e91db3b564081d7b456d9d78d46ac438577bb
+
+e = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001fdecf
+d = 18402aa33d47f27bd0a21ff764132aa93da95e75e6d5fcd038b0bc89c94ca0fc65ff7d4145d50dec72d0a6d4a2ab331b5cdef5977db2251bd3ab0da528193f5c47afd4432525d075866c1543489a925352d97e91af471bb918176f9f4c6ff91d98560b073df25ccb850fb6bf6a1cfebb895e11e500f51cd55e3ff85203e753be3797fadba4e710ac1838fc1917ac12b4a8d01acf9d9fb1092f95ea861288ca4b618793754d2ecbec3d165e08133bf61e12ce799d5757811cc9fe1b2e63c9fd19b4f11390f8dcdc85667239cb77627e9307054a65a2dcd5411ea468adc6602eb9e71892c4a32fa1f353dd3c9559d2bf2f5f3731045745879e1b5a4de46c5aea1380016823eb48e4e2e0f5845407f03c2c34ec6cd09604d87c36f31c2f09b194f77ac27b56dce1bc582c55c439897876f49e8da0f6f15fd355e05e2254cc67c34671182622424dac86f680f08eb326a146e494d127168c4ff0b223c12cf761cf1ad2ed6cc5def7ff28b912b8a2cd313083950284bd7170839a4828f672ef22efdf
+
+SHAAlg = SHA-512/224
+Msg = c642a5a32850266844f96a1800a11c42fe728f80c1f0ffab11d41a4ba017be51ed4d050969347f4ad98dbef0fb2a188b6c49a859c920967214b998435a00b93d931b5acecaf976917e2e2ac247fe74f4bdb73b0695458f530d0033298bc8587d8054acdc93c793a5fc84b4762d44b8e4b8664e6f6d8673b4c250f0e579962477
+S = 341bec7948589d9deb40c0a65d17864229a7d221243883d1b10aff74181ff0a07db7d74e0b99203e668cacbb89b184e7e613e1129f6b61f7487beba7f1a9d5db81457c8c6269f2fc35972554dea977a73b42e6e9ed880bae8c66190bdf8937f1084a15c2a14f78784836ff566dd83533147c85773a10324a39d19e91abdc172542aa24b92ee09bb72d3ffb446ebd9ff61503e9629f09af6bd0903d484a6d8fef4b85759c932b67ac36bf65a691d42ef422e3e350e5779fa8e717641d8181a2543f7cb8162d41812b5560b8e178086666bdc7f9d3797959731718e8c9808967ca61d1657f07a28e523caef586c1894f66482b4d2f7c31a5247f0cbc4587b3c1aeeb9b32cc9f5d9907c47067a69aa0e1ba174c46ac15c1687f12287899413ab549f48a590c50a69bcab9498b0e48e220d5137efb4fbcf8b511ba9c20d8c5ebbe41459375956236bc87b208c10df1caa3f5ec349185bf4e89b6edddb6467056e197679390598abf8ef0ab98a5f2ecb6361cb895c6b9fd0ebf28eea48ffc5f2ae034
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 0de36b28a6f8ce5e2b3cce3560ad862b5c5bd37ef61263f07b390fc7a2fa6b19c1a49b46404d68c64ebb9325d485684ba7759701023140b1331a4d6d94750433bdc9dc70f88790c2f6f07302c0340382efd7c09320593f4ba3167a85736b6a286b1ad8adb6f070db88a517d50b037e579d4af73d38d4884531f53e152625c480
+S = 9f4647d2c195b9d468bcfef71577ce312ea4249f9f97cbe11b45951b55d0f7a3ec7911a6a82b3b365c8b63b9567b8180a434d652ccb9397002e9016ca4e4565b60e960a5bfe5f861627879a2864cb4f27b377fe3b42540fb71a4b385e69f089bfa3da3eae608329a533bfd8822a0c2e33c9d4372ee0fa6b72820cfe700e68f7cd3c30ea5380269384fb01628d83a56452fd94cae62a17294dc42dd25fc83250e0f90e1c0693d7e95270c220cc206d68ce8f01127b9be0f05fe51f2dc1191887367c880bda23bf815b980074a4427e9bb587b771dc782eebb805cb5d3cbce4b4e0fde6f79f4770e911aaa7fd07b5a2d52ea1b7a2258d1dbdeb5b59915a55e859657604d4367d68a20d8c6fb2f26ce98b4e8695b9da0ed2473aecf6a118e5781bcb189542b77705a37155cdde702fbaa04ee8bb687c3995c0bf7e3a350c0acba2862e6b41d7edff4747d0d52e7645f3731ac4fbe32ca97ab76956190314ad86c83f04feb36e1ad5f73fa1fc291ecca8458d725d61ad0e0203292e3c08753b09ea6
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 15984a7560c9bc4d8e5deb3e807cee541d42022ba5c27b10424b0163e1eaf83f3f2f405e47341f369bdc7b6871594d5ba0f15224fa0104aadd42c807054b6931a457c5d9b549c6938ded9438b3810988f1746614ab6d445c708fcd34cffc2b6c6c9741af530f99ac8b199e74effc0c233953a4c3600e246d24bb76b1e6042839
+S = 47f0f2e59c57d1368d8f7af9fbd9a276ba5664b7cceed05453af3a19e39221753a483afbb69b0ad2c3cb9eeba8a89b15fab2176c4d6f23d49901e755b26bcaa023a2d204ec3f9b1b86e884f915206e9700f1e3440c72ee82ef9cc9586e614bfcffe5f1ce5c1e88ca395dffe17092661763dd1f59342e85da7164877f34435549cc2f46beae3bda75cad2bb6245d95a78f42c35543df768fedc82c0c3eba0f8c9f0a9c9c49acf0659bb31c15e48f5210b40c2c908a7d16b741149f7a99ab662fb93ff03d2e1d1a9c747431a3bde0fc6bda2ca97ff0702c566a802850193f6015541b192d025fb4a066ac86fc3fac60dc126c8aab7407f96c57a9036f8c87101804f63d533bc27030108e9d818a0e781fccf84b1843491d2014d80e504499ffcc9652fae595536eeab6025e4349afbbbc39d98ef3651f9e396e440e10720d0088ddac25aa74c9678daa7009b27831455d724b92a7f385e30ce01348df8953757574d75db554253d6f0a98f44b6e1545bac6ba2ea9089ef53d50e74bf660f31a579
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 6ecef36b3e3f3eeec7b2fcafd5d3fad44a0cc643c09f715a6ff294e15129913c85fa1be5f2bdf91a2cc306d39be97df7da6d73cf5d00a5bb571c7424da972eb140798fbecb0b880a88303eaf79f85658f27370ae44c3f113997506931f12e61769f057dc124e7324a3a0ac2cb6280e5d5cc6c4c6bd11decafea6511668c13fd7
+S = 8dfb3af8566d416b0651852316ca2dbf80b4eedb88bbee9c616760cfea3b6460877d7e63d745c634b3c775498148566ab5c71c69bd476dc2d5db0b5914e1d649ee7648a0dcedcb0132616a696cb665bb872792f1e2e7880ce29ef4226de033b84c0a518a6b1805dbe164ff176fd252e8d784f4696967f444e585e087a1e694a123f0d7e10b1e5ad4894d9ee43107f32665be9ce11ebfb4b722f9e2c6b151a8dd8695156ee1e98f228556c8dc47dfe029ec22fb5c4cf96d8c4c190de823509f57a9674578d705e35d9423449e0519f056a04c47eaa042204d064dff84bf0c6f7e77478c93c4fa2a17fa617b51db9b3ef021501cedce2948119b015200e3f79dec13ebf5d872a9c24f4388e6fea5930e0fce2353543c5de84299d7cb30c7b92bca46a75e5f1d589cc6cf9012ba8754bc288127ca7a47338c2479b560ba66be39333888a3fb408fa6bffa87ae363c2b8dd17ee8091add784cac3d84f7ef9d31829b2bfb9f960918e8a9a703635f2b817dd4d33e34af595460f25d20952513390a4d
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 9d3851f81c9bcdd9bf1b49abb051cdedc3ce75d79eb0ba911d73f2a2f5091aab972cd45557f3ac88cda39fde7bc8de57b185cf4eae2955ab0802515b4e7669fdeb4f08de4d57a52847254956b4364beb5e405e641ec2cf6b44e0074d386e57ae624bf57c48f04121f6484dfda3c39d1391a62b0235a5ae3898b31c62fd196e26
+S = 8ad5a0410d3321c6db10825bb6cb6aff9b535ece860e234af1a765598deba1a3c0f9bcae8026d15fcdefa062465e24262f06444a0a3507742c867d35ea39df96d791970b2feed352987c70c138c7ec51555a6c74f86c7f2289881e10f1e97621397b1ff9664720f9d86ebe6baa42e0fadcacdaaaf72e0973e1d7f282818629697b2fc1bf513e52542ed79d9df500488582ca5bb27811a1f5cc22e9387ff1eb37e09cca5eca7599a17117cc58a5ed1cfb1cd09843a0ab617cdcaafb7657b166a6e2fc994506d728f1b4092fdd6c413922c4224ca9cf13bfde332f26659f93dfae176eeea066a4c5ab6f839c109a227f57b1bdbc7c282d4e683974bfd07184dde9af2ad9e0d5480c18680200cc7a4796188c970ded598610069709b7e57986087c583e46e19469956de5b7a2ec55d800db0483581cf1adface34db109fc1a32b2700a55722a920527511b3afcbe5205ae167f592b5e825770fd412f4c80a76fcaa18f49356dd9512a784350cd312b0b978234c178fa6db7523622fdec936b6ea65
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = d2d812b3558e77320d0a5ac5e028764a08cc74d517d10f4739427622bacdf19bc874c8f1798661fe10cea80c7c0ab3e9219fa73edb8ad51c409a29d826dcc5196657e92fdffa16a6bdd3731bfb826f4f26eca87a64340ce2b6e73dab7a763af134ea3d148dd3df539c81829d6577f0a39f1d4032bbb5fac021907b45bd829a4c
+S = 0c928fde1ba0d751a3416a9945a6d2d92348dcbded370d44ea2fd798d3909d616111cd7d7c1d53d213b94ff485a2c83a61eac10cfa52f5502d077b16b845c7d647fed022bca6ac5662ca71c9c7556750ee421cf3ca83c09227c95739cc1b9b2bd2d04ba65743b719aec6316f8d2a03b0bf09b79c56fa6c78180fb404253fb351945a3967303056a5d9d40640ae3d9089b894415a13dd525b9e68a0c431b0e2d97d99d88b20c63e8b44aff02b6ee7d6e919633e9b66f7cd4767993617ec29dd27714c10aa24fada7fdd3ca4c1f7eeef473e2426d59925337b1c0bcc5a408127c379cf0e5a3b003b15eebab349f1fa1744c0890cdc826bb498eda3d8f595f3b4d068e0c1670fd96e1d4ebec885322defa6ae3cf58501e9a23446004ac7301cfd239807fb03796dd5e07ab33f64bcadf2a51b41daac5e7030b3507b819627d67309ba591361a414964e109e98ccf9aa12b4f855c9f248d9c3546ba5553bd2fc355125375ed8ee5cd75ad32d44fcb58584670b397e8d7797fef0e0cb6968be1532a3
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 80a5889f08f13fe823fc42b0939ae58fdd448de4376bb8c7a70c3d3f6a85d4b593a7d8a9f40c4ca441aa1d6e73a9a6806b7279bcd8095d5c5a9c9329e85c5eed6f8bc22abbd68b0c9be6919d40323b38e7174240b82ab711edcd48373600bfdf5c7acb8a25f9030979d628a5c2dcaa9e995a6ed79e77cfcfa7c6e3d31e1aff72
+S = 0aa0c1be7e36c187a5cd2c0720fe266794df19bee8623dd1291717396abaa02093ca436b76f9cb335b70a19e7712714312eba39c60eecd78748a7cec932f7dbf10daeb18160bd5926e6c5dbcb3e74111521d637f460b6f44b1a3df562f0c93d0fae165fd2e48c03251c95983fa1e6ab61249dafa206cd476cb7fbf672e7084bb358c221b2e94ee268e41b96d32a83a481aba41560e81ffd2e6a3087d88b0e3433255217370b7be41299b0888ea570b74c3cd063c0f02bfcb6ebf77ed4221cfc4d7d3909b7bc087c7a5f0787cfe3dea8f84106488261af265243eb395219acee63011a11d49027703e8a7c11f397925ef0812611be315d209c3138e32238c3755a2021b28706f33f2f8f3f03df24790f013dbccff8455e38e460555818d44f3c400e3105a6464e3955df9f9435bb6b34dbb18ad3477831b45ca84be381f52c2699932e0d9e51fe043be5246d66f6e27892a42fe9d91a258de9da71e0b059e4a34ee683c363f09ce14881d8d34facb67499f0c4e6d98442bb1996f8c4df939a592
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = ee436b6a38d986c178896a803f6e5146bdc518ccd8acf3c7802a60103c705902095ece2365495207a7fc157291fc12bd2811897bc301b05c639fa6514204a8f0af1d871b186659dc69f46f9495b988557104448cc947dce3ae1d0f650d8b60e386867e977ab60408667a622d702c1bd540a632471105de2508ad8596c48de8a3
+S = 37773bb5e8fd6f59b29cd58b5aa6ae9a94b9a317ee96d045ae5450dfea51b0dfef5f82d364349769bcafb987186a163a4091b4d4caae5a961afdfad05e0ede656c10f2914e20b73865e6809b081410b539ee7b0c077803c27e315bb3dc6c40fd05409f306a2d6a6600f6051d974a108d96c54c8dfa33a346799209beedc46842579cd9d668cb809b7c305e8941709ab005cdfeaadf4df17eba04b9f976546a83ae155c66c7f391b5f978509e515356c925df1d41f56db3d4f980ad8dd86408460b772d5ef8fe9b634aa092664085fe750debfe7863052db8124eb8deeb9f2bf4f5f78648c327925bab1cf8e62405b6f38ee85271e5575d42fd0c4f0c9cd0caf8ca22393f8209fbb692731fb2f5e8b0051149651efc83e8ae1a7c979611c0254fce70b78ad81bd4ff8a8988478492e07e12a80c020a42684e57f5c0d55790eaef9756b7f8e4504bf577909eea870a0b2d859f4dac1e2784f3eabaabde6534dc13c23ca3fb4e2ddbef9afd1dee1fbac74470d23ea8ea51b6191cd160f157070c91
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = a0f16e1a5ea9b152f46a250fb197b26adab0e8829f7794c44e519169c7eee13f302cfcadea3968f1c3f88aad6da7bca22fbea0bbda1ab34dff5a259d5f8ae8a3a3ff070d4d813987efb0b63a9aa049929ac7a6456019ff91c071d2c55d330502612f344371c94a9be0574ebe22cb80c38492a5281bbc9f17fa5c40e7a83260e6
+S = 32d142de909db1cc8aa6bc7648c3dbe15cf37c51c5c68b68e631eeca93cb59c3cb063f70ad68bd5c48341fa36d8050ce0d05c691d21b91ee172dd201bd7fdb12e4938e16488990d9fd73efd1223d2502a55c7444e03ab5acca23be2a8ba0af2b3e2281f08de6eee5dd6c3b7a9e6cb94b1e9c5a0eec16b3aefb4f19656d36a555f299811df683107fa7d23834e2aa2fc33a72b7b9a1a8a46ceebd51304fac650e3364c7852b5a339c14be424de63d879b3e5baa97d25a83089cec27963f15ed05dd01aa670b22e12f33c692e3944e60e7d2760e34f05c52de4b983977bf54cfc20a953f631917556609d9f1ad99822c3f522aa9559976ce43cd299cb2fc36e3ac4a462ad2fdd18e30f69b284e720ab073eabeaf3a8b703f1626f722711fb607a0bfdbc282acedb642d780db89de0b01436d41cf48680dd9da79620e2dc862e6fb89d6afa6d9446c8c203d239f888e2cae4c080487f7bc8e290c4cbf283f1b6605d3f3d97b1d725357631b729e0cb01ac1df37a773d0ed6c41143cd8d90d325a7d
+SaltVal = 00
+
+
+SHAAlg = SHA-512/224
+Msg = 947fca2fdd2e5fd21080e50c45804dd61b9a6697f4feafa362456a01dc57f171b68c4dad501105f08d8e34b58605dec180fe84631ce1f6fbcea369b990a4c9a7d8d851eac7265845a30d6ede878da745594537b2fdd93f8ec896e7353859adfbe2acfd6dab3301d93b47ba10afe0506a8eb8a60bffad326539670cfe3a3c4473
+S = 4a9bf3cd69369cebe2346d866aa502765983d52221a26b33528c97fb8b3e33bc8386619012f3eb0c21326798f63be2969fdb853cc19fa1788649be7b59445f5fa8118f5228080d3e80f5e71405b7ecf0f12ad153fec738ddf8196ed174a3d066297d90f0224eeae935af243b04ff39172d61609ce6d46c8490478c5b2240b85830c2e8e4d4c18188277fe9b8318260d7463845f86ef172fb607eaf3ab65eb871016269242ec4de6700e163f3711c237c07ee181477ea6d8e5f01c1519fb4f4bf18b68b58e0e849895b85eadd1ad9c8f5a59c1e6161f23fc1274fd428dd2c446a5764d7163e3852d742c7fd599fd71a47a87bb52b1ce2180b9f028fc0104847b8f6fa8428a4b5830415e58d7ccc5f5d0316d9af988b75bb81814ce47591247ab6f392d7b79f0842664bb7a666dc376461a92c74abbc72925685bf4de29def70890c8127445cf1820060e6378fb9aafb32ac4e4573f0c7cfeb8b1d2abf27e77aacb06fc96deaaac3d42ed91e23b3d187a36e1355df5b7340db434d0ecab713df08
+SaltVal = 00
+
+SHAAlg = SHA-512/256
+Msg = dede9344f021a6bfaab1f31a1156bae87cd631d9ec0477de9bf9c98dd8a2f8c8117b1a99329980612eeee932dac9f579029cdde0b7026072e60001002f8b6fc4f34b4545af9ff37a89e1fc3229eb63b4cada5fa2911256231d8209405f290d8facd87a0f103ae754e61395e4a5c5eae0fd1821e7233a413769054b151181b870
+S = 552e173156b6a9fad3e7a696b0aebf594d2c4c8cfea3b3d5cc16398b1c88d4257faa9398bbf1bd96cde845411e4b0e46f062b0cb6d02300246b6788c50300a399f5f55c89ed1a7d5f7ce95c0e1b4446f0bb11c3fedf79cad0ecadac9b3304ec734ebaf63588a7701355aa715d16ed9e2a3b338abd5a96b12bd3a7a28555440e1d22e010350fa329dab5d08aaa53c23f344962cc71d6a00593344d16b6b8d92e41fb68dc3fe321374a17146c1b1d33d434725f9c9716d3afc0cc0fcca755725b95931e9539282271423fb329bcd482c8388b8b79c6a24593586616a7380d5fa7ccba2dee30151ac8ef92150459c630c05ea15ec907964bdde7167a6c6491facacd8e7bcae2e564612e2bcaba4459f10c1cd6e5c608774165d2ff11752a88e1e2394f8750229ecc82173d7aa57e6f8a4b20b7e9f676dbef75229c281468d7c1a3c0be1a71987161bc469140f9c224d67e01ece5da69f09f0ec282500ddd351806791f4b363c35920f00e02c2fd49bda9ff7d5111d38d1aacbc3f795cfc2679148c
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = ed654056cf27081d61fa37d5a91b2940e7194001cb38c417e613eea55f863ff4e7cb16baeee3829d173855f3ea807acccae48832266296aff370521059e24d69ac0d99599f2d968fb404098df7c46eacec2f9061c6fd56bed97ee03c5280d2b72673f0ba48cbecfd1fa67b2c37afaeea3742801613d1ac4d8286c1b0b32977e7
+S = 2694ab79aa110de26e5bb0c5738280c13e4c4075d850f7bc249076f1b4bef6d189cd55c1207d77915ca19513f110a7dfa2e595f6a840fe45a996ac8ff2fae2aeda666ede3148df4cf4112725ea4c638b7393e52ae1e8c756cd139ebad9f69b7a5e2d6ef65dd06248b06669fd4a90cf6a6f957fc6923e1bd2cafe73a798f7473eb25c153a5d003002e036782e41ae7c3a9c2176ee59e9c3b4957d6f7dcadbf3a033da5ff4cd980f638ce0b49bd0ec1468511a91d31ab25978282058426874aa5e4a3228a6758962280340db921cd727137545cdff946d39db072183770edc815eda2dea83667f1a426cd1510419703078faac7dd6a593789c95ae8c206510fd5a653c58d2e158d6b3a4d50444679583f8009217c72a076f78da6074a7758be3d894f7fb0cd6054df29af04acc53df1c6f6af544e363698da5c72af039f2fd52f51eee27051bacaeafedd56b433ae144e52203b838d0a550aac92f1d7640f7e27c0b07e4421f4b2e87674c1c94c4028886032836c3f9d4fc573a62301b3e938e68
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 78a462d13bced2fa9b5f4b5096b0d09a6c54b9a150fa06356495f470e4bbce3fa14b061db253842266313e3d7df809be9715ae17ec3241e33e5aae270c5e95d80978589ecc2f72d8c97a0ae08028c790f47fe7055f248ba2243b555805ce3525967380dbf1294323ac84d6c1080ab41a6bdc89f311998d7bfe7f118c37d3572e
+S = 6cde4917f5580de2a552238f2a866f34dba7817ccb913cf83e7b1fdb24f9768afb88d372a06fb01f1b904819e2c612d0d4b7dbb07484deb12a5135cdb7bacb79ca29aca60d3d5be245844efc15bb3d8fefb07f5e34b87c7bff61e5f68b71b55f5e7c41f88305100a3326e6dede69e8f9f5ed98de0fe5b3da716511188b4915c5e17b876d4e69c080da9ac3890499f9fb0c3af999a0f53f751c19736a17753e3de0e4bf597302f717424ccd628de245dd2f58dea65cf8ba70291f9ead1d11e68a83518ac9f43fd95eb308083ca5b1a9c750dd71a24e6604b752157eaa4ec12bde9cd10e5e6d2fe74bcef128059d260c9d3e43500099aa9df1bd1fc351878efb7d5e9096af9a453328a2bc4aa4d6cd95f16769bc5a639bfc3429a1ee3424680c74f558e0e716f18961e49b6f818f5ef2fb91b665835f703d3354aa3af41dd219b30162e58acdd0c42991d5929fcba63901681128bf10367df4caabdd3f788c3284d45b15f09a12031c2d79e3df43ff9c0c844332a458295417c9d1b5920b2b8c11
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 0bffa55ea33452b4cb7e729d75952abe7f73e0ed35c0e847188e607cde46586eb9e237fbdc5d59163c68fd1d935f5f66ab7b211cd949ef49c75b6333773d26ec85aa5925ad0033438cf2ebb5ab7dd884b91dd72b1840edaa9cfb2dd68ffcdcf3f8c0d4841c0626624683030cc4d7dd3e32c0c9c5fb8d28911cd6860c2b6bc2aa
+S = 090aedc468b0fbc38c4dbdab04a683f174c6896b0d1063f87adc78f2152aa4e74b728e370aa9e766a4ee80b569a8abf9cd9891f68832f8e6f05561dc8ae111ead42be07e10bbcf5430e062fb6b49ab61e7cf3cd9c58ec79094e1db324903df577b509e9b29a5f95d8a7ef2b252ad7f48d16c08fa273e389738c457b36651097a859329d04be44d529bf75c41d1d14562537ecf3e919221e22a05fd9d2c9d775793f4d69614c8f9e8bbeaf7faa75f046a1ede659f15674fd2c89de67c64f99d2c29715a188932831beaa73e93273a17730067289c161a9c217b5a60c6c38473a4e2c2b62f93fcc99963a8dffdcb7ff0d36fb03d913e72e024b22e2f1c87d79c3801dfef2b5c17e0b3189db14100f7c31eee6dd92454adebef3237a6f50f1c5966ba4e44a012afd4c98f171009b31daee4ab671ae8b669e71d65e7c79181c7d31079766f578c923293405472a6fbbb121355260394e890697bf2f39f552cd5bcafb0670661dd31b531843a89e5566845873c6d05acec03ce1aeafd0e2b4fe8af97
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 48031877336bb181d872f7dd7c9d6ecdeadd556965b433e8e299b21b749eb03a085094e352dede60077e03294d0d77a970f50b45d654799b355b3d0703f4a76c2ea72f310ebe088998a7f8f8d49b6613917db5875705d05c9d1d067b3c8b196e24d191684d515685f1b57e52f98e6490b53bfa35cf0d60b482a9b57e07ad2dc9
+S = 8e1e2ecd1b9b955fef52b996b25a20aa00c0bce4d6cbf8d2d3d9e6711411fa6b89a950a8168c43676050aa9a1d09461cb286891082e34aeb1693ba10bffc8669128009a480eb79b51ce708f31f31559d2111c3df4a1096cd8d3002ba24a4be18443f260d1c31ce4850b767fde5820645fdf1b6768c1c4edfe4c743ecaa656c4f26cd81a10df845bc7f109b7aba8b2b9ddf67eef88b3e715cfca8368c85c80949338007aebab6b821308e2bc5a1edbda48408f9a214d8694913da474135bb9a3e1ad6f9dfc30c78338b43f503ce62977bd34bea7eb3da52627c508db66ba80c02ea8c6082cfc0f06b2f47532f79f7364cce2ca80e24e65ad63620d1beb58ddf9ec940cc7896465f986a6bd5688ecb1099604f41f964722cc8aecbb31295b8ea02d7e71c4650183456c6d5f1a4dbb0e46407cce598174f5f42358d1948fdf5723b66839c35730c66b9beb04affedbd0624ebdea47e3f27f1ac7da98fa19a5210eb97961c6165c2f133651b74f6e6309bac135073034f0af5c3db8953b021c32de0
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 7d462b2bd2ddec9aae0c50d9ee912f304c8f3276d331e5d497900dcba2d73b7831a5a11721b225c7a4b6b48c3886d99ada808ed1762a5284a3167b7e8d09ce47325b4da3d2a1505ca08ad741be071f6f68af73cf706145e0ea2b7db7286a1144e933d6d6cdf296e10c516200685c293660e28a79a71ee771d496bb7d5b442df7
+S = 2845dae6c700ae0b12b4ee09387f532c1df75e4d4d6b8ec2baacfa66d5baac53257b09b090587e0b8e524c366c3b330f668a7b3229f7b16776a598b48e9018c04f074b75abd30d016af665d9f8a8fbf81fede76c3102cf15de174ab69d8160bb28637b257636e7ea69bee46c128afc57bf2c8d1fd639e01d049997c90d286d75f82121ab51fa9d92951724d32725e559961de1345fac18dafc9b472e235dd32bbcda8dd544ff01338189dc191d69141a79b39b7edb56adb48cbdb2e370a0425beb78cfa980e30b92daddabd9e10dac6f13ab0d5a29cabba60d5d637ac9c6abfaeded5672941761d3eeec3763951823b86b4df20838f7170cfe509deff4b1597c5fe3785df0a0a62d70e7fb75f183f6f73a134b4d89004a559edba910157068157e29e25b10c18aa37d1569a484387218712c847a8aad93023fe00cdc71e55aab46ea371bc52fc0496139cf30c7a53e6cf043ef0b9aea086efdba8fd2cbd15c6b82493cae581500040821ccceebbe51de2a2b356006afacb90cbd39f3cee7c99a
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 8ea2309acbdbf827b4af0a7f418741e147392587a474bc2abc5ea3c92a7b5ca7afd1ea936e4a9b6b5c5926e3f2e0f5832552c4ef97156b6b0f2af89e270f019644e4390dcbce40eb9299c00c95a1b542ebf20c9ef8ae70ebe3af617c4a6e862835234492492e8fae3fb60080949028278162251b2d0872b3223604eafd5f9262
+S = 3f5094a438d4bcdd51b54860f3d0e74f87350a0b230b125a7d7ba6c7782f5a38841a3c4dc89e2c51262f355661517184803f0324c83f54453bc3852348cea3683e48013222261bf28c5e1ed47c4f63f1bff0998f7551f71e427c5aca89e8b6558f802a7bfefdaa9c2834a08535d4b8ffc8734fd7d3e3eb903b50a96ba79eec6d114deb6e8cb1a3d301edb343b1f280fb1d6619f5aa980ab98c7fbe423854715226dfa87d2a065b0f77df1d3cc0f724af3764f1dd27dcc763c856c8b2ba64820fec6b8e3e837f31115aa36de077a54c3eb3d91b9bd162468a9036332cadbd295574fa57608ce24161d17a6421dc7425cd31f610fa4835d120a225fc0cba537b96ee5c03b135b62fe14fc95e10dea7a277cbeea8ce3364f284c691573e05fcb58f64b96634d9b49d13a9b271770e521abf4f6b67240a47f76a5cb30ddf33cfd6b0b608509e83b06f3166a8b544979520b5d7ffdcdd9520ea92a2437f33631c82d10ad722da93d16e873e5a279a77edf90924db213067ec94332c447e56b4c86a28
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 81dd6c87d05cef3d2ff53f42830ff45ccbb9af3a47425ba9e003b20bc480030451b03376349803b0d21f90e2e71d20d46cb51bd8bfe558fefe5b9a86b38a5b9bb7fec83e50ec0c809d0ed1f434ad04640900d9c392b4106328cc7668b1abae7d7c6f31c56c819414596a0a60b3e929726842f1e108d80a4128fe4d98040b8611
+S = 5be4d75ed981159652b7794287be96d502cf7705618f590ae7209b7e43df10276009014eb0b101f1aa216af8ed4bd3406e0c98bcca7642324e4727d501d50d8d7e4aa071711bf387ec926eeff74d985078560157f05f4f95c4ae0e1f2adc512f076ae1920a3c197e928c591b7bf3376f0d854ee7c243f08dbb8451ae2547d8f1fcc7f776541f8a98a8d93c50096ae44b366e2a0ac1f8747871676a742f14fea1de0bf2c2857c7d3911b9a5166a3122941d0df4ad80a091fbcc1a700bf381d59a25b0546b2e24c702e33e0216d0c2b800409f84797040373e1f61e0ba73e1c6bbec397dfbca4ce399fef9f48064eca462c3fb0a01c47644e07b43bccf077ba2f0c30be391805f09180c6d996c41ef79bfa2f6ea8fc39db007cf122ec29746f9b4a322a62ac22d5216c77682801921324e72d542a8ab8b6e624da5156e2ace2d7cbcf09200056657369797d1c194b08ee073e7b3b302321611f8706f82924b5c6f5a5a3bc6e1fcfc381555a0350cba6152bda463313ed0f6353e99f05125141236
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = ef2d179cb22c7b89dd1c9f86f007b01630b0bb27a981cda074c559393617d98fe91ab878df6b709303d4f02463c3401febfa678373878de9fdf75d5d37c7ad6c481b617ec8b28c67101ad938b5202a5b4f8b7edf7f0a1810306ade4b1c0cff109297d85977ea192a8c55236aee08b5f1e3cbc8e2d3f0b73b9586a3aaedd016a3
+S = 131d2cdb1a5ef38ad4ed19ebca4b8cc14533bbde7039c957c026c6ccd82a6d1d6088949a88dde506b94fe8cf679a352ba505b982ba9e6c91cecc62c3da3592ac39505ef43e77feedc2b1e4b749a37d56e8fa55b6b579927248bf6a669d61be6923db46062a97ade441a0c43a68cbcec4dbd440a08ee9355aade4327eb18a4fca6bf73b23a557a27074a588e704d9687a1a66d2be3b9851d9fb7869228213e39a6173d60b3f5f2ddeb3fb6bf8ec85dfcfc6685eda41390ea8f8390f9336b181c39e779b930bc93c2867414a4382f47ecd713531425b9fe6ee1573827cde76c01e34d5918d8754a37777fab7d63111970ab806caf53cae6976a1d8409ffb47309d651bb22ab90d474c52bb42367e6a44cee2fb76d2e61b9b2f1fa31e1673f68c8affb551990d5e2ba369b4614cefda05bf21209c44b4033d754b43a8a5585274b6cd198e99b2a17f69c57fe283f3a8f573e7bb92348973acab578a56f4d0a742442c3cbcc323ace0b1605834add2b8d759537c8b773a60f175d7bef555dd15fd08
+SaltVal = 00
+
+
+SHAAlg = SHA-512/256
+Msg = 2393f956864f57c5dd9cbcf27d89ca8da2772d1c0e2b68a7f321d4b51323e578261bb0457c26aa47e3e9b373cb2853bea894438e98e52f6f4629ba080e5cc34d6238e6f66c4e462ff4568a9185c42651cb9cdcb7408682d20825056b18a5ae379e93a4509df2b3e6d88b4b32f284ccacd334007e4e36e93800bcbec57b26309e
+S = 523cfd39492fdc70370d02763e2185abdbaa5ed331694a52ee7ad0382c4d2aa0c78b0fd0bc0d7debdef5b471dfe5c59962fca60a0b1d7cf68f1cf2d44ef8d9e110abb4e1531a9cb26bf4b585d486fd6ef5ee4d7eb7b6e4d6a930090d0d9d201ecab88fcf5c4c9231fbd5fe4285538ff85554073f9e49b084ba6c03ee6d6966afa029318b07dbea55a1570911579149efe87d67391e665b52774bc498a9f7194b4f0d304c8adf0998461ad7e1902ddcc0f7c326f7d5062f7c32f8d7e0fd3b5189b2ccda6451b7a93db018c93baad28ad871a464a4f0da5a32c81f645a77f9e1b6da16aaf96eb32fcf7d658e1846aad21f85f4af856b9853adf16f5cf5b7ea1ac2136fc13fb735df03b010ae854068bc758e3b875c319df322cba923f4ee6668087d59d80f2e55fdf6e44e5f2dfa1e747d0fb8bb3542d5466c47a2324334c8f5d4edb5a1fcc760a2c71d79b4146cd9d6821d92c308b58ac48502da31a63cc525157d63b25fd59f31a73b5398ecafe12739af44c2f441dc47b93f7f4d10c4b2e484
+SaltVal = 00
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/SigRecord.java	2018-05-11 15:10:56.097194800 -0700
@@ -0,0 +1,210 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.math.BigInteger;
+import java.security.*;
+import java.security.spec.*;
+import java.util.ArrayList;
+import java.util.List;
+
+public final class SigRecord {
+
+    static final String TEST_SRC = System.getProperty("test.src", ".");
+
+    // utility method for converting byte array to hex string
+    static String toHexString(byte[] array) {
+        StringBuilder sb = new StringBuilder(array.length * 2);
+        for (byte b : array) {
+            // The single digits 0123456789abcdef get a leading 0
+            if ((b >= 0x00) && (b < 0x10)) {
+                sb.append('0');
+            }
+            sb.append(Integer.toHexString(b & 0xff));
+        }
+        return sb.toString();
+    }
+
+    // utility method for converting hex string to byte array
+    static byte[] toByteArray(String s) {
+        byte[] bytes = new byte[s.length() / 2];
+        for (int i = 0; i < bytes.length; i++) {
+            int index = i * 2;
+            int v = Integer.parseInt(s.substring(index, index + 2), 16);
+            bytes[i] = (byte) v;
+        }
+        return bytes;
+    }
+
+    public static final class SigVector {
+        // digest algorithm to use
+        final String mdAlg;
+
+        // message to test
+        final String msg;
+
+        // expected signature
+        final String sig;
+
+        // optional PSS-only salt value, maybe null
+        final String salt;
+
+        public SigVector(String mdAlg, String msg, String sig, String salt) {
+            if (mdAlg == null || mdAlg.isEmpty()) {
+                throw new IllegalArgumentException("Digest algo must be specified");
+            }
+            if (msg == null || mdAlg.isEmpty()) {
+                throw new IllegalArgumentException("Message must be specified");
+            }
+            if (sig == null || mdAlg.isEmpty()) {
+                throw new IllegalArgumentException("Signature must be specified");
+            }
+            this.mdAlg = mdAlg;
+            this.msg = msg;
+            this.sig = sig;
+            this.salt = salt;
+        }
+
+        @Override
+        public String toString() {
+            return mdAlg + ": msg=" + msg + ": sig=" + sig +
+                (salt != null? (": salt=" + salt) : "");
+        }
+    }
+
+    final String id;
+    // RSA private key value associated with the corresponding test vectors
+    final RSAPrivateKeySpec privKeySpec;
+
+    // RSA public key value associated with the corresponding test vectors
+    final RSAPublicKeySpec pubKeySpec;
+
+    // set of test vectors
+    final List<SigVector> testVectors;
+
+    SigRecord(String mod, String pubExp, String privExp, List<SigVector> testVectors) {
+        if (mod == null || mod.isEmpty()) {
+            throw new IllegalArgumentException("Modulus n must be specified");
+        }
+        if (pubExp == null || pubExp.isEmpty()) {
+            throw new IllegalArgumentException("Public Exponent e must be specified");
+        }
+        if (privExp == null || privExp.isEmpty()) {
+            throw new IllegalArgumentException("Private Exponent d must be specified");
+        }
+        if (testVectors == null || (testVectors.size() == 0)) {
+            throw new IllegalArgumentException("One or more test vectors must be specified");
+        }
+
+        BigInteger n = new BigInteger(1, toByteArray(mod));
+        BigInteger e = new BigInteger(1, toByteArray(pubExp));
+        BigInteger d = new BigInteger(1, toByteArray(privExp));
+        this.id = ("n=" + mod + ", e=" + pubExp);
+        this.pubKeySpec = new RSAPublicKeySpec(n, e);
+        this.privKeySpec = new RSAPrivateKeySpec(n, d);
+        this.testVectors = testVectors;
+    }
+
+    /*
+     * Read a data file into an ArrayList.
+     * This function will exit the program if reading the file fails
+     * or if the file is not in the expected format.
+     */
+    public static List<SigRecord> read(String filename)
+            throws IOException {
+
+        List<SigRecord> data = new ArrayList<>();
+        try (BufferedReader br = new BufferedReader(
+                new InputStreamReader(new FileInputStream(
+                        TEST_SRC + File.separator + filename)))) {
+            String line;
+            String mod = null;
+            String pubExp = null;
+            String privExp = null;
+            List<SigVector> testVectors = new ArrayList<>();
+            while ((line = br.readLine()) != null) {
+                if (line.startsWith("n =")) {
+                    mod = line.split("=")[1].trim();
+                } else if (line.startsWith("e =")) {
+                    pubExp = line.split("=")[1].trim();
+                } else if (line.startsWith("d =")) {
+                    privExp = line.split("=")[1].trim();
+
+                    // now should start parsing for test vectors
+                    String mdAlg = null;
+                    String msg = null;
+                    String sig = null;
+                    String salt = null;
+                    boolean sigVectorDone = false;
+                    while ((line = br.readLine()) != null) {
+                        // we only care for lines starting with
+                        // SHAALG, Msg, S, and Salt
+                        if (line.startsWith("SHAAlg =")) {
+                            mdAlg = line.split(" = ")[1].trim();
+                        } else if (line.startsWith("Msg =")) {
+                            msg = line.split(" = ")[1].trim();
+                        } else if (line.startsWith("S =")) {
+                            sig = line.split(" = ")[1].trim();
+                        } else if (line.startsWith("SaltVal =")) {
+                            salt = line.split(" = ")[1].trim();
+                            if (salt.equals("00")) {
+                                salt = "";
+                            }
+                        } else if (line.startsWith("[mod")) {
+                            sigVectorDone = true;
+                        }
+
+                        if ((mdAlg != null) && (msg != null) && (sig != null) &&
+                            (salt != null)) {
+                            // finish off current SigVector
+                            testVectors.add(new SigVector(mdAlg, msg, sig, salt));
+                            mdAlg = msg = sig = salt = null;
+                        }
+                        if (sigVectorDone) {
+                            break;
+                        }
+                    }
+                    // finish off current SigRecord and clear data for next SigRecord
+                    data.add(new SigRecord(mod, pubExp, privExp, testVectors));
+                    mod = pubExp = privExp = null;
+                    testVectors = new ArrayList<>();
+                }
+            }
+
+            if (data.isEmpty()) {
+                throw new RuntimeException("Nothing read from file "
+                        + filename);
+            }
+        }
+        return data;
+    }
+
+    @Override
+    public String toString() {
+        return (id + ", " + testVectors.size() + " test vectors");
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/SignatureTest2.java	2018-05-11 15:10:57.675535800 -0700
@@ -0,0 +1,200 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+import java.security.*;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.*;
+import java.util.Arrays;
+import java.util.stream.IntStream;
+import static javax.crypto.Cipher.PRIVATE_KEY;
+import static javax.crypto.Cipher.PUBLIC_KEY;
+
+/**
+ * @test
+ * @bug 8146293
+ * @summary Create a signature for RSA and get its signed data. re-initiate
+ *          the signature with the public key. The signature can be verified
+ *          by acquired signed data.
+ * @run main SignatureTest2 768
+ * @run main SignatureTest2 1024
+ * @run main SignatureTest2 2048
+ * @run main/timeout=240 SignatureTest2 4096
+ */
+public class SignatureTest2 {
+    /**
+     * ALGORITHM name, fixed as RSA.
+     */
+    private static final String KEYALG = "RSASSA-PSS";
+
+    /**
+     * JDK default RSA Provider.
+     */
+    private static final String PROVIDER = "SunRsaSign";
+
+    /**
+     * How much times signature updated.
+     */
+    private static final int UPDATE_TIMES_TWO = 2;
+
+    /**
+     * How much times signature initial updated.
+     */
+    private static final int UPDATE_TIMES_TEN = 10;
+
+    /**
+     * Digest algorithms to test w/ RSASSA-PSS signature algorithms
+     */
+    private static final String[] DIGEST_ALG = {
+        "SHA-1", "SHA-224", "SHA-256", "SHA-384",
+        "SHA-512", "SHA-512/224", "SHA-512/256"
+    };
+
+    private static final String SIG_ALG = "RSASSA-PSS";
+
+    private static PSSParameterSpec genPSSParameter(String digestAlgo,
+        int digestLen, int keySize) {
+        // pick a salt length based on the key length and digestAlgo
+        int saltLength = keySize/8 - digestLen - 2;
+        if (saltLength < 0) {
+            System.out.println("keysize: " + keySize/8 + ", digestLen: " + digestLen);
+            return null;
+        }
+        return new PSSParameterSpec(digestAlgo, "MGF1",
+            new MGF1ParameterSpec(digestAlgo), saltLength, 1);
+    }
+
+    public static void main(String[] args) throws Exception {
+        final int testSize = Integer.parseInt(args[0]);
+
+        byte[] data = new byte[100];
+        IntStream.range(0, data.length).forEach(j -> {
+            data[j] = (byte) j;
+        });
+
+        // create a key pair
+        KeyPair kpair = generateKeys(KEYALG, testSize);
+        Key[] privs = manipulateKey(PRIVATE_KEY, kpair.getPrivate());
+        Key[] pubs = manipulateKey(PUBLIC_KEY, kpair.getPublic());
+
+        // For messsage digest algorithm, create and verify a RSASSA-PSS signature
+        Arrays.stream(privs).forEach(priv
+                -> Arrays.stream(pubs).forEach(pub
+                -> Arrays.stream(DIGEST_ALG).forEach(testAlg -> {
+            checkSignature(data, (PublicKey) pub, (PrivateKey) priv,
+                    testAlg, testSize);
+        }
+        )));
+
+    }
+
+    private static KeyPair generateKeys(String keyalg, int size)
+            throws NoSuchAlgorithmException {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyalg);
+        kpg.initialize(size);
+        return kpg.generateKeyPair();
+    }
+
+    private static Key[] manipulateKey(int type, Key key)
+            throws NoSuchAlgorithmException, InvalidKeySpecException, NoSuchProviderException {
+        KeyFactory kf = KeyFactory.getInstance(KEYALG, PROVIDER);
+
+        switch (type) {
+            case PUBLIC_KEY:
+                return new Key[]{
+                    kf.generatePublic(kf.getKeySpec(key, RSAPublicKeySpec.class)),
+                    kf.generatePublic(new X509EncodedKeySpec(key.getEncoded())),
+                    kf.generatePublic(new RSAPublicKeySpec(
+                    ((RSAPublicKey) key).getModulus(),
+                    ((RSAPublicKey) key).getPublicExponent()))
+                };
+            case PRIVATE_KEY:
+                return new Key[]{
+                    kf.generatePrivate(kf.getKeySpec(key,
+                    RSAPrivateKeySpec.class)),
+                    kf.generatePrivate(new PKCS8EncodedKeySpec(
+                    key.getEncoded())),
+                    kf.generatePrivate(new RSAPrivateKeySpec(((RSAPrivateKey) key).getModulus(),
+                    ((RSAPrivateKey) key).getPrivateExponent()))
+                };
+        }
+        throw new RuntimeException("We shouldn't reach here");
+    }
+
+    private static void checkSignature(byte[] data, PublicKey pub,
+            PrivateKey priv, String digestAlg, int keySize) throws RuntimeException {
+        try {
+            Signature sig = Signature.getInstance(SIG_ALG, PROVIDER);
+            int digestLen = MessageDigest.getInstance(digestAlg).getDigestLength();
+            PSSParameterSpec params = genPSSParameter(digestAlg, digestLen, keySize);
+            if (params == null) {
+                System.out.println("Skip test due to short key size");
+                return;
+            }
+            sig.setParameter(params);
+            sig.initSign(priv);
+            for (int i = 0; i < UPDATE_TIMES_TEN; i++) {
+                sig.update(data);
+            }
+            byte[] signedDataTen = sig.sign();
+
+            // Make sure signature can be generated without re-init
+            sig.update(data);
+            byte[] signedDataOne = sig.sign();
+
+            // Make sure signature verifies with original data
+            System.out.println("Verify using params " + sig.getParameters());
+            sig.initVerify(pub);
+            sig.setParameter(params);
+            for (int i = 0; i < UPDATE_TIMES_TEN; i++) {
+                sig.update(data);
+            }
+            if (!sig.verify(signedDataTen)) {
+                throw new RuntimeException("Signature verification test#1 failed w/ "
+                    + digestAlg);
+            }
+
+            // Make sure signature can verify without re-init
+            sig.update(data);
+            if (!sig.verify(signedDataOne)) {
+                throw new RuntimeException("Signature verification test#2 failed w/ "
+                    + digestAlg);
+            }
+
+            // Make sure signature does NOT verify when the original data
+            // has changed
+            for (int i = 0; i < UPDATE_TIMES_TWO; i++) {
+                sig.update(data);
+            }
+
+            if (sig.verify(signedDataOne)) {
+                throw new RuntimeException("Bad signature accepted w/ "
+                    + digestAlg);
+            }
+        } catch (NoSuchAlgorithmException | InvalidKeyException |
+                 SignatureException | NoSuchProviderException |
+                 InvalidAlgorithmParameterException e) {
+            e.printStackTrace();
+            throw new RuntimeException(e);
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/SignatureTestPSS.java	2018-05-11 15:10:59.257904800 -0700
@@ -0,0 +1,193 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+import java.security.*;
+import java.security.interfaces.*;
+import java.security.spec.*;
+import java.util.Arrays;
+import java.util.stream.IntStream;
+import jdk.test.lib.SigTestUtil;
+import static jdk.test.lib.SigTestUtil.SignatureType;
+import static javax.crypto.Cipher.PRIVATE_KEY;
+import static javax.crypto.Cipher.PUBLIC_KEY;
+
+/**
+ * @test
+ * @bug 8146293
+ * @summary Create a signature for RSA and get its signed data. re-initiate
+ *          the signature with the public key. The signature can be verified
+ *          by acquired signed data.
+ * @library /test/lib
+ * @build jdk.test.lib.SigTestUtil
+ * @run main SignatureTestPSS 512
+ * @run main SignatureTestPSS 768
+ * @run main SignatureTestPSS 1024
+ * @run main SignatureTestPSS 2048
+ * @run main/timeout=240 SignatureTestPSS 4096
+ * @run main/timeout=240 SignatureTestPSS 5120
+ * @run main/timeout=480 SignatureTestPSS 6144
+ */
+public class SignatureTestPSS {
+    /**
+     * ALGORITHM name, fixed as RSASSA-PSS.
+     */
+    private static final String KEYALG = SignatureType.RSASSA_PSS.toString();
+
+    /**
+     * JDK default RSA Provider.
+     */
+    private static final String PROVIDER = "SunRsaSign";
+
+    /**
+     * How much times signature updated.
+     */
+    private static final int UPDATE_TIMES_FIFTY = 50;
+
+    /**
+     * How much times signature initial updated.
+     */
+    private static final int UPDATE_TIMES_HUNDRED = 100;
+
+    public static void main(String[] args) throws Exception {
+        int testSize = Integer.parseInt(args[0]);
+
+        Iterable<String> md_alg_pss =
+            SigTestUtil.getDigestAlgorithms(SignatureType.RSASSA_PSS, testSize);
+
+        byte[] data = new byte[100];
+        IntStream.range(0, data.length).forEach(j -> {
+            data[j] = (byte) j;
+        });
+
+        // create a key pair
+        KeyPair kpair = generateKeys(KEYALG, testSize);
+        Key[] privs = manipulateKey(PRIVATE_KEY, kpair.getPrivate());
+        Key[] pubs = manipulateKey(PUBLIC_KEY, kpair.getPublic());
+
+        test(md_alg_pss, privs, pubs, data);
+    }
+
+    private static void test(Iterable<String> testAlgs, Key[] privs,
+            Key[] pubs, byte[] data) throws RuntimeException {
+        // For signature algorithm, create and verify a signature
+        Arrays.stream(privs).forEach(priv
+                -> Arrays.stream(pubs).forEach(pub
+                -> testAlgs.forEach(testAlg -> {
+            try {
+                checkSignature(data, (PublicKey) pub, (PrivateKey) priv,
+                        testAlg);
+            } catch (NoSuchAlgorithmException | InvalidKeyException |
+                     SignatureException | NoSuchProviderException |
+                     InvalidAlgorithmParameterException ex) {
+                throw new RuntimeException(ex);
+            }
+        }
+        )));
+
+    }
+
+    private static KeyPair generateKeys(String keyalg, int size)
+            throws NoSuchAlgorithmException {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance(keyalg);
+        kpg.initialize(size);
+        return kpg.generateKeyPair();
+    }
+
+    private static Key[] manipulateKey(int type, Key key)
+            throws NoSuchAlgorithmException, InvalidKeySpecException,
+            NoSuchProviderException {
+        KeyFactory kf = KeyFactory.getInstance(KEYALG, PROVIDER);
+        switch (type) {
+            case PUBLIC_KEY:
+                try {
+                    kf.getKeySpec(key, RSAPrivateKeySpec.class);
+                    throw new RuntimeException("Expected InvalidKeySpecException"
+                            + " not thrown");
+                } catch (InvalidKeySpecException expected) {
+                    System.out.println("Expected IKSE thrown for PublicKey"); 
+                }
+                return new Key[]{
+                    kf.generatePublic(kf.getKeySpec(key, RSAPublicKeySpec.class)),
+                    kf.generatePublic(new X509EncodedKeySpec(key.getEncoded())),
+                    kf.generatePublic(new RSAPublicKeySpec(
+                        ((RSAPublicKey)key).getModulus(),
+                        ((RSAPublicKey)key).getPublicExponent(),
+                        ((RSAPublicKey)key).getParams()))
+                };
+            case PRIVATE_KEY:
+                try {
+                    kf.getKeySpec(key, RSAPublicKeySpec.class);
+                    throw new RuntimeException("Expected InvalidKeySpecException"
+                            + " not thrown");
+                } catch (InvalidKeySpecException expected) {
+                    System.out.println("Expected IKSE thrown for PrivateKey");
+                }
+                return new Key[]{
+                    kf.generatePrivate(kf.getKeySpec(key, RSAPrivateKeySpec.class)),
+                    kf.generatePrivate(new PKCS8EncodedKeySpec(key.getEncoded())),
+                    kf.generatePrivate(new RSAPrivateKeySpec(
+                        ((RSAPrivateKey)key).getModulus(),
+                        ((RSAPrivateKey)key).getPrivateExponent(),
+                        ((RSAPrivateKey)key).getParams()))
+                };
+        }
+        throw new RuntimeException("We shouldn't reach here");
+    }
+
+    private static void checkSignature(byte[] data, PublicKey pub,
+            PrivateKey priv, String mdAlg) throws NoSuchAlgorithmException,
+            InvalidKeyException, SignatureException, NoSuchProviderException,
+            InvalidAlgorithmParameterException {
+        System.out.println("Testing against " + mdAlg);
+        Signature sig = Signature.getInstance
+            (SignatureType.RSASSA_PSS.toString(), PROVIDER);
+        AlgorithmParameterSpec params =
+            SigTestUtil.generateDefaultParameter(SignatureType.RSASSA_PSS, mdAlg);
+        sig.setParameter(params);
+        sig.initSign(priv);
+        for (int i = 0; i < UPDATE_TIMES_HUNDRED; i++) {
+            sig.update(data);
+        }
+        byte[] signedData = sig.sign();
+
+        // Make sure signature verifies with original data
+        // do we need to call sig.setParameter(params) again?
+        sig.initVerify(pub);
+        for (int i = 0; i < UPDATE_TIMES_HUNDRED; i++) {
+            sig.update(data);
+        }
+        if (!sig.verify(signedData)) {
+            throw new RuntimeException("Failed to verify signature");
+        }
+
+        // Make sure signature does NOT verify when the original data
+        // has changed
+        sig.initVerify(pub);
+        for (int i = 0; i < UPDATE_TIMES_FIFTY; i++) {
+            sig.update(data);
+        }
+
+        if (sig.verify(signedData)) {
+            throw new RuntimeException("Failed to detect bad signature");
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/TestPSSKeySupport.java	2018-05-11 15:11:00.852379100 -0700
@@ -0,0 +1,152 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8146293 
+ * @summary Test RSASSA-PSS Key related support such as KeyPairGenerator
+ * and KeyFactory of the SunRsaSign provider
+ */
+
+import java.io.*;
+import java.util.*;
+import java.math.BigInteger;
+
+import java.security.*;
+import java.security.interfaces.*;
+import java.security.spec.*;
+
+public class TestPSSKeySupport {
+
+    private static final String ALGO = "RSASSA-PSS";
+
+    /**
+     * Test that key1 (reference key) and key2 (key to be tested) are
+     * equivalent
+     */
+    private static void testKey(Key key1, Key key2) throws Exception {
+        if (key2.getAlgorithm().equals(ALGO) == false) {
+            throw new Exception("Algorithm not " + ALGO);
+        }
+        if (key1 instanceof PublicKey) {
+            if (key2.getFormat().equals("X.509") == false) {
+                throw new Exception("Format not X.509");
+            }
+        } else if (key1 instanceof PrivateKey) {
+            if (key2.getFormat().equals("PKCS#8") == false) {
+                throw new Exception("Format not PKCS#8");
+            }
+        }
+        if (key1.equals(key2) == false) {
+            throw new Exception("Keys not equal");
+        }
+        if (Arrays.equals(key1.getEncoded(), key2.getEncoded()) == false) {
+            throw new Exception("Encodings not equal");
+        }
+    }
+
+    private static void testPublic(KeyFactory kf, PublicKey key) throws Exception {
+        System.out.println("Testing public key...");
+        PublicKey key2 = (PublicKey)kf.translateKey(key);
+        KeySpec rsaSpec = kf.getKeySpec(key, RSAPublicKeySpec.class);
+        PublicKey key3 = kf.generatePublic(rsaSpec);
+        KeySpec x509Spec = kf.getKeySpec(key, X509EncodedKeySpec.class);
+        PublicKey key4 = kf.generatePublic(x509Spec);
+        KeySpec x509Spec2 = new X509EncodedKeySpec(key.getEncoded());
+        PublicKey key5 = kf.generatePublic(x509Spec2);
+        testKey(key, key);
+        testKey(key, key2);
+        testKey(key, key3);
+        testKey(key, key4);
+        testKey(key, key5);
+    }
+
+    private static void testPrivate(KeyFactory kf, PrivateKey key) throws Exception {
+        System.out.println("Testing private key...");
+        PrivateKey key2 = (PrivateKey)kf.translateKey(key);
+        KeySpec rsaSpec = kf.getKeySpec(key, RSAPrivateCrtKeySpec.class);
+        PrivateKey key3 = kf.generatePrivate(rsaSpec);
+        KeySpec pkcs8Spec = kf.getKeySpec(key, PKCS8EncodedKeySpec.class);
+        PrivateKey key4 = kf.generatePrivate(pkcs8Spec);
+        KeySpec pkcs8Spec2 = new PKCS8EncodedKeySpec(key.getEncoded());
+        PrivateKey key5 = kf.generatePrivate(pkcs8Spec2);
+        testKey(key, key);
+        testKey(key, key2);
+        testKey(key, key3);
+        testKey(key, key4);
+        testKey(key, key5);
+
+        KeySpec rsaSpec2 = kf.getKeySpec(key, RSAPrivateKeySpec.class);
+        PrivateKey key6 = kf.generatePrivate(rsaSpec2);
+        RSAPrivateKey rsaKey = (RSAPrivateKey)key;
+        KeySpec rsaSpec3 = new RSAPrivateKeySpec(rsaKey.getModulus(),
+            rsaKey.getPrivateExponent(), rsaKey.getParams());
+        PrivateKey key7 = kf.generatePrivate(rsaSpec3);
+        testKey(key6, key6);
+        testKey(key6, key7);
+    }
+
+    private static void test(KeyFactory kf, Key key) throws Exception {
+        if (key.getAlgorithm().equals(ALGO) == false) {
+            throw new Exception("Error: key algo should be " + ALGO);
+        }
+        if (key instanceof PublicKey) {
+            testPublic(kf, (PublicKey)key);
+        } else if (key instanceof PrivateKey) {
+            testPrivate(kf, (PrivateKey)key);
+        }
+    }
+
+    private static void checkKeyPair(KeyPair kp) throws Exception {
+        PublicKey pubKey = kp.getPublic();
+        if (!(pubKey instanceof RSAPublicKey)) {
+            throw new Exception("Error: public key should be RSAPublicKey");
+        }
+        PrivateKey privKey = kp.getPrivate();
+        if (!(privKey instanceof RSAPrivateKey)) {
+            throw new Exception("Error: private key should be RSAPrivateKey");
+        }
+    }
+
+    public static void main(String[] args) throws Exception {
+        KeyPairGenerator kpg =
+            KeyPairGenerator.getInstance(ALGO, "SunRsaSign");
+ 
+        // Algorithm-Independent Initialization
+        kpg.initialize(2048);
+        KeyPair kp = kpg.generateKeyPair();
+        checkKeyPair(kp);
+        BigInteger pubExp = ((RSAPublicKey)kp.getPublic()).getPublicExponent();
+
+        // Algorithm-specific Initialization
+        PSSParameterSpec params = new PSSParameterSpec("SHA-256", "MGF1", 
+            MGF1ParameterSpec.SHA256, 32, 1);
+        kpg.initialize(new RSAKeyGenParameterSpec(2048, pubExp, params));
+        KeyPair kp2 = kpg.generateKeyPair();
+        checkKeyPair(kp2);
+
+        KeyFactory kf = KeyFactory.getInstance(ALGO, "SunRsaSign");
+        test(kf, kp.getPublic());
+        test(kf, kp.getPrivate());
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/rsa/pss/TestSigGenPSS.java	2018-05-11 15:11:02.432546600 -0700
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.security.*;
+import java.security.spec.*;
+import java.security.interfaces.*;
+import java.util.ArrayList;
+import java.util.List;
+
+/*
+ * @test
+ * @bug 8146293
+ * @summary Known Answer Tests based on NIST 186-3 at:
+ * @compile SigRecord.java
+ * @run main/othervm TestSigGenPSS
+ */
+public class TestSigGenPSS {
+
+    private static final String[] testFiles = {
+        "SigGenPSS_186-3.txt", "SigGenPSS_186-3_TruncatedSHAs.txt"
+    };
+
+    static final class MyKnownRandomSrc extends SecureRandom {
+        final byte[] srcBytes;
+        int numBytes;
+
+        MyKnownRandomSrc(String srcString) {
+            this.srcBytes = SigRecord.toByteArray(srcString);
+            this.numBytes = this.srcBytes.length;
+        }
+        @Override
+        public void nextBytes(byte[] bytes) {
+            if (bytes.length > numBytes) {
+                throw new RuntimeException("Not enough bytes, need "
+                    + bytes.length + ", got " + numBytes);
+            }
+            System.arraycopy(this.srcBytes, this.srcBytes.length - numBytes, bytes, 0, bytes.length);
+            numBytes -= bytes.length;
+        }
+
+    }
+
+    public static void main(String[] args) throws Exception {
+        //for (Provider provider : Security.getProviders()) {
+        Provider p = Security.getProvider("SunRsaSign");
+        Signature sig;
+        try {
+            sig = Signature.getInstance("RSASSA-PSS", p);
+        } catch (NoSuchAlgorithmException e) {
+            System.out.println("Skip testing RSASSA-PSS" +
+                " due to no support");
+            return;
+        }
+
+        boolean success = true;
+        for (String f : testFiles) {
+            System.out.println("[INPUT FILE " + f + "]");
+            try {
+                success &= runTest(SigRecord.read(f), sig);
+            } catch (IOException e) {
+                System.out.println("Unexpected exception: " + e);
+                e.printStackTrace(System.out);
+                success = false;
+            }
+        }
+
+        if (!success) {
+            throw new RuntimeException("One or more test failed");
+        }
+        System.out.println("Test passed");
+    }
+
+    /*
+     * Run all the tests in the data list with specified algorithm
+     */
+    static boolean runTest(List<SigRecord> records, Signature sig) throws Exception {
+        boolean success = true;
+        KeyFactory kf = KeyFactory.getInstance("RSA", sig.getProvider());
+        for (SigRecord sr : records) {
+            System.out.println("==Testing Record : " + sr + "==");
+            PrivateKey privKey = kf.generatePrivate(sr.privKeySpec);
+            PublicKey pubKey = kf.generatePublic(sr.pubKeySpec);
+            success &= check(sig, privKey, pubKey, sr.testVectors);
+            System.out.println("==Done==");
+        }
+        return success;
+    }
+
+    /*
+     * Generate the signature, check against known values and verify.
+     */
+    static boolean check(Signature sig, PrivateKey privKey, PublicKey pubKey,
+        List<SigRecord.SigVector> vectors) throws Exception {
+
+        boolean success = true;
+        for (SigRecord.SigVector v : vectors) {
+            System.out.println("\tAgainst " + v.mdAlg);
+            byte[] msgBytes = SigRecord.toByteArray(v.msg);
+            byte[] expSigBytes = SigRecord.toByteArray(v.sig);
+
+            MyKnownRandomSrc saltSrc = new MyKnownRandomSrc(v.salt);
+            sig.initSign(privKey, saltSrc);
+            PSSParameterSpec params = new PSSParameterSpec(v.mdAlg, "MGF1",
+                new MGF1ParameterSpec(v.mdAlg), saltSrc.numBytes, 1);
+            sig.setParameter(params);
+            sig.update(msgBytes);
+            byte[] actualSigBytes = sig.sign();
+
+            // Check if the supplied salt bytes are used up
+            if (saltSrc.numBytes != 0) {
+                throw new RuntimeException("Error: salt length mismatch! "
+                    + saltSrc.numBytes + " bytes leftover");
+            }
+
+            success &= MessageDigest.isEqual(actualSigBytes, expSigBytes);
+
+            if (!success) {
+                System.out.println("\tFailed:");
+                System.out.println("\tSHAALG       = " + v.mdAlg);
+                System.out.println("\tMsg          = " + v.msg);
+                System.out.println("\tSalt          = " + v.salt);
+                System.out.println("\tExpected Sig = " + v.sig);
+                System.out.println("\tActual Sig   = " + SigRecord.toHexString(actualSigBytes));
+            } else {
+                System.out.println("\t" + v.mdAlg + " Test Vector Passed");
+            }
+        }
+        return success;
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/SSLEngineImpl/SSLEngineKeyLimit.java	2018-05-11 15:11:04.005793900 -0700
@@ -0,0 +1,460 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8164879
+ * @library /lib/testlibrary ../../
+ * @summary Verify AES/GCM's limits set in the jdk.tls.keyLimits property
+ * start a new handshake sequence to renegotiate the symmetric key with an
+ * SSLSocket connection.  This test verifies the handshake method was called
+ * via debugging info.  It does not verify the renegotiation was successful
+ * as that is very hard.
+ *
+ * @run main SSLEngineKeyLimit 0 server AES/GCM/NoPadding keyupdate 1050000
+ * @run main SSLEngineKeyLimit 1 client AES/GCM/NoPadding keyupdate 2^22
+ */
+
+/*
+ * This test runs in another process so we can monitor the debug
+ * results.  The OutputAnalyzer must see correct debug output to return a
+ * success.
+ */
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.File;
+import java.io.PrintWriter;
+import java.nio.ByteBuffer;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.util.Arrays;
+
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.Utils;
+import jdk.testlibrary.OutputAnalyzer;
+
+public class SSLEngineKeyLimit {
+
+    SSLEngine eng;
+    static ByteBuffer cTos;
+    static ByteBuffer sToc;
+    static ByteBuffer outdata;
+    ByteBuffer buf;
+    static boolean ready = false;
+
+    static String pathToStores = "../../../../javax/net/ssl/etc/";
+    static String keyStoreFile = "keystore";
+    static String trustStoreFile = "truststore";
+    static String passwd = "passphrase";
+    static String keyFilename;
+    static int dataLen = 10240;
+    static boolean serverwrite = true;
+    int totalDataLen = 0;
+    static boolean sc = true;
+    static boolean debug = false;
+    int delay = 1;
+
+    SSLEngineKeyLimit() {
+        buf = ByteBuffer.allocate(dataLen*4);
+    }
+
+    /**
+     * args should have two values:  server|client, <limit size>
+     * Prepending 'p' is for internal use only.
+     */
+    public static void main(String args[]) throws Exception {
+
+        for (int i = 0; i < args.length; i++) {
+            System.out.print(" " + args[i]);
+        }
+        System.out.println();
+        if (args[0].compareTo("p") != 0) {
+            boolean expectedFail = (Integer.parseInt(args[0]) == 1);
+            if (expectedFail) {
+                System.out.println("Test expected to not find updated msg");
+            }
+
+            // Write security property file to overwrite default
+            File f = new File("keyusage."+ System.nanoTime());
+            PrintWriter p = new PrintWriter(f);
+            p.write("jdk.tls.keyLimits=");
+            for (int i = 2; i < args.length; i++) {
+                p.write(" "+ args[i]);
+            }
+            p.close();
+
+            System.setProperty("test.java.opts",
+                    "-Dtest.src=" + System.getProperty("test.src") +
+                            " -Dtest.jdk=" + System.getProperty("test.jdk") +
+                            " -Djavax.net.debug=ssl" +
+                            " -Djava.security.properties=" + f.getName());
+
+            System.out.println("test.java.opts: " +
+                    System.getProperty("test.java.opts"));
+
+            ProcessBuilder pb = ProcessTools.createJavaProcessBuilder(true,
+                    Utils.addTestJavaOpts("SSLEngineKeyLimit", "p", args[1]));
+
+            OutputAnalyzer output = ProcessTools.executeProcess(pb);
+            try {
+                if (expectedFail) {
+                    output.shouldNotContain("KeyUpdate: write key updated");
+                    output.shouldNotContain("KeyUpdate: read key updated");
+                } else {
+                    output.shouldContain("KeyUpdate: write key updated");
+                    output.shouldContain("KeyUpdate: read key updated");
+                }
+            } catch (Exception e) {
+                throw e;
+            } finally {
+                System.out.println("-- BEGIN Stdout:");
+                System.out.println(output.getStdout());
+                System.out.println("-- END Stdout");
+                System.out.println("-- BEGIN Stderr:");
+                System.out.println(output.getStderr());
+                System.out.println("-- END Stderr");
+            }
+            return;
+        }
+
+        if (args[0].compareTo("p") != 0) {
+            throw new Exception ("Tried to run outside of a spawned process");
+        }
+
+        if (args[1].compareTo("client") == 0) {
+            serverwrite = false;
+        }
+
+        cTos = ByteBuffer.allocateDirect(dataLen*4);
+        keyFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + keyStoreFile;
+
+        System.setProperty("javax.net.ssl.keyStore", keyFilename);
+        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
+
+        sToc = ByteBuffer.allocateDirect(dataLen*4);
+        outdata = ByteBuffer.allocateDirect(dataLen);
+
+        byte[] data  = new byte[dataLen];
+        Arrays.fill(data, (byte)0x0A);
+        outdata.put(data);
+        outdata.flip();
+        cTos.clear();
+        sToc.clear();
+
+        Thread ts = new Thread(serverwrite ? new Client() : new Server());
+        ts.start();
+        (serverwrite ? new Server() : new Client()).run();
+        ts.interrupt();
+        ts.join();
+    }
+
+    private static void doTask(SSLEngineResult result,
+            SSLEngine engine) throws Exception {
+
+        if (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_TASK) {
+            Runnable runnable;
+            while ((runnable = engine.getDelegatedTask()) != null) {
+                System.out.println("\trunning delegated task...");
+                runnable.run();
+            }
+            SSLEngineResult.HandshakeStatus hsStatus = engine.getHandshakeStatus();
+            if (hsStatus == SSLEngineResult.HandshakeStatus.NEED_TASK) {
+                throw new Exception(
+                    "handshake shouldn't need additional tasks");
+            }
+            print("\tnew HandshakeStatus: " + hsStatus);
+        }
+    }
+
+    static void print(String s) {
+        if (debug) {
+            System.out.println(s);
+        }
+    }
+
+    static void log(String s, SSLEngineResult r) {
+        if (!debug) {
+            return;
+        }
+        System.out.println(s + ": " +
+                r.getStatus() + "/" + r.getHandshakeStatus()+ " " +
+                r.bytesConsumed() + "/" + r.bytesProduced() + " ");
+
+    }
+
+    void write() throws Exception {
+        int i = 0;
+        SSLEngineResult r;
+        boolean again = true;
+
+        while (!ready) {
+            Thread.sleep(delay);
+        }
+        print("Write-side. ");
+
+        while (i++ < 120) {
+            while (sc) {
+                Thread.sleep(delay);
+            }
+
+            outdata.rewind();
+            print("write wrap");
+
+            while (true) {
+                r = eng.wrap(outdata, getWriteBuf());
+                log("write wrap", r);
+                if (debug && r.getStatus() != SSLEngineResult.Status.OK) {
+                    System.out.println("outdata pos: " + outdata.position() +
+                            " rem: " + outdata.remaining() +
+                            " lim: " + outdata.limit() +
+                            " cap: " + outdata.capacity());
+                    System.out.println("writebuf pos: " + getWriteBuf().position() +
+                            " rem: " + getWriteBuf().remaining() +
+                            " lim: " + getWriteBuf().limit() +
+                            " cap: " + getWriteBuf().capacity());
+                }
+                if (again && r.getStatus() == SSLEngineResult.Status.OK &&
+                        r.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
+                    print("again");
+                    again = false;
+                    continue;
+                }
+                break;
+            }
+            doTask(r, eng);
+            getWriteBuf().flip();
+            sc = true;
+            while (sc) {
+                Thread.sleep(delay);
+            }
+
+            while (true) {
+                buf.clear();
+                r = eng.unwrap(getReadBuf(), buf);
+                log("write unwrap", r);
+                if (debug && r.getStatus() != SSLEngineResult.Status.OK) {
+                    System.out.println("buf pos: " + buf.position() +
+                            " rem: " + buf.remaining() +
+                            " lim: " + buf.limit() +
+                            " cap: " + buf.capacity());
+                    System.out.println("readbuf pos: " + getReadBuf().position() +
+                            " rem: " + getReadBuf().remaining() +
+                            " lim: " + getReadBuf().limit() +
+                            " cap:"  + getReadBuf().capacity());
+                }
+                break;
+            }
+            doTask(r, eng);
+            getReadBuf().compact();
+            print("compacted readbuf pos: " + getReadBuf().position() +
+                    " rem: " + getReadBuf().remaining() +
+                    " lim: " + getReadBuf().limit() +
+                    " cap: " + getReadBuf().capacity());
+            sc = true;
+        }
+    }
+
+    void read() throws Exception {
+        byte b = 0x0B;
+        ByteBuffer buf2 = ByteBuffer.allocateDirect(dataLen);
+        SSLEngineResult r = null;
+        boolean exit, again = true;
+
+        while (eng == null) {
+            Thread.sleep(delay);
+        }
+
+        try {
+            System.out.println("connected");
+            print("entering read loop");
+            ready = true;
+            while (true) {
+
+                while (!sc) {
+                    Thread.sleep(delay);
+                }
+
+                print("read wrap");
+                exit = false;
+                while (!exit) {
+                    buf2.put(b);
+                    buf2.flip();
+                    r = eng.wrap(buf2, getWriteBuf());
+                    log("read wrap", r);
+                    if (debug ) { //&& r.getStatus() != SSLEngineResult.Status.OK) {
+                        System.out.println("buf2 pos: " + buf2.position() +
+                                " rem: " + buf2.remaining() +
+                                " cap: " + buf2.capacity());
+                        System.out.println("writebuf pos: " + getWriteBuf().position() +
+                                " rem: " + getWriteBuf().remaining() +
+                                " cap: " + getWriteBuf().capacity());
+                    }
+                    if (again && r.getStatus() == SSLEngineResult.Status.OK &&
+                            r.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
+                        buf2.compact();
+                        again = false;
+                        continue;
+                    }
+                    exit = true;
+                }
+                doTask(r, eng);
+                buf2.clear();
+                getWriteBuf().flip();
+
+                sc = false;
+
+                while (!sc) {
+                    Thread.sleep(delay);
+                }
+
+                while (true) {
+                        buf.clear();
+                        r = eng.unwrap(getReadBuf(), buf);
+                        log("read unwrap", r);
+                        if (debug && r.getStatus() != SSLEngineResult.Status.OK) {
+                            System.out.println("buf pos " + buf.position() +
+                                    " rem: " + buf.remaining() +
+                                    " lim: " + buf.limit() +
+                                    " cap: " + buf.capacity());
+                            System.out.println("readbuf pos: " + getReadBuf().position() +
+                                    " rem: " + getReadBuf().remaining() +
+                                    " lim: " + getReadBuf().limit() +
+                                    " cap: " + getReadBuf().capacity());
+                            doTask(r, eng);
+                        }
+
+                    if (again && r.getStatus() == SSLEngineResult.Status.OK &&
+                            r.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_UNWRAP) {
+                        buf.clear();
+                        print("again");
+                        again = false;
+                        continue;
+
+                    }
+                    break;
+                }
+                buf.clear();
+                getReadBuf().compact();
+
+                totalDataLen += r.bytesProduced();
+                sc = false;
+            }
+        } catch (Exception e) {
+            System.out.println(e.getMessage());
+            e.printStackTrace();
+        }
+        print("TotalDataLen = " + totalDataLen);
+    }
+
+    ByteBuffer getReadBuf() {
+        return null;
+    }
+
+    ByteBuffer getWriteBuf() {
+        return null;
+    }
+
+
+    SSLContext initContext() throws Exception {
+        SSLContext sc = SSLContext.getInstance("TLSv1.3");
+        KeyStore ks = KeyStore.getInstance(
+                new File(System.getProperty("javax.net.ssl.keyStore")),
+                passwd.toCharArray());
+        KeyManagerFactory kmf =
+                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        kmf.init(ks, passwd.toCharArray());
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(ks);
+        sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
+        return sc;
+    }
+
+    static class Server extends SSLEngineKeyLimit implements Runnable {
+        Server() throws Exception {
+            super();
+            eng = initContext().createSSLEngine();
+            eng.setUseClientMode(false);
+            eng.setNeedClientAuth(true);
+        }
+        
+        public void run() {
+            try {
+                if (serverwrite) {
+                    write();
+                } else {
+                    read();
+                }
+
+            } catch (Exception e) {
+                System.out.println("server: " + e.getMessage());
+                e.printStackTrace();
+            }
+            System.out.println("Server closed");
+        }
+
+        @Override
+        ByteBuffer getWriteBuf() {
+            return sToc;
+        }
+        @Override
+        ByteBuffer getReadBuf() {
+            return cTos;
+        }
+    }
+
+
+    static class Client extends SSLEngineKeyLimit implements Runnable {
+        Client() throws Exception {
+            super();
+            eng = initContext().createSSLEngine("client", 80);
+            eng.setUseClientMode(true);
+        }
+
+        public void run() {
+            try {
+                if (!serverwrite) {
+                    write();
+                } else {
+                    read();
+                }
+            } catch (Exception e) {
+                System.out.println("client: " + e.getMessage());
+                e.printStackTrace();
+            }
+        }
+        @Override
+        ByteBuffer getWriteBuf() {
+            return cTos;
+        }
+        @Override
+        ByteBuffer getReadBuf() {
+            return sToc;
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/SSLSocketImpl/SSLSocketKeyLimit.java	2018-05-11 15:11:05.587714800 -0700
@@ -0,0 +1,298 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8164879
+ * @library /lib/testlibrary ../../
+ * @modules java.base/sun.security.util
+ * @summary Verify AES/GCM's limits set in the jdk.tls.keyLimits property
+ * @run main SSLSocketKeyLimit 0 server AES/GCM/NoPadding keyupdate 1000000
+ * @run main SSLSocketKeyLimit 0 client AES/GCM/NoPadding keyupdate 1000000
+ * @run main SSLSocketKeyLimit 1 client AES/GCM/NoPadding keyupdate 2^22
+ */
+
+ /**
+  * Verify AES/GCM's limits set in the jdk.tls.keyLimits property
+  * start a new handshake sequence to renegotiate the symmetric key with an
+  * SSLSocket connection.  This test verifies the handshake method was called
+  * via debugging info.  It does not verify the renegotiation was successful
+  * as that is very hard.
+  */
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.PrintWriter;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.util.Arrays;
+
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.Utils;
+import jdk.testlibrary.OutputAnalyzer;
+import sun.security.util.HexDumpEncoder;
+
+public class SSLSocketKeyLimit {
+
+    SSLSocket svr, c;
+    SSLServerSocketFactory ssf;
+    SSLServerSocket ss;
+    SSLSocketFactory sf;
+    InputStream in;
+    OutputStream out;
+
+    static boolean serverReady = false;
+    static int serverPort = 12345;
+
+    static String pathToStores = "../../../../javax/net/ssl/etc/";
+    static String keyStoreFile = "keystore";
+    static String passwd = "passphrase";
+    static int dataLen = 10240;
+    static byte[] data  = new byte[dataLen];
+    static boolean serverwrite = true;
+    int totalDataLen = 0;
+    static boolean done = false;
+
+        SSLSocketKeyLimit() {
+        in = new ByteArrayInputStream(new byte[dataLen]);
+        out = new ByteArrayOutputStream();
+    }
+
+    SSLContext initContext() throws Exception {
+        SSLContext sc = SSLContext.getInstance("TLSv1.3");
+        KeyStore ks = KeyStore.getInstance(
+                new File(System.getProperty("javax.net.ssl.keyStore")),
+                passwd.toCharArray());
+        KeyManagerFactory kmf =
+                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+        kmf.init(ks, passwd.toCharArray());
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(ks);
+        sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
+        return sc;
+    }
+
+    /**
+     * args should have two values:  server|client, <limit size>
+     * Prepending 'p' is for internal use only.
+     */
+    public static void main(String args[]) throws Exception {
+        if (args[0].compareTo("p") != 0) {
+
+            boolean expectedFail = (Integer.parseInt(args[0]) == 1);
+            if (expectedFail) {
+                System.out.println("Test expected to not find updated msg");
+            }
+            //Write security property file to overwrite default
+            File f = new File("keyusage."+ System.nanoTime());
+            PrintWriter p = new PrintWriter(f);
+            p.write("jdk.tls.keyLimits=");
+            for (int i = 2; i < args.length; i++) {
+                p.write(" "+ args[i]);
+            }
+            p.close();
+            System.out.println("Keyusage path = " + f.getAbsolutePath());
+            System.setProperty("test.java.opts",
+                    "-Dtest.src=" + System.getProperty("test.src") +
+                            " -Dtest.jdk=" + System.getProperty("test.jdk") +
+                            " -Djavax.net.debug=ssl " +
+                            " -Djava.security.properties=" + f.getName());
+
+            System.out.println("test.java.opts: " +
+                    System.getProperty("test.java.opts"));
+
+            ProcessBuilder pb = ProcessTools.createJavaProcessBuilder(true,
+                    Utils.addTestJavaOpts("SSLSocketKeyLimit", "p", args[1]));
+
+            OutputAnalyzer output = ProcessTools.executeProcess(pb);
+            try {
+                if (expectedFail) {
+                    output.shouldNotContain("KeyUpdate: write key updated");
+                    output.shouldNotContain("KeyUpdate: read key updated");
+                } else {
+                    output.shouldContain("KeyUpdate: write key updated");
+                    output.shouldContain("KeyUpdate: read key updated");
+                }
+            } catch (Exception e) {
+                throw e;
+            } finally {
+                System.out.println("-- BEGIN Stdout:");
+                System.out.println(output.getStdout());
+                System.out.println("-- END Stdout");
+                System.out.println("-- BEGIN Stderr:");
+                System.out.println(output.getStderr());
+                System.out.println("-- END Stderr");
+            }
+            return;
+        }
+
+        if (args.length > 0 && args[0].compareToIgnoreCase("client") == 0) {
+            serverwrite = false;
+        }
+
+        String keyFilename =
+            System.getProperty("test.src", "./") + "/" + pathToStores +
+                "/" + keyStoreFile;
+
+        System.setProperty("javax.net.ssl.keyStore", keyFilename);
+        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
+
+        Arrays.fill(data, (byte)0x0A);
+        Thread ts = new Thread(new Server());
+
+        ts.start();
+        while (!serverReady) {
+            Thread.sleep(100);
+        }
+        new Client().run();
+        ts.interrupt();
+        ts.join(10000);  // 10sec
+        System.exit(0);
+    }
+
+    void write(SSLSocket s) throws Exception {
+        int i = 0;
+        in = s.getInputStream();
+        out = s.getOutputStream();
+        System.out.print("Write-side writing... ");
+        while (i++ < 150) {
+            out.write(data, 0, dataLen);
+        }
+        out.flush();
+        out.write(0x0D);
+        out.flush();
+
+        // Let read side all the data
+        while (!done) {
+            Thread.sleep(100);
+        }
+    }
+
+
+    void read(SSLSocket s) throws Exception {
+        byte[] buf = new byte[dataLen];
+        int len;
+        int i = 0;
+        try {
+            System.out.println("connected " + s.getSession().getCipherSuite());
+            in = s.getInputStream();
+            out = s.getOutputStream();
+            while (true) {
+                len = in.read(buf, 0, dataLen);
+                System.out.print(".");
+                for (byte b: buf) {
+                    if (b == 0x0A || b == 0x0D) {
+                        continue;
+                    }
+                    System.out.println("\nData invalid: " + new HexDumpEncoder().encode(buf));
+                    break;
+                }
+
+                if (len > 0 && buf[len-1] == 0x0D) {
+                    System.out.print("got end byte");
+                    break;
+                }
+                out.write(i++);
+                totalDataLen += len;
+            }
+        } catch (Exception e) {
+            System.out.println("\n"  + e.getMessage());
+            e.printStackTrace();
+        } finally {
+            // Tell write side that we are done reading
+            done = true;
+        }
+        System.out.println("\nTotalDataLen = " + totalDataLen);
+    }
+
+    static class Server extends SSLSocketKeyLimit implements Runnable {
+        Server() {
+            super();
+            try {
+                ssf = initContext().getServerSocketFactory();
+                ss = (SSLServerSocket) ssf.createServerSocket(serverPort);
+                serverPort = ss.getLocalPort();
+            } catch (Exception e) {
+                System.out.println("server: " + e.getMessage());
+                e.printStackTrace();
+            }
+        }
+
+        public void run() {
+
+            try {
+                serverReady = true;
+                System.out.println("Server waiting... ");
+                svr = (SSLSocket) ss.accept();
+                if (serverwrite) {
+                    write(svr);
+                } else {
+                    read(svr);
+                }
+
+                svr.close();
+            } catch (Exception e) {
+                System.out.println("server: " + e.getMessage());
+                e.printStackTrace();
+            }
+            System.out.println("Server closed");
+        }
+    }
+
+
+    static class Client extends SSLSocketKeyLimit implements Runnable {
+        Client() {
+            super();
+        }
+
+        public void run() {
+            try {
+                sf = initContext().getSocketFactory();
+                System.out.print("Client connecting... ");
+                c = (SSLSocket)sf.createSocket("localhost", serverPort);
+                System.out.println("connected. " + c.getSession().getCipherSuite());
+
+                // Opposite of what the server does
+                if (!serverwrite) {
+                    write(c);
+                } else {
+                    read(c);
+                }
+
+            } catch (Exception e) {
+                System.err.println("client: " + e.getMessage());
+                e.printStackTrace();
+            }
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/Stapling/StatusResponseManager.java	2018-05-11 15:11:07.168487400 -0700
@@ -0,0 +1,32 @@
+/*
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8046321
+ * @library ../../../../java/security/testlibrary
+ * @build CertificateBuilder SimpleOCSPServer
+ * @run main/othervm -Djavax.net.debug=ssl:respmgr java.base/sun.security.ssl.StatusResponseManagerTests
+ * @summary OCSP Stapling for TLS
+ */
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/Stapling/TEST.properties	2018-05-11 15:11:08.757262100 -0700
@@ -0,0 +1,6 @@
+modules = \
+    java.base/sun.security.provider.certpath \
+    java.base/sun.security.util \
+    java.base/sun.security.x509 \
+    java.base/sun.security.ssl
+bootclasspath.dirs=.
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/Stapling/java.base/sun/security/ssl/StatusResponseManagerTests.java	2018-05-11 15:11:10.401994000 -0700
@@ -0,0 +1,492 @@
+/*
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.ssl;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.cert.*;
+import java.util.*;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.PublicKey;
+import java.util.concurrent.TimeUnit;
+
+import sun.security.testlibrary.SimpleOCSPServer;
+import sun.security.testlibrary.CertificateBuilder;
+
+import static sun.security.ssl.CertStatusExtension.*;
+
+/*
+ * Checks that the hash value for a certificate's issuer name is generated
+ * correctly. Requires any certificate that is not self-signed.
+ *
+ * NOTE: this test uses Sun private classes which are subject to change.
+ */
+public class StatusResponseManagerTests {
+
+    private static final boolean debug = true;
+    private static final boolean ocspDebug = false;
+
+    // PKI components we will need for this test
+    static String passwd = "passphrase";
+    static String ROOT_ALIAS = "root";
+    static String INT_ALIAS = "intermediate";
+    static String SSL_ALIAS = "ssl";
+    static KeyStore rootKeystore;           // Root CA Keystore
+    static KeyStore intKeystore;            // Intermediate CA Keystore
+    static KeyStore serverKeystore;         // SSL Server Keystore
+    static KeyStore trustStore;             // SSL Client trust store
+    static X509Certificate rootCert;
+    static X509Certificate intCert;
+    static X509Certificate sslCert;
+    static SimpleOCSPServer rootOcsp;       // Root CA OCSP Responder
+    static int rootOcspPort;                // Port number for root OCSP
+    static SimpleOCSPServer intOcsp;        // Intermediate CA OCSP Responder
+    static int intOcspPort;                 // Port number for intermed. OCSP
+
+    static X509Certificate[] chain;
+
+    public static void main(String[] args) throws Exception {
+        Map<String, TestCase> testList =
+                new LinkedHashMap<String, TestCase>() {{
+            put("Basic OCSP fetch test", testOcspFetch);
+            put("Clear StatusResponseManager cache", testClearSRM);
+            put("Basic OCSP_MULTI fetch test", testOcspMultiFetch);
+            put("Test Cache Expiration", testCacheExpiry);
+        }};
+
+        // Create the CAs and OCSP responders
+        createPKI();
+
+        // Grab the certificates and make a chain we can reuse for tests
+        sslCert = (X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
+        intCert = (X509Certificate)intKeystore.getCertificate(INT_ALIAS);
+        rootCert = (X509Certificate)rootKeystore.getCertificate(ROOT_ALIAS);
+        chain = new X509Certificate[3];
+        chain[0] = sslCert;
+        chain[1] = intCert;
+        chain[2] = rootCert;
+
+        runTests(testList);
+
+        intOcsp.stop();
+        rootOcsp.stop();
+    }
+
+    // Test a simple RFC 6066 server-side fetch
+    public static final TestCase testOcspFetch = new TestCase() {
+        @Override
+        public Map.Entry<Boolean, String> runTest() {
+            StatusResponseManager srm = new StatusResponseManager();
+            Boolean pass = Boolean.FALSE;
+            String message = null;
+            CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP;
+
+            try {
+                // Get OCSP responses for non-root certs in the chain
+                Map<X509Certificate, byte[]> responseMap = srm.get(
+                        CertStatusRequestType.OCSP, oReq, chain, 5000,
+                        TimeUnit.MILLISECONDS);
+
+                // There should be one entry in the returned map and
+                // one entry in the cache when the operation is complete.
+                if (responseMap.size() != 1) {
+                    message = "Incorrect number of responses: expected 1, got "
+                            + responseMap.size();
+                } else if (!responseMap.containsKey(sslCert)) {
+                    message = "Response map key is incorrect, expected " +
+                            sslCert.getSubjectX500Principal().toString();
+                } else if (srm.size() != 1) {
+                    message = "Incorrect number of cache entries: " +
+                            "expected 1, got " + srm.size();
+                } else {
+                    pass = Boolean.TRUE;
+                }
+            } catch (Exception e) {
+                e.printStackTrace(System.out);
+                message = e.getClass().getName();
+            }
+
+            return new AbstractMap.SimpleEntry<>(pass, message);
+        }
+    };
+
+    // Test clearing the StatusResponseManager cache.
+    public static final TestCase testClearSRM = new TestCase() {
+        @Override
+        public Map.Entry<Boolean, String> runTest() {
+            StatusResponseManager srm = new StatusResponseManager();
+            Boolean pass = Boolean.FALSE;
+            String message = null;
+            CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
+
+            try {
+                // Get OCSP responses for non-root certs in the chain
+                srm.get(CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
+                        TimeUnit.MILLISECONDS);
+
+                // There should be two entries in the returned map and
+                // two entries in the cache when the operation is complete.
+                if (srm.size() != 2) {
+                    message = "Incorrect number of responses: expected 2, got "
+                            + srm.size();
+                } else {
+                    // Next, clear the SRM, then check the size again
+                    srm.clear();
+                    if (srm.size() != 0) {
+                        message = "Incorrect number of responses: expected 0," +
+                                " got " + srm.size();
+                    } else {
+                        pass = Boolean.TRUE;
+                    }
+                }
+            } catch (Exception e) {
+                e.printStackTrace(System.out);
+                message = e.getClass().getName();
+            }
+
+            return new AbstractMap.SimpleEntry<>(pass, message);
+        }
+    };
+
+    // Test a simple RFC 6961 server-side fetch
+    public static final TestCase testOcspMultiFetch = new TestCase() {
+        @Override
+        public Map.Entry<Boolean, String> runTest() {
+            StatusResponseManager srm = new StatusResponseManager();
+            Boolean pass = Boolean.FALSE;
+            String message = null;
+            CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
+
+            try {
+                // Get OCSP responses for non-root certs in the chain
+                Map<X509Certificate, byte[]> responseMap = srm.get(
+                        CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
+                        TimeUnit.MILLISECONDS);
+
+                // There should be two entries in the returned map and
+                // two entries in the cache when the operation is complete.
+                if (responseMap.size() != 2) {
+                    message = "Incorrect number of responses: expected 2, got "
+                            + responseMap.size();
+                } else if (!responseMap.containsKey(sslCert) ||
+                        !responseMap.containsKey(intCert)) {
+                    message = "Response map keys are incorrect, expected " +
+                            sslCert.getSubjectX500Principal().toString() +
+                            " and " +
+                            intCert.getSubjectX500Principal().toString();
+                } else if (srm.size() != 2) {
+                    message = "Incorrect number of cache entries: " +
+                            "expected 2, got " + srm.size();
+                } else {
+                    pass = Boolean.TRUE;
+                }
+            } catch (Exception e) {
+                e.printStackTrace(System.out);
+                message = e.getClass().getName();
+            }
+
+            return new AbstractMap.SimpleEntry<>(pass, message);
+        }
+    };
+
+    // Test cache expiration
+    public static final TestCase testCacheExpiry = new TestCase() {
+        @Override
+        public Map.Entry<Boolean, String> runTest() {
+            // For this test, we will set the cache expiry to 5 seconds
+            System.setProperty("jdk.tls.stapling.cacheLifetime", "5");
+            StatusResponseManager srm = new StatusResponseManager();
+            Boolean pass = Boolean.FALSE;
+            String message = null;
+            CertStatusRequest oReq = OCSPStatusRequest.EMPTY_OCSP_MULTI;
+
+            try {
+                // Get OCSP responses for non-root certs in the chain
+                srm.get(CertStatusRequestType.OCSP_MULTI, oReq, chain, 5000,
+                        TimeUnit.MILLISECONDS);
+
+                // There should be two entries in the returned map and
+                // two entries in the cache when the operation is complete.
+                if (srm.size() != 2) {
+                    message = "Incorrect number of responses: expected 2, got "
+                            + srm.size();
+                } else {
+                    // Next, wait for more than 5 seconds so the responses
+                    // in the SRM will expire.
+                    Thread.sleep(7000);
+                    if (srm.size() != 0) {
+                        message = "Incorrect number of responses: expected 0," +
+                                " got " + srm.size();
+                    } else {
+                        pass = Boolean.TRUE;
+                    }
+                }
+            } catch (Exception e) {
+                e.printStackTrace(System.out);
+                message = e.getClass().getName();
+            }
+
+            // Set the cache lifetime back to the default
+            System.setProperty("jdk.tls.stapling.cacheLifetime", "");
+            return new AbstractMap.SimpleEntry<>(pass, message);
+        }
+    };
+
+    /**
+     * Creates the PKI components necessary for this test, including
+     * Root CA, Intermediate CA and SSL server certificates, the keystores
+     * for each entity, a client trust store, and starts the OCSP responders.
+     */
+    private static void createPKI() throws Exception {
+        CertificateBuilder cbld = new CertificateBuilder();
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
+        keyGen.initialize(2048);
+        KeyStore.Builder keyStoreBuilder =
+                KeyStore.Builder.newInstance("PKCS12", null,
+                        new KeyStore.PasswordProtection(passwd.toCharArray()));
+
+        // Generate Root, IntCA, EE keys
+        KeyPair rootCaKP = keyGen.genKeyPair();
+        log("Generated Root CA KeyPair");
+        KeyPair intCaKP = keyGen.genKeyPair();
+        log("Generated Intermediate CA KeyPair");
+        KeyPair sslKP = keyGen.genKeyPair();
+        log("Generated SSL Cert KeyPair");
+
+        // Set up the Root CA Cert
+        cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
+        cbld.setPublicKey(rootCaKP.getPublic());
+        cbld.setSerialNumber(new BigInteger("1"));
+        // Make a 3 year validity starting from 60 days ago
+        long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
+        long end = start + TimeUnit.DAYS.toMillis(1085);
+        cbld.setValidity(new Date(start), new Date(end));
+        addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
+        addCommonCAExts(cbld);
+        // Make our Root CA Cert!
+        X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(),
+                "SHA256withRSA");
+        log("Root CA Created:\n" + certInfo(rootCert));
+
+        // Now build a keystore and add the keys and cert
+        rootKeystore = keyStoreBuilder.getKeyStore();
+        Certificate[] rootChain = {rootCert};
+        rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
+                passwd.toCharArray(), rootChain);
+
+        // Now fire up the OCSP responder
+        rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
+        rootOcsp.enableLog(ocspDebug);
+        rootOcsp.setNextUpdateInterval(3600);
+        rootOcsp.start();
+
+        // Wait 5 seconds for server ready
+        for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
+            Thread.sleep(50);
+        }
+        if (!rootOcsp.isServerReady()) {
+            throw new RuntimeException("Server not ready yet");
+        }
+
+        rootOcspPort = rootOcsp.getPort();
+        String rootRespURI = "http://localhost:" + rootOcspPort;
+        log("Root OCSP Responder URI is " + rootRespURI);
+
+        // Now that we have the root keystore and OCSP responder we can
+        // create our intermediate CA.
+        cbld.reset();
+        cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany");
+        cbld.setPublicKey(intCaKP.getPublic());
+        cbld.setSerialNumber(new BigInteger("100"));
+        // Make a 2 year validity starting from 30 days ago
+        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30);
+        end = start + TimeUnit.DAYS.toMillis(730);
+        cbld.setValidity(new Date(start), new Date(end));
+        addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic());
+        addCommonCAExts(cbld);
+        cbld.addAIAExt(Collections.singletonList(rootRespURI));
+        // Make our Intermediate CA Cert!
+        X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(),
+                "SHA256withRSA");
+        log("Intermediate CA Created:\n" + certInfo(intCaCert));
+
+        // Provide intermediate CA cert revocation info to the Root CA
+        // OCSP responder.
+        Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
+            new HashMap<>();
+        revInfo.put(intCaCert.getSerialNumber(),
+                new SimpleOCSPServer.CertStatusInfo(
+                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
+        rootOcsp.updateStatusDb(revInfo);
+
+        // Now build a keystore and add the keys, chain and root cert as a TA
+        intKeystore = keyStoreBuilder.getKeyStore();
+        Certificate[] intChain = {intCaCert, rootCert};
+        intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(),
+                passwd.toCharArray(), intChain);
+        intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
+
+        // Now fire up the Intermediate CA OCSP responder
+        intOcsp = new SimpleOCSPServer(intKeystore, passwd,
+                INT_ALIAS, null);
+        intOcsp.enableLog(ocspDebug);
+        intOcsp.setNextUpdateInterval(3600);
+        intOcsp.start();
+
+        // Wait 5 seconds for server ready
+        for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
+            Thread.sleep(50);
+        }
+        if (!intOcsp.isServerReady()) {
+            throw new RuntimeException("Server not ready yet");
+        }
+
+        intOcspPort = intOcsp.getPort();
+        String intCaRespURI = "http://localhost:" + intOcspPort;
+        log("Intermediate CA OCSP Responder URI is " + intCaRespURI);
+
+        // Last but not least, let's make our SSLCert and add it to its own
+        // Keystore
+        cbld.reset();
+        cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
+        cbld.setPublicKey(sslKP.getPublic());
+        cbld.setSerialNumber(new BigInteger("4096"));
+        // Make a 1 year validity starting from 7 days ago
+        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
+        end = start + TimeUnit.DAYS.toMillis(365);
+        cbld.setValidity(new Date(start), new Date(end));
+
+        // Add extensions
+        addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic());
+        boolean[] kuBits = {true, false, true, false, false, false,
+            false, false, false};
+        cbld.addKeyUsageExt(kuBits);
+        List<String> ekuOids = new ArrayList<>();
+        ekuOids.add("1.3.6.1.5.5.7.3.1");
+        ekuOids.add("1.3.6.1.5.5.7.3.2");
+        cbld.addExtendedKeyUsageExt(ekuOids);
+        cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
+        cbld.addAIAExt(Collections.singletonList(intCaRespURI));
+        // Make our SSL Server Cert!
+        X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(),
+                "SHA256withRSA");
+        log("SSL Certificate Created:\n" + certInfo(sslCert));
+
+        // Provide SSL server cert revocation info to the Intermeidate CA
+        // OCSP responder.
+        revInfo = new HashMap<>();
+        revInfo.put(sslCert.getSerialNumber(),
+                new SimpleOCSPServer.CertStatusInfo(
+                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
+        intOcsp.updateStatusDb(revInfo);
+
+        // Now build a keystore and add the keys, chain and root cert as a TA
+        serverKeystore = keyStoreBuilder.getKeyStore();
+        Certificate[] sslChain = {sslCert, intCaCert, rootCert};
+        serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(),
+                passwd.toCharArray(), sslChain);
+        serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
+
+        // And finally a Trust Store for the client
+        trustStore = keyStoreBuilder.getKeyStore();
+        trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
+    }
+
+    private static void addCommonExts(CertificateBuilder cbld,
+            PublicKey subjKey, PublicKey authKey) throws IOException {
+        cbld.addSubjectKeyIdExt(subjKey);
+        cbld.addAuthorityKeyIdExt(authKey);
+    }
+
+    private static void addCommonCAExts(CertificateBuilder cbld)
+            throws IOException {
+        cbld.addBasicConstraintsExt(true, true, -1);
+        // Set key usage bits for digitalSignature, keyCertSign and cRLSign
+        boolean[] kuBitSettings = {true, false, false, false, false, true,
+            true, false, false};
+        cbld.addKeyUsageExt(kuBitSettings);
+    }
+
+    /**
+     * Helper routine that dumps only a few cert fields rather than
+     * the whole toString() output.
+     *
+     * @param cert An X509Certificate to be displayed
+     *
+     * @return The {@link String} output of the issuer, subject and
+     * serial number
+     */
+    private static String certInfo(X509Certificate cert) {
+        StringBuilder sb = new StringBuilder();
+        sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
+                append("\n");
+        sb.append("Subject: ").append(cert.getSubjectX500Principal()).
+                append("\n");
+        sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
+        return sb.toString();
+    }
+
+    /**
+     * Log a message on stdout
+     *
+     * @param message The message to log
+     */
+    private static void log(String message) {
+        if (debug) {
+            System.out.println(message);
+        }
+    }
+
+    public static void runTests(Map<String, TestCase> testList) {
+        int testNo = 0;
+        int numberFailed = 0;
+        Map.Entry<Boolean, String> result;
+
+        System.out.println("============ Tests ============");
+        for (String testName : testList.keySet()) {
+            System.out.println("Test " + ++testNo + ": " + testName);
+            result = testList.get(testName).runTest();
+            System.out.print("Result: " + (result.getKey() ? "PASS" : "FAIL"));
+            System.out.println(" " +
+                    (result.getValue() != null ? result.getValue() : ""));
+            System.out.println("-------------------------------------------");
+            if (!result.getKey()) {
+                numberFailed++;
+            }
+        }
+
+        System.out.println("End Results: " + (testList.size() - numberFailed) +
+                " Passed" + ", " + numberFailed + " Failed.");
+        if (numberFailed > 0) {
+            throw new RuntimeException(
+                    "One or more tests failed, see test output for details");
+        }
+    }
+
+    public interface TestCase {
+        Map.Entry<Boolean, String> runTest();
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/internal/TEST.properties	2018-05-11 15:11:12.066481400 -0700
@@ -0,0 +1,3 @@
+modules = \
+    java.base/sun.security.ssl
+bootclasspath.dirs=.
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/internal/TestRun.java	2018-05-11 15:11:13.655718000 -0700
@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * @test
+ * @bug 8145255
+ * @run main/othervm java.base/sun.security.ssl.TestHkdf
+ * @summary HKDF for Sun JSSE
+ */
+
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/jdk/sun/security/ssl/internal/java.base/sun/security/ssl/TestHkdf.java	2018-05-11 15:11:15.296806000 -0700
@@ -0,0 +1,260 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/*
+ * Actual test code for the package private HKDF implementation
+ */
+
+package sun.security.ssl;
+
+import java.util.Arrays;
+import java.util.List;
+import java.util.LinkedList;
+import java.util.Objects;
+import java.security.NoSuchAlgorithmException;
+import java.security.InvalidKeyException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.SecretKeySpec;
+
+public class TestHkdf {
+    public static class TestData {
+        public TestData(String name, String algStr, String ikmStr,
+                String saltStr, String infoStr, int oLen, String expPrkStr,
+                String expOkmStr) {
+            testName = Objects.requireNonNull(name);
+            algName = Objects.requireNonNull(algStr);
+            IKM = hex2bin(Objects.requireNonNull(ikmStr));
+            if ((outLen = oLen) <= 0) {
+                throw new IllegalArgumentException(
+                        "Output length must be greater than 0");
+            }
+            expectedPRK = hex2bin(Objects.requireNonNull(expPrkStr));
+            expectedOKM = hex2bin(Objects.requireNonNull(expOkmStr));
+
+            // Non-mandatory fields - may be null
+            salt = (saltStr != null) ? hex2bin(saltStr) : null;
+            info = (infoStr != null) ? hex2bin(infoStr) : null;
+        }
+
+        public final String testName;
+        public final String algName;
+        public final byte[] IKM;
+        public final byte[] salt;
+        public final byte[] info;
+        public final int outLen;
+        public final byte[] expectedPRK;
+        public final byte[] expectedOKM;
+    }
+
+    public static final List<TestData> testList = new LinkedList<TestData>() {{
+        add(new TestData("RFC 5689 Test Case 1", "SHA-256",
+            "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
+            "000102030405060708090a0b0c",
+            "f0f1f2f3f4f5f6f7f8f9",
+            42,
+            "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5",
+            "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf" +
+            "34007208d5b887185865"));
+        add(new TestData("RFC 5689 Test Case 2", "SHA-256",
+            "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" +
+            "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" +
+            "404142434445464748494a4b4c4d4e4f",
+            "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" +
+            "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" +
+            "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
+            "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf" +
+            "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef" +
+            "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
+            82,
+            "06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244",
+            "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c" +
+            "59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71" +
+            "cc30c58179ec3e87c14c01d5c1f3434f1d87"));
+        add(new TestData("RFC 5689 Test Case 3", "SHA-256",
+            "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
+            null, null, 42,
+            "19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04",
+            "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d" +
+            "9d201395faa4b61a96c8"));
+        add(new TestData("RFC 5689 Test Case 4", "SHA-1",
+            "0b0b0b0b0b0b0b0b0b0b0b",
+            "000102030405060708090a0b0c",
+            "f0f1f2f3f4f5f6f7f8f9",
+            42,
+            "9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243",
+            "085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2" +
+            "c22e422478d305f3f896"));
+        add(new TestData("RFC 5689 Test Case 5", "SHA-1",
+            "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f" +
+            "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f" +
+            "404142434445464748494a4b4c4d4e4f",
+            "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f" +
+            "808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f" +
+            "a0a1a2a3a4a5a6a7a8a9aaabacadaeaf",
+            "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecf" +
+            "d0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeef" +
+            "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
+            82,
+            "8adae09a2a307059478d309b26c4115a224cfaf6",
+            "0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe" +
+            "8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e" +
+            "927336d0441f4c4300e2cff0d0900b52d3b4"));
+        add(new TestData("RFC 5689 Test Case 6", "SHA-1",
+            "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b",
+            null, null, 42,
+            "da8c8a73c7fa77288ec6f5e7c297786aa0d32d01",
+            "0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0" +
+            "ea00033de03984d34918"));
+        add(new TestData("RFC 5689 Test Case 7", "SHA-1",
+            "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c",
+            null, null, 42,
+            "2adccada18779e7c2077ad2eb19d3f3e731385dd",
+            "2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5" +
+            "673a081d70cce7acfc48"));
+    }};
+
+    public static void main(String args[]) throws Exception {
+        int testsPassed = 0;
+
+        int testNo = 0;
+        for (TestData test : testList) {
+            System.out.println("*** Test " + ++testNo + ": " +
+                    test.testName);
+            if (runVector(test)) {
+                testsPassed++;
+            }
+        }
+
+        System.out.println("Total tests: " + testList.size() +
+                ", Passed: " + testsPassed + ", Failed: " +
+                (testList.size() - testsPassed));
+        if (testsPassed != testList.size()) {
+            throw new RuntimeException("One or more tests failed.  " +
+                    "Check output for details");
+        }
+    }
+
+    private static boolean runVector(TestData testData)
+            throws NoSuchAlgorithmException, InvalidKeyException {
+        String kdfName, prfName;
+        HKDF kdfHkdf;
+        boolean result = true;
+        SecretKey actualPRK;
+        SecretKey actualOKM;
+        byte[] deriveData;
+
+        // Get an instance of the HKDF derivation engine
+        kdfHkdf = new HKDF(testData.algName);
+
+        // Set up the input keying material and the salt as a secret
+        SecretKey ikmKey = new SecretKeySpec(testData.IKM, "HKDF-IKM");
+        SecretKey saltKey = (testData.salt != null) ?
+                new SecretKeySpec(testData.salt, "HKDF-Salt") : null;
+
+        // *** HKDF-Extract-only testing
+        System.out.println("* HKDF-Extract-Only:");
+        actualPRK = kdfHkdf.extract(saltKey, ikmKey, "HKDF-PRK");
+        result &= compareKeyAndData(actualPRK, testData.expectedPRK);
+
+        // *** HKDF Expand-Only testing
+        // For these tests, we'll use the actualPRK as the input key
+        System.out.println("* HKDF-Expand-Only:");
+        actualOKM = kdfHkdf.expand(actualPRK, testData.info, testData.outLen,
+                "HKDF-OKM");
+        result &= compareKeyAndData(actualOKM, testData.expectedOKM);
+
+        // *** HKDF Extract-then-Expand testing
+        System.out.println("* HKDF-Extract-then-Expand:");
+        actualOKM = kdfHkdf.extractExpand(ikmKey, saltKey, testData.info,
+                testData.outLen, "HKDF-OKM2");
+        result &= compareKeyAndData(actualOKM, testData.expectedOKM);
+
+        return result;
+    }
+
+    /**
+     * Compare actual key output from HKDF against an expected output value.
+     *
+     * @param outKey the KDF output in key form
+     * @param expectedOut the expected value
+     *
+     * @return true if the underlying data for outKey, outData and
+     * expectedOut are the same.
+     */
+    private static boolean compareKeyAndData(SecretKey outKey,
+            byte[] expectedOut) {
+        boolean result = false;
+
+        if (Arrays.equals(outKey.getEncoded(), expectedOut)) {
+            System.out.println("\t* Key output: Pass");
+            result = true;
+        } else {
+            System.out.println("\t* Key output: FAIL");
+            System.out.println("Expected:\n" +
+                    dumpHexBytes(expectedOut, 16, "\n", " "));
+            System.out.println("Actual:\n" +
+                    dumpHexBytes(outKey.getEncoded(), 16, "\n", " "));
+            System.out.println();
+        }
+
+        return result;
+    }
+
+    /**
+     * Dump the hex bytes of a buffer into string form.
+     *
+     * @param data The array of bytes to dump to stdout.
+     * @param itemsPerLine The number of bytes to display per line
+     *      if the {@code lineDelim} character is blank then all bytes
+     *      will be printed on a single line.
+     * @param lineDelim The delimiter between lines
+     * @param itemDelim The delimiter between bytes
+     *
+     * @return The hexdump of the byte array
+     */
+    private static String dumpHexBytes(byte[] data, int itemsPerLine,
+            String lineDelim, String itemDelim) {
+        StringBuilder sb = new StringBuilder();
+        if (data != null) {
+            for (int i = 0; i < data.length; i++) {
+                if (i % itemsPerLine == 0 && i != 0) {
+                    sb.append(lineDelim);
+                }
+                sb.append(String.format("%02X", data[i])).append(itemDelim);
+            }
+        }
+
+        return sb.toString();
+    }
+
+    private static byte[] hex2bin(String hex) {
+        int i;
+        int len = hex.length();
+        byte[] data = new byte [len / 2];
+        for (i = 0; i < len; i += 2) {
+            data[i / 2] = (byte)((Character.digit(hex.charAt(i), 16) << 4) +
+                    Character.digit(hex.charAt(i + 1), 16));
+        }
+        return data;
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/lib/jdk/test/lib/RSAUtil.java	2018-05-11 15:11:16.952052400 -0700
@@ -0,0 +1,144 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.test.lib;
+
+import java.security.*;
+import java.security.spec.*;
+import java.util.*;
+
+public class RSAUtil {
+
+    public enum SignatureType {
+        RSA_PKCS1_5,
+        RSA_PSS,
+    }    
+ 
+    // collection of all supported RSA PKCS1.5 algorithms
+    // note that the entries are ordered by required key sizes
+    private static final String[] PKCS1_5_ALGS = {
+        // these requires key size 768
+        "SHA384withRSA", "SHA512withRSA",
+        // these are supported by min key size 512
+        "MD2withRSA", "MD5withRSA", "SHA1withRSA",
+        "SHA224withRSA", "SHA512/224withRSA",
+        "SHA256withRSA", "SHA512/256withRSA"
+    };
+
+    private static final int PKCS1_5_INDEX_768 = 0;
+    private static final int PKCS1_5_INDEX_512 = 2;
+
+    // collection of all supported RSA-PSS algorithms
+    // note that the entries are ordered by required key sizes
+    private static final String[] PSS_ALGS = {
+        // these requires key size 2048
+        "SHA512withRSAandMGF1",
+        // these requires key size 1024
+        "SHA384withRSAandMGF1",
+        // these requires key size 768
+        "SHA256withRSAandMGF1", "SHA512/256withRSAandMGF1",
+        // these are supported by min key size 512
+        "SHA1withRSAandMGF1", "SHA224withRSAandMGF1",
+        "SHA512/224withRSAandMGF1"
+    };
+
+    private static final int PSS_INDEX_2048 = 0;
+    private static final int PSS_INDEX_1024 = 1;
+    private static final int PSS_INDEX_768 = 2;
+    private static final int PSS_INDEX_512 = 4;
+    
+    public static Iterable<String> getSignatureAlgorithms(int keysize,
+            SignatureType type) throws RuntimeException {
+        List<String> algos;
+        Iterable<String> result;
+        switch (type) {
+            case RSA_PKCS1_5:
+                algos = new ArrayList<>(Arrays.asList(PKCS1_5_ALGS));
+                if (keysize >= 768) {
+                    result = algos.subList(PKCS1_5_INDEX_768, PKCS1_5_ALGS.length);
+                } else {
+                    result = algos.subList(PKCS1_5_INDEX_512, PKCS1_5_ALGS.length);
+                }
+                break;
+            case RSA_PSS:
+                algos = new ArrayList<>(Arrays.asList(PSS_ALGS));
+                if (keysize >= 2048) {
+                    result = algos.subList(PSS_INDEX_2048, PSS_ALGS.length);
+                } else if (keysize >= 1024) {
+                    result = algos.subList(PSS_INDEX_1024, PSS_ALGS.length);
+                } else if (keysize >= 768) {
+                    result = algos.subList(PSS_INDEX_768, PSS_ALGS.length);
+                } else {
+                    result = algos.subList(PSS_INDEX_512, PSS_ALGS.length);
+                }
+                break;
+            default:
+                throw new RuntimeException("Unsupported RSA signature algorithm type: " + type);
+        }
+        return result;
+    }
+
+    private static final String RSA_SIG_SUFFIX = "withRSA";
+    private static final String RSAPSS_SIG_SUFFIX = "RSA-PSS";
+    private static final String RSAPSS_SIG_SUFFIX2 = "withRSAandMGF1";
+
+    public static AlgorithmParameterSpec generateDefaultParameter(String sigalg)
+            throws RuntimeException {
+        if (sigalg.regionMatches(true,
+                sigalg.length() - RSA_SIG_SUFFIX.length(),
+                RSA_SIG_SUFFIX, 0, RSA_SIG_SUFFIX.length())) {
+            // RSA PKCS#1.5 signatures do not use parameters
+            return null;
+        } else if (sigalg.regionMatches(true,
+                sigalg.length() - RSAPSS_SIG_SUFFIX.length(),
+                RSAPSS_SIG_SUFFIX, 0, RSAPSS_SIG_SUFFIX.length())) {
+            // no default parameters for RSA-PSS signature.
+            // RSA-PSS signature with different PSS parameters
+            // are tested under Known Answer Tests
+            throw new RuntimeException("No default parameter generation for RSA-PSS");
+        } else if (sigalg.regionMatches(true,
+                sigalg.length() - RSAPSS_SIG_SUFFIX2.length(),
+                RSAPSS_SIG_SUFFIX2, 0, RSAPSS_SIG_SUFFIX2.length())) {
+            // should be the expanded/friendly name for RSA-PSS
+            // use the same digest algo as in its name and its
+            // output length as the salt length
+            String digest = sigalg.substring(0,
+                sigalg.length() - RSAPSS_SIG_SUFFIX2.length()).toUpperCase();
+            if (digest.startsWith("SHA") && digest.indexOf("-") == -1) {
+                // convert to standard name
+                digest = "SHA-" + digest.substring(3);
+            }
+            // verify the digest algorithm by trying the getInstance call
+            try {
+                MessageDigest md = MessageDigest.getInstance(digest);
+                System.out.println("Digest in PSS parameter: " + digest);
+                return new PSSParameterSpec(digest, "MGF1",
+                    new MGF1ParameterSpec(digest), md.getDigestLength(), 1);
+            } catch (NoSuchAlgorithmException e) {
+                throw new RuntimeException(e);
+            }
+        } else {
+            throw new RuntimeException("Unsupported RSA signature " + sigalg);
+        }
+    }
+}
--- /dev/null	2018-05-11 10:42:23.849000000 -0700
+++ new/test/lib/jdk/test/lib/SigTestUtil.java	2018-05-11 15:11:18.525250500 -0700
@@ -0,0 +1,150 @@
+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package jdk.test.lib;
+
+import java.security.*;
+import java.security.spec.*;
+import java.util.*;
+
+/*
+ * Utility class used by various Signature related regression tests for
+ * common functions such as generating the list of to-be-tested algorithms
+ * based on key size, etc. Currently, this is mostly needed by RSA
+ * signatures.
+ */
+public class SigTestUtil {
+
+    public enum SignatureType {
+        RSA("RSA"),
+        RSASSA_PSS("RSASSA-PSS")
+        ;
+
+        private String keyAlg;
+
+        SignatureType(String keyAlg) {
+            this.keyAlg = keyAlg;
+        }
+        @Override
+        public String toString() {
+            return keyAlg;
+        }
+    }    
+ 
+    // collection of all supported digest algorithms
+    // note that the entries are ordered by required key sizes
+    private static final String[] DIGEST_ALGS = {
+        "SHA-512",
+        "SHA-384",
+        "SHA-256",
+        "SHA-512/256",
+        "SHA-224",
+        "SHA-512/224",
+        "SHA-1",
+        "MD2", "MD5" // these aren't supported by RSA PSS
+    };
+
+    // indice for message digest algorithms lookup
+    // may need to be adjusted if new algorithms are added
+    private static final int PKCS1_5_INDEX_768 = 0;
+    private static final int PKCS1_5_INDEX_512 = 2;
+    private static final int PKCS1_5_INDEX_END = DIGEST_ALGS.length;
+    private static final int PSS_INDEX_2048 = 0;
+    private static final int PSS_INDEX_1024 = 1;
+    private static final int PSS_INDEX_768 = 2;
+    private static final int PSS_INDEX_512 = 4;
+    private static final int PSS_INDEX_END = 7;
+    
+    public static Iterable<String> getDigestAlgorithms(SignatureType type,
+            int keysize) throws RuntimeException {
+
+        // initialize to all, then trim based on key size
+        List<String> result = new ArrayList<>(Arrays.asList(DIGEST_ALGS));
+        int index = 0;
+        switch (type) {
+        case RSA:
+            if (keysize >= 768) {
+                index = PKCS1_5_INDEX_768;
+            } else if (keysize >= 512) {
+                index = PKCS1_5_INDEX_512;
+            } else {
+                throw new RuntimeException("Keysize too small: " + keysize);
+            }
+            result = result.subList(index, PKCS1_5_INDEX_END);
+            break;
+        case RSASSA_PSS:
+            if (keysize >= 2048) {
+                index = PSS_INDEX_2048;
+            } else if (keysize >= 1024) {
+                index = PSS_INDEX_1024;
+            } else if (keysize >= 768) {
+                index = PSS_INDEX_768;
+            } else if (keysize >= 512) {
+                index = PSS_INDEX_512;
+            } else {
+                throw new RuntimeException("Keysize too small: " + keysize);
+            }
+            result = result.subList(index, PSS_INDEX_END);
+            break;
+        default:
+            // XXX maybe just return result instead of error out?
+            throw new RuntimeException("Unsupported signature type: " + type);
+        }
+        return result;
+    }
+
+    public static AlgorithmParameterSpec generateDefaultParameter(
+            SignatureType type, String mdAlg) throws RuntimeException {
+        // only RSASSA-PSS signature uses parameters
+        switch (type) {
+        case RSASSA_PSS:
+            try {
+                MessageDigest md = MessageDigest.getInstance(mdAlg);
+                return new PSSParameterSpec(mdAlg, "MGF1",
+                    new MGF1ParameterSpec(mdAlg), md.getDigestLength(),
+                    PSSParameterSpec.TRAILER_FIELD_BC);
+            } catch (Exception e) {
+                throw new RuntimeException(e);
+            }
+        default:
+            return null;
+        }
+    }
+
+    public static String generateSigAlg(SignatureType type,
+            String mdAlg) throws RuntimeException {
+        switch (type) {
+        case RSA:
+            int idx = mdAlg.indexOf("-");
+            if (idx != -1) {
+                mdAlg = mdAlg.substring(0, idx) + mdAlg.substring(idx+1);
+            }
+            return mdAlg + "with" + type.toString();
+        case RSASSA_PSS:
+            return type.toString();
+        default:
+            throw new RuntimeException("Unsupported signature type " + type );
+        }
+    }
+
+}
--- old/src/java.base/share/classes/sun/security/ssl/AppInputStream.java	2018-05-11 15:11:20.588415500 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,212 +0,0 @@
-/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.ssl;
-
-import java.io.InputStream;
-import java.io.IOException;
-import java.nio.ByteBuffer;
-
-import javax.net.ssl.SSLProtocolException;
-
-/**
- * InputStream for application data as returned by SSLSocket.getInputStream().
- *
- * @author David Brownell
- */
-final class AppInputStream extends InputStream {
-    // the buffer size for each read of network data
-    private static final int READ_BUFFER_SIZE = 4096;
-
-    // static dummy array we use to implement skip()
-    private static final byte[] SKIP_ARRAY = new byte[256];
-
-    // the related socket of the input stream
-    private final SSLSocketImpl socket;
-
-    // the temporary buffer used to read network
-    private ByteBuffer buffer;
-
-    // Is application data available in the stream?
-    private boolean appDataIsAvailable;
-
-    // One element array used to implement the single byte read() method
-    private final byte[] oneByte = new byte[1];
-
-    AppInputStream(SSLSocketImpl conn) {
-        this.buffer = ByteBuffer.allocate(READ_BUFFER_SIZE);
-        this.socket = conn;
-        this.appDataIsAvailable = false;
-    }
-
-    /**
-     * Return the minimum number of bytes that can be read without blocking.
-     *
-     * Currently not synchronized.
-     */
-    @Override
-    public int available() throws IOException {
-        if ((!appDataIsAvailable) || socket.checkEOF()) {
-            return 0;
-        }
-
-        return buffer.remaining();
-    }
-
-    /**
-     * Read a single byte, returning -1 on non-fault EOF status.
-     */
-    @Override
-    public synchronized int read() throws IOException {
-        int n = read(oneByte, 0, 1);
-        if (n <= 0) { // EOF
-            return -1;
-        }
-        return oneByte[0] & 0xFF;
-    }
-
-    /**
-     * Reads up to {@code len} bytes of data from the input stream into an
-     * array of bytes. An attempt is made to read as many as {@code len} bytes,
-     * but a smaller number may be read. The number of bytes actually read
-     * is returned as an integer.
-     *
-     * If the layer above needs more data, it asks for more, so we
-     * are responsible only for blocking to fill at most one buffer,
-     * and returning "-1" on non-fault EOF status.
-     */
-    @Override
-    public synchronized int read(byte[] b, int off, int len)
-            throws IOException {
-        if (b == null) {
-            throw new NullPointerException();
-        } else if (off < 0 || len < 0 || len > b.length - off) {
-            throw new IndexOutOfBoundsException();
-        } else if (len == 0) {
-            return 0;
-        }
-
-        if (socket.checkEOF()) {
-            return -1;
-        }
-
-        // Read the available bytes at first.
-        int remains = available();
-        if (remains > 0) {
-            int howmany = Math.min(remains, len);
-            buffer.get(b, off, howmany);
-
-            return howmany;
-        }
-
-        appDataIsAvailable = false;
-        int volume = 0;
-
-        try {
-            /*
-             * Read data if needed ... notice that the connection guarantees
-             * that handshake, alert, and change cipher spec data streams are
-             * handled as they arrive, so we never see them here.
-             */
-            while(volume == 0) {
-                // Clear the buffer for a new record reading.
-                buffer.clear();
-
-                //
-                // grow the buffer if needed
-                //
-
-                // Read the header of a record into the buffer, and return
-                // the packet size.
-                int packetLen = socket.bytesInCompletePacket();
-                if (packetLen < 0) {    // EOF
-                    return -1;
-                }
-
-                // Is this packet bigger than SSL/TLS normally allows?
-                if (packetLen > SSLRecord.maxLargeRecordSize) {
-                    throw new SSLProtocolException(
-                        "Illegal packet size: " + packetLen);
-                }
-
-                if (packetLen > buffer.remaining()) {
-                    buffer = ByteBuffer.allocate(packetLen);
-                }
-
-                volume = socket.readRecord(buffer);
-                if (volume < 0) {    // EOF
-                    return -1;
-                } else if (volume > 0) {
-                    appDataIsAvailable = true;
-                    break;
-                }
-            }
-
-            int howmany = Math.min(len, volume);
-            buffer.get(b, off, howmany);
-            return howmany;
-        } catch (Exception e) {
-            // shutdown and rethrow (wrapped) exception as appropriate
-            socket.handleException(e);
-
-            // dummy for compiler
-            return -1;
-        }
-    }
-
-
-    /**
-     * Skip n bytes. This implementation is somewhat less efficient
-     * than possible, but not badly so (redundant copy). We reuse
-     * the read() code to keep things simpler. Note that SKIP_ARRAY
-     * is static and may garbled by concurrent use, but we are not interested
-     * in the data anyway.
-     */
-    @Override
-    public synchronized long skip(long n) throws IOException {
-        long skipped = 0;
-        while (n > 0) {
-            int len = (int)Math.min(n, SKIP_ARRAY.length);
-            int r = read(SKIP_ARRAY, 0, len);
-            if (r <= 0) {
-                break;
-            }
-            n -= r;
-            skipped += r;
-        }
-        return skipped;
-    }
-
-    /*
-     * Socket close is already synchronized, no need to block here.
-     */
-    @Override
-    public void close() throws IOException {
-        socket.close();
-    }
-
-    // inherit default mark/reset behavior (throw Exceptions) from InputStream
-}
--- old/src/java.base/share/classes/sun/security/ssl/AppOutputStream.java	2018-05-11 15:11:21.577447300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,93 +0,0 @@
-/*
- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.OutputStream;
-import java.io.IOException;
-import java.nio.ByteBuffer;
-
-/*
- * OutputStream for application data as returned by SSLSocket.getOutputStream().
- *
- * @author  David Brownell
- */
-class AppOutputStream extends OutputStream {
-
-    private SSLSocketImpl socket;
-
-    // One element array used to implement the write(byte) method
-    private final byte[] oneByte = new byte[1];
-
-    AppOutputStream(SSLSocketImpl conn) {
-        this.socket = conn;
-    }
-
-    /**
-     * Write the data out, NOW.
-     */
-    @Override
-    public synchronized void write(byte[] b, int off, int len)
-            throws IOException {
-        if (b == null) {
-            throw new NullPointerException();
-        } else if (off < 0 || len < 0 || len > b.length - off) {
-            throw new IndexOutOfBoundsException();
-        } else if (len == 0) {
-            return;
-        }
-
-        // check if the Socket is invalid (error or closed)
-        socket.checkWrite();
-
-        // Delegate the writing to the underlying socket.
-        try {
-            socket.writeRecord(b, off, len);
-            socket.checkWrite();
-        } catch (Exception e) {
-            // shutdown and rethrow (wrapped) exception as appropriate
-            socket.handleException(e);
-        }
-    }
-
-    /**
-     * Write one byte now.
-     */
-    @Override
-    public synchronized void write(int i) throws IOException {
-        oneByte[0] = (byte)i;
-        write(oneByte, 0, 1);
-    }
-
-    /*
-     * Socket close is already synchronized, no need to block here.
-     */
-    @Override
-    public void close() throws IOException {
-        socket.close();
-    }
-
-    // inherit no-op flush()
-}
--- old/src/java.base/share/classes/sun/security/ssl/ByteBufferInputStream.java	2018-05-11 15:11:22.579931900 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,187 +0,0 @@
-/*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.*;
-import java.nio.*;
-
-/**
- * A simple InputStream which uses ByteBuffers as it's backing store.
- * <P>
- * The only IOException should come if the InputStream has been closed.
- * All other IOException should not occur because all the data is local.
- * Data reads on an exhausted ByteBuffer returns a -1.
- *
- * @author  Brad Wetmore
- */
-class ByteBufferInputStream extends InputStream {
-
-    ByteBuffer bb;
-
-    ByteBufferInputStream(ByteBuffer bb) {
-        this.bb = bb;
-    }
-
-    /**
-     * Returns a byte from the ByteBuffer.
-     *
-     * Increments position().
-     */
-    @Override
-    public int read() throws IOException {
-
-        if (bb == null) {
-            throw new IOException("read on a closed InputStream");
-        }
-
-        if (bb.remaining() == 0) {
-            return -1;
-        }
-
-        return (bb.get() & 0xFF);   // need to be in the range 0 to 255
-    }
-
-    /**
-     * Returns a byte array from the ByteBuffer.
-     *
-     * Increments position().
-     */
-    @Override
-    public int read(byte[] b) throws IOException {
-
-        if (bb == null) {
-            throw new IOException("read on a closed InputStream");
-        }
-
-        return read(b, 0, b.length);
-    }
-
-    /**
-     * Returns a byte array from the ByteBuffer.
-     *
-     * Increments position().
-     */
-    @Override
-    public int read(byte[] b, int off, int len) throws IOException {
-
-        if (bb == null) {
-            throw new IOException("read on a closed InputStream");
-        }
-
-        if (b == null) {
-            throw new NullPointerException();
-        } else if (off < 0 || len < 0 || len > b.length - off) {
-            throw new IndexOutOfBoundsException();
-        } else if (len == 0) {
-            return 0;
-        }
-
-        int length = Math.min(bb.remaining(), len);
-        if (length == 0) {
-            return -1;
-        }
-
-        bb.get(b, off, length);
-        return length;
-    }
-
-    /**
-     * Skips over and discards <code>n</code> bytes of data from this input
-     * stream.
-     */
-    @Override
-    public long skip(long n) throws IOException {
-
-        if (bb == null) {
-            throw new IOException("skip on a closed InputStream");
-        }
-
-        if (n <= 0) {
-            return 0;
-        }
-
-        /*
-         * ByteBuffers have at most an int, so lose the upper bits.
-         * The contract allows this.
-         */
-        int nInt = (int) n;
-        int skip = Math.min(bb.remaining(), nInt);
-
-        bb.position(bb.position() + skip);
-
-        return nInt;
-    }
-
-    /**
-     * Returns the number of bytes that can be read (or skipped over)
-     * from this input stream without blocking by the next caller of a
-     * method for this input stream.
-     */
-    @Override
-    public int available() throws IOException {
-
-        if (bb == null) {
-            throw new IOException("available on a closed InputStream");
-        }
-
-        return bb.remaining();
-    }
-
-    /**
-     * Closes this input stream and releases any system resources associated
-     * with the stream.
-     *
-     * @exception  IOException  if an I/O error occurs.
-     */
-    @Override
-    public void close() throws IOException {
-        bb = null;
-    }
-
-    /**
-     * Marks the current position in this input stream.
-     */
-    @Override
-    public synchronized void mark(int readlimit) {}
-
-    /**
-     * Repositions this stream to the position at the time the
-     * <code>mark</code> method was last called on this input stream.
-     */
-    @Override
-    public synchronized void reset() throws IOException {
-        throw new IOException("mark/reset not supported");
-    }
-
-    /**
-     * Tests if this input stream supports the <code>mark</code> and
-     * <code>reset</code> methods.
-     */
-    @Override
-    public boolean markSupported() {
-        return false;
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/CertStatusReqItemV2.java	2018-05-11 15:11:23.557786700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,199 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.util.Objects;
-import javax.net.ssl.SSLException;
-
-/*
- * RFC6961 defines the TLS extension,"status_request_v2" (type 0x5),
- * which allows the client to request that the server perform OCSP
- * on the client's behalf.
- *
- * The RFC defines an CertStatusReqItemV2 structure:
- *
- *      struct {
- *          CertificateStatusType status_type;
- *          uint16 request_length;
- *          select (status_type) {
- *              case ocsp: OCSPStatusRequest;
- *              case ocsp_multi: OCSPStatusRequest;
- *          } request;
- *      } CertificateStatusRequestItemV2;
- *
- *      enum { ocsp(1), ocsp_multi(2), (255) } CertificateStatusType;
- */
-
-final class CertStatusReqItemV2 {
-
-    private final StatusRequestType statReqType;
-    private final StatusRequest request;
-
-    /**
-     * Construct a {@code CertStatusReqItemV2} object using a type value
-     *      and empty ResponderId and Extension lists.
-     *
-     * @param reqType the type of request (e.g. ocsp).  A {@code null} value
-     *      is not allowed.
-     * @param statReq the {@code StatusRequest} object used to provide the
-     *      encoding for this {@code CertStatusReqItemV2}.  A {@code null}
-     *      value is not allowed.
-     *
-     * @throws IllegalArgumentException if the provided {@code StatusRequest}
-     *      does not match the type.
-     * @throws NullPointerException if either the reqType or statReq arguments
-     *      are {@code null}.
-     */
-    CertStatusReqItemV2(StatusRequestType reqType, StatusRequest statReq) {
-        statReqType = Objects.requireNonNull(reqType,
-                "Unallowed null value for status_type");
-        request = Objects.requireNonNull(statReq,
-                "Unallowed null value for request");
-
-        // There is currently only one known status type (OCSP)
-        // We can add more clauses to cover other types in the future
-        if (statReqType.equals(StatusRequestType.OCSP) ||
-                statReqType.equals(StatusRequestType.OCSP_MULTI)) {
-            if (!(statReq instanceof OCSPStatusRequest)) {
-                throw new IllegalArgumentException("StatusRequest not " +
-                        "of type OCSPStatusRequest");
-            }
-        }
-    }
-
-    /**
-     * Construct a {@code CertStatusReqItemV2} object from encoded bytes
-     *
-     * @param requestBytes the encoded bytes for the {@code CertStatusReqItemV2}
-     *
-     * @throws IOException if any decoding errors take place
-     * @throws IllegalArgumentException if the parsed reqType value is not a
-     *      supported status request type.
-     */
-    CertStatusReqItemV2(byte[] reqItemBytes) throws IOException {
-        ByteBuffer reqBuf = ByteBuffer.wrap(reqItemBytes);
-        statReqType = StatusRequestType.get(reqBuf.get());
-        int requestLength = Short.toUnsignedInt(reqBuf.getShort());
-
-        if (requestLength == reqBuf.remaining()) {
-            byte[] statReqBytes = new byte[requestLength];
-            reqBuf.get(statReqBytes);
-            if (statReqType == StatusRequestType.OCSP ||
-                    statReqType == StatusRequestType.OCSP_MULTI) {
-                request = new OCSPStatusRequest(statReqBytes);
-            } else {
-                request = new UnknownStatusRequest(statReqBytes);
-            }
-        } else {
-            throw new SSLException("Incorrect request_length: " +
-                    "Expected " + reqBuf.remaining() + ", got " +
-                    requestLength);
-        }
-    }
-
-    /**
-     * Construct an {@code CertStatusReqItemV2} object from data read from
-     * a {@code HandshakeInputStream}
-     *
-     * @param s the {@code HandshakeInputStream} providing the encoded data
-     *
-     * @throws IOException if any decoding errors happen during object
-     *      construction.
-     * @throws IllegalArgumentException if the parsed reqType value is not a
-     *      supported status request type.
-     */
-    CertStatusReqItemV2(HandshakeInStream in) throws IOException {
-        statReqType = StatusRequestType.get(in.getInt8());
-        int requestLength = in.getInt16();
-
-        if (statReqType == StatusRequestType.OCSP ||
-                statReqType == StatusRequestType.OCSP_MULTI) {
-            request = new OCSPStatusRequest(in);
-        } else {
-            request = new UnknownStatusRequest(in, requestLength);
-        }
-    }
-
-    /**
-     * Return the length of this {@code CertStatusReqItemV2} in its encoded form
-     *
-     * @return the encoded length of this {@code CertStatusReqItemV2}
-     */
-    int length() {
-        // The length is the status type (1 byte) + the request length
-        // field (2 bytes) + the StatusRequest data length.
-        return request.length() + 3;
-    }
-
-    /**
-     * Send the encoded {@code CertStatusReqItemV2} through a
-     *      {@code HandshakeOutputStream}
-     *
-     * @param s the {@code HandshakeOutputStream} used to send the encoded data
-     *
-     * @throws IOException if any errors occur during the encoding process
-     */
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt8(statReqType.id);
-        s.putInt16(request.length());
-        request.send(s);
-    }
-
-    /**
-     * Create a string representation of this {@code CertStatusReqItemV2}
-     *
-     * @return the string representation of this {@code CertStatusReqItemV2}
-     */
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        sb.append("CertStatusReqItemV2: ").append(statReqType).append(", ");
-        sb.append(request.toString());
-
-        return sb.toString();
-    }
-
-    /**
-     * Return the type field for this {@code CertStatusReqItemV2}
-     *
-     * @return the {@code StatusRequestType} for this extension.
-     */
-    StatusRequestType getType() {
-        return statReqType;
-    }
-
-    /**
-     * Get the underlying {@code StatusRequest} for this
-     *      {@code CertStatusReqItemV2}
-     *
-     * @return the {@code StatusRequest}
-     */
-    StatusRequest getRequest() {
-        return request;
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/CertStatusReqListV2Extension.java	2018-05-11 15:11:24.553371900 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,220 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.util.List;
-import java.util.Collections;
-import java.util.ArrayList;
-import java.util.Objects;
-import javax.net.ssl.SSLException;
-
-/*
- * RFC6066 defines the TLS extension,"status_request" (type 0x5),
- * which allows the client to request that the server perform OCSP
- * on the client's behalf.
- * The "extension data" field of this extension contains a
- * "CertificateStatusRequest" structure:
- *
- *      struct {
- *          CertificateStatusType status_type;
- *          select (status_type) {
- *              case ocsp: OCSPStatusRequest;
- *          } request;
- *      } CertificateStatusRequest;
- *
- *      enum { ocsp(1), (255) } CertificateStatusType;
- *
- *      struct {
- *          ResponderID responder_id_list<0..2^16-1>;
- *          Extensions  request_extensions;
- *      } OCSPStatusRequest;
- *
- *      opaque ResponderID<1..2^16-1>;
- *      opaque Extensions<0..2^16-1>;
- */
-
-final class CertStatusReqListV2Extension extends HelloExtension {
-
-    private final List<CertStatusReqItemV2> itemList;
-    private final int itemListLength;
-
-    /**
-     * Construct a default {@code CertStatusReqListV2Extension}.  The default
-     * object results in a status_request_v2 extension where the extension
-     * data segment is zero-length.  This is used primarily in ServerHello
-     * messages where the server asserts it can do RFC 6961 status stapling.
-     */
-    CertStatusReqListV2Extension() {
-        super(ExtensionType.EXT_STATUS_REQUEST_V2);
-        itemList = Collections.emptyList();
-        itemListLength = 0;
-    }
-
-    /**
-     * Construct a {@code CertStatusReqListV2Extension} from a provided list
-     *      of {@code CertStatusReqItemV2} objects.
-     *
-     * @param reqList a {@code List} containing one or more
-     *      {@code CertStatusReqItemV2} objects to be included in this TLS
-     *      Hello extension.  Passing an empty list will result in the encoded
-     *      extension having a zero-length extension_data segment, and is
-     *      the same as using the default constructor.
-     *
-     * @throws NullPointerException if reqList is {@code null}
-     */
-    CertStatusReqListV2Extension(List<CertStatusReqItemV2> reqList) {
-        super(ExtensionType.EXT_STATUS_REQUEST_V2);
-        Objects.requireNonNull(reqList,
-                "Unallowed null value for certificate_status_req_list");
-        itemList = Collections.unmodifiableList(new ArrayList<>(reqList));
-        itemListLength = calculateListLength();
-    }
-
-    /**
-     *  Construct the {@code CertStatusReqListV2Extension} object from data
-     *      read from a {@code HandshakeInputStream}
-     *
-     * @param s the {@code HandshakeInputStream} providing the encoded data
-     * @param len the length of the extension data
-     *
-     * @throws IOException if any decoding errors happen during object
-     *      construction.
-     */
-    CertStatusReqListV2Extension(HandshakeInStream s, int len)
-            throws IOException {
-        super(ExtensionType.EXT_STATUS_REQUEST_V2);
-
-        if (len <= 0) {
-            // Handle the empty extension data case (from a ServerHello)
-            itemList = Collections.emptyList();
-            itemListLength = 0;
-        } else {
-            List<CertStatusReqItemV2> workingList = new ArrayList<>();
-
-            itemListLength = s.getInt16();
-            if (itemListLength <= 0) {
-                throw new SSLException("certificate_status_req_list length " +
-                        "must be greater than zero (received length: " +
-                        itemListLength + ")");
-            }
-
-            int totalRead = 0;
-            CertStatusReqItemV2 reqItem;
-            do {
-                reqItem = new CertStatusReqItemV2(s);
-                totalRead += reqItem.length();
-            } while (workingList.add(reqItem) && totalRead < itemListLength);
-
-            // If for some reason the add returns false, we may not have read
-            // all the necessary bytes from the stream.  Check this and throw
-            // an exception if we terminated the loop early.
-            if (totalRead != itemListLength) {
-                throw new SSLException("Not all certificate_status_req_list " +
-                        "bytes were read: expected " + itemListLength +
-                        ", read " + totalRead);
-            }
-
-            itemList = Collections.unmodifiableList(workingList);
-        }
-    }
-
-    /**
-     * Get the list of {@code CertStatusReqItemV2} objects for this extension
-     *
-     * @return an unmodifiable list of {@code CertStatusReqItemV2} objects
-     */
-    List<CertStatusReqItemV2> getRequestItems() {
-        return itemList;
-    }
-
-    /**
-     * Return the length of the encoded extension, including extension type
-     *      and extension length fields.
-     *
-     * @return the length in bytes, including the extension type and
-     *      extension_data length.
-     */
-    @Override
-    int length() {
-        return (itemList.isEmpty() ? 4 : itemListLength + 6);
-    }
-
-    /**
-     * Send the encoded {@code CertStatusReqListV2Extension} through a
-     *      {@code HandshakeOutputStream}
-     *
-     * @param s the {@code HandshakeOutputStream} used to send the encoded data
-     *
-     * @throws IOException if any errors occur during the encoding process
-     */
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putInt16(this.length() - 4);
-        if (itemListLength > 0) {
-            s.putInt16(itemListLength);
-            for (CertStatusReqItemV2 item : itemList) {
-                item.send(s);
-            }
-        }
-    }
-
-    /**
-     * Create a string representation of this
-     *      {@code CertStatusReqListV2Extension}
-     *
-     * @return the string representation of this
-     *      {@code CertStatusReqListV2Extension}
-     */
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder("Extension ").append(type);
-        for (CertStatusReqItemV2 item : itemList) {
-            sb.append("\n").append(item);
-        }
-
-        return sb.toString();
-    }
-
-    /**
-     * Determine the length of the certificate_status_req_list field in
-     * the status_request_v2 extension.
-     *
-     * @return the total encoded length of all items in the list, or 0 if the
-     *      encapsulating extension_data is zero-length (from a ServerHello)
-     */
-    private int calculateListLength() {
-        int listLen = 0;
-
-        for (CertStatusReqItemV2 item : itemList) {
-            listLen += item.length();
-        }
-
-        return listLen;
-    }
-
-}
--- old/src/java.base/share/classes/sun/security/ssl/CipherSuiteList.java	2018-05-11 15:11:25.545023600 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,187 +0,0 @@
-/*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.ssl;
-
-import java.io.*;
-import java.util.*;
-
-import javax.net.ssl.SSLException;
-import static sun.security.ssl.NamedGroupType.*;
-
-/**
- * A list of CipherSuites. Also maintains the lists of supported and
- * default ciphersuites and supports I/O from handshake streams.
- *
- * Instances of this class are immutable.
- *
- */
-final class CipherSuiteList {
-
-    private final Collection<CipherSuite> cipherSuites;
-    private String[] suiteNames;
-    private final EnumSet<NamedGroupType> groupsTypes =
-            EnumSet.noneOf(NamedGroupType.class);
-
-    // for use by buildAvailableCache() and
-    // Handshaker.getKickstartMessage() only
-    CipherSuiteList(Collection<CipherSuite> cipherSuites) {
-        this.cipherSuites = cipherSuites;
-        for (CipherSuite suite : cipherSuites) {
-            updateGroupTypes(suite);
-        }
-    }
-
-    /**
-     * Create a CipherSuiteList with a single element.
-     */
-    CipherSuiteList(CipherSuite suite) {
-        cipherSuites = new ArrayList<CipherSuite>(1);
-        cipherSuites.add(suite);
-        updateGroupTypes(suite);
-    }
-
-    /**
-     * Construct a CipherSuiteList from a array of names. We don't bother
-     * to eliminate duplicates.
-     *
-     * @exception IllegalArgumentException if the array or any of its elements
-     * is null or if the ciphersuite name is unrecognized or unsupported
-     * using currently installed providers.
-     */
-    CipherSuiteList(String[] names) {
-        if (names == null) {
-            throw new IllegalArgumentException("CipherSuites may not be null");
-        }
-        cipherSuites = new ArrayList<CipherSuite>(names.length);
-        for (int i = 0; i < names.length; i++) {
-            String suiteName = names[i];
-            CipherSuite suite = CipherSuite.valueOf(suiteName);
-            if (suite.isAvailable() == false) {
-                throw new IllegalArgumentException("Cannot support "
-                    + suiteName + " with currently installed providers");
-            }
-            cipherSuites.add(suite);
-            updateGroupTypes(suite);
-        }
-    }
-
-    /**
-     * Read a CipherSuiteList from a HandshakeInStream in V3 ClientHello
-     * format. Does not check if the listed ciphersuites are known or
-     * supported.
-     */
-    CipherSuiteList(HandshakeInStream in) throws IOException {
-        byte[] bytes = in.getBytes16();
-        if ((bytes.length & 1) != 0) {
-            throw new SSLException("Invalid ClientHello message");
-        }
-        cipherSuites = new ArrayList<CipherSuite>(bytes.length >> 1);
-        for (int i = 0; i < bytes.length; i += 2) {
-            CipherSuite suite = CipherSuite.valueOf(bytes[i], bytes[i+1]);
-            cipherSuites.add(suite);
-            updateGroupTypes(suite);
-        }
-    }
-
-    // Please don't use this method except constructors.
-    private void updateGroupTypes(CipherSuite cipherSuite) {
-        if (cipherSuite.keyExchange != null && (!cipherSuite.exportable)) {
-            NamedGroupType groupType = cipherSuite.keyExchange.groupType;
-            if ((groupType != NAMED_GROUP_NONE) &&
-                    (!groupsTypes.contains(groupType))) {
-                groupsTypes.add(groupType);
-            }
-        }
-    }
-
-    /**
-     * Return whether this list contains the given CipherSuite.
-     */
-    boolean contains(CipherSuite suite) {
-        return cipherSuites.contains(suite);
-    }
-
-    // Return whether this list contains cipher suites of a named group type.
-    boolean contains(NamedGroupType groupType) {
-        return groupsTypes.contains(groupType);
-    }
-
-    /**
-     * Return an Iterator for the CipherSuites in this list.
-     */
-    Iterator<CipherSuite> iterator() {
-        return cipherSuites.iterator();
-    }
-
-    /**
-     * Return a reference to the internal Collection of CipherSuites.
-     * The Collection MUST NOT be modified.
-     */
-    Collection<CipherSuite> collection() {
-        return cipherSuites;
-    }
-
-    /**
-     * Return the number of CipherSuites in this list.
-     */
-    int size() {
-        return cipherSuites.size();
-    }
-
-    /**
-     * Return an array with the names of the CipherSuites in this list.
-     */
-    synchronized String[] toStringArray() {
-        if (suiteNames == null) {
-            suiteNames = new String[cipherSuites.size()];
-            int i = 0;
-            for (CipherSuite c : cipherSuites) {
-                suiteNames[i++] = c.name;
-            }
-        }
-        return suiteNames.clone();
-    }
-
-    @Override
-    public String toString() {
-        return cipherSuites.toString();
-    }
-
-    /**
-     * Write this list to an HandshakeOutStream in V3 ClientHello format.
-     */
-    void send(HandshakeOutStream s) throws IOException {
-        byte[] suiteBytes = new byte[cipherSuites.size() * 2];
-        int i = 0;
-        for (CipherSuite c : cipherSuites) {
-            suiteBytes[i] = (byte)(c.id >> 8);
-            suiteBytes[i+1] = (byte)c.id;
-            i += 2;
-        }
-        s.putBytes16(suiteBytes);
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/DHCrypt.java	2018-05-11 15:11:26.563122400 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,278 +0,0 @@
-/*
- * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-
-package sun.security.ssl;
-
-import java.math.BigInteger;
-import java.security.*;
-import javax.net.ssl.SSLHandshakeException;
-import javax.crypto.SecretKey;
-import javax.crypto.KeyAgreement;
-import javax.crypto.interfaces.DHPublicKey;
-import javax.crypto.spec.*;
-import java.util.EnumSet;
-
-import sun.security.util.KeyUtil;
-
-/**
- * This class implements the Diffie-Hellman key exchange algorithm.
- * D-H means combining your private key with your partners public key to
- * generate a number. The peer does the same with its private key and our
- * public key. Through the magic of Diffie-Hellman we both come up with the
- * same number. This number is secret (discounting MITM attacks) and hence
- * called the shared secret. It has the same length as the modulus, e.g. 512
- * or 1024 bit. Man-in-the-middle attacks are typically countered by an
- * independent authentication step using certificates (RSA, DSA, etc.).
- *
- * The thing to note is that the shared secret is constant for two partners
- * with constant private keys. This is often not what we want, which is why
- * it is generally a good idea to create a new private key for each session.
- * Generating a private key involves one modular exponentiation assuming
- * suitable D-H parameters are available.
- *
- * General usage of this class (TLS DHE case):
- *  . if we are server, call DHCrypt(keyLength,random). This generates
- *    an ephemeral keypair of the request length.
- *  . if we are client, call DHCrypt(modulus, base, random). This
- *    generates an ephemeral keypair using the parameters specified by
- *    the server.
- *  . send parameters and public value to remote peer
- *  . receive peers ephemeral public key
- *  . call getAgreedSecret() to calculate the shared secret
- *
- * In TLS the server chooses the parameter values itself, the client must use
- * those sent to it by the server.
- *
- * The use of ephemeral keys as described above also achieves what is called
- * "forward secrecy". This means that even if the authentication keys are
- * broken at a later date, the shared secret remains secure. The session is
- * compromised only if the authentication keys are already broken at the
- * time the key exchange takes place and an active MITM attack is used.
- * This is in contrast to straightforward encrypting RSA key exchanges.
- *
- * @author David Brownell
- */
-final class DHCrypt {
-
-    // group parameters (prime modulus and generator)
-    private BigInteger modulus;                 // P (aka N)
-    private BigInteger base;                    // G (aka alpha)
-
-    // our private key (including private component x)
-    private PrivateKey privateKey;
-
-    // public component of our key, X = (g ^ x) mod p
-    private BigInteger publicValue;             // X (aka y)
-
-    // the times to recove from failure if public key validation
-    private static int MAX_FAILOVER_TIMES = 2;
-
-    /**
-     * Generate a Diffie-Hellman keypair of the specified size.
-     */
-    DHCrypt(int keyLength, SecureRandom random) {
-        this(keyLength,
-            PredefinedDHParameterSpecs.definedParams.get(keyLength), random);
-    }
-
-    /**
-     * Generate a Diffie-Hellman keypair using the specified parameters.
-     *
-     * @param modulus the Diffie-Hellman modulus P
-     * @param base the Diffie-Hellman base G
-     */
-    DHCrypt(BigInteger modulus, BigInteger base, SecureRandom random) {
-        this(modulus.bitLength(),
-                new DHParameterSpec(modulus, base), random);
-    }
-
-    /**
-     * Generate a Diffie-Hellman keypair using the named group.
-     */
-    DHCrypt(NamedGroup namedGroup, SecureRandom random) {
-        this(-1,        // The length (-1) is not used in the implementation.
-            SupportedGroupsExtension.getDHParameterSpec(namedGroup), random);
-    }
-
-    /**
-     * Generate a Diffie-Hellman keypair using the specified size and
-     * parameters.
-     */
-    private DHCrypt(int keyLength,
-            DHParameterSpec params, SecureRandom random) {
-
-        try {
-            KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("DiffieHellman");
-            if (params != null) {
-                kpg.initialize(params, random);
-            } else {
-                kpg.initialize(keyLength, random);
-            }
-
-            DHPublicKeySpec spec = generateDHPublicKeySpec(kpg);
-            if (spec == null) {
-                throw new RuntimeException("Could not generate DH keypair");
-            }
-
-            publicValue = spec.getY();
-            modulus = spec.getP();
-            base = spec.getG();
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException("Could not generate DH keypair", e);
-        }
-    }
-
-    static DHPublicKeySpec getDHPublicKeySpec(PublicKey key) {
-        if (key instanceof DHPublicKey) {
-            DHPublicKey dhKey = (DHPublicKey)key;
-            DHParameterSpec params = dhKey.getParams();
-            return new DHPublicKeySpec(dhKey.getY(),
-                                    params.getP(), params.getG());
-        }
-        try {
-            KeyFactory factory = JsseJce.getKeyFactory("DiffieHellman");
-            return factory.getKeySpec(key, DHPublicKeySpec.class);
-        } catch (Exception e) {
-            throw new RuntimeException(e);
-        }
-    }
-
-
-    /** Returns the Diffie-Hellman modulus. */
-    BigInteger getModulus() {
-        return modulus;
-    }
-
-    /** Returns the Diffie-Hellman base (generator).  */
-    BigInteger getBase() {
-        return base;
-    }
-
-    /**
-     * Gets the public key of this end of the key exchange.
-     */
-    BigInteger getPublicKey() {
-        return publicValue;
-    }
-
-    /**
-     * Get the secret data that has been agreed on through Diffie-Hellman
-     * key agreement protocol.  Note that in the two party protocol, if
-     * the peer keys are already known, no other data needs to be sent in
-     * order to agree on a secret.  That is, a secured message may be
-     * sent without any mandatory round-trip overheads.
-     *
-     * <P>It is illegal to call this member function if the private key
-     * has not been set (or generated).
-     *
-     * @param  peerPublicKey the peer's public key.
-     * @param  keyIsValidated whether the {@code peerPublicKey} has beed
-     *         validated
-     * @return the secret, which is an unsigned big-endian integer
-     *         the same size as the Diffie-Hellman modulus.
-     */
-    SecretKey getAgreedSecret(BigInteger peerPublicValue,
-            boolean keyIsValidated) throws SSLHandshakeException {
-        try {
-            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
-            DHPublicKeySpec spec =
-                        new DHPublicKeySpec(peerPublicValue, modulus, base);
-            PublicKey publicKey = kf.generatePublic(spec);
-            KeyAgreement ka = JsseJce.getKeyAgreement("DiffieHellman");
-
-            // validate the Diffie-Hellman public key
-            if (!keyIsValidated &&
-                    !KeyUtil.isOracleJCEProvider(ka.getProvider().getName())) {
-                try {
-                    KeyUtil.validate(spec);
-                } catch (InvalidKeyException ike) {
-                    // prefer handshake_failure alert to internal_error alert
-                    throw new SSLHandshakeException(ike.getMessage());
-                }
-            }
-
-            ka.init(privateKey);
-            ka.doPhase(publicKey, true);
-            return ka.generateSecret("TlsPremasterSecret");
-        } catch (GeneralSecurityException e) {
-            throw (SSLHandshakeException) new SSLHandshakeException(
-                "Could not generate secret").initCause(e);
-        }
-    }
-
-    // Check constraints of the specified DH public key.
-    void checkConstraints(AlgorithmConstraints constraints,
-            BigInteger peerPublicValue) throws SSLHandshakeException {
-
-        try {
-            KeyFactory kf = JsseJce.getKeyFactory("DiffieHellman");
-            DHPublicKeySpec spec =
-                        new DHPublicKeySpec(peerPublicValue, modulus, base);
-            DHPublicKey publicKey = (DHPublicKey)kf.generatePublic(spec);
-
-            // check constraints of DHPublicKey
-            if (!constraints.permits(
-                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                throw new SSLHandshakeException(
-                    "DHPublicKey does not comply to algorithm constraints");
-            }
-        } catch (GeneralSecurityException gse) {
-            throw (SSLHandshakeException) new SSLHandshakeException(
-                    "Could not generate DHPublicKey").initCause(gse);
-        }
-    }
-
-    // Generate and validate DHPublicKeySpec
-    private DHPublicKeySpec generateDHPublicKeySpec(KeyPairGenerator kpg)
-            throws GeneralSecurityException {
-
-        boolean doExtraValiadtion =
-                    (!KeyUtil.isOracleJCEProvider(kpg.getProvider().getName()));
-        for (int i = 0; i <= MAX_FAILOVER_TIMES; i++) {
-            KeyPair kp = kpg.generateKeyPair();
-            privateKey = kp.getPrivate();
-            DHPublicKeySpec spec = getDHPublicKeySpec(kp.getPublic());
-
-            // validate the Diffie-Hellman public key
-            if (doExtraValiadtion) {
-                try {
-                    KeyUtil.validate(spec);
-                } catch (InvalidKeyException ivke) {
-                    if (i == MAX_FAILOVER_TIMES) {
-                        throw ivke;
-                    }
-                    // otherwise, ignore the exception and try the next one
-                    continue;
-                }
-            }
-
-            return spec;
-        }
-
-        return null;
-    }
-}
-
--- old/src/java.base/share/classes/sun/security/ssl/ECDHCrypt.java	2018-05-11 15:11:27.546586700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,153 +0,0 @@
-/*
- * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.security.*;
-import java.security.interfaces.ECPublicKey;
-import java.security.spec.*;
-
-import java.util.EnumSet;
-import javax.crypto.SecretKey;
-import javax.crypto.KeyAgreement;
-import javax.net.ssl.SSLHandshakeException;
-
-/**
- * Helper class for the ECDH key exchange. It generates the appropriate
- * ephemeral keys as necessary and performs the actual shared secret derivation.
- *
- * @since   1.6
- * @author  Andreas Sterbenz
- */
-final class ECDHCrypt {
-
-    // our private key
-    private PrivateKey privateKey;
-
-    // our public key
-    private ECPublicKey publicKey;
-
-    // Called by ServerHandshaker for static ECDH
-    ECDHCrypt(PrivateKey privateKey, PublicKey publicKey) {
-        this.privateKey = privateKey;
-        this.publicKey = (ECPublicKey)publicKey;
-    }
-
-    // Called by ServerHandshaker for ephemeral ECDH
-    ECDHCrypt(NamedGroup namedGroup, SecureRandom random) {
-        try {
-            KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
-            ECGenParameterSpec params =
-                    SupportedGroupsExtension.getECGenParamSpec(namedGroup);
-            kpg.initialize(params, random);
-            KeyPair kp = kpg.generateKeyPair();
-            privateKey = kp.getPrivate();
-            publicKey = (ECPublicKey)kp.getPublic();
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException("Could not generate ECDH keypair", e);
-        }
-    }
-
-    // Called by ClientHandshaker with params it received from the server
-    ECDHCrypt(ECParameterSpec params, SecureRandom random) {
-        try {
-            KeyPairGenerator kpg = JsseJce.getKeyPairGenerator("EC");
-            kpg.initialize(params, random);
-            KeyPair kp = kpg.generateKeyPair();
-            privateKey = kp.getPrivate();
-            publicKey = (ECPublicKey)kp.getPublic();
-        } catch (GeneralSecurityException e) {
-            throw new RuntimeException("Could not generate ECDH keypair", e);
-        }
-    }
-
-    /**
-     * Gets the public key of this end of the key exchange.
-     */
-    PublicKey getPublicKey() {
-        return publicKey;
-    }
-
-    // called by ClientHandshaker with either the server's static or
-    // ephemeral public key
-    SecretKey getAgreedSecret(
-            PublicKey peerPublicKey) throws SSLHandshakeException {
-
-        try {
-            KeyAgreement ka = JsseJce.getKeyAgreement("ECDH");
-            ka.init(privateKey);
-            ka.doPhase(peerPublicKey, true);
-            return ka.generateSecret("TlsPremasterSecret");
-        } catch (GeneralSecurityException e) {
-            throw (SSLHandshakeException) new SSLHandshakeException(
-                "Could not generate secret").initCause(e);
-        }
-    }
-
-    // called by ServerHandshaker
-    SecretKey getAgreedSecret(
-            byte[] encodedPoint) throws SSLHandshakeException {
-
-        try {
-            ECParameterSpec params = publicKey.getParams();
-            ECPoint point =
-                    JsseJce.decodePoint(encodedPoint, params.getCurve());
-            KeyFactory kf = JsseJce.getKeyFactory("EC");
-            ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
-            PublicKey peerPublicKey = kf.generatePublic(spec);
-            return getAgreedSecret(peerPublicKey);
-        } catch (GeneralSecurityException | java.io.IOException e) {
-            throw (SSLHandshakeException) new SSLHandshakeException(
-                "Could not generate secret").initCause(e);
-        }
-    }
-
-    // Check constraints of the specified EC public key.
-    void checkConstraints(AlgorithmConstraints constraints,
-            byte[] encodedPoint) throws SSLHandshakeException {
-
-        try {
-
-            ECParameterSpec params = publicKey.getParams();
-            ECPoint point =
-                    JsseJce.decodePoint(encodedPoint, params.getCurve());
-            ECPublicKeySpec spec = new ECPublicKeySpec(point, params);
-
-            KeyFactory kf = JsseJce.getKeyFactory("EC");
-            ECPublicKey publicKey = (ECPublicKey)kf.generatePublic(spec);
-
-            // check constraints of ECPublicKey
-            if (!constraints.permits(
-                    EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
-                throw new SSLHandshakeException(
-                    "ECPublicKey does not comply to algorithm constraints");
-            }
-        } catch (GeneralSecurityException | java.io.IOException e) {
-            throw (SSLHandshakeException) new SSLHandshakeException(
-                    "Could not generate ECPublicKey").initCause(e);
-        }
-    }
-
-}
--- old/src/java.base/share/classes/sun/security/ssl/ExtensionType.java	2018-05-11 15:11:28.511781400 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,115 +0,0 @@
-/*
- * Copyright (c) 2006, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.util.ArrayList;
-import java.util.List;
-
-final class ExtensionType {
-
-    final int id;
-    final String name;
-
-    private ExtensionType(int id, String name) {
-        this.id = id;
-        this.name = name;
-    }
-
-    @Override
-    public String toString() {
-        return name;
-    }
-
-    static List<ExtensionType> knownExtensions = new ArrayList<>(16);
-
-    static ExtensionType get(int id) {
-        for (ExtensionType ext : knownExtensions) {
-            if (ext.id == id) {
-                return ext;
-            }
-        }
-        return new ExtensionType(id, "type_" + id);
-    }
-
-    private static ExtensionType e(int id, String name) {
-        ExtensionType ext = new ExtensionType(id, name);
-        knownExtensions.add(ext);
-        return ext;
-    }
-
-    // extensions defined in RFC 3546
-    static final ExtensionType EXT_SERVER_NAME =
-            e(0x0000, "server_name");            // IANA registry value: 0
-    static final ExtensionType EXT_MAX_FRAGMENT_LENGTH =
-            e(0x0001, "max_fragment_length");    // IANA registry value: 1
-    static final ExtensionType EXT_CLIENT_CERTIFICATE_URL =
-            e(0x0002, "client_certificate_url"); // IANA registry value: 2
-    static final ExtensionType EXT_TRUSTED_CA_KEYS =
-            e(0x0003, "trusted_ca_keys");        // IANA registry value: 3
-    static final ExtensionType EXT_TRUNCATED_HMAC =
-            e(0x0004, "truncated_hmac");         // IANA registry value: 4
-    static final ExtensionType EXT_STATUS_REQUEST =
-            e(0x0005, "status_request");         // IANA registry value: 5
-
-    // extensions defined in RFC 4681
-    static final ExtensionType EXT_USER_MAPPING =
-            e(0x0006, "user_mapping");           // IANA registry value: 6
-
-    // extensions defined in RFC 5081
-    static final ExtensionType EXT_CERT_TYPE =
-            e(0x0009, "cert_type");              // IANA registry value: 9
-
-    // extensions defined in RFC 4492 (ECC) and RFC 7919 (FFDHE)
-    static final ExtensionType EXT_SUPPORTED_GROUPS =
-            e(0x000A, "supported_groups");       // IANA registry value: 10
-    static final ExtensionType EXT_EC_POINT_FORMATS =
-            e(0x000B, "ec_point_formats");       // IANA registry value: 11
-
-    // extensions defined in RFC 5054
-    static final ExtensionType EXT_SRP =
-            e(0x000C, "srp");                    // IANA registry value: 12
-
-    // extensions defined in RFC 5246
-    static final ExtensionType EXT_SIGNATURE_ALGORITHMS =
-            e(0x000D, "signature_algorithms");   // IANA registry value: 13
-
-    // extension defined in RFC 7301 (ALPN)
-    static final ExtensionType EXT_ALPN =
-            e(0x0010, "application_layer_protocol_negotiation");
-                                                 // IANA registry value: 16
-
-    // extensions defined in RFC 6961
-    static final ExtensionType EXT_STATUS_REQUEST_V2 =
-            e(0x0011, "status_request_v2");      // IANA registry value: 17
-
-    // extensions defined in RFC 7627
-    static final ExtensionType EXT_EXTENDED_MASTER_SECRET =
-            e(0x0017, "extended_master_secret"); // IANA registry value: 23
-
-    // extensions defined in RFC 5746
-    static final ExtensionType EXT_RENEGOTIATION_INFO =
-            e(0xff01, "renegotiation_info");     // IANA registry value: 65281
-}
--- old/src/java.base/share/classes/sun/security/ssl/HandshakeInStream.java	2018-05-11 15:11:29.497460600 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,179 +0,0 @@
-/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.nio.ByteBuffer;
-
-import javax.net.ssl.SSLException;
-
-/**
- * InputStream for handshake data, used internally only. Contains the
- * handshake message buffer and methods to parse them.
- *
- * Once a new handshake record arrives, it is buffered in this class until
- * processed by the Handshaker. The buffer may also contain incomplete
- * handshake messages in case the message is split across multiple records.
- * Handshaker.processRecord deals with all that. It may also contain
- * handshake messages larger than the default buffer size (e.g. large
- * certificate messages). The buffer is grown dynamically to handle that.
- *
- * Note that this class only handles Handshake messages in TLS format.
- * DTLS Handshake messages should be converted into TLS format before
- * calling into this method.
- *
- * @author David Brownell
- */
-
-// This class is used to handle plain text handshake messages.
-//
-public final class HandshakeInStream extends ByteArrayInputStream {
-
-    /*
-     * Construct the stream; we'll be accumulating hashes of the
-     * input records using two sets of digests.
-     */
-    HandshakeInStream() {
-        super(new byte[0]);     // lazy to alloacte the internal buffer
-    }
-
-    //
-    // overridden ByteArrayInputStream methods
-    //
-
-    @Override
-    public int read(byte[] b) throws IOException {
-        if (super.read(b) != b.length) {
-            throw new SSLException("Unexpected end of handshake data");
-        }
-
-        return b.length;
-    }
-
-    //
-    // handshake input stream management functions
-    //
-
-    /*
-     * Here's an incoming record with handshake data.  Queue the contents;
-     * it might be one or more entire messages, complete a message that's
-     * partly queued, or both.
-     */
-    void incomingRecord(ByteBuffer in) throws IOException {
-        int len;
-
-        // Move any unread data to the front of the buffer.
-        if (pos != 0) {
-            len = count - pos;
-            if (len != 0) {
-                System.arraycopy(buf, pos, buf, 0, len);
-            }
-            pos = 0;
-            count = len;
-        }
-
-        // Grow buffer if needed.
-        len = in.remaining() + count;
-        if (buf.length < len) {
-            byte[] newbuf = new byte[len];
-            if (count != 0) {
-                System.arraycopy(buf, 0, newbuf, 0, count);
-            }
-            buf = newbuf;
-        }
-
-        // Append the incoming record to the buffer
-        in.get(buf, count, in.remaining());
-        count = len;
-    }
-
-    //
-    // Message parsing methods
-    //
-
-    /*
-     * Read 8, 16, 24, and 32 bit SSL integer data types, encoded
-     * in standard big-endian form.
-     */
-    int getInt8() throws IOException {
-        verifyLength(1);
-        return read();
-    }
-
-    int getInt16() throws IOException {
-        verifyLength(2);
-        return (getInt8() << 8) | getInt8();
-    }
-
-    int getInt24() throws IOException {
-        verifyLength(3);
-        return (getInt8() << 16) | (getInt8() << 8) | getInt8();
-    }
-
-    int getInt32() throws IOException {
-        verifyLength(4);
-        return (getInt8() << 24) | (getInt8() << 16)
-             | (getInt8() << 8) | getInt8();
-    }
-
-    /*
-     * Read byte vectors with 8, 16, and 24 bit length encodings.
-     */
-    byte[] getBytes8() throws IOException {
-        int len = getInt8();
-        verifyLength(len);
-        byte[] b = new byte[len];
-
-        read(b);
-        return b;
-    }
-
-    public byte[] getBytes16() throws IOException {
-        int len = getInt16();
-        verifyLength(len);
-        byte[] b = new byte[len];
-
-        read(b);
-        return b;
-    }
-
-    byte[] getBytes24() throws IOException {
-        int len = getInt24();
-        verifyLength(len);
-        byte[] b = new byte[len];
-
-        read(b);
-        return b;
-    }
-
-    // Is a length greater than available bytes in the record?
-    private void verifyLength(int len) throws SSLException {
-        if (len > available()) {
-            throw new SSLException("Unexpected end of handshake data");
-        }
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/HandshakeStateManager.java	2018-05-11 15:11:30.502841500 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,922 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.util.Collections;
-import java.util.List;
-import java.util.LinkedList;
-import java.util.HashMap;
-import javax.net.ssl.SSLProtocolException;
-
-import static sun.security.ssl.CipherSuite.KeyExchange;
-import static sun.security.ssl.CipherSuite.KeyExchange.*;
-import static sun.security.ssl.HandshakeStateManager.HandshakeState.*;
-import static sun.security.ssl.HandshakeMessage.*;
-
-/*
- * Handshake state manager.
- *
- * Messages flow for a full handshake:
- *
- *      -                                                         -
- *      |          HelloRequest       (No.0, RFC 5246) [*]        |
- *      |     <--------------------------------------------       |
- *      |                                                         |
- *      |          ClientHello        (No.1, RFC 5246)            |
- *      |     -------------------------------------------->       |
- *      |                                                         |
- *      |   -      HelloVerifyRequest (No.3, RFC 6347)      -     |
- *      | D | <-------------------------------------------- | D   |
- *      | T |                                               | T   |
- *      | L |      ClientHello        (No.1, RFC 5246)      | L   |
- *      | S | --------------------------------------------> | S   |
- *      |   -                                               -     |
- *      |                                                         |
- *   C  |          ServerHello        (No.2, RFC 5246)            |  S
- *   L  |          SupplementalData   (No.23, RFC4680) [*]        |  E
- *   I  |          Certificate        (No.11, RFC 5246) [*]       |  R
- *   E  |          CertificateStatus  (No.22, RFC 6066) [*]       |  V
- *   N  |          ServerKeyExchange  (No.12, RFC 5246) [*]       |  E
- *   T  |          CertificateRequest (No.13, RFC 5246) [*]       |  R
- *      |          ServerHelloDone    (No.14, RFC 5246)           |
- *      |     <--------------------------------------------       |
- *      |                                                         |
- *      |          SupplementalData   (No.23, RFC4680) [*]        |
- *      |          Certificate        (No.11, RFC 5246) [*] Or    |
- *      |              CertificateURL (No.21, RFC6066) [*]        |
- *      |          ClientKeyExchange  (No.16, RFC 5246)           |
- *      |          CertificateVerify  (No.15, RFC 5246) [*]       |
- *      |          [ChangeCipherSpec] (RFC 5246)                  |
- *      |          Finished           (No.20, RFC 5246)           |
- *      |     -------------------------------------------->       |
- *      |                                                         |
- *      |          NewSessionTicket   (No.4, RFC4507) [*]         |
- *      |          [ChangeCipherSpec] (RFC 5246)                  |
- *      |          Finished           (No.20, RFC 5246)           |
- *      |     <--------------------------------------------       |
- *      -                                                         -
- * [*] Indicates optional or situation-dependent messages that are not
- * always sent.
- *
- * Message flow for an abbreviated handshake:
- *      -                                                         -
- *      |          ClientHello        (No.1, RFC 5246)            |
- *      |     -------------------------------------------->       |
- *      |                                                         |
- *   C  |          ServerHello        (No.2, RFC 5246)            |  S
- *   L  |          NewSessionTicket   (No.4, RFC4507) [*]         |  E
- *   I  |          [ChangeCipherSpec] (RFC 5246)                  |  R
- *   E  |          Finished           (No.20, RFC 5246)           |  V
- *   N  |     <--------------------------------------------       |  E
- *   T  |                                                         |  R
- *      |          [ChangeCipherSpec] (RFC 5246)                  |
- *      |          Finished           (No.20, RFC 5246)           |
- *      |     -------------------------------------------->       |
- *      -                                                         -
- *
- *
- * State machine of handshake states:
- *
- *                   +--------------+
- *      START -----> | HelloRequest |
- *        |          +--------------+
- *        |               |
- *        v               v
- *     +---------------------+   -->  +---------------------+
- *     |    ClientHello      |        | HelloVerifyRequest  |
- *     +---------------------+   <--  +---------------------+
- *               |
- *               |
- * =========================================================================
- *               |
- *               v
- *     +---------------------+
- *     |    ServerHello      |  ----------------------------------+------+
- *     +---------------------+  -->  +-------------------------+  |      |
- *                    |              | Server SupplementalData |  |      |
- *                    |              +-------------------------+  |      |
- *                    |                |                          |      |
- *                    v                v                          |      |
- *                +---------------------+                         |      |
- *         +----  | Server Certificate  |                         |      |
- *         |      +---------------------+                         |      |
- *         |          |                                           |      |
- *         |          |   +--------------------+                  |      |
- *         |          +-> | CertificateStatus  |                  |      |
- *         |          |   +--------------------+                  v      |
- *         |          |      |          |     +--------------------+     |
- *         |          v      v          +-->  | ServerKeyExchange  |     |
- *         |  +---------------------+   |     +--------------------+     |
- *         |  | CertificateRequest  |   |         |                      |
- *         |  +---------------------+ <-+---------+                      |
- *         |            |               |         |                      |
- *         v            v               |         |                      |
- *     +---------------------+  <-------+         |                      |
- *     |  ServerHelloDone    |  <-----------------+                      |
- *     +---------------------+                                           |
- *       |         |                                                     |
- *       |         |                                                     |
- *       |         |                                                     |
- * =========================================================================
- *       |         |                                                     |
- *       |         v                                                     |
- *       |   +-------------------------+                                 |
- *       |   | Client SupplementalData | --------------+                 |
- *       |   +-------------------------+               |                 |
- *       |             |                               |                 |
- *       |             v                               |                 |
- *       |   +--------------------+                    |                 |
- *       +-> | Client Certificate | ALT.               |                 |
- *       |   +--------------------+----------------+   |                 |
- *       |                        | CertificateURL |   |                 |
- *       |                        +----------------+   |                 |
- *       v                                             |                 |
- *     +-------------------+  <------------------------+                 |
- *     | ClientKeyExchange |                                             |
- *     +-------------------+                                             |
- *          |           |                                                |
- *          |           v                                                |
- *          |      +-------------------+                                 |
- *          |      | CertificateVerify |                                 |
- *          |      +-------------------+                                 |
- *          |          |                                                 |
- *          v          v                                                 |
- *     +-------------------------+                                       |
- *     | Client ChangeCipherSpec |  <---------------+                    |
- *     +-------------------------+                  |                    |
- *               |                                  |                    |
- *               v                                  |                    |
- *     +-----------------+  (abbreviated)           |                    |
- *     | Client Finished |  -------------> END      |                    |
- *     +-----------------+  (Abbreviated handshake) |                    |
- *                      |                           |                    |
- *                      | (full)                    |                    |
- *                      |                           |                    |
- * ================================                 |                    |
- *                      |                           |                    |
- *                      |                   ================================
- *                      |                           |                    |
- *                      v                           |                    |
- *                 +------------------+             |    (abbreviated)   |
- *                 | NewSessionTicket | <--------------------------------+
- *                 +------------------+             |                    |
- *                      |                           |                    |
- *                      v                           |                    |
- *     +-------------------------+                  |    (abbreviated)   |
- *     | Server ChangeCipherSpec | <-------------------------------------+
- *     +-------------------------+                  |
- *               |                                  |
- *               v                                  |
- *     +-----------------+    (abbreviated)         |
- *     | Server Finished | -------------------------+
- *     +-----------------+
- *            | (full)
- *            v
- *        END (Full handshake)
- *
- *
- * The scenarios of the use of this class:
- * 1. Create an instance of HandshakeStateManager during the initializtion
- *    handshake.
- * 2. If receiving a handshake message, call HandshakeStateManager.check()
- *    to make sure that the message is of the expected handshake type.  And
- *    then call HandshakeStateManager.update() in case handshake states may
- *    be impacted by this new incoming handshake message.
- * 3. On delivering a handshake message, call HandshakeStateManager.update()
- *    in case handshake states may by thie new outgoing handshake message.
- * 4. On receiving and delivering ChangeCipherSpec message, call
- *    HandshakeStateManager.changeCipherSpec() to check the present sequence
- *    of this message, and update the states if necessary.
- */
-final class HandshakeStateManager {
-    // upcoming handshake states.
-    private LinkedList<HandshakeState> upcomingStates;
-    private LinkedList<HandshakeState> alternatives;
-
-    private boolean isDTLS;
-
-    private static final boolean debugIsOn;
-
-    private static final HashMap<Byte, String> handshakeTypes;
-
-    static {
-        debugIsOn = (Handshaker.debug != null) &&
-                Debug.isOn("handshake") && Debug.isOn("verbose");
-        handshakeTypes = new HashMap<>(15);
-
-        handshakeTypes.put(ht_hello_request,            "hello_request");
-        handshakeTypes.put(ht_client_hello,             "client_hello");
-        handshakeTypes.put(ht_server_hello,             "server_hello");
-        handshakeTypes.put(ht_hello_verify_request,     "hello_verify_request");
-        handshakeTypes.put(ht_new_session_ticket,       "session_ticket");
-        handshakeTypes.put(ht_certificate,              "certificate");
-        handshakeTypes.put(ht_server_key_exchange,      "server_key_exchange");
-        handshakeTypes.put(ht_certificate_request,      "certificate_request");
-        handshakeTypes.put(ht_server_hello_done,        "server_hello_done");
-        handshakeTypes.put(ht_certificate_verify,       "certificate_verify");
-        handshakeTypes.put(ht_client_key_exchange,      "client_key_exchange");
-        handshakeTypes.put(ht_finished,                 "finished");
-        handshakeTypes.put(ht_certificate_url,          "certificate_url");
-        handshakeTypes.put(ht_certificate_status,       "certificate_status");
-        handshakeTypes.put(ht_supplemental_data,        "supplemental_data");
-    }
-
-    HandshakeStateManager(boolean isDTLS) {
-        this.upcomingStates = new LinkedList<>();
-        this.alternatives = new LinkedList<>();
-        this.isDTLS = isDTLS;
-    }
-
-    //
-    // enumation of handshake type
-    //
-    static enum HandshakeState {
-        HS_HELLO_REQUEST(
-                "hello_request",
-                HandshakeMessage.ht_hello_request),
-        HS_CLIENT_HELLO(
-                "client_hello",
-                HandshakeMessage.ht_client_hello),
-        HS_HELLO_VERIFY_REQUEST(
-                "hello_verify_request",
-                HandshakeMessage.ht_hello_verify_request),
-        HS_SERVER_HELLO(
-                "server_hello",
-                HandshakeMessage.ht_server_hello),
-        HS_SERVER_SUPPLEMENTAL_DATA(
-                "server supplemental_data",
-                HandshakeMessage.ht_supplemental_data, true),
-        HS_SERVER_CERTIFICATE(
-                "server certificate",
-                HandshakeMessage.ht_certificate),
-        HS_CERTIFICATE_STATUS(
-                "certificate_status",
-                HandshakeMessage.ht_certificate_status, true),
-        HS_SERVER_KEY_EXCHANGE(
-                "server_key_exchange",
-                HandshakeMessage.ht_server_key_exchange, true),
-        HS_CERTIFICATE_REQUEST(
-                "certificate_request",
-                HandshakeMessage.ht_certificate_request, true),
-        HS_SERVER_HELLO_DONE(
-                "server_hello_done",
-                HandshakeMessage.ht_server_hello_done),
-        HS_CLIENT_SUPPLEMENTAL_DATA(
-                "client supplemental_data",
-                HandshakeMessage.ht_supplemental_data, true),
-        HS_CLIENT_CERTIFICATE(
-                "client certificate",
-                HandshakeMessage.ht_certificate, true),
-        HS_CERTIFICATE_URL(
-                "certificate_url",
-                HandshakeMessage.ht_certificate_url, true),
-        HS_CLIENT_KEY_EXCHANGE(
-                "client_key_exchange",
-                HandshakeMessage.ht_client_key_exchange),
-        HS_CERTIFICATE_VERIFY(
-                "certificate_verify",
-                HandshakeMessage.ht_certificate_verify, true),
-        HS_CLIENT_CHANGE_CIPHER_SPEC(
-                "client change_cipher_spec",
-                HandshakeMessage.ht_not_applicable),
-        HS_CLEINT_FINISHED(
-                "client finished",
-                HandshakeMessage.ht_finished),
-        HS_NEW_SESSION_TICKET(
-                "session_ticket",
-                HandshakeMessage.ht_new_session_ticket),
-        HS_SERVER_CHANGE_CIPHER_SPEC(
-                "server change_cipher_spec",
-                HandshakeMessage.ht_not_applicable),
-        HS_SERVER_FINISHED(
-                "server finished",
-                HandshakeMessage.ht_finished);
-
-        final String description;
-        final byte handshakeType;
-        final boolean isOptional;
-
-        HandshakeState(String description, byte handshakeType) {
-            this.description = description;
-            this.handshakeType = handshakeType;
-            this.isOptional = false;
-        }
-
-        HandshakeState(String description,
-                byte handshakeType, boolean isOptional) {
-
-            this.description = description;
-            this.handshakeType = handshakeType;
-            this.isOptional = isOptional;
-        }
-
-        public String toString() {
-            return description + "[" + handshakeType + "]" +
-                    (isOptional ? "(optional)" : "");
-        }
-    }
-
-    boolean isEmpty() {
-        return upcomingStates.isEmpty();
-    }
-
-    List<Byte> check(byte handshakeType) throws SSLProtocolException {
-        List<Byte> ignoredOptional = new LinkedList<>();
-        String exceptionMsg =
-                 "Handshake message sequence violation, " + handshakeType;
-
-        if (debugIsOn) {
-            System.out.println(
-                    "check handshake state: " + toString(handshakeType));
-        }
-
-        if (upcomingStates.isEmpty()) {
-            // Is it a kickstart message?
-            if ((handshakeType != HandshakeMessage.ht_hello_request) &&
-                (handshakeType != HandshakeMessage.ht_client_hello)) {
-
-                throw new SSLProtocolException(
-                    "Handshake message sequence violation, " + handshakeType);
-            }
-
-            // It is a kickstart message.
-            return Collections.emptyList();
-        }
-
-        // Ignore the checking for HelloRequest messages as they
-        // may be sent by the server at any time.
-        if (handshakeType == HandshakeMessage.ht_hello_request) {
-            return Collections.emptyList();
-        }
-
-        for (HandshakeState handshakeState : upcomingStates) {
-            if (handshakeState.handshakeType == handshakeType) {
-                // It's the expected next handshake type.
-                return ignoredOptional;
-            }
-
-            if (handshakeState.isOptional) {
-                ignoredOptional.add(handshakeState.handshakeType);
-                continue;
-            } else {
-                for (HandshakeState alternative : alternatives) {
-                    if (alternative.handshakeType == handshakeType) {
-                        return ignoredOptional;
-                    }
-
-                    if (alternative.isOptional) {
-                        continue;
-                    } else {
-                        throw new SSLProtocolException(exceptionMsg);
-                    }
-                }
-            }
-
-            throw new SSLProtocolException(exceptionMsg);
-        }
-
-        // Not an expected Handshake message.
-        throw new SSLProtocolException(
-                "Handshake message sequence violation, " + handshakeType);
-    }
-
-    void update(HandshakeMessage handshakeMessage,
-            boolean isAbbreviated) throws SSLProtocolException {
-
-        byte handshakeType = (byte)handshakeMessage.messageType();
-        String exceptionMsg =
-                 "Handshake message sequence violation, " + handshakeType;
-
-        if (debugIsOn) {
-            System.out.println(
-                    "update handshake state: " + toString(handshakeType));
-        }
-
-        boolean hasPresentState = false;
-        switch (handshakeType) {
-        case HandshakeMessage.ht_hello_request:
-            //
-            // State machine:
-            //     PRESENT: START
-            //        TO  : ClientHello
-            //
-
-            // No old state to update.
-
-            // Add the upcoming states.
-            if (!upcomingStates.isEmpty()) {
-                // A ClientHello message should be followed.
-                upcomingStates.add(HS_CLIENT_HELLO);
-
-            }   // Otherwise, ignore this HelloRequest message.
-
-            break;
-
-        case HandshakeMessage.ht_client_hello:
-            //
-            // State machine:
-            //     PRESENT: START
-            //              HS_CLIENT_HELLO
-            //        TO  : HS_HELLO_VERIFY_REQUEST (DTLS)
-            //              HS_SERVER_HELLO
-            //
-
-            // Check and update the present state.
-            if (!upcomingStates.isEmpty()) {
-                // The current state should be HS_CLIENT_HELLO.
-                HandshakeState handshakeState = upcomingStates.pop();
-                if (handshakeState != HS_CLIENT_HELLO) {
-                    throw new SSLProtocolException(exceptionMsg);
-                }
-            }
-
-            // Add the upcoming states.
-            ClientHello clientHello = (ClientHello)handshakeMessage;
-            if (isDTLS) {
-                // Is it an initial ClientHello message?
-                if (clientHello.cookie == null ||
-                        clientHello.cookie.length == 0) {
-                    // Is it an abbreviated handshake?
-                    if (clientHello.sessionId.length() != 0) {
-                        // A HelloVerifyRequest message or a ServerHello
-                        // message may follow the abbreviated session
-                        // resuming handshake request.
-                        upcomingStates.add(HS_HELLO_VERIFY_REQUEST);
-                        alternatives.add(HS_SERVER_HELLO);
-                    } else {
-                        // A HelloVerifyRequest message should follow
-                        // the initial ClientHello message.
-                        upcomingStates.add(HS_HELLO_VERIFY_REQUEST);
-                    }
-                } else {
-                    // A HelloVerifyRequest may be followed if the cookie
-                    // cannot be verified.
-                    upcomingStates.add(HS_SERVER_HELLO);
-                    alternatives.add(HS_HELLO_VERIFY_REQUEST);
-                }
-            } else {
-                upcomingStates.add(HS_SERVER_HELLO);
-            }
-
-            break;
-
-        case HandshakeMessage.ht_hello_verify_request:
-            //
-            // State machine:
-            //     PRESENT: HS_HELLO_VERIFY_REQUEST
-            //        TO  : HS_CLIENT_HELLO
-            //
-            // Note that this state may have an alternative option.
-
-            // Check and update the present state.
-            if (!upcomingStates.isEmpty()) {
-                // The current state should be HS_HELLO_VERIFY_REQUEST.
-                HandshakeState handshakeState = upcomingStates.pop();
-                HandshakeState alternative = null;
-                if (!alternatives.isEmpty()) {
-                    alternative = alternatives.pop();
-                }
-
-                if ((handshakeState != HS_HELLO_VERIFY_REQUEST) &&
-                        (alternative != HS_HELLO_VERIFY_REQUEST)) {
-
-                    throw new SSLProtocolException(exceptionMsg);
-                }
-            } else {
-                // No present state.
-                throw new SSLProtocolException(exceptionMsg);
-            }
-
-            // Add the upcoming states.
-            upcomingStates.add(HS_CLIENT_HELLO);
-
-            break;
-
-        case HandshakeMessage.ht_server_hello:
-            //
-            // State machine:
-            //     PRESENT: HS_SERVER_HELLO
-            //        TO  :
-            //          Full handshake state stacks
-            //              (ServerHello Flight)
-            //              HS_SERVER_SUPPLEMENTAL_DATA [optional]
-            //          --> HS_SERVER_CERTIFICATE [optional]
-            //          --> HS_CERTIFICATE_STATUS [optional]
-            //          --> HS_SERVER_KEY_EXCHANGE [optional]
-            //          --> HS_CERTIFICATE_REQUEST [optional]
-            //          --> HS_SERVER_HELLO_DONE
-            //              (Client ClientKeyExchange Flight)
-            //          --> HS_CLIENT_SUPPLEMENTAL_DATA [optional]
-            //          --> HS_CLIENT_CERTIFICATE or
-            //              HS_CERTIFICATE_URL
-            //          --> HS_CLIENT_KEY_EXCHANGE
-            //          --> HS_CERTIFICATE_VERIFY [optional]
-            //          --> HS_CLIENT_CHANGE_CIPHER_SPEC
-            //          --> HS_CLEINT_FINISHED
-            //              (Server Finished Flight)
-            //          --> HS_CLIENT_SUPPLEMENTAL_DATA [optional]
-            //
-            //          Abbreviated handshake state stacks
-            //              (Server Finished Flight)
-            //              HS_NEW_SESSION_TICKET
-            //          --> HS_SERVER_CHANGE_CIPHER_SPEC
-            //          --> HS_SERVER_FINISHED
-            //              (Client Finished Flight)
-            //          --> HS_CLIENT_CHANGE_CIPHER_SPEC
-            //          --> HS_CLEINT_FINISHED
-            //
-            // Note that this state may have an alternative option.
-
-            // Check and update the present state.
-            if (!upcomingStates.isEmpty()) {
-                // The current state should be HS_SERVER_HELLO
-                HandshakeState handshakeState = upcomingStates.pop();
-                HandshakeState alternative = null;
-                if (!alternatives.isEmpty()) {
-                    alternative = alternatives.pop();
-                }
-
-                if ((handshakeState != HS_SERVER_HELLO) &&
-                        (alternative != HS_SERVER_HELLO)) {
-
-                    throw new SSLProtocolException(exceptionMsg);
-                }
-            } else {
-                // No present state.
-                throw new SSLProtocolException(exceptionMsg);
-            }
-
-            // Add the upcoming states.
-            ServerHello serverHello = (ServerHello)handshakeMessage;
-            HelloExtensions hes = serverHello.extensions;
-
-
-            // Not support SessionTicket extension yet.
-            //
-            // boolean hasSessionTicketExt =
-            //     (hes.get(HandshakeMessage.ht_new_session_ticket) != null);
-
-            if (isAbbreviated) {
-                // Not support SessionTicket extension yet.
-                //
-                // // Mandatory NewSessionTicket message
-                // if (hasSessionTicketExt) {
-                //     upcomingStates.add(HS_NEW_SESSION_TICKET);
-                // }
-
-                // Mandatory server ChangeCipherSpec and Finished messages
-                upcomingStates.add(HS_SERVER_CHANGE_CIPHER_SPEC);
-                upcomingStates.add(HS_SERVER_FINISHED);
-
-                // Mandatory client ChangeCipherSpec and Finished messages
-                upcomingStates.add(HS_CLIENT_CHANGE_CIPHER_SPEC);
-                upcomingStates.add(HS_CLEINT_FINISHED);
-            } else {
-                // Not support SupplementalData extension yet.
-                //
-                // boolean hasSupplementalDataExt =
-                //     (hes.get(HandshakeMessage.ht_supplemental_data) != null);
-
-                // Not support CertificateURL extension yet.
-                //
-                // boolean hasCertificateUrlExt =
-                //     (hes.get(ExtensionType EXT_CLIENT_CERTIFICATE_URL)
-                //          != null);
-
-                // Not support SupplementalData extension yet.
-                //
-                // // Optional SupplementalData message
-                // if (hasSupplementalDataExt) {
-                //     upcomingStates.add(HS_SERVER_SUPPLEMENTAL_DATA);
-                // }
-
-                // Need server Certificate message or not?
-                KeyExchange keyExchange = serverHello.cipherSuite.keyExchange;
-                if ((keyExchange != K_KRB5) &&
-                        (keyExchange != K_KRB5_EXPORT) &&
-                        (keyExchange != K_DH_ANON) &&
-                        (keyExchange != K_ECDH_ANON)) {
-                    // Mandatory Certificate message
-                    upcomingStates.add(HS_SERVER_CERTIFICATE);
-                }
-
-                // Optional CertificateStatus message
-                if (hes.get(ExtensionType.EXT_STATUS_REQUEST) != null ||
-                        hes.get(ExtensionType.EXT_STATUS_REQUEST_V2) != null) {
-                    upcomingStates.add(HS_CERTIFICATE_STATUS);
-                }
-
-                // Need ServerKeyExchange message or not?
-                if ((keyExchange == K_RSA_EXPORT) ||
-                        (keyExchange == K_DHE_RSA) ||
-                        (keyExchange == K_DHE_DSS) ||
-                        (keyExchange == K_DH_ANON) ||
-                        (keyExchange == K_ECDHE_RSA) ||
-                        (keyExchange == K_ECDHE_ECDSA) ||
-                        (keyExchange == K_ECDH_ANON)) {
-                    // Optional ServerKeyExchange message
-                    upcomingStates.add(HS_SERVER_KEY_EXCHANGE);
-                }
-
-                // Optional CertificateRequest message
-                upcomingStates.add(HS_CERTIFICATE_REQUEST);
-
-                // Mandatory ServerHelloDone message
-                upcomingStates.add(HS_SERVER_HELLO_DONE);
-
-                // Not support SupplementalData extension yet.
-                //
-                // // Optional SupplementalData message
-                // if (hasSupplementalDataExt) {
-                //     upcomingStates.add(HS_CLIENT_SUPPLEMENTAL_DATA);
-                // }
-
-                // Optional client Certificate message
-                upcomingStates.add(HS_CLIENT_CERTIFICATE);
-
-                // Not support CertificateURL extension yet.
-                //
-                // // Alternative CertificateURL message, optional too.
-                // //
-                // // Please put CertificateURL rather than Certificate
-                // // message in the alternatives list.  So that we can
-                // // simplify the process of this alternative pair later.
-                // if (hasCertificateUrlExt) {
-                //     alternatives.add(HS_CERTIFICATE_URL);
-                // }
-
-                // Mandatory ClientKeyExchange message
-                upcomingStates.add(HS_CLIENT_KEY_EXCHANGE);
-
-                // Optional CertificateVerify message
-                upcomingStates.add(HS_CERTIFICATE_VERIFY);
-
-                // Mandatory client ChangeCipherSpec and Finished messages
-                upcomingStates.add(HS_CLIENT_CHANGE_CIPHER_SPEC);
-                upcomingStates.add(HS_CLEINT_FINISHED);
-
-                // Not support SessionTicket extension yet.
-                //
-                // // Mandatory NewSessionTicket message
-                // if (hasSessionTicketExt) {
-                //     upcomingStates.add(HS_NEW_SESSION_TICKET);
-                // }
-
-                // Mandatory server ChangeCipherSpec and Finished messages
-                upcomingStates.add(HS_SERVER_CHANGE_CIPHER_SPEC);
-                upcomingStates.add(HS_SERVER_FINISHED);
-            }
-
-            break;
-
-        case HandshakeMessage.ht_certificate:
-            //
-            // State machine:
-            //     PRESENT: HS_CERTIFICATE_URL or
-            //              HS_CLIENT_CERTIFICATE
-            //        TO  : HS_CLIENT_KEY_EXCHANGE
-            //
-            //     Or
-            //
-            //     PRESENT: HS_SERVER_CERTIFICATE
-            //        TO  : HS_CERTIFICATE_STATUS [optional]
-            //              HS_SERVER_KEY_EXCHANGE [optional]
-            //              HS_CERTIFICATE_REQUEST [optional]
-            //              HS_SERVER_HELLO_DONE
-            //
-            // Note that this state may have an alternative option.
-
-            // Check and update the present state.
-            while (!upcomingStates.isEmpty()) {
-                HandshakeState handshakeState = upcomingStates.pop();
-                if (handshakeState.handshakeType == handshakeType) {
-                    hasPresentState = true;
-
-                    // The current state should be HS_CLIENT_CERTIFICATE or
-                    // HS_SERVER_CERTIFICATE.
-                    //
-                    // Note that we won't put HS_CLIENT_CERTIFICATE into
-                    // the alternative list.
-                    if ((handshakeState != HS_CLIENT_CERTIFICATE) &&
-                            (handshakeState != HS_SERVER_CERTIFICATE)) {
-                        throw new SSLProtocolException(exceptionMsg);
-                    }
-
-                    // Is it an expected client Certificate message?
-                    boolean isClientMessage = false;
-                    if (!upcomingStates.isEmpty()) {
-                        // If the next expected message is ClientKeyExchange,
-                        // this one should be an expected client Certificate
-                        // message.
-                        HandshakeState nextState = upcomingStates.getFirst();
-                        if (nextState == HS_CLIENT_KEY_EXCHANGE) {
-                            isClientMessage = true;
-                        }
-                    }
-
-                    if (isClientMessage) {
-                        if (handshakeState != HS_CLIENT_CERTIFICATE) {
-                            throw new SSLProtocolException(exceptionMsg);
-                        }
-
-                        // Not support CertificateURL extension yet.
-                        /*******************************************
-                        // clear up the alternatives list
-                        if (!alternatives.isEmpty()) {
-                            HandshakeState alternative = alternatives.pop();
-
-                            if (alternative != HS_CERTIFICATE_URL) {
-                                throw new SSLProtocolException(exceptionMsg);
-                            }
-                        }
-                        ********************************************/
-                    } else {
-                        if ((handshakeState != HS_SERVER_CERTIFICATE)) {
-                            throw new SSLProtocolException(exceptionMsg);
-                        }
-                    }
-
-                    break;
-                } else if (!handshakeState.isOptional) {
-                    throw new SSLProtocolException(exceptionMsg);
-                }   // Otherwise, looking for next state track.
-            }
-
-            // No present state.
-            if (!hasPresentState) {
-                throw new SSLProtocolException(exceptionMsg);
-            }
-
-            // no new upcoming states.
-
-            break;
-
-        // Not support CertificateURL extension yet.
-        /*************************************************/
-        case HandshakeMessage.ht_certificate_url:
-            //
-            // State machine:
-            //     PRESENT: HS_CERTIFICATE_URL or
-            //              HS_CLIENT_CERTIFICATE
-            //        TO  : HS_CLIENT_KEY_EXCHANGE
-            //
-            // Note that this state may have an alternative option.
-
-            // Check and update the present state.
-            while (!upcomingStates.isEmpty()) {
-                // The current state should be HS_CLIENT_CERTIFICATE.
-                //
-                // Note that we won't put HS_CLIENT_CERTIFICATE into
-                // the alternative list.
-                HandshakeState handshakeState = upcomingStates.pop();
-                if (handshakeState.handshakeType ==
-                        HS_CLIENT_CERTIFICATE.handshakeType) {
-                    hasPresentState = true;
-
-                    // Look for HS_CERTIFICATE_URL state track.
-                    if (!alternatives.isEmpty()) {
-                        HandshakeState alternative = alternatives.pop();
-
-                        if (alternative != HS_CERTIFICATE_URL) {
-                            throw new SSLProtocolException(exceptionMsg);
-                        }
-                    } else {
-                        // No alternative CertificateUR state track.
-                        throw new SSLProtocolException(exceptionMsg);
-                    }
-
-                    if ((handshakeState != HS_CLIENT_CERTIFICATE)) {
-                        throw new SSLProtocolException(exceptionMsg);
-                    }
-
-                    break;
-                } else if (!handshakeState.isOptional) {
-                    throw new SSLProtocolException(exceptionMsg);
-                }   // Otherwise, looking for next state track.
-
-            }
-
-            // No present state.
-            if (!hasPresentState) {
-                // No present state.
-                throw new SSLProtocolException(exceptionMsg);
-            }
-
-            // no new upcoming states.
-
-            break;
-        /*************************************************/
-
-        default:
-            // Check and update the present state.
-            while (!upcomingStates.isEmpty()) {
-                HandshakeState handshakeState = upcomingStates.pop();
-                if (handshakeState.handshakeType == handshakeType) {
-                    hasPresentState = true;
-                    break;
-                } else if (!handshakeState.isOptional) {
-                    throw new SSLProtocolException(exceptionMsg);
-                }   // Otherwise, looking for next state track.
-            }
-
-            // No present state.
-            if (!hasPresentState) {
-                throw new SSLProtocolException(exceptionMsg);
-            }
-
-            // no new upcoming states.
-        }
-
-        if (debugIsOn) {
-            for (HandshakeState handshakeState : upcomingStates) {
-                System.out.println(
-                    "upcoming handshake states: " + handshakeState);
-            }
-            for (HandshakeState handshakeState : alternatives) {
-                System.out.println(
-                    "upcoming handshake alternative state: " + handshakeState);
-            }
-        }
-    }
-
-    void changeCipherSpec(boolean isInput,
-            boolean isClient) throws SSLProtocolException {
-
-        if (debugIsOn) {
-            System.out.println(
-                    "update handshake state: change_cipher_spec");
-        }
-
-        String exceptionMsg = "ChangeCipherSpec message sequence violation";
-
-        HandshakeState expectedState;
-        if ((isClient && isInput) || (!isClient && !isInput)) {
-            expectedState = HS_SERVER_CHANGE_CIPHER_SPEC;
-        } else {
-            expectedState = HS_CLIENT_CHANGE_CIPHER_SPEC;
-        }
-
-        boolean hasPresentState = false;
-
-        // Check and update the present state.
-        while (!upcomingStates.isEmpty()) {
-            HandshakeState handshakeState = upcomingStates.pop();
-            if (handshakeState == expectedState) {
-                hasPresentState = true;
-                break;
-            } else if (!handshakeState.isOptional) {
-                throw new SSLProtocolException(exceptionMsg);
-            }   // Otherwise, looking for next state track.
-        }
-
-        // No present state.
-        if (!hasPresentState) {
-            throw new SSLProtocolException(exceptionMsg);
-        }
-
-        // no new upcoming states.
-
-        if (debugIsOn) {
-            for (HandshakeState handshakeState : upcomingStates) {
-                System.out.println(
-                    "upcoming handshake states: " + handshakeState);
-            }
-            for (HandshakeState handshakeState : alternatives) {
-                System.out.println(
-                    "upcoming handshake alternative state: " + handshakeState);
-            }
-        }
-    }
-
-    private static String toString(byte handshakeType) {
-        String s = handshakeTypes.get(handshakeType);
-        if (s == null) {
-            s = "unknown";
-        }
-        return (s + "[" + handshakeType + "]");
-    }
-}
-
--- old/src/java.base/share/classes/sun/security/ssl/MAC.java	2018-05-11 15:11:31.483344900 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,199 +0,0 @@
-/*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.security.InvalidKeyException;
-import java.security.NoSuchAlgorithmException;
-
-import java.nio.ByteBuffer;
-
-import javax.crypto.Mac;
-import javax.crypto.SecretKey;
-
-import sun.security.ssl.CipherSuite.MacAlg;
-import static sun.security.ssl.CipherSuite.*;
-import static sun.security.ssl.CipherSuite.MacAlg.*;
-
-/**
- * This class computes the "Message Authentication Code" (MAC) for each
- * SSL stream and block cipher message.  This is essentially a shared-secret
- * signature, used to provide integrity protection for SSL messages.  The
- * MAC is actually one of several keyed hashes, as associated with the cipher
- * suite and protocol version. (SSL v3.0 uses one construct, TLS uses another.)
- *
- * @author David Brownell
- * @author Andreas Sterbenz
- */
-final class MAC extends Authenticator {
-
-    static final MAC TLS_NULL = new MAC(false);
-
-    // Value of the null MAC is fixed
-    private static final byte[] nullMAC = new byte[0];
-
-    // internal identifier for the MAC algorithm
-    private final MacAlg macAlg;
-
-    // JCE Mac object
-    private final Mac mac;
-
-    MAC(boolean isDTLS) {
-        super(isDTLS);
-
-        macAlg = M_NULL;
-        mac = null;
-    }
-
-    /**
-     * Set up, configured for the given MAC type and version.
-     */
-    MAC(MacAlg macAlg, ProtocolVersion protocolVersion, SecretKey key)
-            throws NoSuchAlgorithmException, InvalidKeyException {
-        super(protocolVersion);
-        this.macAlg = macAlg;
-
-        String algorithm;
-
-        // using SSL MAC computation?
-        boolean useSSLMac = (protocolVersion.v < ProtocolVersion.TLS10.v);
-
-        if (macAlg == M_MD5) {
-            algorithm = useSSLMac ? "SslMacMD5" : "HmacMD5";
-        } else if (macAlg == M_SHA) {
-            algorithm = useSSLMac ? "SslMacSHA1" : "HmacSHA1";
-        } else if (macAlg == M_SHA256) {
-            algorithm = "HmacSHA256";    // TLS 1.2+
-        } else if (macAlg == M_SHA384) {
-            algorithm = "HmacSHA384";    // TLS 1.2+
-        } else {
-            throw new RuntimeException("Unknown Mac " + macAlg);
-        }
-
-        mac = JsseJce.getMac(algorithm);
-        mac.init(key);
-    }
-
-    /**
-     * Returns the length of the MAC.
-     */
-    int MAClen() {
-        return macAlg.size;
-    }
-
-    /**
-     * Returns the hash function block length of the MAC alorithm.
-     */
-    int hashBlockLen() {
-        return macAlg.hashBlockSize;
-    }
-
-    /**
-     * Returns the hash function minimal padding length of the MAC alorithm.
-     */
-    int minimalPaddingLen() {
-        return macAlg.minimalPaddingSize;
-    }
-
-    /**
-     * Computes and returns the MAC for the data in this byte array.
-     *
-     * @param type record type
-     * @param buf compressed record on which the MAC is computed
-     * @param offset start of compressed record data
-     * @param len the size of the compressed record
-     * @param isSimulated if true, simulate the MAC computation
-     *
-     * @return the MAC result
-     */
-    final byte[] compute(byte type, byte buf[],
-            int offset, int len, boolean isSimulated) {
-        if (macAlg.size == 0) {
-            return nullMAC;
-        }
-
-        if (!isSimulated) {
-            // Uses the implicit sequence number for the computation.
-            byte[] additional = acquireAuthenticationBytes(type, len, null);
-            mac.update(additional);
-        }
-        mac.update(buf, offset, len);
-
-        return mac.doFinal();
-    }
-
-    /**
-     * Compute and returns the MAC for the remaining data
-     * in this ByteBuffer.
-     *
-     * On return, the bb position == limit, and limit will
-     * have not changed.
-     *
-     * @param type record type
-     * @param bb a ByteBuffer in which the position and limit
-     *          demarcate the data to be MAC'd.
-     * @param isSimulated if true, simulate the MAC computation
-     * @param sequence the explicit sequence number, or null if using
-     *        the implicit sequence number for the computation
-     *
-     * @return the MAC result
-     */
-    final byte[] compute(byte type, ByteBuffer bb,
-            byte[] sequence, boolean isSimulated) {
-
-        if (macAlg.size == 0) {
-            return nullMAC;
-        }
-
-        if (!isSimulated) {
-            // Uses the explicit sequence number for the computation.
-            byte[] additional =
-                    acquireAuthenticationBytes(type, bb.remaining(), sequence);
-            mac.update(additional);
-        }
-        mac.update(bb);
-
-        return mac.doFinal();
-    }
-
-    /**
-     * Compute and returns the MAC for the remaining data
-     * in this ByteBuffer.
-     *
-     * On return, the bb position == limit, and limit will
-     * have not changed.
-     *
-     * @param type record type
-     * @param bb a ByteBuffer in which the position and limit
-     *        demarcate the data to be MAC'd.
-     * @param isSimulated if true, simulate the MAC computation
-     *
-     * @return the MAC result
-     */
-    final byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) {
-        // Uses the implicit sequence number for the computation.
-        return compute(type, bb, null, isSimulated);
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/NamedGroup.java	2018-05-11 15:11:32.467249700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,169 +0,0 @@
-/*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.security.spec.ECParameterSpec;
-import java.security.spec.ECGenParameterSpec;
-import static sun.security.ssl.NamedGroupType.*;
-
-enum NamedGroup {
-    // Elliptic Curves (RFC 4492)
-    //
-    // See sun.security.util.CurveDB for the OIDs
-
-    // NIST K-163
-    SECT163_K1(1, NAMED_GROUP_ECDHE, "sect163k1", "1.3.132.0.1", true),
-
-    SECT163_R1(2, NAMED_GROUP_ECDHE, "sect163r1", "1.3.132.0.2", false),
-
-    // NIST B-163
-    SECT163_R2(3, NAMED_GROUP_ECDHE, "sect163r2", "1.3.132.0.15", true),
-
-    SECT193_R1(4, NAMED_GROUP_ECDHE, "sect193r1", "1.3.132.0.24", false),
-    SECT193_R2(5, NAMED_GROUP_ECDHE, "sect193r2", "1.3.132.0.25", false),
-
-    // NIST K-233
-    SECT233_K1(6, NAMED_GROUP_ECDHE, "sect233k1", "1.3.132.0.26", true),
-
-    // NIST B-233
-    SECT233_R1(7, NAMED_GROUP_ECDHE, "sect233r1", "1.3.132.0.27", true),
-
-    SECT239_K1(8, NAMED_GROUP_ECDHE, "sect239k1", "1.3.132.0.3", false),
-
-    // NIST K-283
-    SECT283_K1(9, NAMED_GROUP_ECDHE, "sect283k1", "1.3.132.0.16", true),
-
-    // NIST B-283
-    SECT283_R1(10, NAMED_GROUP_ECDHE, "sect283r1", "1.3.132.0.17", true),
-
-    // NIST K-409
-    SECT409_K1(11, NAMED_GROUP_ECDHE, "sect409k1", "1.3.132.0.36", true),
-
-    // NIST B-409
-    SECT409_R1(12, NAMED_GROUP_ECDHE, "sect409r1", "1.3.132.0.37", true),
-
-    // NIST K-571
-    SECT571_K1(13, NAMED_GROUP_ECDHE, "sect571k1", "1.3.132.0.38", true),
-
-    // NIST B-571
-    SECT571_R1(14, NAMED_GROUP_ECDHE, "sect571r1", "1.3.132.0.39", true),
-
-    SECP160_K1(15, NAMED_GROUP_ECDHE, "secp160k1", "1.3.132.0.9", false),
-    SECP160_R1(16, NAMED_GROUP_ECDHE, "secp160r1", "1.3.132.0.8", false),
-    SECP160_R2(17, NAMED_GROUP_ECDHE, "secp160r2", "1.3.132.0.30", false),
-    SECP192_K1(18, NAMED_GROUP_ECDHE, "secp192k1", "1.3.132.0.31", false),
-
-    // NIST P-192
-    SECP192_R1(19, NAMED_GROUP_ECDHE, "secp192r1", "1.2.840.10045.3.1.1", true),
-
-    SECP224_K1(20, NAMED_GROUP_ECDHE, "secp224k1", "1.3.132.0.32", false),
-    // NIST P-224
-    SECP224_R1(21, NAMED_GROUP_ECDHE, "secp224r1", "1.3.132.0.33", true),
-
-    SECP256_K1(22, NAMED_GROUP_ECDHE, "secp256k1", "1.3.132.0.10", false),
-
-    // NIST P-256
-    SECP256_R1(23, NAMED_GROUP_ECDHE, "secp256r1", "1.2.840.10045.3.1.7", true),
-
-    // NIST P-384
-    SECP384_R1(24, NAMED_GROUP_ECDHE, "secp384r1", "1.3.132.0.34", true),
-
-    // NIST P-521
-    SECP521_R1(25, NAMED_GROUP_ECDHE, "secp521r1", "1.3.132.0.35", true),
-
-    // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919)
-    FFDHE_2048(256, NAMED_GROUP_FFDHE, "ffdhe2048",  true),
-    FFDHE_3072(257, NAMED_GROUP_FFDHE, "ffdhe3072",  true),
-    FFDHE_4096(258, NAMED_GROUP_FFDHE, "ffdhe4096",  true),
-    FFDHE_6144(259, NAMED_GROUP_FFDHE, "ffdhe6144",  true),
-    FFDHE_8192(260, NAMED_GROUP_FFDHE, "ffdhe8192",  true);
-
-    int             id;
-    NamedGroupType  type;
-    String          name;
-    String          oid;
-    String          algorithm;
-    boolean         isFips;
-
-    // Constructor used for Elliptic Curve Groups (ECDHE)
-    NamedGroup(int id, NamedGroupType type,
-                String name, String oid, boolean isFips) {
-        this.id = id;
-        this.type = type;
-        this.name = name;
-        this.oid = oid;
-        this.algorithm = "EC";
-        this.isFips = isFips;
-    }
-
-    // Constructor used for Finite Field Diffie-Hellman Groups (FFDHE)
-    NamedGroup(int id, NamedGroupType type, String name, boolean isFips) {
-        this.id = id;
-        this.type = type;
-        this.name = name;
-        this.oid = null;
-        this.algorithm = "DiffieHellman";
-        this.isFips = isFips;
-    }
-
-    static NamedGroup valueOf(int id) {
-        for (NamedGroup group : NamedGroup.values()) {
-            if (group.id == id) {
-                return group;
-            }
-        }
-
-        return null;
-    }
-
-    static NamedGroup nameOf(String name) {
-        for (NamedGroup group : NamedGroup.values()) {
-            if (group.name.equals(name)) {
-                return group;
-            }
-        }
-
-        return null;
-    }
-
-    static NamedGroup valueOf(ECParameterSpec params) {
-        String oid = JsseJce.getNamedCurveOid(params);
-        if ((oid != null) && (!oid.isEmpty())) {
-            for (NamedGroup group : NamedGroup.values()) {
-                if (oid.equals(group.oid)) {
-                    return group;
-                }
-            }
-        }
-
-        return null;
-    }
-
-    @Override
-    public String toString() {
-        return this.name;
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/NamedGroupType.java	2018-05-11 15:11:33.469885200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,32 +0,0 @@
-/*
- * Copyright (c) 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-enum NamedGroupType {
-    NAMED_GROUP_ECDHE,          // Elliptic Curve Groups (ECDHE)
-    NAMED_GROUP_FFDHE,          // Finite Field Groups (DHE)
-    NAMED_GROUP_NONE            // No predefined named group
-}
--- old/src/java.base/share/classes/sun/security/ssl/OCSPStatusRequest.java	2018-05-11 15:11:34.453503300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,358 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.nio.ByteBuffer;
-import java.security.cert.Extension;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Collections;
-import javax.net.ssl.SSLException;
-import sun.security.util.DerValue;
-import sun.security.util.DerInputStream;
-import sun.security.util.DerOutputStream;
-import sun.security.provider.certpath.ResponderId;
-
-/*
- * RFC6066 defines the TLS extension,"status_request" (type 0x5),
- * which allows the client to request that the server perform OCSP
- * on the client's behalf.
- *
- * The RFC defines an OCSPStatusRequest structure:
- *
- *      struct {
- *          ResponderID responder_id_list<0..2^16-1>;
- *          Extensions  request_extensions;
- *      } OCSPStatusRequest;
- */
-final class OCSPStatusRequest implements StatusRequest {
-
-    private final List<ResponderId> responderIds;
-    private final List<Extension> extensions;
-    private int encodedLen;
-    private int ridListLen;
-    private int extListLen;
-
-    /**
-     * Construct a default {@code OCSPStatusRequest} object with empty
-     * responder ID and code extension list fields.
-     */
-    OCSPStatusRequest() {
-        responderIds = new ArrayList<>();
-        extensions = new ArrayList<>();
-        encodedLen = this.length();
-    }
-
-    /**
-     * Construct an {@code OCSPStatusRequest} object using the provided
-     *      {@code ResponderId} and {@code Extension} lists.
-     *
-     * @param respIds the list of {@code ResponderId} objects to be placed
-     *      into the {@code OCSPStatusRequest}.  If the user wishes to place
-     *      no {@code ResponderId} objects in the request, either an empty
-     *      {@code List} or {@code null} is acceptable.
-     * @param exts the list of {@code Extension} objects to be placed into
-     *      the {@code OCSPStatusRequest}  If the user wishes to place
-     *      no {@code Extension} objects in the request, either an empty
-     *      {@code List} or {@code null} is acceptable.
-     */
-    OCSPStatusRequest(List<ResponderId> respIds, List<Extension> exts) {
-        responderIds = new ArrayList<>(respIds != null ? respIds :
-                Collections.emptyList());
-        extensions = new ArrayList<>(exts != null ? exts :
-                Collections.emptyList());
-        encodedLen = this.length();
-    }
-
-    /**
-     * Construct an {@code OCSPStatusRequest} object from data read from
-     * a {@code HandshakeInputStream}
-     *
-     * @param s the {@code HandshakeInputStream} providing the encoded data
-     *
-     * @throws IOException if any decoding errors happen during object
-     *      construction.
-     */
-    OCSPStatusRequest(HandshakeInStream in) throws IOException {
-        responderIds = new ArrayList<>();
-        extensions = new ArrayList<>();
-
-        int ridListBytesRemaining = in.getInt16();
-        while (ridListBytesRemaining != 0) {
-            byte[] ridBytes = in.getBytes16();
-            responderIds.add(new ResponderId(ridBytes));
-            ridListBytesRemaining -= (ridBytes.length + 2);
-            // Make sure that no individual responder ID's length caused an
-            // overrun relative to the outer responder ID list length
-            if (ridListBytesRemaining < 0) {
-                throw new SSLException("Responder ID length overflow: " +
-                        "current rid = " + ridBytes.length + ", remaining = " +
-                        ridListBytesRemaining);
-            }
-        }
-
-        int extensionLength = in.getInt16();
-        if (extensionLength > 0) {
-            byte[] extensionData = new byte[extensionLength];
-            in.read(extensionData);
-            DerInputStream dis = new DerInputStream(extensionData);
-            DerValue[] extSeqContents = dis.getSequence(extensionData.length);
-            for (DerValue extDerVal : extSeqContents) {
-                extensions.add(new sun.security.x509.Extension(extDerVal));
-            }
-        }
-    }
-
-    /**
-     * Construct an {@code OCSPStatusRequest} from its encoded form
-     *
-     * @param requestBytes the status request extension bytes
-     *
-     * @throws IOException if any error occurs during decoding
-     */
-    OCSPStatusRequest(byte[] requestBytes) throws IOException {
-        responderIds = new ArrayList<>();
-        extensions = new ArrayList<>();
-        ByteBuffer reqBuf = ByteBuffer.wrap(requestBytes);
-
-        // Get the ResponderId list length
-        encodedLen = requestBytes.length;
-        ridListLen = Short.toUnsignedInt(reqBuf.getShort());
-        int endOfRidList = reqBuf.position() + ridListLen;
-
-        // The end position of the ResponderId list in the ByteBuffer
-        // should be at least 2 less than the end of the buffer.  This
-        // 2 byte defecit is the minimum length required to encode a
-        // zero-length extensions segment.
-        if (reqBuf.limit() - endOfRidList < 2) {
-            throw new SSLException
-                ("ResponderId List length exceeds provided buffer - Len: "
-                 + ridListLen + ", Buffer: " + reqBuf.remaining());
-        }
-
-        while (reqBuf.position() < endOfRidList) {
-            int ridLength = Short.toUnsignedInt(reqBuf.getShort());
-            // Make sure an individual ResponderId length doesn't
-            // run past the end of the ResponderId list portion of the
-            // provided buffer.
-            if (reqBuf.position() + ridLength > endOfRidList) {
-                throw new SSLException
-                    ("ResponderId length exceeds list length - Off: "
-                     + reqBuf.position() + ", Length: " + ridLength
-                     + ", End offset: " + endOfRidList);
-            }
-
-            // Consume/add the ResponderId
-            if (ridLength > 0) {
-                byte[] ridData = new byte[ridLength];
-                reqBuf.get(ridData);
-                responderIds.add(new ResponderId(ridData));
-            }
-        }
-
-        // Get the Extensions length
-        int extensionsLen = Short.toUnsignedInt(reqBuf.getShort());
-
-        // The end of the extensions should also be the end of the
-        // encoded OCSPStatusRequest
-        if (extensionsLen != reqBuf.remaining()) {
-            throw new SSLException("Incorrect extensions length: Read "
-                    + extensionsLen + ", Data length: " + reqBuf.remaining());
-        }
-
-        // Extensions are a SEQUENCE of Extension
-        if (extensionsLen > 0) {
-            byte[] extensionData = new byte[extensionsLen];
-            reqBuf.get(extensionData);
-            DerInputStream dis = new DerInputStream(extensionData);
-            DerValue[] extSeqContents = dis.getSequence(extensionData.length);
-            for (DerValue extDerVal : extSeqContents) {
-                extensions.add(new sun.security.x509.Extension(extDerVal));
-            }
-        }
-    }
-
-    /**
-     * Obtain the length of the {@code OCSPStatusRequest} object in its
-     *      encoded form
-     *
-     * @return the length of the {@code OCSPStatusRequest} object in its
-     *      encoded form
-     */
-    @Override
-    public int length() {
-        // If we've previously calculated encodedLen simply return it
-        if (encodedLen != 0) {
-            return encodedLen;
-        }
-
-        ridListLen = 0;
-        for (ResponderId rid : responderIds) {
-            ridListLen += rid.length() + 2;
-        }
-
-        extListLen = 0;
-        if (!extensions.isEmpty()) {
-            try {
-                DerOutputStream extSequence = new DerOutputStream();
-                DerOutputStream extEncoding = new DerOutputStream();
-                for (Extension ext : extensions) {
-                    ext.encode(extEncoding);
-                }
-                extSequence.write(DerValue.tag_Sequence, extEncoding);
-                extListLen = extSequence.size();
-            } catch (IOException ioe) {
-                // Not sure what to do here
-            }
-        }
-
-        // Total length is the responder ID list length and extensions length
-        // plus each lists' 2-byte length fields.
-        encodedLen = ridListLen + extListLen + 4;
-
-        return encodedLen;
-    }
-
-    /**
-     * Send the encoded {@code OCSPStatusRequest} out through the provided
-     *      {@code HandshakeOutputStream}
-     *
-     * @param s the {@code HandshakeOutputStream} on which to send the encoded
-     *      data
-     *
-     * @throws IOException if any encoding errors occur
-     */
-    @Override
-    public void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(ridListLen);
-        for (ResponderId rid : responderIds) {
-            s.putBytes16(rid.getEncoded());
-        }
-
-        DerOutputStream seqOut = new DerOutputStream();
-        DerOutputStream extBytes = new DerOutputStream();
-
-        if (extensions.size() > 0) {
-            for (Extension ext : extensions) {
-                ext.encode(extBytes);
-            }
-            seqOut.write(DerValue.tag_Sequence, extBytes);
-        }
-        s.putBytes16(seqOut.toByteArray());
-    }
-
-    /**
-     * Determine if a provided {@code OCSPStatusRequest} objects is equal to
-     *      this one.
-     *
-     * @param obj an {@code OCSPStatusRequest} object to be compared against
-     *
-     * @return {@code true} if the objects are equal, {@code false} otherwise.
-     *      Equivalence is established if the lists of responder IDs and
-     *      extensions between the two objects are also equal.
-     */
-    @Override
-    public boolean equals(Object obj) {
-        if (obj == null) {
-            return false;
-        } else if (this == obj) {
-            return true;
-        } else if (obj instanceof OCSPStatusRequest) {
-            OCSPStatusRequest respObj = (OCSPStatusRequest)obj;
-            return responderIds.equals(respObj.getResponderIds()) &&
-                extensions.equals(respObj.getExtensions());
-        }
-
-        return false;
-    }
-
-    /**
-     * Returns the hash code value for this {@code OCSPStatusRequest}
-     *
-     * @return the hash code value for this {@code OCSPStatusRequest}
-     */
-    @Override
-    public int hashCode() {
-        int result = 17;
-
-        result = 31 * result + responderIds.hashCode();
-        result = 31 * result + extensions.hashCode();
-
-        return result;
-    }
-
-    /**
-     * Create a string representation of this {@code OCSPStatusRequest}
-     *
-     * @return a string representation of this {@code OCSPStatusRequest}
-     */
-    @Override
-    public String toString() {
-        StringBuilder sb = new StringBuilder();
-        sb.append("OCSPStatusRequest\n");
-        sb.append("    ResponderIds:");
-
-        if (responderIds.isEmpty()) {
-            sb.append(" <EMPTY>");
-        } else {
-            for (ResponderId rid : responderIds) {
-                sb.append("\n    ").append(rid.toString());
-            }
-        }
-
-        sb.append("\n").append("    Extensions:");
-        if (extensions.isEmpty()) {
-            sb.append(" <EMPTY>");
-        } else {
-            for (Extension ext : extensions) {
-                sb.append("\n    ").append(ext.toString());
-            }
-        }
-
-        return sb.toString();
-    }
-
-    /**
-     * Get the list of {@code ResponderId} objects for this
-     *      {@code OCSPStatusRequest}
-     *
-     * @return an unmodifiable {@code List} of {@code ResponderId} objects
-     */
-    List<ResponderId> getResponderIds() {
-        return Collections.unmodifiableList(responderIds);
-    }
-
-    /**
-     * Get the list of {@code Extension} objects for this
-     *      {@code OCSPStatusRequest}
-     *
-     * @return an unmodifiable {@code List} of {@code Extension} objects
-     */
-    List<Extension> getExtensions() {
-        return Collections.unmodifiableList(extensions);
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/ProtocolList.java	2018-05-11 15:11:35.438321800 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,155 +0,0 @@
-/*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.util.*;
-
-/**
- * A list of ProtocolVersions. Also maintains the list of supported protocols.
- * Instances of this class are immutable. Some member variables are final
- * and can be accessed directly without method accessors.
- *
- * @author  Andreas Sterbenz
- * @since   1.4.1
- */
-final class ProtocolList {
-
-    // the sorted protocol version list
-    private final ArrayList<ProtocolVersion> protocols;
-
-    private String[] protocolNames;
-
-    // the minimum and maximum ProtocolVersions in this list
-    final ProtocolVersion min, max;
-
-    // the format for the hello version to use
-    final ProtocolVersion helloVersion;
-
-    ProtocolList(String[] names) {
-        this(convert(names));
-    }
-
-    ProtocolList(ArrayList<ProtocolVersion> versions) {
-        this.protocols = versions;
-
-        if ((protocols.size() == 1) &&
-                protocols.contains(ProtocolVersion.SSL20Hello)) {
-            throw new IllegalArgumentException("SSLv2Hello cannot be " +
-                "enabled unless at least one other supported version " +
-                "is also enabled.");
-        }
-
-        if (protocols.size() != 0) {
-            Collections.sort(protocols);
-            min = protocols.get(0);
-            max = protocols.get(protocols.size() - 1);
-            helloVersion = protocols.get(0);
-        } else {
-            min = ProtocolVersion.NONE;
-            max = ProtocolVersion.NONE;
-            helloVersion = ProtocolVersion.NONE;
-        }
-    }
-
-    private static ArrayList<ProtocolVersion> convert(String[] names) {
-        if (names == null) {
-            throw new IllegalArgumentException("Protocols may not be null");
-        }
-
-        ArrayList<ProtocolVersion> versions = new ArrayList<>(names.length);
-        for (int i = 0; i < names.length; i++ ) {
-            ProtocolVersion version = ProtocolVersion.valueOf(names[i]);
-            if (versions.contains(version) == false) {
-                versions.add(version);
-            }
-        }
-
-        return versions;
-    }
-
-    /**
-     * Return whether this list contains the specified protocol version.
-     * SSLv2Hello is not a real protocol version we support, we always
-     * return false for it.
-     */
-    boolean contains(ProtocolVersion protocolVersion) {
-        if (protocolVersion == ProtocolVersion.SSL20Hello) {
-            return false;
-        }
-        return protocols.contains(protocolVersion);
-    }
-
-    /**
-     * Return a reference to the internal Collection of CipherSuites.
-     * The Collection MUST NOT be modified.
-     */
-    Collection<ProtocolVersion> collection() {
-        return protocols;
-    }
-
-    /**
-     * Select a protocol version from the list.
-     *
-     * Return the lower of the protocol version of that suggested by
-     * the <code>protocolVersion</code> and the highest version of this
-     * protocol list, or null if no protocol version is available.
-     *
-     * The method is used by TLS server to negotiated the protocol
-     * version between client suggested protocol version in the
-     * client hello and protocol versions supported by the server.
-     */
-    ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) {
-        ProtocolVersion selectedVersion = null;
-        for (ProtocolVersion pv : protocols) {
-            if (pv.compareTo(protocolVersion) > 0) {
-                break;      // Safe to break here as this.protocols is sorted,
-                            // and DTLS and SSL/TLS protocols are not mixed.
-            }
-            selectedVersion = pv;
-        }
-
-        return selectedVersion;
-    }
-
-    /**
-     * Return an array with the names of the ProtocolVersions in this list.
-     */
-    synchronized String[] toStringArray() {
-        if (protocolNames == null) {
-            protocolNames = new String[protocols.size()];
-            int i = 0;
-            for (ProtocolVersion version : protocols) {
-                protocolNames[i++] = version.name;
-            }
-        }
-        return protocolNames.clone();
-    }
-
-    @Override
-    public String toString() {
-        return protocols.toString();
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/SignatureAndHashAlgorithm.java	2018-05-11 15:11:36.415739200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,441 +0,0 @@
-/*
- * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.security.AlgorithmConstraints;
-import java.security.CryptoPrimitive;
-import java.security.PrivateKey;
-import java.security.Security;
-
-import java.util.Set;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.EnumSet;
-import java.util.TreeMap;
-import java.util.Collection;
-import java.util.Collections;
-import java.util.ArrayList;
-
-import sun.security.util.KeyUtil;
-
-/**
- * Signature and hash algorithm.
- *
- * [RFC5246] The client uses the "signature_algorithms" extension to
- * indicate to the server which signature/hash algorithm pairs may be
- * used in digital signatures.  The "extension_data" field of this
- * extension contains a "supported_signature_algorithms" value.
- *
- *     enum {
- *         none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
- *         sha512(6), (255)
- *     } HashAlgorithm;
- *
- *     enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
- *       SignatureAlgorithm;
- *
- *     struct {
- *           HashAlgorithm hash;
- *           SignatureAlgorithm signature;
- *     } SignatureAndHashAlgorithm;
- */
-final class SignatureAndHashAlgorithm {
-
-    // minimum priority for default enabled algorithms
-    static final int SUPPORTED_ALG_PRIORITY_MAX_NUM = 0x00F0;
-
-    // performance optimization
-    private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
-        Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
-
-    // supported pairs of signature and hash algorithm
-    private static final Map<Integer, SignatureAndHashAlgorithm> supportedMap;
-    private static final Map<Integer, SignatureAndHashAlgorithm> priorityMap;
-
-    // the hash algorithm
-    private HashAlgorithm hash;
-
-    // id in 16 bit MSB format, i.e. 0x0603 for SHA512withECDSA
-    private int id;
-
-    // the standard algorithm name, for example "SHA512withECDSA"
-    private String algorithm;
-
-    // Priority for the preference order. The lower the better.
-    //
-    // If the algorithm is unsupported, its priority should be bigger
-    // than SUPPORTED_ALG_PRIORITY_MAX_NUM.
-    private int priority;
-
-    // constructor for supported algorithm
-    private SignatureAndHashAlgorithm(HashAlgorithm hash,
-            SignatureAlgorithm signature, String algorithm, int priority) {
-        this.hash = hash;
-        this.algorithm = algorithm;
-        this.id = ((hash.value & 0xFF) << 8) | (signature.value & 0xFF);
-        this.priority = priority;
-    }
-
-    // constructor for unsupported algorithm
-    private SignatureAndHashAlgorithm(String algorithm, int id, int sequence) {
-        this.hash = HashAlgorithm.valueOf((id >> 8) & 0xFF);
-        this.algorithm = algorithm;
-        this.id = id;
-
-        // add one more to the sequence number, in case that the number is zero
-        this.priority = SUPPORTED_ALG_PRIORITY_MAX_NUM + sequence + 1;
-    }
-
-    // Note that we do not use the sequence argument for supported algorithms,
-    // so please don't sort by comparing the objects read from handshake
-    // messages.
-    static SignatureAndHashAlgorithm valueOf(int hash,
-            int signature, int sequence) {
-        hash &= 0xFF;
-        signature &= 0xFF;
-
-        int id = (hash << 8) | signature;
-        SignatureAndHashAlgorithm signAlg = supportedMap.get(id);
-        if (signAlg == null) {
-            // unsupported algorithm
-            signAlg = new SignatureAndHashAlgorithm(
-                "Unknown (hash:0x" + Integer.toString(hash, 16) +
-                ", signature:0x" + Integer.toString(signature, 16) + ")",
-                id, sequence);
-        }
-
-        return signAlg;
-    }
-
-    int getHashValue() {
-        return (id >> 8) & 0xFF;
-    }
-
-    int getSignatureValue() {
-        return id & 0xFF;
-    }
-
-    String getAlgorithmName() {
-        return algorithm;
-    }
-
-    // return the size of a SignatureAndHashAlgorithm structure in TLS record
-    static int sizeInRecord() {
-        return 2;
-    }
-
-    // Get local supported algorithm collection complying to
-    // algorithm constraints
-    static Collection<SignatureAndHashAlgorithm>
-            getSupportedAlgorithms(AlgorithmConstraints constraints) {
-
-        Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>();
-        for (SignatureAndHashAlgorithm sigAlg : priorityMap.values()) {
-            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
-                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
-                            sigAlg.algorithm, null)) {
-                supported.add(sigAlg);
-            }
-        }
-
-        return supported;
-    }
-
-    // Get supported algorithm collection from an untrusted collection
-    static Collection<SignatureAndHashAlgorithm> getSupportedAlgorithms(
-            AlgorithmConstraints constraints,
-            Collection<SignatureAndHashAlgorithm> algorithms ) {
-        Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>();
-        for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-            if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
-                    constraints.permits(SIGNATURE_PRIMITIVE_SET,
-                                sigAlg.algorithm, null)) {
-                supported.add(sigAlg);
-            }
-        }
-
-        return supported;
-    }
-
-    static String[] getAlgorithmNames(
-            Collection<SignatureAndHashAlgorithm> algorithms) {
-        ArrayList<String> algorithmNames = new ArrayList<>();
-        if (algorithms != null) {
-            for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-                algorithmNames.add(sigAlg.algorithm);
-            }
-        }
-
-        String[] array = new String[algorithmNames.size()];
-        return algorithmNames.toArray(array);
-    }
-
-    static Set<String> getHashAlgorithmNames(
-            Collection<SignatureAndHashAlgorithm> algorithms) {
-        Set<String> algorithmNames = new HashSet<>();
-        if (algorithms != null) {
-            for (SignatureAndHashAlgorithm sigAlg : algorithms) {
-                if (sigAlg.hash.value > 0) {
-                    algorithmNames.add(sigAlg.hash.standardName);
-                }
-            }
-        }
-
-        return algorithmNames;
-    }
-
-    static String getHashAlgorithmName(SignatureAndHashAlgorithm algorithm) {
-        return algorithm.hash.standardName;
-    }
-
-    private static void supports(HashAlgorithm hash,
-            SignatureAlgorithm signature, String algorithm, int priority) {
-
-        SignatureAndHashAlgorithm pair =
-            new SignatureAndHashAlgorithm(hash, signature, algorithm, priority);
-        if (supportedMap.put(pair.id, pair) != null) {
-            throw new RuntimeException(
-                "Duplicate SignatureAndHashAlgorithm definition, id: " +
-                pair.id);
-        }
-        if (priorityMap.put(pair.priority, pair) != null) {
-            throw new RuntimeException(
-                "Duplicate SignatureAndHashAlgorithm definition, priority: " +
-                pair.priority);
-        }
-    }
-
-    static SignatureAndHashAlgorithm getPreferableAlgorithm(
-        Collection<SignatureAndHashAlgorithm> algorithms, String expected) {
-
-        return SignatureAndHashAlgorithm.getPreferableAlgorithm(
-                algorithms, expected, null);
-    }
-
-    static SignatureAndHashAlgorithm getPreferableAlgorithm(
-            Collection<SignatureAndHashAlgorithm> algorithms,
-            String expected, PrivateKey signingKey) {
-
-        int maxDigestLength = getMaxDigestLength(signingKey);
-        for (SignatureAndHashAlgorithm algorithm : algorithms) {
-            int signValue = algorithm.id & 0xFF;
-            if ((expected == null) ||
-                    (expected.equalsIgnoreCase("rsa") &&
-                            signValue == SignatureAlgorithm.RSA.value) ||
-                    (expected.equalsIgnoreCase("dsa") &&
-                            signValue == SignatureAlgorithm.DSA.value) ||
-                    (expected.equalsIgnoreCase("ecdsa") &&
-                            signValue == SignatureAlgorithm.ECDSA.value) ||
-                    (expected.equalsIgnoreCase("ec") &&
-                            signValue == SignatureAlgorithm.ECDSA.value)) {
-
-                if (algorithm.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM &&
-                        algorithm.hash.length <= maxDigestLength) {
-
-                    return algorithm;
-                }
-            }
-        }
-
-        return null;
-    }
-
-    /*
-     * Need to check key length to match the length of hash value
-     */
-    private static int getMaxDigestLength(PrivateKey signingKey) {
-        int maxDigestLength = Integer.MAX_VALUE;
-
-        // only need to check RSA algorithm at present.
-        if (signingKey != null &&
-                "rsa".equalsIgnoreCase(signingKey.getAlgorithm())) {
-            /*
-             * RSA keys of 512 bits have been shown to be practically
-             * breakable, it does not make much sense to use the strong
-             * hash algorithm for keys whose key size less than 512 bits.
-             * So it is not necessary to caculate the required max digest
-             * length exactly.
-             *
-             * If key size is greater than or equals to 768, there is no max
-             * digest length limitation in currect implementation.
-             *
-             * If key size is greater than or equals to 512, but less than
-             * 768, the digest length should be less than or equal to 32 bytes.
-             *
-             * If key size is less than 512, the  digest length should be
-             * less than or equal to 20 bytes.
-             */
-            int keySize = KeyUtil.getKeySize(signingKey);
-            if (keySize >= 768) {
-                maxDigestLength = HashAlgorithm.SHA512.length;
-            } else if ((keySize >= 512) && (keySize < 768)) {
-                maxDigestLength = HashAlgorithm.SHA256.length;
-            } else if ((keySize > 0) && (keySize < 512)) {
-                maxDigestLength = HashAlgorithm.SHA1.length;
-            }   // Otherwise, cannot determine the key size, prefer the most
-                // preferable hash algorithm.
-        }
-
-        return maxDigestLength;
-    }
-
-    static enum HashAlgorithm {
-        UNDEFINED("undefined",        "", -1, -1),
-        NONE(          "none",    "NONE",  0, -1),
-        MD5(            "md5",     "MD5",  1, 16),
-        SHA1(          "sha1",   "SHA-1",  2, 20),
-        SHA224(      "sha224", "SHA-224",  3, 28),
-        SHA256(      "sha256", "SHA-256",  4, 32),
-        SHA384(      "sha384", "SHA-384",  5, 48),
-        SHA512(      "sha512", "SHA-512",  6, 64);
-
-        final String name;  // not the standard signature algorithm name
-                            // except the UNDEFINED, other names are defined
-                            // by TLS 1.2 protocol
-        final String standardName; // the standard MessageDigest algorithm name
-        final int value;
-        final int length;   // digest length in bytes, -1 means not applicable
-
-        private HashAlgorithm(String name, String standardName,
-                int value, int length) {
-            this.name = name;
-            this.standardName = standardName;
-            this.value = value;
-            this.length = length;
-        }
-
-        static HashAlgorithm valueOf(int value) {
-            HashAlgorithm algorithm = UNDEFINED;
-            switch (value) {
-                case 0:
-                    algorithm = NONE;
-                    break;
-                case 1:
-                    algorithm = MD5;
-                    break;
-                case 2:
-                    algorithm = SHA1;
-                    break;
-                case 3:
-                    algorithm = SHA224;
-                    break;
-                case 4:
-                    algorithm = SHA256;
-                    break;
-                case 5:
-                    algorithm = SHA384;
-                    break;
-                case 6:
-                    algorithm = SHA512;
-                    break;
-            }
-
-            return algorithm;
-        }
-    }
-
-    static enum SignatureAlgorithm {
-        UNDEFINED("undefined", -1),
-        ANONYMOUS("anonymous",  0),
-        RSA(            "rsa",  1),
-        DSA(            "dsa",  2),
-        ECDSA(        "ecdsa",  3);
-
-        final String name;  // not the standard signature algorithm name
-                            // except the UNDEFINED, other names are defined
-                            // by TLS 1.2 protocol
-        final int value;
-
-        private SignatureAlgorithm(String name, int value) {
-            this.name = name;
-            this.value = value;
-        }
-
-        static SignatureAlgorithm valueOf(int value) {
-            SignatureAlgorithm algorithm = UNDEFINED;
-            switch (value) {
-                case 0:
-                    algorithm = ANONYMOUS;
-                    break;
-                case 1:
-                    algorithm = RSA;
-                    break;
-                case 2:
-                    algorithm = DSA;
-                    break;
-                case 3:
-                    algorithm = ECDSA;
-                    break;
-            }
-
-            return algorithm;
-        }
-    }
-
-    static {
-        supportedMap = Collections.synchronizedSortedMap(
-            new TreeMap<Integer, SignatureAndHashAlgorithm>());
-        priorityMap = Collections.synchronizedSortedMap(
-            new TreeMap<Integer, SignatureAndHashAlgorithm>());
-
-        synchronized (supportedMap) {
-            int p = SUPPORTED_ALG_PRIORITY_MAX_NUM;
-            supports(HashAlgorithm.MD5,         SignatureAlgorithm.RSA,
-                    "MD5withRSA",           --p);
-            supports(HashAlgorithm.SHA1,        SignatureAlgorithm.DSA,
-                    "SHA1withDSA",          --p);
-            supports(HashAlgorithm.SHA1,        SignatureAlgorithm.RSA,
-                    "SHA1withRSA",          --p);
-            supports(HashAlgorithm.SHA1,        SignatureAlgorithm.ECDSA,
-                    "SHA1withECDSA",        --p);
-
-            if (Security.getProvider("SunMSCAPI") == null) {
-                supports(HashAlgorithm.SHA224,      SignatureAlgorithm.DSA,
-                        "SHA224withDSA",        --p);
-                supports(HashAlgorithm.SHA224,      SignatureAlgorithm.RSA,
-                        "SHA224withRSA",        --p);
-                supports(HashAlgorithm.SHA224,      SignatureAlgorithm.ECDSA,
-                        "SHA224withECDSA",      --p);
-            }
-
-            supports(HashAlgorithm.SHA256,      SignatureAlgorithm.DSA,
-                    "SHA256withDSA",        --p);
-            supports(HashAlgorithm.SHA256,      SignatureAlgorithm.RSA,
-                    "SHA256withRSA",        --p);
-            supports(HashAlgorithm.SHA256,      SignatureAlgorithm.ECDSA,
-                    "SHA256withECDSA",      --p);
-            supports(HashAlgorithm.SHA384,      SignatureAlgorithm.RSA,
-                    "SHA384withRSA",        --p);
-            supports(HashAlgorithm.SHA384,      SignatureAlgorithm.ECDSA,
-                    "SHA384withECDSA",      --p);
-            supports(HashAlgorithm.SHA512,      SignatureAlgorithm.RSA,
-                    "SHA512withRSA",        --p);
-            supports(HashAlgorithm.SHA512,      SignatureAlgorithm.ECDSA,
-                    "SHA512withECDSA",      --p);
-        }
-    }
-}
-
--- old/src/java.base/share/classes/sun/security/ssl/StatusRequest.java	2018-05-11 15:11:37.410492100 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,56 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-
-/*
- * RFC 6066 defines the TLS extension,"status_request" (type 0x5),
- * which allows the client to request that the server perform OCSP
- * on the client's behalf.
- *
- * This class is an interface for multiple types of StatusRequests
- * (e.g. OCSPStatusRequest).
- */
-interface StatusRequest {
-
-    /**
-     * Obtain the length of the {@code StatusRequest} object in encoded form
-     *
-     * @return the length of the {@code StatusRequest} object in encoded form
-     */
-    int length();
-
-    /**
-     * Place the encoded {@code StatusRequest} bytes into the
-     *      {@code HandshakeOutputStream}
-     *
-     * @param s the target {@code HandshakeOutputStream}
-     *
-     * @throws IOException if any encoding error occurs
-     */
-    void send(HandshakeOutStream s) throws IOException;
-}
--- old/src/java.base/share/classes/sun/security/ssl/StatusRequestType.java	2018-05-11 15:11:38.376126200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,66 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.util.ArrayList;
-import java.util.List;
-
-final class StatusRequestType {
-
-    final int id;
-    final String name;
-    static List<StatusRequestType> knownTypes = new ArrayList<>(4);
-
-    private StatusRequestType(int id, String name) {
-        this.id = id;
-        this.name = name;
-    }
-
-    static StatusRequestType get(int id) {
-        for (StatusRequestType ext : knownTypes) {
-            if (ext.id == id) {
-                return ext;
-            }
-        }
-        return new StatusRequestType(id, "type_" + id);
-    }
-
-    private static StatusRequestType e(int id, String name) {
-        StatusRequestType ext = new StatusRequestType(id, name);
-        knownTypes.add(ext);
-        return ext;
-    }
-
-    @Override
-    public String toString() {
-        return (name == null || name.isEmpty()) ?
-                String.format("Unknown (0x%04X", id) : name;
-    }
-
-    // Status request types defined in RFC 6066 and 6961
-    static final StatusRequestType OCSP = e(0x01, "ocsp");
-    static final StatusRequestType OCSP_MULTI = e(0x02, "ocsp_multi");
-}
--- old/src/java.base/share/classes/sun/security/ssl/UnknownExtension.java	2018-05-11 15:11:39.386758300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,60 +0,0 @@
-/*
- * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-
-final class UnknownExtension extends HelloExtension {
-
-    private final byte[] data;
-
-    UnknownExtension(HandshakeInStream s, int len, ExtensionType type)
-            throws IOException {
-        super(type);
-        data = new byte[len];
-        // s.read() does not handle 0-length arrays.
-        if (len != 0) {
-            s.read(data);
-        }
-    }
-
-    @Override
-    int length() {
-        return 4 + data.length;
-    }
-
-    @Override
-    void send(HandshakeOutStream s) throws IOException {
-        s.putInt16(type.id);
-        s.putBytes16(data);
-    }
-
-    @Override
-    public String toString() {
-        return "Unsupported extension " + type + ", data: " +
-            Debug.toString(data);
-    }
-}
--- old/src/java.base/share/classes/sun/security/ssl/UnknownStatusRequest.java	2018-05-11 15:11:40.379219900 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,61 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-
-final class UnknownStatusRequest implements StatusRequest  {
-
-    private final byte[] data;
-
-    UnknownStatusRequest(HandshakeInStream s, int len) throws IOException {
-        data = new byte[len];
-        if (len > 0) {
-            s.read(data);
-        }
-    }
-
-    UnknownStatusRequest(byte[] requestBytes) {
-        data = requestBytes;
-    }
-
-    @Override
-    public int length() {
-        return data.length;
-    }
-
-    @Override
-    public void send(HandshakeOutStream s) throws IOException {
-        // A raw write of the data
-        s.write(data);
-    }
-
-    @Override
-    public String toString() {
-        return "Unsupported StatusRequest, data: " +
-            Debug.toString(data);
-    }
-}
--- old/src/java.security.jgss/share/classes/sun/security/krb5/internal/ssl/KerberosPreMasterSecret.java	2018-05-11 15:11:41.408387000 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,269 +0,0 @@
-/*
- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.krb5.internal.ssl;
-
-import java.io.*;
-import java.security.*;
-import java.util.Arrays;
-
-import javax.net.ssl.*;
-
-import sun.security.krb5.EncryptionKey;
-import sun.security.krb5.EncryptedData;
-import sun.security.krb5.KrbException;
-import sun.security.krb5.internal.crypto.KeyUsage;
-
-import sun.security.ssl.Debug;
-import sun.security.ssl.HandshakeInStream;
-import sun.security.ssl.HandshakeMessage;
-import sun.security.ssl.ProtocolVersion;
-
-/**
- * This is the Kerberos premaster secret in the Kerberos client key
- * exchange message (CLIENT --> SERVER); it holds the
- * Kerberos-encrypted pre-master secret. The secret is encrypted using the
- * Kerberos session key.  The padding and size of the resulting message
- * depends on the session key type, but the pre-master secret is
- * always exactly 48 bytes.
- *
- */
-final class KerberosPreMasterSecret {
-
-    private ProtocolVersion protocolVersion; // preMaster [0,1]
-    private byte[] preMaster;           // 48 bytes
-    private byte[] encrypted;
-
-    /**
-     * Constructor used by client to generate premaster secret.
-     *
-     * Client randomly creates a pre-master secret and encrypts it
-     * using the Kerberos session key; only the server can decrypt
-     * it, using the session key available in the service ticket.
-     *
-     * @param protocolVersion used to set preMaster[0,1]
-     * @param generator random number generator for generating premaster secret
-     * @param sessionKey Kerberos session key for encrypting premaster secret
-     */
-    KerberosPreMasterSecret(ProtocolVersion protocolVersion,
-            SecureRandom generator, EncryptionKey sessionKey) throws IOException {
-
-        if (sessionKey.getEType() ==
-                EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) {
-            throw new IOException(
-                    "session keys with des3-cbc-hmac-sha1-kd encryption type " +
-                            "are not supported for TLS Kerberos cipher suites");
-        }
-
-        this.protocolVersion = protocolVersion;
-        preMaster = generatePreMaster(generator, protocolVersion);
-
-        // Encrypt premaster secret
-        try {
-            EncryptedData eData = new EncryptedData(sessionKey, preMaster,
-                    KeyUsage.KU_UNKNOWN);
-            encrypted = eData.getBytes();  // not ASN.1 encoded.
-
-        } catch (KrbException e) {
-            throw (SSLKeyException)new SSLKeyException
-                    ("Kerberos premaster secret error").initCause(e);
-        }
-    }
-
-    /*
-     * Constructor used by server to decrypt encrypted premaster secret.
-     * The protocol version in preMaster[0,1] must match either currentVersion
-     * or clientVersion, otherwise, the premaster secret is set to
-     * a random one to foil possible attack.
-     *
-     * @param currentVersion version of protocol being used
-     * @param clientVersion version requested by client
-     * @param generator random number generator used to generate
-     *        bogus premaster secret if premaster secret verification fails
-     * @param input input stream from which to read the encrypted
-     *        premaster secret
-     * @param sessionKey Kerberos session key to be used for decryption
-     */
-    KerberosPreMasterSecret(ProtocolVersion currentVersion,
-            ProtocolVersion clientVersion,
-            SecureRandom generator, byte[] encrypted,
-            EncryptionKey sessionKey) throws IOException {
-
-        if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-            if (encrypted != null) {
-                Debug.println(System.out,
-                        "encrypted premaster secret", encrypted);
-            }
-        }
-
-        if (sessionKey.getEType() ==
-                EncryptedData.ETYPE_DES3_CBC_HMAC_SHA1_KD) {
-            throw new IOException(
-                    "session keys with des3-cbc-hmac-sha1-kd encryption type " +
-                            "are not supported for TLS Kerberos cipher suites");
-        }
-
-        // Decrypt premaster secret
-        try {
-            EncryptedData data = new EncryptedData(sessionKey.getEType(),
-                    null /* optional kvno */, encrypted);
-
-            byte[] temp = data.decrypt(sessionKey, KeyUsage.KU_UNKNOWN);
-            if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-                if (encrypted != null) {
-                    Debug.println(System.out,
-                            "decrypted premaster secret", temp);
-                }
-            }
-
-            // Remove padding bytes after decryption. Only DES and DES3 have
-            // paddings and we don't support DES3 in TLS (see above)
-
-            if (temp.length == 52 &&
-                    data.getEType() == EncryptedData.ETYPE_DES_CBC_CRC) {
-                // For des-cbc-crc, 4 paddings. Value can be 0x04 or 0x00.
-                if (paddingByteIs(temp, 52, (byte)4) ||
-                        paddingByteIs(temp, 52, (byte)0)) {
-                    temp = Arrays.copyOf(temp, 48);
-                }
-            } else if (temp.length == 56 &&
-                    data.getEType() == EncryptedData.ETYPE_DES_CBC_MD5) {
-                // For des-cbc-md5, 8 paddings with 0x08, or no padding
-                if (paddingByteIs(temp, 56, (byte)8)) {
-                    temp = Arrays.copyOf(temp, 48);
-                }
-            }
-
-            preMaster = temp;
-
-            protocolVersion = ProtocolVersion.valueOf(preMaster[0],
-                    preMaster[1]);
-            if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-                System.out.println("Kerberos PreMasterSecret version: "
-                        + protocolVersion);
-            }
-        } catch (Exception e) {
-            // catch exception & process below
-            preMaster = null;
-            protocolVersion = currentVersion;
-        }
-
-        // check if the premaster secret version is ok
-        // the specification says that it must be the maximum version supported
-        // by the client from its ClientHello message. However, many
-        // old implementations send the negotiated version, so accept both
-        // for SSL v3.0 and TLS v1.0.
-        // NOTE that we may be comparing two unsupported version numbers in
-        // the second case, which is why we cannot use object references
-        // equality in this special case
-        boolean versionMismatch = (protocolVersion.v != clientVersion.v);
-
-        /*
-         * we never checked the client_version in server side
-         * for TLS v1.0 and SSL v3.0. For compatibility, we
-         * maintain this behavior.
-         */
-        if (versionMismatch && (clientVersion.v <= 0x0301)) {
-            versionMismatch = (protocolVersion.v != currentVersion.v);
-        }
-
-        /*
-         * Bogus decrypted ClientKeyExchange? If so, conjure a
-         * a random preMaster secret that will fail later during
-         * Finished message processing. This is a countermeasure against
-         * the "interactive RSA PKCS#1 encryption envelop attack" reported
-         * in June 1998. Preserving the executation path will
-         * mitigate timing attacks and force consistent error handling
-         * that will prevent an attacking client from differentiating
-         * different kinds of decrypted ClientKeyExchange bogosities.
-         */
-        if ((preMaster == null) || (preMaster.length != 48)
-                || versionMismatch) {
-            if (HandshakeMessage.debug != null && Debug.isOn("handshake")) {
-                System.out.println("Kerberos PreMasterSecret error, "
-                        + "generating random secret");
-                if (preMaster != null) {
-                    Debug.println(System.out, "Invalid secret", preMaster);
-                }
-            }
-
-            /*
-             * Randomize the preMaster secret with the
-             * ClientHello.client_version, as will produce invalid master
-             * secret to prevent the attacks.
-             */
-            preMaster = generatePreMaster(generator, clientVersion);
-            protocolVersion = clientVersion;
-        }
-    }
-
-    /**
-     * Checks if all paddings of data are b
-     * @param data the block with padding
-     * @param len length of data, >= 48
-     * @param b expected padding byte
-     */
-    private static boolean paddingByteIs(byte[] data, int len, byte b) {
-        for (int i=48; i<len; i++) {
-            if (data[i] != b) return false;
-        }
-        return true;
-    }
-
-    /*
-     * Used by server to generate premaster secret in case of
-     * problem decoding ticket.
-     *
-     * @param protocolVersion used for preMaster[0,1]
-     * @param generator random number generator to use for generating secret.
-     */
-    KerberosPreMasterSecret(ProtocolVersion protocolVersion,
-            SecureRandom generator) {
-
-        this.protocolVersion = protocolVersion;
-        preMaster = generatePreMaster(generator, protocolVersion);
-    }
-
-    private static byte[] generatePreMaster(SecureRandom rand,
-            ProtocolVersion ver) {
-
-        byte[] pm = new byte[48];
-        rand.nextBytes(pm);
-        pm[0] = ver.major;
-        pm[1] = ver.minor;
-
-        return pm;
-    }
-
-    // Clone not needed; internal use only
-    byte[] getUnencrypted() {
-        return preMaster;
-    }
-
-    // Clone not needed; internal use only
-    byte[] getEncrypted() {
-        return encrypted;
-    }
-}
--- old/src/java.security.jgss/share/classes/sun/security/krb5/internal/ssl/Krb5KeyExchangeService.java	2018-05-11 15:11:42.417360200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,563 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.  Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.krb5.internal.ssl;
-
-import sun.security.ssl.ClientKeyExchange;
-import sun.security.ssl.Debug;
-import sun.security.ssl.ClientKeyExchangeService;
-import sun.security.ssl.HandshakeOutStream;
-
-import sun.security.jgss.GSSCaller;
-import sun.security.jgss.krb5.Krb5Util;
-import sun.security.jgss.krb5.ServiceCreds;
-import sun.security.krb5.EncryptedData;
-import sun.security.krb5.EncryptionKey;
-import sun.security.krb5.KrbException;
-import sun.security.krb5.PrincipalName;
-import sun.security.krb5.internal.EncTicketPart;
-import sun.security.krb5.internal.Ticket;
-import sun.security.krb5.internal.crypto.KeyUsage;
-import sun.security.ssl.ProtocolVersion;
-
-import javax.crypto.SecretKey;
-import javax.crypto.spec.SecretKeySpec;
-import javax.security.auth.Subject;
-import javax.security.auth.kerberos.KerberosKey;
-import javax.security.auth.kerberos.KerberosPrincipal;
-import javax.security.auth.kerberos.KerberosTicket;
-import javax.security.auth.kerberos.KeyTab;
-import javax.security.auth.kerberos.ServicePermission;
-import java.io.IOException;
-import java.io.PrintStream;
-import java.net.InetAddress;
-import java.security.AccessControlContext;
-import java.security.AccessController;
-import java.security.Principal;
-import java.security.PrivilegedAction;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.security.SecureRandom;
-import java.util.Set;
-
-/**
- * The provider for TLS_KRB_ cipher suites.
- *
- * @since 9
- */
-public class Krb5KeyExchangeService implements ClientKeyExchangeService {
-
-    public static final Debug debug = Debug.getInstance("ssl");
-
-    @Override
-    public String[] supported() {
-        return new String[] { "KRB5", "KRB5_EXPORT" };
-    }
-
-    @Override
-    public Object getServiceCreds(AccessControlContext acc) {
-        try {
-            ServiceCreds serviceCreds = AccessController.doPrivileged(
-                    (PrivilegedExceptionAction<ServiceCreds>)
-                            () -> Krb5Util.getServiceCreds(
-                                    GSSCaller.CALLER_SSL_SERVER, null, acc));
-            if (serviceCreds == null) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Kerberos serviceCreds not available");
-                }
-                return null;
-            }
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("Using Kerberos creds");
-            }
-            String serverPrincipal = serviceCreds.getName();
-            if (serverPrincipal != null) {
-                // When service is bound, we check ASAP. Otherwise,
-                // will check after client request is received
-                // in in Kerberos ClientKeyExchange
-                SecurityManager sm = System.getSecurityManager();
-                try {
-                    if (sm != null) {
-                        // Eliminate dependency on ServicePermission
-                        sm.checkPermission(new ServicePermission(
-                                serverPrincipal, "accept"), acc);
-                    }
-                } catch (SecurityException se) {
-                    if (debug != null && Debug.isOn("handshake")) {
-                        System.out.println("Permission to access Kerberos"
-                                + " secret key denied");
-                    }
-                    return null;
-                }
-            }
-            return serviceCreds;
-        } catch (PrivilegedActionException e) {
-            // Likely exception here is LoginException
-            if (debug != null && Debug.isOn("handshake")) {
-                System.out.println("Attempt to obtain Kerberos key failed: "
-                        + e.toString());
-            }
-            return null;
-        }
-    }
-
-    @Override
-    public String getServiceHostName(Principal principal) {
-        if (principal == null) {
-            return null;
-        }
-        String hostName = null;
-        try {
-            PrincipalName princName =
-                    new PrincipalName(principal.getName(),
-                            PrincipalName.KRB_NT_SRV_HST);
-            String[] nameParts = princName.getNameStrings();
-            if (nameParts.length >= 2) {
-                hostName = nameParts[1];
-            }
-        } catch (Exception e) {
-            // ignore
-        }
-        return hostName;
-    }
-
-
-    @Override
-    public boolean isRelated(boolean isClient,
-            AccessControlContext acc, Principal p) {
-
-        if (p == null) return false;
-        try {
-            Subject subject = AccessController.doPrivileged(
-                    (PrivilegedExceptionAction<Subject>)
-                            () -> Krb5Util.getSubject(
-                                    isClient ? GSSCaller.CALLER_SSL_CLIENT
-                                            : GSSCaller.CALLER_SSL_SERVER,
-                                    acc));
-            if (subject == null) {
-                if (debug != null && Debug.isOn("session")) {
-                    System.out.println("Kerberos credentials are" +
-                            " not present in the current Subject;" +
-                            " check if " +
-                            " javax.security.auth.useSubjectAsCreds" +
-                            " system property has been set to false");
-                }
-                return false;
-            }
-            Set<Principal> principals =
-                    subject.getPrincipals(Principal.class);
-            if (principals.contains(p)) {
-                // bound to this principal
-                return true;
-            } else {
-                if (isClient) {
-                    return false;
-                } else {
-                    for (KeyTab pc : subject.getPrivateCredentials(KeyTab.class)) {
-                        if (!pc.isBound()) {
-                            return true;
-                        }
-                    }
-                    return false;
-                }
-            }
-        } catch (PrivilegedActionException pae) {
-            if (debug != null && Debug.isOn("session")) {
-                System.out.println("Attempt to obtain" +
-                        " subject failed! " + pae);
-            }
-            return false;
-        }
-
-    }
-
-    public ClientKeyExchange createClientExchange(
-            String serverName, AccessControlContext acc,
-            ProtocolVersion protocolVerson, SecureRandom rand) throws IOException {
-        return new ExchangerImpl(serverName, acc, protocolVerson, rand);
-    }
-
-    public ClientKeyExchange createServerExchange(
-            ProtocolVersion protocolVersion, ProtocolVersion clientVersion,
-            SecureRandom rand, byte[] encodedTicket, byte[] encrypted,
-            AccessControlContext acc, Object serviceCreds) throws IOException {
-        return new ExchangerImpl(protocolVersion, clientVersion, rand,
-                encodedTicket, encrypted, acc, serviceCreds);
-    }
-
-    static class ExchangerImpl extends ClientKeyExchange {
-
-        final private KerberosPreMasterSecret preMaster;
-        final private byte[] encodedTicket;
-        final private KerberosPrincipal peerPrincipal;
-        final private KerberosPrincipal localPrincipal;
-
-        @Override
-        public int messageLength() {
-            return encodedTicket.length + preMaster.getEncrypted().length + 6;
-        }
-
-        @Override
-        public void send(HandshakeOutStream s) throws IOException {
-            s.putBytes16(encodedTicket);
-            s.putBytes16(null);
-            s.putBytes16(preMaster.getEncrypted());
-        }
-
-        @Override
-        public void print(PrintStream s) throws IOException {
-            s.println("*** ClientKeyExchange, Kerberos");
-
-            if (debug != null && Debug.isOn("verbose")) {
-                Debug.println(s, "Kerberos service ticket", encodedTicket);
-                Debug.println(s, "Random Secret", preMaster.getUnencrypted());
-                Debug.println(s, "Encrypted random Secret", preMaster.getEncrypted());
-            }
-        }
-
-        ExchangerImpl(String serverName, AccessControlContext acc,
-                ProtocolVersion protocolVersion, SecureRandom rand) throws IOException {
-
-            // Get service ticket
-            KerberosTicket ticket = getServiceTicket(serverName, acc);
-            encodedTicket = ticket.getEncoded();
-
-            // Record the Kerberos principals
-            peerPrincipal = ticket.getServer();
-            localPrincipal = ticket.getClient();
-
-            // Optional authenticator, encrypted using session key,
-            // currently ignored
-
-            // Generate premaster secret and encrypt it using session key
-            EncryptionKey sessionKey = new EncryptionKey(
-                    ticket.getSessionKeyType(),
-                    ticket.getSessionKey().getEncoded());
-
-            preMaster = new KerberosPreMasterSecret(protocolVersion,
-                    rand, sessionKey);
-        }
-
-        ExchangerImpl(
-                ProtocolVersion protocolVersion, ProtocolVersion clientVersion, SecureRandom rand,
-                byte[] encodedTicket, byte[] encrypted,
-                AccessControlContext acc, Object serviceCreds) throws IOException {
-
-            // Read ticket
-            this.encodedTicket = encodedTicket;
-
-            if (debug != null && Debug.isOn("verbose")) {
-                Debug.println(System.out,
-                        "encoded Kerberos service ticket", encodedTicket);
-            }
-
-            EncryptionKey sessionKey = null;
-            KerberosPrincipal tmpPeer = null;
-            KerberosPrincipal tmpLocal = null;
-
-            try {
-                Ticket t = new Ticket(encodedTicket);
-
-                EncryptedData encPart = t.encPart;
-                PrincipalName ticketSname = t.sname;
-
-                final ServiceCreds creds = (ServiceCreds)serviceCreds;
-                final KerberosPrincipal princ =
-                        new KerberosPrincipal(ticketSname.toString());
-
-                // For bound service, permission already checked at setup
-                if (creds.getName() == null) {
-                    SecurityManager sm = System.getSecurityManager();
-                    try {
-                        if (sm != null) {
-                            // Eliminate dependency on ServicePermission
-                            sm.checkPermission(new ServicePermission(
-                                    ticketSname.toString(), "accept"), acc);
-                        }
-                    } catch (SecurityException se) {
-                        serviceCreds = null;
-                        // Do not destroy keys. Will affect Subject
-                        if (debug != null && Debug.isOn("handshake")) {
-                            System.out.println("Permission to access Kerberos"
-                                    + " secret key denied");
-                            se.printStackTrace(System.out);
-                        }
-                        throw new IOException("Kerberos service not allowedy");
-                    }
-                }
-                KerberosKey[] serverKeys = AccessController.doPrivileged(
-                        new PrivilegedAction<KerberosKey[]>() {
-                            @Override
-                            public KerberosKey[] run() {
-                                return creds.getKKeys(princ);
-                            }
-                        });
-                if (serverKeys.length == 0) {
-                    throw new IOException("Found no key for " + princ +
-                            (creds.getName() == null ? "" :
-                                    (", this keytab is for " + creds.getName() + " only")));
-                }
-
-                /*
-                 * permission to access and use the secret key of the Kerberized
-                 * "host" service is done in ServerHandshaker.getKerberosKeys()
-                 * to ensure server has the permission to use the secret key
-                 * before promising the client
-                 */
-
-                // See if we have the right key to decrypt the ticket to get
-                // the session key.
-                int encPartKeyType = encPart.getEType();
-                Integer encPartKeyVersion = encPart.getKeyVersionNumber();
-                KerberosKey dkey = null;
-                try {
-                    dkey = findKey(encPartKeyType, encPartKeyVersion, serverKeys);
-                } catch (KrbException ke) { // a kvno mismatch
-                    throw new IOException(
-                            "Cannot find key matching version number", ke);
-                }
-                if (dkey == null) {
-                    // %%% Should print string repr of etype
-                    throw new IOException("Cannot find key of appropriate type" +
-                            " to decrypt ticket - need etype " + encPartKeyType);
-                }
-
-                EncryptionKey secretKey = new EncryptionKey(
-                        encPartKeyType,
-                        dkey.getEncoded());
-
-                // Decrypt encPart using server's secret key
-                byte[] bytes = encPart.decrypt(secretKey, KeyUsage.KU_TICKET);
-
-                // Reset data stream after decryption, remove redundant bytes
-                byte[] temp = encPart.reset(bytes);
-                EncTicketPart encTicketPart = new EncTicketPart(temp);
-
-                // Record the Kerberos Principals
-                tmpPeer = new KerberosPrincipal(encTicketPart.cname.getName());
-                tmpLocal = new KerberosPrincipal(ticketSname.getName());
-
-                sessionKey = encTicketPart.key;
-
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("server principal: " + ticketSname);
-                    System.out.println("cname: " + encTicketPart.cname.toString());
-                }
-            } catch (IOException e) {
-                throw e;
-            } catch (Exception e) {
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("KerberosWrapper error getting session key,"
-                            + " generating random secret (" + e.getMessage() + ")");
-                }
-                sessionKey = null;
-            }
-
-            //input.getBytes16();   // XXX Read and ignore authenticator
-
-            if (sessionKey != null) {
-                preMaster = new KerberosPreMasterSecret(protocolVersion,
-                        clientVersion, rand, encrypted, sessionKey);
-            } else {
-                // Generate bogus premaster secret
-                preMaster = new KerberosPreMasterSecret(clientVersion, rand);
-            }
-
-            peerPrincipal = tmpPeer;
-            localPrincipal = tmpLocal;
-        }
-
-        // Similar to sun.security.jgss.krb5.Krb5InitCredenetial/Krb5Context
-        private static KerberosTicket getServiceTicket(String serverName,
-                final AccessControlContext acc) throws IOException {
-
-            if ("localhost".equals(serverName) ||
-                    "localhost.localdomain".equals(serverName)) {
-
-                if (debug != null && Debug.isOn("handshake")) {
-                    System.out.println("Get the local hostname");
-                }
-                String localHost = java.security.AccessController.doPrivileged(
-                        new java.security.PrivilegedAction<String>() {
-                            public String run() {
-                                try {
-                                    return InetAddress.getLocalHost().getHostName();
-                                } catch (java.net.UnknownHostException e) {
-                                    if (debug != null && Debug.isOn("handshake")) {
-                                        System.out.println("Warning,"
-                                                + " cannot get the local hostname: "
-                                                + e.getMessage());
-                                    }
-                                    return null;
-                                }
-                            }
-                        });
-                if (localHost != null) {
-                    serverName = localHost;
-                }
-            }
-
-            // Resolve serverName (possibly in IP addr form) to Kerberos principal
-            // name for service with hostname
-            String serviceName = "host/" + serverName;
-            PrincipalName principal;
-            try {
-                principal = new PrincipalName(serviceName,
-                        PrincipalName.KRB_NT_SRV_HST);
-            } catch (SecurityException se) {
-                throw se;
-            } catch (Exception e) {
-                IOException ioe = new IOException("Invalid service principal" +
-                        " name: " + serviceName);
-                ioe.initCause(e);
-                throw ioe;
-            }
-            String realm = principal.getRealmAsString();
-
-            final String serverPrincipal = principal.toString();
-            final String tgsPrincipal = "krbtgt/" + realm + "@" + realm;
-            final String clientPrincipal = null;  // use default
-
-
-            // check permission to obtain a service ticket to initiate a
-            // context with the "host" service
-            SecurityManager sm = System.getSecurityManager();
-            if (sm != null) {
-                sm.checkPermission(new ServicePermission(serverPrincipal,
-                        "initiate"), acc);
-            }
-
-            try {
-                KerberosTicket ticket = AccessController.doPrivileged(
-                        new PrivilegedExceptionAction<KerberosTicket>() {
-                            public KerberosTicket run() throws Exception {
-                                return Krb5Util.getTicketFromSubjectAndTgs(
-                                        GSSCaller.CALLER_SSL_CLIENT,
-                                        clientPrincipal, serverPrincipal,
-                                        tgsPrincipal, acc);
-                            }});
-
-                if (ticket == null) {
-                    throw new IOException("Failed to find any kerberos service" +
-                            " ticket for " + serverPrincipal);
-                }
-                return ticket;
-            } catch (PrivilegedActionException e) {
-                IOException ioe = new IOException(
-                        "Attempt to obtain kerberos service ticket for " +
-                                serverPrincipal + " failed!");
-                ioe.initCause(e);
-                throw ioe;
-            }
-        }
-
-        @Override
-        public SecretKey clientKeyExchange() {
-            byte[] secretBytes = preMaster.getUnencrypted();
-            return new SecretKeySpec(secretBytes, "TlsPremasterSecret");
-        }
-
-        @Override
-        public Principal getPeerPrincipal() {
-            return peerPrincipal;
-        }
-
-        @Override
-        public Principal getLocalPrincipal() {
-            return localPrincipal;
-        }
-
-        /**
-         * Determines if a kvno matches another kvno. Used in the method
-         * findKey(etype, version, keys). Always returns true if either input
-         * is null or zero, in case any side does not have kvno info available.
-         *
-         * Note: zero is included because N/A is not a legal value for kvno
-         * in javax.security.auth.kerberos.KerberosKey. Therefore, the info
-         * that the kvno is N/A might be lost when converting between
-         * EncryptionKey and KerberosKey.
-         */
-        private static boolean versionMatches(Integer v1, int v2) {
-            if (v1 == null || v1 == 0 || v2 == 0) {
-                return true;
-            }
-            return v1.equals(v2);
-        }
-
-        private static KerberosKey findKey(int etype, Integer version,
-                KerberosKey[] keys) throws KrbException {
-            int ktype;
-            boolean etypeFound = false;
-
-            // When no matched kvno is found, returns tke key of the same
-            // etype with the highest kvno
-            int kvno_found = 0;
-            KerberosKey key_found = null;
-
-            for (int i = 0; i < keys.length; i++) {
-                ktype = keys[i].getKeyType();
-                if (etype == ktype) {
-                    int kv = keys[i].getVersionNumber();
-                    etypeFound = true;
-                    if (versionMatches(version, kv)) {
-                        return keys[i];
-                    } else if (kv > kvno_found) {
-                        key_found = keys[i];
-                        kvno_found = kv;
-                    }
-                }
-            }
-            // Key not found.
-            // %%% kludge to allow DES keys to be used for diff etypes
-            if ((etype == EncryptedData.ETYPE_DES_CBC_CRC ||
-                    etype == EncryptedData.ETYPE_DES_CBC_MD5)) {
-                for (int i = 0; i < keys.length; i++) {
-                    ktype = keys[i].getKeyType();
-                    if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
-                            ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
-                        int kv = keys[i].getVersionNumber();
-                        etypeFound = true;
-                        if (versionMatches(version, kv)) {
-                            return new KerberosKey(keys[i].getPrincipal(),
-                                    keys[i].getEncoded(),
-                                    etype,
-                                    kv);
-                        } else if (kv > kvno_found) {
-                            key_found = new KerberosKey(keys[i].getPrincipal(),
-                                    keys[i].getEncoded(),
-                                    etype,
-                                    kv);
-                            kvno_found = kv;
-                        }
-                    }
-                }
-            }
-            if (etypeFound) {
-                return key_found;
-            }
-            return null;
-        }
-    }
-}
--- old/test/jdk/sun/security/krb5/auto/SSL.java	2018-05-11 15:11:43.468175700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,329 +0,0 @@
-/*
- * Copyright (c) 2009, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 6894643 6913636 8005523 8025123 8194486
- * @summary Test JSSE Kerberos ciphersuite
- * @library /test/lib
- * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_RC4_128_SHA
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_RC4_128_SHA unbound
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_RC4_128_SHA unbound sni
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_3DES_EDE_CBC_SHA
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_3DES_EDE_CBC_MD5
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_DES_CBC_SHA
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_WITH_DES_CBC_MD5
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_EXPORT_WITH_RC4_40_SHA
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_EXPORT_WITH_RC4_40_MD5
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSL
- *      TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
- */
-import java.io.*;
-import java.security.Permission;
-import javax.net.ssl.*;
-import java.security.Principal;
-import java.security.Security;
-import java.util.Date;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Locale;
-import javax.security.auth.kerberos.ServicePermission;
-import sun.security.jgss.GSSUtil;
-import sun.security.krb5.PrincipalName;
-import sun.security.krb5.internal.ktab.KeyTab;
-
-public class SSL extends SecurityManager {
-
-    private static String krb5Cipher;
-    private static final int LOOP_LIMIT = 3;
-    private static int loopCount = 0;
-    private static volatile String server;
-    private static volatile int port;
-    private static String sniHostname = null;
-    private static String sniMatcherPattern = null;
-
-    private static String permChecks = "";
-
-    // 0-Not started, 1-Start OK, 2-Failure
-    private static volatile int serverState = 0;
-
-    @Override
-    public void checkPermission(Permission perm, Object context) {
-        checkPermission(perm);
-    }
-
-    public void checkPermission(Permission perm) {
-        if (!(perm instanceof ServicePermission)) {
-            return;
-        }
-        ServicePermission p = (ServicePermission)perm;
-        // ServicePermissions required to create GSSName are ignored
-        if (!p.getActions().isEmpty()) {
-            permChecks = permChecks
-                + p.getActions().toUpperCase(Locale.US).charAt(0);
-        }
-    }
-
-    public static void main(String[] args) throws Exception {
-        // reset the security property to make sure that the algorithms
-        // and keys used in this test are not disabled.
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
-
-        krb5Cipher = args[0];
-
-        boolean unbound = args.length > 1;
-
-        // Workaround for JDK-8161101, reference the class before
-        // SecurityManager is set.
-        System.out.println("Touching " + ServicePermission.class);
-
-        System.setSecurityManager(new SSL());
-
-        KDC kdc = KDC.create(OneKDC.REALM);
-        server = "host." + OneKDC.REALM_LOWER_CASE;
-
-        if (args.length > 2) {
-            sniHostname = "test." + server;
-            sniMatcherPattern = ".*";
-        }
-
-        kdc.addPrincipal(OneKDC.USER, OneKDC.PASS);
-        kdc.addPrincipalRandKey("krbtgt/" + OneKDC.REALM);
-        KDC.saveConfig(OneKDC.KRB5_CONF, kdc);
-        System.setProperty("java.security.krb5.conf", OneKDC.KRB5_CONF);
-
-        // Add 3 versions of keys into keytab
-        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
-        String serviceName = null;
-        if (sniHostname != null) {
-            serviceName = "host/" + sniHostname;
-        } else {
-            serviceName = "host/" + server;
-        }
-        PrincipalName service = new PrincipalName(
-            serviceName, PrincipalName.KRB_NT_SRV_HST);
-        ktab.addEntry(service, "pass1".toCharArray(), 1, true);
-        ktab.addEntry(service, "pass2".toCharArray(), 2, true);
-        ktab.addEntry(service, "pass3".toCharArray(), 3, true);
-        ktab.save();
-
-        // and use the middle one as the real key
-        kdc.addPrincipal(serviceName, "pass2".toCharArray());
-
-
-        // JAAS config entry name ssl
-        System.setProperty("java.security.auth.login.config", OneKDC.JAAS_CONF);
-        File f = new File(OneKDC.JAAS_CONF);
-        FileOutputStream fos = new FileOutputStream(f);
-        fos.write((
-                "ssl {\n" +
-                "    com.sun.security.auth.module.Krb5LoginModule required\n" +
-                (unbound ?
-                    "    principal=*\n" :
-                    "    principal=\"" + serviceName + "\"\n") +
-                "    useKeyTab=true\n" +
-                "    keyTab=" + OneKDC.KTAB + "\n" +
-                "    isInitiator=false\n" +
-                "    storeKey=true;\n};\n"
-                ).getBytes());
-        fos.close();
-
-        Context c;
-        final Context s = Context.fromJAAS("ssl");
-
-        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
-
-        Thread server = new Thread(new Runnable() {
-            public void run() {
-                try {
-                    s.doAs(new JsseServerAction(), null);
-                } catch (Exception e) {
-                    e.printStackTrace();
-                    serverState = 2;
-                }
-            }
-        });
-        server.setDaemon(true);
-        server.start();
-
-        while (serverState == 0) {
-            Thread.sleep(50);
-        }
-
-        if (serverState == 2) {
-            throw new Exception("Server already failed");
-        }
-
-        c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
-        c.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
-        c.doAs(new JsseClientAction(), null);
-
-        // Add another version of key, make sure it can be loaded
-        Thread.sleep(2000);
-        ktab = KeyTab.getInstance(OneKDC.KTAB);
-        ktab.addEntry(service, "pass4".toCharArray(), 4, true);
-        ktab.save();
-        kdc.addPrincipal(serviceName, "pass4".toCharArray());
-
-        c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false);
-        c.startAsClient(serviceName, GSSUtil.GSS_KRB5_MECH_OID);
-        c.doAs(new JsseClientAction(), null);
-
-        // Permission checking check. Please note this is highly
-        // implementation related.
-        if (unbound) {
-            // For unbound, server does not know what name to check.
-            // Client checks "initiate", then server gets the name
-            // and checks "accept". Second connection resume.
-            if (!permChecks.equals("IA")) {
-                throw new Exception(permChecks);
-            }
-        } else {
-            // For bound, JAAS checks "accept" once. Server checks again,
-            // client then checks "initiate". Second connection resume.
-            if (!permChecks.equals("AAI")) {
-                throw new Exception(permChecks);
-            }
-        }
-    }
-
-    // Following codes copied from
-    // http://java.sun.com/javase/6/docs/technotes/guides/security/jgss/lab/part2.html#JSSE
-    private static class JsseClientAction implements Action {
-        public byte[] run(Context s, byte[] input) throws Exception {
-            SSLSocketFactory sslsf =
-                (SSLSocketFactory) SSLSocketFactory.getDefault();
-            System.out.println("Connecting " + server + ":" + port);
-            SSLSocket sslSocket = (SSLSocket) sslsf.createSocket(server, port);
-
-            // Enable only a KRB5 cipher suite.
-            String enabledSuites[] = {krb5Cipher};
-            sslSocket.setEnabledCipherSuites(enabledSuites);
-            // Should check for exception if enabledSuites is not supported
-
-            if (sniHostname != null) {
-                List<SNIServerName> serverNames = new ArrayList<>();
-                serverNames.add(new SNIHostName(sniHostname));
-                SSLParameters params = sslSocket.getSSLParameters();
-                params.setServerNames(serverNames);
-                sslSocket.setSSLParameters(params);
-            }
-
-            BufferedReader in = new BufferedReader(new InputStreamReader(
-                sslSocket.getInputStream()));
-            BufferedWriter out = new BufferedWriter(new OutputStreamWriter(
-                sslSocket.getOutputStream()));
-
-            String outStr = "Hello There!\n";
-            out.write(outStr);
-            out.flush();
-            System.out.print("Sending " + outStr);
-
-            String inStr = in.readLine();
-            System.out.println("Received " + inStr);
-
-            String cipherSuiteChosen = sslSocket.getSession().getCipherSuite();
-            System.out.println("Cipher suite in use: " + cipherSuiteChosen);
-            Principal self = sslSocket.getSession().getLocalPrincipal();
-            System.out.println("I am: " + self.toString());
-            Principal peer = sslSocket.getSession().getPeerPrincipal();
-            System.out.println("Server is: " + peer.toString());
-
-            sslSocket.close();
-            // This line should not be needed. It's the server's duty to
-            // forget the old key
-            //sslSocket.getSession().invalidate();
-            return null;
-        }
-    }
-
-    private static class JsseServerAction implements Action {
-        public byte[] run(Context s, byte[] input) throws Exception {
-            SSLServerSocketFactory sslssf =
-                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
-            SSLServerSocket sslServerSocket =
-                (SSLServerSocket) sslssf.createServerSocket(0); // any port
-            port = sslServerSocket.getLocalPort();
-            System.out.println("Listening on " + port);
-            serverState = 1;
-
-            // Enable only a KRB5 cipher suite.
-            String enabledSuites[] = {krb5Cipher};
-            sslServerSocket.setEnabledCipherSuites(enabledSuites);
-            // Should check for exception if enabledSuites is not supported
-
-            if (sniMatcherPattern != null) {
-                List<SNIMatcher> matchers = new ArrayList<>();
-                matchers.add(SNIHostName.createSNIMatcher(sniMatcherPattern));
-                SSLParameters params = sslServerSocket.getSSLParameters();
-                params.setSNIMatchers(matchers);
-                sslServerSocket.setSSLParameters(params);
-            }
-
-            while (loopCount++ < LOOP_LIMIT) {
-                System.out.println("Waiting for incoming connection...");
-
-                SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
-
-                System.out.println("Got connection from client "
-                    + sslSocket.getInetAddress());
-
-                BufferedReader in = new BufferedReader(new InputStreamReader(
-                    sslSocket.getInputStream()));
-                BufferedWriter out = new BufferedWriter(new OutputStreamWriter(
-                    sslSocket.getOutputStream()));
-
-                String inStr = in.readLine();
-                System.out.println("Received " + inStr);
-
-                String outStr = inStr + " " + new Date().toString() + "\n";
-                out.write(outStr);
-                System.out.println("Sending " + outStr);
-                out.flush();
-
-                String cipherSuiteChosen =
-                    sslSocket.getSession().getCipherSuite();
-                System.out.println("Cipher suite in use: " + cipherSuiteChosen);
-                Principal self = sslSocket.getSession().getLocalPrincipal();
-                System.out.println("I am: " + self.toString());
-                Principal peer = sslSocket.getSession().getPeerPrincipal();
-                System.out.println("Client is: " + peer.toString());
-
-                sslSocket.close();
-            }
-            return null;
-        }
-    }
-}
--- old/test/jdk/sun/security/krb5/auto/SSLwithPerms.java	2018-05-11 15:11:44.444596600 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,235 +0,0 @@
-/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8038089 8194486
- * @summary TLS optional support for Kerberos cipher suites needs to be re-examined
- * @library ../../../../java/security/testlibrary/ /test/lib
- * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
- * @run main/othervm -Djdk.net.hosts.file=TestHosts SSLwithPerms
- */
-import java.io.*;
-import javax.net.ssl.*;
-import javax.security.auth.AuthPermission;
-import javax.security.auth.kerberos.ServicePermission;
-import java.net.SocketPermission;
-import java.nio.ByteBuffer;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-import java.security.Principal;
-import java.security.Security;
-import java.security.SecurityPermission;
-import java.util.Collections;
-import java.util.Date;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Locale;
-import java.util.PropertyPermission;
-
-import sun.security.jgss.GSSUtil;
-
-public class SSLwithPerms {
-
-    static String KRB5_CONF = "krb5.conf";
-    static String JAAS_CONF = "jaas.conf";
-    static String REALM = "REALM";
-    static String KTAB = "ktab";
-    static String HOST = "host." + REALM.toLowerCase(Locale.US);
-    static String SERVER = "host/" + HOST;
-    static String USER = "user";
-    static char[] PASS = "password".toCharArray();
-
-    public static void main(String[] args) throws Exception {
-
-        Security.setProperty("jdk.tls.disabledAlgorithms", "");
-        if (args.length == 0) {
-            KDC kdc = KDC.create(REALM, HOST, 0, true);
-
-            kdc.addPrincipal(USER, PASS);
-            kdc.addPrincipalRandKey("krbtgt/" + REALM);
-            kdc.addPrincipalRandKey(SERVER);
-            KDC.saveConfig(KRB5_CONF, kdc);
-            kdc.writeKtab(KTAB);
-
-            File f = new File(JAAS_CONF);
-            FileOutputStream fos = new FileOutputStream(f);
-            fos.write((
-                    "ssl {\n" +
-                            "    com.sun.security.auth.module.Krb5LoginModule required\n" +
-                            "    principal=\"" + SERVER + "\"\n" +
-                            "    useKeyTab=true\n" +
-                            "    keyTab=" + KTAB + "\n" +
-                            "    isInitiator=false\n" +
-                            "    storeKey=true;\n};\n"
-            ).getBytes());
-            fos.close();
-
-            String hostsFileName = System.getProperty("test.src", ".") + "/TestHosts";
-
-            Proc pc = Proc.create("SSLwithPerms")
-                    .args("client")
-                    .inheritIO()
-                    .prop("java.security.manager", "")
-                    .prop("java.security.krb5.conf", KRB5_CONF)
-                    .prop("jdk.net.hosts.file", hostsFileName)
-                    .prop("javax.net.ssl", "handshake")
-                    .prop("sun.security.krb5.debug", "true")
-                    .perm(new SecurityPermission("setProperty.jdk.tls.disabledAlgorithms"))
-                    .perm(new java.util.PropertyPermission("user.name", "read"))
-                    .perm(new PropertyPermission("sun.security.krb5.principal", "read"))
-                    .perm(new FilePermission("port", "read"))
-                    .perm(new FilePermission(hostsFileName, "read"))
-                    .perm(new FilePermission(KTAB, "read"))
-                    .perm(new AuthPermission("modifyPrincipals"))
-                    .perm(new AuthPermission("modifyPrivateCredentials"))
-                    .perm(new AuthPermission("doAs"))
-                    .perm(new SocketPermission("127.0.0.1", "connect"))
-                    .perm(new ServicePermission("host/host.realm@REALM", "initiate"))
-                    .start();
-
-            Proc ps = Proc.create("SSLwithPerms")
-                    .args("server")
-                    .inheritIO()
-                    .prop("java.security.manager", "")
-                    .prop("java.security.krb5.conf", KRB5_CONF)
-                    .prop("java.security.auth.login.config", JAAS_CONF)
-                    .prop("jdk.net.hosts.file", hostsFileName)
-                    .prop("javax.net.ssl", "handshake")
-                    .prop("sun.security.krb5.debug", "true")
-                    .perm(new SecurityPermission("setProperty.jdk.tls.disabledAlgorithms"))
-                    .perm(new AuthPermission("createLoginContext.ssl"))
-                    .perm(new AuthPermission("doAs"))
-                    .perm(new FilePermission(hostsFileName, "read"))
-                    .perm(new FilePermission("port", "write"))
-                    .perm(new SocketPermission("127.0.0.1", "accept"))
-                    .perm(new ServicePermission("host/host.realm@REALM", "accept"))
-                    .start();
-
-            if (pc.waitFor() != 0) {
-                throw new Exception();
-            }
-            if (ps.waitFor() != 0) {
-                throw new Exception();
-            }
-        } else if (args[0].equals("client")) {
-            Context c;
-            c = Context.fromUserPass(USER, PASS, false);
-            c.doAs(new JsseClientAction(), null);
-        } else if (args[0].equals("server")) {
-            final Context s = Context.fromJAAS("ssl");
-            s.doAs(new JsseServerAction(), null);
-        }
-    }
-
-    private static class JsseClientAction implements Action {
-        public byte[] run(Context s, byte[] input) throws Exception {
-            SSLSocketFactory sslsf =
-                (SSLSocketFactory) SSLSocketFactory.getDefault();
-            while (!Files.exists(Paths.get("port"))) {
-                Thread.sleep(100);
-            }
-            int port = ByteBuffer.allocate(4)
-                    .put(Files.readAllBytes(Paths.get("port"))).getInt(0);
-            System.out.println("Connecting " + SERVER + ":" + port);
-            SSLSocket sslSocket = (SSLSocket) sslsf.createSocket(HOST, port);
-
-            // Enable only a KRB5 cipher suite.
-            String enabledSuites[] = {"TLS_KRB5_WITH_RC4_128_SHA"};
-            sslSocket.setEnabledCipherSuites(enabledSuites);
-
-            SSLParameters params = sslSocket.getSSLParameters();
-            params.setServerNames(Collections.singletonList(new SNIHostName(HOST)));
-            sslSocket.setSSLParameters(params);
-
-            BufferedReader in = new BufferedReader(new InputStreamReader(
-                sslSocket.getInputStream()));
-            BufferedWriter out = new BufferedWriter(new OutputStreamWriter(
-                sslSocket.getOutputStream()));
-
-            String outStr = "Hello There!\n";
-            out.write(outStr);
-            out.flush();
-            System.out.print("Sending " + outStr);
-
-            String inStr = in.readLine();
-            System.out.println("Received " + inStr);
-
-            String cipherSuiteChosen = sslSocket.getSession().getCipherSuite();
-            System.out.println("Cipher suite in use: " + cipherSuiteChosen);
-            Principal self = sslSocket.getSession().getLocalPrincipal();
-            System.out.println("I am: " + self.toString());
-            Principal peer = sslSocket.getSession().getPeerPrincipal();
-            System.out.println("Server is: " + peer.toString());
-
-            sslSocket.close();
-            return null;
-        }
-    }
-
-    private static class JsseServerAction implements Action {
-        public byte[] run(Context s, byte[] input) throws Exception {
-            SSLServerSocketFactory sslssf =
-                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
-            SSLServerSocket sslServerSocket =
-                (SSLServerSocket) sslssf.createServerSocket(0); // any port
-            int port = sslServerSocket.getLocalPort();
-            System.out.println("Listening on " + port);
-
-            String enabledSuites[] = {"TLS_KRB5_WITH_RC4_128_SHA"};
-            sslServerSocket.setEnabledCipherSuites(enabledSuites);
-
-            Files.write(Paths.get("port"), ByteBuffer.allocate(4).putInt(port).array());
-            System.out.println("Waiting for incoming connection...");
-
-            SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
-
-            System.out.println("Got connection from client "
-                + sslSocket.getInetAddress());
-
-            BufferedReader in = new BufferedReader(new InputStreamReader(
-                sslSocket.getInputStream()));
-            BufferedWriter out = new BufferedWriter(new OutputStreamWriter(
-                sslSocket.getOutputStream()));
-
-            String inStr = in.readLine();
-            System.out.println("Received " + inStr);
-
-            String outStr = inStr + " " + new Date().toString() + "\n";
-            out.write(outStr);
-            System.out.println("Sending " + outStr);
-            out.flush();
-
-            String cipherSuiteChosen =
-                sslSocket.getSession().getCipherSuite();
-            System.out.println("Cipher suite in use: " + cipherSuiteChosen);
-            Principal self = sslSocket.getSession().getLocalPrincipal();
-            System.out.println("I am: " + self.toString());
-            Principal peer = sslSocket.getSession().getPeerPrincipal();
-            System.out.println("Client is: " + peer.toString());
-
-            sslSocket.close();
-            return null;
-        }
-    }
-}
--- old/test/jdk/sun/security/krb5/auto/UnboundSSL.java	2018-05-11 15:11:45.432615500 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,138 +0,0 @@
-/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedActionException;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.LoginException;
-
-/*
- * @test
- * @bug 8025123 8194486
- * @summary Checks if an unbound server can handle connections
- *          only for allowed service principals
- * @library /test/lib
- * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
- * @run main/othervm/policy=unbound.ssl.policy -Djdk.net.hosts.file=TestHosts
- *      UnboundSSL unbound.ssl.jaas.conf server_star
- * @run main/othervm/policy=unbound.ssl.policy -Djdk.net.hosts.file=TestHosts
- *      UnboundSSL unbound.ssl.jaas.conf server_multiple_principals
- */
-public class UnboundSSL {
-
-    public static void main(String[] args) throws IOException,
-            NoSuchAlgorithmException,LoginException, PrivilegedActionException,
-            InterruptedException {
-        UnboundSSL test = new UnboundSSL();
-        test.start(args[0], args[1]);
-    }
-
-    private void start(String jaacConfigFile, String serverJaasConfig)
-            throws IOException, NoSuchAlgorithmException,LoginException,
-            PrivilegedActionException, InterruptedException {
-
-        // define principals
-        String service1host = "service1." + UnboundSSLUtils.HOST;
-        String service2host = "service2." + UnboundSSLUtils.HOST;
-        String service3host = "service3." + UnboundSSLUtils.HOST;
-        String service1Principal = "host/" + service1host + "@"
-                + UnboundSSLUtils.REALM;
-        String service2Principal = "host/" + service2host + "@"
-                + UnboundSSLUtils.REALM;
-        String service3Principal = "host/" + service3host + "@"
-                + UnboundSSLUtils.REALM;
-
-        Map<String, String> principals = new HashMap<>();
-        principals.put(UnboundSSLUtils.USER_PRINCIPAL,
-                UnboundSSLUtils.USER_PASSWORD);
-        principals.put(UnboundSSLUtils.KRBTGT_PRINCIPAL, null);
-        principals.put(service1Principal, null);
-        principals.put(service2Principal, null);
-        principals.put(service3Principal, null);
-
-        System.setProperty("java.security.krb5.conf",
-               UnboundSSLUtils.KRB5_CONF_FILENAME);
-
-        // start a local KDC instance
-        KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
-                UnboundSSLUtils.REALM, principals,
-                UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
-
-        System.setProperty("java.security.auth.login.config",
-                UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
-        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
-        try (final SSLEchoServer server = SSLEchoServer.init(
-                UnboundSSLUtils.TLS_KRB5_FILTER, UnboundSSLUtils.SNI_PATTERN)) {
-
-            // start a server instance
-            UnboundSSLUtils.startServerWithJaas(server, serverJaasConfig);
-
-            // wait for the server is ready
-            while (!server.isReady()) {
-                Thread.sleep(UnboundSSLUtils.DELAY);
-            }
-
-            int port = server.getPort();
-
-            // run clients
-
-            // the server should have a permission to handle a request
-            // with this service principal (there should be an appropriate
-            // javax.security.auth.kerberos.ServicePermission in policy file)
-            System.out.println("Connect: SNI hostname = " + service1host
-                    + ", successful connection is expected");
-            SSLClient.init(UnboundSSLUtils.HOST, port,
-                    UnboundSSLUtils.TLS_KRB5_FILTER, service1host).connect();
-
-            // the server should NOT have a permission to handle a request
-            // with this service principal (there should be an appropriate
-            // javax.security.auth.kerberos.ServicePermission in policy file)
-            // handshake failures is expected
-            System.out.println("Connect: SNI hostname = " + service2host
-                    + ", connection failure is expected");
-            try {
-                SSLClient.init(UnboundSSLUtils.HOST, port,
-                        UnboundSSLUtils.TLS_KRB5_FILTER, service2host)
-                            .connect();
-                throw new RuntimeException("Test failed: "
-                        + "expected IOException not thrown");
-            } catch (IOException e) {
-                System.out.println("Expected exception: " + e);
-            }
-
-            // the server should have a permission to handle a request
-            // with this service principal (there should be an appropriate
-            // javax.security.auth.kerberos.ServicePermission in policy file)
-            System.out.println("Connect: SNI hostname = " + service3host
-                    + ", successful connection is expected");
-            SSLClient.init(UnboundSSLUtils.HOST, port,
-                    UnboundSSLUtils.TLS_KRB5_FILTER, service3host).connect();
-        }
-
-        System.out.println("Test passed");
-    }
-}
--- old/test/jdk/sun/security/krb5/auto/UnboundSSLMultipleKeys.java	2018-05-11 15:11:46.404817400 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,115 +0,0 @@
-/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedActionException;
-import java.util.HashMap;
-import java.util.Map;
-
-import javax.security.auth.login.LoginException;
-
-/*
- * @test
- * @bug 8025123 8194486
- * @summary Checks if an unbound server pick up a correct key from keytab
- * @library /test/lib
- * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
- * @run main/othervm -Djdk.net.hosts.file=TestHosts UnboundSSLMultipleKeys
- *                              unbound.ssl.jaas.conf server_star
- * @run main/othervm -Djdk.net.hosts.file=TestHosts UnboundSSLMultipleKeys
- *                              unbound.ssl.jaas.conf server_multiple_principals
- */
-public class UnboundSSLMultipleKeys {
-
-    public static void main(String[] args)
-            throws IOException, NoSuchAlgorithmException, LoginException,
-            PrivilegedActionException, InterruptedException {
-        UnboundSSLMultipleKeys test = new UnboundSSLMultipleKeys();
-        test.start(args[0], args[1]);
-    }
-
-    private void start(String jaacConfigFile, String serverJaasConfig)
-            throws IOException, NoSuchAlgorithmException, LoginException,
-            PrivilegedActionException, InterruptedException {
-
-        // define service principals
-        String service1host = "service1." + UnboundSSLUtils.HOST;
-        String service2host = "service2." + UnboundSSLUtils.HOST;
-        String service3host = "service3." + UnboundSSLUtils.HOST;
-        String service1Principal = "host/" + service1host + "@"
-                + UnboundSSLUtils.REALM;
-        String service2Principal = "host/" + service2host + "@"
-                + UnboundSSLUtils.REALM;
-        String service3Principal = "host/" + service3host + "@"
-                + UnboundSSLUtils.REALM;
-
-        Map<String, String> principals = new HashMap<>();
-        principals.put(UnboundSSLUtils.USER_PRINCIPAL,
-                UnboundSSLUtils.USER_PASSWORD);
-        principals.put(UnboundSSLUtils.KRBTGT_PRINCIPAL, "pass");
-        principals.put(service1Principal, "pass0");
-        principals.put(service1Principal, "pass1");
-        principals.put(service1Principal, "pass2");
-        principals.put(service2Principal, "pass");
-        principals.put(service3Principal, "pass");
-
-        System.setProperty("java.security.krb5.conf",
-                UnboundSSLUtils.KRB5_CONF_FILENAME);
-
-        /*
-         * Start a local KDC instance
-         *
-         * Keytab file contains 3 keys (with different KVNO) for service1
-         * principal, but password for only one key is the same with the record
-         * for service1 principal in KDC.
-         */
-        KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
-                UnboundSSLUtils.REALM, principals,
-                UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
-
-        System.setProperty("java.security.auth.login.config",
-                UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
-        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
-        // start an SSL server instance
-        try (SSLEchoServer server = SSLEchoServer.init(
-                UnboundSSLUtils.TLS_KRB5_FILTER, UnboundSSLUtils.SNI_PATTERN)) {
-
-            UnboundSSLUtils.startServerWithJaas(server, serverJaasConfig);
-
-            //  wait for the server is ready
-            while (!server.isReady()) {
-                Thread.sleep(UnboundSSLUtils.DELAY);
-            }
-
-            // run a client
-            System.out.println("Successful connection is expected");
-            SSLClient.init(UnboundSSLUtils.HOST, server.getPort(),
-                    UnboundSSLUtils.TLS_KRB5_FILTER, service1host).connect();
-        }
-
-        System.out.println("Test passed");
-    }
-
-}
--- old/test/jdk/sun/security/krb5/auto/UnboundSSLPrincipalProperty.java	2018-05-11 15:11:47.398729600 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,122 +0,0 @@
-/*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedActionException;
-import java.util.HashMap;
-import java.util.Map;
-import javax.security.auth.login.LoginException;
-
-/*
- * @test
- * @bug 8025123 8194486
- * @summary Checks if an unbound server uses a service principal
- *          from sun.security.krb5.principal system property if specified
- * @library /test/lib
- * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
- * @run main/othervm -Djdk.net.hosts.file=TestHosts UnboundSSLPrincipalProperty
- *                              unbound.ssl.jaas.conf server_star
- * @run main/othervm -Djdk.net.hosts.file=TestHosts UnboundSSLPrincipalProperty
- *                              unbound.ssl.jaas.conf server_multiple_principals
- */
-public class UnboundSSLPrincipalProperty {
-
-    public static void main(String[] args) throws IOException,
-            NoSuchAlgorithmException,LoginException, PrivilegedActionException,
-            InterruptedException {
-        UnboundSSLPrincipalProperty test = new UnboundSSLPrincipalProperty();
-        test.start(args[0], args[1]);
-    }
-
-    public void start(String jaacConfigFile, String serverJaasConfig)
-            throws IOException, NoSuchAlgorithmException,LoginException,
-            PrivilegedActionException, InterruptedException {
-
-        // define principals
-        String service1host = "service1." + UnboundSSLUtils.HOST;
-        String service3host = "service3." + UnboundSSLUtils.HOST;
-        String service1Principal = "host/" + service1host + "@"
-                + UnboundSSLUtils.REALM;
-        String service3Principal = "host/" + service3host
-                + "@" + UnboundSSLUtils.REALM;
-
-        Map<String, String> principals = new HashMap<>();
-        principals.put(UnboundSSLUtils.USER_PRINCIPAL,
-                UnboundSSLUtils.USER_PASSWORD);
-        principals.put(UnboundSSLUtils.KRBTGT_PRINCIPAL, null);
-        principals.put(service1Principal, null);
-        principals.put(service3Principal, null);
-
-        System.setProperty("java.security.krb5.conf",
-                UnboundSSLUtils.KRB5_CONF_FILENAME);
-
-        // start a local KDC instance
-        KDC.startKDC(UnboundSSLUtils.HOST, UnboundSSLUtils.KRB5_CONF_FILENAME,
-                UnboundSSLUtils.REALM, principals,
-                UnboundSSLUtils.KTAB_FILENAME, KDC.KtabMode.APPEND);
-
-        System.setProperty("java.security.auth.login.config",
-                UnboundSSLUtils.TEST_SRC + UnboundSSLUtils.FS + jaacConfigFile);
-        System.setProperty("javax.security.auth.useSubjectCredsOnly", "false");
-
-        // start an SSL server instance
-        try (final SSLEchoServer server = SSLEchoServer.init(
-                UnboundSSLUtils.TLS_KRB5_FILTER, UnboundSSLUtils.SNI_PATTERN)) {
-
-            // specify a service principal for the server
-            System.setProperty("sun.security.krb5.principal",
-                    service3Principal);
-
-            UnboundSSLUtils.startServerWithJaas(server, serverJaasConfig);
-
-            // wait for the server is ready
-            while (!server.isReady()) {
-                Thread.sleep(UnboundSSLUtils.DELAY);
-            }
-
-            int port = server.getPort();
-
-            // connetion failure is expected
-            // since service3 principal was specified to use by the server
-            System.out.println("Connect: SNI hostname = " + service1host
-                    + ", connection failure is expected");
-            try {
-                SSLClient.init(UnboundSSLUtils.HOST, port,
-                        UnboundSSLUtils.TLS_KRB5_FILTER, service1host)
-                            .connect();
-                throw new RuntimeException("Test failed: "
-                        + "expected IOException not thrown");
-            } catch (IOException e) {
-                System.out.println("Expected exception: " + e);
-            }
-
-            System.out.println("Connect: SNI hostname = " + service3host
-                    + ", successful connection is expected");
-            SSLClient.init(UnboundSSLUtils.HOST, port,
-                    UnboundSSLUtils.TLS_KRB5_FILTER, service3host).connect();
-        }
-
-        System.out.println("Test passed");
-    }
-}
--- old/test/jdk/sun/security/krb5/auto/UnboundSSLUtils.java	2018-05-11 15:11:48.375176800 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,292 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-import java.io.BufferedInputStream;
-import java.io.BufferedOutputStream;
-import java.io.File;
-import java.io.IOException;
-import java.security.NoSuchAlgorithmException;
-import java.security.PrivilegedActionException;
-import java.security.PrivilegedExceptionAction;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
-import java.util.Map;
-import javax.net.ssl.SNIHostName;
-import javax.net.ssl.SNIMatcher;
-import javax.net.ssl.SNIServerName;
-import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLParameters;
-import javax.net.ssl.SSLServerSocket;
-import javax.net.ssl.SSLServerSocketFactory;
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
-import javax.security.auth.Subject;
-import javax.security.auth.login.LoginContext;
-import javax.security.auth.login.LoginException;
-
-/*
- * Helper class for unbound krb5 tests.
- */
-class UnboundSSLUtils {
-
-    static final String KTAB_FILENAME = "krb5.keytab.data";
-    static final String HOST = "localhost";
-    static final String REALM = "TEST.REALM";
-    static final String KRBTGT_PRINCIPAL = "krbtgt/" + REALM;
-    static final String TEST_SRC = System.getProperty("test.src", ".");
-    static final String TLS_KRB5_FILTER = "TLS_KRB5";
-    static final String USER = "USER";
-    static final String USER_PASSWORD = "password";
-    static final String FS = System.getProperty("file.separator");
-    static final String SNI_PATTERN = ".*";
-    static final String USER_PRINCIPAL = USER + "@" + REALM;
-    static final String KRB5_CONF_FILENAME = "krb5.conf";
-    static final int DELAY = 1000;
-
-   static String[] filterStringArray(String[] src, String filter) {
-        return Arrays.stream(src).filter((item) -> item.startsWith(filter))
-                .toArray(size -> new String[size]);
-    }
-
-    /*
-     * The method does JAAS login,
-     * and runs an SSL server in the JAAS context.
-     */
-    static void startServerWithJaas(final SSLEchoServer server,
-            String config) throws LoginException, PrivilegedActionException {
-        LoginContext context = new LoginContext(config);
-        context.login();
-        System.out.println("Server: successful authentication");
-        Subject.doAs(context.getSubject(),
-                (PrivilegedExceptionAction<Object>) () -> {
-            SSLEchoServer.startServer(server);
-            return null;
-        });
-    }
-
-}
-
-class SSLClient {
-
-    private final static byte[][] arrays = {
-        new byte[] {-1, 0, 2},
-        new byte[] {}
-    };
-
-    private final SSLSocket socket;
-
-    private SSLClient(SSLSocket socket) {
-        this.socket = socket;
-    }
-
-    void connect() throws IOException {
-        System.out.println("Client: connect to server");
-        try (BufferedInputStream bis = new BufferedInputStream(
-                        socket.getInputStream());
-                BufferedOutputStream bos = new BufferedOutputStream(
-                        socket.getOutputStream())) {
-
-            for (byte[] bytes : arrays) {
-                System.out.println("Client: send byte array: "
-                        + Arrays.toString(bytes));
-
-                bos.write(bytes);
-                bos.flush();
-
-                byte[] recieved = new byte[bytes.length];
-                int read = bis.read(recieved, 0, bytes.length);
-                if (read < 0) {
-                    throw new IOException("Client: couldn't read a response");
-                }
-
-                System.out.println("Client: recieved byte array: "
-                        + Arrays.toString(recieved));
-
-                if (!Arrays.equals(bytes, recieved)) {
-                    throw new IOException("Client: sent byte array "
-                                + "is not equal with recieved byte array");
-                }
-            }
-            socket.getSession().invalidate();
-        } finally {
-            if (!socket.isClosed()) {
-                socket.close();
-            }
-        }
-    }
-
-    static SSLClient init(String host, int port, String cipherSuiteFilter,
-            String sniHostName) throws NoSuchAlgorithmException, IOException {
-        SSLContext sslContext = SSLContext.getDefault();
-        SSLSocketFactory ssf = (SSLSocketFactory) sslContext.getSocketFactory();
-        SSLSocket socket = (SSLSocket) ssf.createSocket(host, port);
-        SSLParameters params = new SSLParameters();
-
-        if (cipherSuiteFilter != null) {
-            String[] cipherSuites = UnboundSSLUtils.filterStringArray(
-                    ssf.getSupportedCipherSuites(), cipherSuiteFilter);
-            System.out.println("Client: enabled cipher suites: "
-                    + Arrays.toString(cipherSuites));
-            params.setCipherSuites(cipherSuites);
-        }
-
-        if (sniHostName != null) {
-            System.out.println("Client: set SNI hostname: " + sniHostName);
-            SNIHostName serverName = new SNIHostName(sniHostName);
-            List<SNIServerName> serverNames = new ArrayList<>();
-            serverNames.add(serverName);
-            params.setServerNames(serverNames);
-        }
-
-        socket.setSSLParameters(params);
-
-        return new SSLClient(socket);
-    }
-
-}
-
-class SSLEchoServer implements Runnable, AutoCloseable {
-
-    private final SSLServerSocket ssocket;
-    private volatile boolean stopped = false;
-    private volatile boolean ready = false;
-
-    /*
-     * Starts the server in a separate thread.
-     */
-    static void startServer(SSLEchoServer server) {
-        Thread serverThread = new Thread(server, "SSL echo server thread");
-        serverThread.setDaemon(true);
-        serverThread.start();
-    }
-
-    private SSLEchoServer(SSLServerSocket ssocket) {
-        this.ssocket = ssocket;
-    }
-
-    /*
-     * Main server loop.
-     */
-    @Override
-    public void run() {
-        System.out.println("Server: started");
-        while (!stopped) {
-            ready = true;
-            try (SSLSocket socket = (SSLSocket) ssocket.accept()) {
-                System.out.println("Server: client connection accepted");
-                try (
-                    BufferedInputStream bis = new BufferedInputStream(
-                            socket.getInputStream());
-                    BufferedOutputStream bos = new BufferedOutputStream(
-                            socket.getOutputStream())
-                ) {
-                    byte[] buffer = new byte[1024];
-                    int read;
-                    while ((read = bis.read(buffer)) > 0) {
-                        bos.write(buffer, 0, read);
-                        System.out.println("Server: recieved " + read
-                                + " bytes: "
-                                + Arrays.toString(Arrays.copyOf(buffer, read)));
-                        bos.flush();
-                    }
-                }
-            } catch (IOException e) {
-                if (stopped) {
-                    // stopped == true means that stop() method was called,
-                    // so just ignore the exception, and finish the loop
-                    break;
-                }
-                System.out.println("Server: couldn't accept client connection: "
-                        + e);
-            }
-        }
-        System.out.println("Server: finished");
-    }
-
-    boolean isReady() {
-        return ready;
-    }
-
-    void stop() {
-        stopped = true;
-        ready = false;
-
-        // close the server socket to interupt accept() method
-        try {
-            if (!ssocket.isClosed()) {
-                ssocket.close();
-            }
-        } catch (IOException e) {
-            throw new RuntimeException("Unexpected exception: " + e);
-        }
-    }
-
-    @Override
-    public void close() {
-        stop();
-    }
-
-    int getPort() {
-        return ssocket.getLocalPort();
-    }
-
-    /*
-     * Creates server instance.
-     *
-     * @param cipherSuiteFilter Filter for enabled cipher suites
-     * @param sniMatcherPattern Pattern for SNI server hame
-     */
-    static SSLEchoServer init(String cipherSuiteFilter,
-            String sniPattern) throws NoSuchAlgorithmException, IOException {
-        SSLContext context = SSLContext.getDefault();
-        SSLServerSocketFactory ssf =
-                (SSLServerSocketFactory) context.getServerSocketFactory();
-        SSLServerSocket ssocket =
-                (SSLServerSocket) ssf.createServerSocket(0);
-
-        // specify enabled cipher suites
-        if (cipherSuiteFilter != null) {
-            String[] ciphersuites = UnboundSSLUtils.filterStringArray(
-                    ssf.getSupportedCipherSuites(), cipherSuiteFilter);
-            System.out.println("Server: enabled cipher suites: "
-                    + Arrays.toString(ciphersuites));
-            ssocket.setEnabledCipherSuites(ciphersuites);
-        }
-
-        // specify SNI matcher pattern
-        if (sniPattern != null) {
-            System.out.println("Server: set SNI matcher: " + sniPattern);
-            SNIMatcher matcher = SNIHostName.createSNIMatcher(sniPattern);
-            List<SNIMatcher> matchers = new ArrayList<>();
-            matchers.add(matcher);
-            SSLParameters params = ssocket.getSSLParameters();
-            params.setSNIMatchers(matchers);
-            ssocket.setSSLParameters(params);
-        }
-
-        return new SSLEchoServer(ssocket);
-    }
-
-}
-
--- old/test/jdk/sun/security/ssl/ExtensionType/OptimalListSize.java	2018-05-11 15:11:49.350286200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,43 +0,0 @@
-/*
- * Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/**
- * @test
- * @bug 8080535
- * @summary Expected size of Character.UnicodeBlock.map is not optimal
- * @library /lib/testlibrary
- * @modules java.base/java.util:open
- *          java.base/sun.security.ssl:open
- * @build jdk.testlibrary.OptimalCapacity
- * @run main OptimalListSize
- */
-
-import jdk.testlibrary.OptimalCapacity;
-
-public class OptimalListSize {
-    public static void main(String[] args) throws Throwable {
-        OptimalCapacity.ofArrayList(
-                Class.forName("sun.security.ssl.ExtensionType"),
-                "knownExtensions", 16);
-    }
-}
--- old/test/jdk/sun/security/ssl/SSLEngineImpl/CloseInboundException.java	2018-05-11 15:11:50.345122300 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,275 +0,0 @@
-/*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-//
-// SunJSSE does not support dynamic system properties, no way to re-use
-// system properties in samevm/agentvm mode.
-//
-
-/*
- * @test
- * @bug 4931274
- * @summary closeInbound does not signal when a close_notify has not
- *              been received.
- * @run main/othervm CloseInboundException
- * @author Brad Wetmore
- */
-
-import javax.net.ssl.*;
-import javax.net.ssl.SSLEngineResult.*;
-import java.io.*;
-import java.security.*;
-import java.nio.*;
-
-public class CloseInboundException {
-
-    private SSLEngine ssle1;    // client
-    private SSLEngine ssle2;    // server
-
-    SSLEngineResult result1;    // ssle1's results from last operation
-    SSLEngineResult result2;    // ssle2's results from last operation
-
-    private static String pathToStores = "../../../../javax/net/ssl/etc";
-    private static String keyStoreFile = "keystore";
-    private static String trustStoreFile = "truststore";
-    private static String passwd = "passphrase";
-
-    private static String keyFilename =
-            System.getProperty("test.src", "./") + "/" + pathToStores +
-                "/" + keyStoreFile;
-    private static String trustFilename =
-            System.getProperty("test.src", "./") + "/" + pathToStores +
-                "/" + trustStoreFile;
-
-    private ByteBuffer appOut1;         // write side of ssle1
-    private ByteBuffer appIn1;          // read side of ssle1
-    private ByteBuffer appOut2;         // write side of ssle2
-    private ByteBuffer appIn2;          // read side of ssle2
-
-    private ByteBuffer oneToTwo;        // "reliable" transport ssle1->ssle2
-    private ByteBuffer twoToOne;        // "reliable" transport ssle2->ssle1
-
-    /*
-     * Majority of the test case is here, setup is done below.
-     */
-    private void runTest(boolean inboundClose) throws Exception {
-
-        boolean done = false;
-
-        while (!isEngineClosed(ssle1) || !isEngineClosed(ssle2)) {
-
-            System.out.println("================");
-
-            result1 = ssle1.wrap(appOut1, oneToTwo);
-            result2 = ssle2.wrap(appOut2, twoToOne);
-
-            System.out.println("wrap1 = " + result1);
-            System.out.println("oneToTwo  = " + oneToTwo);
-
-            System.out.println("wrap2 = " + result2);
-            System.out.println("twoToOne  = " + twoToOne);
-
-            runDelegatedTasks(result1, ssle1);
-            runDelegatedTasks(result2, ssle2);
-
-            oneToTwo.flip();
-            twoToOne.flip();
-
-            System.out.println("----");
-            result1 = ssle1.unwrap(twoToOne, appIn1);
-
-            if (done && inboundClose) {
-                try {
-                    result2 = ssle2.unwrap(oneToTwo, appIn2);
-                    throw new Exception("Didn't throw Exception");
-                } catch (SSLException e) {
-                    System.out.println("Caught proper exception\n" + e);
-                    return;
-                }
-            } else {
-                result2 = ssle2.unwrap(oneToTwo, appIn2);
-            }
-
-            System.out.println("unwrap1 = " + result1);
-            System.out.println("twoToOne  = " + twoToOne);
-
-            System.out.println("unwrap2 = " + result2);
-            System.out.println("oneToTwo  = " + oneToTwo);
-
-            runDelegatedTasks(result1, ssle1);
-            runDelegatedTasks(result2, ssle2);
-
-            oneToTwo.compact();
-            twoToOne.compact();
-
-            /*
-             * If we've transfered all the data between app1 and app2,
-             * we try to close and see what that gets us.
-             */
-            if (!done && (appOut1.limit() == appIn2.position()) &&
-                (appOut2.limit() == appIn1.position())) {
-
-                if (inboundClose) {
-                    try {
-                        System.out.println("Closing ssle1's *INBOUND*...");
-                        ssle1.closeInbound();
-                        throw new Exception("closeInbound didn't throw");
-                    } catch (SSLException e) {
-                        System.out.println("Caught closeInbound exc properly");
-                        checkStatus();
-                        /*
-                         * Let the message processing continue to
-                         * handle the alert.
-                         */
-                    }
-                    done = true;
-                } else {
-                    done = true;
-                    System.out.println("Closing ssle1's *OUTBOUND*...");
-                    ssle1.closeOutbound();
-                }
-            }
-        }
-    }
-
-    /*
-     * Check to see if the close generated a close_notify message,
-     * that the result status is sane, and that close again doesn't
-     * generate a new exception.
-     *
-     * We'll consume the wrapped data when we loop back around.
-     */
-    private void checkStatus() throws Exception {
-        System.out.println("\nCalling last wrap");
-        int pos = oneToTwo.position();
-
-        result1 = ssle1.wrap(appOut1, oneToTwo);
-        System.out.println("result1 = " + result1);
-
-        if ((pos >= oneToTwo.position()) ||
-                !result1.getStatus().equals(Status.CLOSED) ||
-                !result1.getHandshakeStatus().equals(
-                    HandshakeStatus.NOT_HANDSHAKING) ||
-                !ssle1.isOutboundDone() ||
-                !ssle1.isInboundDone()) {
-            throw new Exception(result1.toString());
-        }
-        System.out.println("Make sure we don't throw a second SSLException.");
-        ssle1.closeInbound();
-    }
-
-    public static void main(String args[]) throws Exception {
-
-        CloseInboundException test;
-
-        test = new CloseInboundException();
-        test.runTest(false);
-
-        test = new CloseInboundException();
-        test.runTest(true);
-        System.out.println("Test PASSED!!!");
-    }
-
-    /*
-     * **********************************************************
-     * Majority of the test case is above, below is just setup stuff
-     * **********************************************************
-     */
-
-    public CloseInboundException() throws Exception {
-
-        SSLContext sslc = getSSLContext(keyFilename, trustFilename);
-
-        ssle1 = sslc.createSSLEngine("host1", 1);
-        ssle1.setUseClientMode(true);
-
-        ssle2 = sslc.createSSLEngine("host2", 2);
-        ssle2.setUseClientMode(false);
-
-        createBuffers();
-    }
-
-    /*
-     * Create an initialized SSLContext to use for this test.
-     */
-    private SSLContext getSSLContext(String keyFile, String trustFile)
-            throws Exception {
-
-        KeyStore ks = KeyStore.getInstance("JKS");
-        KeyStore ts = KeyStore.getInstance("JKS");
-
-        char[] passphrase = "passphrase".toCharArray();
-
-        ks.load(new FileInputStream(keyFile), passphrase);
-        ts.load(new FileInputStream(trustFile), passphrase);
-
-        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
-        kmf.init(ks, passphrase);
-
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
-        tmf.init(ts);
-
-        SSLContext sslCtx = SSLContext.getInstance("TLS");
-
-        sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-
-        return sslCtx;
-    }
-
-    private void createBuffers() {
-        // Size the buffers as appropriate.
-        SSLSession session = ssle1.getSession();
-        int appBufferMax = session.getApplicationBufferSize();
-        int netBufferMax = session.getPacketBufferSize();
-
-        appIn1 = ByteBuffer.allocateDirect(appBufferMax + 50);
-        appIn2 = ByteBuffer.allocateDirect(appBufferMax + 50);
-
-        oneToTwo = ByteBuffer.allocateDirect(netBufferMax);
-        twoToOne = ByteBuffer.allocateDirect(netBufferMax);
-
-        appOut1 = ByteBuffer.wrap("Hi Engine2, I'm SSLEngine1".getBytes());
-        appOut2 = ByteBuffer.wrap("Hello Engine1, I'm SSLEngine2".getBytes());
-
-        System.out.println("AppOut1 = " + appOut1);
-        System.out.println("AppOut2 = " + appOut2);
-        System.out.println();
-    }
-
-    private static void runDelegatedTasks(SSLEngineResult result,
-            SSLEngine engine) throws Exception {
-
-        if (result.getHandshakeStatus().equals(HandshakeStatus.NEED_TASK)) {
-            Runnable runnable;
-            while ((runnable = engine.getDelegatedTask()) != null) {
-                System.out.println("running delegated task...");
-                runnable.run();
-            }
-        }
-    }
-
-    private static boolean isEngineClosed(SSLEngine engine) {
-        return (engine.isOutboundDone() && engine.isInboundDone());
-    }
-
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/RunStatReqSelect.java	2018-05-11 15:11:51.312458500 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,33 +0,0 @@
-/*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8132943
- * @library ../../../../java/security/testlibrary
- * @build CertificateBuilder SimpleOCSPServer
- * @run main/othervm java.base/sun.security.ssl.StatusReqSelection
- * @summary ServerHandshaker may select non-empty OCSPStatusRequest
- *          structures when Responder ID selection is not supported
- */
-
--- old/test/jdk/sun/security/ssl/StatusStapling/TEST.properties	2018-05-11 15:11:52.280742900 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,6 +0,0 @@
-modules = \
-    java.base/sun.security.provider.certpath \
-    java.base/sun.security.util \
-    java.base/sun.security.x509 \
-    java.base/sun.security.ssl
-bootclasspath.dirs=.
--- old/test/jdk/sun/security/ssl/StatusStapling/TestRun.java	2018-05-11 15:11:53.253091200 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,36 +0,0 @@
-/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @bug 8046321
- * @library ../../../../java/security/testlibrary
- * @build CertificateBuilder SimpleOCSPServer
- * @run main/othervm java.base/sun.security.ssl.CertStatusReqExtensionTests
- * @run main/othervm java.base/sun.security.ssl.CertStatusReqItemV2Tests
- * @run main/othervm java.base/sun.security.ssl.CertStatusReqListV2ExtensionTests
- * @run main/othervm java.base/sun.security.ssl.OCSPStatusRequestTests
- * @run main/othervm -Djavax.net.debug=ssl:respmgr java.base/sun.security.ssl.StatusResponseManagerTests
- * @summary OCSP Stapling for TLS
- */
-
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/BogusStatusRequest.java	2018-05-11 15:11:54.269959700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,41 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-
-final class BogusStatusRequest implements StatusRequest {
-    BogusStatusRequest() { }
-
-    @Override
-    public int length() { return 0; }
-
-    @Override
-    public void send(HandshakeOutStream s) throws IOException { }
-
-    @Override
-    public String toString() {
-        return "BogusStatusRequest";
-    }
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/CertStatusReqExtensionTests.java	2018-05-11 15:11:55.307043600 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,338 +0,0 @@
-/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.util.*;
-import java.nio.ByteBuffer;
-
-/*
- * Checks that the hash value for a certificate's issuer name is generated
- * correctly. Requires any certificate that is not self-signed.
- *
- * NOTE: this test uses Sun private classes which are subject to change.
- */
-public class CertStatusReqExtensionTests {
-
-    private static final boolean debug = false;
-
-    // Default status_request extension (type = ocsp, OCSPStatusRequest
-    // with no responder IDs or extensions
-    private static final byte[] CSRE_DEF_OSR = {1, 0, 0, 0, 0};
-
-    // A status_request extension using a user-defined type (0xFF) and
-    // an underlying no-Responder ID/no-extension OCSPStatusRequest
-    private static final byte[] CSRE_TYPE_FF = {-1, 0, 0, 0, 0};
-
-    // A CertStatusReqExtension with 5 ResponderIds and 1 Extension
-    private static final byte[] CSRE_REQ_RID_EXTS = {
-           1,    0,  -13,    0,   59,  -95,   57,   48,
-          55,   49,   16,   48,   14,    6,    3,   85,
-           4,   10,   19,    7,   83,  111,  109,  101,
-          73,  110,   99,   49,   16,   48,   14,    6,
-           3,   85,    4,   11,   19,    7,   83,  111,
-         109,  101,   80,   75,   73,   49,   17,   48,
-          15,    6,    3,   85,    4,    3,   19,    8,
-          83,  111,  109,  101,   79,   67,   83,   80,
-           0,   68,  -95,   66,   48,   64,   49,   13,
-          48,   11,    6,    3,   85,    4,   10,   19,
-           4,   79,  104,   77,  121,   49,   14,   48,
-          12,    6,    3,   85,    4,   11,   19,    5,
-          66,  101,   97,  114,  115,   49,   15,   48,
-          13,    6,    3,   85,    4,   11,   19,    6,
-          84,  105,  103,  101,  114,  115,   49,   14,
-          48,   12,    6,    3,   85,    4,    3,   19,
-           5,   76,  105,  111,  110,  115,    0,   58,
-         -95,   56,   48,   54,   49,   16,   48,   14,
-           6,    3,   85,    4,   10,   19,    7,   67,
-         111,  109,  112,   97,  110,  121,   49,   13,
-          48,   11,    6,    3,   85,    4,   11,   19,
-           4,   87,  101,  115,  116,   49,   19,   48,
-          17,    6,    3,   85,    4,    3,   19,   10,
-          82,  101,  115,  112,  111,  110,  100,  101,
-         114,   49,    0,   24,  -94,   22,    4,   20,
-         -67,  -36,  114,  121,   92,  -79,  116,   -1,
-         102, -107,    7,  -21,   18, -113,   64,   76,
-          96,   -7,  -66,  -63,    0,   24,  -94,   22,
-           4,   20,  -51,  -69,  107,  -82,  -39,  -87,
-          45,   25,   41,   28,  -76,  -68,  -11, -110,
-         -94,  -97,   62,   47,   58, -125,    0,   51,
-          48,   49,   48,   47,    6,    9,   43,    6,
-           1,    5,    5,    7,   48,    1,    2,    4,
-          34,    4,   32,  -26,  -81, -120,  -61, -127,
-         -79,    0,  -39,  -54,   49,    3,  -51,  -57,
-         -85,   19, -126,   94,   -2,   21,   26,   98,
-           6,  105,  -35,  -37,  -29,  -73,  101,   53,
-          44,   15,  -19
-    };
-
-    public static void main(String[] args) throws Exception {
-        Map<String, TestCase> testList =
-                new LinkedHashMap<String, TestCase>() {{
-            put("CTOR (default)", testCtorDefault);
-            put("CTOR (int, StatusRequest)", testCtorStatReqs);
-            put("CTOR (HandshakeInStream, length, getReqType, getRequest)",
-                    testCtorInStream);
-        }};
-
-        TestUtils.runTests(testList);
-    }
-
-    public static final TestCase testCtorDefault = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                CertStatusReqExtension csreDef = new CertStatusReqExtension();
-                HandshakeOutStream hsout =
-                        new HandshakeOutStream(null);
-                csreDef.send(hsout);
-                TestUtils.valueCheck(wrapExtData(null), hsout.toByteArray());
-
-                // The length should be 4 (2 bytes for the type, 2 for the
-                // encoding of zero-length
-                if (csreDef.length() != 4) {
-                    throw new RuntimeException("Incorrect length from " +
-                            "default object.  Expected 4, got " +
-                            csreDef.length());
-                }
-
-                // Since there's no data, there are no status_type or request
-                // data fields defined.  Both should return null in this case
-                if (csreDef.getType() != null) {
-                    throw new RuntimeException("Default CSRE returned " +
-                            "non-null status_type");
-                } else if (csreDef.getRequest() != null) {
-                    throw new RuntimeException("Default CSRE returned " +
-                            "non-null request object");
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    public static final TestCase testCtorStatReqs = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                HandshakeOutStream hsout =
-                        new HandshakeOutStream(null);
-                StatusRequest basicStatReq = new OCSPStatusRequest();
-
-                // Create an extension using a default-style OCSPStatusRequest
-                // (no responder IDs, no extensions).
-                CertStatusReqExtension csre1 = new CertStatusReqExtension(
-                        StatusRequestType.OCSP, basicStatReq);
-                csre1.send(hsout);
-                TestUtils.valueCheck(wrapExtData(CSRE_DEF_OSR),
-                        hsout.toByteArray());
-                hsout.reset();
-
-                // Create the extension using a StatusRequestType not already
-                // instantiated as a static StatusRequestType
-                // (e.g. OCSP/OCSP_MULTI)
-                CertStatusReqExtension csre2 =
-                        new CertStatusReqExtension(StatusRequestType.get(-1),
-                                basicStatReq);
-                csre2.send(hsout);
-                TestUtils.valueCheck(wrapExtData(CSRE_TYPE_FF),
-                        hsout.toByteArray());
-
-                // Create the extension using a StatusRequest that
-                // does not match the status_type field
-                // This should throw an IllegalArgumentException
-                try {
-                    CertStatusReqExtension csreBadRequest =
-                            new CertStatusReqExtension(StatusRequestType.OCSP,
-                                    new BogusStatusRequest());
-                    throw new RuntimeException("Constructor accepted a " +
-                            "StatusRequest that is inconsistent with " +
-                            "the status_type");
-                } catch (IllegalArgumentException iae) { }
-
-                // We don't allow a null value for the StatusRequestType
-                // parameter in this constructor.
-                try {
-                    CertStatusReqExtension csreBadRequest =
-                            new CertStatusReqExtension(null, basicStatReq);
-                    throw new RuntimeException("Constructor accepted a " +
-                            "null StatusRequestType");
-                } catch (NullPointerException npe) { }
-
-                // We also don't allow a null value for the StatusRequest
-                // parameter in this constructor.
-                try {
-                    CertStatusReqExtension csreBadRequest =
-                            new CertStatusReqExtension(StatusRequestType.OCSP,
-                                    null);
-                    throw new RuntimeException("Constructor accepted a " +
-                            "null StatusRequest");
-                } catch (NullPointerException npe) { }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor that builds the ob ject using data from
-    // a HandshakeInStream
-    // This also tests the length, getReqType and getRequest methods
-    public static final TestCase testCtorInStream = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            OCSPStatusRequest osr;
-
-            try {
-                // To simulate the extension coming in a ServerHello, the
-                // type and length would already be read by HelloExtensions
-                // and there is no extension data
-                HandshakeInStream hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(new byte[0]));
-                CertStatusReqExtension csre =
-                        new CertStatusReqExtension(hsis, hsis.available());
-                // Verify length/type/request
-                if (csre.length() != 4) {
-                     throw new RuntimeException("Invalid length: received " +
-                            csre.length() + ", expected 4");
-                } else if (csre.getType() != null) {
-                    throw new RuntimeException("Non-null type from default " +
-                            "extension");
-                } else if (csre.getRequest() != null) {
-                    throw new RuntimeException("Non-null request from default " +
-                            "extension");
-                }
-
-                // Try the an extension with a default OCSPStatusRequest
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(CSRE_DEF_OSR));
-                csre = new CertStatusReqExtension(hsis, hsis.available());
-                if (csre.length() != (CSRE_DEF_OSR.length + 4)) {
-                    throw new RuntimeException("Invalid length: received " +
-                            csre.length() + ", expected " +
-                            CSRE_DEF_OSR.length + 4);
-                } else if (!csre.getType().equals(StatusRequestType.OCSP)) {
-                    throw new RuntimeException("Unknown status_type: " +
-                            String.format("0x%02X", csre.getType().id));
-                } else {
-                    osr = (OCSPStatusRequest)csre.getRequest();
-                    if (!osr.getResponderIds().isEmpty() ||
-                            !osr.getExtensions().isEmpty()) {
-                        throw new RuntimeException("Non-default " +
-                                "OCSPStatusRequest found in extension");
-                    }
-                }
-
-                // Try with a non-default extension
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(CSRE_REQ_RID_EXTS));
-                csre = new CertStatusReqExtension(hsis, hsis.available());
-                if (csre.length() != (CSRE_REQ_RID_EXTS.length + 4)) {
-                    throw new RuntimeException("Invalid length: received " +
-                            csre.length() + ", expected " +
-                            CSRE_REQ_RID_EXTS.length + 4);
-                } else if (!(csre.getType().equals(StatusRequestType.OCSP))) {
-                    throw new RuntimeException("Unknown status_type: " +
-                            String.format("0x%02X", csre.getType().id));
-                } else {
-                    osr = (OCSPStatusRequest)csre.getRequest();
-                    if (osr.getResponderIds().size() != 5 ||
-                            osr.getExtensions().size() != 1) {
-                        throw new RuntimeException("Incorrect number of " +
-                                "ResponderIds or Extensions found in " +
-                                "OCSPStatusRequest");
-                    }
-                }
-
-                // Create a CSRE that asserts status_request and has the
-                // proper length, but really is a bunch of random junk inside
-                // In this case, it will create an UnknownStatusRequest to
-                // handle the unparseable data.
-                byte[] junkData = new byte[48];
-                Random r = new Random(System.currentTimeMillis());
-                r.nextBytes(junkData);
-                junkData[0] = 7;        // Ensure it isn't a valid status_type
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(junkData));
-                csre = new CertStatusReqExtension(hsis, hsis.available());
-                StatusRequest sr = csre.getRequest();
-                if (!(sr instanceof UnknownStatusRequest)) {
-                    throw new RuntimeException("Expected returned status " +
-                            "request to be of type UnknownStatusRequest but " +
-                            "received " + sr.getClass().getName());
-                } else if (csre.length() != (junkData.length + 4)) {
-                    throw new RuntimeException("Invalid length: received " +
-                            csre.length() + ", expected " +
-                            junkData.length + 4);
-                }
-
-                // Set the leading byte to 1 (OCSP type) and run again
-                // It should pass the argument check and fail trying to parse
-                // the underlying StatusRequest.
-                junkData[0] = (byte)StatusRequestType.OCSP.id;
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(junkData));
-                try {
-                    csre = new CertStatusReqExtension(hsis, hsis.available());
-                    throw new RuntimeException("Expected CTOR exception did " +
-                            "not occur");
-                } catch (IOException ioe) { }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Take CSRE extension data and add extension type and length decorations
-    private static byte[] wrapExtData(byte[] extData) {
-        int bufferLen = (extData != null ? extData.length : 0) + 4;
-        ByteBuffer bb = ByteBuffer.allocate(bufferLen);
-        bb.putShort((short)ExtensionType.EXT_STATUS_REQUEST.id);
-        bb.putShort((short)(extData != null ? extData.length: 0));
-        if (extData != null) {
-            bb.put(extData);
-        }
-        return bb.array();
-    }
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/CertStatusReqItemV2Tests.java	2018-05-11 15:11:56.317705700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,455 +0,0 @@
-/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.security.cert.*;
-import java.util.*;
-import java.nio.ByteBuffer;
-import javax.net.ssl.SSLException;
-import javax.security.auth.x500.X500Principal;
-import sun.security.provider.certpath.ResponderId;
-import sun.security.provider.certpath.OCSPNonceExtension;
-
-/*
- * Checks that the hash value for a certificate's issuer name is generated
- * correctly. Requires any certificate that is not self-signed.
- *
- * NOTE: this test uses Sun private classes which are subject to change.
- */
-public class CertStatusReqItemV2Tests {
-
-    private static final boolean debug = false;
-
-    private static final byte[] DEF_CSRIV2_OCSP_MULTI_BYTES = {
-           2,    0,    4,    0,    0,    0,    0
-    };
-
-    private static final byte[] DEF_CSRIV2_OCSP_BYTES = {
-           1,    0,    4,    0,    0,    0,    0
-    };
-
-    // This is a CSRIV2 (ocsp_multi) that has a single
-    // responder ID and no extensions.
-    private static final byte[] CSRIV2_1RID = {
-            2,    0,   32,     0,   28,    0,   26,  -95,
-           24,   48,   22,    49,   20,   48,   18,    6,
-            3,   85,    4,     3,   19,   11,   79,   67,
-           83,   80,   32,    83,  105,  103,  110,  101,
-          114,    0 ,   0
-    };
-
-    // This is a CSRIV2 (ocsp_multi) that has a single
-    // responder ID and no extensions.  The request_length
-    // field is too short in this case.
-    private static final byte[] CSRIV2_LENGTH_TOO_SHORT = {
-            2,    0,   27,     0,   28,    0,   26,  -95,
-           24,   48,   22,    49,   20,   48,   18,    6,
-            3,   85,    4,     3,   19,   11,   79,   67,
-           83,   80,   32,    83,  105,  103,  110,  101,
-          114,    0 ,   0
-    };
-
-    // This is a CSRIV2 (ocsp_multi) that has a single
-    // responder ID and no extensions.  The request_length
-    // field is too long in this case.
-    private static final byte[] CSRIV2_LENGTH_TOO_LONG = {
-            2,    0,   54,     0,   28,    0,   26,  -95,
-           24,   48,   22,    49,   20,   48,   18,    6,
-            3,   85,    4,     3,   19,   11,   79,   67,
-           83,   80,   32,    83,  105,  103,  110,  101,
-          114,    0 ,   0
-    };
-
-    // A CSRIV2 (ocsp) with one Responder ID (byName: CN=OCSP Signer)
-    // and a nonce extension (32 bytes).
-    private static final byte[] CSRIV2_OCSP_1RID_1EXT = {
-            1,    0,   83,    0,   28,    0,   26,  -95,
-           24,   48,   22,   49,   20,   48,   18,    6,
-            3,   85,    4,    3,   19,   11,   79,   67,
-           83,   80,   32,   83,  105,  103,  110,  101,
-          114,    0,   51,   48,   49,   48,   47,    6,
-            9,   43,    6,    1,    5,    5,    7,   48,
-            1,    2,    4,   34,    4,   32,  -34,  -83,
-          -66,  -17,  -34,  -83,  -66,  -17,  -34,  -83,
-          -66,  -17,  -34,  -83,  -66,  -17,  -34,  -83,
-          -66,  -17,  -34,  -83,  -66,  -17,  -34,  -83,
-          -66,  -17,  -34,  -83,  -66,  -17
-    };
-
-    public static void main(String[] args) throws Exception {
-        Map<String, TestCase> testList =
-                new LinkedHashMap<String, TestCase>() {{
-            put("CTOR (Default)", testCtorTypeStatReq);
-            put("CTOR (Byte array)", testCtorByteArray);
-            put("CTOR (invalid lengths)", testCtorInvalidLengths);
-        }};
-
-        TestUtils.runTests(testList);
-    }
-
-    public static final TestCase testCtorTypeStatReq = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                // Attempt to create CSRIv2 objects using null pointers
-                // for either parameter.  In either case NPE should be thrown
-                CertStatusReqItemV2 csriNull;
-                try {
-                    csriNull = new CertStatusReqItemV2(null,
-                            new OCSPStatusRequest());
-                    throw new RuntimeException("Did not catch expected NPE " +
-                            "for null status_type parameter");
-                } catch (NullPointerException npe) { }
-
-                try {
-                    csriNull = new CertStatusReqItemV2(StatusRequestType.OCSP,
-                            null);
-                    throw new RuntimeException("Did not catch expected NPE " +
-                            "for null StatusRequest parameter");
-                } catch (NullPointerException npe) { }
-
-                // Create an "ocsp_multi" type request using a default
-                // (no Responder IDs, no Extensions) OCSPStatusRequest
-                CertStatusReqItemV2 csriMulti =
-                        new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                                new OCSPStatusRequest());
-                HandshakeOutStream hsout = new HandshakeOutStream(null);
-                csriMulti.send(hsout);
-                TestUtils.valueCheck(DEF_CSRIV2_OCSP_MULTI_BYTES,
-                        hsout.toByteArray());
-                hsout.reset();
-
-                // Create an "ocsp" type request using a default
-                // (no Responder IDs, no Extensions) OCSPStatusRequest
-                CertStatusReqItemV2 csriSingle =
-                        new CertStatusReqItemV2(StatusRequestType.OCSP,
-                                new OCSPStatusRequest(new LinkedList<>(),
-                                        new LinkedList<>()));
-                csriSingle.send(hsout);
-                TestUtils.valueCheck(DEF_CSRIV2_OCSP_BYTES,
-                        hsout.toByteArray());
-
-                // Create the CertStatusRequestItemV2 with a user-defined
-                // StatusRequestType value
-                CertStatusReqItemV2 csriNine =
-                        new CertStatusReqItemV2(StatusRequestType.get(9),
-                                new OCSPStatusRequest(null, null));
-                if (csriNine.getType().id != 9) {
-                    throw new RuntimeException("Expected status_type = 9, " +
-                            "got " + csriNine.getType().id);
-                } else {
-                    StatusRequest sr = csriNine.getRequest();
-                    if (!(sr instanceof OCSPStatusRequest)) {
-                        throw new RuntimeException("Expected " +
-                                "OCSPStatusRequest, got " +
-                                sr.getClass().getName());
-                    }
-                }
-
-                // Create the CertStatusRequestItemV2 with a StatusRequest
-                // that does not match the status_type argument.
-                // We expect IllegalArgumentException in this case.
-                try {
-                    CertStatusReqItemV2 csriBadSR = new CertStatusReqItemV2(
-                            StatusRequestType.OCSP_MULTI,
-                            new BogusStatusRequest());
-                    throw new RuntimeException("Constructor accepted a " +
-                            "StatusRequest that is inconsistent with " +
-                            "the status_type");
-                } catch (IllegalArgumentException iae) {
-                    // The expected result...nothing to do here
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor form that takes the data from a byte array
-    public static final TestCase testCtorByteArray = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                StatusRequestType sType;
-                StatusRequest sReq;
-                ResponderId checkRid =
-                        new ResponderId(new X500Principal("CN=OCSP Signer"));
-                Extension checkExt = new OCSPNonceExtension(32);
-
-                CertStatusReqItemV2 csriv =
-                        new CertStatusReqItemV2(CSRIV2_OCSP_1RID_1EXT);
-                sType = csriv.getType();
-                if (sType != StatusRequestType.OCSP) {
-                    throw new RuntimeException("Unexpected StatusRequestType " +
-                            sType.getClass().getName());
-                }
-
-                sReq = csriv.getRequest();
-                if (sReq instanceof OCSPStatusRequest) {
-                    OCSPStatusRequest osr = (OCSPStatusRequest)sReq;
-                    List<ResponderId> ridList = osr.getResponderIds();
-                    List<Extension> extList = osr.getExtensions();
-
-                    if (ridList.size() != 1 || !ridList.contains(checkRid)) {
-                        throw new RuntimeException("Responder list mismatch");
-                    } else if (extList.size() !=  1 ||
-                            !extList.get(0).getId().equals(checkExt.getId())) {
-                        throw new RuntimeException("Extension list mismatch");
-                    }
-                } else {
-                    throw new RuntimeException("Expected OCSPStatusRequest " +
-                            "from decoded bytes, got " +
-                            sReq.getClass().getName());
-                }
-
-                // Create a CSRIV2 out of random data.  A non-OCSP/OCSP_MULTI
-                // type will be forcibly set and the outer length field will
-                // be correct.
-                // The constructor should create a StatusRequestType object
-                // and an UnknownStatusRequest object consisting of the
-                // data segment.
-                byte[] junkData = new byte[48];
-                Random r = new Random(System.currentTimeMillis());
-                r.nextBytes(junkData);
-                junkData[0] = 7;        // status_type = 7
-                junkData[1] = 0;
-                junkData[2] = 45;       // request_length = 45
-                csriv = new CertStatusReqItemV2(junkData);
-
-                sType = csriv.getType();
-                sReq = csriv.getRequest();
-                if (sType.id != junkData[0]) {
-                    throw new RuntimeException("StatusRequestType mismatch: " +
-                            "expected 7, got " + sType.id);
-                }
-                if (sReq instanceof UnknownStatusRequest) {
-                    // Verify the underlying StatusRequest bytes have been
-                    // preserved correctly.
-                    HandshakeOutStream hsout = new HandshakeOutStream(null);
-                    sReq.send(hsout);
-                    byte[] srDataOut = hsout.toByteArray();
-                    TestUtils.valueCheck(srDataOut, junkData, 0, 3,
-                            srDataOut.length);
-                } else {
-                    throw new RuntimeException("StatusRequest mismatch: " +
-                            "expected UnknownStatusRequest, got " +
-                            sReq.getClass().getName());
-                }
-
-                // Test the parsing of the default OCSP/OCSP_MULTI extensions
-                // and make sure the underlying StatusRequestType and
-                // StatusRequest objects are correct.
-                csriv = new CertStatusReqItemV2(DEF_CSRIV2_OCSP_MULTI_BYTES);
-                sType = csriv.getType();
-                sReq = csriv.getRequest();
-                if (sType != StatusRequestType.OCSP_MULTI) {
-                    throw new RuntimeException("StatusRequestType mismatch: " +
-                            "expected OCSP_MULTI (2), got " + sType.id);
-                }
-                if (!(sReq instanceof OCSPStatusRequest)) {
-                    throw new RuntimeException("StatusRequest mismatch: " +
-                            "expected OCSPStatusRequest, got " +
-                            sReq.getClass().getName());
-                }
-
-                csriv = new CertStatusReqItemV2(DEF_CSRIV2_OCSP_BYTES);
-                sType = csriv.getType();
-                sReq = csriv.getRequest();
-                if (sType != StatusRequestType.OCSP) {
-                    throw new RuntimeException("StatusRequestType mismatch: " +
-                            "expected OCSP (1), got " + sType.id);
-                }
-                if (!(sReq instanceof OCSPStatusRequest)) {
-                    throw new RuntimeException("StatusRequest mismatch: " +
-                            "expected OCSPStatusRequest, got " +
-                            sReq.getClass().getName());
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    public static final TestCase testCtorInvalidLengths = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                try {
-                    CertStatusReqItemV2 csriTooShort =
-                            new CertStatusReqItemV2(CSRIV2_LENGTH_TOO_SHORT);
-                    throw new RuntimeException("Expected exception not thrown");
-                } catch (SSLException ssle) { }
-
-                try {
-                    CertStatusReqItemV2 csriTooLong =
-                            new CertStatusReqItemV2(CSRIV2_LENGTH_TOO_LONG);
-                    throw new RuntimeException("Expected exception not thrown");
-                } catch (SSLException ssle) { }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor form that takes the data from HandshakeInputStream
-    public static final TestCase testCtorInputStream = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                StatusRequestType sType;
-                StatusRequest sReq;
-                ResponderId checkRid =
-                        new ResponderId(new X500Principal("CN=OCSP Signer"));
-                Extension checkExt = new OCSPNonceExtension(32);
-
-                HandshakeInStream hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(CSRIV2_OCSP_1RID_1EXT));
-                CertStatusReqItemV2 csriv = new CertStatusReqItemV2(hsis);
-                sType = csriv.getType();
-                if (sType != StatusRequestType.OCSP) {
-                    throw new RuntimeException("Unexpected StatusRequestType " +
-                            sType.getClass().getName());
-                }
-
-                sReq = csriv.getRequest();
-                if (sReq instanceof OCSPStatusRequest) {
-                    OCSPStatusRequest osr = (OCSPStatusRequest)sReq;
-                    List<ResponderId> ridList = osr.getResponderIds();
-                    List<Extension> extList = osr.getExtensions();
-
-                    if (ridList.size() != 1 || !ridList.contains(checkRid)) {
-                        throw new RuntimeException("Responder list mismatch");
-                    } else if (extList.size() !=  1 ||
-                            !extList.get(0).getId().equals(checkExt.getId())) {
-                        throw new RuntimeException("Extension list mismatch");
-                    }
-                } else {
-                    throw new RuntimeException("Expected OCSPStatusRequest " +
-                            "from decoded bytes, got " +
-                            sReq.getClass().getName());
-                }
-
-                // Create a CSRIV2 out of random data.  A non-OCSP/OCSP_MULTI
-                // type will be forcibly set and the outer length field will
-                // be correct.
-                // The constructor should create a StatusRequestType object
-                // and an UnknownStatusRequest object consisting of the
-                // data segment.
-                byte[] junkData = new byte[48];
-                Random r = new Random(System.currentTimeMillis());
-                r.nextBytes(junkData);
-                junkData[0] = 7;        // status_type = 7
-                junkData[1] = 0;
-                junkData[2] = 45;       // request_length = 45
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(junkData));
-                csriv = new CertStatusReqItemV2(hsis);
-
-                sType = csriv.getType();
-                sReq = csriv.getRequest();
-                if (sType.id != junkData[0]) {
-                    throw new RuntimeException("StatusRequestType mismatch: " +
-                            "expected 7, got " + sType.id);
-                }
-                if (sReq instanceof UnknownStatusRequest) {
-                    // Verify the underlying StatusRequest bytes have been
-                    // preserved correctly.
-                    HandshakeOutStream hsout = new HandshakeOutStream(null);
-                    sReq.send(hsout);
-                    byte[] srDataOut = hsout.toByteArray();
-                    TestUtils.valueCheck(srDataOut, junkData, 0, 3,
-                            srDataOut.length);
-                } else {
-                    throw new RuntimeException("StatusRequest mismatch: " +
-                            "expected UnknownStatusRequest, got " +
-                            sReq.getClass().getName());
-                }
-
-                // Test the parsing of the default OCSP/OCSP_MULTI extensions
-                // and make sure the underlying StatusRequestType and
-                // StatusRequest objects are correct.
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(
-                        ByteBuffer.wrap(DEF_CSRIV2_OCSP_MULTI_BYTES));
-                csriv = new CertStatusReqItemV2(hsis);
-                sType = csriv.getType();
-                sReq = csriv.getRequest();
-                if (sType != StatusRequestType.OCSP_MULTI) {
-                    throw new RuntimeException("StatusRequestType mismatch: " +
-                            "expected OCSP_MULTI (2), got " + sType.id);
-                }
-                if (!(sReq instanceof OCSPStatusRequest)) {
-                    throw new RuntimeException("StatusRequest mismatch: " +
-                            "expected OCSPStatusRequest, got " +
-                            sReq.getClass().getName());
-                }
-
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(DEF_CSRIV2_OCSP_BYTES));
-                csriv = new CertStatusReqItemV2(hsis);
-                sType = csriv.getType();
-                sReq = csriv.getRequest();
-                if (sType != StatusRequestType.OCSP) {
-                    throw new RuntimeException("StatusRequestType mismatch: " +
-                            "expected OCSP (1), got " + sType.id);
-                }
-                if (!(sReq instanceof OCSPStatusRequest)) {
-                    throw new RuntimeException("StatusRequest mismatch: " +
-                            "expected OCSPStatusRequest, got " +
-                            sReq.getClass().getName());
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/CertStatusReqListV2ExtensionTests.java	2018-05-11 15:11:57.323321700 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,405 +0,0 @@
-/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.util.*;
-import java.nio.ByteBuffer;
-import javax.net.ssl.*;
-
-/*
- * Checks that the hash value for a certificate's issuer name is generated
- * correctly. Requires any certificate that is not self-signed.
- *
- * NOTE: this test uses Sun private classes which are subject to change.
- */
-public class CertStatusReqListV2ExtensionTests {
-
-    private static final boolean debug = false;
-
-    // Default status_request_v2 extension with two items
-    // 1. Type = ocsp_multi, OCSPStatusRequest is default
-    // 2. Type = ocsp, OCSPStatusRequest is default
-    private static final byte[] CSRLV2_DEF = {
-           0,   14,    2,    0,    4,    0,    0,    0,
-           0,    1,    0,    4,    0,    0,    0,    0
-    };
-
-    // A status_request_v2 where the item list length is
-    // longer than the provided data
-    private static final byte[] CSRLV2_LEN_TOO_LONG = {
-           0,   18,    2,    0,    4,    0,    0,    0,
-           0,    1,    0,    4,    0,    0,    0,    0
-    };
-
-    // A status_request_v2 where the item list length is
-    // shorter than the provided data
-    private static final byte[] CSRLV2_LEN_TOO_SHORT = {
-           0,   11,    2,    0,    4,    0,    0,    0,
-           0,    1,    0,    4,    0,    0,    0,    0
-    };
-
-    // A status_request_v2 extension with a zero-length
-    // certificate_status_req_list (not allowed by the spec)
-    private static final byte[] CSRLV2_INVALID_ZEROLEN = {0, 0};
-
-    // A status_request_v2 extension with two items (ocsp_multi and ocsp)
-    // using OCSPStatusRequests with 5 ResponderIds and 1 Extension each.
-    private static final byte[] CSRLV2_TWO_NON_DEF_ITEMS = {
-            2,   90,    2,    1,   42,    0,  -13,    0,
-           59,  -95,   57,   48,   55,   49,   16,   48,
-           14,    6,    3,   85,    4,   10,   19,    7,
-           83,  111,  109,  101,   73,  110,   99,   49,
-           16,   48,   14,    6,    3,   85,    4,   11,
-           19,    7,   83,  111,  109,  101,   80,   75,
-           73,   49,   17,   48,   15,    6,    3,   85,
-            4,    3,   19,    8,   83,  111,  109,  101,
-           79,   67,   83,   80,    0,   68,  -95,   66,
-           48,   64,   49,   13,   48,   11,    6,    3,
-           85,    4,   10,   19,    4,   79,  104,   77,
-          121,   49,   14,   48,   12,    6,    3,   85,
-            4,   11,   19,    5,   66,  101,   97,  114,
-          115,   49,   15,   48,   13,    6,    3,   85,
-            4,   11,   19,    6,   84,  105,  103,  101,
-          114,  115,   49,   14,   48,   12,    6,    3,
-           85,    4,    3,   19,    5,   76,  105,  111,
-          110,  115,    0,   58,  -95,   56,   48,   54,
-           49,   16,   48,   14,    6,    3,   85,    4,
-           10,   19,    7,   67,  111,  109,  112,   97,
-          110,  121,   49,   13,   48,   11,    6,    3,
-           85,    4,   11,   19,    4,   87,  101,  115,
-          116,   49,   19,   48,   17,    6,    3,   85,
-            4,    3,   19,   10,   82,  101,  115,  112,
-          111,  110,  100,  101,  114,   49,    0,   24,
-          -94,   22,    4,   20,  -67,  -36,  114,  121,
-           92,  -79,  116,   -1,  102, -107,    7,  -21,
-           18, -113,   64,   76,   96,   -7,  -66,  -63,
-            0,   24,  -94,   22,    4,   20,  -51,  -69,
-          107,  -82,  -39,  -87,   45,   25,   41,   28,
-          -76,  -68,  -11, -110,  -94,  -97,   62,   47,
-           58, -125,    0,   51,   48,   49,   48,   47,
-            6,    9,   43,    6,    1,    5,    5,    7,
-           48,    1,    2,    4,   34,    4,   32,  -26,
-          -81, -120,  -61, -127,  -79,    0,  -39,  -54,
-           49,    3,  -51,  -57,  -85,   19, -126,   94,
-           -2,   21,   26,   98,    6,  105,  -35,  -37,
-          -29,  -73,  101,   53,   44,   15,  -19,    1,
-            1,   42,    0,  -13,    0,   59,  -95,   57,
-           48,   55,   49,   16,   48,   14,    6,    3,
-           85,    4,   10,   19,    7,   83,  111,  109,
-          101,   73,  110,   99,   49,   16,   48,   14,
-            6,    3,   85,    4,   11,   19,    7,   83,
-          111,  109,  101,   80,   75,   73,   49,   17,
-           48,   15,    6,    3,   85,    4,    3,   19,
-            8,   83,  111,  109,  101,   79,   67,   83,
-           80,    0,   68,  -95,   66,   48,   64,   49,
-           13,   48,   11,    6,    3,   85,    4,   10,
-           19,    4,   79,  104,   77,  121,   49,   14,
-           48,   12,    6,    3,   85,    4,   11,   19,
-            5,   66,  101,   97,  114,  115,   49,   15,
-           48,   13,    6,    3,   85,    4,   11,   19,
-            6,   84,  105,  103,  101,  114,  115,   49,
-           14,   48,   12,    6,    3,   85,    4,    3,
-           19,    5,   76,  105,  111,  110,  115,    0,
-           58,  -95,   56,   48,   54,   49,   16,   48,
-           14,    6,    3,   85,    4,   10,   19,    7,
-           67,  111,  109,  112,   97,  110,  121,   49,
-           13,   48,   11,    6,    3,   85,    4,   11,
-           19,    4,   87,  101,  115,  116,   49,   19,
-           48,   17,    6,    3,   85,    4,    3,   19,
-           10,   82,  101,  115,  112,  111,  110,  100,
-          101,  114,   49,    0,   24,  -94,   22,    4,
-           20,  -67,  -36,  114,  121,   92,  -79,  116,
-           -1,  102, -107,    7,  -21,   18, -113,   64,
-           76,   96,   -7,  -66,  -63,    0,   24,  -94,
-           22,    4,   20,  -51,  -69,  107,  -82,  -39,
-          -87,   45,   25,   41,   28,  -76,  -68,  -11,
-         -110,  -94,  -97,   62,   47,   58, -125,    0,
-           51,   48,   49,   48,   47,    6,    9,   43,
-            6,    1,    5,    5,    7,   48,    1,    2,
-            4,   34,    4,   32,  -26,  -81, -120,  -61,
-         -127,  -79,    0,  -39,  -54,   49,    3,  -51,
-          -57,  -85,   19, -126,   94,   -2,   21,   26,
-           98,    6,  105,  -35,  -37,  -29,  -73,  101,
-           53,   44,   15,  -19
-    };
-
-    public static void main(String[] args) throws Exception {
-        Map<String, TestCase> testList =
-                new LinkedHashMap<String, TestCase>() {{
-            put("CTOR (default)", testCtorDefault);
-            put("CTOR (List<CertStatusReqItemV2)", testCtorItemList);
-            put("CTOR (HandshakeInStream, getRequestList",
-                    testCtorInStream);
-        }};
-
-        TestUtils.runTests(testList);
-    }
-
-    public static final TestCase testCtorDefault = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                CertStatusReqListV2Extension csrlV2 =
-                        new CertStatusReqListV2Extension();
-                HandshakeOutStream hsout = new HandshakeOutStream(null);
-                csrlV2.send(hsout);
-                TestUtils.valueCheck(wrapExtData(new byte[0]),
-                        hsout.toByteArray());
-
-                // The length should be 4 (2 bytes for the type, 2 for the
-                // encoding of zero-length
-                if (csrlV2.length() != 4) {
-                    throw new RuntimeException("Incorrect length from " +
-                            "default object.  Expected 4, got " +
-                            csrlV2.length());
-                }
-
-                // Since there's no data, there are no status_type or request
-                // data fields defined.  An empty, unmodifiable list should be
-                // returned when obtained from the extension.
-                List<CertStatusReqItemV2> itemList = csrlV2.getRequestItems();
-                if (!itemList.isEmpty()) {
-                    throw new RuntimeException("Default CSRLV2 returned " +
-                            "non-empty request list");
-                } else {
-                    try {
-                        itemList.add(new CertStatusReqItemV2(
-                                StatusRequestType.OCSP_MULTI,
-                                new OCSPStatusRequest()));
-                        throw new RuntimeException("Returned itemList is " +
-                                "modifiable!");
-                    } catch (UnsupportedOperationException uoe) { }
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    public static final TestCase testCtorItemList = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            OCSPStatusRequest osr = new OCSPStatusRequest();
-            List<CertStatusReqItemV2> noItems = Collections.emptyList();
-            List<CertStatusReqItemV2> defList =
-                    new ArrayList<CertStatusReqItemV2>() {{
-                add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI, osr));
-                add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
-            }};
-            List<CertStatusReqItemV2> unknownTypesList =
-                    new ArrayList<CertStatusReqItemV2>() {{
-                add(new CertStatusReqItemV2(StatusRequestType.get(8),
-                        new UnknownStatusRequest(new byte[0])));
-                add(new CertStatusReqItemV2(StatusRequestType.get(12),
-                        new UnknownStatusRequest(new byte[5])));
-            }};
-
-            try {
-                HandshakeOutStream hsout = new HandshakeOutStream(null);
-                StatusRequest basicStatReq = new OCSPStatusRequest();
-
-                // Create an extension using a default-style OCSPStatusRequest
-                // (no responder IDs, no extensions).
-                CertStatusReqListV2Extension csrlv2 =
-                        new CertStatusReqListV2Extension(defList);
-                csrlv2.send(hsout);
-                TestUtils.valueCheck(wrapExtData(CSRLV2_DEF),
-                        hsout.toByteArray());
-                hsout.reset();
-
-                // Create the extension using a StatusRequestType not already
-                // instantiated as a static StatusRequestType
-                // (e.g. OCSP/OCSP_MULTI)
-                csrlv2 = new CertStatusReqListV2Extension(unknownTypesList);
-                List<CertStatusReqItemV2> itemList = csrlv2.getRequestItems();
-                if (itemList.size() != unknownTypesList.size()) {
-                    throw new RuntimeException("Custom CSRLV2 returned " +
-                            "an incorrect number of items: expected " +
-                            unknownTypesList.size() + ", got " +
-                            itemList.size());
-                } else {
-                    // Verify that the list is unmodifiable
-                    try {
-                        itemList.add(new CertStatusReqItemV2(
-                                StatusRequestType.OCSP_MULTI,
-                                new OCSPStatusRequest()));
-                        throw new RuntimeException("Returned itemList is " +
-                                "modifiable!");
-                    } catch (UnsupportedOperationException uoe) { }
-                }
-
-                // Pass a null value for the item list.  This should throw
-                // an exception
-                try {
-                    CertStatusReqListV2Extension csrlv2Null =
-                            new CertStatusReqListV2Extension(null);
-                    throw new RuntimeException("Constructor accepted a " +
-                            "null request list");
-                } catch (NullPointerException npe) { }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor that builds the ob ject using data from
-    // a HandshakeInStream
-    // This also tests the length, getReqType and getRequest methods
-    public static final TestCase testCtorInStream = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            OCSPStatusRequest osr;
-            CertStatusReqListV2Extension csrlv2;
-
-            try {
-                // To simulate the extension coming in a ServerHello, the
-                // type and length would already be read by HelloExtensions
-                // and there is no extension data
-                HandshakeInStream hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(new byte[0]));
-                csrlv2 = new CertStatusReqListV2Extension(hsis,
-                        hsis.available());
-
-                // Verify length/request list
-                if (csrlv2.length() != 4) {
-                     throw new RuntimeException("Invalid length: received " +
-                            csrlv2.length() + ", expected 4");
-                } else {
-                    List<CertStatusReqItemV2> itemList =
-                            csrlv2.getRequestItems();
-                    if (!itemList.isEmpty()) {
-                        throw new RuntimeException("Default CSRLV2 returned " +
-                                "non-empty request list");
-                    } else {
-                        try {
-                            itemList.add(new CertStatusReqItemV2(
-                                    StatusRequestType.OCSP_MULTI,
-                                    new OCSPStatusRequest()));
-                            throw new RuntimeException("Returned itemList is " +
-                                    "modifiable!");
-                        } catch (UnsupportedOperationException uoe) { }
-                    }
-                }
-
-                // Try the an extension with our basic client-generated
-                // status_request_v2 (2 items, ocsp_multi and ocsp, each with
-                // a default OCSPStatusRequest
-                hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(CSRLV2_DEF));
-                csrlv2 = new CertStatusReqListV2Extension(hsis,
-                        hsis.available());
-                if (csrlv2.length() != (CSRLV2_DEF.length + 4)) {
-                    throw new RuntimeException("Invalid length: received " +
-                            csrlv2.length() + ", expected " +
-                            CSRLV2_DEF.length + 4);
-                } else {
-                    List<CertStatusReqItemV2> itemList =
-                            csrlv2.getRequestItems();
-                    if (itemList.size() != 2) {
-                        throw new RuntimeException("Unexpected number of " +
-                                "items request list, expected 2, got " +
-                                itemList.size());
-                    } else {
-                        try {
-                            itemList.add(new CertStatusReqItemV2(
-                                    StatusRequestType.OCSP_MULTI,
-                                    new OCSPStatusRequest()));
-                            throw new RuntimeException("Returned itemList is " +
-                                    "modifiable!");
-                        } catch (UnsupportedOperationException uoe) { }
-                    }
-                }
-
-                // Try incoming data with an illegal zero-length
-                // certificate_status_req_list
-                try {
-                    hsis = new HandshakeInStream();
-                    hsis.incomingRecord(
-                            ByteBuffer.wrap(CSRLV2_INVALID_ZEROLEN));
-                    csrlv2 = new CertStatusReqListV2Extension(hsis,
-                            hsis.available());
-                    throw new RuntimeException("Unxpected successful " +
-                            "object construction");
-                } catch (SSLException ssle) { }
-
-                // Try extensions where the certificate_status_req_list length
-                // is either too long or too short
-                try {
-                    hsis = new HandshakeInStream();
-                    hsis.incomingRecord(ByteBuffer.wrap(CSRLV2_LEN_TOO_LONG));
-                    csrlv2 = new CertStatusReqListV2Extension(hsis,
-                            hsis.available());
-                    throw new RuntimeException("Unxpected successful " +
-                            "object construction");
-                } catch (SSLException ssle) { }
-
-                try {
-                    hsis = new HandshakeInStream();
-                    hsis.incomingRecord(ByteBuffer.wrap(CSRLV2_LEN_TOO_SHORT));
-                    csrlv2 = new CertStatusReqListV2Extension(hsis,
-                            hsis.available());
-                    throw new RuntimeException("Unxpected successful " +
-                            "object construction");
-                } catch (SSLException ssle) { }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Take CSRE extension data and add extension type and length decorations
-    private static byte[] wrapExtData(byte[] extData) {
-        int bufferLen = extData.length + 4;
-        ByteBuffer bb = ByteBuffer.allocate(bufferLen);
-
-        bb.putShort((short)ExtensionType.EXT_STATUS_REQUEST_V2.id);
-        bb.putShort((short)extData.length);
-        if (extData.length != 0) {
-            bb.put(extData);
-        }
-        return bb.array();
-    }
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/OCSPStatusRequestTests.java	2018-05-11 15:11:58.360902400 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,332 +0,0 @@
-/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.security.cert.*;
-import java.util.*;
-import java.nio.ByteBuffer;
-import javax.security.auth.x500.X500Principal;
-import sun.security.provider.certpath.ResponderId;
-import sun.security.provider.certpath.OCSPNonceExtension;
-
-/*
- * Checks that the hash value for a certificate's issuer name is generated
- * correctly. Requires any certificate that is not self-signed.
- *
- * NOTE: this test uses Sun private classes which are subject to change.
- */
-public class OCSPStatusRequestTests {
-
-    private static final boolean debug = false;
-
-    // The default (no Responder IDs or Extensions)
-    private static final byte[] DEF_OCSPREQ_BYTES = { 0, 0, 0, 0 };
-
-    // OCSP Extension with one Responder ID (byName: CN=OCSP Signer) and
-    // a nonce extension (32 bytes).
-    private static final byte[] OCSPREQ_1RID_1EXT = {
-            0,   28,    0,   26,  -95,   24,   48,   22,
-           49,   20,   48,   18,    6,    3,   85,    4,
-            3,   19,   11,   79,   67,   83,   80,   32,
-           83,  105,  103,  110,  101,  114,    0,   51,
-           48,   49,   48,   47,    6,    9,   43,    6,
-            1,    5,    5,    7,   48,    1,    2,    4,
-           34,    4,   32,  -34,  -83,  -66,  -17,  -34,
-          -83,  -66,  -17,  -34,  -83,  -66,  -17,  -34,
-          -83,  -66,  -17,  -34,  -83,  -66,  -17,  -34,
-          -83,  -66,  -17,  -34,  -83,  -66,  -17,  -34,
-          -83,  -66,  -17
-    };
-
-    public static void main(String[] args) throws Exception {
-        Map<String, TestCase> testList =
-                new LinkedHashMap<String, TestCase>() {{
-            put("CTOR (default)", testCtorDefault);
-            put("CTOR (Responder Id and Extension)", testCtorRidsExts);
-            put("CTOR (HandshakeInStream)", testCtorInStream);
-            put("CTOR (byte array)", testCtorByteArray);
-            put("Length tests", testLength);
-            put("Equals tests", testEquals);
-        }};
-
-        TestUtils.runTests(testList);
-    }
-
-    // Test the default constructor and its encoding
-    public static final TestCase testCtorDefault = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                // Create a OCSPStatusRequest with a single ResponderId
-                // and Extension
-                OCSPStatusRequest osrDefault = new OCSPStatusRequest();
-                HandshakeOutStream hsout = new HandshakeOutStream(null);
-                osrDefault.send(hsout);
-                System.out.println("Encoded Result:");
-                TestUtils.dumpBytes(hsout.toByteArray());
-
-                TestUtils.valueCheck(DEF_OCSPREQ_BYTES, hsout.toByteArray());
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor form that allows the user to specify zero
-    // or more ResponderId objects and/or Extensions
-    public static final TestCase testCtorRidsExts = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                List<ResponderId> ridList = new LinkedList<ResponderId>() {{
-                    add(new ResponderId(new X500Principal("CN=OCSP Signer")));
-                }};
-                List<Extension> extList = new LinkedList<Extension>() {{
-                    add(new OCSPNonceExtension(32));
-                }};
-
-                // Default-style OCSPStatusRequest using both empty Lists and
-                // null inputs
-                OCSPStatusRequest osrDef1 =
-                        new OCSPStatusRequest(new LinkedList<ResponderId>(),
-                                null);
-                OCSPStatusRequest osrDef2 =
-                        new OCSPStatusRequest(null,
-                                new LinkedList<Extension>());
-                HandshakeOutStream hsout = new HandshakeOutStream(null);
-                osrDef1.send(hsout);
-                System.out.println("Encoded Result:");
-                TestUtils.dumpBytes(hsout.toByteArray());
-                TestUtils.valueCheck(DEF_OCSPREQ_BYTES, hsout.toByteArray());
-
-                hsout.reset();
-                osrDef2.send(hsout);
-                System.out.println("Encoded Result:");
-                TestUtils.dumpBytes(hsout.toByteArray());
-                TestUtils.valueCheck(DEF_OCSPREQ_BYTES, hsout.toByteArray());
-
-                hsout.reset();
-                OCSPStatusRequest osrWithItems =
-                        new OCSPStatusRequest(ridList, extList);
-                osrWithItems.send(hsout);
-                System.out.println("Encoded Result:");
-                byte[] encodedData = hsout.toByteArray();
-                TestUtils.dumpBytes(encodedData);
-                // Check everything except the last 32 bytes (nonce data)
-                TestUtils.valueCheck(OCSPREQ_1RID_1EXT, encodedData, 0, 0,
-                        encodedData.length - 32);
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor that builds the ob ject using data from
-    // a HandshakeInStream
-    public static final TestCase testCtorInStream = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                ResponderId checkRid =
-                        new ResponderId(new X500Principal("CN=OCSP Signer"));
-                Extension checkExt = new OCSPNonceExtension(32);
-
-                HandshakeInStream hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(OCSPREQ_1RID_1EXT));
-                OCSPStatusRequest osr = new OCSPStatusRequest(hsis);
-
-                List<ResponderId> ridList = osr.getResponderIds();
-                List<Extension> extList = osr.getExtensions();
-
-                if (ridList.size() != 1 || !ridList.contains(checkRid)) {
-                    throw new RuntimeException("Responder list mismatch");
-                } else if (extList.size() !=  1 ||
-                        !extList.get(0).getId().equals(checkExt.getId())) {
-                    throw new RuntimeException("Extension list mismatch");
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the constructor form that takes the data from a byte array
-    public static final TestCase testCtorByteArray = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                ResponderId checkRid =
-                        new ResponderId(new X500Principal("CN=OCSP Signer"));
-                Extension checkExt = new OCSPNonceExtension(32);
-
-                OCSPStatusRequest osr =
-                        new OCSPStatusRequest(OCSPREQ_1RID_1EXT);
-
-                List<ResponderId> ridList = osr.getResponderIds();
-                List<Extension> extList = osr.getExtensions();
-
-                if (ridList.size() != 1 || !ridList.contains(checkRid)) {
-                    throw new RuntimeException("Responder list mismatch");
-                } else if (extList.size() !=  1 ||
-                        !extList.get(0).getId().equals(checkExt.getId())) {
-                    throw new RuntimeException("Extension list mismatch");
-                }
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the length functions for both default and non-default
-    // OCSPStatusRequest objects
-    public static final TestCase testLength = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                HandshakeInStream hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(OCSPREQ_1RID_1EXT));
-                OCSPStatusRequest osr = new OCSPStatusRequest(hsis);
-                OCSPStatusRequest osrDefault = new OCSPStatusRequest();
-
-                if (osrDefault.length() != DEF_OCSPREQ_BYTES.length) {
-                    throw new RuntimeException("Invalid length for default: " +
-                            "Expected" + DEF_OCSPREQ_BYTES.length +
-                            ", received " + osrDefault.length());
-                } else if (osr.length() != OCSPREQ_1RID_1EXT.length) {
-                    throw new RuntimeException("Invalid length for default: " +
-                            "Expected" + OCSPREQ_1RID_1EXT.length +
-                            ", received " + osr.length());
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test the equals method with default and non-default objects
-    public static final TestCase testEquals = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            try {
-                // Make two different lists with the same ResponderId values
-                // and also make a extension list
-                List<ResponderId> ridList1 = new LinkedList<ResponderId>() {{
-                    add(new ResponderId(new X500Principal("CN=OCSP Signer")));
-                }};
-                List<ResponderId> ridList2 = new LinkedList<ResponderId>() {{
-                    add(new ResponderId(new X500Principal("CN=OCSP Signer")));
-                }};
-                List<Extension> extList = new LinkedList<Extension>() {{
-                    add(new OCSPNonceExtension(32));
-                }};
-
-                // We expect two default OCSP objects to be equal
-                OCSPStatusRequest osrDefault = new OCSPStatusRequest();
-                if (!osrDefault.equals(new OCSPStatusRequest())) {
-                    throw new RuntimeException("Default OCSPStatusRequest" +
-                            " equality test failed");
-                }
-
-                // null test (expect false return)
-                if (osrDefault.equals(null)) {
-                    throw new RuntimeException("OCSPStatusRequest matched" +
-                            " unexpectedly");
-                }
-
-                // Self-reference test
-                OCSPStatusRequest osrSelfRef = osrDefault;
-                if (!osrDefault.equals(osrSelfRef)) {
-                    throw new RuntimeException("Default OCSPStatusRequest" +
-                            " equality test failed");
-                }
-
-                // Two OCSPStatusRequests with matching ResponderIds should
-                // be considered equal
-                OCSPStatusRequest osrByList1 =
-                        new OCSPStatusRequest(ridList1, null);
-                OCSPStatusRequest osrByList2 = new OCSPStatusRequest(ridList2,
-                        Collections.emptyList());
-                if (!osrByList1.equals(osrByList2)) {
-                    throw new RuntimeException("Single Responder ID " +
-                            "OCSPStatusRequest equality test failed");
-                }
-
-                // We expect OCSPStatusRequests with different nonces to be
-                // considered unequal.
-                HandshakeInStream hsis = new HandshakeInStream();
-                hsis.incomingRecord(ByteBuffer.wrap(OCSPREQ_1RID_1EXT));
-                OCSPStatusRequest osrStream = new OCSPStatusRequest(hsis);
-                OCSPStatusRequest osrRidExt = new OCSPStatusRequest(ridList1,
-                        extList);
-                if (osrStream.equals(osrRidExt)) {
-                    throw new RuntimeException("OCSPStatusRequest matched" +
-                            " unexpectedly");
-                }
-
-                pass = Boolean.TRUE;
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/StatusReqSelection.java	2018-05-11 15:11:59.382040000 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,899 +0,0 @@
-/*
- * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-// SunJSSE does not support dynamic system properties, no way to re-use
-// system properties in samevm/agentvm mode.
-
-// See ../../../../RunStatReqSelect.java for the jtreg header
-
-package sun.security.ssl;
-
-import javax.net.ssl.*;
-import javax.net.ssl.SSLEngineResult.*;
-import javax.security.auth.x500.X500Principal;
-import java.io.*;
-import java.math.BigInteger;
-import java.security.*;
-import java.nio.*;
-import java.security.cert.X509Certificate;
-import java.security.cert.Extension;
-import java.util.ArrayList;
-import java.util.Collections;
-import java.util.Date;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Objects;
-import java.util.concurrent.TimeUnit;
-
-import sun.security.provider.certpath.OCSPNonceExtension;
-import sun.security.provider.certpath.ResponderId;
-import sun.security.testlibrary.SimpleOCSPServer;
-import sun.security.testlibrary.CertificateBuilder;
-
-public class StatusReqSelection {
-
-    /*
-     * Enables logging of the SSLEngine operations.
-     */
-    private static final boolean logging = true;
-
-    /*
-     * Enables the JSSE system debugging system property:
-     *
-     *     -Djavax.net.debug=all
-     *
-     * This gives a lot of low-level information about operations underway,
-     * including specific handshake messages, and might be best examined
-     * after gaining some familiarity with this application.
-     */
-    private static final boolean debug = false;
-
-    // The following items are used to set up the keystores.
-    private static final String passwd = "passphrase";
-    private static final String ROOT_ALIAS = "root";
-    private static final String INT_ALIAS = "intermediate";
-    private static final String SSL_ALIAS = "ssl";
-
-    // PKI and server components we will need for this test
-    private static KeyManagerFactory kmf;
-    private static TrustManagerFactory tmf;
-    private static KeyStore rootKeystore;       // Root CA Keystore
-    private static KeyStore intKeystore;        // Intermediate CA Keystore
-    private static KeyStore serverKeystore;     // SSL Server Keystore
-    private static KeyStore trustStore;         // SSL Client trust store
-    private static SimpleOCSPServer rootOcsp;   // Root CA OCSP Responder
-    private static int rootOcspPort;            // Port for root OCSP
-    private static SimpleOCSPServer intOcsp;    // Intermediate CA OCSP server
-    private static int intOcspPort;             // Port for intermediate OCSP
-    private static SSLContext ctxStaple;        // SSLContext for all tests
-
-    // Some useful objects we will need for test purposes
-    private static final SecureRandom RNG = new SecureRandom();
-
-    // We'll be using these objects repeatedly to make hello messages
-    private static final ProtocolVersion VER_1_0 = ProtocolVersion.TLS10;
-    private static final ProtocolVersion VER_1_2 = ProtocolVersion.TLS12;
-    private static final CipherSuiteList SUITES = new CipherSuiteList(
-            CipherSuite.valueOf("TLS_RSA_WITH_AES_128_GCM_SHA256"));
-    private static final SessionId SID = new SessionId(new byte[0]);
-    private static final HelloExtension RNIEXT =
-            new RenegotiationInfoExtension(new byte[0], new byte[0]);
-    private static final List<SignatureAndHashAlgorithm> algList =
-            new ArrayList<SignatureAndHashAlgorithm>() {{
-               add(SignatureAndHashAlgorithm.valueOf(4, 1, 0));
-            }};         // List with only SHA256withRSA
-    private static final SignatureAlgorithmsExtension SIGALGEXT =
-            new SignatureAlgorithmsExtension(algList);
-
-    /*
-     * Main entry point for this test.
-     */
-    public static void main(String args[]) throws Exception {
-        int testsPassed = 0;
-
-        if (debug) {
-            System.setProperty("javax.net.debug", "ssl");
-        }
-
-        // All tests will have stapling enabled on the server side
-        System.setProperty("jdk.tls.server.enableStatusRequestExtension",
-                "true");
-
-        // Create a single SSLContext that we can use for all tests
-        ctxStaple = SSLContext.getInstance("TLS");
-
-        // Create the PKI we will use for the test and start the OCSP servers
-        createPKI();
-
-        // Set up the KeyManagerFactory and TrustManagerFactory
-        kmf = KeyManagerFactory.getInstance("PKIX");
-        kmf.init(serverKeystore, passwd.toCharArray());
-        tmf = TrustManagerFactory.getInstance("PKIX");
-        tmf.init(trustStore);
-
-        List<TestCase> testList = new ArrayList<TestCase>() {{
-            add(new TestCase("ClientHello: No stapling extensions",
-                    makeHelloNoStaplingExts(), false, false));
-            add(new TestCase("ClientHello: Default status_request only",
-                    makeDefaultStatReqOnly(), true, false));
-            add(new TestCase("ClientHello: Default status_request_v2 only",
-                    makeDefaultStatReqV2Only(), false, true));
-            add(new TestCase("ClientHello: Both status_request exts, default",
-                    makeDefaultStatReqBoth(), false, true));
-            add(new TestCase(
-                    "ClientHello: Hello with status_request and responder IDs",
-                    makeStatReqWithRid(), false, false));
-            add(new TestCase(
-                    "ClientHello: Hello with status_request using no " +
-                    "responder IDs but provides the OCSP nonce extension",
-                    makeStatReqNoRidNonce(), true, false));
-            add(new TestCase("ClientHello with default status_request and " +
-                    "status_request_v2 with ResponderIds",
-                    makeStatReqDefV2WithRid(), true, false));
-            add(new TestCase("ClientHello with default status_request and " +
-                    "status_request_v2 (OCSP_MULTI with ResponderId, " +
-                    "OCSP as a default request)",
-                    makeStatReqDefV2MultiWithRidSingleDef(), false, true));
-            add(new TestCase("ClientHello with status_request and " +
-                    "status_request_v2 and all OCSPStatusRequests use " +
-                    "Responder IDs",
-                    makeStatReqAllWithRid(), false, false));
-            add(new TestCase("ClientHello with default status_request and " +
-                    "status_request_v2 that has a default OCSP item and " +
-                    "multiple OCSP_MULTI items, only one is default",
-                    makeHelloMultiV2andSingle(), false, true));
-        }};
-
-        // Run the client and server property tests
-        for (TestCase test : testList) {
-            try {
-                log("*** Test: " + test.testName);
-                if (runTest(test)) {
-                    log("PASS: status_request: " + test.statReqEnabled +
-                            ", status_request_v2: " + test.statReqV2Enabled);
-                    testsPassed++;
-                }
-            } catch (Exception e) {
-                // If we get an exception, we'll count it as a failure
-                log("Test failure due to exception: " + e);
-            }
-            log("");
-        }
-
-        // Summary
-        if (testsPassed != testList.size()) {
-            throw new RuntimeException(testList.size() - testsPassed +
-                    " tests failed out of " + testList.size() + " total.");
-        } else {
-            log("Total tests: " + testList.size() + ", all passed");
-        }
-    }
-
-    private static boolean runTest(TestCase test) throws Exception {
-        SSLEngineResult serverResult;
-
-        // Create a Server SSLEngine to receive our customized ClientHello
-        ctxStaple.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
-        SSLEngine engine = ctxStaple.createSSLEngine();
-        engine.setUseClientMode(false);
-        engine.setNeedClientAuth(false);
-
-        SSLSession session = engine.getSession();
-        ByteBuffer serverOut = ByteBuffer.wrap("I'm a Server".getBytes());
-        ByteBuffer serverIn =
-                ByteBuffer.allocate(session.getApplicationBufferSize() + 50);
-        ByteBuffer sTOc =
-                ByteBuffer.allocateDirect(session.getPacketBufferSize());
-
-        // Send the ClientHello ByteBuffer in the test case
-        if (debug) {
-            System.out.println("Sending Client Hello:\n" +
-                    dumpHexBytes(test.data));
-        }
-
-        // Consume the client hello
-        serverResult = engine.unwrap(test.data, serverIn);
-        if (debug) {
-            log("server unwrap: ", serverResult);
-        }
-        if (serverResult.getStatus() != SSLEngineResult.Status.OK) {
-            throw new SSLException("Server unwrap got status: " +
-                    serverResult.getStatus());
-        } else if (serverResult.getHandshakeStatus() !=
-                SSLEngineResult.HandshakeStatus.NEED_TASK) {
-             throw new SSLException("Server unwrap expected NEED_TASK, got: " +
-                    serverResult.getHandshakeStatus());
-        }
-        runDelegatedTasks(serverResult, engine);
-        if (engine.getHandshakeStatus() !=
-                SSLEngineResult.HandshakeStatus.NEED_WRAP) {
-            throw new SSLException("Expected NEED_WRAP, got: " +
-                    engine.getHandshakeStatus());
-        }
-
-        // Generate a TLS record with the ServerHello
-        serverResult = engine.wrap(serverOut, sTOc);
-        if (debug) {
-            log("client wrap: ", serverResult);
-        }
-        if (serverResult.getStatus() != SSLEngineResult.Status.OK) {
-            throw new SSLException("Client wrap got status: " +
-                    serverResult.getStatus());
-        }
-        sTOc.flip();
-
-        if (debug) {
-            log("Server Response:\n" + dumpHexBytes(sTOc));
-        }
-
-        return checkServerHello(sTOc, test.statReqEnabled,
-                test.statReqV2Enabled);
-    }
-
-    /**
-     * Make a TLSv1.2 ClientHello with only RNI and no stapling extensions
-     */
-    private static ByteBuffer makeHelloNoStaplingExts() throws IOException {
-        // Craft the ClientHello byte buffer
-        HelloExtensions exts = new HelloExtensions();
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a TLSv1.2 ClientHello with the RNI and Status Request extensions
-     */
-    private static ByteBuffer makeDefaultStatReqOnly() throws IOException {
-        // Craft the ClientHello byte buffer
-        HelloExtensions exts = new HelloExtensions();
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a TLSv1.2 ClientHello with the RNI and Status Request V2 extension
-     */
-    private static ByteBuffer makeDefaultStatReqV2Only() throws IOException {
-        // Craft the ClientHello byte buffer
-        HelloExtensions exts = new HelloExtensions();
-        OCSPStatusRequest osr = new OCSPStatusRequest();
-        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                osr));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
-
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqListV2Extension(itemList));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-    /**
-     * Make a TLSv1.2 ClientHello with Status Request and Status Request V2
-     * extensions.
-     */
-    private static ByteBuffer makeDefaultStatReqBoth() throws IOException {
-        // Craft the ClientHello byte buffer
-        HelloExtensions exts = new HelloExtensions();
-        OCSPStatusRequest osr = new OCSPStatusRequest();
-        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                osr));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP, osr));
-
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-        exts.add(new CertStatusReqListV2Extension(itemList));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a ClientHello using a status_request that has a single
-     * responder ID in it.
-     */
-    private static ByteBuffer makeStatReqWithRid() throws IOException {
-        HelloExtensions exts = new HelloExtensions();
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        List<ResponderId> rids = new ArrayList<ResponderId>() {{
-            add(new ResponderId(new X500Principal("CN=Foo")));
-        }};
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(rids, null)));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a ClientHello using a status_request that has no
-     * responder IDs but does provide the nonce extension.
-     */
-    private static ByteBuffer makeStatReqNoRidNonce() throws IOException {
-        HelloExtensions exts = new HelloExtensions();
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        List<Extension> ocspExts = new ArrayList<Extension>() {{
-            add(new OCSPNonceExtension(16));
-        }};
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, ocspExts)));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a ClientHello using a default status_request and a
-     * status_request_v2 that has a single responder ID in it.
-     */
-    private static ByteBuffer makeStatReqDefV2WithRid() throws IOException {
-        HelloExtensions exts = new HelloExtensions();
-        List<ResponderId> rids = new ArrayList<ResponderId>() {{
-            add(new ResponderId(new X500Principal("CN=Foo")));
-        }};
-        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                new OCSPStatusRequest(rids, null)));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP,
-                new OCSPStatusRequest(rids, null)));
-
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-        exts.add(new CertStatusReqListV2Extension(itemList));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a ClientHello using a default status_request and a
-     * status_request_v2 that has a single responder ID in it for the
-     * OCSP_MULTI request item and a default OCSP request item.
-     */
-    private static ByteBuffer makeStatReqDefV2MultiWithRidSingleDef()
-            throws IOException {
-        HelloExtensions exts = new HelloExtensions();
-        List<ResponderId> rids = new ArrayList<ResponderId>() {{
-            add(new ResponderId(new X500Principal("CN=Foo")));
-        }};
-        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                new OCSPStatusRequest(rids, null)));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-        exts.add(new CertStatusReqListV2Extension(itemList));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a ClientHello using status_request and status_request_v2 where
-     * all underlying OCSPStatusRequests use responder IDs.
-     */
-    private static ByteBuffer makeStatReqAllWithRid() throws IOException {
-        HelloExtensions exts = new HelloExtensions();
-        List<ResponderId> rids = new ArrayList<ResponderId>() {{
-            add(new ResponderId(new X500Principal("CN=Foo")));
-        }};
-        List<CertStatusReqItemV2> itemList = new ArrayList<>(2);
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                new OCSPStatusRequest(rids, null)));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP,
-                new OCSPStatusRequest(rids, null)));
-
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(rids, null)));
-        exts.add(new CertStatusReqListV2Extension(itemList));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Make a TLSv1.2 ClientHello multiple CertStatusReqItemV2s of different
-     * types.  One of the middle items should be acceptable while the others
-     * have responder IDs.  The status_request (v1) should also be acceptable
-     * but should be overridden in favor of the status_request_v2.
-     */
-    private static ByteBuffer makeHelloMultiV2andSingle() throws IOException {
-        // Craft the ClientHello byte buffer
-        HelloExtensions exts = new HelloExtensions();
-        List<ResponderId> fooRid = Collections.singletonList(
-                new ResponderId(new X500Principal("CN=Foo")));
-        List<ResponderId> barRid = Collections.singletonList(
-                new ResponderId(new X500Principal("CN=Bar")));
-        List<CertStatusReqItemV2> itemList = new ArrayList<>();
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                new OCSPStatusRequest(fooRid, null)));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                new OCSPStatusRequest(null, null)));
-        itemList.add(new CertStatusReqItemV2(StatusRequestType.OCSP_MULTI,
-                new OCSPStatusRequest(barRid, null)));
-
-        exts.add(RNIEXT);
-        exts.add(SIGALGEXT);
-        exts.add(new CertStatusReqExtension(StatusRequestType.OCSP,
-                new OCSPStatusRequest(null, null)));
-        exts.add(new CertStatusReqListV2Extension(itemList));
-        return createTlsRecord(Record.ct_handshake, VER_1_2,
-                createClientHelloMsg(VER_1_2, SID, SUITES, exts));
-    }
-
-    /**
-     * Wrap a TLS content message into a TLS record header
-     *
-     * @param contentType a byte containing the content type value
-     * @param pv the protocol version for this record
-     * @param data a byte buffer containing the message data
-     * @return
-     */
-    private static ByteBuffer createTlsRecord(byte contentType,
-            ProtocolVersion pv, ByteBuffer data) {
-        int msgLen = (data != null) ? data.limit() : 0;
-
-        // Allocate enough space to hold the TLS record header + the message
-        ByteBuffer recordBuf = ByteBuffer.allocate(msgLen + 5);
-        recordBuf.put(contentType);
-        recordBuf.putShort((short)pv.v);
-        recordBuf.putShort((short)msgLen);
-        if (msgLen > 0) {
-            recordBuf.put(data);
-        }
-
-        recordBuf.flip();
-        return recordBuf;
-    }
-
-    /**
-     * Craft and encode a ClientHello message as a byte array.
-     *
-     * @param pv the protocol version asserted in the hello message.
-     * @param sessId the session ID for this hello message.
-     * @param suites a list consisting of one or more cipher suite objects
-     * @param extensions a list of HelloExtension objects
-     *
-     * @return a byte array containing the encoded ClientHello message.
-     */
-    private static ByteBuffer createClientHelloMsg(ProtocolVersion pv,
-            SessionId sessId, CipherSuiteList suites,
-            HelloExtensions extensions) throws IOException {
-        ByteBuffer msgBuf;
-
-        HandshakeOutStream hsos =
-                new HandshakeOutStream(new SSLEngineOutputRecord());
-
-        // Construct the client hello object from the first 3 parameters
-        HandshakeMessage.ClientHello cHello =
-                new HandshakeMessage.ClientHello(RNG, pv, sessId, suites,
-                        false);
-
-        // Use the HelloExtensions provided by the caller
-        if (extensions != null) {
-            cHello.extensions = extensions;
-        }
-
-        cHello.send(hsos);
-        msgBuf = ByteBuffer.allocate(hsos.size() + 4);
-
-        // Combine the handshake type with the length
-        msgBuf.putInt((HandshakeMessage.ht_client_hello << 24) |
-                (hsos.size() & 0x00FFFFFF));
-        msgBuf.put(hsos.toByteArray());
-        msgBuf.flip();
-        return msgBuf;
-    }
-
-    /*
-     * If the result indicates that we have outstanding tasks to do,
-     * go ahead and run them in this thread.
-     */
-    private static void runDelegatedTasks(SSLEngineResult result,
-            SSLEngine engine) throws Exception {
-
-        if (result.getHandshakeStatus() == HandshakeStatus.NEED_TASK) {
-            Runnable runnable;
-            while ((runnable = engine.getDelegatedTask()) != null) {
-                if (debug) {
-                    log("\trunning delegated task...");
-                }
-                runnable.run();
-            }
-            HandshakeStatus hsStatus = engine.getHandshakeStatus();
-            if (hsStatus == HandshakeStatus.NEED_TASK) {
-                throw new Exception(
-                    "handshake shouldn't need additional tasks");
-            }
-            if (debug) {
-                log("\tnew HandshakeStatus: " + hsStatus);
-            }
-        }
-    }
-
-    private static void log(String str, SSLEngineResult result) {
-        if (!logging) {
-            return;
-        }
-        HandshakeStatus hsStatus = result.getHandshakeStatus();
-        log(str +
-            result.getStatus() + "/" + hsStatus + ", " +
-            result.bytesConsumed() + "/" + result.bytesProduced() +
-            " bytes");
-        if (hsStatus == HandshakeStatus.FINISHED) {
-            log("\t...ready for application data");
-        }
-    }
-
-    private static void log(String str) {
-        if (logging) {
-            System.out.println(str);
-        }
-    }
-
-    /**
-     * Dump a ByteBuffer as a hexdump to stdout.  The dumping routine will
-     * start at the current position of the buffer and run to its limit.
-     * After completing the dump, the position will be returned to its
-     * starting point.
-     *
-     * @param data the ByteBuffer to dump to stdout.
-     *
-     * @return the hexdump of the byte array.
-     */
-    private static String dumpHexBytes(ByteBuffer data) {
-        StringBuilder sb = new StringBuilder();
-        if (data != null) {
-            int i = 0;
-            data.mark();
-            while (data.hasRemaining()) {
-                if (i % 16 == 0 && i != 0) {
-                    sb.append("\n");
-                }
-                sb.append(String.format("%02X ", data.get()));
-                i++;
-            }
-            data.reset();
-        }
-
-        return sb.toString();
-    }
-
-    /**
-     * Tests the ServerHello for the presence (or not) of the status_request
-     * or status_request_v2 hello extension.  It is assumed that the provided
-     * ByteBuffer has its position set at the first byte of the TLS record
-     * containing the ServerHello and contains the entire hello message.  Upon
-     * successful completion of this method the ByteBuffer will have its
-     * position reset to the initial offset in the buffer.  If an exception is
-     * thrown the position at the time of the exception will be preserved.
-     *
-     * @param statReqPresent true if the status_request hello extension should
-     * be present.
-     * @param statReqV2Present true if the status_request_v2 hello extension
-     * should be present.
-     *
-     * @return true if the ServerHello's extension set matches the presence
-     *      booleans for status_request and status_request_v2.  False if
-     *      not, or if the TLS record or message is of the wrong type.
-     */
-    private static boolean checkServerHello(ByteBuffer data,
-            boolean statReqPresent, boolean statReqV2Present) {
-        boolean hasV1 = false;
-        boolean hasV2 = false;
-        Objects.requireNonNull(data);
-        int startPos = data.position();
-        data.mark();
-
-        // Process the TLS record header
-        int type = Byte.toUnsignedInt(data.get());
-        int ver_major = Byte.toUnsignedInt(data.get());
-        int ver_minor = Byte.toUnsignedInt(data.get());
-        int recLen = Short.toUnsignedInt(data.getShort());
-
-        // Simple sanity checks
-        if (type != 22) {
-            log("Not a handshake: Type = " + type);
-            return false;
-        } else if (recLen > data.remaining()) {
-            log("Incomplete record in buffer: Record length = " + recLen +
-                    ", Remaining = " + data.remaining());
-            return false;
-        }
-
-        // Grab the handshake message header.
-        int msgHdr = data.getInt();
-        int msgType = (msgHdr >> 24) & 0x000000FF;
-        int msgLen = msgHdr & 0x00FFFFFF;
-
-        // More simple sanity checks
-        if (msgType != 2) {
-            log("Not a ServerHello: Type = " + msgType);
-            return false;
-        }
-
-        // Skip over the protocol version and server random
-        data.position(data.position() + 34);
-
-        // Jump past the session ID
-        int sessLen = Byte.toUnsignedInt(data.get());
-        if (sessLen != 0) {
-            data.position(data.position() + sessLen);
-        }
-
-        // Skip the cipher suite and compression method
-        data.position(data.position() + 3);
-
-        // Go through the extensions and look for the request extension
-        // expected by the caller.
-        int extsLen = Short.toUnsignedInt(data.getShort());
-        while (data.position() < recLen + startPos + 5) {
-            int extType = Short.toUnsignedInt(data.getShort());
-            int extLen = Short.toUnsignedInt(data.getShort());
-            hasV1 |= (extType == ExtensionType.EXT_STATUS_REQUEST.id);
-            hasV2 |= (extType == ExtensionType.EXT_STATUS_REQUEST_V2.id);
-            data.position(data.position() + extLen);
-        }
-
-        if (hasV1 != statReqPresent) {
-            log("The status_request extension is " +
-                    "inconsistent with the expected result: expected = " +
-                    statReqPresent + ", actual = " + hasV1);
-        }
-        if (hasV2 != statReqV2Present) {
-            log("The status_request_v2 extension is " +
-                    "inconsistent with the expected result: expected = " +
-                    statReqV2Present + ", actual = " + hasV2);
-        }
-
-        // Reset the position to the initial spot at the start of this method.
-        data.reset();
-
-        return ((hasV1 == statReqPresent) && (hasV2 == statReqV2Present));
-    }
-
-    /**
-     * Creates the PKI components necessary for this test, including
-     * Root CA, Intermediate CA and SSL server certificates, the keystores
-     * for each entity, a client trust store, and starts the OCSP responders.
-     */
-    private static void createPKI() throws Exception {
-        CertificateBuilder cbld = new CertificateBuilder();
-        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-        keyGen.initialize(2048);
-        KeyStore.Builder keyStoreBuilder =
-                KeyStore.Builder.newInstance("PKCS12", null,
-                        new KeyStore.PasswordProtection(passwd.toCharArray()));
-
-        // Generate Root, IntCA, EE keys
-        KeyPair rootCaKP = keyGen.genKeyPair();
-        log("Generated Root CA KeyPair");
-        KeyPair intCaKP = keyGen.genKeyPair();
-        log("Generated Intermediate CA KeyPair");
-        KeyPair sslKP = keyGen.genKeyPair();
-        log("Generated SSL Cert KeyPair");
-
-        // Set up the Root CA Cert
-        cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
-        cbld.setPublicKey(rootCaKP.getPublic());
-        cbld.setSerialNumber(new BigInteger("1"));
-        // Make a 3 year validity starting from 60 days ago
-        long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
-        long end = start + TimeUnit.DAYS.toMillis(1085);
-        cbld.setValidity(new Date(start), new Date(end));
-        addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
-        addCommonCAExts(cbld);
-        // Make our Root CA Cert!
-        X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(),
-                "SHA256withRSA");
-        log("Root CA Created:\n" + certInfo(rootCert));
-
-        // Now build a keystore and add the keys and cert
-        rootKeystore = keyStoreBuilder.getKeyStore();
-        java.security.cert.Certificate[] rootChain = {rootCert};
-        rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
-                passwd.toCharArray(), rootChain);
-
-        // Now fire up the OCSP responder
-        rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
-        rootOcsp.enableLog(debug);
-        rootOcsp.setNextUpdateInterval(3600);
-        rootOcsp.start();
-
-        // Wait 5 seconds for server ready
-        for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
-            Thread.sleep(50);
-        }
-        if (!rootOcsp.isServerReady()) {
-            throw new RuntimeException("Server not ready yet");
-        }
-
-        rootOcspPort = rootOcsp.getPort();
-        String rootRespURI = "http://localhost:" + rootOcspPort;
-        log("Root OCSP Responder URI is " + rootRespURI);
-
-        // Now that we have the root keystore and OCSP responder we can
-        // create our intermediate CA.
-        cbld.reset();
-        cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany");
-        cbld.setPublicKey(intCaKP.getPublic());
-        cbld.setSerialNumber(new BigInteger("100"));
-        // Make a 2 year validity starting from 30 days ago
-        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30);
-        end = start + TimeUnit.DAYS.toMillis(730);
-        cbld.setValidity(new Date(start), new Date(end));
-        addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic());
-        addCommonCAExts(cbld);
-        cbld.addAIAExt(Collections.singletonList(rootRespURI));
-        // Make our Intermediate CA Cert!
-        X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(),
-                "SHA256withRSA");
-        log("Intermediate CA Created:\n" + certInfo(intCaCert));
-
-        // Provide intermediate CA cert revocation info to the Root CA
-        // OCSP responder.
-        Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
-            new HashMap<>();
-        revInfo.put(intCaCert.getSerialNumber(),
-                new SimpleOCSPServer.CertStatusInfo(
-                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
-        rootOcsp.updateStatusDb(revInfo);
-
-        // Now build a keystore and add the keys, chain and root cert as a TA
-        intKeystore = keyStoreBuilder.getKeyStore();
-        java.security.cert.Certificate[] intChain = {intCaCert, rootCert};
-        intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(),
-                passwd.toCharArray(), intChain);
-        intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
-
-        // Now fire up the Intermediate CA OCSP responder
-        intOcsp = new SimpleOCSPServer(intKeystore, passwd,
-                INT_ALIAS, null);
-        intOcsp.enableLog(debug);
-        intOcsp.setNextUpdateInterval(3600);
-        intOcsp.start();
-
-        // Wait 5 seconds for server ready
-        for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
-            Thread.sleep(50);
-        }
-        if (!intOcsp.isServerReady()) {
-            throw new RuntimeException("Server not ready yet");
-        }
-
-        intOcspPort = intOcsp.getPort();
-        String intCaRespURI = "http://localhost:" + intOcspPort;
-        log("Intermediate CA OCSP Responder URI is " + intCaRespURI);
-
-        // Last but not least, let's make our SSLCert and add it to its own
-        // Keystore
-        cbld.reset();
-        cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
-        cbld.setPublicKey(sslKP.getPublic());
-        cbld.setSerialNumber(new BigInteger("4096"));
-        // Make a 1 year validity starting from 7 days ago
-        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
-        end = start + TimeUnit.DAYS.toMillis(365);
-        cbld.setValidity(new Date(start), new Date(end));
-
-        // Add extensions
-        addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic());
-        boolean[] kuBits = {true, false, true, false, false, false,
-            false, false, false};
-        cbld.addKeyUsageExt(kuBits);
-        List<String> ekuOids = new ArrayList<>();
-        ekuOids.add("1.3.6.1.5.5.7.3.1");
-        ekuOids.add("1.3.6.1.5.5.7.3.2");
-        cbld.addExtendedKeyUsageExt(ekuOids);
-        cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
-        cbld.addAIAExt(Collections.singletonList(intCaRespURI));
-        // Make our SSL Server Cert!
-        X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(),
-                "SHA256withRSA");
-        log("SSL Certificate Created:\n" + certInfo(sslCert));
-
-        // Provide SSL server cert revocation info to the Intermeidate CA
-        // OCSP responder.
-        revInfo = new HashMap<>();
-        revInfo.put(sslCert.getSerialNumber(),
-                new SimpleOCSPServer.CertStatusInfo(
-                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
-        intOcsp.updateStatusDb(revInfo);
-
-        // Now build a keystore and add the keys, chain and root cert as a TA
-        serverKeystore = keyStoreBuilder.getKeyStore();
-        java.security.cert.Certificate[] sslChain = {sslCert, intCaCert, rootCert};
-        serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(),
-                passwd.toCharArray(), sslChain);
-        serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
-
-        // And finally a Trust Store for the client
-        trustStore = keyStoreBuilder.getKeyStore();
-        trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
-    }
-
-    private static void addCommonExts(CertificateBuilder cbld,
-            PublicKey subjKey, PublicKey authKey) throws IOException {
-        cbld.addSubjectKeyIdExt(subjKey);
-        cbld.addAuthorityKeyIdExt(authKey);
-    }
-
-    private static void addCommonCAExts(CertificateBuilder cbld)
-            throws IOException {
-        cbld.addBasicConstraintsExt(true, true, -1);
-        // Set key usage bits for digitalSignature, keyCertSign and cRLSign
-        boolean[] kuBitSettings = {true, false, false, false, false, true,
-            true, false, false};
-        cbld.addKeyUsageExt(kuBitSettings);
-    }
-
-    /**
-     * Helper routine that dumps only a few cert fields rather than
-     * the whole toString() output.
-     *
-     * @param cert an X509Certificate to be displayed
-     *
-     * @return the String output of the issuer, subject and
-     * serial number
-     */
-    private static String certInfo(X509Certificate cert) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
-                append("\n");
-        sb.append("Subject: ").append(cert.getSubjectX500Principal()).
-                append("\n");
-        sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
-        return sb.toString();
-    }
-
-    private static class TestCase {
-        public final String testName;
-        public final ByteBuffer data;
-        public final boolean statReqEnabled;
-        public final boolean statReqV2Enabled;
-
-        TestCase(String name, ByteBuffer buffer, boolean srEn, boolean srv2En) {
-            testName = (name != null) ? name : "";
-            data = Objects.requireNonNull(buffer,
-                    "TestCase requires a non-null ByteBuffer");
-            statReqEnabled = srEn;
-            statReqV2Enabled = srv2En;
-        }
-    }
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/StatusResponseManagerTests.java	2018-05-11 15:12:00.430167500 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,460 +0,0 @@
-/*
- * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.io.IOException;
-import java.math.BigInteger;
-import java.security.cert.*;
-import java.util.*;
-import java.security.KeyPair;
-import java.security.KeyPairGenerator;
-import java.security.KeyStore;
-import java.security.PublicKey;
-import java.util.concurrent.TimeUnit;
-
-import sun.security.testlibrary.SimpleOCSPServer;
-import sun.security.testlibrary.CertificateBuilder;
-
-/*
- * Checks that the hash value for a certificate's issuer name is generated
- * correctly. Requires any certificate that is not self-signed.
- *
- * NOTE: this test uses Sun private classes which are subject to change.
- */
-public class StatusResponseManagerTests {
-
-    private static final boolean debug = true;
-    private static final boolean ocspDebug = false;
-
-    // PKI components we will need for this test
-    static String passwd = "passphrase";
-    static String ROOT_ALIAS = "root";
-    static String INT_ALIAS = "intermediate";
-    static String SSL_ALIAS = "ssl";
-    static KeyStore rootKeystore;           // Root CA Keystore
-    static KeyStore intKeystore;            // Intermediate CA Keystore
-    static KeyStore serverKeystore;         // SSL Server Keystore
-    static KeyStore trustStore;             // SSL Client trust store
-    static X509Certificate rootCert;
-    static X509Certificate intCert;
-    static X509Certificate sslCert;
-    static SimpleOCSPServer rootOcsp;       // Root CA OCSP Responder
-    static int rootOcspPort;                // Port number for root OCSP
-    static SimpleOCSPServer intOcsp;        // Intermediate CA OCSP Responder
-    static int intOcspPort;                 // Port number for intermed. OCSP
-
-    static X509Certificate[] chain;
-
-    public static void main(String[] args) throws Exception {
-        Map<String, TestCase> testList =
-                new LinkedHashMap<String, TestCase>() {{
-            put("Basic OCSP fetch test", testOcspFetch);
-            put("Clear StatusResponseManager cache", testClearSRM);
-            put("Basic OCSP_MULTI fetch test", testOcspMultiFetch);
-            put("Test Cache Expiration", testCacheExpiry);
-        }};
-
-        // Create the CAs and OCSP responders
-        createPKI();
-
-        // Grab the certificates and make a chain we can reuse for tests
-        sslCert = (X509Certificate)serverKeystore.getCertificate(SSL_ALIAS);
-        intCert = (X509Certificate)intKeystore.getCertificate(INT_ALIAS);
-        rootCert = (X509Certificate)rootKeystore.getCertificate(ROOT_ALIAS);
-        chain = new X509Certificate[3];
-        chain[0] = sslCert;
-        chain[1] = intCert;
-        chain[2] = rootCert;
-
-        TestUtils.runTests(testList);
-
-        intOcsp.stop();
-        rootOcsp.stop();
-    }
-
-    // Test a simple RFC 6066 server-side fetch
-    public static final TestCase testOcspFetch = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            StatusResponseManager srm = new StatusResponseManager();
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            StatusRequest oReq = new OCSPStatusRequest();
-
-            try {
-                // Get OCSP responses for non-root certs in the chain
-                Map<X509Certificate, byte[]> responseMap = srm.get(
-                        StatusRequestType.OCSP, oReq, chain, 5000,
-                        TimeUnit.MILLISECONDS);
-
-                // There should be one entry in the returned map and
-                // one entry in the cache when the operation is complete.
-                if (responseMap.size() != 1) {
-                    message = "Incorrect number of responses: expected 1, got "
-                            + responseMap.size();
-                } else if (!responseMap.containsKey(sslCert)) {
-                    message = "Response map key is incorrect, expected " +
-                            sslCert.getSubjectX500Principal().toString();
-                } else if (srm.size() != 1) {
-                    message = "Incorrect number of cache entries: " +
-                            "expected 1, got " + srm.size();
-                } else {
-                    pass = Boolean.TRUE;
-                }
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test clearing the StatusResponseManager cache.
-    public static final TestCase testClearSRM = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            StatusResponseManager srm = new StatusResponseManager();
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            StatusRequest oReq = new OCSPStatusRequest();
-
-            try {
-                // Get OCSP responses for non-root certs in the chain
-                srm.get(StatusRequestType.OCSP_MULTI, oReq, chain, 5000,
-                        TimeUnit.MILLISECONDS);
-
-                // There should be two entries in the returned map and
-                // two entries in the cache when the operation is complete.
-                if (srm.size() != 2) {
-                    message = "Incorrect number of responses: expected 2, got "
-                            + srm.size();
-                } else {
-                    // Next, clear the SRM, then check the size again
-                    srm.clear();
-                    if (srm.size() != 0) {
-                        message = "Incorrect number of responses: expected 0," +
-                                " got " + srm.size();
-                    } else {
-                        pass = Boolean.TRUE;
-                    }
-                }
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test a simple RFC 6961 server-side fetch
-    public static final TestCase testOcspMultiFetch = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            StatusResponseManager srm = new StatusResponseManager();
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            StatusRequest oReq = new OCSPStatusRequest();
-
-            try {
-                // Get OCSP responses for non-root certs in the chain
-                Map<X509Certificate, byte[]> responseMap = srm.get(
-                        StatusRequestType.OCSP_MULTI, oReq, chain, 5000,
-                        TimeUnit.MILLISECONDS);
-
-                // There should be two entries in the returned map and
-                // two entries in the cache when the operation is complete.
-                if (responseMap.size() != 2) {
-                    message = "Incorrect number of responses: expected 2, got "
-                            + responseMap.size();
-                } else if (!responseMap.containsKey(sslCert) ||
-                        !responseMap.containsKey(intCert)) {
-                    message = "Response map keys are incorrect, expected " +
-                            sslCert.getSubjectX500Principal().toString() +
-                            " and " +
-                            intCert.getSubjectX500Principal().toString();
-                } else if (srm.size() != 2) {
-                    message = "Incorrect number of cache entries: " +
-                            "expected 2, got " + srm.size();
-                } else {
-                    pass = Boolean.TRUE;
-                }
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    // Test cache expiration
-    public static final TestCase testCacheExpiry = new TestCase() {
-        @Override
-        public Map.Entry<Boolean, String> runTest() {
-            // For this test, we will set the cache expiry to 5 seconds
-            System.setProperty("jdk.tls.stapling.cacheLifetime", "5");
-            StatusResponseManager srm = new StatusResponseManager();
-            Boolean pass = Boolean.FALSE;
-            String message = null;
-            StatusRequest oReq = new OCSPStatusRequest();
-
-            try {
-                // Get OCSP responses for non-root certs in the chain
-                srm.get(StatusRequestType.OCSP_MULTI, oReq, chain, 5000,
-                        TimeUnit.MILLISECONDS);
-
-                // There should be two entries in the returned map and
-                // two entries in the cache when the operation is complete.
-                if (srm.size() != 2) {
-                    message = "Incorrect number of responses: expected 2, got "
-                            + srm.size();
-                } else {
-                    // Next, wait for more than 5 seconds so the responses
-                    // in the SRM will expire.
-                    Thread.sleep(7000);
-                    if (srm.size() != 0) {
-                        message = "Incorrect number of responses: expected 0," +
-                                " got " + srm.size();
-                    } else {
-                        pass = Boolean.TRUE;
-                    }
-                }
-            } catch (Exception e) {
-                e.printStackTrace(System.out);
-                message = e.getClass().getName();
-            }
-
-            // Set the cache lifetime back to the default
-            System.setProperty("jdk.tls.stapling.cacheLifetime", "");
-            return new AbstractMap.SimpleEntry<>(pass, message);
-        }
-    };
-
-    /**
-     * Creates the PKI components necessary for this test, including
-     * Root CA, Intermediate CA and SSL server certificates, the keystores
-     * for each entity, a client trust store, and starts the OCSP responders.
-     */
-    private static void createPKI() throws Exception {
-        CertificateBuilder cbld = new CertificateBuilder();
-        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
-        keyGen.initialize(2048);
-        KeyStore.Builder keyStoreBuilder =
-                KeyStore.Builder.newInstance("PKCS12", null,
-                        new KeyStore.PasswordProtection(passwd.toCharArray()));
-
-        // Generate Root, IntCA, EE keys
-        KeyPair rootCaKP = keyGen.genKeyPair();
-        log("Generated Root CA KeyPair");
-        KeyPair intCaKP = keyGen.genKeyPair();
-        log("Generated Intermediate CA KeyPair");
-        KeyPair sslKP = keyGen.genKeyPair();
-        log("Generated SSL Cert KeyPair");
-
-        // Set up the Root CA Cert
-        cbld.setSubjectName("CN=Root CA Cert, O=SomeCompany");
-        cbld.setPublicKey(rootCaKP.getPublic());
-        cbld.setSerialNumber(new BigInteger("1"));
-        // Make a 3 year validity starting from 60 days ago
-        long start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(60);
-        long end = start + TimeUnit.DAYS.toMillis(1085);
-        cbld.setValidity(new Date(start), new Date(end));
-        addCommonExts(cbld, rootCaKP.getPublic(), rootCaKP.getPublic());
-        addCommonCAExts(cbld);
-        // Make our Root CA Cert!
-        X509Certificate rootCert = cbld.build(null, rootCaKP.getPrivate(),
-                "SHA256withRSA");
-        log("Root CA Created:\n" + certInfo(rootCert));
-
-        // Now build a keystore and add the keys and cert
-        rootKeystore = keyStoreBuilder.getKeyStore();
-        Certificate[] rootChain = {rootCert};
-        rootKeystore.setKeyEntry(ROOT_ALIAS, rootCaKP.getPrivate(),
-                passwd.toCharArray(), rootChain);
-
-        // Now fire up the OCSP responder
-        rootOcsp = new SimpleOCSPServer(rootKeystore, passwd, ROOT_ALIAS, null);
-        rootOcsp.enableLog(ocspDebug);
-        rootOcsp.setNextUpdateInterval(3600);
-        rootOcsp.start();
-
-        // Wait 5 seconds for server ready
-        for (int i = 0; (i < 100 && !rootOcsp.isServerReady()); i++) {
-            Thread.sleep(50);
-        }
-        if (!rootOcsp.isServerReady()) {
-            throw new RuntimeException("Server not ready yet");
-        }
-
-        rootOcspPort = rootOcsp.getPort();
-        String rootRespURI = "http://localhost:" + rootOcspPort;
-        log("Root OCSP Responder URI is " + rootRespURI);
-
-        // Now that we have the root keystore and OCSP responder we can
-        // create our intermediate CA.
-        cbld.reset();
-        cbld.setSubjectName("CN=Intermediate CA Cert, O=SomeCompany");
-        cbld.setPublicKey(intCaKP.getPublic());
-        cbld.setSerialNumber(new BigInteger("100"));
-        // Make a 2 year validity starting from 30 days ago
-        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(30);
-        end = start + TimeUnit.DAYS.toMillis(730);
-        cbld.setValidity(new Date(start), new Date(end));
-        addCommonExts(cbld, intCaKP.getPublic(), rootCaKP.getPublic());
-        addCommonCAExts(cbld);
-        cbld.addAIAExt(Collections.singletonList(rootRespURI));
-        // Make our Intermediate CA Cert!
-        X509Certificate intCaCert = cbld.build(rootCert, rootCaKP.getPrivate(),
-                "SHA256withRSA");
-        log("Intermediate CA Created:\n" + certInfo(intCaCert));
-
-        // Provide intermediate CA cert revocation info to the Root CA
-        // OCSP responder.
-        Map<BigInteger, SimpleOCSPServer.CertStatusInfo> revInfo =
-            new HashMap<>();
-        revInfo.put(intCaCert.getSerialNumber(),
-                new SimpleOCSPServer.CertStatusInfo(
-                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
-        rootOcsp.updateStatusDb(revInfo);
-
-        // Now build a keystore and add the keys, chain and root cert as a TA
-        intKeystore = keyStoreBuilder.getKeyStore();
-        Certificate[] intChain = {intCaCert, rootCert};
-        intKeystore.setKeyEntry(INT_ALIAS, intCaKP.getPrivate(),
-                passwd.toCharArray(), intChain);
-        intKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
-
-        // Now fire up the Intermediate CA OCSP responder
-        intOcsp = new SimpleOCSPServer(intKeystore, passwd,
-                INT_ALIAS, null);
-        intOcsp.enableLog(ocspDebug);
-        intOcsp.setNextUpdateInterval(3600);
-        intOcsp.start();
-
-        // Wait 5 seconds for server ready
-        for (int i = 0; (i < 100 && !intOcsp.isServerReady()); i++) {
-            Thread.sleep(50);
-        }
-        if (!intOcsp.isServerReady()) {
-            throw new RuntimeException("Server not ready yet");
-        }
-
-        intOcspPort = intOcsp.getPort();
-        String intCaRespURI = "http://localhost:" + intOcspPort;
-        log("Intermediate CA OCSP Responder URI is " + intCaRespURI);
-
-        // Last but not least, let's make our SSLCert and add it to its own
-        // Keystore
-        cbld.reset();
-        cbld.setSubjectName("CN=SSLCertificate, O=SomeCompany");
-        cbld.setPublicKey(sslKP.getPublic());
-        cbld.setSerialNumber(new BigInteger("4096"));
-        // Make a 1 year validity starting from 7 days ago
-        start = System.currentTimeMillis() - TimeUnit.DAYS.toMillis(7);
-        end = start + TimeUnit.DAYS.toMillis(365);
-        cbld.setValidity(new Date(start), new Date(end));
-
-        // Add extensions
-        addCommonExts(cbld, sslKP.getPublic(), intCaKP.getPublic());
-        boolean[] kuBits = {true, false, true, false, false, false,
-            false, false, false};
-        cbld.addKeyUsageExt(kuBits);
-        List<String> ekuOids = new ArrayList<>();
-        ekuOids.add("1.3.6.1.5.5.7.3.1");
-        ekuOids.add("1.3.6.1.5.5.7.3.2");
-        cbld.addExtendedKeyUsageExt(ekuOids);
-        cbld.addSubjectAltNameDNSExt(Collections.singletonList("localhost"));
-        cbld.addAIAExt(Collections.singletonList(intCaRespURI));
-        // Make our SSL Server Cert!
-        X509Certificate sslCert = cbld.build(intCaCert, intCaKP.getPrivate(),
-                "SHA256withRSA");
-        log("SSL Certificate Created:\n" + certInfo(sslCert));
-
-        // Provide SSL server cert revocation info to the Intermeidate CA
-        // OCSP responder.
-        revInfo = new HashMap<>();
-        revInfo.put(sslCert.getSerialNumber(),
-                new SimpleOCSPServer.CertStatusInfo(
-                        SimpleOCSPServer.CertStatus.CERT_STATUS_GOOD));
-        intOcsp.updateStatusDb(revInfo);
-
-        // Now build a keystore and add the keys, chain and root cert as a TA
-        serverKeystore = keyStoreBuilder.getKeyStore();
-        Certificate[] sslChain = {sslCert, intCaCert, rootCert};
-        serverKeystore.setKeyEntry(SSL_ALIAS, sslKP.getPrivate(),
-                passwd.toCharArray(), sslChain);
-        serverKeystore.setCertificateEntry(ROOT_ALIAS, rootCert);
-
-        // And finally a Trust Store for the client
-        trustStore = keyStoreBuilder.getKeyStore();
-        trustStore.setCertificateEntry(ROOT_ALIAS, rootCert);
-    }
-
-    private static void addCommonExts(CertificateBuilder cbld,
-            PublicKey subjKey, PublicKey authKey) throws IOException {
-        cbld.addSubjectKeyIdExt(subjKey);
-        cbld.addAuthorityKeyIdExt(authKey);
-    }
-
-    private static void addCommonCAExts(CertificateBuilder cbld)
-            throws IOException {
-        cbld.addBasicConstraintsExt(true, true, -1);
-        // Set key usage bits for digitalSignature, keyCertSign and cRLSign
-        boolean[] kuBitSettings = {true, false, false, false, false, true,
-            true, false, false};
-        cbld.addKeyUsageExt(kuBitSettings);
-    }
-
-    /**
-     * Helper routine that dumps only a few cert fields rather than
-     * the whole toString() output.
-     *
-     * @param cert An X509Certificate to be displayed
-     *
-     * @return The {@link String} output of the issuer, subject and
-     * serial number
-     */
-    private static String certInfo(X509Certificate cert) {
-        StringBuilder sb = new StringBuilder();
-        sb.append("Issuer: ").append(cert.getIssuerX500Principal()).
-                append("\n");
-        sb.append("Subject: ").append(cert.getSubjectX500Principal()).
-                append("\n");
-        sb.append("Serial: ").append(cert.getSerialNumber()).append("\n");
-        return sb.toString();
-    }
-
-    /**
-     * Log a message on stdout
-     *
-     * @param message The message to log
-     */
-    private static void log(String message) {
-        if (debug) {
-            System.out.println(message);
-        }
-    }
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/TestCase.java	2018-05-11 15:12:01.447399100 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,30 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.util.Map;
-
-public interface TestCase {
-    Map.Entry<Boolean, String> runTest();
-}
--- old/test/jdk/sun/security/ssl/StatusStapling/java.base/sun/security/ssl/TestUtils.java	2018-05-11 15:12:02.461859400 -0700
+++ /dev/null	2018-05-11 10:42:23.849000000 -0700
@@ -1,124 +0,0 @@
-/*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.security.ssl;
-
-import java.nio.ByteBuffer;
-import java.util.Arrays;
-import java.util.Map;
-
-public class TestUtils {
-
-    // private constructor to prevent instantiation for this utility class
-    private TestUtils() {
-        throw new AssertionError();
-    }
-
-    public static void runTests(Map<String, TestCase> testList) {
-        int testNo = 0;
-        int numberFailed = 0;
-        Map.Entry<Boolean, String> result;
-
-        System.out.println("============ Tests ============");
-        for (String testName : testList.keySet()) {
-            System.out.println("Test " + ++testNo + ": " + testName);
-            result = testList.get(testName).runTest();
-            System.out.print("Result: " + (result.getKey() ? "PASS" : "FAIL"));
-            System.out.println(" " +
-                    (result.getValue() != null ? result.getValue() : ""));
-            System.out.println("-------------------------------------------");
-            if (!result.getKey()) {
-                numberFailed++;
-            }
-        }
-
-        System.out.println("End Results: " + (testList.size() - numberFailed) +
-                " Passed" + ", " + numberFailed + " Failed.");
-        if (numberFailed > 0) {
-            throw new RuntimeException(
-                    "One or more tests failed, see test output for details");
-        }
-    }
-
-    public static void dumpBytes(byte[] data) {
-        dumpBytes(ByteBuffer.wrap(data));
-    }
-
-    public static void dumpBytes(ByteBuffer data) {
-        int i = 0;
-
-        data.mark();
-        while (data.hasRemaining()) {
-            if (i % 16 == 0 && i != 0) {
-                System.out.print("\n");
-            }
-            System.out.print(String.format("%02X ", data.get()));
-            i++;
-        }
-        System.out.print("\n");
-        data.reset();
-    }
-
-    public static void valueCheck(byte[] array1, byte[] array2) {
-        if (!Arrays.equals(array1, array2)) {
-            throw new RuntimeException("Array mismatch");
-        }
-    }
-
-    // Compares a range of bytes at specific offsets in each array
-    public static void valueCheck(byte[] array1, byte[] array2, int skip1,
-            int skip2, int length) {
-        ByteBuffer buf1 = ByteBuffer.wrap(array1);
-        ByteBuffer buf2 = ByteBuffer.wrap(array2);
-
-        // Skip past however many bytes are requested in both buffers
-        buf1.position(skip1);
-        buf2.position(skip2);
-
-        // Reset the limits on each buffer to account for the length
-        buf1.limit(buf1.position() + length);
-        buf2.limit(buf2.position() + length);
-
-        if (!buf1.equals(buf2)) {
-            throw new RuntimeException("Array range mismatch");
-        }
-    }
-
-    // Concatenate 1 or more arrays
-    public static byte[] gatherBuffers(byte[]... arrays) {
-        int totalLength = 0;
-        for (byte[] ar : arrays) {
-            totalLength += ar != null ? ar.length : 0;
-        }
-
-        byte[] resultBuf = new byte[totalLength];
-        int offset = 0;
-        for (byte[] ar : arrays) {
-            if (ar != null) {
-                System.arraycopy(ar, 0, resultBuf, offset, ar.length);
-                offset += ar.length;
-            }
-        }
-        return resultBuf;
-    }
-}