--- java.security +++ java.security @@ -699,7 +700,8 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ # It is not guaranteed to be examined and used by other implementations. # # Example: -# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 +# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048, \ +# rsa_pkcs1_sha1, secp224r1 jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ EC keySize < 224, 3DES_EDE_CBC, anon, NULL --- DHKeyExchange.java +++ DHKeyExchange.java @@ -85,11 +85,7 @@ static DHECredentials valueOf(NamedGroup ng, return null; } - DHParameterSpec params = (DHParameterSpec)ng.getParameterSpec(); - if (params == null) { - return null; - } - + DHParameterSpec params = (DHParameterSpec)ng.keAlgParamSpec; KeyFactory kf = KeyFactory.getInstance("DiffieHellman"); DHPublicKeySpec spec = new DHPublicKeySpec( new BigInteger(1, encodedPublic), @@ -110,9 +106,7 @@ static DHECredentials valueOf(NamedGroup ng, try { KeyPairGenerator kpg = KeyPairGenerator.getInstance("DiffieHellman"); - DHParameterSpec params = - (DHParameterSpec)namedGroup.getParameterSpec(); - kpg.initialize(params, random); + kpg.initialize(namedGroup.keAlgParamSpec, random); KeyPair kp = generateDHKeyPair(kpg); if (kp == null) { throw new RuntimeException("Could not generate DH keypair"); --- SupportedGroupsExtension.java +++ SupportedGroupsExtension.java @@ -190,7 +185,7 @@ public String toString(ByteBuffer buffer) { if (!group.isEmpty()) { NamedGroup namedGroup = NamedGroup.nameOf(group); if (namedGroup != null) { - if (isAvailableGroup(namedGroup)) { + if (namedGroup.isAvailable) { groupList.add(namedGroup); } } // ignore unknown groups --- SignatureScheme.java +++ SignatureScheme.java 
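Review bot: The `params == null` guard removed from `DHKeyExchange.valueOf` is not replaced by anything, yet the new `NamedGroup` constructor explicitly tolerates a null `keAlgParamSpec` (it only clears `isAvailable`), so such a group would now fail with an NPE/ClassCastException at the `params` uses that follow `new DHPublicKeySpec(` instead of returning null as before. Unless the `return null` above the hunk already rejects unavailable groups, keep the one-liner `if (params == null) { return null; }` or test `if (!ng.isAvailable) { return null; }` before the cast. The same guard is dropped in the ECDHKeyExchange `valueOf` hunk later in this patch, where `parameters.getCurve()` is dereferenced on the very next line. Both enclosing methods begin above their hunks.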
@@ -184,21 +184,25 @@ RSA_PSS_SHA384 ("SHA-384", 48), RSA_PSS_SHA512 ("SHA-512", 64); - final private AlgorithmParameterSpec parameterSpec; - final boolean isAvailable; + private final AlgorithmParameterSpec parameterSpec; + private final AlgorithmParameters parameters; + private final boolean isAvailable; SigAlgParamSpec(String hash, int saltLength) { // See RFC 8017 PSSParameterSpec pssParamSpec = new PSSParameterSpec(hash, "MGF1", new MGF1ParameterSpec(hash), saltLength, 1); + AlgorithmParameters pssParams = null; boolean mediator = true; try { Signature signer = Signature.getInstance("RSASSA-PSS"); signer.setParameter(pssParamSpec); + pssParams = signer.getParameters(); } catch (InvalidAlgorithmParameterException | - NoSuchAlgorithmException exp) { + NoSuchAlgorithmException | RuntimeException exp) { + // Signature.getParameters() may throw RuntimeException. mediator = false; if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( @@ -272,8 +272,8 @@ private SignatureScheme(int id, String name, Arrays.asList(handshakeSupportedProtocols); boolean mediator = true; - if (signAlgParamSpec != null) { - mediator = signAlgParamSpec.isAvailable; + if (signAlgParams != null) { + mediator = signAlgParams.isAvailable; } else { try { Signature.getInstance(algorithm); @@ -437,6 +448,7 @@ static SignatureScheme getPreferableAlgorithm( } static SignatureScheme getPreferableAlgorithm( + AlgorithmConstraints constraints, List schemes, X509Possession x509Possession, ProtocolVersion version) { 
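Review bot: The widened `catch (... | RuntimeException exp)` in the `SigAlgParamSpec` constructor turns every unchecked failure from `Signature.getInstance`, `setParameter` and `getParameters` — a provider NPE or a genuine bug included — into a silently unavailable scheme reported only at `ssl,handshake` log level. The unchecked exception the JCA default `SignatureSpi.engineGetParameters()` raises when a provider does not implement it is `UnsupportedOperationException`, which is what the added comment is really describing; narrowing to it keeps the tolerance for such providers while letting real errors surface: `NoSuchAlgorithmException | UnsupportedOperationException exp)` with `// SignatureSpi.engineGetParameters() defaults to UnsupportedOperationException.`. The constructor's tail, where `pssParams` is presumably stored into the new `parameters` field, lies outside the hunk.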
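Review bot: The new `constraints` parameter of `getPreferableAlgorithm` carries no comment saying how it affects selection, and the method body is outside the hunk, so a reader of the signature cannot tell whether schemes the local `AlgorithmConstraints` do not permit are skipped or merely deprioritized. Every call site updated in this patch passes the handshake context's `algorithmConstraints`, so the intent is presumably a hard filter; a one-line comment on the parameter such as `// constraints: local AlgorithmConstraints; schemes they reject are never selected` (adjusted to what the body actually does) would make that contract explicit.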
@@ -527,10 +540,13 @@ Signature getSignature(Key key) throws NoSuchAlgorithmException, Signature signer = Signature.getInstance(algorithm); if (key instanceof PublicKey) { SignatureUtil.initVerifyWithParam(signer, (PublicKey)key, - signAlgParameter); + (signAlgParams != null ? + signAlgParams.parameterSpec : null)); } else { SignatureUtil.initSignWithParam(signer, (PrivateKey)key, - signAlgParameter, null); + (signAlgParams != null ? + signAlgParams.parameterSpec : null), + null); } return signer; --- NamedGroup.java +++ NamedGroup.java 
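Review bot: The `(signAlgParams != null ? signAlgParams.parameterSpec : null)` expression is now written twice in `getSignature`, once per branch, which is the kind of duplication that drifts when one side is edited later. Hoist it into a single local ahead of the `if`, `AlgorithmParameterSpec paramSpec = (signAlgParams != null) ? signAlgParams.parameterSpec : null;`, and pass `paramSpec` to both `SignatureUtil` calls. The method's signature line is above the hunk.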
@@ -52,186 +51,253 @@ // See sun.security.util.CurveDB for the OIDs // NIST K-163 - SECT163_K1(0x0001, "sect163k1", "1.3.132.0.1", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECT163_R1(0x0002, "sect163r1", "1.3.132.0.2", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT163_K1(0x0001, "sect163k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect163k1")), + SECT163_R1(0x0002, "sect163r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect163r1")), // NIST B-163 - SECT163_R2(0x0003, "sect163r2", "1.3.132.0.15", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECT193_R1(0x0004, "sect193r1", "1.3.132.0.24", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECT193_R2(0x0005, "sect193r2", "1.3.132.0.25", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT163_R2(0x0003, "sect163r2", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect163r2")), + SECT193_R1(0x0004, "sect193r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect193r1")), + SECT193_R2(0x0005, "sect193r2", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect193r2")), // NIST K-233 - SECT233_K1(0x0006, "sect233k1", "1.3.132.0.26", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT233_K1(0x0006, "sect233k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect233k1")), // NIST B-233 - SECT233_R1(0x0007, "sect233r1", "1.3.132.0.27", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECT239_K1(0x0008, "sect239k1", "1.3.132.0.3", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT233_R1(0x0007, "sect233r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + 
ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect233r1")), + SECT239_K1(0x0008, "sect239k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect239k1")), // NIST K-283 - SECT283_K1(0x0009, "sect283k1", "1.3.132.0.16", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT283_K1(0x0009, "sect283k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect283k1")), // NIST B-283 - SECT283_R1(0x000A, "sect283r1", "1.3.132.0.17", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT283_R1(0x000A, "sect283r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect283r1")), // NIST K-409 - SECT409_K1(0x000B, "sect409k1", "1.3.132.0.36", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT409_K1(0x000B, "sect409k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect409k1")), // NIST B-409 - SECT409_R1(0x000C, "sect409r1", "1.3.132.0.37", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT409_R1(0x000C, "sect409r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect409r1")), // NIST K-571 - SECT571_K1(0x000D, "sect571k1", "1.3.132.0.38", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT571_K1(0x000D, "sect571k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect571k1")), // NIST B-571 - SECT571_R1(0x000E, "sect571r1", "1.3.132.0.39", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECP160_K1(0x000F, "secp160k1", "1.3.132.0.9", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECP160_R1(0x0010, "secp160r1", "1.3.132.0.8", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECP160_R2(0x0011, "secp160r2", "1.3.132.0.30", - 
NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECP192_K1(0x0012, "secp192k1", "1.3.132.0.31", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECT571_R1(0x000E, "sect571r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("sect571r1")), + SECP160_K1(0x000F, "secp160k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp160k1")), + SECP160_R1(0x0010, "secp160r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp160r1")), + SECP160_R2(0x0011, "secp160r2", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp160r2")), + SECP192_K1(0x0012, "secp192k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp192k1")), // NIST P-192 - SECP192_R1(0x0013, "secp192r1", "1.2.840.10045.3.1.1", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECP224_K1(0x0014, "secp224k1", "1.3.132.0.32", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECP192_R1(0x0013, "secp192r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp192r1")), + SECP224_K1(0x0014, "secp224k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp224k1")), // NIST P-224 - SECP224_R1(0x0015, "secp224r1", "1.3.132.0.33", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), - SECP256_K1(0x0016, "secp256k1", "1.3.132.0.10", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_12), + SECP224_R1(0x0015, "secp224r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp224r1")), + SECP256_K1(0x0016, "secp256k1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_12, + CurveDB.lookup("secp256k1")), // NIST P-256 - SECP256_R1(0x0017, "secp256r1", 
"1.2.840.10045.3.1.7", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_13), + SECP256_R1(0x0017, "secp256r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_13, + CurveDB.lookup("secp256r1")), // NIST P-384 - SECP384_R1(0x0018, "secp384r1", "1.3.132.0.34", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_13), + SECP384_R1(0x0018, "secp384r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_13, + CurveDB.lookup("secp384r1")), // NIST P-521 - SECP521_R1(0x0019, "secp521r1", "1.3.132.0.35", - NamedGroupType.NAMED_GROUP_ECDHE, - ProtocolVersion.PROTOCOLS_TO_13), + SECP521_R1(0x0019, "secp521r1", + NamedGroupSpec.NAMED_GROUP_ECDHE, + ProtocolVersion.PROTOCOLS_TO_13, + CurveDB.lookup("secp521r1")), // x25519 and x448 (RFC 8422/8446) - X25519(0x001D, "x25519", "1.3.101.110", - NamedGroupType.NAMED_GROUP_XDH, - ProtocolVersion.PROTOCOLS_TO_13), - X448(0x001E, "x448", "1.3.101.111", - NamedGroupType.NAMED_GROUP_XDH, - ProtocolVersion.PROTOCOLS_TO_13), + X25519(0x001D, "x25519", + NamedGroupSpec.NAMED_GROUP_XDH, + ProtocolVersion.PROTOCOLS_TO_13, + NamedParameterSpec.X25519), + X448(0x001E, "x448", + NamedGroupSpec.NAMED_GROUP_XDH, + ProtocolVersion.PROTOCOLS_TO_13, + NamedParameterSpec.X448), // Finite Field Diffie-Hellman Ephemeral Parameters (RFC 7919) - FFDHE_2048(0x0100, "ffdhe2048", null, - NamedGroupType.NAMED_GROUP_FFDHE, - ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_3072(0x0101, "ffdhe3072", null, - NamedGroupType.NAMED_GROUP_FFDHE, - ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_4096(0x0102, "ffdhe4096", null, - NamedGroupType.NAMED_GROUP_FFDHE, - ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_6144(0x0103, "ffdhe6144", null, - NamedGroupType.NAMED_GROUP_FFDHE, - ProtocolVersion.PROTOCOLS_TO_13), - FFDHE_8192(0x0104, "ffdhe8192", null, - NamedGroupType.NAMED_GROUP_FFDHE, - ProtocolVersion.PROTOCOLS_TO_13), + FFDHE_2048(0x0100, "ffdhe2048", + NamedGroupSpec.NAMED_GROUP_FFDHE, + 
ProtocolVersion.PROTOCOLS_TO_13, + PredefinedDHParameterSpecs.ffdheParams.get(2048)), + + FFDHE_3072(0x0101, "ffdhe3072", + NamedGroupSpec.NAMED_GROUP_FFDHE, + ProtocolVersion.PROTOCOLS_TO_13, + PredefinedDHParameterSpecs.ffdheParams.get(3072)), + FFDHE_4096(0x0102, "ffdhe4096", + NamedGroupSpec.NAMED_GROUP_FFDHE, + ProtocolVersion.PROTOCOLS_TO_13, + PredefinedDHParameterSpecs.ffdheParams.get(4096)), + FFDHE_6144(0x0103, "ffdhe6144", + NamedGroupSpec.NAMED_GROUP_FFDHE, + ProtocolVersion.PROTOCOLS_TO_13, + PredefinedDHParameterSpecs.ffdheParams.get(6144)), + FFDHE_8192(0x0104, "ffdhe8192", + NamedGroupSpec.NAMED_GROUP_FFDHE, + ProtocolVersion.PROTOCOLS_TO_13, + PredefinedDHParameterSpecs.ffdheParams.get(8192)), // Elliptic Curves (RFC 4492) // // arbitrary prime and characteristic-2 curves - ARBITRARY_PRIME(0xFF01, "arbitrary_explicit_prime_curves", null, - NamedGroupType.NAMED_GROUP_ARBITRARY, - ProtocolVersion.PROTOCOLS_TO_12), - ARBITRARY_CHAR2(0xFF02, "arbitrary_explicit_char2_curves", null, - NamedGroupType.NAMED_GROUP_ARBITRARY, - ProtocolVersion.PROTOCOLS_TO_12); + ARBITRARY_PRIME(0xFF01, "arbitrary_explicit_prime_curves", + NamedGroupSpec.NAMED_GROUP_ARBITRARY, + ProtocolVersion.PROTOCOLS_TO_12, + null), + ARBITRARY_CHAR2(0xFF02, "arbitrary_explicit_char2_curves", + NamedGroupSpec.NAMED_GROUP_ARBITRARY, + ProtocolVersion.PROTOCOLS_TO_12, + null); final int id; // hash + signature - final NamedGroupType type; // group type final String name; // literal name - final String oid; // object identifier of the named group - final String algorithm; // signature algorithm + final NamedGroupSpec spec; // group type final ProtocolVersion[] supportedProtocols; - private final NamedGroupFunctions functions; // may be null + final String algorithm; // key exchange algorithm + final AlgorithmParameterSpec keAlgParamSpec; + final AlgorithmParameters keAlgParams; + final boolean isAvailable; + + // performance optimization + private static final Set 
KEY_AGREEMENT_PRIMITIVE_SET = + Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT)); // Constructor used for all NamedGroup types - private NamedGroup(int id, String name, String oid, - NamedGroupType namedGroupType, - ProtocolVersion[] supportedProtocols) { + private NamedGroup(int id, String name, + NamedGroupSpec namedGroupSpec, + ProtocolVersion[] supportedProtocols, + AlgorithmParameterSpec keAlgParamSpec) { this.id = id; this.name = name; - this.oid = oid; - this.type = namedGroupType; + this.spec = namedGroupSpec; + this.algorithm = namedGroupSpec.algorithm; this.supportedProtocols = supportedProtocols; + this.keAlgParamSpec = keAlgParamSpec; - if (this.type == NamedGroupType.NAMED_GROUP_ECDHE) { - this.functions = ECDHFunctions.getInstance(); - this.algorithm = "EC"; - } else if (this.type == NamedGroupType.NAMED_GROUP_FFDHE) { - this.functions = FFDHFunctions.getInstance(); - this.algorithm = "DiffieHellman"; - } else if (this.type == NamedGroupType.NAMED_GROUP_XDH) { - this.functions = XDHFunctions.getInstance(); - this.algorithm = "XDH"; - } else if (this.type == NamedGroupType.NAMED_GROUP_ARBITRARY) { - this.functions = null; - this.algorithm = "EC"; - } else { - throw new RuntimeException("Unexpected Named Group Type"); + AlgorithmParameters algParams = null; + boolean mediator = (keAlgParamSpec != null); + if (mediator) { + try { + algParams = + AlgorithmParameters.getInstance(namedGroupSpec.algorithm); + algParams.init(keAlgParamSpec); + } catch (InvalidParameterSpecException + | NoSuchAlgorithmException exp) { + if (namedGroupSpec != NamedGroupSpec.NAMED_GROUP_XDH) { + mediator = false; + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "No AlgorithmParameters for " + name, exp); + } + } else { + // HACK CODE + // + // Please remove the following code if the XDH/X25519/X448 + // AlgorithmParameters algorithms are supported in JDK. 
+ algParams = null; + try { + KeyAgreement.getInstance(name); + + // The following service is also needed. But for + // performance, check the KeyAgreement impl only. + // + // KeyFactory.getInstance(name); + // KeyPairGenerator.getInstance(name); + // AlgorithmParameters.getInstance(name); + } catch (NoSuchAlgorithmException nsae) { + mediator = false; + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.warning( + "No AlgorithmParameters for " + name, nsae); + } + } + } + } } - } - private Optional getFunctions() { - return Optional.ofNullable(functions); + this.isAvailable = mediator; + this.keAlgParams = mediator ? algParams : null; } + // // The next set of methods search & retrieve NamedGroups. - + // static NamedGroup valueOf(int id) { for (NamedGroup group : NamedGroup.values()) { if (group.id == id) { @@ -243,12 +309,11 @@ static NamedGroup valueOf(int id) { } static NamedGroup valueOf(ECParameterSpec params) { - String oid = ECUtil.getCurveName(null, params); - if ((oid != null) && (!oid.isEmpty())) { - for (NamedGroup group : NamedGroup.values()) { - if ((group.type == NamedGroupType.NAMED_GROUP_ECDHE) - && oid.equals(group.oid)) { - return group; + for (NamedGroup ng : NamedGroup.values()) { + if (ng.spec == NamedGroupSpec.NAMED_GROUP_ECDHE) { + if ((params == ng.keAlgParamSpec) || + (ng.keAlgParamSpec == CurveDB.lookup(params))) { + return ng; } } } 
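Review bot: A group whose `keAlgParamSpec` argument is null — which is what a failed `CurveDB.lookup(...)` or a missing `PredefinedDHParameterSpecs.ffdheParams` entry would yield for the ECDHE and FFDHE constants — is marked unavailable by the new constructor without any log line, because `mediator = (keAlgParamSpec != null)` bypasses the whole `if (mediator)` block where the warnings live; a curve silently vanishing from the offered groups is hard to diagnose, so log it for every non-arbitrary group (below). In the XDH hack branch the warning text `"No AlgorithmParameters for "` is attached to a failed `KeyAgreement.getInstance(name)`, so it should read `"No KeyAgreement for "`. Note also that this probe uses the group name (`x25519`/`x448`) whereas the removed `XDHFunctions.isAvailable` used `ng.algorithm` (`XDH`); for SunEC both names resolve, but a provider that registers only the generic name would now make both groups unavailable — worth confirming that is intended.
```java
        boolean mediator = (keAlgParamSpec != null);
        if (mediator) {
            // … unchanged: AlgorithmParameters init / XDH KeyAgreement probe …
        } else if (namedGroupSpec != NamedGroupSpec.NAMED_GROUP_ARBITRARY) {
            // A null spec here means the curve/DH parameter lookup used in
            // the constant's initializer failed; say so instead of letting
            // the group silently drop out of the offered list.
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.warning(
                    "No key exchange parameters for " + name);
            }
        }
```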
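Review bot: In `valueOf(ECParameterSpec)` the comparison `ng.keAlgParamSpec == CurveDB.lookup(params)` matches on null: an ECDHE constant whose `CurveDB.lookup` returned null at class initialization (the constructor allows this and merely sets `isAvailable` false) would be returned for any `params` that CurveDB does not know either, mapping an unknown curve to an unrelated named group. Guard `ng.keAlgParamSpec != null` (or `ng.isAvailable`) before comparing, and hoist the `CurveDB.lookup(params)` call out of the loop since it does not depend on `ng`. The match also relies on `CurveDB.lookup` handing back the same canonical instance the constants were built from; if it can return a fresh spec the identity test never succeeds — I cannot verify that from here. The method's tail is outside the hunk.
```java
    static NamedGroup valueOf(ECParameterSpec params) {
        // The lookup does not depend on ng, and its null result must not
        // match a group whose own lookup failed during class initialization.
        ECParameterSpec known = CurveDB.lookup(params);
        for (NamedGroup ng : NamedGroup.values()) {
            if (ng.spec == NamedGroupSpec.NAMED_GROUP_ECDHE
                    && ng.keAlgParamSpec != null
                    && (params == ng.keAlgParamSpec
                            || ng.keAlgParamSpec == known)) {
                return ng;
            }
        }
        // … unchanged: not-found return …
```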
@@ -258,23 +323,11 @@ static NamedGroup valueOf(ECParameterSpec params) { static NamedGroup valueOf(DHParameterSpec params) { for (NamedGroup ng : NamedGroup.values()) { - if (ng.type != NamedGroupType.NAMED_GROUP_FFDHE) { - continue; - } - - DHParameterSpec ngParams = null; - // functions is non-null for FFDHE type - AlgorithmParameters aps = ng.functions.getParameters(ng); - try { - ngParams = aps.getParameterSpec(DHParameterSpec.class); - } catch (InvalidParameterSpecException ipse) { - // should be unlikely - } - - if (ngParams == null) { + if (ng.spec != NamedGroupSpec.NAMED_GROUP_FFDHE) { continue; } + DHParameterSpec ngParams = (DHParameterSpec)ng.keAlgParamSpec; if (ngParams.getP().equals(params.getP()) && ngParams.getG().equals(params.getG())) { return ng; 
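Review bot: `(DHParameterSpec)ng.keAlgParamSpec` is dereferenced unconditionally in `valueOf(DHParameterSpec)`, but the constructor permits a null `keAlgParamSpec` (a missing `ffdheParams` entry, for instance) and only clears `isAvailable`, so the `ngParams == null` `continue` this hunk removes still has a case to cover and `ngParams.getP()` would NPE. Fold it into the existing filter: `if (ng.spec != NamedGroupSpec.NAMED_GROUP_FFDHE || ng.keAlgParamSpec == null) {` — or test `!ng.isAvailable`, which is presumably what callers care about. The method's closing lines are outside the hunk.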
@@ -543,111 +577,15 @@ public SSLPossession createPossession( } @Override - public SSLKeyDerivation createKeyDerivation(HandshakeContext hc) - throws IOException { + public SSLKeyDerivation createKeyDerivation( + HandshakeContext hc) throws IOException { return DHKeyExchange.kaGenerator.createKeyDerivation(hc); } - - @Override - public AlgorithmParameterSpec getParameterSpec(NamedGroup ng) { - return getDHParameterSpec(ng); - } - - DHParameterSpec getDHParameterSpec(NamedGroup ng) { - - AlgorithmParameters params = getParameters(ng); - try { - return params.getParameterSpec(DHParameterSpec.class); - } catch (InvalidParameterSpecException ipse) { - // should be unlikely - return getPredefinedDHParameterSpec(ng); - } - } - - private static DHParameterSpec getFFDHEDHParameterSpec( - NamedGroup namedGroup) { - - DHParameterSpec spec = null; - switch (namedGroup) { - case FFDHE_2048: - spec = PredefinedDHParameterSpecs.ffdheParams.get(2048); - break; - case FFDHE_3072: - spec = PredefinedDHParameterSpecs.ffdheParams.get(3072); - break; - case FFDHE_4096: - spec = PredefinedDHParameterSpecs.ffdheParams.get(4096); - break; - case FFDHE_6144: - spec = PredefinedDHParameterSpecs.ffdheParams.get(6144); - break; - case FFDHE_8192: - spec = PredefinedDHParameterSpecs.ffdheParams.get(8192); - } - - return spec; - } - - private static DHParameterSpec getPredefinedDHParameterSpec( - NamedGroup namedGroup) { - - DHParameterSpec spec = null; - switch (namedGroup) { - case FFDHE_2048: - spec = PredefinedDHParameterSpecs.definedParams.get(2048); - break; - case FFDHE_3072: - spec = PredefinedDHParameterSpecs.definedParams.get(3072); - break; - case FFDHE_4096: - spec = PredefinedDHParameterSpecs.definedParams.get(4096); - break; - case FFDHE_6144: - spec = PredefinedDHParameterSpecs.definedParams.get(6144); - break; - case FFDHE_8192: - spec = PredefinedDHParameterSpecs.definedParams.get(8192); - } - - return spec; - } - - @Override - public boolean isAvailable(NamedGroup ng) { - - 
AlgorithmParameters params = getParameters(ng); - return params != null; - } - - @Override - protected Optional getParametersImpl( - NamedGroup ng) { - try { - AlgorithmParameters params - = AlgorithmParameters.getInstance("DiffieHellman"); - AlgorithmParameterSpec spec - = getFFDHEDHParameterSpec(ng); - params.init(spec); - return Optional.of(params); - } catch (InvalidParameterSpecException - | NoSuchAlgorithmException ex) { - return Optional.empty(); - } - } - } - private static class ECDHFunctions extends NamedGroupFunctions { - - // lazy initialization - private static class FunctionsHolder { - private static final ECDHFunctions instance = new ECDHFunctions(); - } - - private static ECDHFunctions getInstance() { - return FunctionsHolder.instance; - } + private static class ECDHEScheme implements NamedGroupScheme { + private static final ECDHEScheme instance = new ECDHEScheme(); @Override public byte[] encodePossessionPublicKey( 
@@ -677,52 +615,14 @@ public SSLPossession createPossession( } @Override - public SSLKeyDerivation createKeyDerivation(HandshakeContext hc) - throws IOException { - + public SSLKeyDerivation createKeyDerivation( + HandshakeContext hc) throws IOException { return ECDHKeyExchange.ecdheKAGenerator.createKeyDerivation(hc); } - - @Override - public AlgorithmParameterSpec getParameterSpec(NamedGroup ng) { - return SupportedGroupsExtension.SupportedGroups - .getECGenParamSpec(ng); - } - - @Override - public boolean isAvailable(NamedGroup ng) { - - AlgorithmParameters params = getParameters(ng); - return params != null; - } - - @Override - protected Optional getParametersImpl( - NamedGroup ng) { - try { - AlgorithmParameters params - = AlgorithmParameters.getInstance("EC"); - AlgorithmParameterSpec spec - = new ECGenParameterSpec(ng.oid); - params.init(spec); - return Optional.of(params); - } catch (InvalidParameterSpecException - | NoSuchAlgorithmException ex) { - return Optional.empty(); - } - } } - private static class XDHFunctions extends NamedGroupFunctions { - - // lazy initialization - private static class FunctionsHolder { - private static final XDHFunctions instance = new XDHFunctions(); - } - - private static XDHFunctions getInstance() { - return FunctionsHolder.instance; - } + private static class XDHScheme implements NamedGroupScheme { + private static final XDHScheme instance = new XDHScheme(); @Override public byte[] encodePossessionPublicKey(NamedGroupPossession poss) { 
@@ -751,31 +651,9 @@ public SSLPossession createPossession( } @Override - public SSLKeyDerivation createKeyDerivation(HandshakeContext hc) - throws IOException { + public SSLKeyDerivation createKeyDerivation( + HandshakeContext hc) throws IOException { return XDHKeyExchange.xdheKAGenerator.createKeyDerivation(hc); } - - @Override - public AlgorithmParameterSpec getParameterSpec(NamedGroup ng) { - return new NamedParameterSpec(ng.name); - } - - @Override - public boolean isAvailable(NamedGroup ng) { - - try { - KeyAgreement.getInstance(ng.algorithm); - return true; - } catch (NoSuchAlgorithmException ex) { - return false; - } - } - - @Override - protected Optional getParametersImpl( - NamedGroup ng) { - return Optional.empty(); - } } } --- ECDHKeyExchange.java +++ ECDHKeyExchange.java @@ -98,11 +97,7 @@ static ECDHECredentials valueOf(NamedGroup namedGroup, } ECParameterSpec parameters = - ECUtil.getECParameterSpec(null, namedGroup.oid); - if (parameters == null) { - return null; - } - + (ECParameterSpec)namedGroup.keAlgParamSpec; ECPoint point = ECUtil.decodePoint( encodedPoint, parameters.getCurve()); KeyFactory factory = KeyFactory.getInstance("EC"); @@ -120,9 +115,7 @@ static ECDHECredentials valueOf(NamedGroup namedGroup, ECDHEPossession(NamedGroup namedGroup, SecureRandom random) { try { KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC"); - ECGenParameterSpec params = - (ECGenParameterSpec)namedGroup.getParameterSpec(); - kpg.initialize(params, random); + kpg.initialize(namedGroup.keAlgParamSpec, random); KeyPair kp = kpg.generateKeyPair(); privateKey = kp.getPrivate(); publicKey = (ECPublicKey)kp.getPublic(); --- ECDHServerKeyExchange.java +++ ECDHServerKeyExchange.java 
@@ -38,6 +38,7 @@ import java.security.SignatureException; import java.text.MessageFormat; import java.util.Locale; +import sun.security.ssl.NamedGroup.NamedGroupSpec; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.ssl.SupportedGroupsExtension.SupportedGroups; import sun.security.ssl.X509Authentication.X509Credentials; @@ -130,6 +136,7 @@ Signature signer = null; if (useExplicitSigAlgorithm) { signatureScheme = SignatureScheme.getPreferableAlgorithm( + shc.algorithmConstraints, shc.peerRequestedSignatureSchemes, x509Possession, shc.negotiatedProtocol); --- XDHKeyExchange.java +++ XDHKeyExchange.java @@ -101,8 +101,7 @@ static XDHECredentials valueOf(NamedGroup namedGroup, try { KeyPairGenerator kpg = KeyPairGenerator.getInstance(namedGroup.algorithm); - AlgorithmParameterSpec params = namedGroup.getParameterSpec(); - kpg.initialize(params, random); + kpg.initialize(namedGroup.keAlgParamSpec, random); KeyPair kp = kpg.generateKeyPair(); privateKey = kp.getPrivate(); publicKey = (XECPublicKey) kp.getPublic(); --- CertificateVerify.java +++ CertificateVerify.java @@ -586,6 +586,7 @@ public void consume(ConnectionContext context, // This happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; this.signatureScheme = SignatureScheme.getPreferableAlgorithm( + chc.algorithmConstraints, chc.peerRequestedSignatureSchemes, x509Possession, chc.negotiatedProtocol); @@ -898,6 +899,7 @@ public void consume(ConnectionContext context, super(context); this.signatureScheme = SignatureScheme.getPreferableAlgorithm( + context.algorithmConstraints, context.peerRequestedSignatureSchemes, x509Possession, context.negotiatedProtocol); --- DHServerKeyExchange.java +++ DHServerKeyExchange.java @@ -125,6 +125,7 @@ Signature signer = null; if (useExplicitSigAlgorithm) { signatureScheme = SignatureScheme.getPreferableAlgorithm( + shc.algorithmConstraints, shc.peerRequestedSignatureSchemes, x509Possession, shc.negotiatedProtocol);