2 files changed, 4329 insertions, 2 deletions

diff --git a/java/openjdk7/Makefile b/java/openjdk7/Makefile
index 52f4c8be480b..5745548a485c 100644
--- a/java/openjdk7/Makefile
+++ b/java/openjdk7/Makefile
@@ -6,8 +6,7 @@
 #
 
 PORTNAME=	openjdk
-PORTVERSION=	${JDK_MAJOR_VERSION}.${JDK_MINOR_VERSION}.${JDK_BUILD_NUMBER}
-PORTREVISION=	1
+PORTVERSION=	${JDK_MAJOR_VERSION}.${PORT_MINOR_VERSION}.${PORT_BUILD_NUMBER}
 CATEGORIES=	java devel
 MASTER_SITES=	http://download.java.net/openjdk/jdk7u2/promoted/b${JDK_BUILD_NUMBER}/ \
 		http://download.java.net/jaxp/1.4.5/:jaxp \
@@ -39,7 +38,9 @@ OPTIONS=	TZUPDATE	"Update the time zone data"	on
 
 JDK_MAJOR_VERSION=	7
 JDK_MINOR_VERSION=	2
+PORT_MINOR_VERSION=	3
 JDK_BUILD_NUMBER=	13
+PORT_BUILD_NUMBER=	04
 JDK_BUILD_DATE=		17_nov_2011
 JDK_SRC_DISTFILE=	${PORTNAME}-${JDK_MAJOR_VERSION}u${JDK_MINOR_VERSION}-fcs-src-b${JDK_BUILD_NUMBER}-${JDK_BUILD_DATE}
 
diff --git a/java/openjdk7/files/patch-u3 b/java/openjdk7/files/patch-u3
new file mode 100644
index 000000000000..b44fa61ee87b
--- /dev/null
+++ b/java/openjdk7/files/patch-u3
@@ -0,0 +1,4326 @@
+diff -uNr -x '.hg*' jdk7u2/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java jdk7u3/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java
+--- corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java	2012-04-17 17:40:35.000000000 -0400
++++ corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyFactoryImpl.java	2012-04-17 17:50:37.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -82,6 +82,6 @@
+     private String[] __ids = { "IDL:omg.org/DynamicAny/DynAnyFactory:1.0" };
+ 
+     public String[] _ids() {
+-        return __ids;
++        return (String[])__ids.clone();
+     }
+ }
+diff -uNr -x '.hg*' jdk7u2/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java jdk7u3/corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java
+--- corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java	2012-04-17 17:40:35.000000000 -0400
++++ corba/src/share/classes/com/sun/corba/se/impl/dynamicany/DynAnyImpl.java	2012-04-17 17:50:37.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2003, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -195,6 +195,6 @@
+     private String[] __ids = { "IDL:omg.org/DynamicAny/DynAny:1.0" };
+ 
+     public String[] _ids() {
+-        return __ids;
++        return (String[])__ids.clone();
+     }
+ }
+diff -uNr -x '.hg*' jdk7u2/corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java jdk7u3/corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java
+--- corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java	2012-04-17 17:40:36.000000000 -0400
++++ corba/src/share/classes/com/sun/org/omg/SendingContext/_CodeBaseImplBase.java	2012-04-17 17:50:39.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -138,7 +138,7 @@
+ 
+     public String[] _ids ()
+     {
+-        return __ids;
++        return (String[])__ids.clone();
+     }
+ 
+ 
+diff -uNr -x '.hg*' jdk7u2/hotspot/make/hotspot_version jdk7u3/hotspot/make/hotspot_version
+--- hotspot/make/hotspot_version	2012-04-17 17:34:59.000000000 -0400
++++ hotspot/make/hotspot_version	2012-04-17 17:50:17.000000000 -0400
+@@ -34,12 +34,12 @@
+ HOTSPOT_VM_COPYRIGHT=Copyright 2011
+ 
+ HS_MAJOR_VER=22
+-HS_MINOR_VER=0
+-HS_BUILD_NUMBER=10
++HS_MINOR_VER=1
++HS_BUILD_NUMBER=02
+ 
+ JDK_MAJOR_VER=1
+-JDK_MINOR_VER=8
++JDK_MINOR_VER=7
+ JDK_MICRO_VER=0
+ 
+ # Previous (bootdir) JDK version
+-JDK_PREVIOUS_VERSION=1.7.0
++JDK_PREVIOUS_VERSION=1.6.0
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java jdk7u3/jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java
+--- jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java	2012-04-17 17:39:04.000000000 -0400
++++ jdk/src/share/classes/com/sun/media/sound/DirectAudioDevice.java	2012-04-17 17:48:41.000000000 -0400
+@@ -736,7 +736,7 @@
+             if (off < 0) {
+                 throw new ArrayIndexOutOfBoundsException(off);
+             }
+-            if (off + len > b.length) {
++            if ((long)off + (long)len > (long)b.length) {
+                 throw new ArrayIndexOutOfBoundsException(b.length);
+             }
+ 
+@@ -964,7 +964,7 @@
+             if (off < 0) {
+                 throw new ArrayIndexOutOfBoundsException(off);
+             }
+-            if (off + len > b.length) {
++            if ((long)off + (long)len > (long)b.length) {
+                 throw new ArrayIndexOutOfBoundsException(b.length);
+             }
+             if (!isActive() && doIO) {
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java jdk7u3/jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java
+--- jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java	2012-04-17 17:39:04.000000000 -0400
++++ jdk/src/share/classes/com/sun/media/sound/SoftMixingSourceDataLine.java	2012-04-17 17:48:41.000000000 -0400
+@@ -130,6 +130,12 @@
+         if (len % framesize != 0)
+             throw new IllegalArgumentException(
+                     "Number of bytes does not represent an integral number of sample frames.");
++        if (off < 0) {
++            throw new ArrayIndexOutOfBoundsException(off);
++        }
++        if ((long)off + (long)len > (long)b.length) {
++            throw new ArrayIndexOutOfBoundsException(b.length);
++        }
+ 
+         byte[] buff = cycling_buffer;
+         int buff_len = cycling_buffer.length;
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/java/awt/KeyboardFocusManager.java jdk7u3/jdk/src/share/classes/java/awt/KeyboardFocusManager.java
+--- jdk/src/share/classes/java/awt/KeyboardFocusManager.java	2012-04-17 17:39:07.000000000 -0400
++++ jdk/src/share/classes/java/awt/KeyboardFocusManager.java	2012-04-17 17:48:43.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -503,14 +503,8 @@
+      */
+     protected Component getGlobalFocusOwner() throws SecurityException {
+         synchronized (KeyboardFocusManager.class) {
+-            if (this == getCurrentKeyboardFocusManager()) {
+-                return focusOwner;
+-            } else {
+-                if (focusLog.isLoggable(PlatformLogger.FINER)) {
+-                    focusLog.finer("This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+-                }
+-                throw new SecurityException(notPrivileged);
+-            }
++            checkCurrentKFMSecurity();
++            return focusOwner;
+         }
+     }
+ 
+@@ -544,6 +538,8 @@
+ 
+         if (focusOwner == null || focusOwner.isFocusable()) {
+             synchronized (KeyboardFocusManager.class) {
++                checkCurrentKFMSecurity();
++
+                 oldFocusOwner = getFocusOwner();
+ 
+                 try {
+@@ -593,6 +589,9 @@
+      * @see java.awt.event.FocusEvent#FOCUS_LOST
+      */
+     public void clearGlobalFocusOwner() {
++        synchronized (KeyboardFocusManager.class) {
++            checkCurrentKFMSecurity();
++        }
+         if (!GraphicsEnvironment.isHeadless()) {
+             // Toolkit must be fully initialized, otherwise
+             // _clearGlobalFocusOwner will crash or throw an exception
+@@ -672,14 +671,8 @@
+         throws SecurityException
+     {
+         synchronized (KeyboardFocusManager.class) {
+-            if (this == getCurrentKeyboardFocusManager()) {
+-                return permanentFocusOwner;
+-            } else {
+-                if (focusLog.isLoggable(PlatformLogger.FINER)) {
+-                    focusLog.finer("This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+-                }
+-                throw new SecurityException(notPrivileged);
+-            }
++            checkCurrentKFMSecurity();
++            return permanentFocusOwner;
+         }
+     }
+ 
+@@ -708,13 +701,14 @@
+      * @beaninfo
+      *       bound: true
+      */
+-    protected void setGlobalPermanentFocusOwner(Component permanentFocusOwner)
+-    {
++    protected void setGlobalPermanentFocusOwner(Component permanentFocusOwner) {
+         Component oldPermanentFocusOwner = null;
+         boolean shouldFire = false;
+ 
+         if (permanentFocusOwner == null || permanentFocusOwner.isFocusable()) {
+             synchronized (KeyboardFocusManager.class) {
++                checkCurrentKFMSecurity();
++
+                 oldPermanentFocusOwner = getPermanentFocusOwner();
+ 
+                 try {
+@@ -780,14 +774,8 @@
+      */
+     protected Window getGlobalFocusedWindow() throws SecurityException {
+         synchronized (KeyboardFocusManager.class) {
+-            if (this == getCurrentKeyboardFocusManager()) {
+-               return focusedWindow;
+-            } else {
+-                if (focusLog.isLoggable(PlatformLogger.FINER)) {
+-                    focusLog.finer("This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+-                }
+-                throw new SecurityException(notPrivileged);
+-            }
++            checkCurrentKFMSecurity();
++            return focusedWindow;
+         }
+     }
+ 
+@@ -818,6 +806,8 @@
+ 
+         if (focusedWindow == null || focusedWindow.isFocusableWindow()) {
+             synchronized (KeyboardFocusManager.class) {
++                checkCurrentKFMSecurity();
++
+                 oldFocusedWindow = getFocusedWindow();
+ 
+                 try {
+@@ -884,14 +874,8 @@
+      */
+     protected Window getGlobalActiveWindow() throws SecurityException {
+         synchronized (KeyboardFocusManager.class) {
+-            if (this == getCurrentKeyboardFocusManager()) {
+-               return activeWindow;
+-            } else {
+-                if (focusLog.isLoggable(PlatformLogger.FINER)) {
+-                    focusLog.finer("This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+-                }
+-                throw new SecurityException(notPrivileged);
+-            }
++            checkCurrentKFMSecurity();
++            return activeWindow;
+         }
+     }
+ 
+@@ -920,6 +904,8 @@
+     protected void setGlobalActiveWindow(Window activeWindow) {
+         Window oldActiveWindow;
+         synchronized (KeyboardFocusManager.class) {
++            checkCurrentKFMSecurity();
++
+             oldActiveWindow = getActiveWindow();
+             if (focusLog.isLoggable(PlatformLogger.FINER)) {
+                 focusLog.finer("Setting global active window to " + activeWindow + ", old active " + oldActiveWindow);
+@@ -1214,14 +1200,8 @@
+         throws SecurityException
+     {
+         synchronized (KeyboardFocusManager.class) {
+-            if (this == getCurrentKeyboardFocusManager()) {
+-                return currentFocusCycleRoot;
+-            } else {
+-                if (focusLog.isLoggable(PlatformLogger.FINER)) {
+-                    focusLog.finer("This manager is " + this + ", current is " + getCurrentKeyboardFocusManager());
+-                }
+-                throw new SecurityException(notPrivileged);
+-            }
++            checkCurrentKFMSecurity();
++            return currentFocusCycleRoot;
+         }
+     }
+ 
+@@ -1245,6 +1225,8 @@
+         Container oldFocusCycleRoot;
+ 
+         synchronized (KeyboardFocusManager.class) {
++            checkCurrentKFMSecurity();
++
+             oldFocusCycleRoot  = getCurrentFocusCycleRoot();
+             currentFocusCycleRoot = newFocusCycleRoot;
+         }
+@@ -3062,4 +3044,14 @@
+                 : null;
+         }
+     }
++
++    private void checkCurrentKFMSecurity() {
++        if (this != getCurrentKeyboardFocusManager()) {
++            if (focusLog.isLoggable(PlatformLogger.FINER)) {
++                focusLog.finer("This manager is " + this +
++                               ", current is " + getCurrentKeyboardFocusManager());
++            }
++            throw new SecurityException(notPrivileged);
++        }
++    }
+ }
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/java/io/ObjectStreamClass.java jdk7u3/jdk/src/share/classes/java/io/ObjectStreamClass.java
+--- jdk/src/share/classes/java/io/ObjectStreamClass.java	2012-04-17 17:39:08.000000000 -0400
++++ jdk/src/share/classes/java/io/ObjectStreamClass.java	2012-04-17 17:48:44.000000000 -0400
+@@ -123,14 +123,39 @@
+      */
+     private boolean hasBlockExternalData = true;
+ 
++    /**
++     * Contains information about InvalidClassException instances to be thrown
++     * when attempting operations on an invalid class. Note that instances of
++     * this class are immutable and are potentially shared among
++     * ObjectStreamClass instances.
++     */
++    private static class ExceptionInfo {
++        private final String className;
++        private final String message;
++
++        ExceptionInfo(String cn, String msg) {
++            className = cn;
++            message = msg;
++        }
++
++        /**
++         * Returns (does not throw) an InvalidClassException instance created
++         * from the information in this object, suitable for being thrown by
++         * the caller.
++         */
++        InvalidClassException newInvalidClassException() {
++            return new InvalidClassException(className, message);
++        }
++    }
++
+     /** exception (if any) thrown while attempting to resolve class */
+     private ClassNotFoundException resolveEx;
+     /** exception (if any) to throw if non-enum deserialization attempted */
+-    private InvalidClassException deserializeEx;
++    private ExceptionInfo deserializeEx;
+     /** exception (if any) to throw if non-enum serialization attempted */
+-    private InvalidClassException serializeEx;
++    private ExceptionInfo serializeEx;
+     /** exception (if any) to throw if default serialization attempted */
+-    private InvalidClassException defaultSerializeEx;
++    private ExceptionInfo defaultSerializeEx;
+ 
+     /** serializable fields */
+     private ObjectStreamField[] fields;
+@@ -444,7 +469,8 @@
+                         fields = getSerialFields(cl);
+                         computeFieldOffsets();
+                     } catch (InvalidClassException e) {
+-                        serializeEx = deserializeEx = e;
++                        serializeEx = deserializeEx =
++                            new ExceptionInfo(e.classname, e.getMessage());
+                         fields = NO_FIELDS;
+                     }
+ 
+@@ -483,15 +509,14 @@
+ 
+         if (deserializeEx == null) {
+             if (isEnum) {
+-                deserializeEx = new InvalidClassException(name, "enum type");
++                deserializeEx = new ExceptionInfo(name, "enum type");
+             } else if (cons == null) {
+-                deserializeEx = new InvalidClassException(
+-                    name, "no valid constructor");
++                deserializeEx = new ExceptionInfo(name, "no valid constructor");
+             }
+         }
+         for (int i = 0; i < fields.length; i++) {
+             if (fields[i].getField() == null) {
+-                defaultSerializeEx = new InvalidClassException(
++                defaultSerializeEx = new ExceptionInfo(
+                     name, "unmatched serializable field(s) declared");
+             }
+         }
+@@ -601,8 +626,8 @@
+                     (externalizable != localDesc.externalizable) ||
+                     !(serializable || externalizable))
+                 {
+-                    deserializeEx = new InvalidClassException(localDesc.name,
+-                        "class invalid for deserialization");
++                    deserializeEx = new ExceptionInfo(
++                        localDesc.name, "class invalid for deserialization");
+                 }
+             }
+ 
+@@ -727,11 +752,7 @@
+      */
+     void checkDeserialize() throws InvalidClassException {
+         if (deserializeEx != null) {
+-            InvalidClassException ice =
+-                new InvalidClassException(deserializeEx.classname,
+-                                          deserializeEx.getMessage());
+-            ice.initCause(deserializeEx);
+-            throw ice;
++            throw deserializeEx.newInvalidClassException();
+         }
+     }
+ 
+@@ -742,11 +763,7 @@
+      */
+     void checkSerialize() throws InvalidClassException {
+         if (serializeEx != null) {
+-            InvalidClassException ice =
+-                new InvalidClassException(serializeEx.classname,
+-                                          serializeEx.getMessage());
+-            ice.initCause(serializeEx);
+-            throw ice;
++            throw serializeEx.newInvalidClassException();
+         }
+     }
+ 
+@@ -759,11 +776,7 @@
+      */
+     void checkDefaultSerialize() throws InvalidClassException {
+         if (defaultSerializeEx != null) {
+-            InvalidClassException ice =
+-                new InvalidClassException(defaultSerializeEx.classname,
+-                                          defaultSerializeEx.getMessage());
+-            ice.initCause(defaultSerializeEx);
+-            throw ice;
++            throw defaultSerializeEx.newInvalidClassException();
+         }
+     }
+ 
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/java/util/TimeZone.java jdk7u3/jdk/src/share/classes/java/util/TimeZone.java
+--- jdk/src/share/classes/java/util/TimeZone.java	2012-04-17 17:39:10.000000000 -0400
++++ jdk/src/share/classes/java/util/TimeZone.java	2012-04-17 17:48:47.000000000 -0400
+@@ -43,6 +43,7 @@
+ import java.security.AccessController;
+ import java.security.PrivilegedAction;
+ import java.util.concurrent.ConcurrentHashMap;
++import sun.awt.AppContext;
+ import sun.security.action.GetPropertyAction;
+ import sun.util.TimeZoneNameUtility;
+ import sun.util.calendar.ZoneInfo;
+@@ -615,7 +616,7 @@
+      * method doesn't create a clone.
+      */
+     static TimeZone getDefaultRef() {
+-        TimeZone defaultZone = defaultZoneTL.get();
++        TimeZone defaultZone = getDefaultInAppContext();
+         if (defaultZone == null) {
+             defaultZone = defaultTimeZone;
+             if (defaultZone == null) {
+@@ -706,10 +707,49 @@
+         if (hasPermission()) {
+             synchronized (TimeZone.class) {
+                 defaultTimeZone = zone;
+-                defaultZoneTL.set(null);
++                setDefaultInAppContext(null);
+             }
+         } else {
+-            defaultZoneTL.set(zone);
++            setDefaultInAppContext(zone);
++        }
++    }
++
++    /**
++     * Returns the default TimeZone in an AppContext if any AppContext
++     * has ever used. null is returned if any AppContext hasn't been
++     * used or if the AppContext doesn't have the default TimeZone.
++     */
++    private synchronized static TimeZone getDefaultInAppContext() {
++        if (!hasSetInAppContext) {
++            return null;
++        }
++
++        AppContext ac = AppContext.getAppContext();
++        if (ac != null && !ac.isDisposed()) {
++            return (TimeZone) ac.get(TimeZone.class);
++        }
++        return null;
++    }
++
++    /**
++     * Sets the default TimeZone in the AppContext to the given
++     * tz. null is handled special: do nothing if any AppContext
++     * hasn't been used, remove the default TimeZone in the
++     * AppContext otherwise.
++     */
++    private synchronized static void setDefaultInAppContext(TimeZone tz) {
++        if (!hasSetInAppContext && tz == null) {
++            return;
++        }
++
++        AppContext ac = AppContext.getAppContext();
++        if (ac != null && !ac.isDisposed()) {
++            if (tz != null) {
++                ac.put(TimeZone.class, tz);
++                hasSetInAppContext = true;
++            } else {
++                ac.remove(TimeZone.class);
++            }
+         }
+     }
+ 
+@@ -760,12 +800,13 @@
+      */
+     private String           ID;
+     private static volatile TimeZone defaultTimeZone;
+-    private static final InheritableThreadLocal<TimeZone> defaultZoneTL
+-                                        = new InheritableThreadLocal<TimeZone>();
+ 
+     static final String         GMT_ID        = "GMT";
+     private static final int    GMT_ID_LENGTH = 3;
+ 
++    // true if the default TimeZone has been set in any AppContext
++    private static boolean hasSetInAppContext;
++
+     /**
+      * Parses a custom time zone identifier and returns a corresponding zone.
+      * This method doesn't support the RFC 822 time zone format. (e.g., +hhmm)
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java jdk7u3/jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java
+--- jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java	2012-04-17 17:39:10.000000000 -0400
++++ jdk/src/share/classes/java/util/concurrent/atomic/AtomicReferenceArray.java	2012-04-17 17:48:47.000000000 -0400
+@@ -34,8 +34,10 @@
+  */
+ 
+ package java.util.concurrent.atomic;
++
++import java.lang.reflect.Array;
++import java.util.Arrays;
+ import sun.misc.Unsafe;
+-import java.util.*;
+ 
+ /**
+  * An array of object references in which elements may be updated
+@@ -49,13 +51,23 @@
+ public class AtomicReferenceArray<E> implements java.io.Serializable {
+     private static final long serialVersionUID = -6209656149925076980L;
+ 
+-    private static final Unsafe unsafe = Unsafe.getUnsafe();
+-    private static final int base = unsafe.arrayBaseOffset(Object[].class);
++    private static final Unsafe unsafe;
++    private static final int base;
+     private static final int shift;
+-    private final Object[] array;
++    private static final long arrayFieldOffset;
++    private final Object[] array; // must have exact type Object[]
+ 
+     static {
+-        int scale = unsafe.arrayIndexScale(Object[].class);
++        int scale;
++        try {
++            unsafe = Unsafe.getUnsafe();
++            arrayFieldOffset = unsafe.objectFieldOffset
++                (AtomicReferenceArray.class.getDeclaredField("array"));
++            base = unsafe.arrayBaseOffset(Object[].class);
++            scale = unsafe.arrayIndexScale(Object[].class);
++        } catch (Exception e) {
++            throw new Error(e);
++        }
+         if ((scale & (scale - 1)) != 0)
+             throw new Error("data type scale not a power of two");
+         shift = 31 - Integer.numberOfLeadingZeros(scale);
+@@ -91,7 +103,7 @@
+      */
+     public AtomicReferenceArray(E[] array) {
+         // Visibility guaranteed by final field guarantees
+-        this.array = array.clone();
++        this.array = Arrays.copyOf(array, array.length, Object[].class);
+     }
+ 
+     /**
+@@ -150,7 +162,7 @@
+     public final E getAndSet(int i, E newValue) {
+         long offset = checkedByteOffset(i);
+         while (true) {
+-            E current = (E) getRaw(offset);
++            E current = getRaw(offset);
+             if (compareAndSetRaw(offset, current, newValue))
+                 return current;
+         }
+@@ -196,7 +208,7 @@
+      * @return the String representation of the current values of array
+      */
+     public String toString() {
+-           int iMax = array.length - 1;
++        int iMax = array.length - 1;
+         if (iMax == -1)
+             return "[]";
+ 
+@@ -210,4 +222,19 @@
+         }
+     }
+ 
++    /**
++     * Reconstitutes the instance from a stream (that is, deserializes it).
++     * @param s the stream
++     */
++    private void readObject(java.io.ObjectInputStream s)
++        throws java.io.IOException, ClassNotFoundException {
++        // Note: This must be changed if any additional fields are defined
++        Object a = s.readFields().get("array", null);
++        if (a == null || !a.getClass().isArray())
++            throw new java.io.InvalidObjectException("Not array type");
++        if (a.getClass() != Object[].class)
++            a = Arrays.copyOf((Object[])a, Array.getLength(a), Object[].class);
++        unsafe.putObjectVolatile(this, arrayFieldOffset, a);
++    }
++
+ }
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/java2d/SunGraphics2D.java jdk7u3/jdk/src/share/classes/sun/java2d/SunGraphics2D.java
+--- jdk/src/share/classes/sun/java2d/SunGraphics2D.java	2012-04-17 17:39:17.000000000 -0400
++++ jdk/src/share/classes/sun/java2d/SunGraphics2D.java	2012-04-17 17:48:53.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -370,6 +370,17 @@
+     }
+ 
+     public void validatePipe() {
++        /* This workaround is for the situation when we update the Pipelines
++         * for invalid SurfaceData and run further code when the current
++         * pipeline doesn't support the type of new SurfaceData created during
++         * the current pipeline's work (in place of the invalid SurfaceData).
++         * Usually SurfaceData and Pipelines are repaired (through revalidateAll)
++         * and called again in the exception handlers */
++
++        if (!surfaceData.isValid()) {
++            throw new InvalidPipeException("attempt to validate Pipe with invalid SurfaceData");
++        }
++
+         surfaceData.validatePipe(this);
+     }
+ 
+@@ -1804,7 +1815,12 @@
+             width += x;
+             height += y;
+         }
+-        if (!getCompClip().intersectsQuickCheckXYXY(x, y, width, height)) {
++
++        try {
++            if (!getCompClip().intersectsQuickCheckXYXY(x, y, width, height)) {
++                return false;
++            }
++        } catch (InvalidPipeException e) {
+             return false;
+         }
+         // REMIND: We could go one step further here and examine the
+@@ -1988,8 +2004,8 @@
+         try {
+             doCopyArea(x, y, w, h, dx, dy);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 doCopyArea(x, y, w, h, dx, dy);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2120,8 +2136,8 @@
+         try {
+             drawpipe.drawLine(this, x1, y1, x2, y2);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawLine(this, x1, y1, x2, y2);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2137,8 +2153,8 @@
+         try {
+             drawpipe.drawRoundRect(this, x, y, w, h, arcW, arcH);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawRoundRect(this, x, y, w, h, arcW, arcH);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2154,8 +2170,8 @@
+         try {
+             fillpipe.fillRoundRect(this, x, y, w, h, arcW, arcH);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 fillpipe.fillRoundRect(this, x, y, w, h, arcW, arcH);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2171,8 +2187,8 @@
+         try {
+             drawpipe.drawOval(this, x, y, w, h);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawOval(this, x, y, w, h);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2188,8 +2204,8 @@
+         try {
+             fillpipe.fillOval(this, x, y, w, h);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 fillpipe.fillOval(this, x, y, w, h);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2206,8 +2222,8 @@
+         try {
+             drawpipe.drawArc(this, x, y, w, h, startAngl, arcAngl);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawArc(this, x, y, w, h, startAngl, arcAngl);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2224,8 +2240,8 @@
+         try {
+             fillpipe.fillArc(this, x, y, w, h, startAngl, arcAngl);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 fillpipe.fillArc(this, x, y, w, h, startAngl, arcAngl);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2241,8 +2257,8 @@
+         try {
+             drawpipe.drawPolyline(this, xPoints, yPoints, nPoints);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawPolyline(this, xPoints, yPoints, nPoints);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2258,8 +2274,8 @@
+         try {
+             drawpipe.drawPolygon(this, xPoints, yPoints, nPoints);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawPolygon(this, xPoints, yPoints, nPoints);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2275,8 +2291,8 @@
+         try {
+             fillpipe.fillPolygon(this, xPoints, yPoints, nPoints);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 fillpipe.fillPolygon(this, xPoints, yPoints, nPoints);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2292,8 +2308,8 @@
+         try {
+             drawpipe.drawRect(this, x, y, w, h);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 drawpipe.drawRect(this, x, y, w, h);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2309,8 +2325,8 @@
+         try {
+             fillpipe.fillRect(this, x, y, w, h);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 fillpipe.fillRect(this, x, y, w, h);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2358,7 +2374,6 @@
+         Paint p = paint;
+         setComposite(AlphaComposite.Src);
+         setColor(getBackground());
+-        validatePipe();
+         fillRect(x, y, w, h);
+         setPaint(p);
+         setComposite(c);
+@@ -2382,8 +2397,8 @@
+         try {
+             shapepipe.draw(this, s);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 shapepipe.draw(this, s);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2412,8 +2427,8 @@
+         try {
+             shapepipe.fill(this, s);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 shapepipe.fill(this, s);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2560,10 +2575,17 @@
+         // Include padding for interpolation/antialiasing if necessary
+         int pad = isIntegerTranslate ? 0 : 3;
+ 
++        Region clip;
++        try {
++            clip = getCompClip();
++        } catch (InvalidPipeException e) {
++            return;
++        }
++
+         // Determine the region of the image that may contribute to
+         // the clipped drawing area
+         Rectangle region = getImageRegion(img,
+-                                          getCompClip(),
++                                          clip,
+                                           transform,
+                                           xform,
+                                           pad, pad);
+@@ -2806,8 +2828,8 @@
+         try {
+             textpipe.drawString(this, str, x, y);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 textpipe.drawString(this, str, x, y);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2835,8 +2857,8 @@
+         try {
+             textpipe.drawString(this, str, x, y);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 textpipe.drawString(this, str, x, y);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2881,8 +2903,8 @@
+         try {
+             textpipe.drawGlyphVector(this, gv, x, y);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 textpipe.drawGlyphVector(this, gv, x, y);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2914,8 +2936,8 @@
+         try {
+             textpipe.drawChars(this, data, offset, length, x, y);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 textpipe.drawChars(this, data, offset, length, x, y);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2951,8 +2973,8 @@
+         try {
+             textpipe.drawChars(this, chData, 0, length, x, y);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 textpipe.drawChars(this, chData, 0, length, x, y);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -2988,8 +3010,8 @@
+             return imagepipe.copyImage(this, img, dx, dy, sx, sy,
+                                        width, height, bgcolor, observer);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 return imagepipe.copyImage(this, img, dx, dy, sx, sy,
+                                            width, height, bgcolor, observer);
+             } catch (InvalidPipeException e2) {
+@@ -3025,8 +3047,8 @@
+             return imagepipe.scaleImage(this, img, x, y, width, height,
+                                         bg, observer);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 return imagepipe.scaleImage(this, img, x, y, width, height,
+                                             bg, observer);
+             } catch (InvalidPipeException e2) {
+@@ -3061,8 +3083,8 @@
+         try {
+             return imagepipe.copyImage(this, img, x, y, bg, observer);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 return imagepipe.copyImage(this, img, x, y, bg, observer);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -3138,8 +3160,8 @@
+                                           sx1, sy1, sx2, sy2, bgcolor,
+                                           observer);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 return imagepipe.scaleImage(this, img, dx1, dy1, dx2, dy2,
+                                               sx1, sy1, sx2, sy2, bgcolor,
+                                               observer);
+@@ -3187,8 +3209,8 @@
+         try {
+             return imagepipe.transformImage(this, img, xform, observer);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 return imagepipe.transformImage(this, img, xform, observer);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+@@ -3213,8 +3235,8 @@
+         try {
+             imagepipe.transformImage(this, bImg, op, x, y);
+         } catch (InvalidPipeException e) {
+-            revalidateAll();
+             try {
++                revalidateAll();
+                 imagepipe.transformImage(this, bImg, op, x, y);
+             } catch (InvalidPipeException e2) {
+                 // Still catching the exception; we are not yet ready to
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java jdk7u3/jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java
+--- jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java	2012-04-17 17:39:17.000000000 -0400
++++ jdk/src/share/classes/sun/java2d/opengl/OGLRenderer.java	2012-04-17 17:48:53.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2003, 2008, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -27,6 +27,7 @@
+ 
+ import java.awt.Transparency;
+ import java.awt.geom.Path2D;
++import sun.java2d.InvalidPipeException;
+ import sun.java2d.SunGraphics2D;
+ import sun.java2d.loops.GraphicsPrimitive;
+ import sun.java2d.pipe.BufferedRenderPipe;
+@@ -46,7 +47,12 @@
+         int ctxflags =
+             sg2d.paint.getTransparency() == Transparency.OPAQUE ?
+                 OGLContext.SRC_IS_OPAQUE : OGLContext.NO_CONTEXT_FLAGS;
+-        OGLSurfaceData dstData = (OGLSurfaceData)sg2d.surfaceData;
++        OGLSurfaceData dstData;
++        try {
++            dstData = (OGLSurfaceData)sg2d.surfaceData;
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+         OGLContext.validateContext(dstData, dstData,
+                                    sg2d.getCompClip(), sg2d.composite,
+                                    null, sg2d.paint, sg2d, ctxflags);
+@@ -55,7 +61,12 @@
+     @Override
+     protected void validateContextAA(SunGraphics2D sg2d) {
+         int ctxflags = OGLContext.NO_CONTEXT_FLAGS;
+-        OGLSurfaceData dstData = (OGLSurfaceData)sg2d.surfaceData;
++        OGLSurfaceData dstData;
++        try {
++            dstData = (OGLSurfaceData)sg2d.surfaceData;
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+         OGLContext.validateContext(dstData, dstData,
+                                    sg2d.getCompClip(), sg2d.composite,
+                                    null, sg2d.paint, sg2d, ctxflags);
+@@ -69,7 +80,12 @@
+             int ctxflags =
+                 sg2d.surfaceData.getTransparency() == Transparency.OPAQUE ?
+                     OGLContext.SRC_IS_OPAQUE : OGLContext.NO_CONTEXT_FLAGS;
+-            OGLSurfaceData dstData = (OGLSurfaceData)sg2d.surfaceData;
++            OGLSurfaceData dstData;
++            try {
++                dstData = (OGLSurfaceData)sg2d.surfaceData;
++            } catch (ClassCastException e) {
++                throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++            }
+             OGLContext.validateContext(dstData, dstData,
+                                        sg2d.getCompClip(), sg2d.composite,
+                                        null, null, null, ctxflags);
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java jdk7u3/jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java
+--- jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java	2012-04-17 17:39:17.000000000 -0400
++++ jdk/src/share/classes/sun/java2d/pipe/BufferedContext.java	2012-04-17 17:48:54.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2005, 2008, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -111,6 +111,8 @@
+      *
+      * Note: must be called while the RenderQueue lock is held.
+      *
++     * It's assumed that the type of surfaces has been checked by the Renderer
++     *
+      * @throws InvalidPipeException if either src or dest surface is not valid
+      * or lost
+      * @see RenderQueue#lock
+@@ -135,6 +137,8 @@
+      *
+      * Note: must be called while the RenderQueue lock is held.
+      *
++     * It's assumed that the type of surfaces has been checked by the Renderer
++     *
+      * @throws InvalidPipeException if the surface is not valid
+      * or lost
+      * @see RenderQueue#lock
+@@ -160,6 +164,8 @@
+      *
+      * Note: must be called while the RenderQueue lock is held.
+      *
++     * It's assumed that the type of surfaces has been checked by the Renderer
++     *
+      * @throws InvalidPipeException if either src or dest surface is not valid
+      * or lost
+      */
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/net/httpserver/Request.java jdk7u3/jdk/src/share/classes/sun/net/httpserver/Request.java
+--- jdk/src/share/classes/sun/net/httpserver/Request.java	2012-04-17 17:39:18.000000000 -0400
++++ jdk/src/share/classes/sun/net/httpserver/Request.java	2012-04-17 17:48:55.000000000 -0400
+@@ -203,6 +203,13 @@
+                 v = new String();
+             else
+                 v = String.copyValueOf(s, keyend, len - keyend);
++
++            if (hdrs.size() >= ServerConfig.getMaxReqHeaders()) {
++                throw new IOException("Maximum number of request headers (" +
++                        "sun.net.httpserver.maxReqHeaders) exceeded, " +
++                        ServerConfig.getMaxReqHeaders() + ".");
++            }
++
+             hdrs.add (k,v);
+             len = 0;
+         }
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/net/httpserver/ServerConfig.java jdk7u3/jdk/src/share/classes/sun/net/httpserver/ServerConfig.java
+--- jdk/src/share/classes/sun/net/httpserver/ServerConfig.java	2012-04-17 17:39:18.000000000 -0400
++++ jdk/src/share/classes/sun/net/httpserver/ServerConfig.java	2012-04-17 17:48:55.000000000 -0400
+@@ -46,13 +46,14 @@
+     static final long DEFAULT_MAX_REQ_TIME = -1; // default: forever
+     static final long DEFAULT_MAX_RSP_TIME = -1; // default: forever
+     static final long DEFAULT_TIMER_MILLIS = 1000;
+-
++    static final int  DEFAULT_MAX_REQ_HEADERS = 200;
+     static final long DEFAULT_DRAIN_AMOUNT = 64 * 1024;
+ 
+     static long idleInterval;
+     static long drainAmount;    // max # of bytes to drain from an inputstream
+     static int maxIdleConnections;
+-
++    // The maximum number of request headers allowable
++    private static int maxReqHeaders;
+     // max time a request or response is allowed to take
+     static long maxReqTime;
+     static long maxRspTime;
+@@ -80,6 +81,10 @@
+                     drainAmount = Long.getLong("sun.net.httpserver.drainAmount",
+                             DEFAULT_DRAIN_AMOUNT);
+ 
++                    maxReqHeaders = Integer.getInteger(
++                            "sun.net.httpserver.maxReqHeaders",
++                            DEFAULT_MAX_REQ_HEADERS);
++
+                     maxReqTime = Long.getLong("sun.net.httpserver.maxReqTime",
+                             DEFAULT_MAX_REQ_TIME);
+ 
+@@ -157,6 +162,10 @@
+         return drainAmount;
+     }
+ 
++    static int getMaxReqHeaders() {
++        return maxReqHeaders;
++    }
++
+     static long getMaxReqTime () {
+         return maxReqTime;
+     }
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+--- jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	2012-04-17 17:39:20.000000000 -0400
++++ jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	2012-04-17 17:48:57.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -668,7 +668,10 @@
+                 + "\n  Subject: " + cert.getSubjectX500Principal() + ")");
+         }
+ 
+-        ForwardState currState = (ForwardState) currentState;
++        ForwardState currState = (ForwardState)currentState;
++
++        // Don't bother to verify untrusted certificate more.
++        currState.untrustedChecker.check(cert, Collections.<String>emptySet());
+ 
+         /*
+          * check for looping - abort a loop if
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
+--- jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java	2012-04-17 17:39:20.000000000 -0400
++++ jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java	2012-04-17 17:48:57.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -79,6 +79,9 @@
+     /* the checker used for revocation status */
+     public CrlRevocationChecker crlChecker;
+ 
++    /* the untrusted certificates checker */
++    UntrustedChecker untrustedChecker;
++
+     /* The list of user-defined checkers that support forward checking */
+     ArrayList<PKIXCertPathChecker> forwardCheckers;
+ 
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
+--- jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	2012-04-17 17:39:20.000000000 -0400
++++ jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	2012-04-17 17:48:57.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -314,10 +314,12 @@
+                               pkixParam.isAnyPolicyInhibited(),
+                               pkixParam.getPolicyQualifiersRejected(),
+                               rootNode);
++        UntrustedChecker untrustedChecker = new UntrustedChecker();
+ 
+         ArrayList<PKIXCertPathChecker> certPathCheckers =
+             new ArrayList<PKIXCertPathChecker>();
+         // add standard checkers that we will be using
++        certPathCheckers.add(untrustedChecker);
+         certPathCheckers.add(algorithmChecker);
+         certPathCheckers.add(keyChecker);
+         certPathCheckers.add(constraintsChecker);
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java
+--- jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java	2012-04-17 17:39:20.000000000 -0400
++++ jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java	2012-04-17 17:48:57.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -347,6 +347,10 @@
+             return;
+         }
+ 
++        // Don't bother to verify untrusted certificate more.
++        currentState.untrustedChecker.check(cert,
++                                    Collections.<String>emptySet());
++
+         /*
+          * check for looping - abort a loop if
+          * ((we encounter the same certificate twice) AND
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java
+--- jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java	2012-04-17 17:39:20.000000000 -0400
++++ jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java	2012-04-17 17:48:57.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -99,6 +99,9 @@
+     /* the algorithm checker */
+     AlgorithmChecker algorithmChecker;
+ 
++    /* the untrusted certificates checker */
++    UntrustedChecker untrustedChecker;
++
+     /* the trust anchor used to validate the path */
+     TrustAnchor trustAnchor;
+ 
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+--- jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	2012-04-17 17:39:20.000000000 -0400
++++ jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	2012-04-17 17:48:57.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -284,6 +284,7 @@
+         Iterator<TrustAnchor> iter = buildParams.getTrustAnchors().iterator();
+         while (iter.hasNext()) {
+             TrustAnchor anchor = iter.next();
++
+             /* check if anchor satisfies target constraints */
+             if (anchorIsTarget(anchor, targetSel)) {
+                 this.trustAnchor = anchor;
+@@ -303,6 +304,7 @@
+             currentState.crlChecker =
+                 new CrlRevocationChecker(null, buildParams, null, onlyEECert);
+             currentState.algorithmChecker = new AlgorithmChecker(anchor);
++            currentState.untrustedChecker = new UntrustedChecker();
+             try {
+                 depthFirstSearchReverse(null, currentState,
+                 new ReverseBuilder(buildParams, targetSubjectDN), adjacencyList,
+@@ -349,6 +351,7 @@
+         // init the crl checker
+         currentState.crlChecker
+             = new CrlRevocationChecker(null, buildParams, null, onlyEECert);
++        currentState.untrustedChecker = new UntrustedChecker();
+ 
+         depthFirstSearchForward(targetSubjectDN, currentState,
+           new ForwardBuilder
+@@ -645,8 +648,8 @@
+             vertex.setIndex(adjList.size() - 1);
+ 
+             /* recursively search for matching certs at next dN */
+-            depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, builder,
+-                adjList, certPathList);
++            depthFirstSearchForward(cert.getIssuerX500Principal(),
++                                    nextState, builder, adjList, certPathList);
+ 
+             /*
+              * If path has been completed, return ASAP!
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java jdk7u3/jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java
+--- jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java	2012-04-17 17:48:57.000000000 -0400
+@@ -0,0 +1,89 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.provider.certpath;
++
++import java.security.cert.Certificate;
++import java.security.cert.X509Certificate;
++import java.security.cert.CertPathValidatorException;
++import java.security.cert.PKIXCertPathChecker;
++import java.util.Set;
++import java.util.Collection;
++import sun.security.util.Debug;
++import sun.security.util.UntrustedCertificates;
++
++/**
++ * A <code>PKIXCertPathChecker</code> implementation to check whether a
++ * specified certificate is distrusted.
++ *
++ * @see PKIXCertPathChecker
++ * @see PKIXParameters
++ */
++final public class UntrustedChecker extends PKIXCertPathChecker {
++
++    private static final Debug debug = Debug.getInstance("certpath");
++
++    /**
++     * Default Constructor
++     */
++    public UntrustedChecker() {
++        // blank
++    }
++
++    @Override
++    public void init(boolean forward) throws CertPathValidatorException {
++        // Note that this class supports both forward and reverse modes.
++    }
++
++    @Override
++    public boolean isForwardCheckingSupported() {
++        // Note that this class supports both forward and reverse modes.
++        return true;
++    }
++
++    @Override
++    public Set<String> getSupportedExtensions() {
++        return null;
++    }
++
++    @Override
++    public void check(Certificate cert,
++            Collection<String> unresolvedCritExts)
++            throws CertPathValidatorException {
++
++        X509Certificate currCert = (X509Certificate)cert;
++
++        if (UntrustedCertificates.isUntrusted(currCert)) {
++            if (debug != null) {
++                debug.println("UntrustedChecker: untrusted certificate " +
++                        currCert.getSubjectX500Principal());
++            }
++
++            throw new CertPathValidatorException(
++                "Untrusted certificate: " + currCert.getSubjectX500Principal());
++        }
++    }
++}
++
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/util/UntrustedCertificates.java jdk7u3/jdk/src/share/classes/sun/security/util/UntrustedCertificates.java
+--- jdk/src/share/classes/sun/security/util/UntrustedCertificates.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/src/share/classes/sun/security/util/UntrustedCertificates.java	2012-04-17 17:48:58.000000000 -0400
+@@ -0,0 +1,741 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++package sun.security.util;
++
++import java.io.IOException;
++import java.io.ByteArrayInputStream;
++import java.security.cert.X509Certificate;
++import java.security.cert.CertificateFactory;
++import java.security.cert.CertificateException;
++import java.util.Set;
++import java.util.HashSet;
++
++/**
++ * A utility class to check if a certificate is untrusted. This is an internal
++ * mechanism that explicitly marks a certificate as untrusted, normally in the
++ * case that a certificate is known to be used for malicious reasons.
++ *
++ * <b>Attention</b>: This check is NOT meant to replace the standard PKI-defined
++ * validation check, neither is it used as an alternative to CRL.
++ */
++public final class UntrustedCertificates {
++
++    private final static Set<X509Certificate> untrustedCerts = new HashSet<>();
++
++    /**
++     * Checks if a certificate is untrusted.
++     *
++     * @param cert the certificate to check
++     * @return true if the certificate is untrusted.
++     */
++    public static boolean isUntrusted(X509Certificate cert) {
++        return untrustedCerts.contains(cert);
++    }
++
++    private static void add(String alias, String pemCert) {
++        // generate certificate from PEM certificate
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(pemCert.getBytes())) {
++            CertificateFactory cf = CertificateFactory.getInstance("X.509");
++            X509Certificate cert = (X509Certificate)cf.generateCertificate(is);
++
++            if (!untrustedCerts.add(cert)) {
++                throw new RuntimeException("Duplicate untrusted certificate: " +
++                    cert.getSubjectX500Principal());
++            }
++        } catch (CertificateException | IOException e) {
++            throw new RuntimeException(
++                        "Incorrect untrusted certificate: " + alias, e);
++        }
++    }
++
++    static {
++        // -----------------------------------------------------------------
++        // Compromised CAs of Digicert Malaysia
++        //
++        // Reported by Digicert in its announcement on November 05, 2011.
++        //
++
++        // Digicert Malaysia intermediate, cross-signed by CyberTrust
++        //
++        // Subject: CN=Digisign Server ID (Enrich),
++        //          OU=457608-K,
++        //          O=Digicert Sdn. Bhd.,
++        //          C=MY
++        // Issuer:  CN=GTE CyberTrust Global Root,
++        //          OU=GTE CyberTrust Solutions, Inc.,
++        //          O=GTE Corporation,
++        //          C=US
++        // Serial:  120001705 (07:27:14:a9)
++        add("digicert-server-cross-to-cybertrust-4C0E636A",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIDyzCCAzSgAwIBAgIEBycUqTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" +
++        "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" +
++        "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" +
++        "b2JhbCBSb290MB4XDTA3MDcxNzE1MTc0OFoXDTEyMDcxNzE1MTY1NFowYzELMAkG\n" +
++        "A1UEBhMCTVkxGzAZBgNVBAoTEkRpZ2ljZXJ0IFNkbi4gQmhkLjERMA8GA1UECxMI\n" +
++        "NDU3NjA4LUsxJDAiBgNVBAMTG0RpZ2lzaWduIFNlcnZlciBJRCAoRW5yaWNoKTCB\n" +
++        "nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArahkS02Hx4RZufuQRqCmicDx/tXa\n" +
++        "VII3DZkrRSYK6Fawf8qo9I5HhAGCKeOzarWR8/uVhbxyqGToCkCcxfRxrnt7agfq\n" +
++        "kBRPjYmvlKuyBtQCanuYH1m5Os1U+iDfsioK6bjdaZDAKdNO0JftZszFGUkGf/pe\n" +
++        "LHx7hRsyQt97lSUCAwEAAaOCAXgwggF0MBIGA1UdEwEB/wQIMAYBAf8CAQAwXAYD\n" +
++        "VR0gBFUwUzBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcCARYtaHR0cDovL2N5YmVy\n" +
++        "dHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnkuY2ZtMAcGBWCDSgEBMA4GA1Ud\n" +
++        "DwEB/wQEAwIB5jCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYD\n" +
++        "VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv\n" +
++        "bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv\n" +
++        "b3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0\n" +
++        "LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwHQYDVR0OBBYEFMYWk04WF+wW\n" +
++        "royUdvOGbcV0boR3MA0GCSqGSIb3DQEBBQUAA4GBAHYAe6Z4K2Ydjl42xqSOBfIj\n" +
++        "knyTZ9P0wAp9iy3Z6tVvGvPhSilaIoRNUC9LDPL/hcJ7VdREgr5trGeOvLQfkpxR\n" +
++        "gBoU9m6rYYgLrRx/90tQUdZlG6ZHcRVesHHzNRTyN71jyNXwk1o0X9g96F33xR7A\n" +
++        "5c8fhiSpPAdmzcHSNmNZ\n" +
++        "-----END CERTIFICATE-----");
++
++        // Digicert Malaysia intermediate, cross-signed by Entrust
++        //
++        // Subject: CN=Digisign Server ID - (Enrich),
++        //          OU=457608-K,
++        //          O=Digicert Sdn. Bhd.,
++        //          C=MY
++        // Issuer:  CN=Entrust.net Certification Authority (2048)
++        //          OU=(c) 1999 Entrust.net Limited,
++        //          OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),
++        //          O=Entrust.net
++        // Serial:  1184644297 (4c:0e:63:6a)
++        add("digicert-server-cross-to-entrust-ca-4C0E636A",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIEzjCCA7agAwIBAgIETA5jajANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML\n" +
++        "RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp\n" +
++        "bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5\n" +
++        "IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp\n" +
++        "ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw0xMDA3MTYxNzIzMzdaFw0xNTA3\n" +
++        "MTYxNzUzMzdaMGUxCzAJBgNVBAYTAk1ZMRswGQYDVQQKExJEaWdpY2VydCBTZG4u\n" +
++        "IEJoZC4xETAPBgNVBAsTCDQ1NzYwOC1LMSYwJAYDVQQDEx1EaWdpc2lnbiBTZXJ2\n" +
++        "ZXIgSUQgLSAoRW5yaWNoKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" +
++        "AMWJ5PQNBkCSWccaszXRDkwqM/n4r8qef+65p21g9FTob9Wb8xtjMQRoctE0Foy0\n" +
++        "FyyX3nPF2JAVoBor9cuzSIZE8B2ITM5BQhrv9Qze/kDaOSD3BlU6ap1GwdJvpbLI\n" +
++        "Vz4po5zg6YV3ZuiYpyR+vsBZIOVEb7ZX2L7OwmV3WMZhQdF0BMh/SULFcqlyFu6M\n" +
++        "3RJdtErU0a9Qt9iqdXZorT5dqjBtYairEFs+E78z4K9EnTgiW+9ML6ZxJhUmyiiM\n" +
++        "2fqOjqmiFDXimySItPR/hZ2DTwehthSQNsQ0HI0mYW0Tb3i+6I8nx0uElqOGaAwj\n" +
++        "vgvsjJQAqQSKE5D334VsDLECAwEAAaOCATQwggEwMA4GA1UdDwEB/wQEAwIBBjAS\n" +
++        "BgNVHRMBAf8ECDAGAQH/AgEAMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcD\n" +
++        "AgYIKwYBBQUHAwQwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8v\n" +
++        "b2NzcC5lbnRydXN0Lm5ldDBEBgNVHSAEPTA7MDkGBWCDSgEBMDAwLgYIKwYBBQUH\n" +
++        "AgEWImh0dHA6Ly93d3cuZGlnaWNlcnQuY29tLm15L2Nwcy5odG0wMgYDVR0fBCsw\n" +
++        "KTAnoCWgI4YhaHR0cDovL2NybC5lbnRydXN0Lm5ldC8yMDQ4Y2EuY3JsMBEGA1Ud\n" +
++        "DgQKBAhMTswlKAMpgTAfBgNVHSMEGDAWgBRV5IHREYC+2Im5CKMx+aEkCRa5cDAN\n" +
++        "BgkqhkiG9w0BAQUFAAOCAQEAl0zvSjpJrHL8MCBrtClbp8WVBJD5MtXChWreA6E3\n" +
++        "+YkAsFqsVX7bQzX/yQH4Ub7MJsrIaqTEVD4mHucMo82XZ5TdpkLrXM2POXlrM3kh\n" +
++        "Bnn6gkQVmczBtznTRmJ8snDrb84gqj4Zt+l0gpy0pUtNYQA35IfS8hQ6ZHy4qXth\n" +
++        "4JMi59WfPkfmNnagU9gAAzoPtTP+lsrT0oI6Lt3XSOHkp2nMHOmZSufKcEXXCwcO\n" +
++        "mnUb0C+Sb/akB8O9HEumhLZ9qJqp0qcp8QtXaR6XVybsK0Os1EWDBQDp4/BGQAf6\n" +
++        "6rFRc5Mcpd1TETfIKqcVJx20qsx/qjEw/LhFn0gJ7RDixQ==\n" +
++        "-----END CERTIFICATE-----");
++
++
++        // -----------------------------------------------------------------
++        //
++        // No longer used certificates
++        //
++
++        // Subject: CN=Java Media APIs,
++        //          OU=Java Signed Extensions,
++        //          OU=Corporate Object Signing,
++        //          O=Sun Microsystems Inc
++        // Issuer:  CN=Object Signing CA,
++        //          OU=Class 2 OnSite Subscriber CA,
++        //          OU=VeriSign Trust Network,
++        //          O=Sun Microsystems Inc
++        // Serial:  6a:8b:99:91:37:59:4f:89:53:e2:97:18:9f:19:1e:4e
++        add("java-media-pretrusted-9F191E4E",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFdzCCBF+gAwIBAgIQaouZkTdZT4lT4pcYnxkeTjANBgkqhkiG9w0BAQUFADCB\n" +
++        "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" +
++        "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" +
++        "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA5MDUxMjAw\n" +
++        "MDAwMFoXDTEyMDUxMTIzNTk1OVowfTEdMBsGA1UEChQUU3VuIE1pY3Jvc3lzdGVt\n" +
++        "cyBJbmMxITAfBgNVBAsUGENvcnBvcmF0ZSBPYmplY3QgU2lnbmluZzEfMB0GA1UE\n" +
++        "CxQWSmF2YSBTaWduZWQgRXh0ZW5zaW9uczEYMBYGA1UEAxQPSmF2YSBNZWRpYSBB\n" +
++        "UElzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5blzoKTVE8y4Hpz\n" +
++        "q6E15RZz1bF5HnYEyYqgHkZXnAKedmYCoMzm1XK8s+gQWShLEvGEAvs5yqarx9gE\n" +
++        "nnC21N28aEZgIJMa2/arKxCUkS4pxdGPYGexL9UzSRkUpoBShCZKEGdmX7gfJE2K\n" +
++        "/sd9MFvGV5/yZtWXrADzvm0Kd/9mg1KRv1gfrZIq0TJbupoXPYYqb73AkI9eT2ZD\n" +
++        "q9MdwD4E5+oojsDFXt8GU/D00fUhtXpYwuplU7D667WHYdJhIah0ST6JywyqcLXG\n" +
++        "XSuFTXOgITT2idSHluZVmx3dqJ72u9kPkO4JdJTMDfaK8zgNLaRkiU8Qcj+qhLYH\n" +
++        "ytaqcwIDAQABo4IB6jCCAeYwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwfwYD\n" +
++        "VR0fBHgwdjB0oHKgcIZuaHR0cDovL29uc2l0ZWNybC52ZXJpc2lnbi5jb20vU3Vu\n" +
++        "TWljcm9zeXN0ZW1zSW5jQ29ycG9yYXRlT2JqZWN0U2lnbmluZ0phdmFTaWduZWRF\n" +
++        "eHRlbnNpb25zQ2xhc3NCL0xhdGVzdENSTC5jcmwwHwYDVR0jBBgwFoAUs0crgn5T\n" +
++        "tHPKuLsZt76BTQeVx+0wHQYDVR0OBBYEFKS32mVx0gNWTeS4ProHEaeSpvvIMDsG\n" +
++        "CCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29uc2l0ZS1vY3NwLnZl\n" +
++        "cmlzaWduLmNvbTCBtQYDVR0gBIGtMIGqMDkGC2CGSAGG+EUBBxcCMCowKAYIKwYB\n" +
++        "BQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwbQYLYIZIAYb3AIN9\n" +
++        "nD8wXjAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuc3VuLmNvbS9wa2kvY3BzMDMG\n" +
++        "CCsGAQUFBwICMCcaJVZhbGlkYXRlZCBGb3IgU3VuIEJ1c2luZXNzIE9wZXJhdGlv\n" +
++        "bnMwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQEFBQADggEBAAe6BO4W\n" +
++        "3TSNWfezyelJs6kE3HfulT6Bdyz4UUoh9ykXcV8nRwT+kh25I5MdyG2GfkJoADPR\n" +
++        "VhC5DYo13UFpIsTNVjq+hGYe2hML93bN7ad9SxCCyjHUo3yMz2qgBbHZI3VA9ZHA\n" +
++        "aWM4Tx0saMwbcnVvlbuGh+PXvStfypJqYT6lzcdFfjNVX4FI/QQNGhBswMY51tC8\n" +
++        "GTBCL2qhJon0gSCU4zaawDOf7+XxJWirLamYL1Aal1/h2z2sFrvA/1ftxtU3kZ6I\n" +
++        "7De8DyoHeZg7pYGdrj7g+lPhCga/WvEhN152I+aP08YbFcJHYmK05ngl/Ye4c6Bd\n" +
++        "cdrdfbw6QzEUIYY=\n" +
++        "-----END CERTIFICATE-----");
++
++        // Subject: CN=JavaFX 1.0 Runtime,
++        //          OU=Java Signed Extensions,
++        //          OU=Corporate Object Signing,
++        //          O=Sun Microsystems Inc
++        // Issuer:  CN=Object Signing CA,
++        //          OU=Class 2 OnSite Subscriber CA,
++        //          OU=VeriSign Trust Network,
++        //          O=Sun Microsystems Inc
++        // Serial:  55:c0:e6:44:59:59:79:9e:d9:26:f1:b0:4a:1e:f0:27
++        add("java-fx10-pretrusted-4A1EF027",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFezCCBGOgAwIBAgIQVcDmRFlZeZ7ZJvGwSh7wJzANBgkqhkiG9w0BAQUFADCB\n" +
++        "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" +
++        "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" +
++        "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA4MTAwOTAw\n" +
++        "MDAwMFoXDTExMTAwOTIzNTk1OVowgYAxHTAbBgNVBAoUFFN1biBNaWNyb3N5c3Rl\n" +
++        "bXMgSW5jMSEwHwYDVQQLFBhDb3Jwb3JhdGUgT2JqZWN0IFNpZ25pbmcxHzAdBgNV\n" +
++        "BAsUFkphdmEgU2lnbmVkIEV4dGVuc2lvbnMxGzAZBgNVBAMUEkphdmFGWCAxLjAg\n" +
++        "UnVudGltZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+WDc6+bu+4\n" +
++        "tmAcS/lBtUc02WOt9QZpVsXg9cG2pu/8bUtmDELa8iiYBVFpIs8DU58HLrGQtCUY\n" +
++        "SIAGOVPsOJoN29UKCDWfY9j5JeVhfhMGqk9DwrWhzgsjy4cpZ1pIp+k/fJ8zT8Ul\n" +
++        "aYLpow1vg3UNddsmwz02tN7cOrMw9WYIG4CRYnY1OrtJSfe2pYzheC4zyvR+aiVl\n" +
++        "nang2OtqikSQsNFOFHsLOJFxngy9LrO8evDSu25VTKI6zlWU6/bMeqtztJPN0VOn\n" +
++        "NyUrJZvkxZ207Jg0T693BGSxNC1n+ihztXogql8950M/pEuUbDjylv5FFvlp6DSB\n" +
++        "dDT2MkutmyMCAwEAAaOCAeowggHmMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeA\n" +
++        "MH8GA1UdHwR4MHYwdKByoHCGbmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29t\n" +
++        "L1N1bk1pY3Jvc3lzdGVtc0luY0NvcnBvcmF0ZU9iamVjdFNpZ25pbmdKYXZhU2ln\n" +
++        "bmVkRXh0ZW5zaW9uc0NsYXNzQi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFLNH\n" +
++        "K4J+U7Rzyri7Gbe+gU0HlcftMB0GA1UdDgQWBBTjgufVi3XJ3gx1ewsA6Rr7BR4Z\n" +
++        "zjA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vbnNpdGUtb2Nz\n" +
++        "cC52ZXJpc2lnbi5jb20wgbUGA1UdIASBrTCBqjA5BgtghkgBhvhFAQcXAjAqMCgG\n" +
++        "CCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMG0GC2CGSAGG\n" +
++        "9wCDfZw/MF4wJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnN1bi5jb20vcGtpL2Nw\n" +
++        "czAzBggrBgEFBQcCAjAnGiVWYWxpZGF0ZWQgRm9yIFN1biBCdXNpbmVzcyBPcGVy\n" +
++        "YXRpb25zMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IBAQAB\n" +
++        "YVJTTVe7rzyTO4jc3zajErOT/COkdQTfNo0eIX1QbNynFieJvwY/jRzUZwjktIFR\n" +
++        "2p4JtbpHGAtKtjOAOTieQ8xdDOoC1djzpE7/AbMvuvlTavtUKT+F7tPdhfXgWXJV\n" +
++        "6Wbt8jryKyk3zZGiEhauIwZUkfjRkEtffEmZWLUd8c8rURJjfC/XHH2oyurscoxc\n" +
++        "CjX29c9ynxSiS/VvQp1an0HvErGh69N48wj7cj8mtZ1yHzd2XCzSSR1OfTPfk0Pt\n" +
++        "yg51p7yJaFiH21PTZegEL6zyVNOYBTKwwIi2OzpwYalD3uvK6e3OKDrfFCOxu17u\n" +
++        "4PveESbrdyrmvLe7IVez\n" +
++        "-----END CERTIFICATE-----");
++
++        // Subject: CN=JavaFX Runtime,
++        //          OU=Java Signed Extensions,
++        //          OU=Corporate Object Signing,
++        //          O=Sun Microsystems Inc
++        // Issuer:  CN=Object Signing CA,
++        //          OU=Class 2 OnSite Subscriber CA,
++        //          OU=VeriSign Trust Network,
++        //          O=Sun Microsystems Inc
++        // Serial:  47:f4:55:f1:da:4a:5e:f9:e3:f7:a8:03:62:17:c0:ff
++        add("javafx-runtime-pretrusted-6217C0FF",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFdjCCBF6gAwIBAgIQR/RV8dpKXvnj96gDYhfA/zANBgkqhkiG9w0BAQUFADCB\n" +
++        "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" +
++        "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" +
++        "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA5MDEyOTAw\n" +
++        "MDAwMFoXDTEyMDEyOTIzNTk1OVowfDEdMBsGA1UEChQUU3VuIE1pY3Jvc3lzdGVt\n" +
++        "cyBJbmMxITAfBgNVBAsUGENvcnBvcmF0ZSBPYmplY3QgU2lnbmluZzEfMB0GA1UE\n" +
++        "CxQWSmF2YSBTaWduZWQgRXh0ZW5zaW9uczEXMBUGA1UEAxQOSmF2YUZYIFJ1bnRp\n" +
++        "bWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCIzd0fAk8mI9ONc6RJ\n" +
++        "aGieioK2FLdXEwj8zL3vdGDVmBwyR1zwYkaOIFFgF9IW/8qc4iAYA5sGUY+0g8q3\n" +
++        "5DuYAxfTzBB5KdaYvbuq6GGnoHIWmTirXY+1friFp8lyXSvtuEaGB1VHaBoZchEg\n" +
++        "k+UgeVDA43dHwcT1Ov3DePczJRUes8T/QHzLX+BxUDG43vjyncCEO/AjqLZxXEz2\n" +
++        "xrNbKLcH3lGMJK7hdbfssUfF5BjC38Hn71HauYlA43b2no+2y0Sjulwzez2YPbDC\n" +
++        "0GLR3TnKtA8dqOrnl5t3DniDbfOBNtBE3VOydJO0XW57Ng1HRXD023nm9ECPY2xp\n" +
++        "0N/pAgMBAAGjggHqMIIB5jAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDB/BgNV\n" +
++        "HR8EeDB2MHSgcqBwhm5odHRwOi8vb25zaXRlY3JsLnZlcmlzaWduLmNvbS9TdW5N\n" +
++        "aWNyb3N5c3RlbXNJbmNDb3Jwb3JhdGVPYmplY3RTaWduaW5nSmF2YVNpZ25lZEV4\n" +
++        "dGVuc2lvbnNDbGFzc0IvTGF0ZXN0Q1JMLmNybDAfBgNVHSMEGDAWgBSzRyuCflO0\n" +
++        "c8q4uxm3voFNB5XH7TAdBgNVHQ4EFgQUvOdd0cKPj+Yik/iOBwTdphh5A+gwOwYI\n" +
++        "KwYBBQUHAQEELzAtMCsGCCsGAQUFBzABhh9odHRwOi8vb25zaXRlLW9jc3AudmVy\n" +
++        "aXNpZ24uY29tMIG1BgNVHSAEga0wgaowOQYLYIZIAYb4RQEHFwIwKjAoBggrBgEF\n" +
++        "BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTBtBgtghkgBhvcAg32c\n" +
++        "PzBeMCcGCCsGAQUFBwIBFhtodHRwczovL3d3dy5zdW4uY29tL3BraS9jcHMwMwYI\n" +
++        "KwYBBQUHAgIwJxolVmFsaWRhdGVkIEZvciBTdW4gQnVzaW5lc3MgT3BlcmF0aW9u\n" +
++        "czATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQUFAAOCAQEAbGcf2NjL\n" +
++        "AI93HG6ny2BbepaZA1a8xa/R6uUc7xV+Qw6MgLwFD4Q4i6LWUztQDvg9l68MM2/i\n" +
++        "Y9LEi1KM4lcNbK5+D+t9x98wXBiuojXhVdp5ZmC03EyEBbriopdBsmXVLDSu/Y3+\n" +
++        "zowOO5xwpMK3dbgsSDs2Vt0UosD3FTcRaD3GNfOhXMp+o1grHNiXF9YgkmdQbPPZ\n" +
++        "DQ2KBhFPCRJXBGvyKOqno/DTg0sQ3crGH/C4/4t7mnQXWldZotmJUZ0ONc9oD+Q1\n" +
++        "JAaguUKqIwn9yZ093ie+JWHbYNid9IIIPXYgtRxmf9a376WBhqhu56uJftBJ7x9g\n" +
++        "eQ7Lot6CSWCiFw==\n" +
++        "-----END CERTIFICATE-----");
++
++        //
++        // Compromised Solaris INTERNAL DEVELOPMENT USE ONLY certificate
++        //
++
++        // Subject: CN=Solaris INTERNAL DEVELOPMENT USE ONLY,
++        //          OU=Solaris Cryptographic Framework,
++        //          OU=Corporate Object Signing,
++        //          O=Sun Microsystems Inc
++        // Issuer:  CN=Object Signing CA,
++        //          OU=Class 2 OnSite Subscriber CA,
++        //          OU=VeriSign Trust Network,
++        //          O=Sun Microsystems Inc
++        // Serial:  77:29:77:52:6a:19:7b:9a:a6:a2:c7:99:a0:e1:cd:8c
++        add("solaris-internal-dev-A0E1CD8C",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFHjCCBAagAwIBAgIQdyl3UmoZe5qmoseZoOHNjDANBgkqhkiG9w0BAQUFADCB\n" +
++        "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" +
++        "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" +
++        "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA3MDEwNDAw\n" +
++        "MDAwMFoXDTEwMDEwMzIzNTk1OVowgZwxHTAbBgNVBAoUFFN1biBNaWNyb3N5c3Rl\n" +
++        "bXMgSW5jMSEwHwYDVQQLFBhDb3Jwb3JhdGUgT2JqZWN0IFNpZ25pbmcxKDAmBgNV\n" +
++        "BAsUH1NvbGFyaXMgQ3J5cHRvZ3JhcGhpYyBGcmFtZXdvcmsxLjAsBgNVBAMUJVNv\n" +
++        "bGFyaXMgSU5URVJOQUwgREVWRUxPUE1FTlQgVVNFIE9OTFkwgZ8wDQYJKoZIhvcN\n" +
++        "AQEBBQADgY0AMIGJAoGBALbNU4hf3mD5ArDI9pjgioAyvV3bjMPRQdCZniIeGJBp\n" +
++        "odFlSEH+Mh64W1DsY8coeZ7FvvGJkx9IpTMJW9k8w1oJK9UNqHyAQfaYjQyXi3xQ\n" +
++        "LJp62EvYdGfDlwOZejEcR/MbzZG+GOPMMvQj5+xyFDvLXNGfQNTnxw2qnBgCJXjj\n" +
++        "AgMBAAGjggH1MIIB8TAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDCBiQYDVR0f\n" +
++        "BIGBMH8wfaB7oHmGd2h0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL1N1bk1p\n" +
++        "Y3Jvc3lzdGVtc0luY0NvcnBvcmF0ZU9iamVjdFNpZ25pbmdTb2xhcmlzQ3J5cHRv\n" +
++        "Z3JhcGhpY0ZyYW1ld29ya0NsYXNzQi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaA\n" +
++        "FLNHK4J+U7Rzyri7Gbe+gU0HlcftMB0GA1UdDgQWBBRpfiGYkehTnsIzuN2H6AFb\n" +
++        "VCZG8jA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vbnNpdGUt\n" +
++        "b2NzcC52ZXJpc2lnbi5jb20wgbUGA1UdIASBrTCBqjA5BgtghkgBhvhFAQcXAjAq\n" +
++        "MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMG0GC2CG\n" +
++        "SAGG9wCDfZw/MF4wJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnN1bi5jb20vcGtp\n" +
++        "L2NwczAzBggrBgEFBQcCAjAnFiVWYWxpZGF0ZWQgRm9yIFN1biBCdXNpbmVzcyBP\n" +
++        "cGVyYXRpb25zMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IB\n" +
++        "AQCG5soy3LFHTFbA8/5SzDRhQoJkHUnOP0t3b6nvX6vZYRp649fje7TQOPRm1pFd\n" +
++        "CZ17J+tggdZwgzTqY4aYpJ00jZaK6pV37q/vgFC/ia6jDs8Q+ly9cEcadBZ5loYg\n" +
++        "cmxp9p57W2MNWx8VA8oFdNtKfF0jUNXbLNtvwGHmgR6YcwLrGN1b6/9Lt9bO3ODl\n" +
++        "FO+ZDwkfQz5ClUVrTx2dGBvKRYFqSG5S8JAfsgYhPvcacUQkA7ExyKvfRXLWVrce\n" +
++        "ZiPpcElbx+819H2sAPvVvparVeAruZGMAtejHZp9NFoowKen5drJp9VxePS4eM49\n" +
++        "3DepB6lKRrNRw66LNQol4ZBz\n" +
++        "-----END CERTIFICATE-----");
++
++
++        // -----------------------------------------------------------------
++        // Compromised CAs of DigiNotar
++        //
++        // Reported by Fox-IT in its interim report on September 5, 2011,
++        // "DigiNotar Certificate Authority breach 'Operation Black Tulip'".
++        //
++
++        //
++        // Compromised DigiNotar Cyber CA
++        //
++
++        // DigiNotar intermediate, cross-signed by CyberTrust
++        //
++        // Subject: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Cyber CA,
++        //          O=DigiNotar, C=NL
++        // Issuer:  CN=GTE CyberTrust Global Root,
++        //          OU=GTE CyberTrust Solutions, Inc.,
++        //          O=GTE Corporation,
++        //          C=US
++        // Serial:  120000525 (07:27:10:0D)
++        add("info-at-diginotar-cyber-ca-cross-to-gte-cybertrust-0727100D",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFWjCCBMOgAwIBAgIEBycQDTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" +
++        "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" +
++        "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" +
++        "b2JhbCBSb290MB4XDTA2MTAwNDEwNTQxMVoXDTExMTAwNDEwNTMxMVowYDELMAkG\n" +
++        "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" +
++        "IEN5YmVyIENBMSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIw\n" +
++        "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANLOFQotqF6EZ639vu9Gx8i5z3P8\n" +
++        "9DS5+SxD52ATPXrjss87Z2yQrcC5P4RS8DVC3HTcKDu9UrSnrHJFF8bwieu0qiXy\n" +
++        "XUte0dmHutZ9fPXOMp8QM8WxSrtekTHC0OlBwpFkfglBO9uLCDdqqspS3rU5HsCI\n" +
++        "A6U/i5kTYUO1m4Kz7iBvz6FEouova0CfjytXraFTwoUiaZ2gP1HfC0GRDaXhqKpc\n" +
++        "SQhdvd5wQbEPyWNr0380dAIvNFp4dRxoeoFnivPaQPBgY/SSINcDpj2jHmfEhBtB\n" +
++        "pcmM5r3qSLYFFgizNxJa92E89zhvLpfgb1Y4VNMota0Ubi5LZLUnZbd1JQm2Bz2V\n" +
++        "VgIKgmCyc0XgMyZRdJq51FAc9k1bW1JSE1qmf6cO4ehBVGeYjIfVydNsy9NUkgYJ\n" +
++        "NEH3gW8/nsl8dVWw58Gzd+jDxAA1lUBwEEoF3iW7n1mlZLxHYL9g43aLE1Xd4XR6\n" +
++        "uc8kpmp/3mQiRFhogmoQ+T3lPhu5vfwi9GAEibtVbShV+t6OjRshFNc3izR7Tfay\n" +
++        "shDPM7F9HGKZSMsrbHaWVb8ZDR0fu2WqG46ZtcYokOWCLXhQIJr9eS8kf/CJKWn0\n" +
++        "fc1zvrPtTsHR7VJej/e4142HrbLZG1ES/1az4a80fVykeIgQnp0DxqWqoiRR90kU\n" +
++        "xbHuWUOV36toKDA/AgMBAAGjggGGMIIBgjASBgNVHRMBAf8ECDAGAQH/AgEBMFMG\n" +
++        "A1UdIARMMEowSAYJKwYBBAGxPgEAMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93d3cu\n" +
++        "cHVibGljLXRydXN0LmNvbS9DUFMvT21uaVJvb3QuaHRtbDAOBgNVHQ8BAf8EBAMC\n" +
++        "AQYwgaAGA1UdIwSBmDCBlYAUpgwdn2H/Bxe1vzhG20Mw1Y6wUgaheaR3MHUxCzAJ\n" +
++        "BgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdU\n" +
++        "RSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVy\n" +
++        "VHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93\n" +
++        "d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwHQYD\n" +
++        "VR0OBBYEFKv5aN/PSjfXe0WMX3LeQETDZbvCMA0GCSqGSIb3DQEBBQUAA4GBAI9o\n" +
++        "a6VbB7pEZg4cqFwwezPkCiYE/O+eGjjWLqEf0JlHwnVkJP2eOyh2uSYoYZEMbSz4\n" +
++        "BJ98UAHV42mv7xXSRZskCSpmBU8lgcpdvqrBWSeuM46C9990sFWzjvjnN8huqlZE\n" +
++        "9r1TgSOWPbT6MopTZkQloiXGpjwljPDgKAYityZB\n" +
++        "-----END CERTIFICATE-----");
++
++        // DigiNotar intermediate, cross-signed by CyberTrust
++        //
++        // Subject: CN=DigiNotar Cyber CA, O=DigiNotar, C=NL
++        // Issuer:  CN=GTE CyberTrust Global Root,
++        //          OU=GTE CyberTrust Solutions, Inc.,
++        //          O=GTE Corporation,
++        //          C=US
++        // Serial:  120000505 (07:27:0F:F9)
++        add("diginotar-cyber-ca-cross-to-gte-cybertrust-07270FF9",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFODCCBKGgAwIBAgIEBycP+TANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" +
++        "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" +
++        "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" +
++        "b2JhbCBSb290MB4XDTA2MDkyMDA5NDUzMloXDTEzMDkyMDA5NDQwNlowPjELMAkG\n" +
++        "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" +
++        "IEN5YmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0s4VCi2o\n" +
++        "XoRnrf2+70bHyLnPc/z0NLn5LEPnYBM9euOyzztnbJCtwLk/hFLwNULcdNwoO71S\n" +
++        "tKesckUXxvCJ67SqJfJdS17R2Ye61n189c4ynxAzxbFKu16RMcLQ6UHCkWR+CUE7\n" +
++        "24sIN2qqylLetTkewIgDpT+LmRNhQ7WbgrPuIG/PoUSi6i9rQJ+PK1etoVPChSJp\n" +
++        "naA/Ud8LQZENpeGoqlxJCF293nBBsQ/JY2vTfzR0Ai80Wnh1HGh6gWeK89pA8GBj\n" +
++        "9JIg1wOmPaMeZ8SEG0GlyYzmvepItgUWCLM3Elr3YTz3OG8ul+BvVjhU0yi1rRRu\n" +
++        "LktktSdlt3UlCbYHPZVWAgqCYLJzReAzJlF0mrnUUBz2TVtbUlITWqZ/pw7h6EFU\n" +
++        "Z5iMh9XJ02zL01SSBgk0QfeBbz+eyXx1VbDnwbN36MPEADWVQHAQSgXeJbufWaVk\n" +
++        "vEdgv2DjdosTVd3hdHq5zySman/eZCJEWGiCahD5PeU+G7m9/CL0YASJu1VtKFX6\n" +
++        "3o6NGyEU1zeLNHtN9rKyEM8zsX0cYplIyytsdpZVvxkNHR+7Zaobjpm1xiiQ5YIt\n" +
++        "eFAgmv15LyR/8IkpafR9zXO+s+1OwdHtUl6P97jXjYetstkbURL/VrPhrzR9XKR4\n" +
++        "iBCenQPGpaqiJFH3SRTFse5ZQ5Xfq2goMD8CAwEAAaOCAYYwggGCMBIGA1UdEwEB\n" +
++        "/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcC\n" +
++        "ARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5pUm9vdC5odG1s\n" +
++        "MA4GA1UdDwEB/wQEAwIBBjCBoAYDVR0jBIGYMIGVgBSmDB2fYf8HF7W/OEbbQzDV\n" +
++        "jrBSBqF5pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlv\n" +
++        "bjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYD\n" +
++        "VQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6\n" +
++        "oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIw\n" +
++        "MTgvY2RwLmNybDAdBgNVHQ4EFgQUq/lo389KN9d7RYxfct5ARMNlu8IwDQYJKoZI\n" +
++        "hvcNAQEFBQADgYEACcpiD427SuDUejUrBi3RKGG2rAH7g0m8rtQvLYauGYOl1h0T\n" +
++        "4he+/jJ06XoUOMqUXvcpAWlxG5Ea/aO7qh3Ke+IW/aGjDvMMX7LhIDGUK16Sdu36\n" +
++        "6bUjpr8KOwOpb1JgVM1f6bcvfKIn/UGDdbYN+3gm87FF6TKVKho1IZXFonU=\n" +
++        "-----END CERTIFICATE-----");
++
++        // DigiNotar intermediate, cross-signed by CyberTrust
++        //
++        // Subject: CN=DigiNotar Cyber CA, O=DigiNotar, C=NL
++        // Issuer:  CN=GTE CyberTrust Global Root,
++        //          OU=GTE CyberTrust Solutions, Inc.,
++        //          O=GTE Corporation,
++        //          C=US
++        // Serial:  120000515 (07:27:10:03)
++        add("diginotar-cyber-ca-cross-to-gte-cybertrust-07271003",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFODCCBKGgAwIBAgIEBycQAzANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" +
++        "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" +
++        "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" +
++        "b2JhbCBSb290MB4XDTA2MDkyNzEwNTMzMloXDTExMDkyNzEwNTIzMFowPjELMAkG\n" +
++        "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" +
++        "IEN5YmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0s4VCi2o\n" +
++        "XoRnrf2+70bHyLnPc/z0NLn5LEPnYBM9euOyzztnbJCtwLk/hFLwNULcdNwoO71S\n" +
++        "tKesckUXxvCJ67SqJfJdS17R2Ye61n189c4ynxAzxbFKu16RMcLQ6UHCkWR+CUE7\n" +
++        "24sIN2qqylLetTkewIgDpT+LmRNhQ7WbgrPuIG/PoUSi6i9rQJ+PK1etoVPChSJp\n" +
++        "naA/Ud8LQZENpeGoqlxJCF293nBBsQ/JY2vTfzR0Ai80Wnh1HGh6gWeK89pA8GBj\n" +
++        "9JIg1wOmPaMeZ8SEG0GlyYzmvepItgUWCLM3Elr3YTz3OG8ul+BvVjhU0yi1rRRu\n" +
++        "LktktSdlt3UlCbYHPZVWAgqCYLJzReAzJlF0mrnUUBz2TVtbUlITWqZ/pw7h6EFU\n" +
++        "Z5iMh9XJ02zL01SSBgk0QfeBbz+eyXx1VbDnwbN36MPEADWVQHAQSgXeJbufWaVk\n" +
++        "vEdgv2DjdosTVd3hdHq5zySman/eZCJEWGiCahD5PeU+G7m9/CL0YASJu1VtKFX6\n" +
++        "3o6NGyEU1zeLNHtN9rKyEM8zsX0cYplIyytsdpZVvxkNHR+7Zaobjpm1xiiQ5YIt\n" +
++        "eFAgmv15LyR/8IkpafR9zXO+s+1OwdHtUl6P97jXjYetstkbURL/VrPhrzR9XKR4\n" +
++        "iBCenQPGpaqiJFH3SRTFse5ZQ5Xfq2goMD8CAwEAAaOCAYYwggGCMBIGA1UdEwEB\n" +
++        "/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcC\n" +
++        "ARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5pUm9vdC5odG1s\n" +
++        "MA4GA1UdDwEB/wQEAwIBBjCBoAYDVR0jBIGYMIGVgBSmDB2fYf8HF7W/OEbbQzDV\n" +
++        "jrBSBqF5pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlv\n" +
++        "bjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYD\n" +
++        "VQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6\n" +
++        "oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIw\n" +
++        "MTgvY2RwLmNybDAdBgNVHQ4EFgQUq/lo389KN9d7RYxfct5ARMNlu8IwDQYJKoZI\n" +
++        "hvcNAQEFBQADgYEAWcyGZhizJlRP1jjNupZey+yZG6oMDW4Z11boriMHbYPCndBE\n" +
++        "bVh07zmPbZsihOw9w/vm5KbVX5CgxUv4Rhzh/20Faixf3P3bpWg0qgzHVVusNVR/\n" +
++        "P50aKkpdK3hp+QLl56e+lWOddSAINIpmcuyDI1hyuzB+GJEASm9tNU/6rs8=\n" +
++        "-----END CERTIFICATE-----");
++
++        //
++        // Compromised DigiNotar Root CA
++        //
++
++        // DigiNotar intermediate, cross-signed by Entrust
++        //
++        // Subject: EMAILADDRESS=info@diginotar.nl,
++        //          CN=DigiNotar Root CA,
++        //          O=DigiNotar, C=NL
++        // Issuer:  CN=Entrust.net Secure Server Certification Authority
++        //          OU=(c) 1999 Entrust.net Limited,
++        //          OU=www.entrust.net/CPS incorp. by ref. (limits liab.),
++        //          O=Entrust.net,
++        //          C=US,
++        // Serial:  1184644297 (46:9C:3C:C9)
++        add("info-at-diginotar-root-ca-cross-to-entrust-secure-server-469C3CC9",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFSDCCBLGgAwIBAgIERpw8yTANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA0\n" +
++        "MjYwNTAwMDBaFw0xMzA4MTQyMDEyMzZaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" +
++        "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" +
++        "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" +
++        "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" +
++        "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" +
++        "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" +
++        "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" +
++        "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" +
++        "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" +
++        "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" +
++        "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" +
++        "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" +
++        "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" +
++        "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" +
++        "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" +
++        "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" +
++        "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" +
++        "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" +
++        "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" +
++        "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAI979rBep8tu3TeLunapgsZ0jtXp\n" +
++        "GDFjKWSk87dj1jCyYi+q/GyDyZ6ZQZNRP0sF+6twscq05lClWNy3TROMp7QeuoLO\n" +
++        "G7Utw3OJaswUtp4YglANMRTHEe3g9ltifUXRH5tSuy7u6yi4LD4WTm5ULP6r/g6l\n" +
++        "0CnjXYb0+b1Fmz6U\n" +
++        "-----END CERTIFICATE-----");
++
++        // DigiNotar intermediate, cross-signed by Entrust
++        //
++        // Subject: EMAILADDRESS=info@diginotar.nl,
++        //          CN=DigiNotar Root CA,
++        //          O=DigiNotar, C=NL
++        // Issuer:  CN=Entrust.net Secure Server Certification Authority
++        //          OU=(c) 1999 Entrust.net Limited,
++        //          OU=www.entrust.net/CPS incorp. by ref. (limits liab.),
++        //          O=Entrust.net,
++        //          C=US,
++        // Serial:  1184640175 (46:9C:2C:AF)
++        add("info-at-diginotar-root-ca-cross-to-entrust-secure-server-469C2CAF",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" +
++        "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" +
++        "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" +
++        "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" +
++        "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" +
++        "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" +
++        "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" +
++        "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" +
++        "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" +
++        "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" +
++        "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" +
++        "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" +
++        "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" +
++        "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" +
++        "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" +
++        "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" +
++        "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" +
++        "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" +
++        "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" +
++        "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" +
++        "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" +
++        "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" +
++        "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" +
++        "ZFdYf+hthc3m6IcJ\n" +
++        "-----END CERTIFICATE-----");
++
++        //
++        // Compromised DigiNotar PKIoverheid CA Organisatie - G2
++        //
++
++        // DigiNotar intermediate, cross-signed by the Dutch government
++        //
++        // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2,
++        //          O=DigiNotar B.V.,
++        //          C=NL
++        // Issuer:  CN=Staat der Nederlanden Organisatie CA - G2,
++        //          O=Staat der Nederlanden,
++        //          C=NL
++        // Serial:  20001983 (01:31:34:bf)
++        add("diginotar-pkioverheid-organisatie-cross-to-nederlanden-013134BF",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIGnDCCBISgAwIBAgIEATE0vzANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJO\n" +
++        "TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMTIwMAYDVQQDDClTdGFh\n" +
++        "dCBkZXIgTmVkZXJsYW5kZW4gT3JnYW5pc2F0aWUgQ0EgLSBHMjAeFw0xMDA1MTIw\n" +
++        "ODUxMzhaFw0yMDAzMjMwOTUwMDRaMFoxCzAJBgNVBAYTAk5MMRcwFQYDVQQKDA5E\n" +
++        "aWdpTm90YXIgQi5WLjEyMDAGA1UEAwwpRGlnaU5vdGFyIFBLSW92ZXJoZWlkIENB\n" +
++        "IE9yZ2FuaXNhdGllIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\n" +
++        "AQCxExkPJ+Zs1FWGS9DsiYpFkXisR71HK+T8RetPtCZzWzfTw3/2497Xo/gtaMUI\n" +
++        "PkuU1uSHJTZrhLUYdPMoWHMvm2rPvAQe9t7dr/xLqvXbZmIlASWC3vKXWhBu3V2p\n" +
++        "IrEEqSNzOvhxrR3PhETrR9Gvbch8KKvH8jd6dF9fxQIUiqNa4xtsAeNdjtlo1vQJ\n" +
++        "GzLckbUs9SDrjANtJkm4k8SFXdjSm69WaswFM8ygQp40VUSca6DUEtArVM23iQ3l\n" +
++        "9uvo+4UBM096a/GdcjOWDveyhKWlJ8Qn8VFzKXe6Z27+TNy04qGhgS85SY1DOBPO\n" +
++        "0KVcwoc6AGdlQiPxNlkKHaNRyLyjlCox3+M88p0aPASw77EKMBNzttfzo0wBdRSF\n" +
++        "eMDXijlYhVD6LubFvs+LP6+PNtQlCS3SD6xyk/K/i9RQs/kVUJuZ9RTZ+4uRozIm\n" +
++        "JqD43ztggYaDeVsr6xM9KTrBbd29no6H1kquNJcF7hSm9tw4fkrpJFQHPZdoN0Zr\n" +
++        "DceoIa8TVOQJavFNRgrJXfubT73e+7dUy7g4nKc5+2otwHuNq6WnV+xKkoozxeEg\n" +
++        "XHPYkJIrgNUPhhhpfDlPhIa890xb89W0yqDC8DciynlSH1PmqvOQsDvd8ij9rOvF\n" +
++        "BiSgydQvD1j9tZ7sD8+yWdCiBHo4aq5y+73wJWKUCacFCwIDAQABo4IBYTCCAV0w\n" +
++        "SAYDVR0gBEEwPzA9BgRVHSAAMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cuZGln\n" +
++        "aW5vdGFyLm5sL2Nwcy9wa2lvdmVyaGVpZDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n" +
++        "DwEB/wQEAwIBBjCBhQYDVR0jBH4wfIAUORCLSZJc22ESIM1JnRqO2pxnQLmhXqRc\n" +
++        "MFoxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x\n" +
++        "KzApBgNVBAMMIlN0YWF0IGRlciBOZWRlcmxhbmRlbiBSb290IENBIC0gRzKCBACY\n" +
++        "lvQwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5wa2lvdmVyaGVpZC5ubC9E\n" +
++        "b21PcmdhbmlzYXRpZUxhdGVzdENSTC1HMi5jcmwwHQYDVR0OBBYEFLxdlDvZq3sD\n" +
++        "JXNhwtst7vyrj2WhMA0GCSqGSIb3DQEBCwUAA4ICAQCP/C1Mt9kt1R+978v0t2gX\n" +
++        "dZ1O1ffdnPEqJu2forYcA9VTs+wIzzTi48P0tRYvyMO+19NzqwA2+RpKftZj6V5G\n" +
++        "uqW2jhW3oyrYQx3vXcgfgYWzi/f/PPTZ9EYIP5y8HaDZqEzNJVJOCrEg9x/pQ9lU\n" +
++        "RoETmsBedGwqmDLq/He7DaWiMZgifnx859qkrey3LhoZcfhIUNpDjyyE3cFAJ+O1\n" +
++        "8BVOltT4XOOGKUYr1zsH6zh/yIZXl9PvKjPEF1DVZGlrK2tFXl0vF8paTs/D1zk8\n" +
++        "9TufRrmb5w5Jl53W1eMbD+qPAU6aE5RZCgIHSEsaYKt/T+0L2FUNaG9VnGllFULs\n" +
++        "wNzdbKzDFs4LHVabpMTE0i7gD+JEJytQaaTcYuiKISlCbMwAOpZ2m+9AwKRed4Qy\n" +
++        "bCYqOWauXeO5ubIsaB8empADOfCqs6TMSYsYNOk3yXspx4R8b0QVL+xhWQTJRcui\n" +
++        "1lKifH8pktZKxYtCqNT+6tjHhyMY5J16fXNAUpigrm7jBT8FD+Clxm1N7YM3iJzH\n" +
++        "89xCmmq21yFJNnfy7xhPxXDZnunetyuL9Lx+KN8NQMmFXK6dxTH/0FwOtah+8Okv\n" +
++        "uq+IruW10Vilr5xxpykBkINpN4IFuvwJwQhujHg7wzMCgD9EhQgd31VWCK0shS1d\n" +
++        "sQPhrqp0xaTzTro3mHuCuQ==\n" +
++        "-----END CERTIFICATE-----");
++
++        //
++        // Compromised DigiNotar PKIoverheid CA Overheid en Bedrijven
++        //
++
++        // DigiNotar intermediate, cross-signed by the Dutch government
++        //
++        // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,
++        //          O=DigiNotar B.V.,
++        //          C=NL
++        // Issuer:  CN=Staat der Nederlanden Overheid CA
++        //          O=Staat der Nederlanden,
++        //          C=NL
++        // Serial:  20015536 (01:31:69:b0)
++        add("diginotar-pkioverheid-overheid-enb-cross-to-nederlanden-013169B0",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIEiDCCA3CgAwIBAgIEATFpsDANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJO\n" +
++        "TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSowKAYDVQQDEyFTdGFh\n" +
++        "dCBkZXIgTmVkZXJsYW5kZW4gT3ZlcmhlaWQgQ0EwHhcNMDcwNzA1MDg0MjA3WhcN\n" +
++        "MTUwNzI3MDgzOTQ2WjBfMQswCQYDVQQGEwJOTDEXMBUGA1UEChMORGlnaU5vdGFy\n" +
++        "IEIuVi4xNzA1BgNVBAMTLkRpZ2lOb3RhciBQS0lvdmVyaGVpZCBDQSBPdmVyaGVp\n" +
++        "ZCBlbiBCZWRyaWp2ZW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc\n" +
++        "vdKnTmoKuzuiheF/AK2+tDBomAfNoHrElM9x+Yo35FPrV3bMi+Zs/u6HVcg+uwQ5\n" +
++        "AKeAeKxbT370vbhUuHE7BzFJOZNUfCA7eSuPu2GQfbGs5h+QLp1FAalkLU3DL7nn\n" +
++        "UNVOKlyrdnY3Rtd57EKZ96LspIlw3Dgrh6aqJOadkiQbvvb91C8ZF3rmMgeUVAVT\n" +
++        "Q+lsvK9Hy7zL/b07RBKB8WtLu+20z6slTxjSzAL8o0+1QjPLWc0J3NNQ/aB2jKx+\n" +
++        "ZopC9q0ckvO2+xRG603XLzDgbe5bNr5EdLcgBVeFTegAGaL2DOauocBC36esgl3H\n" +
++        "aLcY5olLmmv6znn58yynAgMBAAGjggFQMIIBTDBIBgNVHSAEQTA/MD0GBFUdIAAw\n" +
++        "NTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5kaWdpbm90YXIubmwvY3BzL3BraW92\n" +
++        "ZXJoZWlkMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIGABgNVHSME\n" +
++        "eTB3gBQLhtYPd6NosftkCcOIblwEHFfpPaFZpFcwVTELMAkGA1UEBhMCTkwxHjAc\n" +
++        "BgNVBAoTFVN0YWF0IGRlciBOZWRlcmxhbmRlbjEmMCQGA1UEAxMdU3RhYXQgZGVy\n" +
++        "IE5lZGVybGFuZGVuIFJvb3QgQ0GCBACYmnkwPQYDVR0fBDYwNDAyoDCgLoYsaHR0\n" +
++        "cDovL2NybC5wa2lvdmVyaGVpZC5ubC9Eb21PdkxhdGVzdENSTC5jcmwwHQYDVR0O\n" +
++        "BBYEFEwIyY128ZjHPt881y91DbF2eZfMMA0GCSqGSIb3DQEBBQUAA4IBAQAMlIca\n" +
++        "v03jheLu19hjeQ5Q38aEW9K72fUxCho1l3TfFPoqDz7toOMI9tVOW6+mriXiRWsi\n" +
++        "D7dUKH6S3o0UbNEc5W50BJy37zRERd/Jgx0ZH8Apad+J1T/CsFNt5U4X5HNhIxMm\n" +
++        "cUP9TFnLw98iqiEr2b+VERqKpOKrp11Lbyn1UtHk0hWxi/7wA8+nfemZhzizDXMU\n" +
++        "5HIs4c71rQZIZPrTKbmi2Lv01QulQERDjqC/zlqlUkxk0xcxYczopIro5Ij76eUv\n" +
++        "BjMzm5RmZrGrUDqhCYF0U1onuabSJc/Tw6f/ltAv6uAejVLpGBwgCkegllYOQJBR\n" +
++        "RKwa/fHuhR/3Qlpl\n" +
++        "-----END CERTIFICATE-----");
++
++        //
++        // Compromised DigiNotar PKIoverheid CA Overheid
++        //
++
++        // DigiNotar intermediate, cross-signed by the Dutch government
++        //
++        // Subject: CN=DigiNotar PKIoverheid CA Overheid
++        //          O=DigiNotar B.V.,
++        //          C=NL
++        // Issuer:  CN=Staat der Nederlanden Overheid CA
++        //          O=Staat der Nederlanden,
++        //          C=NL
++        // Serial:  20006006 (01:31:44:76)
++        add("diginotar-pkioverheid-overheid-cross-to-nederlanden-01314476",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIEezCCA2OgAwIBAgIEATFEdjANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJO\n" +
++        "TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSowKAYDVQQDEyFTdGFh\n" +
++        "dCBkZXIgTmVkZXJsYW5kZW4gT3ZlcmhlaWQgQ0EwHhcNMDQwNjI0MDgxOTMyWhcN\n" +
++        "MTAwNjIzMDgxNzM2WjBSMQswCQYDVQQGEwJOTDEXMBUGA1UEChMORGlnaU5vdGFy\n" +
++        "IEIuVi4xKjAoBgNVBAMTIURpZ2lOb3RhciBQS0lvdmVyaGVpZCBDQSBPdmVyaGVp\n" +
++        "ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSlrubta5tlOjVCi/gb\n" +
++        "yLCvRqfBjxG8H594VcKHu0WAYc99SPZF9cycj5mw2GyfQvy/WIrGrL4iyNq1gSqR\n" +
++        "0QA/mTXKZIaPqzpDhdm+VvrKkmjrbZfaQxgMSs3ChtBsjcP9Lc0X1zXZ4Q8nBe3k\n" +
++        "BTp+zehINfmbjoEgXLxsMR5RQ6GxzKjuC04PQpbJQgTIakglKaqYcDDZbEscWgPV\n" +
++        "Hgj/2aoHlj6leW/ThHZ+O41jUguEmBLZA3mu3HrCfrHntb5dPt0ihzSx7GtD/SaX\n" +
++        "5HBLxnP189YuqMk5iRA95CtiSdKauvon/xRKRLNgG6XAz0ctSoY7xLDdiBVU5kJd\n" +
++        "FScCAwEAAaOCAVAwggFMMEgGA1UdIARBMD8wPQYEVR0gADA1MDMGCCsGAQUFBwIB\n" +
++        "FidodHRwOi8vd3d3LmRpZ2lub3Rhci5ubC9jcHMvcGtpb3ZlcmhlaWQwDwYDVR0T\n" +
++        "AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgYAGA1UdIwR5MHeAFAuG1g93o2ix\n" +
++        "+2QJw4huXAQcV+k9oVmkVzBVMQswCQYDVQQGEwJOTDEeMBwGA1UEChMVU3RhYXQg\n" +
++        "ZGVyIE5lZGVybGFuZGVuMSYwJAYDVQQDEx1TdGFhdCBkZXIgTmVkZXJsYW5kZW4g\n" +
++        "Um9vdCBDQYIEAJiaeTA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3JsLnBraW92\n" +
++        "ZXJoZWlkLm5sL0RvbU92TGF0ZXN0Q1JMLmNybDAdBgNVHQ4EFgQUvRaYQh2+kdE9\n" +
++        "wpcl4CjXWOC1f+IwDQYJKoZIhvcNAQEFBQADggEBAGhQsCWLiaN2EOhPAW+JQP6o\n" +
++        "XBOrLv5w6joahzBFVn1BiefzmlMKjibqKYxURRvMAsMkh82/MfL8V0w6ugxl81lu\n" +
++        "i42dcxl9cKSVXKMw4bbBzJ2VQI5HTIABwefeNuy/eX6idVwYdt3ajAH7fUA8Q9Cq\n" +
++        "vr6H8B+8mwoEqTVTEVlCSsC/EXsokYEUr06PPzRudKjDmijgj7zFaIioZNc8hk7g\n" +
++        "ufEgrs/tmcNGylrwRHgCXjCRBt2NHlZ08l7A1AGU8HcHlSbG9Un/2q9kVHUkps0D\n" +
++        "gtUaEK+x6jpAu/R8Ojezu/+ZEcwwjI/KOhG+84+ejFmtyEkrUdsAdEdLf/2dKsw=\n" +
++        "-----END CERTIFICATE-----");
++
++        //
++        // Compromised DigiNotar Services 1024 CA
++        //
++
++        // DigiNotar intermediate, cross-signed by the Entrust
++        //
++        // Subject: EMAILADDRESS=info@diginotar.nl,
++        //          CN=DigiNotar Services 1024 CA
++        //          O=DigiNotar, C=NL
++        // Issuer:  CN=Entrust.net Secure Server Certification Authority,
++        //          OU=(c) 1999 Entrust.net Limited,
++        //          OU=www.entrust.net/CPS incorp. by ref. (limits liab.),
++        //          O=Entrust.net,
++        //          C=US
++        // Serial:  1184640176 (46:9c:2c:b0)
++        add("diginotar-services-1024-ca-cross-to-entrust-469C2CB0",
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIDzTCCAzagAwIBAgIERpwssDANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" +
++        "MjYxNTU5MDBaFw0xMzA4MjYxNjI5MDBaMGgxCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxIzAhBgNVBAMTGkRpZ2lOb3RhciBTZXJ2aWNlcyAxMDI0IENB\n" +
++        "MSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCBnzANBgkqhkiG9w0B\n" +
++        "AQEFAAOBjQAwgYkCgYEA2ptNXTz50eKLxsYIIMXZHkjsZlhneWIrQWP0iY1o2q+4\n" +
++        "lDaLGSSkoJPSmQ+yrS01Tc0vauH5mxkrvAQafi09UmTN8T5nD4ku6PJPrqYIoYX+\n" +
++        "oakJ5sarPkP8r3oDkdqmOaZh7phPGKjTs69mgumfvN1y+QYEvRLZGCTnq5NTi1kC\n" +
++        "AwEAAaOCASYwggEiMBIGA1UdEwEB/wQIMAYBAf8CAQAwJwYDVR0lBCAwHgYIKwYB\n" +
++        "BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwMwYI\n" +
++        "KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5l\n" +
++        "dDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L3NlcnZl\n" +
++        "cjEuY3JsMB0GA1UdDgQWBBT+3JRJDG/vXH/G8RKZTxZJrfuCZTALBgNVHQ8EBAMC\n" +
++        "AQYwHwYDVR0jBBgwFoAU8BdiE1U9s/8KAGv7UISX8+1i0BowGQYJKoZIhvZ9B0EA\n" +
++        "BAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQADgYEAY3RqN6k/lpxmyFisCcnv\n" +
++        "9WWUf6MCxDgxvV0jh+zUVrLJsm7kBQb87PX6iHBZ1O7m3bV6oKNgLwIMq94SXa/w\n" +
++        "NUuqikeRGvWFLELHHe+VQ7NeuJWTpdrFKKqtci0xrZlrbP+MISevrZqRK8fdWMNu\n" +
++        "B8WfedLHjFW/TMcnXlEWKz4=\n" +
++        "-----END CERTIFICATE-----");
++
++    }
++}
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/validator/SimpleValidator.java jdk7u3/jdk/src/share/classes/sun/security/validator/SimpleValidator.java
+--- jdk/src/share/classes/sun/security/validator/SimpleValidator.java	2012-04-17 17:39:21.000000000 -0400
++++ jdk/src/share/classes/sun/security/validator/SimpleValidator.java	2012-04-17 17:48:58.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -41,6 +41,7 @@
+ import sun.security.util.ObjectIdentifier;
+ 
+ import sun.security.provider.certpath.AlgorithmChecker;
++import sun.security.provider.certpath.UntrustedChecker;
+ 
+ /**
+  * A simple validator implementation. It is based on code from the JSSE
+@@ -137,6 +138,9 @@
+             date = new Date();
+         }
+ 
++        // create distrusted certificates checker
++        UntrustedChecker untrustedChecker = new UntrustedChecker();
++
+         // create default algorithm constraints checker
+         TrustAnchor anchor = new TrustAnchor(chain[chain.length - 1], null);
+         AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
+@@ -154,6 +158,17 @@
+             X509Certificate issuerCert = chain[i + 1];
+             X509Certificate cert = chain[i];
+ 
++            // check untrusted certificate
++            try {
++                // Untrusted checker does not care about the unresolved
++                // critical extensions.
++                untrustedChecker.check(cert, Collections.<String>emptySet());
++            } catch (CertPathValidatorException cpve) {
++                throw new ValidatorException(
++                    "Untrusted certificate: " + cert.getSubjectX500Principal(),
++                    ValidatorException.T_UNTRUSTED_CERT, cert, cpve);
++            }
++
+             // check certificate algorithm
+             try {
+                 // Algorithm checker does not care about the unresolved
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/classes/sun/security/validator/ValidatorException.java jdk7u3/jdk/src/share/classes/sun/security/validator/ValidatorException.java
+--- jdk/src/share/classes/sun/security/validator/ValidatorException.java	2012-04-17 17:39:21.000000000 -0400
++++ jdk/src/share/classes/sun/security/validator/ValidatorException.java	2012-04-17 17:48:58.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -58,6 +58,9 @@
+     public final static Object T_ALGORITHM_DISABLED =
+         "Certificate signature algorithm disabled";
+ 
++    public final static Object T_UNTRUSTED_CERT =
++        "Untrusted certificate";
++
+     private Object type;
+     private X509Certificate cert;
+ 
+diff -uNr -x '.hg*' jdk7u2/jdk/src/share/native/java/util/zip/zip_util.c jdk7u3/jdk/src/share/native/java/util/zip/zip_util.c
+--- jdk/src/share/native/java/util/zip/zip_util.c	2012-04-17 17:39:25.000000000 -0400
++++ jdk/src/share/native/java/util/zip/zip_util.c	2012-04-17 17:49:02.000000000 -0400
+@@ -521,7 +521,7 @@
+ {
+     jint count = 0;
+     ptrdiff_t i;
+-    for (i = 0; i + CENHDR < end - beg; i += CENSIZE(beg + i))
++    for (i = 0; i + CENHDR <= end - beg; i += CENSIZE(beg + i))
+         count++;
+     return count;
+ }
+diff -uNr -x '.hg*' jdk7u2/jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java jdk7u3/jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java
+--- jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java	2012-04-17 17:39:31.000000000 -0400
++++ jdk/src/windows/classes/sun/java2d/d3d/D3DRenderer.java	2012-04-17 17:49:07.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2007, 2008, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -27,6 +27,7 @@
+ 
+ import java.awt.Transparency;
+ import java.awt.geom.Path2D;
++import sun.java2d.InvalidPipeException;
+ import sun.java2d.SunGraphics2D;
+ import sun.java2d.loops.GraphicsPrimitive;
+ import sun.java2d.pipe.BufferedPaints;
+@@ -47,7 +48,12 @@
+         int ctxflags =
+             sg2d.paint.getTransparency() == Transparency.OPAQUE ?
+                 D3DContext.SRC_IS_OPAQUE : D3DContext.NO_CONTEXT_FLAGS;
+-        D3DSurfaceData dstData = (D3DSurfaceData)sg2d.surfaceData;
++        D3DSurfaceData dstData;
++        try {
++            dstData = (D3DSurfaceData)sg2d.surfaceData;
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+         D3DContext.validateContext(dstData, dstData,
+                                    sg2d.getCompClip(), sg2d.composite,
+                                    null, sg2d.paint, sg2d, ctxflags);
+@@ -56,7 +62,12 @@
+     @Override
+     protected void validateContextAA(SunGraphics2D sg2d) {
+         int ctxflags = D3DContext.NO_CONTEXT_FLAGS;
+-        D3DSurfaceData dstData = (D3DSurfaceData)sg2d.surfaceData;
++        D3DSurfaceData dstData;
++        try {
++            dstData = (D3DSurfaceData)sg2d.surfaceData;
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+         D3DContext.validateContext(dstData, dstData,
+                                    sg2d.getCompClip(), sg2d.composite,
+                                    null, sg2d.paint, sg2d, ctxflags);
+@@ -70,7 +81,12 @@
+             int ctxflags =
+                 sg2d.surfaceData.getTransparency() == Transparency.OPAQUE ?
+                     D3DContext.SRC_IS_OPAQUE : D3DContext.NO_CONTEXT_FLAGS;
+-            D3DSurfaceData dstData = (D3DSurfaceData)sg2d.surfaceData;
++            D3DSurfaceData dstData;
++            try {
++                dstData = (D3DSurfaceData)sg2d.surfaceData;
++            } catch (ClassCastException e) {
++                throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++            }
+             D3DContext.validateContext(dstData, dstData,
+                                        sg2d.getCompClip(), sg2d.composite,
+                                        null, null, null, ctxflags);
+diff -uNr -x '.hg*' jdk7u2/jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java jdk7u3/jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java
+--- jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java	2012-04-17 17:39:31.000000000 -0400
++++ jdk/src/windows/classes/sun/java2d/windows/GDIRenderer.java	2012-04-17 17:49:07.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1999, 2006, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -29,6 +29,7 @@
+ import java.awt.Shape;
+ import java.awt.geom.Path2D;
+ import java.awt.geom.PathIterator;
++import sun.java2d.InvalidPipeException;
+ import sun.java2d.SunGraphics2D;
+ import sun.java2d.SurfaceData;
+ import sun.java2d.pipe.Region;
+@@ -45,7 +46,7 @@
+     PixelFillPipe,
+     ShapeDrawPipe
+ {
+-    native void doDrawLine(SurfaceData sData,
++    native void doDrawLine(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int x1, int y1, int x2, int y2);
+ 
+@@ -54,24 +55,32 @@
+     {
+         int transx = sg2d.transX;
+         int transy = sg2d.transY;
+-        doDrawLine(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   x1+transx, y1+transy, x2+transx, y2+transy);
++        try {
++            doDrawLine((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       x1+transx, y1+transy, x2+transx, y2+transy);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doDrawRect(SurfaceData sData,
++    native void doDrawRect(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int x, int y, int w, int h);
+ 
+     public void drawRect(SunGraphics2D sg2d,
+                          int x, int y, int width, int height)
+     {
+-        doDrawRect(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   x+sg2d.transX, y+sg2d.transY, width, height);
++        try {
++            doDrawRect((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       x+sg2d.transX, y+sg2d.transY, width, height);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doDrawRoundRect(SurfaceData sData,
++    native void doDrawRoundRect(GDIWindowSurfaceData sData,
+                                 Region clip, Composite comp, int color,
+                                 int x, int y, int w, int h,
+                                 int arcW, int arcH);
+@@ -80,25 +89,33 @@
+                               int x, int y, int width, int height,
+                               int arcWidth, int arcHeight)
+     {
+-        doDrawRoundRect(sg2d.surfaceData,
+-                        sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                        x+sg2d.transX, y+sg2d.transY, width, height,
+-                        arcWidth, arcHeight);
++        try {
++            doDrawRoundRect((GDIWindowSurfaceData)sg2d.surfaceData,
++                            sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                            x+sg2d.transX, y+sg2d.transY, width, height,
++                            arcWidth, arcHeight);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doDrawOval(SurfaceData sData,
++    native void doDrawOval(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int x, int y, int w, int h);
+ 
+     public void drawOval(SunGraphics2D sg2d,
+                          int x, int y, int width, int height)
+     {
+-        doDrawOval(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   x+sg2d.transX, y+sg2d.transY, width, height);
++        try {
++            doDrawOval((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       x+sg2d.transX, y+sg2d.transY, width, height);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doDrawArc(SurfaceData sData,
++    native void doDrawArc(GDIWindowSurfaceData sData,
+                           Region clip, Composite comp, int color,
+                           int x, int y, int w, int h,
+                           int angleStart, int angleExtent);
+@@ -107,13 +124,17 @@
+                         int x, int y, int width, int height,
+                         int startAngle, int arcAngle)
+     {
+-        doDrawArc(sg2d.surfaceData,
+-                  sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                  x+sg2d.transX, y+sg2d.transY, width, height,
+-                  startAngle, arcAngle);
++        try {
++            doDrawArc((GDIWindowSurfaceData)sg2d.surfaceData,
++                      sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                      x+sg2d.transX, y+sg2d.transY, width, height,
++                      startAngle, arcAngle);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doDrawPoly(SurfaceData sData,
++    native void doDrawPoly(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int transx, int transy,
+                            int[] xpoints, int[] ypoints,
+@@ -123,33 +144,45 @@
+                              int xpoints[], int ypoints[],
+                              int npoints)
+     {
+-        doDrawPoly(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, false);
++        try {
++            doDrawPoly((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, false);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+     public void drawPolygon(SunGraphics2D sg2d,
+                             int xpoints[], int ypoints[],
+                             int npoints)
+     {
+-        doDrawPoly(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, true);
++        try {
++            doDrawPoly((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       sg2d.transX, sg2d.transY, xpoints, ypoints, npoints, true);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doFillRect(SurfaceData sData,
++    native void doFillRect(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int x, int y, int w, int h);
+ 
+     public void fillRect(SunGraphics2D sg2d,
+                          int x, int y, int width, int height)
+     {
+-        doFillRect(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   x+sg2d.transX, y+sg2d.transY, width, height);
++        try {
++            doFillRect((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       x+sg2d.transX, y+sg2d.transY, width, height);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doFillRoundRect(SurfaceData sData,
++    native void doFillRoundRect(GDIWindowSurfaceData sData,
+                                 Region clip, Composite comp, int color,
+                                 int x, int y, int w, int h,
+                                 int arcW, int arcH);
+@@ -158,25 +191,33 @@
+                               int x, int y, int width, int height,
+                               int arcWidth, int arcHeight)
+     {
+-        doFillRoundRect(sg2d.surfaceData,
+-                        sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                        x+sg2d.transX, y+sg2d.transY, width, height,
+-                        arcWidth, arcHeight);
++        try {
++            doFillRoundRect((GDIWindowSurfaceData)sg2d.surfaceData,
++                            sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                            x+sg2d.transX, y+sg2d.transY, width, height,
++                            arcWidth, arcHeight);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doFillOval(SurfaceData sData,
++    native void doFillOval(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int x, int y, int w, int h);
+ 
+     public void fillOval(SunGraphics2D sg2d,
+                          int x, int y, int width, int height)
+     {
+-        doFillOval(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   x+sg2d.transX, y+sg2d.transY, width, height);
++        try {
++            doFillOval((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       x+sg2d.transX, y+sg2d.transY, width, height);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doFillArc(SurfaceData sData,
++    native void doFillArc(GDIWindowSurfaceData sData,
+                           Region clip, Composite comp, int color,
+                           int x, int y, int w, int h,
+                           int angleStart, int angleExtent);
+@@ -185,13 +226,17 @@
+                         int x, int y, int width, int height,
+                         int startAngle, int arcAngle)
+     {
+-        doFillArc(sg2d.surfaceData,
+-                  sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                  x+sg2d.transX, y+sg2d.transY, width, height,
+-                  startAngle, arcAngle);
++        try {
++            doFillArc((GDIWindowSurfaceData)sg2d.surfaceData,
++                      sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                      x+sg2d.transX, y+sg2d.transY, width, height,
++                      startAngle, arcAngle);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doFillPoly(SurfaceData sData,
++    native void doFillPoly(GDIWindowSurfaceData sData,
+                            Region clip, Composite comp, int color,
+                            int transx, int transy,
+                            int[] xpoints, int[] ypoints,
+@@ -201,12 +246,16 @@
+                             int xpoints[], int ypoints[],
+                             int npoints)
+     {
+-        doFillPoly(sg2d.surfaceData,
+-                   sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                   sg2d.transX, sg2d.transY, xpoints, ypoints, npoints);
++        try {
++            doFillPoly((GDIWindowSurfaceData)sg2d.surfaceData,
++                       sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                       sg2d.transX, sg2d.transY, xpoints, ypoints, npoints);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+-    native void doShape(SurfaceData sData,
++    native void doShape(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int transX, int transY,
+                         Path2D.Float p2df, boolean isfill);
+@@ -228,9 +277,13 @@
+             transX = 0;
+             transY = 0;
+         }
+-        doShape(sg2d.surfaceData,
+-                sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
+-                transX, transY, p2df, isfill);
++        try {
++            doShape((GDIWindowSurfaceData)sg2d.surfaceData,
++                    sg2d.getCompClip(), sg2d.composite, sg2d.eargb,
++                    transX, transY, p2df, isfill);
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+     }
+ 
+     // REMIND: This is just a hack to get WIDE lines to honor the
+@@ -239,7 +292,12 @@
+     // method that could be filled by the doShape method more quickly.
+     public void doFillSpans(SunGraphics2D sg2d, SpanIterator si) {
+         int box[] = new int[4];
+-        SurfaceData sd = sg2d.surfaceData;
++        GDIWindowSurfaceData sd;
++        try {
++            sd = (GDIWindowSurfaceData)sg2d.surfaceData;
++        } catch (ClassCastException e) {
++            throw new InvalidPipeException("wrong surface data type: " + sg2d.surfaceData);
++        }
+         Region clip = sg2d.getCompClip();
+         Composite comp = sg2d.composite;
+         int eargb = sg2d.eargb;
+@@ -268,7 +326,7 @@
+         doShape(sg2d, s, true);
+     }
+ 
+-    public native void devCopyArea(SurfaceData sData,
++    public native void devCopyArea(GDIWindowSurfaceData sData,
+                                    int srcx, int srcy,
+                                    int dx, int dy,
+                                    int w, int h);
+@@ -278,21 +336,21 @@
+     }
+ 
+     public static class Tracer extends GDIRenderer {
+-        void doDrawLine(SurfaceData sData,
++        void doDrawLine(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int x1, int y1, int x2, int y2)
+         {
+             GraphicsPrimitive.tracePrimitive("GDIDrawLine");
+             super.doDrawLine(sData, clip, comp, color, x1, y1, x2, y2);
+         }
+-        void doDrawRect(SurfaceData sData,
++        void doDrawRect(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int x, int y, int w, int h)
+         {
+             GraphicsPrimitive.tracePrimitive("GDIDrawRect");
+             super.doDrawRect(sData, clip, comp, color, x, y, w, h);
+         }
+-        void doDrawRoundRect(SurfaceData sData,
++        void doDrawRoundRect(GDIWindowSurfaceData sData,
+                              Region clip, Composite comp, int color,
+                              int x, int y, int w, int h,
+                              int arcW, int arcH)
+@@ -301,14 +359,14 @@
+             super.doDrawRoundRect(sData, clip, comp, color,
+                                   x, y, w, h, arcW, arcH);
+         }
+-        void doDrawOval(SurfaceData sData,
++        void doDrawOval(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int x, int y, int w, int h)
+         {
+             GraphicsPrimitive.tracePrimitive("GDIDrawOval");
+             super.doDrawOval(sData, clip, comp, color, x, y, w, h);
+         }
+-        void doDrawArc(SurfaceData sData,
++        void doDrawArc(GDIWindowSurfaceData sData,
+                        Region clip, Composite comp, int color,
+                        int x, int y, int w, int h,
+                        int angleStart, int angleExtent)
+@@ -317,7 +375,7 @@
+             super.doDrawArc(sData, clip, comp, color, x, y, w, h,
+                             angleStart, angleExtent);
+         }
+-        void doDrawPoly(SurfaceData sData,
++        void doDrawPoly(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int transx, int transy,
+                         int[] xpoints, int[] ypoints,
+@@ -327,14 +385,14 @@
+             super.doDrawPoly(sData, clip, comp, color, transx, transy,
+                              xpoints, ypoints, npoints, isclosed);
+         }
+-        void doFillRect(SurfaceData sData,
++        void doFillRect(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int x, int y, int w, int h)
+         {
+             GraphicsPrimitive.tracePrimitive("GDIFillRect");
+             super.doFillRect(sData, clip, comp, color, x, y, w, h);
+         }
+-        void doFillRoundRect(SurfaceData sData,
++        void doFillRoundRect(GDIWindowSurfaceData sData,
+                              Region clip, Composite comp, int color,
+                              int x, int y, int w, int h,
+                              int arcW, int arcH)
+@@ -343,14 +401,14 @@
+             super.doFillRoundRect(sData, clip, comp, color,
+                                   x, y, w, h, arcW, arcH);
+         }
+-        void doFillOval(SurfaceData sData,
++        void doFillOval(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int x, int y, int w, int h)
+         {
+             GraphicsPrimitive.tracePrimitive("GDIFillOval");
+             super.doFillOval(sData, clip, comp, color, x, y, w, h);
+         }
+-        void doFillArc(SurfaceData sData,
++        void doFillArc(GDIWindowSurfaceData sData,
+                        Region clip, Composite comp, int color,
+                        int x, int y, int w, int h,
+                        int angleStart, int angleExtent)
+@@ -359,7 +417,7 @@
+             super.doFillArc(sData, clip, comp, color, x, y, w, h,
+                             angleStart, angleExtent);
+         }
+-        void doFillPoly(SurfaceData sData,
++        void doFillPoly(GDIWindowSurfaceData sData,
+                         Region clip, Composite comp, int color,
+                         int transx, int transy,
+                         int[] xpoints, int[] ypoints,
+@@ -369,7 +427,7 @@
+             super.doFillPoly(sData, clip, comp, color, transx, transy,
+                              xpoints, ypoints, npoints);
+         }
+-        void doShape(SurfaceData sData,
++        void doShape(GDIWindowSurfaceData sData,
+                      Region clip, Composite comp, int color,
+                      int transX, int transY,
+                      Path2D.Float p2df, boolean isfill)
+@@ -380,7 +438,7 @@
+             super.doShape(sData, clip, comp, color,
+                           transX, transY, p2df, isfill);
+         }
+-        public void devCopyArea(SurfaceData sData,
++        public void devCopyArea(GDIWindowSurfaceData sData,
+                                 int srcx, int srcy,
+                                 int dx, int dy,
+                                 int w, int h)
+diff -uNr -x '.hg*' jdk7u2/jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp jdk7u3/jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp
+--- jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp	2012-04-17 17:39:32.000000000 -0400
++++ jdk/src/windows/native/sun/java2d/windows/GDIRenderer.cpp	2012-04-17 17:49:08.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1999, 2008, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -117,7 +117,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doDrawLine
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doDrawLine
+@@ -164,7 +164,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doDrawRect
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doDrawRect
+@@ -209,7 +209,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doDrawRoundRect
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doDrawRoundRect
+@@ -253,7 +253,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doDrawOval
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doDrawOval
+@@ -291,7 +291,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doDrawArc
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doDrawArc
+@@ -347,7 +347,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doDrawPoly
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[IIZ)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[IIZ)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doDrawPoly
+@@ -412,7 +412,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doFillRect
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doFillRect
+@@ -445,7 +445,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doFillRoundRect
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doFillRoundRect
+@@ -488,7 +488,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doFillOval
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doFillOval
+@@ -555,7 +555,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doFillArc
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;IIIIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doFillArc
+@@ -615,7 +615,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doFillPoly
+- * Signature: (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[II)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;Ljava/awt/Composite;III[I[II)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_doFillPoly
+@@ -680,7 +680,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    doShape
+- * Signature:  (Lsun/java2d/SurfaceData;Lsun/java2d/pipe/Region;
++ * Signature:  (Lsun/java2d/windows/GDIWindowSurfaceData;Lsun/java2d/pipe/Region;
+  *              Ljava/awt/Composite;IIILjava/awt/geom/Path2D.Float;Z)V
+  */
+ JNIEXPORT void JNICALL
+@@ -863,7 +863,7 @@
+ /*
+  * Class:     sun_java2d_windows_GDIRenderer
+  * Method:    devCopyArea
+- * Signature: (Lsun/awt/windows/SurfaceData;IIIIII)V
++ * Signature: (Lsun/java2d/windows/GDIWindowSurfaceData;IIIIII)V
+  */
+ JNIEXPORT void JNICALL
+ Java_sun_java2d_windows_GDIRenderer_devCopyArea
+diff -uNr -x '.hg*' jdk7u2/jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java jdk7u3/jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java
+--- jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java	2012-04-17 17:39:36.000000000 -0400
++++ jdk/test/java/io/Serializable/expectedStackTrace/ExpectedStackTrace.java	2012-04-17 17:49:13.000000000 -0400
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -22,7 +22,7 @@
+  */
+ 
+ /* @test
+- * @bug 6317435
++ * @bug 6317435 7110700
+  * @summary Verify that stack trace contains a proper cause of
+  *          InvalidClassException (methods: checkSerialize,
+  *          checkDeserialize or checkDefaultSerialize)
+@@ -59,7 +59,7 @@
+     private static final String SER_METHOD_NAME = "checkSerializable";
+ 
+     public static final void main(String[] args) throws Exception {
+-        System.err.println("\nRegression test for CR6317435");
++        System.err.println("\nRegression test for CRs 6317435, 7110700");
+         checkSerializable(getObject());
+     }
+ 
+@@ -99,9 +99,12 @@
+                 }
+             }
+             if (found) {
++                if (ex.getCause() != null) {
++                    throw new Error("\nTest for CR 7110700 FAILED");
++                }
+                 System.err.println("\nTEST PASSED");
+             } else {
+-                throw new Error();
++                throw new Error("\nTest for CR 6317435 FAILED");
+             }
+         }
+     }
+diff -uNr -x '.hg*' jdk7u2/jdk/test/java/util/zip/ZipFile/VmCrash.java jdk7u3/jdk/test/java/util/zip/ZipFile/VmCrash.java
+--- jdk/test/java/util/zip/ZipFile/VmCrash.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/test/java/util/zip/ZipFile/VmCrash.java	2012-04-17 17:49:21.000000000 -0400
+@@ -0,0 +1,47 @@
++/*
++ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/* @test
++   @bug 7118283
++   @summary Test if a corrupted zip file crashes VM
++   */
++
++import java.util.zip.*;
++import java.io.*;
++import java.util.*;
++
++public class VmCrash {
++    public static void main(String[] argv) throws Exception {
++        try {
++            ZipFile zf = new ZipFile(new File(System.getProperty("test.src","."),
++                                              "vmcrash.zip"));
++            for (Enumeration e = zf.entries(); e.hasMoreElements();) {
++                System.out.println(e.nextElement());
++            }
++            throw new RuntimeException("Corrupted zip read without exception");
++        } catch (ZipException ex) {
++            System.out.println("expected ZipException:");
++            //ex.printStackTrace();
++        }
++    }
++}
+Files jdk7u2/jdk/test/java/util/zip/ZipFile/vmcrash.zip and jdk7u3/jdk/test/java/util/zip/ZipFile/vmcrash.zip differ
+diff -uNr -x '.hg*' jdk7u2/jdk/test/javax/sound/sampled/DataLine/DataLine_ArrayIndexOutOfBounds.java jdk7u3/jdk/test/javax/sound/sampled/DataLine/DataLine_ArrayIndexOutOfBounds.java
+--- jdk/test/javax/sound/sampled/DataLine/DataLine_ArrayIndexOutOfBounds.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/test/javax/sound/sampled/DataLine/DataLine_ArrayIndexOutOfBounds.java	2012-04-17 17:49:23.000000000 -0400
+@@ -0,0 +1,226 @@
++/**
++ * @test
++ * @bug 7088367
++ * @summary SourceDataLine.write and TargetDataLine.read don't throw ArrayIndexOutOfBoundsException
++ * @author Alex Menkov
++ */
++
++import javax.sound.sampled.AudioSystem;
++import javax.sound.sampled.DataLine;
++import javax.sound.sampled.Line;
++import javax.sound.sampled.LineUnavailableException;
++import javax.sound.sampled.Mixer;
++import javax.sound.sampled.SourceDataLine;
++import javax.sound.sampled.TargetDataLine;
++
++public class DataLine_ArrayIndexOutOfBounds {
++
++    static int total = 0;
++    static int failed = 0;
++
++    // shared buffer for all tests
++    static final byte[] buffer = new byte[5000000];
++
++    // the class describes different test scenarios (buffer properties)
++    static abstract class Scenario {
++        abstract int getBufferOffset(DataLine line);
++        abstract int getBufferLength(DataLine line);
++    }
++
++    // scenarios to tests
++    static Scenario[] scenarios = new Scenario[]{
++        new Scenario() {
++            public String toString() {
++                return "offset is near Integer.MAX_VALUE";
++            }
++            public int getBufferOffset(DataLine line) {
++                return Integer.MAX_VALUE - 4096;
++            }
++            public int getBufferLength(DataLine line) {
++                return 65536;
++            }
++        },
++        new Scenario() {
++            public String toString() {
++                return "offset is less than buffer.length, length is large";
++            }
++            int getBufferOffset(DataLine line) {
++                return buffer.length / 10;
++            }
++            int getBufferLength(DataLine line) {
++                return Integer.MAX_VALUE - getBufferOffset(line) + 4096;
++            }
++        }
++    };
++
++    public static void main(String[] args) throws Exception {
++        Mixer.Info[] infos = AudioSystem.getMixerInfo();
++        log("" + infos.length + " mixers detected");
++        for (int i=0; i<infos.length; i++) {
++            Mixer mixer = AudioSystem.getMixer(infos[i]);
++            log("Mixer " + (i+1) + ": " + infos[i]);
++            try {
++                mixer.open();
++                for (Scenario scenario: scenarios) {
++                    testSDL(mixer, scenario);
++                    testTDL(mixer, scenario);
++                }
++                mixer.close();
++            } catch (LineUnavailableException ex) {
++                log("LineUnavailableException: " + ex);
++            }
++        }
++        if (failed == 0) {
++            log("PASSED (" + total + " tests)");
++        } else {
++            log("FAILED (" + failed + " of " + total + " tests)");
++            throw new Exception("Test FAILED");
++        }
++    }
++
++    final static int STOPPER_DELAY = 5000;  // 1 sec
++
++    static class AsyncLineStopper implements Runnable {
++        private final DataLine line;
++        private final long delayMS;  // delay before stop the line
++        private final Thread thread;
++        private final Object readyEvent = new Object();
++        private final Object startEvent = new Object();
++
++        public AsyncLineStopper(DataLine line, long delayMS) {
++            this.line = line;
++            this.delayMS = delayMS;
++            thread = new Thread(this);
++            thread.setDaemon(true);
++            // starts the thread and waits until it becomes ready
++            synchronized (readyEvent) {
++                thread.start();
++                try {
++                    readyEvent.wait();
++                } catch (InterruptedException ex) { }
++            }
++        }
++
++        // makes the delay and then stops the line
++        public void schedule() {
++            synchronized(startEvent) {
++                startEvent.notifyAll();
++            }
++        }
++
++        // force stop/close the line
++        public void force() {
++            thread.interrupt();
++            try {
++                thread.join();
++            } catch (InterruptedException ex) {
++                log("join exception: " + ex);
++            }
++        }
++
++        // Runnable implementation
++        public void run() {
++            try {
++                synchronized(readyEvent) {
++                    readyEvent.notifyAll();
++                }
++                synchronized(startEvent) {
++                    startEvent.wait();
++                }
++                // delay
++                Thread.sleep(delayMS);
++            } catch (InterruptedException ex) {
++                log("    AsyncLineStopper has been interrupted: " + ex);
++            }
++            // and flush
++            log("    stop...");
++            line.stop();
++            log("    close...");
++            line.close();
++        }
++    }
++
++    static void testSDL(Mixer mixer, Scenario scenario) {
++        log("  Testing SDL (scenario: " + scenario + ")...");
++        Line.Info linfo = new Line.Info(SourceDataLine.class);
++        SourceDataLine line = null;
++        try {
++            line = (SourceDataLine)mixer.getLine(linfo);
++            log("    got line: " + line);
++            log("    open...");
++            line.open();
++        } catch (IllegalArgumentException ex) {
++            log("    unsupported (IllegalArgumentException)");
++            return;
++        } catch (LineUnavailableException ex) {
++            log("    unavailable: " + ex);
++            return;
++        }
++
++        total++;
++
++        log("    start...");
++        line.start();
++
++        AsyncLineStopper lineStopper = new AsyncLineStopper(line, STOPPER_DELAY);
++        int offset = scenario.getBufferOffset(line);
++        int len = scenario.getBufferLength(line);
++        // ensure len represents integral number of frames
++        len -= len % line.getFormat().getFrameSize();
++
++        log("    write...");
++        lineStopper.schedule();
++        try {
++            line.write(buffer, offset, len);
++            log("    ERROR: didn't get ArrayIndexOutOfBoundsException");
++            failed++;
++        } catch (ArrayIndexOutOfBoundsException  ex) {
++            log("    OK: got ArrayIndexOutOfBoundsException: " + ex);
++        }
++        lineStopper.force();
++    }
++
++    static void testTDL(Mixer mixer, Scenario scenario) {
++        log("  Testing TDL (scenario: " + scenario + ")...");
++        Line.Info linfo = new Line.Info(TargetDataLine.class);
++        TargetDataLine line = null;
++        try {
++            line = (TargetDataLine)mixer.getLine(linfo);
++            log("    got line: " + line);
++            log("    open...");
++            line.open();
++        } catch (IllegalArgumentException ex) {
++            log("    unsupported (IllegalArgumentException)");
++            return;
++        } catch (LineUnavailableException ex) {
++            log("    unavailable: " + ex);
++            return;
++        }
++
++        total++;
++
++        log("    start...");
++        line.start();
++
++        AsyncLineStopper lineStopper = new AsyncLineStopper(line, STOPPER_DELAY);
++        int offset = scenario.getBufferOffset(line);
++        int len = scenario.getBufferLength(line);
++        // ensure len represents integral number of frames
++        len -= len % line.getFormat().getFrameSize();
++
++        log("    read...");
++        try {
++            line.read(buffer, offset, len);
++            log("    ERROR: didn't get ArrayIndexOutOfBoundsException");
++            failed++;
++        } catch (ArrayIndexOutOfBoundsException  ex) {
++            log("    OK: got ArrayIndexOutOfBoundsException: " + ex);
++        }
++        lineStopper.force();
++    }
++
++    static void log(String s) {
++        System.out.println(s);
++        System.out.flush();
++    }
++}
+diff -uNr -x '.hg*' jdk7u2/jdk/test/sun/security/provider/certpath/X509CertPath/ForwardBuildCompromised.java jdk7u3/jdk/test/sun/security/provider/certpath/X509CertPath/ForwardBuildCompromised.java
+--- jdk/test/sun/security/provider/certpath/X509CertPath/ForwardBuildCompromised.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/test/sun/security/provider/certpath/X509CertPath/ForwardBuildCompromised.java	2012-04-17 17:49:27.000000000 -0400
+@@ -0,0 +1,312 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 7123519
++ * @summary Problem with java/classes_security
++ */
++
++import java.net.*;
++import java.util.*;
++import java.io.*;
++import javax.net.ssl.*;
++import java.security.KeyStore;
++import java.security.cert.*;
++import java.security.spec.*;
++import java.security.interfaces.*;
++
++public class ForwardBuildCompromised {
++    // DigiNotar Root CA, untrusted root certificate
++    static String trustedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" +
++        "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" +
++        "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" +
++        "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" +
++        "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" +
++        "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" +
++        "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" +
++        "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" +
++        "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" +
++        "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" +
++        "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" +
++        "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" +
++        "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" +
++        "MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" +
++        "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" +
++        "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" +
++        "MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" +
++        "E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" +
++        "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" +
++        "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" +
++        "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" +
++        "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, untrusted cross-certificate
++    static String untrustedCrossCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" +
++        "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" +
++        "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" +
++        "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" +
++        "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" +
++        "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" +
++        "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" +
++        "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" +
++        "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" +
++        "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" +
++        "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" +
++        "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" +
++        "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" +
++        "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" +
++        "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" +
++        "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" +
++        "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" +
++        "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" +
++        "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" +
++        "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" +
++        "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" +
++        "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" +
++        "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" +
++        "ZFdYf+hthc3m6IcJ\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, compromised certificate
++    static String compromisedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" +
++        "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" +
++        "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" +
++        "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" +
++        "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" +
++        "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" +
++        "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" +
++        "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" +
++        "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" +
++        "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" +
++        "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" +
++        "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" +
++        "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" +
++        "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" +
++        "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" +
++        "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" +
++        "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" +
++        "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" +
++        "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" +
++        "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" +
++        "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" +
++        "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" +
++        "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" +
++        "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" +
++        "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" +
++        "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Public CA 2025, intermediate certificate
++    static String intermediateCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" +
++        "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" +
++        "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" +
++        "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" +
++        "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" +
++        "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" +
++        "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" +
++        "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" +
++        "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" +
++        "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" +
++        "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" +
++        "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" +
++        "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" +
++        "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" +
++        "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" +
++        "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" +
++        "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" +
++        "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" +
++        "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" +
++        "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" +
++        "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" +
++        "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" +
++        "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" +
++        "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" +
++        "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" +
++        "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" +
++        "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" +
++        "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" +
++        "hOiR4IX9Tg==\n" +
++        "-----END CERTIFICATE-----";
++
++    // The fraudulent certificate issued by above compromised CA
++    static String targetCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" +
++        "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" +
++        "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" +
++        "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" +
++        "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" +
++        "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" +
++        "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" +
++        "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" +
++        "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" +
++        "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" +
++        "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" +
++        "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" +
++        "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" +
++        "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" +
++        "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" +
++        "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" +
++        "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" +
++        "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" +
++        "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" +
++        "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" +
++        "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" +
++        "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" +
++        "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" +
++        "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" +
++        "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" +
++        "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" +
++        "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" +
++        "-----END CERTIFICATE-----";
++
++    public static void main(String args[]) throws Exception {
++
++        Exception reservedException = null;
++        try {
++            build();
++        } catch (CertPathBuilderException cpbe) {
++            reservedException = cpbe;
++        }
++
++        if (reservedException == null) {
++            throw new Exception("Unable to block fraudulent certificate");
++        }
++
++        System.out.println(
++            "The expected untrusted cert exception: " + reservedException);
++    }
++
++    private static X509CertSelector generateSelector() throws Exception {
++
++        // generate certificate from cert strings
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        X509Certificate target = null;
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(targetCertStr.getBytes())) {
++            target = (X509Certificate)cf.generateCertificate(is);
++        }
++
++        X509CertSelector selector = new X509CertSelector();
++        selector.setCertificate(target);
++
++        return selector;
++    }
++
++
++    private static CertStore generateCertificateStore() throws Exception {
++
++        // generate certificate from cert strings
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        // generate certification path
++        Set<Certificate> entries = new HashSet();
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(targetCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(intermediateCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(compromisedCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        return CertStore.getInstance("Collection",
++                            new CollectionCertStoreParameters(entries));
++    }
++
++    private static Set<TrustAnchor> generateTrustAnchors()
++            throws CertificateException, IOException {
++        // generate certificate from cert string
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        Certificate trustedCert = null;
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(trustedCertStr.getBytes())) {
++            trustedCert = cf.generateCertificate(is);
++        }
++
++        // generate a trust anchor
++        TrustAnchor anchor =
++            new TrustAnchor((X509Certificate)trustedCert, null);
++
++        return Collections.singleton(anchor);
++    }
++
++    private static void build() throws Exception {
++        X509CertSelector selector = generateSelector();
++        Set<TrustAnchor> anchors = generateTrustAnchors();
++        CertStore certs = generateCertificateStore();
++
++        PKIXBuilderParameters params =
++                new PKIXBuilderParameters(anchors, selector);
++        params.addCertStore(certs);
++        params.setRevocationEnabled(false);
++        params.setDate(new Date(111, 11, 25));   // 2011-12-25
++
++        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
++        PKIXCertPathBuilderResult result =
++                        (PKIXCertPathBuilderResult)builder.build(params);
++    }
++}
++
+diff -uNr -x '.hg*' jdk7u2/jdk/test/sun/security/provider/certpath/X509CertPath/ReverseBuildCompromised.java jdk7u3/jdk/test/sun/security/provider/certpath/X509CertPath/ReverseBuildCompromised.java
+--- jdk/test/sun/security/provider/certpath/X509CertPath/ReverseBuildCompromised.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/test/sun/security/provider/certpath/X509CertPath/ReverseBuildCompromised.java	2012-04-17 17:49:27.000000000 -0400
+@@ -0,0 +1,315 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 7123519
++ * @summary Problem with java/classes_security
++ */
++
++import java.net.*;
++import java.util.*;
++import java.io.*;
++import javax.net.ssl.*;
++import java.security.KeyStore;
++import java.security.cert.*;
++import java.security.spec.*;
++import java.security.interfaces.*;
++import sun.security.provider.certpath.SunCertPathBuilderParameters;
++
++public class ReverseBuildCompromised {
++    // DigiNotar Root CA, untrusted root certificate
++    static String trustedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" +
++        "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" +
++        "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" +
++        "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" +
++        "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" +
++        "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" +
++        "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" +
++        "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" +
++        "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" +
++        "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" +
++        "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" +
++        "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" +
++        "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" +
++        "MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" +
++        "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" +
++        "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" +
++        "MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" +
++        "E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" +
++        "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" +
++        "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" +
++        "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" +
++        "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, untrusted cross-certificate
++    static String untrustedCrossCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" +
++        "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" +
++        "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" +
++        "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" +
++        "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" +
++        "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" +
++        "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" +
++        "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" +
++        "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" +
++        "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" +
++        "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" +
++        "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" +
++        "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" +
++        "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" +
++        "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" +
++        "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" +
++        "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" +
++        "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" +
++        "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" +
++        "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" +
++        "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" +
++        "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" +
++        "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" +
++        "ZFdYf+hthc3m6IcJ\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, compromised certificate
++    static String compromisedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" +
++        "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" +
++        "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" +
++        "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" +
++        "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" +
++        "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" +
++        "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" +
++        "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" +
++        "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" +
++        "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" +
++        "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" +
++        "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" +
++        "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" +
++        "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" +
++        "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" +
++        "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" +
++        "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" +
++        "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" +
++        "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" +
++        "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" +
++        "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" +
++        "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" +
++        "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" +
++        "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" +
++        "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" +
++        "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Public CA 2025, intermediate certificate
++    static String intermediateCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" +
++        "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" +
++        "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" +
++        "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" +
++        "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" +
++        "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" +
++        "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" +
++        "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" +
++        "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" +
++        "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" +
++        "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" +
++        "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" +
++        "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" +
++        "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" +
++        "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" +
++        "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" +
++        "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" +
++        "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" +
++        "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" +
++        "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" +
++        "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" +
++        "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" +
++        "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" +
++        "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" +
++        "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" +
++        "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" +
++        "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" +
++        "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" +
++        "hOiR4IX9Tg==\n" +
++        "-----END CERTIFICATE-----";
++
++    // The fraudulent certificate issued by above compromised CA
++    static String targetCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" +
++        "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" +
++        "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" +
++        "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" +
++        "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" +
++        "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" +
++        "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" +
++        "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" +
++        "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" +
++        "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" +
++        "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" +
++        "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" +
++        "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" +
++        "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" +
++        "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" +
++        "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" +
++        "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" +
++        "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" +
++        "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" +
++        "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" +
++        "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" +
++        "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" +
++        "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" +
++        "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" +
++        "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" +
++        "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" +
++        "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" +
++        "-----END CERTIFICATE-----";
++
++    public static void main(String args[]) throws Exception {
++
++        Exception reservedException = null;
++        try {
++            build();
++        } catch (CertPathBuilderException cpbe) {
++            reservedException = cpbe;
++        }
++
++        if (reservedException == null) {
++            throw new Exception("Unable to block fraudulent certificate");
++        }
++
++        System.out.println(
++            "The expected untrusted cert exception: " + reservedException);
++    }
++
++    private static X509CertSelector generateSelector() throws Exception {
++
++        // generate certificate from cert strings
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        X509Certificate target = null;
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(targetCertStr.getBytes())) {
++            target = (X509Certificate)cf.generateCertificate(is);
++        }
++
++        X509CertSelector selector = new X509CertSelector();
++        selector.setCertificate(target);
++        selector.setSubject(target.getSubjectX500Principal());
++
++        return selector;
++    }
++
++
++    private static CertStore generateCertificateStore() throws Exception {
++
++        // generate certificate from cert strings
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        // generate certification path
++        Set<Certificate> entries = new HashSet();
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(targetCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(intermediateCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(compromisedCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) {
++            entries.add(cf.generateCertificate(is));
++        }
++
++        return CertStore.getInstance("Collection",
++                            new CollectionCertStoreParameters(entries));
++    }
++
++    private static Set<TrustAnchor> generateTrustAnchors()
++            throws CertificateException, IOException {
++        // generate certificate from cert string
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        Certificate trustedCert = null;
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(trustedCertStr.getBytes())) {
++            trustedCert = cf.generateCertificate(is);
++        }
++
++        // generate a trust anchor
++        TrustAnchor anchor =
++            new TrustAnchor((X509Certificate)trustedCert, null);
++
++        return Collections.singleton(anchor);
++    }
++
++    private static void build() throws Exception {
++        X509CertSelector selector = generateSelector();
++        Set<TrustAnchor> anchors = generateTrustAnchors();
++        CertStore certs = generateCertificateStore();
++
++        SunCertPathBuilderParameters params =
++            new SunCertPathBuilderParameters(anchors, selector);
++        params.setBuildForward(false);
++        params.addCertStore(certs);
++        params.setRevocationEnabled(false);
++        params.setDate(new Date(111, 11, 25));   // 2011-12-25
++
++        CertPathBuilder builder = CertPathBuilder.getInstance("PKIX");
++        PKIXCertPathBuilderResult result =
++                        (PKIXCertPathBuilderResult)builder.build(params);
++    }
++}
++
+diff -uNr -x '.hg*' jdk7u2/jdk/test/sun/security/provider/certpath/X509CertPath/ValidateCompromised.java jdk7u3/jdk/test/sun/security/provider/certpath/X509CertPath/ValidateCompromised.java
+--- jdk/test/sun/security/provider/certpath/X509CertPath/ValidateCompromised.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/test/sun/security/provider/certpath/X509CertPath/ValidateCompromised.java	2012-04-17 17:49:27.000000000 -0400
+@@ -0,0 +1,297 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 7123519
++ * @summary Problem with java/classes_security
++ */
++
++import java.net.*;
++import java.util.*;
++import java.io.*;
++import javax.net.ssl.*;
++import java.security.KeyStore;
++import java.security.cert.*;
++import java.security.spec.*;
++import java.security.interfaces.*;
++
++public class ValidateCompromised {
++    // DigiNotar Root CA, untrusted root certificate
++    static String trustedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" +
++        "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" +
++        "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" +
++        "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" +
++        "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" +
++        "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" +
++        "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" +
++        "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" +
++        "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" +
++        "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" +
++        "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" +
++        "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" +
++        "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" +
++        "MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" +
++        "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" +
++        "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" +
++        "MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" +
++        "E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" +
++        "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" +
++        "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" +
++        "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" +
++        "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, untrusted cross-certificate
++    static String untrustedCrossCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" +
++        "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" +
++        "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" +
++        "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" +
++        "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" +
++        "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" +
++        "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" +
++        "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" +
++        "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" +
++        "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" +
++        "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" +
++        "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" +
++        "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" +
++        "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" +
++        "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" +
++        "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" +
++        "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" +
++        "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" +
++        "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" +
++        "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" +
++        "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" +
++        "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" +
++        "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" +
++        "ZFdYf+hthc3m6IcJ\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, compromised certificate
++    static String compromisedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" +
++        "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" +
++        "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" +
++        "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" +
++        "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" +
++        "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" +
++        "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" +
++        "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" +
++        "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" +
++        "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" +
++        "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" +
++        "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" +
++        "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" +
++        "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" +
++        "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" +
++        "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" +
++        "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" +
++        "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" +
++        "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" +
++        "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" +
++        "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" +
++        "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" +
++        "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" +
++        "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" +
++        "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" +
++        "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Public CA 2025, intermediate certificate
++    static String intermediateCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" +
++        "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" +
++        "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" +
++        "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" +
++        "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" +
++        "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" +
++        "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" +
++        "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" +
++        "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" +
++        "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" +
++        "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" +
++        "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" +
++        "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" +
++        "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" +
++        "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" +
++        "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" +
++        "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" +
++        "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" +
++        "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" +
++        "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" +
++        "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" +
++        "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" +
++        "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" +
++        "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" +
++        "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" +
++        "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" +
++        "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" +
++        "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" +
++        "hOiR4IX9Tg==\n" +
++        "-----END CERTIFICATE-----";
++
++    // The fraudulent certificate issued by above compromised CA
++    static String targetCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" +
++        "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" +
++        "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" +
++        "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" +
++        "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" +
++        "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" +
++        "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" +
++        "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" +
++        "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" +
++        "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" +
++        "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" +
++        "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" +
++        "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" +
++        "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" +
++        "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" +
++        "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" +
++        "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" +
++        "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" +
++        "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" +
++        "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" +
++        "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" +
++        "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" +
++        "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" +
++        "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" +
++        "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" +
++        "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" +
++        "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" +
++        "-----END CERTIFICATE-----";
++
++    public static void main(String args[]) throws Exception {
++
++        Exception reservedException = null;
++        try {
++            validate();
++        } catch (CertPathValidatorException cpve) {
++            reservedException = cpve;
++        }
++
++        if (reservedException == null) {
++            throw new Exception("Unable to block fraudulent certificate");
++        }
++
++        System.out.println(
++            "The expected untrusted cert exception: " + reservedException);
++    }
++
++    private static CertPath generateCertificatePath()
++            throws CertificateException, IOException {
++
++        // generate certificate from cert strings
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        // generate certification path
++        List<Certificate> list = new ArrayList();
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(targetCertStr.getBytes())) {
++            list.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(intermediateCertStr.getBytes())) {
++            list.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(compromisedCertStr.getBytes())) {
++            list.add(cf.generateCertificate(is));
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) {
++            list.add(cf.generateCertificate(is));
++        }
++
++        return cf.generateCertPath(list);
++    }
++
++    private static Set<TrustAnchor> generateTrustAnchors()
++            throws CertificateException, IOException {
++        // generate certificate from cert string
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        Certificate trustedCert = null;
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(trustedCertStr.getBytes())) {
++            trustedCert = cf.generateCertificate(is);
++        }
++
++        // generate a trust anchor
++        TrustAnchor anchor =
++            new TrustAnchor((X509Certificate)trustedCert, null);
++
++        return Collections.singleton(anchor);
++    }
++
++    private static void validate()
++            throws CertPathValidatorException, Exception {
++
++        CertPath path = generateCertificatePath();
++        Set<TrustAnchor> anchors = generateTrustAnchors();
++
++        PKIXParameters params = new PKIXParameters(anchors);
++
++        // disable certificate revocation checking
++        params.setRevocationEnabled(false);
++
++        // set the validation time
++        params.setDate(new Date(111, 11, 25));   // 2011-12-25
++
++        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
++
++        validator.validate(path, params);
++    }
++}
++
+diff -uNr -x '.hg*' jdk7u2/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ComodoHacker.java jdk7u3/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ComodoHacker.java
+--- jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ComodoHacker.java	1969-12-31 19:00:00.000000000 -0500
++++ jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/ComodoHacker.java	2012-04-17 17:49:27.000000000 -0400
+@@ -0,0 +1,305 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++/*
++ * @test
++ * @bug 7123519
++ * @summary Problem with java/classes_security
++ * @run main/othervm ComodoHacker PKIX
++ * @run main/othervm ComodoHacker SunX509
++ */
++
++import java.net.*;
++import java.util.*;
++import java.io.*;
++import javax.net.ssl.*;
++import java.security.KeyStore;
++import java.security.cert.Certificate;
++import java.security.cert.CertificateFactory;
++import java.security.cert.X509Certificate;
++import java.security.cert.CertificateException;
++import java.security.spec.*;
++import java.security.interfaces.*;
++
++public class ComodoHacker {
++    // DigiNotar Root CA, untrusted root certificate
++    static String trustedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1\n" +
++        "MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE\n" +
++        "ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j\n" +
++        "b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF\n" +
++        "bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg\n" +
++        "U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA\n" +
++        "A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/\n" +
++        "I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3\n" +
++        "wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC\n" +
++        "AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb\n" +
++        "oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5\n" +
++        "BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p\n" +
++        "dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk\n" +
++        "MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp\n" +
++        "b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu\n" +
++        "dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0\n" +
++        "MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi\n" +
++        "E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa\n" +
++        "MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI\n" +
++        "hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN\n" +
++        "95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd\n" +
++        "2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, untrusted cross-certificate
++    static String untrustedCrossCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" +
++        "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" +
++        "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" +
++        "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" +
++        "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" +
++        "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" +
++        "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" +
++        "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" +
++        "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" +
++        "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" +
++        "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" +
++        "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" +
++        "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" +
++        "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" +
++        "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" +
++        "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" +
++        "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" +
++        "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" +
++        "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" +
++        "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" +
++        "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" +
++        "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" +
++        "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" +
++        "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" +
++        "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" +
++        "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" +
++        "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" +
++        "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" +
++        "ZFdYf+hthc3m6IcJ\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Root CA, compromised certificate
++    static String compromisedCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFijCCA3KgAwIBAgIQDHbanJEMTiye/hXQWJM8TDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDcwNTE2MTcxOTM2WhcNMjUwMzMxMTgxOTIxWjBfMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdpTm90YXIgUm9vdCBDQTEg\n" +
++        "MB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmwwggIiMA0GCSqGSIb3DQEB\n" +
++        "AQUAA4ICDwAwggIKAoICAQCssFjBAL3YIQgLK5r+blYwBZ8bd5AQQVzDDYcRd46B\n" +
++        "8cp86Yxq7Th0Nbva3/m7wAk3tJZzgX0zGpg595NvlX89ubF1h7pRSOiLcD6VBMXY\n" +
++        "tsMW2YiwsYcdcNqGtA8Ui3rPENF0NqISe3eGSnnme98CEWilToauNFibJBN4ViIl\n" +
++        "HgGLS1Fx+4LMWZZpiFpoU8W5DQI3y0u8ZkqQfioLBQftFl9VkHXYRskbg+IIvvEj\n" +
++        "zJkd1ioPgyAVWCeCLvriIsJJsbkBgWqdbZ1Ad2h2TiEqbYRAhU52mXyC8/O3AlnU\n" +
++        "JgEbjt+tUwbRrhjd4rI6y9eIOI6sWym5GdOY+RgDz0iChmYLG2kPyes4iHomGgVM\n" +
++        "ktck1JbyrFIto0fVUvY//s6EBnCmqj6i8rZWNBhXouSBbefK8GrTx5FrAoNBfBXv\n" +
++        "a5pkXuPQPOWx63tdhvvL5ndJzaNl3Pe5nLjkC1+Tz8wwGjIczhxjlaX56uF0i57p\n" +
++        "K6kwe6AYHw4YC+VbqdPRbB4HZ4+RS6mKvNJmqpMBiLKR+jFc1abBUggJzQpjotMi\n" +
++        "puih2TkGl/VujQKQjBR7P4DNG5y6xFhyI6+2Vp/GekIzKQc/gsnmHwUNzUwoNovT\n" +
++        "yD4cxojvXu6JZOkd69qJfjKmadHdzIif0dDJZiHcBmfFlHqabWJMfczgZICynkeO\n" +
++        "owIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNV\n" +
++        "HQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wDQYJKoZIhvcNAQEFBQADggIBADsC\n" +
++        "jcs8MOhuoK3yc7NfniUTBAXT9uOLuwt5zlPe5JbF0a9zvNXD0EBVfEB/zRtfCdXy\n" +
++        "fJ9oHbtdzno5wozWmHvFg1Wo1X1AyuAe94leY12hE8JdiraKfADzI8PthV9xdvBo\n" +
++        "Y6pFITlIYXg23PFDk9Qlx/KAZeFTAnVR/Ho67zerhChXDNjU1JlWbOOi/lmEtDHo\n" +
++        "M/hklJRRl6s5xUvt2t2AC298KQ3EjopyDedTFLJgQT2EkTFoPSdE2+Xe9PpjRchM\n" +
++        "Ppj1P0G6Tss3DbpmmPHdy59c91Q2gmssvBNhl0L4eLvMyKKfyvBovWsdst+Nbwed\n" +
++        "2o5nx0ceyrm/KkKRt2NTZvFCo+H0Wk1Ya7XkpDOtXHAd3ODy63MUkZoDweoAZbwH\n" +
++        "/M8SESIsrqC9OuCiKthZ6SnTGDWkrBFfGbW1G/8iSlzGeuQX7yCpp/Q/rYqnmgQl\n" +
++        "nQ7KN+ZQ/YxCKQSa7LnPS3K94gg2ryMvYuXKAdNw23yCIywWMQzGNgeQerEfZ1jE\n" +
++        "O1hZibCMjFCz2IbLaKPECudpSyDOwR5WS5WpI2jYMNjD67BVUc3l/Su49bsRn1NU\n" +
++        "9jQZjHkJNsphFyUXC4KYcwx3dMPVDceoEkzHp1RxRy4sGn3J4ys7SN4nhKdjNrN9\n" +
++        "j6BkOSQNPXuHr2ZcdBtLc7LljPCGmbjlxd+Ewbfr\n" +
++        "-----END CERTIFICATE-----";
++
++    // DigiNotar Public CA 2025, intermediate certificate
++    static String intermediateCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIGAzCCA+ugAwIBAgIQHn16Uz1FMEGWQA9xSB9FBDANBgkqhkiG9w0BAQUFADBf\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMRowGAYDVQQDExFEaWdp\n" +
++        "Tm90YXIgUm9vdCBDQTEgMB4GCSqGSIb3DQEJARYRaW5mb0BkaWdpbm90YXIubmww\n" +
++        "HhcNMDYwMjA2MTYwNzAyWhcNMjUwMzI4MTYwNzAyWjBmMQswCQYDVQQGEwJOTDES\n" +
++        "MBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdpTm90YXIgUHVibGljIENB\n" +
++        "IDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5vdGFyLm5sMIIBIjANBgkq\n" +
++        "hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs/2eu/I5fMG8lbvPph3e8zfJpZQtg/72\n" +
++        "Yx29+ivtKehiF6A3n785XyoY6IT3vlCrhy1CbMOY3M0x1n4YQlv17B0XZ/DqHyBA\n" +
++        "SQvnDNbkM9j4NoSy/sRtGsP6PetIFFjrhE9whZuvuSUC1PY4PruEEJp8zOCx4+wU\n" +
++        "Zt9xvjy4Xra+bSia5rwccQ/R5FYTGKrYCthOy9C9ud5Fhd++rlVhgdA/78w+Cs2s\n" +
++        "xS4i0MAxG75P3/e/bATJKepbydHdDjkyz9o3RW/wdPUXhzEw4EwUjYg6XJrDzMad\n" +
++        "6aL9M/eaxDjgz6o48EaWRDrGptaE2uJRuErVz7oOO0p/wYKq/BU+/wIDAQABo4IB\n" +
++        "sjCCAa4wOgYIKwYBBQUHAQEELjAsMCoGCCsGAQUFBzABhh5odHRwOi8vdmFsaWRh\n" +
++        "dGlvbi5kaWdpbm90YXIubmwwHwYDVR0jBBgwFoAUiGi/4I41xDs4a2L3KDuEgcgM\n" +
++        "100wEgYDVR0TAQH/BAgwBgEB/wIBADCBxgYDVR0gBIG+MIG7MIG4Bg5ghBABh2kB\n" +
++        "AQEBBQIGBDCBpTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpbm90YXIubmwv\n" +
++        "Y3BzMHoGCCsGAQUFBwICMG4abENvbmRpdGlvbnMsIGFzIG1lbnRpb25lZCBvbiBv\n" +
++        "dXIgd2Vic2l0ZSAod3d3LmRpZ2lub3Rhci5ubCksIGFyZSBhcHBsaWNhYmxlIHRv\n" +
++        "IGFsbCBvdXIgcHJvZHVjdHMgYW5kIHNlcnZpY2VzLjBDBgNVHR8EPDA6MDigNqA0\n" +
++        "hjJodHRwOi8vc2VydmljZS5kaWdpbm90YXIubmwvY3JsL3Jvb3QvbGF0ZXN0Q1JM\n" +
++        "LmNybDAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFN8zwK+S/jf8ttgWFtDZsZHV\n" +
++        "+m6lMA0GCSqGSIb3DQEBBQUAA4ICAQCfV1rmBd9QStEyQ40lT0tqby0/3ez0STuJ\n" +
++        "ESBQLQD56XYdb4VFSuqA6xTtiuSVHLoiv2xyISN9FvX3A5VtifkJ00JEaLQJiSsE\n" +
++        "wGDkYGl1DT7SsqtAVKdMAuCM+e0j0/RV3hZ6kcrM7/wFccHwM+/TiurR9lgZDzB4\n" +
++        "a7++A4XrYyKx9vc9ZwBEnD1nrAe7++gg9cuZgP7e+QL0FBHMjpw+gnCDjr2dzBZC\n" +
++        "4r+b8SOqlbPRPexBuNghlc7PfcPIyFis2LJXDRMWiAd3TcfdALwRsuKMR/T+cwyr\n" +
++        "asy69OEGHplLT57otQ524BDctDXNzlH9bHEh52QzqkWvIDqs42910IUy1nYNPIUG\n" +
++        "yYJV/T7H8Jb6vfMZWe47iUFvtNZCi8+b542gRUwdi+ca+hGviBC9Qr4Wv1pl7CBQ\n" +
++        "Hy1axTkHiQawUo/hgmoetCpftugl9yJTfvsBorUV1ZMxn9B1JLSGtWnbUsFRla7G\n" +
++        "fNa0IsUkzmmha8XCzvNu0d1PDGtcQyUqmDOE1Hx4cIBeuF8ipuIXkrVCr9zAZ4ZC\n" +
++        "hgz6aA1gDTW8whSRJqYEYEQ0pcMEFLyXE+Nz3O8NinO2AuxqKhjMk13203xA7lPY\n" +
++        "MnBQ0v7S3qqbp/pvPMiUhOz/VaYted6QmOY5EATBnFiLCuw87JXoAyp382eJ3WX1\n" +
++        "hOiR4IX9Tg==\n" +
++        "-----END CERTIFICATE-----";
++
++    // The fraudulent certificate issued by above compromised CA
++    static String targetCertStr =
++        "-----BEGIN CERTIFICATE-----\n" +
++        "MIIFKDCCBBCgAwIBAgIQBeLmpM0J6lTWZbB1/iKiVjANBgkqhkiG9w0BAQUFADBm\n" +
++        "MQswCQYDVQQGEwJOTDESMBAGA1UEChMJRGlnaU5vdGFyMSEwHwYDVQQDExhEaWdp\n" +
++        "Tm90YXIgUHVibGljIENBIDIwMjUxIDAeBgkqhkiG9w0BCQEWEWluZm9AZGlnaW5v\n" +
++        "dGFyLm5sMB4XDTExMDcxMDE5MDYzMFoXDTEzMDcwOTE5MDYzMFowajELMAkGA1UE\n" +
++        "BhMCVVMxEzARBgNVBAoTCkdvb2dsZSBJbmMxFjAUBgNVBAcTDU1vdW50YWluIFZp\n" +
++        "ZXcxFzAVBgNVBAUTDlBLMDAwMjI5MjAwMDAyMRUwEwYDVQQDEwwqLmdvb2dsZS5j\n" +
++        "b20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNbeKubCV0aCxhOiOS\n" +
++        "CSQ/w9HXTYuD5BLKuiqXNw3setdTymeJz2L8aWOHo3nicFNDVwWTgwWomGNr2J6Q\n" +
++        "7g1iINNSW0rR4E1l2szRkcnAY6c6i/Eke93nF4i2hDsnIBveolF5yjpuRm73uQQD\n" +
++        "ulHjA3BFRF/PTi0fw2/Yt+8ieoMuNcMWN6Eou5Gqt5YZkWv176ofeCbsBmMrP87x\n" +
++        "OhhtTDckCapk4VQZG2XrfzZcV6tdzCp5TI8uHdu17cdzXm1imZ8tyvzFeiCEOQN8\n" +
++        "vPNzB/fIr3CJQ5q4uM5aKT3DD5PeVzf4rfJKQNgCTWiIBc9XcWEUuszwAsnmg7e2\n" +
++        "EJRdAgMBAAGjggHMMIIByDA6BggrBgEFBQcBAQQuMCwwKgYIKwYBBQUHMAGGHmh0\n" +
++        "dHA6Ly92YWxpZGF0aW9uLmRpZ2lub3Rhci5ubDAfBgNVHSMEGDAWgBTfM8Cvkv43\n" +
++        "/LbYFhbQ2bGR1fpupTAJBgNVHRMEAjAAMIHGBgNVHSAEgb4wgbswgbgGDmCEEAGH\n" +
++        "aQEBAQIEAQICMIGlMCcGCCsGAQUFBwIBFhtodHRwOi8vd3d3LmRpZ2lub3Rhci5u\n" +
++        "bC9jcHMwegYIKwYBBQUHAgIwbhpsQ29uZGl0aW9ucywgYXMgbWVudGlvbmVkIG9u\n" +
++        "IG91ciB3ZWJzaXRlICh3d3cuZGlnaW5vdGFyLm5sKSwgYXJlIGFwcGxpY2FibGUg\n" +
++        "dG8gYWxsIG91ciBwcm9kdWN0cyBhbmQgc2VydmljZXMuMEkGA1UdHwRCMEAwPqA8\n" +
++        "oDqGOGh0dHA6Ly9zZXJ2aWNlLmRpZ2lub3Rhci5ubC9jcmwvcHVibGljMjAyNS9s\n" +
++        "YXRlc3RDUkwuY3JsMA4GA1UdDwEB/wQEAwIEsDAbBgNVHREEFDASgRBhZG1pbkBn\n" +
++        "b29nbGUuY29tMB0GA1UdDgQWBBQHSn0WJzIo0eMBMQUNsMqN6eF/7TANBgkqhkiG\n" +
++        "9w0BAQUFAAOCAQEAAs5dL7N9wzRJkI4Aq4lC5t8j5ZadqnqUcgYLADzSv4ExytNH\n" +
++        "UY2nH6iVTihC0UPSsILWraoeApdT7Rphz/8DLQEBRGdeKWAptNM3EbiXtQaZT2uB\n" +
++        "pidL8UoafX0kch3f71Y1scpBEjvu5ZZLnjg0A8AL0tnsereOVdDpU98bKqdbbrnM\n" +
++        "FRmBlSf7xdaNca6JJHeEpga4E9Ty683CmccrSGXdU2tTCuHEJww+iOAUtPIZcsum\n" +
++        "U7/eYeY1pMyGLyIjbNgRY7nDzRwvM/BsbL9eh4/mSQj/4nncqJd22sVQpCggQiVK\n" +
++        "baB2sVGcVNBkK55bT8gPqnx8JypubyUvayzZGg==\n" +
++        "-----END CERTIFICATE-----";
++
++    private static String tmAlgorithm;               // trust manager
++
++    public static void main(String args[]) throws Exception {
++        // Get the customized arguments.
++        parseArguments(args);
++
++        X509TrustManager tm = getTrustManager();
++        X509Certificate[] chain = getFraudulentChain();
++
++        Exception reservedException = null;
++        try {
++            tm.checkClientTrusted(chain, "RSA");
++        } catch (CertificateException ce) {
++            reservedException = ce;
++        }
++
++        if (reservedException == null) {
++            throw new Exception("Unable to block fraudulent certificate");
++        }
++
++        reservedException = null;
++        try {
++            tm.checkServerTrusted(chain, "RSA");
++        } catch (CertificateException ce) {
++            reservedException = ce;
++        }
++
++        if (reservedException == null) {
++            throw new Exception("Unable to block fraudulent certificate");
++        }
++
++        System.out.println(
++            "The expected untrusted cert exception: " + reservedException);
++    }
++
++    private static void parseArguments(String[] args) {
++        tmAlgorithm = args[0];
++    }
++
++    private static X509TrustManager getTrustManager() throws Exception {
++        // generate certificate from cert string
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        // create a key store
++        KeyStore ks = KeyStore.getInstance("JKS");
++        ks.load(null, null);
++
++        // import the trusted cert
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(trustedCertStr.getBytes())) {
++            Certificate trustedCert = cf.generateCertificate(is);
++            ks.setCertificateEntry("RSA Export Signer", trustedCert);
++        }
++
++        // create the trust manager
++        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm);
++        tmf.init(ks);
++
++        return (X509TrustManager)tmf.getTrustManagers()[0];
++    }
++
++    private static X509Certificate[] getFraudulentChain() throws Exception {
++        // generate certificate from cert string
++        CertificateFactory cf = CertificateFactory.getInstance("X.509");
++
++        X509Certificate[] chain = new X509Certificate[4];
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(targetCertStr.getBytes())) {
++            chain[0] = (X509Certificate)cf.generateCertificate(is);
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(intermediateCertStr.getBytes())) {
++            chain[1] = (X509Certificate)cf.generateCertificate(is);
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(compromisedCertStr.getBytes())) {
++            chain[2] = (X509Certificate)cf.generateCertificate(is);
++        }
++
++        try (ByteArrayInputStream is =
++                new ByteArrayInputStream(untrustedCrossCertStr.getBytes())) {
++            chain[3] = (X509Certificate)cf.generateCertificate(is);
++        }
++
++        return chain;
++    }
++}
++