From 58cc444e69adead98c25a5823860812ac328081d Mon Sep 17 00:00:00 2001
From: Artur Barashev
Date: Mon, 31 Mar 2025 09:59:10 -0400
Subject: [PATCH 1/5] 8272875: Change the default key manager to PKIX
---
 .../share/classes/javax/net/ssl/KeyManagerFactory.java | 2 +-
 src/java.base/share/conf/security/java.security | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java b/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
index 652a20c837705..b591d5a30e4dc 100644
--- a/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
+++ b/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
@@ -64,7 +64,7 @@ public class KeyManagerFactory {
 public static final String getDefaultAlgorithm() {
 String type = Security.getProperty("ssl.KeyManagerFactory.algorithm");
 if (type == null) {
- type = "SunX509";
+ type = "NewSunX509";
 }
 return type;
 }
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index 693d19438f6da..a5df0c4d2f785 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -320,7 +320,7 @@ security.overridePropertiesFile=true
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 #
-ssl.KeyManagerFactory.algorithm=SunX509
+ssl.KeyManagerFactory.algorithm=NewSunX509
 ssl.TrustManagerFactory.algorithm=PKIX
 #
From c80fc6a8ab9e775b1ce456f12834e5b11ff5085d Mon Sep 17 00:00:00 2001
From: Artur Barashev
Date: Thu, 17 Apr 2025 10:56:05 -0400
Subject: [PATCH 2/5] Use standard PKIX alias
---
 .../share/classes/javax/net/ssl/KeyManagerFactory.java | 2 +-
 src/java.base/share/conf/security/java.security | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java b/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
index b591d5a30e4dc..6c38e9577daf1 100644
--- a/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
+++ b/src/java.base/share/classes/javax/net/ssl/KeyManagerFactory.java
@@ -64,7 +64,7 @@ public class KeyManagerFactory {
 public static final String getDefaultAlgorithm() {
 String type = Security.getProperty("ssl.KeyManagerFactory.algorithm");
 if (type == null) {
- type = "NewSunX509";
+ type = "PKIX";
 }
 return type;
 }
diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
index e5826f549cfba..826e3b4a21d1d 100644
--- a/src/java.base/share/conf/security/java.security
+++ b/src/java.base/share/conf/security/java.security
@@ -320,7 +320,7 @@ security.overridePropertiesFile=true
 # Determines the default key and trust manager factory algorithms for
 # the javax.net.ssl package.
 #
-ssl.KeyManagerFactory.algorithm=NewSunX509
+ssl.KeyManagerFactory.algorithm=PKIX
 ssl.TrustManagerFactory.algorithm=PKIX
 #
From 19a2ad1d5501abbdda72dde0e833d1da8fc7856f Mon Sep 17 00:00:00 2001
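Review bot: The fallback literal `"PKIX"` in getDefaultAlgorithm duplicates the value set in java.security in the next hunk, and nothing at this line tells a reader that the two must agree or what the switch means for callers; patch 1's hunk on the same method is superseded by this one. The PrintSSL change in patch 5 shows the practical effect: the PKIX key manager apparently selects aliases by the peer's supported signature algorithms, so a keystore whose only certificate uses a disabled algorithm such as MD5withRSA no longer yields a key where SunX509 used to proceed. That compatibility consequence belongs in the method's Javadoc (outside the hunk) and in the release note rather than only in a test comment. I would also hoist the literal into `private static final String DEFAULT_ALGORITHM = "PKIX";` with the comment `// must match ssl.KeyManagerFactory.algorithm in conf/security/java.security`.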
From: Artur Barashev
Date: Fri, 18 Apr 2025 12:56:29 -0400
Subject: [PATCH 3/5] Rework unit tests
---
 .../rmi/ssl/SSLSocketParametersTest.java | 34 ++--
 test/jdk/javax/rmi/ssl/keystore | Bin 1364 -> 0 bytes
 test/jdk/javax/rmi/ssl/truststore | Bin 661 -> 0 bytes
 .../https/HttpsClient/ServerIdentityTest.java | 178 +++++++++++++++--
 .../www/protocol/https/HttpsClient/dnsstore | Bin 1418 -> 0 bytes
 .../www/protocol/https/HttpsClient/ipstore | Bin 1413 -> 0 bytes
 .../sun/security/tools/keytool/PrintSSL.java | 6 +-
 .../test/lib/security/CertificateBuilder.java | 21 +++
 8 files changed, 186 insertions(+), 53 deletions(-)
 delete mode 100644 test/jdk/javax/rmi/ssl/keystore
 delete mode 100644 test/jdk/javax/rmi/ssl/truststore
 delete mode 100644 test/jdk/sun/net/www/protocol/https/HttpsClient/dnsstore
 delete mode 100644 test/jdk/sun/net/www/protocol/https/HttpsClient/ipstore
diff --git a/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java b/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
index 6da3289458751..ead2473f8e361 100644
--- a/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
+++ b/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,8 @@
 /*
 * @test
 * @bug 5016500
- * @library /test/lib/
+ * @library /javax/net/ssl/templates
+ * /test/lib/
 * @summary Test SslRmi[Client|Server]SocketFactory SSL socket parameters.
 * @run main/othervm SSLSocketParametersTest 1
 * @run main/othervm SSLSocketParametersTest 2
@@ -36,8 +37,6 @@
 */
 import jdk.test.lib.Asserts;
-import java.io.IOException;
-import java.io.File;
 import java.io.Serializable;
 import java.lang.ref.Reference;
 import java.rmi.ConnectIOException;
@@ -49,13 +48,18 @@ import javax.rmi.ssl.SslRMIClientSocketFactory;
 import javax.rmi.ssl.SslRMIServerSocketFactory;
-public class SSLSocketParametersTest implements Serializable {
+public class SSLSocketParametersTest extends SSLContextTemplate implements
+ Serializable {
+
+ public SSLSocketParametersTest() throws Exception {
+ SSLContext.setDefault(createServerSSLContext());
+ }
 public interface Hello extends Remote {
 String sayHello() throws RemoteException;
 }
- public class HelloImpl implements Hello {
+ public static class HelloImpl implements Hello {
 public String sayHello() {
 return "Hello World!";
 }
@@ -134,23 +138,7 @@ public void runTest(int testNumber) throws Exception {
 }
 public static void main(String[] args) throws Exception {
- // Set keystore properties (server-side)
- //
- final String keystore = System.getProperty("test.src") + File.separator + "keystore";
- System.out.println("KeyStore = " + keystore);
- System.setProperty("javax.net.ssl.keyStore", keystore);
- System.setProperty("javax.net.ssl.keyStorePassword", "password");
-
- // Set truststore properties (client-side)
- //
- final String truststore = System.getProperty("test.src") + File.separator + "truststore";
- System.out.println("TrustStore = " + truststore);
- System.setProperty("javax.net.ssl.trustStore", truststore);
- System.setProperty("javax.net.ssl.trustStorePassword", "trustword");
-
 SSLSocketParametersTest test = new SSLSocketParametersTest();
 test.runTest(Integer.parseInt(args[0]));
 }
-}
\ No newline at end of file
+}
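Review bot: The new constructor's `SSLContext.setDefault(createServerSSLContext())` is a JVM-wide side effect hidden inside object construction, and it installs one context for both peers, whereas the keystore/truststore properties removed from main in the second hunk kept the server's key material apart from the client's trust store. Moving the call into main, right before `new SSLSocketParametersTest()`, keeps the global mutation where the old code had it and makes the set-up order visible; the same constructor is carried forward unchanged in the patch-5 hunk. If it stays in the constructor it needs a comment such as `// JVM-wide default: the SslRMI client and server factories both pick up this context, so it must carry key and trust material for both roles`, assuming SSLContextTemplate's server context does so (not visible here). The enclosing class body continues outside both hunks.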
diff --git a/test/jdk/javax/rmi/ssl/keystore b/test/jdk/javax/rmi/ssl/keystore deleted file mode 100644 index 05f535645827bae28d6168fe4ad38f55b4faa076..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1364 zcmezO_TO6u1_mY|W&~rFl+x@}AnVJnxrbPQ61xqWn6?}6v2kg$F|sgfF$pp@x>ho1^r&%56_HAo+kX-fS_qrLG%Yn5yK^;n~6$t&>v*xw~)X3eP!zSgL%KOtM?csA62-VTT4$i1_bl&AJ8J4Kf~ ziYq>~>~z7T=JwQ&`THIyDly((cmBuZsJWL9R9dwM*e?9V^W<2oX~rE?2@~@Z_DXF{XSl#`RkR;Szp|kbZYS*iaruy^P zST}Z@wO{qwyZOTFL-+qoSh8dGH)oMlb>{<@F6u5daCMvdGfKYnm+_yf)kmFuzP$0; zUO$K9wCIbL!f!l{|DreY@0nkf-PE&2@iS+ksfS&YmU@(7le43t zh=CADhFzFDI5DpzQNcMUu_)0{-ar;4$|WooT$-ogo0(jcUtC#SlA2qrqu`mBtY^q; zzztHsEzII&6zmG)G7Gb~0P~oEoH(z6v4M$^v7xbnk%2*!IIppRfu(^3luLgHHO@y4 z6JR!HZtP_+XzXNaY-HGfCcO30-Nk>C&t^D3kre0H7s|HG%zJ|HgZJC_FP+00a)3{8 z>dl}fM{>-U?K)u?^slWj`}isG>HM2}Hf@xwP3+FPCH2Eu?D39r?N9aJ&br)Lbi`95G5&Q? z%Y`i+Gi`!B4lzGva^Ygy+7q!NgeN#ov?O}MlGRgNvaYtgc(UBxPV3kQ^@DF}rhYtg zZtpz@_BOUjDzmggY+H9)n(a*vTbg~J;Y+sM;`SA@pBVj}A|Xg7Aa)+xIV>!y0mcPjKqZpe09g%$Myt zVHovdhjZj%K8IQPahLD-cyDL3^t-z{g1PXojrhM3%^3}^cKpjWE!;bG@5VE8^P1m# zwVl1{7ZbDj&;h%LjZ8wTCJ4`e`e`SF!W;o6r?AX#*@B;xnV1w2n|n5Gl&nqc&blS_!&&U{j&ki!_216A+*x$QQzJ3{by3TOEgds$f;|o~ zKV@>^V%pjhu_A;gI8L-Adcu;`Q(LmGw!C<<+}%#=*a!84Z)&D~JacaEJqPwSwn-|p zv_foKcUqe5O%7X{eV^e=w%p?O6|)c8LuwC@I@}FWYV3g%hzWZEXoRNOM3QpP0OFVGxC1= zZ?4UXUn&F;X;MA+(vzdSDpmd7_ASo&wqd$F=Uh(@v1!ja z8*h2e|NOg^Ntt8&?!D@X5!>ATzFa!ru}10R>bEmLW@#>1Tb7!-)6eyNNn`xPR#7|I z_Z(lo9XR{z!#+>0KT7$<%pH<$(LZOo?!Dap{~>qlrG+Y|+N)e&c2=C15{Wbyt-N(b zq2yHg6S;R2%U+j=NY=M~*}f-Sv1;GJCE|Oo#qV8v^4pJWr}JliwrXZPy8YJam~5p= zj52S|URSx@Vh+{2f*x#JARbbmI%DgadkN`pq9QvV#ZGs*#CBUjVc%;7yPErj0ta5m zg$DcGkDDSUbN8xl{;7*k`Sq`v-V@m{vCbz)cky^*L%$An_t(iDqbg$dgfj6Ew<)8f*;vm^=8eCKeY4A+z%WtT?3~{bu9e( z|EkR;!{jUJwx7OwUOFsk`^n*OuS{RxDhru=p%EXRJ$Zii%F}*H)1&O$WCV77AFSI4gbEXxh}hr5d9`LKxos=k5`gc zazG1U(Ju3HtIx^FZm9z7ewTkjG$X|+`I&VFxjie`<_Gc~XTCge_F zLT)u^VtluNnTe5!iN#vd#AN85K^Mn)D^27@X?ZUas>=1>+kVW!YvLtz6! 
z5QjsU%Q-P8GcCU;FEi0l$Up!j$S%z3Tw0J?RFavOZzyRX4ie)M76>lQQ}E49F3K;i zEG|jSEjAQ05CKVX3-fv7C^jfrD530@C%& zBb!4~pD=Bl=w|!ohPh&Fs!i`E|CvSgj#>|=zm7PmK9RjaYjbdAsoqVeo`{9pE!n+yoS2i5UtEIha9|WO16{29ZS{>W z-zHl9l&nm&bu)SL{_)~}9|VGTJxUKSUirHF@(HDdhtA%ZlfHpx^Ipzn_Ci`VZQX{^ zPFWJ2iPx52yK{Emr09;d_Z5Em)ZdX-Z?=hiUS+dULQCmxp;kdoV#BiCiQ6+Yu5McQ z!u#LSNbhZb6z1zbNn0zc=TYXeLVoY*u#LOlrcZA>FjG8oj=|jHdv5s}Hx*t60MwgF ATL1t6 diff --git a/test/jdk/sun/net/www/protocol/https/HttpsClient/ipstore b/test/jdk/sun/net/www/protocol/https/HttpsClient/ipstore deleted file mode 100644 index 04a9508e0a1c4472d60ffc5f2e3fcaa87812093f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1413 zcmezO_TO6u1_mY|W&~rl;?$zD)FL4J+1bf~>wr?b44Rm>8St@jX|pl1FlsRgGBUC< zurx6(5}mDfMEY-j<1~%bH$S*H`r-XsZ` z9+D8eY5i5Fx!@;v>8C9YJS`_ys=Qsv$h#u5SC+}k^R`1>@?tjCwbFMlOy%c!%Rg=D z<(X6bW8QImoc!Cn%0S}bjwrJiKjJt|ca~du3Y9GR&q9{=?AY^BzZi|%T(ZY0jGTHso*D9j~(Ev+h%{^!QV-b%6{Abm}cL1=F+#z zzN>gv-dSCF!gAf@UF)AldrtfP=G5iXHx;ZYHwq^1Uve|=cjy+s1IFF6kF4L9ANXl? zZ1?A|&ssr|mz}p~M67N}TN?7Nr%ox<>*=%ONhPU?tdFu@v(4w9kRX3bxp80k=YK+Z zjBiSHijPQY_8H0a$93mp^ZzJZ-V#*t=)vw8Ij`(C$!-n1 z?7(zi^2rB}DJIINRomsO&i|cz|Z3)qnZoOTaZ!9rOKkcco#?IYQMjuWr zEH+qm#=xt;`=k4J|Ep7tg{Dnf&VJHtq5K+aGd4s26vZn>PHRKDD>r9+lJu;ts+zv+ z!%CLxJ3hR*GEL)fcPi`0UZvyJbItxscdED@C`fu@syBaT>$lEb(`JHGG;4&OsevUh zA-4b%a)Ut=IJMe5+P?ELGP1BT7*rW@8*s8QhqABsgiezN4lR&yo4*+nZqh1wCbQ!cJ?a_RkEyDl)Oe zKXL}^70!giL5(3VUaUKO(LcZpNdJu diff --git a/test/jdk/sun/security/tools/keytool/PrintSSL.java b/test/jdk/sun/security/tools/keytool/PrintSSL.java index 7cdc0a4577104..70c0fafac02ee 100644 --- a/test/jdk/sun/security/tools/keytool/PrintSSL.java +++ b/test/jdk/sun/security/tools/keytool/PrintSSL.java 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2008, 2025, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -53,8 +53,8 @@ public static void main(String[] args) throws Throwable {
 // make sure that "-printcert" works with weak algorithms
 OutputAnalyzer out = SecurityTools.keytool("-genkeypair "
 + "-keystore keystore -storepass passphrase "
- + "-keypass passphrase -keyalg rsa -keysize 1024 "
- + "-sigalg MD5withRSA -alias rsa_alias -dname CN=Server");
+ + "-keypass passphrase -keyalg rsa -keysize 2048 "
+ + "-sigalg SHA256withRSA -alias rsa_alias -dname CN=Server");
 System.out.println(out.getOutput());
 out.shouldHaveExitValue(0);
diff --git a/test/lib/jdk/test/lib/security/CertificateBuilder.java b/test/lib/jdk/test/lib/security/CertificateBuilder.java
index 60358c9a4eabf..c86fe1049200c 100644
--- a/test/lib/jdk/test/lib/security/CertificateBuilder.java
+++ b/test/lib/jdk/test/lib/security/CertificateBuilder.java
@@ -43,6 +43,7 @@ import sun.security.x509.AlgorithmId;
 import sun.security.x509.AuthorityInfoAccessExtension;
 import sun.security.x509.AuthorityKeyIdentifierExtension;
+import sun.security.x509.IPAddressName;
 import sun.security.x509.SubjectKeyIdentifierExtension;
 import sun.security.x509.BasicConstraintsExtension;
 import sun.security.x509.CertificateSerialNumber;
@@ -233,6 +234,26 @@ public CertificateBuilder addSubjectAltNameDNSExt(List dnsNames)
 return this;
 }
+ /**
+ * Helper method to add IPAddress types for the SAN extension
+ *
+ * @param IPAddresses A {@code List} of names to add as IPAddress
+ * types
+ * @throws IOException if an encoding error occurs.
+ */
+ public CertificateBuilder addSubjectAltNameIPExt(List IPAddresses)
+ throws IOException {
+ if (!IPAddresses.isEmpty()) {
+ GeneralNames gNames = new GeneralNames();
+ for (String name : IPAddresses) {
+ gNames.add(new GeneralName(new IPAddressName(name)));
+ }
+ addExtension(new SubjectAlternativeNameExtension(false,
+ gNames));
+ }
+ return this;
+ }
+
 /**
 * Helper method to add one or more OCSP URIs to the Authority Info Access
 * certificate extension. Location strings can be in two forms:
From e5e83514e3af4db23dde0143f109a111a090b7fd Mon Sep 17 00:00:00 2001
From: Artur Barashev
Date: Thu, 24 Apr 2025 14:21:26 -0400
Subject: [PATCH 4/5] Skip explicit KeyPair initialization and let the provider default set it
---
 .../net/www/protocol/https/HttpsClient/ServerIdentityTest.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java b/test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java
index 5164acd66a5e2..5803da2510a6d 100644
--- a/test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java
+++ b/test/jdk/sun/net/www/protocol/https/HttpsClient/ServerIdentityTest.java
@@ -144,7 +144,6 @@ private static void initialize(String[] args) throws Exception {
 hostname = args[1];
 KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
- kpg.initialize(2048);
 KeyPair caKeys = kpg.generateKeyPair();
 KeyPair serverKeys = kpg.generateKeyPair();
 KeyPair clientKeys = kpg.generateKeyPair();
From 2b0c5525262ca1f87a956d98ab5900d6ad137189 Mon Sep 17 00:00:00 2001
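Review bot: addSubjectAltNameIPExt adds a fresh SubjectAlternativeNameExtension, exactly as the DNS helper above it does, so a caller that uses both ends up with two SAN extensions unless addExtension (not visible here) replaces by OID; RFC 5280 forbids more than one instance of an extension, and the Javadoc does not say which helper wins. Either merge both name lists into one GeneralNames before the single addExtension call, or state in the Javadoc of both helpers that they are mutually exclusive. The `@throws` text should also say that the `IPAddressName(String)` constructor rejects an unparseable address with IOException, since that is the likelier failure here. Minor style: the parameter `IPAddresses` should be `ipAddresses`, matching the sibling method's `dnsNames`.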
From: Artur Barashev
Date: Tue, 29 Apr 2025 17:47:45 -0400
Subject: [PATCH 5/5] Address review comments
---
 test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java | 3 +--
 test/jdk/sun/security/tools/keytool/PrintSSL.java | 10 ++++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java b/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
index ead2473f8e361..3aa7a98c39403 100644
--- a/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
+++ b/test/jdk/javax/rmi/ssl/SSLSocketParametersTest.java
@@ -48,8 +48,7 @@ import javax.rmi.ssl.SslRMIClientSocketFactory;
 import javax.rmi.ssl.SslRMIServerSocketFactory;
-public class SSLSocketParametersTest extends SSLContextTemplate implements
- Serializable {
+public class SSLSocketParametersTest extends SSLContextTemplate {
 public SSLSocketParametersTest() throws Exception {
 SSLContext.setDefault(createServerSSLContext());
diff --git a/test/jdk/sun/security/tools/keytool/PrintSSL.java b/test/jdk/sun/security/tools/keytool/PrintSSL.java
index 70c0fafac02ee..0a29b83159cc3 100644
--- a/test/jdk/sun/security/tools/keytool/PrintSSL.java
+++ b/test/jdk/sun/security/tools/keytool/PrintSSL.java
@@ -39,6 +39,7 @@ import java.net.ServerSocket;
 import java.nio.file.Files;
 import java.nio.file.Paths;
+import java.security.Security;
 import java.util.concurrent.CountDownLatch;
 import javax.net.ssl.SSLServerSocketFactory;
 import javax.net.ssl.SSLSocket;
@@ -48,13 +49,18 @@ public class PrintSSL {
 public static void main(String[] args) throws Throwable {
+ // Using "SunX509" KeyManager which doesn't check peer supported
+ // signature algorithms, so we can make keytool print certificate
+ // with weak MD5withRSA signature algorithm.
+ Security.setProperty("ssl.KeyManagerFactory.algorithm", "SunX509");
+
 Files.deleteIfExists(Paths.get("keystore"));
 // make sure that "-printcert" works with weak algorithms
 OutputAnalyzer out = SecurityTools.keytool("-genkeypair "
 + "-keystore keystore -storepass passphrase "
- + "-keypass passphrase -keyalg rsa -keysize 2048 "
- + "-sigalg SHA256withRSA -alias rsa_alias -dname CN=Server");
+ + "-keypass passphrase -keyalg rsa -keysize 1024 "
+ + "-sigalg MD5withRSA -alias rsa_alias -dname CN=Server");
 System.out.println(out.getOutput());
 out.shouldHaveExitValue(0);
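Review bot: `Security.setProperty("ssl.KeyManagerFactory.algorithm", "SunX509")` changes a JVM-wide security property and is never restored, so the test is only safe in its own VM; the `@run` tag is outside the hunk, so I cannot confirm it uses `main/othervm`, and the comment should record that dependency. The comment also explains the MD5withRSA signature but not the 1024-bit key that the same hunk reintroduces, so the next reader will be tempted to bump it again as patch 3 did. I would extend it with `// JVM-wide property; the test must run in its own VM (main/othervm)` and `// 1024-bit RSA and MD5withRSA are deliberate: the test checks that -printcert still copes with weak algorithms`.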