authortromey <tromey@138bc75d-0d04-0410-961f-82ee72b054a4>2005-07-16 00:30:23 +0000
committertromey <tromey@138bc75d-0d04-0410-961f-82ee72b054a4>2005-07-16 00:30:23 +0000
commitc8875fb97fc03779a5bba09872227b1d08e5d52a (patch)
treea0b991cf5866ae1d616639b906ac001811d74508 /libjava/classpath/java/security
parentc40c1730800ed292b6db39a83d592476fa59623c (diff)
Initial revision
git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@102074 138bc75d-0d04-0410-961f-82ee72b054a4
Diffstat (limited to 'libjava/classpath/java/security')
-rw-r--r--libjava/classpath/java/security/AccessControlContext.java176
-rw-r--r--libjava/classpath/java/security/AccessControlException.java97
-rw-r--r--libjava/classpath/java/security/AccessController.java221
-rw-r--r--libjava/classpath/java/security/AlgorithmParameterGenerator.java302
-rw-r--r--libjava/classpath/java/security/AlgorithmParameterGeneratorSpi.java94
-rw-r--r--libjava/classpath/java/security/AlgorithmParameters.java340
-rw-r--r--libjava/classpath/java/security/AlgorithmParametersSpi.java149
-rw-r--r--libjava/classpath/java/security/AllPermission.java198
-rw-r--r--libjava/classpath/java/security/BasicPermission.java308
-rw-r--r--libjava/classpath/java/security/Certificate.java125
-rw-r--r--libjava/classpath/java/security/CodeSource.java354
-rw-r--r--libjava/classpath/java/security/DigestException.java70
-rw-r--r--libjava/classpath/java/security/DigestInputStream.java167
-rw-r--r--libjava/classpath/java/security/DigestOutputStream.java158
-rw-r--r--libjava/classpath/java/security/DomainCombiner.java67
-rw-r--r--libjava/classpath/java/security/DummyKeyPairGenerator.java75
-rw-r--r--libjava/classpath/java/security/DummyMessageDigest.java90
-rw-r--r--libjava/classpath/java/security/DummySignature.java102
-rw-r--r--libjava/classpath/java/security/GeneralSecurityException.java75
-rw-r--r--libjava/classpath/java/security/Guard.java60
-rw-r--r--libjava/classpath/java/security/GuardedObject.java121
-rw-r--r--libjava/classpath/java/security/Identity.java407
-rw-r--r--libjava/classpath/java/security/IdentityScope.java226
-rw-r--r--libjava/classpath/java/security/IntersectingDomainCombiner.java82
-rw-r--r--libjava/classpath/java/security/InvalidAlgorithmParameterException.java73
-rw-r--r--libjava/classpath/java/security/InvalidKeyException.java69
-rw-r--r--libjava/classpath/java/security/InvalidParameterException.java70
-rw-r--r--libjava/classpath/java/security/Key.java94
-rw-r--r--libjava/classpath/java/security/KeyException.java72
-rw-r--r--libjava/classpath/java/security/KeyFactory.java297
-rw-r--r--libjava/classpath/java/security/KeyFactorySpi.java133
-rw-r--r--libjava/classpath/java/security/KeyManagementException.java71
-rw-r--r--libjava/classpath/java/security/KeyPair.java87
-rw-r--r--libjava/classpath/java/security/KeyPairGenerator.java401
-rw-r--r--libjava/classpath/java/security/KeyPairGeneratorSpi.java102
-rw-r--r--libjava/classpath/java/security/KeyStore.java507
-rw-r--r--libjava/classpath/java/security/KeyStoreException.java70
-rw-r--r--libjava/classpath/java/security/KeyStoreSpi.java275
-rw-r--r--libjava/classpath/java/security/MessageDigest.java413
-rw-r--r--libjava/classpath/java/security/MessageDigestSpi.java155
-rw-r--r--libjava/classpath/java/security/NoSuchAlgorithmException.java70
-rw-r--r--libjava/classpath/java/security/NoSuchProviderException.java70
-rw-r--r--libjava/classpath/java/security/Permission.java187
-rw-r--r--libjava/classpath/java/security/PermissionCollection.java167
-rw-r--r--libjava/classpath/java/security/Permissions.java254
-rw-r--r--libjava/classpath/java/security/Policy.java310
-rw-r--r--libjava/classpath/java/security/Principal.java85
-rw-r--r--libjava/classpath/java/security/PrivateKey.java62
-rw-r--r--libjava/classpath/java/security/PrivilegedAction.java64
-rw-r--r--libjava/classpath/java/security/PrivilegedActionException.java109
-rw-r--r--libjava/classpath/java/security/PrivilegedExceptionAction.java65
-rw-r--r--libjava/classpath/java/security/ProtectionDomain.java269
-rw-r--r--libjava/classpath/java/security/Provider.java202
-rw-r--r--libjava/classpath/java/security/ProviderException.java70
-rw-r--r--libjava/classpath/java/security/PublicKey.java60
-rw-r--r--libjava/classpath/java/security/SecureClassLoader.java128
-rw-r--r--libjava/classpath/java/security/SecureRandom.java380
-rw-r--r--libjava/classpath/java/security/SecureRandomSpi.java85
-rw-r--r--libjava/classpath/java/security/Security.java740
-rw-r--r--libjava/classpath/java/security/SecurityPermission.java178
-rw-r--r--libjava/classpath/java/security/Signature.java636
-rw-r--r--libjava/classpath/java/security/SignatureException.java70
-rw-r--r--libjava/classpath/java/security/SignatureSpi.java302
-rw-r--r--libjava/classpath/java/security/SignedObject.java240
-rw-r--r--libjava/classpath/java/security/Signer.java164
-rw-r--r--libjava/classpath/java/security/UnrecoverableKeyException.java71
-rw-r--r--libjava/classpath/java/security/UnresolvedPermission.java304
-rw-r--r--libjava/classpath/java/security/acl/Acl.java153
-rw-r--r--libjava/classpath/java/security/acl/AclEntry.java143
-rw-r--r--libjava/classpath/java/security/acl/AclNotFoundException.java60
-rw-r--r--libjava/classpath/java/security/acl/Group.java90
-rw-r--r--libjava/classpath/java/security/acl/LastOwnerException.java62
-rw-r--r--libjava/classpath/java/security/acl/NotOwnerException.java62
-rw-r--r--libjava/classpath/java/security/acl/Owner.java95
-rw-r--r--libjava/classpath/java/security/acl/Permission.java67
-rw-r--r--libjava/classpath/java/security/acl/package.html46
-rw-r--r--libjava/classpath/java/security/cert/CRL.java98
-rw-r--r--libjava/classpath/java/security/cert/CRLException.java73
-rw-r--r--libjava/classpath/java/security/cert/CRLSelector.java69
-rw-r--r--libjava/classpath/java/security/cert/CertPath.java252
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilder.java238
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilderException.java159
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilderResult.java63
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilderSpi.java74
-rw-r--r--libjava/classpath/java/security/cert/CertPathParameters.java58
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidator.java249
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidatorException.java226
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidatorResult.java63
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidatorSpi.java79
-rw-r--r--libjava/classpath/java/security/cert/CertSelector.java58
-rw-r--r--libjava/classpath/java/security/cert/CertStore.java294
-rw-r--r--libjava/classpath/java/security/cert/CertStoreException.java159
-rw-r--r--libjava/classpath/java/security/cert/CertStoreParameters.java60
-rw-r--r--libjava/classpath/java/security/cert/CertStoreSpi.java102
-rw-r--r--libjava/classpath/java/security/cert/Certificate.java306
-rw-r--r--libjava/classpath/java/security/cert/CertificateEncodingException.java71
-rw-r--r--libjava/classpath/java/security/cert/CertificateException.java74
-rw-r--r--libjava/classpath/java/security/cert/CertificateExpiredException.java71
-rw-r--r--libjava/classpath/java/security/cert/CertificateFactory.java358
-rw-r--r--libjava/classpath/java/security/cert/CertificateFactorySpi.java225
-rw-r--r--libjava/classpath/java/security/cert/CertificateNotYetValidException.java71
-rw-r--r--libjava/classpath/java/security/cert/CertificateParsingException.java71
-rw-r--r--libjava/classpath/java/security/cert/CollectionCertStoreParameters.java121
-rw-r--r--libjava/classpath/java/security/cert/LDAPCertStoreParameters.java140
-rw-r--r--libjava/classpath/java/security/cert/PKIXBuilderParameters.java145
-rw-r--r--libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java102
-rw-r--r--libjava/classpath/java/security/cert/PKIXCertPathChecker.java133
-rw-r--r--libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java142
-rw-r--r--libjava/classpath/java/security/cert/PKIXParameters.java546
-rw-r--r--libjava/classpath/java/security/cert/PolicyNode.java102
-rw-r--r--libjava/classpath/java/security/cert/PolicyQualifierInfo.java168
-rw-r--r--libjava/classpath/java/security/cert/TrustAnchor.java185
-rw-r--r--libjava/classpath/java/security/cert/X509CRL.java397
-rw-r--r--libjava/classpath/java/security/cert/X509CRLEntry.java169
-rw-r--r--libjava/classpath/java/security/cert/X509CRLSelector.java440
-rw-r--r--libjava/classpath/java/security/cert/X509CertSelector.java1106
-rw-r--r--libjava/classpath/java/security/cert/X509Certificate.java588
-rw-r--r--libjava/classpath/java/security/cert/X509Extension.java113
-rw-r--r--libjava/classpath/java/security/cert/package.html46
-rw-r--r--libjava/classpath/java/security/interfaces/DSAKey.java56
-rw-r--r--libjava/classpath/java/security/interfaces/DSAKeyPairGenerator.java85
-rw-r--r--libjava/classpath/java/security/interfaces/DSAParams.java72
-rw-r--r--libjava/classpath/java/security/interfaces/DSAPrivateKey.java61
-rw-r--r--libjava/classpath/java/security/interfaces/DSAPublicKey.java61
-rw-r--r--libjava/classpath/java/security/interfaces/RSAKey.java57
-rw-r--r--libjava/classpath/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java111
-rw-r--r--libjava/classpath/java/security/interfaces/RSAPrivateCrtKey.java95
-rw-r--r--libjava/classpath/java/security/interfaces/RSAPrivateKey.java60
-rw-r--r--libjava/classpath/java/security/interfaces/RSAPublicKey.java60
-rw-r--r--libjava/classpath/java/security/interfaces/package.html46
-rw-r--r--libjava/classpath/java/security/package.html46
-rw-r--r--libjava/classpath/java/security/spec/AlgorithmParameterSpec.java52
-rw-r--r--libjava/classpath/java/security/spec/DSAParameterSpec.java101
-rw-r--r--libjava/classpath/java/security/spec/DSAPrivateKeySpec.java113
-rw-r--r--libjava/classpath/java/security/spec/DSAPublicKeySpec.java113
-rw-r--r--libjava/classpath/java/security/spec/EncodedKeySpec.java85
-rw-r--r--libjava/classpath/java/security/spec/InvalidKeySpecException.java74
-rw-r--r--libjava/classpath/java/security/spec/InvalidParameterSpecException.java76
-rw-r--r--libjava/classpath/java/security/spec/KeySpec.java52
-rw-r--r--libjava/classpath/java/security/spec/PKCS8EncodedKeySpec.java81
-rw-r--r--libjava/classpath/java/security/spec/PSSParameterSpec.java90
-rw-r--r--libjava/classpath/java/security/spec/RSAKeyGenParameterSpec.java97
-rw-r--r--libjava/classpath/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.java217
-rw-r--r--libjava/classpath/java/security/spec/RSAOtherPrimeInfo.java133
-rw-r--r--libjava/classpath/java/security/spec/RSAPrivateCrtKeySpec.java151
-rw-r--r--libjava/classpath/java/security/spec/RSAPrivateKeySpec.java88
-rw-r--r--libjava/classpath/java/security/spec/RSAPublicKeySpec.java88
-rw-r--r--libjava/classpath/java/security/spec/X509EncodedKeySpec.java82
-rw-r--r--libjava/classpath/java/security/spec/package.html46
149 files changed, 23886 insertions, 0 deletions
diff --git a/libjava/classpath/java/security/AccessControlContext.java b/libjava/classpath/java/security/AccessControlContext.java
new file mode 100644
index 00000000000..9a6ad208144
--- /dev/null
+++ b/libjava/classpath/java/security/AccessControlContext.java
@@ -0,0 +1,176 @@
+/* AccessControlContext.java --- Access Control Context Class
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.util.HashSet;
+
+/**
+ * AccessControlContext makes system resource access decsion
+ * based on permission rights.
+ *
+ * It is used for a specific context and has only one method
+ * checkPermission. It is similar to AccessController except
+ * that it makes decsions based on the current context instead
+ * of the the current thread.
+ *
+ * It is created by call AccessController.getContext method.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ */
+public final class AccessControlContext
+{
+ private final ProtectionDomain[] protectionDomains;
+ private final DomainCombiner combiner;
+
+ /**
+ * Construct a new AccessControlContext with the specified
+ * ProtectionDomains. <code>context</code> must not be
+ * null and duplicates will be removed.
+ *
+ * @param context The ProtectionDomains to use
+ */
+ public AccessControlContext(ProtectionDomain[] context)
+ {
+ HashSet domains = new HashSet (context.length);
+ for (int i = 0; i < context.length; i++)
+ domains.add (context[i]);
+ protectionDomains = (ProtectionDomain[])
+ domains.toArray (new ProtectionDomain[domains.size()]);
+ combiner = null;
+ }
+
+ /**
+ * Construct a new AccessControlContext with the specified
+ * ProtectionDomains and DomainCombiner
+ *
+ * @since 1.3
+ */
+ public AccessControlContext(AccessControlContext acc,
+ DomainCombiner combiner)
+ {
+ // XXX check permission to call this.
+ AccessControlContext acc2 = AccessController.getContext();
+ protectionDomains = combiner.combine (acc2.protectionDomains,
+ acc.protectionDomains);
+ this.combiner = combiner;
+ }
+
+ AccessControlContext (ProtectionDomain[] domains, AccessControlContext acc,
+ DomainCombiner combiner)
+ {
+ protectionDomains = combiner.combine (domains, acc.protectionDomains);
+ this.combiner = combiner;
+ }
+
+ /**
+ * Returns the Domain Combiner associated with the AccessControlContext
+ *
+ * @return the DomainCombiner
+ */
+ public DomainCombiner getDomainCombiner()
+ {
+ return combiner;
+ }
+
+ /**
+ * Determines whether or not the specific permission is granted
+ * depending on the context it is within.
+ *
+ * @param perm a permission to check
+ *
+ * @throws AccessControlException if the permssion is not permitted
+ */
+ public void checkPermission(Permission perm) throws AccessControlException
+ {
+ if (protectionDomains.length == 0)
+ throw new AccessControlException ("permission not granted");
+ for (int i = 0; i < protectionDomains.length; i++)
+ if (!protectionDomains[i].implies(perm))
+ throw new AccessControlException ("permission not granted");
+ }
+
+ /**
+ * Checks if two AccessControlContexts are equal.
+ *
+ * It first checks if obj is an AccessControlContext class, and
+ * then checks if each ProtectionDomain matches.
+ *
+ * @param obj The object to compare this class to
+ *
+ * @return true if equal, false otherwise
+ */
+ public boolean equals(Object obj)
+ {
+ if (obj instanceof AccessControlContext)
+ {
+ AccessControlContext acc = (AccessControlContext) obj;
+
+ if (acc.protectionDomains.length != protectionDomains.length)
+ return false;
+
+ int i, j;
+ for (i = 0; i < protectionDomains.length; i++)
+ {
+ for (j = 0; j < acc.protectionDomains.length; j++)
+ {
+ if (acc.protectionDomains[j].equals (protectionDomains[i]))
+ break;
+ }
+ if (j == acc.protectionDomains.length)
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Computes a hash code of this class
+ *
+ * @return a hash code representing this class
+ */
+ public int hashCode()
+ {
+ int h = 0;
+ for (int i = 0; i < protectionDomains.length; i++)
+ h ^= protectionDomains[i].hashCode();
+
+ return h;
+ }
+}
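Review bot: The public `AccessControlContext(AccessControlContext acc, DomainCombiner combiner)` constructor still carries `// XXX check permission to call this.` and performs no check, so any caller can supply a combiner whose `combine()` result becomes this context's domain list and therefore decides what `checkPermission` allows. Before the call to `AccessController.getContext()` I would add `SecurityManager sm = System.getSecurityManager(); if (sm != null) sm.checkPermission(new SecurityPermission("createAccessControlContext"));`, which is the target the JDK documents for this constructor. The same constructor dereferences `acc` and `combiner` without a null check, which the Javadoc should at least state. Separately, `checkPermission` throws `new AccessControlException ("permission not granted")` without the permission; passing `perm` as the second argument would let `getPermission()` report what was denied.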
diff --git a/libjava/classpath/java/security/AccessControlException.java b/libjava/classpath/java/security/AccessControlException.java
new file mode 100644
index 00000000000..27aee7c869a
--- /dev/null
+++ b/libjava/classpath/java/security/AccessControlException.java
@@ -0,0 +1,97 @@
+/* AccessControlException.java -- Permission is denied
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when the <code>AccessController</code> denies
+ * an attempt to perform an operation. This often keeps track of the
+ * permission that was not granted.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see AccessController
+ * @status updated to 1.4
+ */
+public class AccessControlException extends SecurityException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 5138225684096988535L;
+
+ /**
+ * The <code>Permission</code> associated with this exception.
+ *
+ * @serial the permission
+ */
+ private final Permission perm;
+
+ /**
+ * Create a new instance with a descriptive error message, and a null
+ * <code>Permission</code> object.
+ *
+ * @param msg the descriptive error message
+ */
+ public AccessControlException(String msg)
+ {
+ this(msg, null);
+ }
+
+ /**
+ * Create a new instance with a descriptive error message and an associated
+ * <code>Permission</code> object.
+ *
+ * @param msg the descriptive error message
+ * @param perm the permission that caused this
+ */
+ public AccessControlException(String msg, Permission perm)
+ {
+ super(msg);
+ this.perm = perm;
+ }
+
+ /**
+ * This method returns the <code>Permission</code> object that caused
+ * this exception to be thrown.
+ *
+ * @return the denied permission, or null
+ */
+ public Permission getPermission()
+ {
+ return perm;
+ }
+}
diff --git a/libjava/classpath/java/security/AccessController.java b/libjava/classpath/java/security/AccessController.java
new file mode 100644
index 00000000000..bc9c2deefbb
--- /dev/null
+++ b/libjava/classpath/java/security/AccessController.java
@@ -0,0 +1,221 @@
+/* AccessController.java --- Access control context and permission checker
+ Copyright (C) 2001, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * Access control context and permission checker.
+ * Can check permissions in the access control context of the current thread
+ * through the <code>checkPermission()</code> method.
+ * Manipulates the access control context for code that needs to be executed
+ * the protection domain of the calling class (by explicitly ignoring the
+ * context of the calling code) in the <code>doPrivileged()</code> methods.
+ * And provides a <code>getContext()</code> method which gives the access
+ * control context of the current thread that can be used for checking
+ * permissions at a later time and/or in another thread.
+ *
+ * @author Mark Wielaard (mark@klomp.org)
+ * @since 1.2
+ */
+public final class AccessController
+{
+ /**
+ * This class only has static methods so there is no public contructor.
+ */
+ private AccessController()
+ {
+ }
+
+ /**
+ * Checks wether the access control context of the current thread allows
+ * the given Permission. Throws an <code>AccessControlException</code>
+ * when the permission is not allowed in the current context. Otherwise
+ * returns silently without throwing an exception.
+ *
+ * @param perm the permission to be checked.
+ * @exception AccessControlException thrown if the current context does not
+ * allow the given permission.
+ */
+ public static void checkPermission(Permission perm)
+ throws AccessControlException
+ {
+ getContext().checkPermission(perm);
+ }
+
+ /**
+ * Calls the <code>run()</code> method of the given action with as
+ * (initial) access control context only the protection domain of the
+ * calling class. Calls to <code>checkPermission()</code> in the
+ * <code>run()</code> method ignore all earlier protection domains of
+ * classes in the call chain. Note that the protection domains of classes
+ * called by the code in the <code>run()</code> method are not ignored.
+ *
+ * @param action the <code>PrivilegedAction</code> whose <code>run()</code>
+ * should be be called.
+ * @return the result of the <code>action.run()</code> method.
+ */
+ public static Object doPrivileged(PrivilegedAction action)
+ {
+ VMAccessController.pushContext(null);
+ try
+ {
+ return action.run();
+ }
+ finally
+ {
+ VMAccessController.popContext();
+ }
+ }
+
+ /**
+ * Calls the <code>run()</code> method of the given action with as
+ * (initial) access control context the given context combined with the
+ * protection domain of the calling class. Calls to
+ * <code>checkPermission()</code> in the <code>run()</code> method ignore
+ * all earlier protection domains of classes in the call chain, but add
+ * checks for the protection domains given in the supplied context.
+ *
+ * @param action the <code>PrivilegedAction</code> whose <code>run()</code>
+ * should be be called.
+ * @param context the <code>AccessControlContext</code> whose protection
+ * domains should be added to the protection domain of the calling class.
+ * @return the result of the <code>action.run()</code> method.
+ */
+ public static Object doPrivileged(PrivilegedAction action,
+ AccessControlContext context)
+ {
+ VMAccessController.pushContext(context);
+ try
+ {
+ return action.run();
+ }
+ finally
+ {
+ VMAccessController.popContext();
+ }
+ }
+
+ /**
+ * Calls the <code>run()</code> method of the given action with as
+ * (initial) access control context only the protection domain of the
+ * calling class. Calls to <code>checkPermission()</code> in the
+ * <code>run()</code> method ignore all earlier protection domains of
+ * classes in the call chain. Note that the protection domains of classes
+ * called by the code in the <code>run()</code> method are not ignored.
+ * If the <code>run()</code> method throws an exception then this method
+ * will wrap that exception in an <code>PrivilegedActionException</code>.
+ *
+ * @param action the <code>PrivilegedExceptionAction</code> whose
+ * <code>run()</code> should be be called.
+ * @return the result of the <code>action.run()</code> method.
+ * @exception PrivilegedActionException wrapped around any exception that
+ * is thrown in the <code>run()</code> method.
+ */
+ public static Object doPrivileged(PrivilegedExceptionAction action)
+ throws PrivilegedActionException
+ {
+ VMAccessController.pushContext(null);
+ try
+ {
+ return action.run();
+ }
+ catch (Exception e)
+ {
+ throw new PrivilegedActionException(e);
+ }
+ finally
+ {
+ VMAccessController.popContext();
+ }
+ }
+
+ /**
+ * Calls the <code>run()</code> method of the given action with as
+ * (initial) access control context the given context combined with the
+ * protection domain of the calling class. Calls to
+ * <code>checkPermission()</code> in the <code>run()</code> method ignore
+ * all earlier protection domains of classes in the call chain, but add
+ * checks for the protection domains given in the supplied context.
+ * If the <code>run()</code> method throws an exception then this method
+ * will wrap that exception in an <code>PrivilegedActionException</code>.
+ *
+ * @param action the <code>PrivilegedExceptionAction</code> whose
+ * <code>run()</code> should be be called.
+ * @param context the <code>AccessControlContext</code> whose protection
+ * domains should be added to the protection domain of the calling class.
+ * @return the result of the <code>action.run()</code> method.
+ * @exception PrivilegedActionException wrapped around any exception that
+ * is thrown in the <code>run()</code> method.
+ */
+ public static Object doPrivileged(PrivilegedExceptionAction action,
+ AccessControlContext context)
+ throws PrivilegedActionException
+ {
+ VMAccessController.pushContext(context);
+ try
+ {
+ return action.run();
+ }
+ catch (Exception e)
+ {
+ throw new PrivilegedActionException(e);
+ }
+ finally
+ {
+ VMAccessController.popContext();
+ }
+ }
+
+ /**
+ * Returns the complete access control context of the current thread.
+ * The returned object encompasses all {@link ProtectionDomain} objects
+ * for all classes in the current call stack, or the set of protection
+ * domains until the last call to {@link
+ * #doPrivileged(java.security.PrivilegedAction)}.
+ *
+ * <p>Additionally, if a call was made to {@link
+ * #doPrivileged(java.security.PrivilegedAction,java.security.AccessControlContext)}
+ * that supplied an {@link AccessControlContext}, then that context
+ * will be intersected with the calculated one.
+ *
+ * @return The context.
+ */
+ public static AccessControlContext getContext()
+ {
+ return VMAccessController.getContext();
+ }
+}
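Review bot: Both `doPrivileged(PrivilegedExceptionAction ...)` overloads use `catch (Exception e)` and so wrap unchecked exceptions too: a `SecurityException` or `AccessControlException` raised inside `run()` reaches the caller as a `PrivilegedActionException`, and code that catches `SecurityException` around the call will not see the denial. The JDK contract wraps only checked exceptions and lets unchecked ones propagate, so I would put `catch (RuntimeException e) { throw e; }` ahead of the existing `catch (Exception e)` in both methods. The `@exception` text should then say "any checked exception" rather than "any exception".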
diff --git a/libjava/classpath/java/security/AlgorithmParameterGenerator.java b/libjava/classpath/java/security/AlgorithmParameterGenerator.java
new file mode 100644
index 00000000000..5dc9e3bb274
--- /dev/null
+++ b/libjava/classpath/java/security/AlgorithmParameterGenerator.java
@@ -0,0 +1,302 @@
+/* AlgorithmParameterGenerator.java --- Algorithm Parameter Generator
+ Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * <p>The <code>AlgorithmParameterGenerator</code> class is used to generate a
+ * set of parameters to be used with a certain algorithm. Parameter generators
+ * are constructed using the <code>getInstance()</code> factory methods (static
+ * methods that return instances of a given class).</p>
+ *
+ * <p>The object that will generate the parameters can be initialized in two
+ * different ways: in an algorithm-independent manner, or in an
+ * algorithm-specific manner:</p>
+ *
+ * <ul>
+ * <li>The algorithm-independent approach uses the fact that all parameter
+ * generators share the concept of a <i>"size"</i> and a <i>source of
+ * randomness</i>. The measure of <i>size</i> is universally shared by all
+ * algorithm parameters, though it is interpreted differently for different
+ * algorithms. For example, in the case of parameters for the <i>DSA</i>
+ * algorithm, <i>"size"</i> corresponds to the size of the prime modulus (in
+ * bits). When using this approach, algorithm-specific parameter generation
+ * values - if any - default to some standard values, unless they can be
+ * derived from the specified size.</li>
+ * <li>The other approach initializes a parameter generator object using
+ * algorithm-specific semantics, which are represented by a set of
+ * algorithm-specific parameter generation values. To generate Diffie-Hellman
+ * system parameters, for example, the parameter generation values usually
+ * consist of the size of the prime modulus and the size of the random
+ * exponent, both specified in number of bits.</li>
+ * </ul>
+ *
+ * <p>In case the client does not explicitly initialize the
+ * <code>AlgorithmParameterGenerator</code> (via a call to an <code>init()</code>
+ * method), each provider must supply (and document) a default initialization.
+ * For example, the <b>GNU</b> provider uses a default modulus prime size of
+ * <code>1024</code> bits for the generation of <i>DSA</i> parameters.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @see AlgorithmParameters
+ * @see AlgorithmParameterSpec
+ */
+public class AlgorithmParameterGenerator
+{
+ /** Service name for algorithm parameter generators. */
+ private static final String ALGORITHM_PARAMETER_GENERATOR =
+ "AlgorithmParameterGenerator";
+
+ private AlgorithmParameterGeneratorSpi paramGenSpi;
+ private Provider provider;
+ private String algorithm;
+
+ /**
+ * Creates an <code>AlgorithmParameterGenerator</code> object.
+ *
+ * @param paramGenSpi the delegate.
+ * @param provider the provider.
+ * @param algorithm the algorithm.
+ */
+ protected AlgorithmParameterGenerator(AlgorithmParameterGeneratorSpi
+ paramGenSpi, Provider provider,
+ String algorithm)
+ {
+ this.paramGenSpi = paramGenSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ /**
+ * Returns the standard name of the algorithm this parameter generator is
+ * associated with.
+ *
+ * @return the string name of the algorithm.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Generates an <code>AlgorithmParameterGenerator</code> object that
+ * implements the specified digest algorithm. If the default provider package
+ * provides an implementation of the requested digest algorithm, an instance
+ * of <code>AlgorithmParameterGenerator</code> containing that implementation
+ * is returned. If the algorithm is not available in the default package,
+ * other packages are searched.
+ *
+ * @param algorithm the string name of the algorithm this parameter generator
+ * is associated with.
+ * @return the new <code>AlgorithmParameterGenerator</code> object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * environment.
+ */
+ public static AlgorithmParameterGenerator getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignore.
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Generates an <code>AlgorithmParameterGenerator</code> object for the
+ * requested algorithm, as supplied from the specified provider, if such a
+ * parameter generator is available from the provider.
+ *
+ * @param algorithm the string name of the algorithm.
+ * @param provider the string name of the provider.
+ * @return the new <code>AlgorithmParameterGenerator</code> object.
+ * @throws NoSuchAlgorithmException if the <code>algorithm</code> is not
+ * available from the <code>provider</code>.
+ * @throws NoSuchProviderException if the <code>provider</code> is not
+ * available in the environment.
+ * @throws IllegalArgumentException if the <code>provider</code> name is
+ * <code>null</code> or empty.
+ * @see Provider
+ */
+ public static AlgorithmParameterGenerator getInstance(String algorithm,
+ String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Generates an AlgorithmParameterGenerator object for the requested
+ * algorithm, as supplied from the specified provider, if such a parameter
+ * generator is available from the provider. Note: the <code>provider</code>
+ * doesn't have to be registered.
+ *
+ * @param algorithm the string name of the algorithm.
+ * @param provider the provider.
+ * @return the new AlgorithmParameterGenerator object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available from
+ * the provider.
+ * @throws IllegalArgumentException if the provider is null.
+ * @since 1.4
+ * @see Provider
+ */
+ public static AlgorithmParameterGenerator getInstance(String algorithm,
+ Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+
+ try
+ {
+ return new AlgorithmParameterGenerator(
+ (AlgorithmParameterGeneratorSpi) Engine.getInstance(
+ ALGORITHM_PARAMETER_GENERATOR, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ /**
+ * Returns the provider of this algorithm parameter generator object.
+ *
+ * @return the provider of this algorithm parameter generator object.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Initializes this parameter generator for a certain <i>size</i>. To create
+ * the parameters, the {@link SecureRandom} implementation of the
+ * highest-priority installed provider is used as the source of randomness.
+ * (If none of the installed providers supply an implementation of
+ * {@link SecureRandom}, a system-provided source of randomness is used.)
+ *
+ * @param size the size (number of bits).
+ */
+ public final void init(int size)
+ {
+ init(size, new SecureRandom());
+ }
+
+ /**
+ * Initializes this parameter generator for a certain size and source of
+ * randomness.
+ *
+ * @param size the size (number of bits).
+ * @param random the source of randomness.
+ */
+ public final void init(int size, SecureRandom random)
+ {
+ paramGenSpi.engineInit(size, random);
+ }
+
+ /**
+ * Initializes this parameter generator with a set of algorithm-specific
+ * parameter generation values. To generate the parameters, the {@link
+ * SecureRandom} implementation of the highest-priority installed provider is
+ * used as the source of randomness. (If none of the installed providers
+ * supply an implementation of {@link SecureRandom}, a system-provided source
+ * of randomness is used.)
+ *
+ * @param genParamSpec the set of algorithm-specific parameter generation
+ * values.
+ * @throws InvalidAlgorithmParameterException if the given parameter
+ * generation values are inappropriate for this parameter generator.
+ */
+ public final void init(AlgorithmParameterSpec genParamSpec)
+ throws InvalidAlgorithmParameterException
+ {
+ init(genParamSpec, new SecureRandom());
+ }
+
+ /**
+ * Initializes this parameter generator with a set of algorithm-specific
+ * parameter generation values.
+ *
+ * @param genParamSpec the set of algorithm-specific parameter generation
+ * values.
+ * @param random the source of randomness.
+ * @throws InvalidAlgorithmParameterException if the given parameter
+ * generation values are inappropriate for this parameter generator.
+ */
+ public final void init(AlgorithmParameterSpec genParamSpec,
+ SecureRandom random)
+ throws InvalidAlgorithmParameterException
+ {
+ paramGenSpi.engineInit(genParamSpec, random);
+ }
+
+ /**
+ * Generates the parameters.
+ *
+ * @return the new {@link AlgorithmParameters} object.
+ */
+ public final AlgorithmParameters generateParameters()
+ {
+ return paramGenSpi.engineGenerateParameters();
+ }
+}
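Review bot: Both catch blocks in `getInstance(String, Provider)` throw a fresh `NoSuchAlgorithmException(algorithm)` and drop the `InvocationTargetException` or `ClassCastException` that caused it, so a provider implementation that fails to construct or has the wrong type looks the same as an algorithm that is absent. Because `getInstance(String)` ignores that exception and moves on to the next provider, a failure in a higher-priority provider is silently replaced by whatever a lower-priority one returns. Keep the cause, e.g. `NoSuchAlgorithmException nsae = new NoSuchAlgorithmException(algorithm); nsae.initCause(ite); throw nsae;`, and likewise for `cce`. `AlgorithmParameters.getInstance(String, Provider)` later in this commit has the same two catch blocks. The Javadoc of `getInstance(String)` also speaks of a "digest algorithm", which looks copied from another class.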
diff --git a/libjava/classpath/java/security/AlgorithmParameterGeneratorSpi.java b/libjava/classpath/java/security/AlgorithmParameterGeneratorSpi.java
new file mode 100644
index 00000000000..3143ea76b8b
--- /dev/null
+++ b/libjava/classpath/java/security/AlgorithmParameterGeneratorSpi.java
@@ -0,0 +1,94 @@
+/* AlgorithmParameterGeneratorSpi.java --- Algorithm Parameter Generator SPI
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ AlgorithmParameterGeneratorSpi is the Service Provider
+ Interface for the AlgorithmParameterGenerator class.
+ This class is used to generate the algorithm parameters
+ for a specific algorithm.
+
+ @since JDK 1.2
+ @author Mark Benvenuto
+ */
+public abstract class AlgorithmParameterGeneratorSpi
+{
+
+ /**
+ Constructs a new AlgorithmParameterGeneratorSpi
+ */
+ public AlgorithmParameterGeneratorSpi()
+ {
+ }
+
+ /**
+ Initializes the parameter generator with the specified size
+ and SecureRandom
+
+ @param size the size( in number of bits)
+ @param random the SecureRandom class to use for randomness
+ */
+ protected abstract void engineInit(int size, SecureRandom random);
+
+ /**
+ Initializes the parameter generator with the specified
+ AlgorithmParameterSpec and SecureRandom classes.
+
+ If genParamSpec is an invalid AlgorithmParameterSpec for this
+ AlgorithmParameterGeneratorSpi then it throws
+ InvalidAlgorithmParameterException
+
+ @param genParamSpec the AlgorithmParameterSpec class to use
+ @param random the SecureRandom class to use for randomness
+
+ @throws InvalidAlgorithmParameterException genParamSpec is invalid
+ */
+ protected abstract void engineInit(AlgorithmParameterSpec genParamSpec,
+ SecureRandom random) throws
+ InvalidAlgorithmParameterException;
+
+
+ /**
+ Generate a new set of AlgorithmParameters.
+
+ @returns a new set of algorithm parameters
+ */
+ protected abstract AlgorithmParameters engineGenerateParameters();
+
+}
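Review bot: The Javadoc on `engineGenerateParameters()` uses `@returns`, which is not a Javadoc tag, so the return description is lost from the generated documentation; it should read `@return a new set of algorithm parameters`. The contract of `engineInit(int size, SecureRandom random)` also does not say what an implementation must do with a size it does not support, and the method declares no exception. A line such as `@throws InvalidParameterException if size is not supported by this generator` would tell providers to reject it rather than fall back to another size, assuming that is the intended behaviour. The comments in this file omit the leading ` * ` used by the other files in the commit.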
diff --git a/libjava/classpath/java/security/AlgorithmParameters.java b/libjava/classpath/java/security/AlgorithmParameters.java
new file mode 100644
index 00000000000..038fbb4bd64
--- /dev/null
+++ b/libjava/classpath/java/security/AlgorithmParameters.java
@@ -0,0 +1,340 @@
+/* AlgorithmParameters.java --- Algorithm Parameters Implementation Class
+ Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.io.IOException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
+
+/**
+ * <p>This class is used as an opaque representation of cryptographic
+ * parameters.</p>
+ *
+ * <p>An <code>AlgorithmParameters</code> object for managing the parameters
+ * for a particular algorithm can be obtained by calling one of the
+ * <code>getInstance()</code> factory methods (static methods that return
+ * instances of a given class).</p>
+ *
+ * <p>There are two ways to request such an implementation: by specifying
+ * either just an algorithm name, or both an algorithm name and a package
+ * provider.</p>
+ *
+ * <ul>
+ * <li>If just an algorithm name is specified, the system will determine if
+ * there is an AlgorithmParameters implementation for the algorithm requested
+ * available in the environment, and if there is more than one, if there is
+ * a preferred one.</li>
+ * <li>If both an algorithm name and a package provider are specified, the
+ * system will determine if there is an implementation in the package
+ * requested, and throw an exception if there is not.</li>
+ * </ul>
+ *
+ * <p>Once an <code>AlgorithmParameters</code> object is returned, it must be
+ * initialized via a call to <code>init()</code>, using an appropriate
+ * parameter specification or parameter encoding.</p>
+ *
+ * <p>A transparent parameter specification is obtained from an
+ * <code>AlgorithmParameters</code> object via a call to
+ * <code>getParameterSpec()</code>, and a byte encoding of the parameters is
+ * obtained via a call to <code>getEncoded()</code>.</p>
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @see AlgorithmParameterSpec
+ * @see java.security.spec.DSAParameterSpec
+ * @see KeyPairGenerator
+ */
+public class AlgorithmParameters
+{
+ /** Service name for algorithm parameters. */
+ private static final String ALGORITHM_PARAMETERS = "AlgorithmParameters";
+
+ private AlgorithmParametersSpi paramSpi;
+ private Provider provider;
+ private String algorithm;
+
+ /**
+ * Creates an <code>AlgorithmParameters</code> object.
+ *
+ * @param paramSpi the delegate.
+ * @param provider the provider.
+ * @param algorithm the algorithm.
+ */
+ protected AlgorithmParameters(AlgorithmParametersSpi paramSpi,
+ Provider provider, String algorithm)
+ {
+ this.paramSpi = paramSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ /**
+ * Returns the name of the algorithm associated with this parameter object.
+ *
+ * @return the algorithm name.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * <p>Generates a parameter object for the specified algorithm.</p>
+ *
+ * <p>If the default provider package provides an implementation of the
+ * requested algorithm, an instance of <code>AlgorithmParameters</code>
+ * containing that implementation is returned. If the algorithm is not
+ * available in the default package, other packages are searched.</p>
+ *
+ * <p>The returned parameter object must be initialized via a call to
+ * <code>init()</code>, using an appropriate parameter specification or
+ * parameter encoding.</p>
+ *
+ * @param algorithm the name of the algorithm requested.
+ * @return the new parameter object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * environment.
+ */
+ public static AlgorithmParameters getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignore this.
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * <p>Generates a parameter object for the specified algorithm, as supplied
+ * by the specified provider, if such an algorithm is available from the
+ * provider.</p>
+ *
+ * <p>The returned parameter object must be initialized via a call to
+ * <code>init()</code>, using an appropriate parameter specification or
+ * parameter encoding.</p>
+ *
+ * @param algorithm the name of the algorithm requested.
+ * @param provider the name of the provider.
+ * @return the new parameter object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * package supplied by the requested provider.
+ * @throws NoSuchProviderException if the provider is not available in the
+ * environment.
+ * @throws IllegalArgumentException if the provider name is null or empty.
+ * @see Provider
+ */
+ public static AlgorithmParameters getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Generates an <code>AlgorithmParameterGenerator</code> object for the
+ * requested algorithm, as supplied from the specified provider, if such a
+ * parameter generator is available from the provider. Note: the
+ * <code>provider</code> doesn't have to be registered.
+ *
+ * @param algorithm the string name of the algorithm.
+ * @param provider the provider.
+ * @return the new <code>AlgorithmParameterGenerator</code> object.
+ * @throws NoSuchAlgorithmException if the <code>algorithm</code> is not
+ * available from the <code>provider</code>.
+ * @throws IllegalArgumentException if the <code>provider</code> is
+ * <code>null</code>.
+ * @since 1.4
+ */
+ public static AlgorithmParameters getInstance(String algorithm,
+ Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+
+ try
+ {
+ return new AlgorithmParameters((AlgorithmParametersSpi)
+ Engine.getInstance(ALGORITHM_PARAMETERS, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ /**
+ * Returns the provider of this parameter object.
+ *
+ * @return the provider of this parameter object.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Initializes this parameter object using the parameters specified in
+ * <code>paramSpec</code>.
+ *
+ * @param paramSpec the parameter specification.
+ * @throws InvalidParameterSpecException if the given parameter specification
+ * is inappropriate for the initialization of this parameter object, or if
+ * this parameter object has already been initialized.
+ */
+ public final void init(AlgorithmParameterSpec paramSpec)
+ throws InvalidParameterSpecException
+ {
+ paramSpi.engineInit(paramSpec);
+ }
+
+ /**
+ * Imports the specified parameters and decodes them according to the primary
+ * decoding format for parameters. The primary decoding format for parameters
+ * is ASN.1, if an ASN.1 specification for this type of parameters exists.
+ *
+ * @param params the encoded parameters.
+ * @throws IOException on decoding errors, or if this parameter object has
+ * already been initialized.
+ */
+ public final void init(byte[]params) throws IOException
+ {
+ paramSpi.engineInit(params);
+ }
+
+ /**
+ * Imports the parameters from params and decodes them according to the
+ * specified decoding scheme. If <code>format</code> is <code>null</code>,
+ * the primary decoding format for parameters is used. The primary decoding
+ * format is ASN.1, if an ASN.1 specification for these parameters exists.
+ *
+ * @param params the encoded parameters.
+ * @param format the name of the decoding scheme.
+ * @throws IOException on decoding errors, or if this parameter object has
+ * already been initialized.
+ */
+ public final void init(byte[]params, String format) throws IOException
+ {
+ paramSpi.engineInit(params, format);
+ }
+
+ /**
+ * Returns a (transparent) specification of this parameter object.
+ * <code>paramSpec</code> identifies the specification class in which the
+ * parameters should be returned. It could, for example, be
+ * <code>DSAParameterSpec.class</code>, to indicate that the parameters should
+ * be returned in an instance of the {@link java.security.spec.DSAParameterSpec}
+ * class.
+ *
+ * @param paramSpec the specification class in which the parameters should be
+ * returned.
+ * @return the parameter specification.
+ * @throws InvalidParameterSpecException if the requested parameter
+ * specification is inappropriate for this parameter object, or if this
+ * parameter object has not been initialized.
+ */
+ public final AlgorithmParameterSpec getParameterSpec(Class paramSpec)
+ throws InvalidParameterSpecException
+ {
+ return paramSpi.engineGetParameterSpec(paramSpec);
+ }
+
+ /**
+ * Returns the parameters in their primary encoding format. The primary
+ * encoding format for parameters is ASN.1, if an ASN.1 specification for
+ * this type of parameters exists.
+ *
+ * @return the parameters encoded using their primary encoding format.
+ * @throws IOException on encoding errors, or if this parameter object has not
+ * been initialized.
+ */
+ public final byte[] getEncoded() throws IOException
+ {
+ return paramSpi.engineGetEncoded();
+ }
+
+ /**
+ * Returns the parameters encoded in the specified scheme. If format is
+ * <code>null</code>, the primary encoding format for parameters is used. The
+ * primary encoding format is ASN.1, if an ASN.1 specification for these
+ * parameters exists.
+ *
+ * @param format the name of the encoding format.
+ * @return the parameters encoded using the specified encoding scheme.
+ * @throws IOException on encoding errors, or if this parameter object has
+ * not been initialized.
+ */
+ public final byte[] getEncoded(String format) throws IOException
+ {
+ return paramSpi.engineGetEncoded(format);
+ }
+
+ /**
+ * Returns a formatted string describing the parameters.
+ *
+ * @return a formatted string describing the parameters, or <code>null</code>
+ * if this parameter object has not been initialized.
+ */
+ public final String toString()
+ {
+ return paramSpi.engineToString();
+ }
+}
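Review bot: The three `init` overloads document that they fail "if this parameter object has already been initialized", and `getParameterSpec`/`getEncoded` that they fail when it has not been, but the class keeps no state and each method only delegates to `paramSpi`, so the guarantee holds only if every provider's SPI enforces it. An `AlgorithmParameters` object that has been handed to other code could then be re-initialized with different values through a provider that does not check. Tracking the state in this wrapper makes the documented contract independent of the provider; the sketch below shows the field and one guarded `init`, and the other two overloads and the getters would follow the same pattern. Separately, the Javadoc of `getInstance(String, Provider)` describes an `AlgorithmParameterGenerator`, while the method returns `AlgorithmParameters`.

```java
  private boolean initialized;

  // … unchanged: constructor, getAlgorithm, getInstance overloads, getProvider …

  public final void init(byte[]params) throws IOException
  {
    if (initialized)
      throw new IOException("already initialized");
    paramSpi.engineInit(params);
    // set only after the SPI accepted the encoding
    initialized = true;
  }
```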
diff --git a/libjava/classpath/java/security/AlgorithmParametersSpi.java b/libjava/classpath/java/security/AlgorithmParametersSpi.java
new file mode 100644
index 00000000000..a9faa154374
--- /dev/null
+++ b/libjava/classpath/java/security/AlgorithmParametersSpi.java
@@ -0,0 +1,149 @@
+/* AlgorithmParametersSpi.java --- Algorithm Parameters SPI
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.IOException;
+import java.security.spec.AlgorithmParameterSpec;
+import java.security.spec.InvalidParameterSpecException;
+
+/**
+ * AlgorithmParametersSpi is the Service Provider Interface
+ * for the Algorithm Parameters class. This class is used
+ * to manage the algorithm parameters.
+ *
+ * @since 1.2
+ * @author Mark Benvenuto
+ */
+public abstract class AlgorithmParametersSpi
+{
+ /**
+ * Creates a new instance of AlgorithmParametersSpi
+ */
+ public AlgorithmParametersSpi()
+ {
+ }
+
+ /**
+ * Initializes the engine with the specified
+ * AlgorithmParameterSpec class.
+ *
+ * @param paramSpec A AlgorithmParameterSpec to initialize with
+ *
+ * @throws InvalidParameterSpecException For an inapporiate
+ * ParameterSpec class
+ */
+ protected abstract void engineInit(AlgorithmParameterSpec paramSpec)
+ throws InvalidParameterSpecException;
+
+ /**
+ * Initializes the engine with the specified
+ * parameters stored in the byte array and decodes them
+ * according to the ASN.1 specification. If the ASN.1
+ * specification exists then it succeeds or else it throws
+ * IOException.
+ *
+ * @param params Parameters to initialize with
+ *
+ * @throws IOException Decoding Error
+ */
+ protected abstract void engineInit(byte[]params) throws IOException;
+
+ /**
+ * Initializes the engine with the specified
+ * parameters stored in the byte array and decodes them
+ * according to the specified decoding specification.
+ * If format is null, then it is decoded using the ASN.1
+ * specification if it exists or else it throws
+ * IOException.
+ *
+ * @param params Parameters to initialize with
+ * @param format Name of decoding format to use
+ *
+ * @throws IOException Decoding Error
+ */
+ protected abstract void engineInit(byte[]params, String format)
+ throws IOException;
+
+
+ /**
+ * Returns a specification of this AlgorithmParameters object.
+ * paramSpec identifies the class to return the AlgortihmParameters
+ * in.
+ *
+ * @param paramSpec Class to return AlgorithmParameters in
+ *
+ * @return the parameter specification
+ *
+ * @throws InvalidParameterSpecException if the paramSpec is an
+ * invalid parameter class
+ */
+ protected abstract AlgorithmParameterSpec engineGetParameterSpec(Class
+ paramSpec)
+ throws InvalidParameterSpecException;
+
+
+ /**
+ * Returns the parameters in the default encoding format.
+ * The primary encoding format is ASN.1 format if it exists
+ * for the specified type.
+ *
+ * @return byte array representing the parameters
+ */
+ protected abstract byte[] engineGetEncoded() throws IOException;
+
+
+ /**
+ * Returns the parameters in the specified encoding format.
+ * If <code>format</code> is <code>null</code> then the
+ * primary encoding format is used, the ASN.1 format,
+ * if it exists for the specified type.
+ *
+ * @return byte array representing the parameters
+ */
+ protected abstract byte[] engineGetEncoded(String format)
+ throws IOException;
+
+ /**
+ * Returns a string describing the parameters in the
+ * AlgorithmParametersSpi class.
+ *
+ * @return A string representing the format of the parameters.
+ */
+ protected abstract String engineToString();
+}
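Review bot: `engineGetEncoded()` and `engineGetEncoded(String format)` declare `throws IOException` but their Javadoc has no `@throws`, and the second one has no `@param format`; add `@param format the name of the encoding format, or null for the primary format` and `@throws IOException on encoding errors`. The description of `engineInit(byte[])` ("If the ASN.1 specification exists then it succeeds or else it throws IOException") reads as if decoding always succeeds when a specification exists; it would be clearer to state that input which cannot be decoded must be rejected with `IOException`. There are also two spelling slips, "inapporiate" and "AlgortihmParameters".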
diff --git a/libjava/classpath/java/security/AllPermission.java b/libjava/classpath/java/security/AllPermission.java
new file mode 100644
index 00000000000..6adcd8c9c96
--- /dev/null
+++ b/libjava/classpath/java/security/AllPermission.java
@@ -0,0 +1,198 @@
+/* AllPermission.java -- Permission to do anything
+ Copyright (C) 1998, 2001, 2002, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.util.EmptyEnumeration;
+
+import java.util.Collections;
+import java.util.Enumeration;
+
+/**
+ * This class is a permission that implies all other permissions. Granting
+ * this permission effectively grants all others. Extreme caution should
+ * be exercised in granting this permission.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see AccessController
+ * @see Permissions
+ * @see SecurityManager
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public final class AllPermission extends Permission
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -2916474571451318075L;
+
+ /**
+ * Create a new AllPermission object.
+ */
+ public AllPermission()
+ {
+ super("*");
+ }
+
+ /**
+ * Create a new AllPermission object. The parameters are ignored, as all
+ * permission implies ALL PERMISSION.
+ *
+ * @param name ignored
+ * @param actions ignored
+ */
+ public AllPermission(String name, String actions)
+ {
+ super("*");
+ }
+
+ /**
+ * This method always returns <code>true</code> to indicate that this
+ * permission always implies that any other permission is also granted.
+ *
+ * @param perm ignored
+ * @return true, the permission is implied
+ */
+ public boolean implies(Permission perm)
+ {
+ return true;
+ }
+
+ /**
+ * Checks an object for equality. All AllPermissions are equal.
+ *
+ * @param obj the <code>Object</code> to test for equality
+ */
+ public boolean equals(Object obj)
+ {
+ return obj instanceof AllPermission;
+ }
+
+ /**
+ * This method returns a hash code for this object. This returns 1.
+ *
+ * @return a hash value for this object
+ */
+ public int hashCode()
+ {
+ return 1;
+ }
+
+ /**
+ * This method returns the list of actions associated with this object.
+ * This will always be the empty string ("") for this class.
+ *
+ * @return the action list
+ */
+ public String getActions()
+ {
+ return "";
+ }
+
+ /**
+ * Returns a PermissionCollection which can hold AllPermission.
+ *
+ * @return a permission collection
+ */
+ public PermissionCollection newPermissionCollection()
+ {
+ return new AllPermissionCollection();
+ }
+
+ /**
+ * Implements AllPermission.newPermissionCollection, and obeys serialization
+ * of JDK.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ */
+ private static final class AllPermissionCollection extends PermissionCollection
+ {
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -4023755556366636806L;
+
+ /**
+ * Whether an AllPermission has been added to the collection.
+ *
+ * @serial if all permission is in the collection yet
+ */
+ private boolean all_allowed;
+
+ /**
+ * Add an AllPermission.
+ *
+ * @param perm the permission to add
+ * @throws IllegalArgumentException if perm is not an AllPermission
+ * @throws SecurityException if the collection is read-only
+ */
+ public void add(Permission perm)
+ {
+ if (isReadOnly())
+ throw new SecurityException();
+ if (! (perm instanceof AllPermission))
+ throw new IllegalArgumentException();
+ all_allowed = true;
+ }
+
+ /**
+ * Returns true if this collection implies a permission.
+ *
+ * @param perm the permission to check
+ * @return true if this collection contains an AllPermission
+ */
+ public boolean implies(Permission perm)
+ {
+ return all_allowed;
+ }
+
+ /**
+ * Returns an enumeration of the elements in the collection.
+ *
+ * @return the elements in the collection
+ */
+ public Enumeration elements()
+ {
+ return all_allowed
+ ? Collections.enumeration(Collections.singleton(new AllPermission()))
+ : EmptyEnumeration.getInstance();
+ }
+ } // class AllPermissionCollection
+} // class AllPermission
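Review bot: `all_allowed` in `AllPermissionCollection` is written by `add` and read by `implies` and `elements` with no synchronization, and nothing in the class says whether that is deliberate. `PermissionCollection` implementations are expected to tolerate calls from several threads. Here a stale read can only report `false` after an `AllPermission` was added, so the effect is a late grant rather than a wrong one, but that reasoning belongs on the field. I would either declare it `private volatile boolean all_allowed;` or add `// Unsynchronized on purpose: a stale read denies, it never grants.` above it.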
diff --git a/libjava/classpath/java/security/BasicPermission.java b/libjava/classpath/java/security/BasicPermission.java
new file mode 100644
index 00000000000..267a6e292ab
--- /dev/null
+++ b/libjava/classpath/java/security/BasicPermission.java
@@ -0,0 +1,308 @@
+/* BasicPermission.java -- implements a simple named permission
+ Copyright (C) 1998, 1999, 2002, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.Serializable;
+import java.util.Enumeration;
+import java.util.Hashtable;
+
+/**
+ * This class implements a simple model for named permissions without an
+ * associated action list. That is, either the named permission is granted
+ * or it is not.
+ *
+ * <p>It also supports trailing wildcards to allow the easy granting of
+ * permissions in a hierarchical fashion. (For example, the name "org.gnu.*"
+ * might grant all permissions under the "org.gnu" permissions hierarchy).
+ * The only valid wildcard character is a '*' which matches anything. It
+ * must be the rightmost element in the permission name and must follow a
+ * '.' or else the Permission name must consist of only a '*'. Any other
+ * occurrence of a '*' is not valid.
+ *
+ * <p>This class ignores the action list. Subclasses can choose to implement
+ * actions on top of this class if desired.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see Permission
+ * @see Permissions
+ * @see PermissionCollection
+ * @see RuntimePermission
+ * @see SecurityPermission
+ * @see PropertyPermission
+ * @see AWTPermission
+ * @see NetPermission
+ * @see SecurityManager
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public abstract class BasicPermission extends java.security.Permission
+ implements Serializable
+ // FIXME extends with fully qualified classname as workaround for gcj 3.3.
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 6279438298436773498L;
+
+ /**
+ * Create a new instance with the specified permission name. If the
+ * name is empty an exception is thrown.
+ *
+ * @param name the name of this permission
+ * @throws NullPointerException if name is null
+ * @throws IllegalArgumentException if name is invalid
+ */
+ public BasicPermission(String name)
+ {
+ super(name);
+
+ // This routine used to check for illegal wildcards, but no such
+ // requirement exists in the specification and Sun's runtime
+ // doesn't appear to do it.
+
+ if ("".equals(name))
+ throw new IllegalArgumentException("Empty name");
+ }
+
+ /**
+ * Create a new instance with the specified permission name. If the name
+ * is empty, or contains an illegal wildcard character, an exception is
+ * thrown. The actions parameter is ignored.
+ *
+ * @param name the name of this permission
+ * @param actions ignored
+ * @throws NullPointerException if name is null
+ * @throws IllegalArgumentException if name is invalid
+ */
+ public BasicPermission(String name, String actions)
+ {
+ this(name);
+ }
+
+ /**
+ * This method tests to see if the specified permission is implied by this
+ * permission. This will be true if the following conditions are met:<ul>
+ * <li>The specified object is an instance of the same class as this
+ * object.</li>
+ * <li>The name of the specified permission is implied by this permission's
+ * name based on wildcard matching. For example, "a.*" implies "a.b".</li>
+ * </ul>
+ *
+ * @param perm the <code>Permission</code> object to test against
+ * @return true if the specified permission is implied
+ */
+ public boolean implies(Permission perm)
+ {
+ if (! getClass().isInstance(perm))
+ return false;
+
+ String otherName = perm.getName();
+ String name = getName();
+
+ if (name.equals(otherName))
+ return true;
+
+ int last = name.length() - 1;
+ return name.charAt(last) == '*'
+ && otherName.startsWith(name.substring(0, last));
+ }
+
+ /**
+ * This method tests to see if this object is equal to the specified
+ * <code>Object</code>. This will be true if and only if the specified
+ * object meets the following conditions:<ul>
+ * <li>It is an instance of the same class as this.</li>
+ * <li>It has the same name as this permission.</li>
+ * </ul>
+ *
+ * @param obj the <code>Object</code> to test for equality
+ * @return true if obj is semantically equal to this
+ */
+ public boolean equals(Object obj)
+ {
+ return getClass().isInstance(obj)
+ && getName().equals(((BasicPermission) obj).getName());
+ }
+
+ /**
+ * This method returns a hash code for this permission object. The hash
+ * code returned is the value returned by calling the <code>hashCode</code>
+ * method on the <code>String</code> that is the name of this permission.
+ *
+ * @return a hash value for this object
+ */
+ public int hashCode()
+ {
+ return getName().hashCode();
+ }
+
+ /**
+ * This method returns a list of the actions associated with this
+ * permission. This method always returns the empty string ("") since
+ * this class ignores actions.
+ *
+ * @return the action list
+ */
+ public String getActions()
+ {
+ return "";
+ }
+
+ /**
+ * This method returns an instance of <code>PermissionCollection</code>
+ * suitable for storing <code>BasicPermission</code> objects. The
+ * collection returned can only store objects of the same type as this.
+ * Subclasses which use actions must override this method; but a class with
+ * no actions will work fine with this.
+ *
+ * @return a new empty <code>PermissionCollection</code> object
+ */
+ public PermissionCollection newPermissionCollection()
+ {
+ return new BasicPermissionCollection(getClass());
+ }
+
+ /**
+ * Implements AllPermission.newPermissionCollection, and obeys serialization
+ * of JDK.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ */
+ private static final class BasicPermissionCollection extends PermissionCollection
+ {
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 739301742472979399L;
+
+ /**
+ * The permissions in the collection.
+ *
+ * @serial a hash mapping name to permissions, all of type permClass
+ */
+ private final Hashtable permissions = new Hashtable();
+
+ /**
+ * If "*" is in the collection.
+ *
+ * @serial true if a permission named "*" is in the collection
+ */
+ private boolean all_allowed;
+
+ /**
+ * The runtime class which all entries in the table must belong to.
+ *
+ * @serial the limiting subclass of this collection
+ */
+ private final Class permClass;
+
+ /**
+ * Construct a collection over the given runtime class.
+ *
+ * @param c the class
+ */
+ BasicPermissionCollection(Class c)
+ {
+ permClass = c;
+ }
+
+ /**
+ * Add a Permission. It must be of the same type as the permission which
+ * created this collection.
+ *
+ * @param perm the permission to add
+ * @throws IllegalArgumentException if perm is not the correct type
+ * @throws SecurityException if the collection is read-only
+ */
+ public void add(Permission perm)
+ {
+ if (isReadOnly())
+ throw new SecurityException("readonly");
+ if (! permClass.isInstance(perm))
+ throw new IllegalArgumentException("Expecting instance of " + permClass);
+ BasicPermission bp = (BasicPermission) perm;
+ String name = bp.getName();
+ if (name.equals("*"))
+ all_allowed = true;
+ permissions.put(name, bp);
+ }
+
+ /**
+ * Returns true if this collection implies the given permission.
+ *
+ * @param permission the permission to check
+ * @return true if it is implied by this
+ */
+ public boolean implies(Permission permission)
+ {
+ if (! permClass.isInstance(permission))
+ return false;
+ if (all_allowed)
+ return true;
+ BasicPermission toImply = (BasicPermission) permission;
+ String name = toImply.getName();
+ if (name.equals("*"))
+ return false;
+ int prefixLength = name.length();
+ if (name.endsWith("*"))
+ prefixLength -= 2;
+
+ while (true)
+ {
+ if (permissions.get(name) != null)
+ return true;
+ prefixLength = name.lastIndexOf('.', prefixLength);
+ if (prefixLength < 0)
+ return false;
+ name = name.substring(0, prefixLength + 1) + '*';
+ }
+ }
+
+ /**
+ * Enumerate over the collection.
+ *
+ * @return an enumeration of the collection contents
+ */
+ public Enumeration elements()
+ {
+ return permissions.elements();
+ }
+ } // class BasicPermissionCollection
+} // class BasicPermission
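Review bot: The prefix walk in `BasicPermissionCollection.implies` does not appear to terminate for a dotted name that is missing from the table. `name.lastIndexOf('.', prefixLength)` searches from `prefixLength` inclusive, so once `name` has been rewritten to end in `.*` the same dot is found again and `name` never changes. Tracing "a.b" against an empty collection yields "a.*" on every pass, which would hang any permission check that reaches this loop. Searching from the previous position, `prefixLength = name.lastIndexOf('.', prefixLength - 1);`, moves one component left per pass and ends at -1. Separately, `BasicPermission.implies` treats any trailing `*` as a wildcard (`name.charAt(last) == '*'`), so "a*" implies "ab" although the class comment requires the `*` to follow a `.`; the collection only walks dot boundaries, so the two disagree.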
diff --git a/libjava/classpath/java/security/Certificate.java b/libjava/classpath/java/security/Certificate.java
new file mode 100644
index 00000000000..5cdba6e101b
--- /dev/null
+++ b/libjava/classpath/java/security/Certificate.java
@@ -0,0 +1,125 @@
+/* Certificate.java -- deprecated interface for modeling digital certificates
+ Copyright (C) 1998, 2002, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+
+/**
+ * This interface models a digital certificate which verifies the
+ * authenticity of a party. This class simply allows certificate
+ * information to be queried, it does not guarantee that the certificate
+ * is valid.
+ *
+ * <p>This class is deprecated in favor of the new java.security.cert package.
+ * It exists for backward compatibility only.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @since 1.1
+ * @deprecated use {@link java.security.cert} instead
+ * @status updated to 1.4
+ */
+public interface Certificate
+{
+ /**
+ * This method returns the <code>Principal</code> that is guaranteeing
+ * this certificate.
+ *
+ * @return the <code>Principal</code> guaranteeing the certificate
+ */
+ Principal getGuarantor();
+
+ /**
+ * This method returns the <code>Principal</code> being guaranteed by
+ * this certificate.
+ *
+ * @return the <code>Principal</code> guaranteed by this certificate
+ */
+ Principal getPrincipal();
+
+ /**
+ * This method returns the public key for the <code>Principal</code> that
+ * is being guaranteed.
+ *
+ * @return the <code>PublicKey</code> of the Principal being guaranteed
+ */
+ PublicKey getPublicKey();
+
+ /**
+ * This method writes the certificate to an <code>OutputStream</code> in
+ * a format that can be understood by the <code>decode</code> method.
+ *
+ * @param out the <code>OutputStream</code> to write to
+ * @throws KeyException if there is a problem with the certificate
+ * @throws IOException if an error occurs writing to the stream
+ * @see #decode(InputStream)
+ * @see #getFormat()
+ */
+ void encode(OutputStream out) throws KeyException, IOException;
+
+ /**
+ * This method reads an encoded certificate from an <code>InputStream</code>.
+ *
+ * @param in the <code>InputStream</code> to read from
+ * @throws KeyException if there is a problem with the certificate data
+ * @throws IOException if an error occurs reading from the stream
+ * @see #encode(OutputStream)
+ * @see #getFormat()
+ */
+ void decode(InputStream in) throws KeyException, IOException;
+
+ /**
+ * This method returns the encoding format of the certificate (e.g., "PGP",
+ * "X.509"). This format is used by the <code>encode</code> and
+ * <code>decode</code> methods.
+ *
+ * @return the encoding format being used
+ */
+ String getFormat();
+
+ /**
+ * This method returns a <code>String</code> representation of the contents
+ * of this certificate.
+ *
+ * @param detail true to provided more detailed information
+ * @return the string representation
+ */
+ String toString(boolean detail);
+} // interface Certificate
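Review bot: The `@param` text on `toString(boolean)` has a typo; it should read `@param detail true to provide more detailed information`. The type-level comment also calls this interface "This class" twice ("This class simply allows…", "This class is deprecated…"), which should say "This interface" to match the declaration.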
diff --git a/libjava/classpath/java/security/CodeSource.java b/libjava/classpath/java/security/CodeSource.java
new file mode 100644
index 00000000000..b516170281c
--- /dev/null
+++ b/libjava/classpath/java/security/CodeSource.java
@@ -0,0 +1,354 @@
+/* CodeSource.java -- Code location and certifcates
+ Copyright (C) 1998, 2002, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+import java.net.SocketPermission;
+import java.net.URL;
+// Note that this overrides Certificate in this package.
+import java.security.cert.Certificate;
+import java.security.cert.CertificateEncodingException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Iterator;
+
+/**
+ * This class represents a location from which code is loaded (as
+ * represented by a URL), and the list of certificates that are used to
+ * check the signatures of signed code loaded from this source.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public class CodeSource implements Serializable
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 4977541819976013951L;
+
+ /**
+ * This is the URL that represents the code base from which code will
+ * be loaded.
+ *
+ * @serial the code location
+ */
+ private final URL location;
+
+ /** The set of certificates for this code base. */
+ private transient HashSet certs;
+
+ /**
+ * This creates a new instance of <code>CodeSource</code> that loads code
+ * from the specified URL location and which uses the specified certificates
+ * for verifying signatures.
+ *
+ * @param location the location from which code will be loaded
+ * @param certs the list of certificates
+ */
+ public CodeSource(URL location, Certificate[] certs)
+ {
+ this.location = location;
+ if (certs != null)
+ this.certs = new HashSet(Arrays.asList(certs));
+ }
+
+ /**
+ * This method returns a hash value for this object.
+ *
+ * @return a hash value for this object
+ */
+ public int hashCode()
+ {
+ return (location == null ? 0 : location.hashCode())
+ ^ (certs == null ? 0 : certs.hashCode());
+ }
+
+ /**
+ * This method tests the specified <code>Object</code> for equality with
+ * this object. This will be true if and only if the locations are equal
+ * and the certificate sets are identical (ignoring order).
+ *
+ * @param obj the <code>Object</code> to test against
+ * @return true if the specified object is equal to this one
+ */
+ public boolean equals(Object obj)
+ {
+ if (! (obj instanceof CodeSource))
+ return false;
+ CodeSource cs = (CodeSource) obj;
+ return (certs == null ? cs.certs == null : certs.equals(cs.certs))
+ && (location == null ? cs.location == null
+ : location.equals(cs.location));
+ }
+
+ /**
+ * This method returns the URL specifying the location from which code
+ * will be loaded under this <code>CodeSource</code>.
+ *
+ * @return the code location for this <code>CodeSource</code>
+ */
+ public final URL getLocation()
+ {
+ return location;
+ }
+
+ /**
+ * This method returns the list of digital certificates that can be used
+ * to verify the signatures of code loaded under this
+ * <code>CodeSource</code>.
+ *
+ * @return the certifcate list for this <code>CodeSource</code>
+ */
+ public final Certificate[] getCertificates()
+ {
+ if (certs == null)
+ return null;
+ Certificate[] c = new Certificate[certs.size()];
+ certs.toArray(c);
+ return c;
+ }
+
+ /**
+ * This method tests to see if a specified <code>CodeSource</code> is
+ * implied by this object. Effectively, to meet this test, the specified
+ * object must have all the certifcates this object has (but may have more),
+ * and must have a location that is a subset of this object's. In order
+ * for this object to imply the specified object, the following must be
+ * true:
+ *
+ * <ol>
+ * <li><em>codesource</em> must not be <code>null</code>.</li>
+ * <li>If <em>codesource</em> has a certificate list, all of it's
+ * certificates must be present in the certificate list of this
+ * code source.</li>
+ * <li>If this object does not have a <code>null</code> location, then
+ * the following addtional tests must be passed.
+ *
+ * <ol>
+ * <li><em>codesource</em> must not have a <code>null</code>
+ * location.</li>
+ * <li><em>codesource</em>'s location must be equal to this object's
+ * location, or
+ * <ul>
+ * <li><em>codesource</em>'s location protocol, port, and ref (aka,
+ * anchor) must equal this objects</li>
+ * <li><em>codesource</em>'s location host must imply this object's
+ * location host, as determined by contructing
+ * <code>SocketPermission</code> objects from each with no
+ * action list and using that classes's <code>implies</code>
+ * method</li>
+ * <li>If this object's location file ends with a '/', then the
+ * specified object's location file must start with this
+ * object's location file. Otherwise, the specified object's
+ * location file must start with this object's location file
+ * with the '/' character appended to it.</li>
+ * </ul></li>
+ * </ol></li>
+ * </ol>
+ *
+ * <p>For example, each of these locations imply the location
+ * "http://java.sun.com/classes/foo.jar":</p>
+ *
+ * <pre>
+ * http:
+ * http://*.sun.com/classes/*
+ * http://java.sun.com/classes/-
+ * http://java.sun.com/classes/foo.jar
+ * </pre>
+ *
+ * <p>Note that the code source with null location and null certificates implies
+ * all other code sources.</p>
+ *
+ * @param cs the <code>CodeSource</code> to test against this object
+ * @return true if this specified <code>CodeSource</code> is implied
+ */
+ public boolean implies(CodeSource cs)
+ {
+ if (cs == null)
+ return false;
+ // First check the certificate list.
+ if (certs != null && (cs.certs == null || ! certs.containsAll(cs.certs)))
+ return false;
+ // Next check the location.
+ if (location == null)
+ return true;
+ if (cs.location == null
+ || ! location.getProtocol().equals(cs.location.getProtocol())
+ || (location.getPort() != -1
+ && location.getPort() != cs.location.getPort())
+ || (location.getRef() != null
+ && ! location.getRef().equals(cs.location.getRef())))
+ return false;
+ if (location.getHost() != null)
+ {
+ String their_host = cs.location.getHost();
+ if (their_host == null)
+ return false;
+ SocketPermission our_sockperm =
+ new SocketPermission(location.getHost(), "accept");
+ SocketPermission their_sockperm =
+ new SocketPermission(their_host, "accept");
+ if (! our_sockperm.implies(their_sockperm))
+ return false;
+ }
+ String our_file = location.getFile();
+ if (our_file != null)
+ {
+ if (! our_file.endsWith("/"))
+ our_file += "/";
+ String their_file = cs.location.getFile();
+ if (their_file == null
+ || ! their_file.startsWith(our_file))
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * This method returns a <code>String</code> that represents this object.
+ * The result is in the format <code>"(" + getLocation()</code> followed
+ * by a space separated list of certificates (or "&lt;no certificates&gt;"),
+ * followed by <code>")"</code>.
+ *
+ * @return a <code>String</code> for this object
+ */
+ public String toString()
+ {
+ StringBuffer sb = new StringBuffer("(").append(location);
+ if (certs == null || certs.isEmpty())
+ sb.append(" <no certificates>");
+ else
+ {
+ Iterator iter = certs.iterator();
+ for (int i = certs.size(); --i >= 0; )
+ sb.append(' ').append(iter.next());
+ }
+ return sb.append(")").toString();
+ }
+
+ /**
+ * Reads this object from a serialization stream.
+ *
+ * @param s the input stream
+ * @throws IOException if reading fails
+ * @throws ClassNotFoundException if deserialization fails
+ * @serialData this reads the location, then expects an int indicating the
+ * number of certificates. Each certificate is a String type
+ * followed by an int encoding length, then a byte[] encoding
+ */
+ private void readObject(ObjectInputStream s)
+ throws IOException, ClassNotFoundException
+ {
+ s.defaultReadObject();
+ int count = s.readInt();
+ certs = new HashSet();
+ while (--count >= 0)
+ {
+ String type = (String) s.readObject();
+ int bytes = s.readInt();
+ byte[] encoded = new byte[bytes];
+ for (int i = 0; i < bytes; i++)
+ encoded[i] = s.readByte();
+ ByteArrayInputStream stream = new ByteArrayInputStream(encoded);
+ try
+ {
+ CertificateFactory factory = CertificateFactory.getInstance(type);
+ certs.add(factory.generateCertificate(stream));
+ }
+ catch (CertificateException e)
+ {
+ // XXX Should we ignore this certificate?
+ }
+ }
+ }
+
+ /**
+ * Writes this object to a serialization stream.
+ *
+ * @param s the output stream
+ * @throws IOException if writing fails
+ * @serialData this writes the location, then writes an int indicating the
+ * number of certificates. Each certificate is a String type
+ * followed by an int encoding length, then a byte[] encoding
+ */
+ private void writeObject(ObjectOutputStream s) throws IOException
+ {
+ s.defaultWriteObject();
+ if (certs == null)
+ s.writeInt(0);
+ else
+ {
+ int count = certs.size();
+ s.writeInt(count);
+ Iterator iter = certs.iterator();
+ while (--count >= 0)
+ {
+ Certificate c = (Certificate) iter.next();
+ s.writeObject(c.getType());
+ byte[] encoded;
+ try
+ {
+ encoded = c.getEncoded();
+ }
+ catch (CertificateEncodingException e)
+ {
+ // XXX Should we ignore this certificate?
+ encoded = null;
+ }
+ if (encoded == null)
+ s.writeInt(0);
+ else
+ {
+ s.writeInt(encoded.length);
+ for (int i = 0; i < encoded.length; i++)
+ s.writeByte(encoded[i]);
+ }
+ }
+ }
+ }
+} // class CodeSource
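Review bot: The certificate test in `implies` checks containment in the opposite direction from the method's own summary: `certs.containsAll(cs.certs)` requires this object to hold every certificate of `cs`, while the Javadoc opens by saying the specified object must have all the certificates this object has. As written, a `cs` whose set is empty but non-null passes for any signer list, and `readObject` always leaves `certs` as an empty `HashSet` rather than null, so a grant scoped to signed code could match a code source carrying no certificates. If the summary is the intended rule, the condition would be `if (certs != null && (cs.certs == null || ! cs.certs.containsAll(certs)))`, and item 2 of the Javadoc list needs the same correction. `readObject` also sizes `new byte[bytes]` from an int read off the stream without a range check. It silently drops any certificate that raises `CertificateException`, so a deserialized object can hold fewer certificates than were written; both cases are better reported as an `IOException`.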
diff --git a/libjava/classpath/java/security/DigestException.java b/libjava/classpath/java/security/DigestException.java
new file mode 100644
index 00000000000..6393e0cc834
--- /dev/null
+++ b/libjava/classpath/java/security/DigestException.java
@@ -0,0 +1,70 @@
+/* DigestException.java -- A generic message digest exception
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception indicates that a generic message digest exception has
+ * occurred.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class DigestException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 5821450303093652515L;
+
+ /**
+ * Create a new instance with no descriptive message.
+ */
+ public DigestException()
+ {
+ }
+
+ /**
+ * Create a new instance with a descriptive error message.
+ *
+ * @param msg the descriptive message
+ */
+ public DigestException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/DigestInputStream.java b/libjava/classpath/java/security/DigestInputStream.java
new file mode 100644
index 00000000000..0d4a9d05dc6
--- /dev/null
+++ b/libjava/classpath/java/security/DigestInputStream.java
@@ -0,0 +1,167 @@
+/* DigestInputStream.java --- An Input stream tied to a message digest
+ Copyright (C) 1999, 2003, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * DigestInputStream is a class that ties an InputStream with a
+ * MessageDigest. The Message Digest is used by the class to
+ * update it self as bytes are read from the InputStream.
+ *
+ * The updating to the digest depends on the on flag which is set
+ * to true by default to tell the class to update the data
+ * in the message digest.
+ *
+ * @version 0.0
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ */
+public class DigestInputStream extends FilterInputStream
+{
+ /**
+ * The message digest for the DigestInputStream
+ */
+ protected MessageDigest digest;
+
+ //Manages the on flag
+ private boolean state = true;
+
+ /**
+ * Constructs a new DigestInputStream.
+ * It associates a MessageDigest with the stream to
+ * compute the stream as data is written.
+ *
+ * @param stream An InputStream to associate this stream with
+ * @param digest A MessageDigest to hash the stream with
+ */
+ public DigestInputStream(InputStream stream, MessageDigest digest)
+ {
+ super(stream);
+ //this.in = stream;
+ this.digest = digest;
+ }
+
+ /**
+ * Returns the MessageDigest associated with this DigestInputStream
+ *
+ * @return The MessageDigest used to hash this stream
+ */
+ public MessageDigest getMessageDigest()
+ {
+ return digest;
+ }
+
+ /**
+ * Sets the current MessageDigest to current parameter
+ *
+ * @param digest A MessageDigest to associate with this stream
+ */
+ public void setMessageDigest(MessageDigest digest)
+ {
+ this.digest = digest;
+ }
+
+ /**
+ * Reads a byte from the input stream and updates the digest.
+ * This method reads the underlying input stream and if the
+ * on flag is true then updates the message digest.
+ *
+ * @return Returns a byte from the input stream, -1 is returned to indicate that
+ * the end of stream was reached before this read call
+ *
+ * @throws IOException if an IO error occurs in the underlying input stream,
+ * this error is thrown
+ */
+ public int read() throws IOException
+ {
+ int temp = in.read();
+
+ if (state == true && temp != -1)
+ digest.update((byte) temp);
+
+ return temp;
+ }
+
+ /**
+ * Reads bytes from the input stream and updates the digest.
+ * This method reads the underlying input stream and if the
+ * on flag is true then updates the message digest.
+ *
+ * @param b a byte array to store the data from the input stream
+ * @param off an offset to start at in the array
+ * @param len length of data to read
+ * @return Returns count of bytes read, -1 is returned to indicate that
+ * the end of stream was reached before this read call
+ *
+ * @throws IOException if an IO error occurs in the underlying input stream,
+ * this error is thrown
+ */
+ public int read(byte[]b, int off, int len) throws IOException
+ {
+ int temp = in.read(b, off, len);
+
+ if (state == true && temp != -1)
+ digest.update(b, off, temp);
+
+ return temp;
+ }
+
+ /**
+ * Sets the flag specifing if this DigestInputStream updates the
+ * digest in the write() methods. The default is on;
+ *
+ * @param on True means it digests stream, false means it does not
+ */
+ public void on(boolean on)
+ {
+ state = on;
+ }
+
+ /**
+ * Converts the input stream and underlying message digest to a string.
+ *
+ * @return A string representing the input stream and message digest.
+ */
+ public String toString()
+ {
+ return "[Digest Input Stream] " + digest.toString();
+ }
+}
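Review bot: The class and `on()` Javadoc never say which bytes end up in the digest, and `on()` refers to "the write() methods" although this stream only has `read()`. Only `read()` and `read(byte[], int, int)` are overridden, so bytes passed over with an inherited `skip()` are presumably never hashed, and bytes re-read after `reset()` would be hashed a second time (FilterInputStream is not part of this hunk). A caller that uses the digest as an integrity check over a whole stream needs that stated. I would add to the class comment `Only bytes returned by the read methods are digested; skipped bytes are not, and bytes re-read after reset() are digested again.` and change the `on()` text to `digest in the read() methods`.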
diff --git a/libjava/classpath/java/security/DigestOutputStream.java b/libjava/classpath/java/security/DigestOutputStream.java
new file mode 100644
index 00000000000..037b39e789c
--- /dev/null
+++ b/libjava/classpath/java/security/DigestOutputStream.java
@@ -0,0 +1,158 @@
+/* DigestOutputStream.java --- An output stream tied to a message digest
+ Copyright (C) 1999, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+/**
+ * DigestOutputStream is a class that ties an OutputStream with a
+ * MessageDigest. The Message Digest is used by the class to update it
+ * self as bytes are written to the OutputStream.
+ *
+ * The updating to the digest depends on the on flag which is set to
+ * true by default that tells the class to update the data in the
+ * message digest.
+ *
+ * @version 0.0
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ */
+public class DigestOutputStream extends FilterOutputStream
+{
+ /**
+ * The message digest for the DigestOutputStream
+ */
+ protected MessageDigest digest;
+
+ //Manages the on flag
+ private boolean state = true;
+
+ /**
+ * Constructs a new DigestOutputStream. It associates a
+ * MessageDigest with the stream to compute the stream as data is
+ * written.
+ *
+ * @param stream An OutputStream to associate this stream with
+ * @param digest A MessageDigest to hash the stream with
+ */
+ public DigestOutputStream(OutputStream stream, MessageDigest digest)
+ {
+ super(stream);
+ this.digest = digest;
+ }
+
+ /**
+ * Returns the MessageDigest associated with this DigestOutputStream
+ *
+ * @return The MessageDigest used to hash this stream
+ */
+ public MessageDigest getMessageDigest()
+ {
+ return digest;
+ }
+
+ /**
+ * Sets the current MessageDigest to current parameter
+ *
+ * @param digest A MessageDigest to associate with this stream
+ */
+ public void setMessageDigest(MessageDigest digest)
+ {
+ this.digest = digest;
+ }
+
+
+ /**
+ * Updates the hash if the on flag is true and then writes a byte to
+ * the underlying output stream.
+ *
+ * @param b A byte to write to the output stream
+ *
+ * @exception IOException if the underlying output stream
+ * cannot write the byte, this is thrown.
+ */
+ public void write(int b) throws IOException
+ {
+ if (state)
+ digest.update((byte) b);
+
+ out.write(b);
+ }
+
+ /**
+ * Updates the hash if the on flag is true and then writes the bytes
+ * to the underlying output stream.
+ *
+ * @param b Bytes to write to the output stream
+ * @param off Offset to start to start at in array
+ * @param len Length of data to write
+ *
+ * @exception IOException if the underlying output stream
+ * cannot write the bytes, this is thrown.
+ */
+ public void write(byte[]b, int off, int len) throws IOException
+ {
+ if (state)
+ digest.update(b, off, len);
+
+ out.write(b, off, len);
+ }
+
+ /**
+ * Sets the flag specifying if this DigestOutputStream updates the
+ * digest in the write() methods. The default is on;
+ *
+ * @param on True means it digests stream, false means it does not
+ */
+ public void on(boolean on)
+ {
+ state = on;
+ }
+
+ /**
+ * Converts the output stream and underlying message digest to a string.
+ *
+ * @return A string representing the output stream and message digest.
+ */
+ public String toString()
+ {
+ return "[Digest Output Stream] " + digest.toString();
+ }
+}
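Review bot: Both `write` methods update the digest before calling `out.write`, so when the underlying stream throws IOException the digest already covers bytes that were never written. For a digest meant to describe what actually reached the sink, writing first is the safer order: in `write(int)` use `out.write(b);` followed by `if (state) digest.update((byte) b);`, and the same order in `write(byte[], int, int)`. The two Javadoc sentences that say the hash is updated "and then" the data is written would need to follow the new order.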
diff --git a/libjava/classpath/java/security/DomainCombiner.java b/libjava/classpath/java/security/DomainCombiner.java
new file mode 100644
index 00000000000..9ec680c63af
--- /dev/null
+++ b/libjava/classpath/java/security/DomainCombiner.java
@@ -0,0 +1,67 @@
+/* DomainCombiner.java -- Combines ProtectionDomains
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * A public interface used to combine two ProtectionDomains in a new
+ * ProtectionDomain and update the current Protection Domains
+ * associated with the current AccessControlContext.
+ *
+ * It can add, subtract, or update ProtectionDomains or possibly
+ * remove duplicates or any possible complex action but just not add
+ * ones that do not already exist in either array.
+ *
+ * @author Mark Benvenuto
+ * @see AccessControlContext
+ * @see AccessController
+ * @since 1.3
+ * @status updated to 1.4
+ */
+public interface DomainCombiner
+{
+ /**
+ * Combines the current ProtectionDomains of the Thread with new
+ * ProtectionDomains.
+ *
+ * @param currentDomains - the ProtectionDomains for the current thread.
+ * @param assignedDomains - ProtectionsDomains to add
+ * @return a new array of all the ProtectionDomains
+ */
+ ProtectionDomain[] combine(ProtectionDomain[] currentDomains,
+ ProtectionDomain[] assignedDomains);
+} // interface DomainCombiner
diff --git a/libjava/classpath/java/security/DummyKeyPairGenerator.java b/libjava/classpath/java/security/DummyKeyPairGenerator.java
new file mode 100644
index 00000000000..da8c362eb71
--- /dev/null
+++ b/libjava/classpath/java/security/DummyKeyPairGenerator.java
@@ -0,0 +1,75 @@
+/* DummyKeyPairGenerator.java - Wrapper for KeyPairGeneratorSpi
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+final class DummyKeyPairGenerator extends KeyPairGenerator
+{
+ private KeyPairGeneratorSpi kpgSpi = null;
+
+ public DummyKeyPairGenerator(KeyPairGeneratorSpi kpgSpi, String algorithm)
+ {
+ super(algorithm);
+ this.kpgSpi = kpgSpi;
+ }
+
+ public Object clone() throws CloneNotSupportedException
+ {
+ KeyPairGenerator result = new DummyKeyPairGenerator
+ ((KeyPairGeneratorSpi) kpgSpi.clone(), this.getAlgorithm());
+ result.provider = this.getProvider();
+ return result;
+ }
+
+ public void initialize(int keysize, SecureRandom random)
+ {
+ kpgSpi.initialize(keysize, random);
+ }
+
+ public void initialize(AlgorithmParameterSpec params, SecureRandom random)
+ throws InvalidAlgorithmParameterException
+ {
+ kpgSpi.initialize(params, random);
+ }
+
+ public KeyPair generateKeyPair()
+ {
+ return kpgSpi.generateKeyPair();
+ }
+}
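Review bot: `kpgSpi` is initialised to null and then assigned exactly once in the constructor, yet it is not `final`, and a null SPI is accepted and only fails later inside `initialize` or `generateKeyPair`. Declaring it `private final KeyPairGeneratorSpi kpgSpi;` and rejecting null up front with `if (kpgSpi == null) throw new NullPointerException("kpgSpi");` fixes the wrapper's single delegate and moves the failure to construction, assuming no caller relies on passing null. The same pattern appears in DummyMessageDigest (`mdSpi`) and DummySignature (`sigSpi`) further down this diff. None of the three classes has a class comment; one line stating that each adapts a provider SPI object to the public API class would help the next reader.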
diff --git a/libjava/classpath/java/security/DummyMessageDigest.java b/libjava/classpath/java/security/DummyMessageDigest.java
new file mode 100644
index 00000000000..6cecdcf6801
--- /dev/null
+++ b/libjava/classpath/java/security/DummyMessageDigest.java
@@ -0,0 +1,90 @@
+/* DummyMessageDigest.java - Wrapper for MessageDigestSpi
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+final class DummyMessageDigest extends MessageDigest
+{
+ private MessageDigestSpi mdSpi = null;
+
+ public DummyMessageDigest(MessageDigestSpi mdSpi, String algorithm)
+ {
+ super(algorithm);
+ this.mdSpi = mdSpi;
+ }
+
+ public Object clone() throws CloneNotSupportedException
+ {
+ MessageDigest result = new DummyMessageDigest
+ ((MessageDigestSpi) mdSpi.clone(), this.getAlgorithm());
+ result.provider = this.getProvider();
+ return result;
+ }
+
+ // java.security.MessageDigestSpi abstract methods implementation ---------
+
+ public byte[] engineDigest()
+ {
+ return mdSpi.engineDigest();
+ }
+
+ public int engineDigest(byte[] buf, int offset, int len)
+ throws DigestException
+ {
+ return mdSpi.engineDigest(buf, offset, len);
+ }
+
+ public int engineGetDigestLength()
+ {
+ return mdSpi.engineGetDigestLength();
+ }
+
+ public void engineReset()
+ {
+ mdSpi.engineReset();
+ }
+
+ public void engineUpdate(byte input)
+ {
+ mdSpi.engineUpdate(input);
+ }
+
+ public void engineUpdate(byte[] input, int offset, int len)
+ {
+ mdSpi.engineUpdate(input, offset, len);
+ }
+}
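Review bot: The `engine*` overrides are declared `public` here, while DummySignature in this same commit keeps its `engine*` methods `protected`. Assuming MessageDigestSpi declares them protected as the standard API does (that class is not in this hunk), the wider modifier is unnecessary: the class is package-private, so ordinary callers cannot name it, but the SPI entry points still become public members of every instance. I would keep the SPI's visibility, for example `protected byte[] engineDigest()`, and likewise for the other five methods.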
diff --git a/libjava/classpath/java/security/DummySignature.java b/libjava/classpath/java/security/DummySignature.java
new file mode 100644
index 00000000000..b74885c9973
--- /dev/null
+++ b/libjava/classpath/java/security/DummySignature.java
@@ -0,0 +1,102 @@
+/* DummySignature.java - Signature wrapper for SignatureSpi.
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+final class DummySignature extends Signature
+{
+ private SignatureSpi sigSpi = null;
+
+ public DummySignature(SignatureSpi sigSpi, String algorithm)
+ {
+ super(algorithm);
+ this.sigSpi = sigSpi;
+ }
+
+ public Object clone() throws CloneNotSupportedException
+ {
+ Signature result = new DummySignature
+ ((SignatureSpi) sigSpi.clone(), this.getAlgorithm());
+ result.provider = this.getProvider();
+ return result;
+ }
+
+ protected void engineInitVerify(PublicKey publicKey)
+ throws InvalidKeyException
+ {
+ sigSpi.engineInitVerify(publicKey);
+ }
+
+ protected void engineInitSign(PrivateKey privateKey)
+ throws InvalidKeyException
+ {
+ sigSpi.engineInitSign(privateKey);
+ }
+
+ protected void engineUpdate(byte b) throws SignatureException
+ {
+ sigSpi.engineUpdate(b);
+ }
+
+ protected void engineUpdate(byte[]b, int off, int len)
+ throws SignatureException
+ {
+ sigSpi.engineUpdate(b, off, len);
+ }
+
+ protected byte[] engineSign() throws SignatureException
+ {
+ return sigSpi.engineSign();
+ }
+
+ protected boolean engineVerify(byte[]sigBytes) throws SignatureException
+ {
+ return sigSpi.engineVerify(sigBytes);
+ }
+
+ protected void engineSetParameter(String param, Object value)
+ throws InvalidParameterException
+ {
+ sigSpi.engineSetParameter(param, value);
+ }
+
+ protected Object engineGetParameter(String param)
+ throws InvalidParameterException
+ {
+ return sigSpi.engineGetParameter(param);
+ }
+}
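Review bot: Only the abstract `engine*` methods are forwarded to `sigSpi`. The standard SignatureSpi API also has non-abstract overloads such as `engineInitSign(PrivateKey, SecureRandom)` and `engineSetParameter(AlgorithmParameterSpec)`. If this tree's SignatureSpi declares them (not visible in this hunk), calls on the wrapper run the inherited default instead of the provider's implementation, so a caller-supplied SecureRandom or parameter spec may never reach the wrapped SPI. Forwarding them too would close that gap, for example `protected void engineInitSign(PrivateKey privateKey, SecureRandom random) throws InvalidKeyException { sigSpi.engineInitSign(privateKey, random); }`.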
diff --git a/libjava/classpath/java/security/GeneralSecurityException.java b/libjava/classpath/java/security/GeneralSecurityException.java
new file mode 100644
index 00000000000..72453ee8cbf
--- /dev/null
+++ b/libjava/classpath/java/security/GeneralSecurityException.java
@@ -0,0 +1,75 @@
+/* GeneralSecurityException.java -- Common superclass of security exceptions
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This class is the common superclass of all security exceptions. All
+ * exceptions in java.security extend this class with the exception (no
+ * pun intended) of <code>AccessControlException</code> and
+ * <code>CertificateException</code> (which extend
+ * <code>SecurityException</code>), <code>ProviderException</code>
+ * (<code>RuntimeException</code>), and <code>InvalidParamterException</code>
+ * (<code>IllegalArgumentException</code>).
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class GeneralSecurityException extends Exception
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 894798122053539237L;
+
+ /**
+ * Create a new instance with no descriptive error message.
+ */
+ public GeneralSecurityException()
+ {
+ }
+
+ /**
+ * Create a new instance with a descriptive error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public GeneralSecurityException(String msg)
+ {
+ super(msg);
+ }
+}
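Review bot: The class comment misspells `InvalidParamterException`; it should read `InvalidParameterException`. It also lists `CertificateException` among the classes that extend `SecurityException`, whereas in the standard API that exception lives in java.security.cert and extends GeneralSecurityException. That sentence is worth checking against this tree's class, which is not part of this hunk.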
diff --git a/libjava/classpath/java/security/Guard.java b/libjava/classpath/java/security/Guard.java
new file mode 100644
index 00000000000..4f22360a424
--- /dev/null
+++ b/libjava/classpath/java/security/Guard.java
@@ -0,0 +1,60 @@
+/* Guard.java -- Check access to a guarded object
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This interface specifies a mechanism for querying whether or not
+ * access is allowed to a guarded object.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see GuardedObject
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface Guard
+{
+ /**
+ * This method tests whether or not access is allowed to the specified
+ * guarded object. Access is allowed if this method returns silently. If
+ * access is denied, an exception is generated.
+ *
+ * @param obj the <code>Object</code> to test
+ * @throws SecurityException if access to the object is denied
+ */
+ void checkGuard(Object obj);
+} // interface Guard
diff --git a/libjava/classpath/java/security/GuardedObject.java b/libjava/classpath/java/security/GuardedObject.java
new file mode 100644
index 00000000000..5ca08835dc5
--- /dev/null
+++ b/libjava/classpath/java/security/GuardedObject.java
@@ -0,0 +1,121 @@
+/* GuardedObject.java -- An object protected by a Guard
+ Copyright (C) 1998, 2002, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.IOException;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+
+/**
+ * This class is an object that is guarded by a <code>Guard</code> object.
+ * The object that is being guarded is retrieved by a call to the only
+ * method in this class - <code>getObject</code>. That method returns the
+ * guarded <code>Object</code> after first checking with the
+ * <code>Guard</code>. If the <code>Guard</code> disallows access, an
+ * exception will be thrown.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public class GuardedObject implements Serializable
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -5240450096227834308L;
+
+ /**
+ * This is the Guard that is protecting the object.
+ *
+ * @serial the guard
+ */
+ private final Guard guard;
+
+ /**
+ * This is the object that is being guarded.
+ *
+ * @serial the protected object
+ */
+ private final Object object;
+
+ /**
+ * This method initializes a new instance of <code>GuardedObject</code>
+ * that protects the specified <code>Object</code> using the specified
+ * <code>Guard</code>. A null guard means there are no restrictions on
+ * accessing the object.
+ *
+ * @param object the <code>Object</code> to guard
+ * @param guard the <code>Guard</code> that is protecting the object
+ */
+ public GuardedObject(Object object, Guard guard)
+ {
+ this.object = object;
+ this.guard = guard;
+ }
+
+ /**
+ * This method first call the <code>checkGuard</code> method on the
+ * <code>Guard</code> object protecting the guarded object. If the
+ * <code>Guard</code> disallows access, an exception is thrown, otherwise
+ * the <code>Object</code> is returned.
+ *
+ * @return The object being guarded
+ * @throws SecurityException if access is denied
+ */
+ public Object getObject()
+ {
+ if (guard != null)
+ guard.checkGuard(object);
+ return object;
+ }
+
+ /**
+ * Ensures that serialization is legal, by checking the guard.
+ *
+ * @param s the stream to write to
+ * @throws IOException if the underlying stream fails
+ */
+ private void writeObject(ObjectOutputStream s) throws IOException
+ {
+ if (guard != null)
+ guard.checkGuard(object);
+ s.defaultWriteObject();
+ }
+} // class GuardedObject
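Review bot: The Javadoc on writeObject lists only IOException, but the method calls `guard.checkGuard(object)` before `s.defaultWriteObject()`, so serialization can also be aborted by the SecurityException that Guard.checkGuard is documented to throw. I would add `@throws SecurityException if the guard denies access to the object` to that comment. The constructor comment says a null guard means no restrictions, and both getObject and writeObject honour that with the `guard != null` test; the class comment should say the same, since an instance built with a null guard is returned and serialized without any check.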
diff --git a/libjava/classpath/java/security/Identity.java b/libjava/classpath/java/security/Identity.java
new file mode 100644
index 00000000000..26b01a50a6b
--- /dev/null
+++ b/libjava/classpath/java/security/Identity.java
@@ -0,0 +1,407 @@
+/* Identity.java --- Identity Class
+ Copyright (C) 1999, 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.io.Serializable;
+import java.util.Vector;
+
+/**
+ * <p>This class represents identities: real-world objects such as people,
+ * companies or organizations whose identities can be authenticated using their
+ * public keys. Identities may also be more abstract (or concrete) constructs,
+ * such as daemon threads or smart cards.</p>
+ *
+ * <p>All Identity objects have a <i>name</i> and a <i>public key</i>. Names
+ * are immutable. <i>Identities</i> may also be <b>scoped</b>. That is, if an
+ * <i>Identity</i> is specified to have a particular <i>scope</i>, then the
+ * <i>name</i> and <i>public key</i> of the <i>Identity</i> are unique within
+ * that <i>scope</i>.</p>
+ *
+ * <p>An <i>Identity</i> also has a <i>set of certificates</i> (all certifying
+ * its own <i>public key</i>). The <i>Principal</i> names specified in these
+ * certificates need not be the same, only the key.</p>
+ *
+ * <p>An <i>Identity</i> can be subclassed, to include postal and email
+ * addresses, telephone numbers, images of faces and logos, and so on.</p>
+ *
+ * @author Mark Benvenuto
+ * @see IdentityScope
+ * @see Signer
+ * @see Principal
+ * @deprecated This class is no longer used. Its functionality has been replaced
+ * by <code>java.security.KeyStore</code>, the <code>java.security.cert</code>
+ * package, and <code>java.security.Principal</code>.
+ */
+public abstract class Identity implements Principal, Serializable
+{
+ private static final long serialVersionUID = 3609922007826600659L;
+
+ private String name;
+ private IdentityScope scope;
+ private PublicKey publicKey;
+ private String info;
+ private Vector certificates;
+
+ /** Constructor for serialization only. */
+ protected Identity()
+ {
+ }
+
+ /**
+ * Constructs an identity with the specified name and scope.
+ *
+ * @param name the identity name.
+ * @param scope the scope of the identity.
+ * @throws KeyManagementException if there is already an identity with the
+ * same name in the scope.
+ */
+ public Identity(String name, IdentityScope scope)
+ throws KeyManagementException
+ {
+ this.name = name;
+ this.scope = scope;
+ }
+
+ /**
+ * Constructs an identity with the specified name and no scope.
+ *
+ * @param name the identity name.
+ */
+ public Identity(String name)
+ {
+ this.name = name;
+ this.scope = null;
+ }
+
+ /**
+ * Returns this identity's name.
+ *
+ * @return the name of this identity.
+ */
+ public final String getName()
+ {
+ return name;
+ }
+
+ /**
+ * Returns this identity's scope.
+ *
+ * @return the scope of this identity.
+ */
+ public final IdentityScope getScope()
+ {
+ return scope;
+ }
+
+ /**
+ * Returns this identity's public key.
+ *
+ * @return the public key for this identity.
+ * @see #setPublicKey(java.security.PublicKey)
+ */
+ public PublicKey getPublicKey()
+ {
+ return publicKey;
+ }
+
+ /**
+ * <p>Sets this identity's public key. The old key and all of this identity's
+ * certificates are removed by this operation.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"setIdentityPublicKey"</code> as its
+ * argument to see if it's ok to set the public key.</p>
+ *
+ * @param key the public key for this identity.
+ * @throws KeyManagementException if another identity in the identity's scope
+ * has the same public key, or if another exception occurs.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow setting the public
+ * key.
+ * @see #getPublicKey()
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public void setPublicKey(PublicKey key) throws KeyManagementException
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("setIdentityPublicKey");
+
+ this.publicKey = key;
+ }
+
+ /**
+ * <p>Specifies a general information string for this identity.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"setIdentityInfo"</code> as its
+ * argument to see if it's ok to specify the information string.</p>
+ *
+ * @param info the information string.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow setting the
+ * information string.
+ * @see #getInfo()
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public void setInfo(String info)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("setIdentityInfo");
+
+ this.info = info;
+ }
+
+ /**
+ * Returns general information previously specified for this identity.
+ *
+ * @return general information about this identity.
+ * @see #setInfo(String)
+ */
+ public String getInfo()
+ {
+ return info;
+ }
+
+ /**
+ * <p>Adds a certificate for this identity. If the identity has a public key,
+ * the public key in the certificate must be the same, and if the identity
+ * does not have a public key, the identity's public key is set to be that
+ * specified in the certificate.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"addIdentityCertificate"</code> as its
+ * argument to see if it's ok to add a certificate.</p>
+ *
+ * @param certificate the certificate to be added.
+ * @throws KeyManagementException if the certificate is not valid, if the
+ * public key in the certificate being added conflicts with this identity's
+ * public key, or if another exception occurs.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow adding a
+ * certificate.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public void addCertificate(Certificate certificate)
+ throws KeyManagementException
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("addIdentityCertificate");
+
+ // Check public key of this certificate against the first one in the vector
+ if (certificates.size() > 0)
+ {
+ if (((Certificate) certificates.firstElement()).getPublicKey() != publicKey)
+ throw new KeyManagementException("Public key does not match");
+ }
+ certificates.addElement(certificate);
+ }
+
+ /**
+ * <p>Removes a certificate from this identity.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"removeIdentityCertificate"</code> as
+ * its argument to see if it's ok to remove a certificate.</p>
+ *
+ * @param certificate the certificate to be removed.
+ * @throws KeyManagementException if the certificate is missing, or if
+ * another exception occurs.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow removing a
+ * certificate.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public void removeCertificate(Certificate certificate)
+ throws KeyManagementException
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("removeIdentityCertificate");
+
+ if (certificates.contains(certificate) == false)
+ throw new KeyManagementException("Certificate not found");
+
+ certificates.removeElement(certificate);
+ }
+
+ /**
+ * Returns a copy of all the certificates for this identity.
+ *
+ * @return a copy of all the certificates for this identity.
+ */
+ public Certificate[] certificates()
+ {
+ Certificate[] certs = new Certificate[certificates.size()];
+ int max = certificates.size();
+ for (int i = 0; i < max; i++)
+ certs[i] = (Certificate) certificates.elementAt(i);
+
+ return certs;
+ }
+
+ /**
+ * Tests for equality between the specified object and this identity. This
+ * first tests to see if the entities actually refer to the same object, in
+ * which case it returns <code>true</code>. Next, it checks to see if the
+ * entities have the same <i>name</i> and the same <i>scope</i>. If they do,
+ * the method returns <code>true</code>. Otherwise, it calls
+ * <code>identityEquals()</code>, which subclasses should override.
+ *
+ * @param identity the object to test for equality with this identity.
+ * @return <code>true</code> if the objects are considered equal, <code>false
+ * </code>otherwise.
+ * @see #identityEquals(Identity)
+ */
+ public final boolean equals(Object identity)
+ {
+ if (identity instanceof Identity)
+ {
+ if (identity == this)
+ return true;
+
+ if ((((Identity) identity).getName() == this.name) &&
+ (((Identity) identity).getScope() == this.scope))
+ return true;
+
+ return identityEquals((Identity) identity);
+ }
+ return false;
+ }
+
+ /**
+ * Tests for equality between the specified <code>identity</code> and this
+ * <i>identity</i>. This method should be overriden by subclasses to test for
+ * equality. The default behavior is to return <code>true</code> if the names
+ * and public keys are equal.
+ *
+ * @param identity the identity to test for equality with this identity.
+ * @return <code>true</code> if the identities are considered equal,
+ * <code>false</code> otherwise.
+ * @see #equals(Object)
+ */
+ protected boolean identityEquals(Identity identity)
+ {
+ return ((identity.getName() == this.name) &&
+ (identity.getPublicKey() == this.publicKey));
+ }
+
+ /**
+ * <p>Returns a short string describing this identity, telling its name and
+ * its scope (if any).</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"printIdentity"</code> as its argument
+ * to see if it's ok to return the string.</p>
+ *
+ * @return information about this identity, such as its name and the name of
+ * its scope (if any).
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow returning a string
+ * describing this identity.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public String toString()
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("printIdentity");
+
+ /* TODO: Insert proper format here */
+ return (name + ":@" + scope + " Public Key: " + publicKey);
+ }
+
+ /**
+ * <p>Returns a string representation of this identity, with optionally more
+ * details than that provided by the <code>toString()</code> method without
+ * any arguments.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"printIdentity"</code> as its argument
+ * to see if it's ok to return the string.</p>
+ *
+ * @param detailed whether or not to provide detailed information.
+ * @return information about this identity. If detailed is <code>true</code>,
+ * then this method returns more information than that provided by the
+ * <code>toString()</code> method without any arguments.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow returning a string
+ * describing this identity.
+ * @see #toString()
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public String toString(boolean detailed)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("printIdentity");
+
+ if (detailed)
+ {
+ /* TODO: Insert proper detailed format here */
+ return (name + ":@" + scope + " Public Key: " + publicKey);
+ }
+ else
+ {
+ /* TODO: Insert proper format here */
+ return (name + ":@" + scope + " Public Key: " + publicKey);
+ }
+ }
+
+ /**
+ * Returns a hashcode for this identity.
+ *
+ * @return a hashcode for this identity.
+ */
+ public int hashCode()
+ {
+ int ret = name.hashCode();
+ if (publicKey != null)
+ ret |= publicKey.hashCode();
+ if (scope != null)
+ ret |= scope.hashCode();
+ if (info != null)
+ ret |= info.hashCode();
+ if (certificates != null)
+ ret |= certificates.hashCode();
+
+ return ret;
+ }
+}
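Review bot: addCertificate never inspects the key of the certificate being added: the check compares the first stored certificate's key with `publicKey` by reference (`!=`), so a certificate carrying a different key is accepted, and the documented case of adopting the certificate's key when the identity has none is not implemented. The `certificates` field is also not assigned in any constructor, so addCertificate, removeCertificate and certificates() would throw NullPointerException on first use. The same reference comparison is applied to names in equals and identityEquals (`getName() == this.name`), where a value comparison with `equals` is presumably intended. hashCode folds in `info` and `certificates`, which equals ignores, so two identities that compare equal can hash differently. A possible shape for addCertificate follows.

```java
public void addCertificate(Certificate certificate)
  throws KeyManagementException
{
  // … unchanged: security manager check for "addIdentityCertificate" …

  if (certificates == null)
    certificates = new Vector();

  // Compare the incoming certificate's key by value, and adopt it when
  // this identity has no key yet, as the Javadoc describes.
  PublicKey certKey = certificate.getPublicKey();
  if (publicKey == null)
    publicKey = certKey;
  else if (! publicKey.equals(certKey))
    throw new KeyManagementException("Public key does not match");

  certificates.addElement(certificate);
}
```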
diff --git a/libjava/classpath/java/security/IdentityScope.java b/libjava/classpath/java/security/IdentityScope.java
new file mode 100644
index 00000000000..34dd011e280
--- /dev/null
+++ b/libjava/classpath/java/security/IdentityScope.java
@@ -0,0 +1,226 @@
+/* IdentityScope.java --- IdentityScope Class
+ Copyright (C) 1999, 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.util.Enumeration;
+
+/**
+ * <p>This class represents a scope for identities. It is an Identity itself,
+ * and therefore has a name and can have a scope. It can also optionally have a
+ * public key and associated certificates.</p>
+ *
+ * <p>An <code>IdentityScope</code> can contain {@link Identity} objects of all
+ * kinds, including {@link Signer}s. All types of <code>Identity</code> objects
+ * can be retrieved, added, and removed using the same methods. Note that it is
+ * possible, and in fact expected, that different types of identity scopes will
+ * apply different policies for their various operations on the various types of
+ * Identities.</p>
+ *
+ * <p>There is a one-to-one mapping between keys and identities, and there can
+ * only be one copy of one key per scope. For example, suppose Acme Software,
+ * Inc is a software publisher known to a user. Suppose it is an <i>Identity</i>,
+ * that is, it has a public key, and a set of associated certificates. It is
+ * named in the scope using the name "Acme Software". No other named <i>Identity
+ * </i> in the scope has the same public key. Of course, none has the same name
+ * as well.</p>
+ *
+ * @author Mark Benvenuto
+ * @see Identity
+ * @see Signer
+ * @see Principal
+ * @see Key
+ * @deprecated This class is no longer used. Its functionality has been replaced
+ * by <code>java.security.KeyStore</code>, the <code>java.security.cert</code>
+ * package, and <code>java.security.Principal</code>.
+ */
+public abstract class IdentityScope extends Identity
+{
+ private static final long serialVersionUID = -2337346281189773310L;
+ private static IdentityScope systemScope;
+
+ /**
+ * This constructor is used for serialization only and should not be used by
+ * subclasses.
+ */
+ protected IdentityScope()
+ {
+ super();
+ }
+
+ /**
+ * Constructs a new identity scope with the specified name.
+ *
+ * @param name the scope name.
+ */
+ public IdentityScope(String name)
+ {
+ super(name);
+ }
+
+ /**
+ * Constructs a new identity scope with the specified name and scope.
+ *
+ * @param name the scope name.
+ * @param scope the scope for the new identity scope.
+ * @throws KeyManagementException if there is already an identity with the
+ * same name in the scope.
+ */
+ public IdentityScope(String name, IdentityScope scope)
+ throws KeyManagementException
+ {
+ super(name, scope);
+ }
+
+ /**
+ * Returns the system's identity scope.
+ *
+ * @return the system's identity scope.
+ * @see #setSystemScope(IdentityScope)
+ */
+ public static IdentityScope getSystemScope()
+ {
+ if (systemScope == null)
+ {
+ //Load it
+ //systemScope;
+ }
+ return systemScope;
+ }
+
+ /**
+ * Sets the system's identity scope.
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"setSystemScope"</code> as its argument
+ * to see if it's ok to set the identity scope.</p>
+ *
+ * @param scope the scope to set.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow setting the
+ * identity scope.
+ * @see #getSystemScope()
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ protected static void setSystemScope(IdentityScope scope)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("setSystemScope");
+
+ systemScope = scope;
+ }
+
+ /**
+ * Returns the number of identities within this identity scope.
+ *
+ * @return the number of identities within this identity scope.
+ */
+ public abstract int size();
+
+ /**
+ * Returns the identity in this scope with the specified name (if any).
+ *
+ * @param name the name of the identity to be retrieved.
+ * @return the identity named name, or <code>null</code> if there are no
+ * identities named name in this scope.
+ */
+ public abstract Identity getIdentity(String name);
+
+ /**
+ * Retrieves the identity whose name is the same as that of the specified
+ * principal. (Note: <code>Identity</code> implements <code>Principal</code>.)
+ *
+ * @param principal the principal corresponding to the identity to be
+ * retrieved.
+ * @return the identity whose name is the same as that of the principal, or
+ * <code>null</code> if there are no identities of the same name in this scope.
+ */
+ public Identity getIdentity(Principal principal)
+ {
+ return getIdentity(principal.getName());
+ }
+
+ /**
+ * Retrieves the identity with the specified public key.
+ *
+ * @param key the public key for the identity to be returned.
+ * @return the identity with the given key, or <code>null</code> if there are
+ * no identities in this scope with that key.
+ */
+ public abstract Identity getIdentity(PublicKey key);
+
+ /**
+ * Adds an identity to this identity scope.
+ *
+ * @param identity the identity to be added.
+ * @throws KeyManagementException if the identity is not valid, a name
+ * conflict occurs, another identity has the same public key as the identity
+ * being added, or another exception occurs.
+ */
+ public abstract void addIdentity(Identity identity)
+ throws KeyManagementException;
+
+ /**
+ * Removes an identity from this identity scope.
+ *
+ * @param identity the identity to be removed.
+ * @throws KeyManagementException if the identity is missing, or another
+ * exception occurs.
+ */
+ public abstract void removeIdentity(Identity identity)
+ throws KeyManagementException;
+
+ /**
+ * Returns an enumeration of all identities in this identity scope.
+ *
+ * @return an enumeration of all identities in this identity scope.
+ */
+ public abstract Enumeration identities();
+
+ /**
+ * Returns a string representation of this identity scope, including its name,
+ * its scope name, and the number of identities in this identity scope.
+ *
+ * @return a string representation of this identity scope.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public String toString()
+ {
+ return (super.getName() + " " + super.getScope().getName() + " " + size());
+ }
+}
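Review bot: toString dereferences `super.getScope().getName()` unconditionally, yet the `IdentityScope(String name)` constructor leaves the scope null (Identity(String) sets `this.scope = null`), so printing a top-level scope throws NullPointerException. Reading the parent once with `IdentityScope parent = getScope();` and concatenating `(parent == null ? "" : parent.getName())` avoids that. The override also bypasses Identity.toString, which performs the `printIdentity` security-manager check, although its Javadoc still references checkSecurityAccess; if the check is meant to apply here it needs to be called explicitly. Separately, the `if (systemScope == null)` branch in getSystemScope contains only comments, so the method returns null until setSystemScope has been called, which its Javadoc should state.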
diff --git a/libjava/classpath/java/security/IntersectingDomainCombiner.java b/libjava/classpath/java/security/IntersectingDomainCombiner.java
new file mode 100644
index 00000000000..2bfcfb44233
--- /dev/null
+++ b/libjava/classpath/java/security/IntersectingDomainCombiner.java
@@ -0,0 +1,82 @@
+/* IntersectingDomainCombiner.java --
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.util.HashSet;
+
+/**
+ * A trivial implementation of {@link DomainCombiner} that produces the
+ * intersection of the supplied {@link ProtectionDomain} objects.
+ */
+final class IntersectingDomainCombiner implements DomainCombiner
+{
+
+ // Contstant.
+ // -------------------------------------------------------------------------
+
+ static final IntersectingDomainCombiner SINGLETON = new IntersectingDomainCombiner();
+
+ // Constructor.
+ // -------------------------------------------------------------------------
+
+ private IntersectingDomainCombiner()
+ {
+ }
+
+ // Methods.
+ // -------------------------------------------------------------------------
+
+ public ProtectionDomain[] combine (ProtectionDomain[] currentDomains,
+ ProtectionDomain[] assignedDomains)
+ {
+ HashSet newDomains = new HashSet ();
+ for (int i = 0; i < currentDomains.length; i++)
+ {
+ if (currentDomains[i] == null)
+ continue;
+ for (int j = 0; j < assignedDomains.length; j++)
+ {
+ if (currentDomains[i].equals (assignedDomains[j]))
+ newDomains.add (currentDomains[i]);
+ }
+ }
+ return (ProtectionDomain[])
+ newDomains.toArray(new ProtectionDomain[newDomains.size()]);
+ }
+}
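Review bot: combine reads `currentDomains.length` and `assignedDomains.length` without a null test, and as far as I recall the DomainCombiner contract in the JDK documentation allows either array to be null, so this would throw NullPointerException rather than return a result. A guard at the top such as `if (currentDomains == null || assignedDomains == null) return new ProtectionDomain[0];` would cover it. How the caller treats an empty domain array is not visible in this hunk and should be confirmed first, so that an empty intersection is not read as "no restrictions". The method also has no Javadoc; a short comment stating that the result holds each non-null current domain that equals some assigned domain, with duplicates removed, would document the behaviour.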
diff --git a/libjava/classpath/java/security/InvalidAlgorithmParameterException.java b/libjava/classpath/java/security/InvalidAlgorithmParameterException.java
new file mode 100644
index 00000000000..9b726199521
--- /dev/null
+++ b/libjava/classpath/java/security/InvalidAlgorithmParameterException.java
@@ -0,0 +1,73 @@
+/* InvalidAlgorithmParameterException.java -- an invalid parameter to a
+ security algorithm
+ Copyright (C) 2000, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * Thrown for an invalid security algorithm parameter.
+ *
+ * @author Warren Levy (warrenl@cygnus.com)
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class InvalidAlgorithmParameterException
+ extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 2864672297499471472L;
+
+ /**
+ * Construct an exception with no message.
+ */
+ public InvalidAlgorithmParameterException()
+ {
+ super();
+ }
+
+ /**
+ * Construct an exception with a message.
+ *
+ * @param msg the message
+ */
+ public InvalidAlgorithmParameterException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/InvalidKeyException.java b/libjava/classpath/java/security/InvalidKeyException.java
new file mode 100644
index 00000000000..cd5845a6181
--- /dev/null
+++ b/libjava/classpath/java/security/InvalidKeyException.java
@@ -0,0 +1,69 @@
+/* InvalidKeyException -- thrown for an invalid key
+ Copyright (C) 2000, 2002 Free Software Foundation
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * Thrown for an invalid key.
+ *
+ * @author Warren Levy (warrenl@cygnus.com)
+ * @status updated to 1.4
+ */
+public class InvalidKeyException extends KeyException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 5698479920593359816L;
+
+ /**
+ * Construct an exception with no message.
+ */
+ public InvalidKeyException()
+ {
+ }
+
+ /**
+ * Construct an exception with a message.
+ *
+ * @param msg the message
+ */
+ public InvalidKeyException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/InvalidParameterException.java b/libjava/classpath/java/security/InvalidParameterException.java
new file mode 100644
index 00000000000..c5218a04917
--- /dev/null
+++ b/libjava/classpath/java/security/InvalidParameterException.java
@@ -0,0 +1,70 @@
+/* InvalidParameterException.java -- an invalid parameter in the JCA/JCE engine
+ Copyright (C) 2000, 2002 Free Software Foundation
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * Thrown when an invalid parameter is passed to a method of the JCA/JCE
+ * engine classes.
+ *
+ * @author Warren Levy (warrenl@cygnus.com)
+ * @status updated to 1.4
+ */
+public class InvalidParameterException extends IllegalArgumentException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -857968536935667808L;
+
+ /**
+ * Construct an exception with no message.
+ */
+ public InvalidParameterException()
+ {
+ }
+
+ /**
+ * Construct an exception with a message.
+ *
+ * @param msg the message
+ */
+ public InvalidParameterException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/Key.java b/libjava/classpath/java/security/Key.java
new file mode 100644
index 00000000000..23652b6e7c4
--- /dev/null
+++ b/libjava/classpath/java/security/Key.java
@@ -0,0 +1,94 @@
+/* Key.java -- A abstract representation of a digital key
+ Copyright (C) 1998, 2000, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.io.Serializable;
+
+/**
+ * This interfaces models the base characteristics that all keys must
+ * have. These are: a key algorithm, an encoded form, and a format used
+ * to encode the key. Specific key types inherit from this interface.
+ * Note that since this interface extends <code>Serializable</code>, all
+ * keys may be serialized. Keys are generally obtained through key generators,
+ * including {@link KeyFactory}.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see PublicKey
+ * @see PrivateKey
+ * @see KeyPair
+ * @see KeyPairGenerator
+ * @see KeyFactory
+ * @see KeySpec
+ * @see Identity
+ * @see Signer
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface Key extends Serializable
+{
+ /**
+ * The version identifier used for serialization.
+ */
+ long serialVersionUID = 6603384152749567654L;
+
+ /**
+ * This method returns the name of the algorithm for this key. This is a
+ * <code>String</code> such as "RSA".
+ *
+ * @return the name of the algorithm in use
+ */
+ String getAlgorithm();
+
+ /**
+ * This method returns the name of the encoding format for this key. This
+ * is the name of the ASN.1 data format used for this key, such as
+ * "X.509" or "PKCS#8". This method returns <code>null</code> if this key
+ * does not have an encoding format.
+ *
+ * @return the name of the encoding format for this key, or null
+ */
+ String getFormat();
+
+ /**
+ * This method returns the encoded form of the key. If this key does not
+ * support encoding, this method returns <code>null</code>.
+ *
+ * @return the encoded form of the key, or null
+ */
+ byte[] getEncoded();
+} // interface Key
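Review bot: The Javadoc on `getEncoded()` does not say whether the returned array is a fresh copy or the implementation's internal buffer, so a caller that zeroes or modifies the array might alter the key itself. I would add a sentence such as `Implementations should return a new array on each call so that callers cannot modify the key's internal state.` The interface comment also says that all keys may be serialized because `Key` extends `Serializable`; a short caveat that serializing a private or secret key writes its key material to the stream would help implementers and callers. Minor wording: `This interfaces models` should read `This interface models`, and `A abstract` in the file header should be `An abstract`.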
diff --git a/libjava/classpath/java/security/KeyException.java b/libjava/classpath/java/security/KeyException.java
new file mode 100644
index 00000000000..feaf0249a95
--- /dev/null
+++ b/libjava/classpath/java/security/KeyException.java
@@ -0,0 +1,72 @@
+/* KeyException.java -- Thrown when there is a problem with a key
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when there is a problem with a key.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Key
+ * @status updated to 1.4
+ */
+public class KeyException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -7483676942812432108L;
+
+ /**
+ * This method initializes a new instance of <code>KeyException</code>
+ * with no descriptive message.
+ */
+ public KeyException()
+ {
+ }
+
+ /**
+ * This method initializes a new instance of <code>KeyException</code>
+ * with a descriptive message.
+ *
+ * @param msg the descriptive message
+ */
+ public KeyException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/KeyFactory.java b/libjava/classpath/java/security/KeyFactory.java
new file mode 100644
index 00000000000..64ce841fae8
--- /dev/null
+++ b/libjava/classpath/java/security/KeyFactory.java
@@ -0,0 +1,297 @@
+/* KeyFactory.java --- Key Factory Class
+ Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+
+/**
+ * <p>Key factories are used to convert keys (opaque cryptographic keys of type
+ * {@link Key}) into key specifications (transparent representations of the
+ * underlying key material), and vice versa.</p>
+ *
+ * <p>Key factories are bi-directional. That is, they allow you to build an
+ * opaque key object from a given key specification (key material), or to
+ * retrieve the underlying key material of a key object in a suitable format.</p>
+ *
+ * <p>Multiple compatible key specifications may exist for the same key. For
+ * example, a <i>DSA</i> public key may be specified using {@link
+ * java.security.spec.DSAPublicKeySpec} or {@link
+ * java.security.spec.X509EncodedKeySpec}. A key factory can be used to
+ * translate between compatible key specifications.</p>
+ *
+ * <p>The following is an example of how to use a key factory in order to
+ * instantiate a <i>DSA</i> public key from its encoding. Assume Alice has
+ * received a digital signature from Bob. Bob also sent her his public key (in
+ * encoded format) to verify his signature. Alice then performs the following
+ * actions:
+ *
+ * <pre>
+ * X509EncodedKeySpec bobPubKeySpec = new X509EncodedKeySpec(bobEncodedPubKey);
+ * KeyFactory keyFactory = KeyFactory.getInstance("DSA");
+ * PublicKey bobPubKey = keyFactory.generatePublic(bobPubKeySpec);
+ * Signature sig = Signature.getInstance("DSA");
+ * sig.initVerify(bobPubKey);
+ * sig.update(data);
+ * sig.verify(signature);
+ * </pre>
+ *
+ * @since 1.2
+ * @see Key
+ * @see PublicKey
+ * @see PrivateKey
+ * @see KeySpec
+ * @see java.security.spec.DSAPublicKeySpec
+ * @see java.security.spec.X509EncodedKeySpec
+ @author Mark Benvenuto
+ */
+public class KeyFactory
+{
+ /** The service name for key factories. */
+ private static final String KEY_FACTORY = "KeyFactory";
+
+ private KeyFactorySpi keyFacSpi;
+ private Provider provider;
+ private String algorithm;
+
+ /**
+ * Creates a <code>KeyFactory</code> object.
+ *
+ * @param keyFacSpi the delegate.
+ * @param provider the provider.
+ * @param algorithm the name of the algorithm to associate with this
+ * <code>KeyFactory</code>.
+ */
+ protected KeyFactory(KeyFactorySpi keyFacSpi, Provider provider,
+ String algorithm)
+ {
+ this.keyFacSpi = keyFacSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ /**
+ * Generates a <code>KeyFactory</code> object that implements the specified
+ * algorithm. If the default provider package provides an implementation of
+ * the requested algorithm, an instance of <code>KeyFactory</code> containing
+ * that implementation is returned. If the algorithm is not available in the
+ * default package, other packages are searched.
+ *
+ * @param algorithm the name of the requested key algorithm. See Appendix A
+ * in the Java Cryptography Architecture API Specification &amp; Reference
+ * for information about standard algorithm names.
+ * @return a <code>KeyFactory</code> object for the specified algorithm.
+ * @throws NoSuchAlgorithmException if the requested algorithm is not
+ * available in the default provider package or any of the other provider
+ * packages that were searched.
+ */
+ public static KeyFactory getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignore.
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Generates a <code>KeyFactory</code> object for the specified algorithm
+ * from the specified provider.
+ *
+ * @param algorithm the name of the requested key algorithm. See Appendix A
+ * in the Java Cryptography Architecture API Specification &amp; Reference
+ * for information about standard algorithm names.
+ * @param provider the name of the provider.
+ * @return a <code>KeyFactory</code> object for the specified algorithm.
+ * @throws NoSuchAlgorithmException if the algorithm is not available from
+ * the specified provider.
+ * @throws NoSuchProviderException if the provider has not been configured.
+ * @throws IllegalArgumentException if the provider name is null or empty.
+ * @see Provider
+ */
+ public static KeyFactory getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Generates a <code>KeyFactory</code> object for the specified algorithm from
+ * the specified provider. Note: the <code>provider</code> doesn't have to be
+ * registered.
+ *
+ * @param algorithm the name of the requested key algorithm. See Appendix A
+ * in the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @param provider the provider.
+ * @return a <code>KeyFactory</code> object for the specified algorithm.
+ * @throws NoSuchAlgorithmException if the algorithm is not available from
+ * the specified provider.
+ * @throws IllegalArgumentException if the <code>provider</code> is
+ * <code>null</code>.
+ * @since 1.4
+ * @see Provider
+ */
+ public static KeyFactory getInstance(String algorithm, Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+
+ try
+ {
+ return new KeyFactory((KeyFactorySpi)
+ Engine.getInstance(KEY_FACTORY, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ /**
+ * Returns the provider of this key factory object.
+ *
+ * @return the provider of this key factory object.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Gets the name of the algorithm associated with this <code>KeyFactory</code>.
+ *
+ * @return the name of the algorithm associated with this
+ * <code>KeyFactory</code>.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Generates a public key object from the provided key specification (key
+ * material).
+ *
+ * @param keySpec the specification (key material) of the public key.
+ * @return the public key.
+ * @throws InvalidKeySpecException if the given key specification is
+ * inappropriate for this key factory to produce a public key.
+ */
+ public final PublicKey generatePublic(KeySpec keySpec)
+ throws InvalidKeySpecException
+ {
+ return keyFacSpi.engineGeneratePublic(keySpec);
+ }
+
+ /**
+ * Generates a private key object from the provided key specification (key
+ * material).
+ *
+ * @param keySpec the specification (key material) of the private key.
+ * @return the private key.
+ * @throws InvalidKeySpecException if the given key specification is
+ * inappropriate for this key factory to produce a private key.
+ */
+ public final PrivateKey generatePrivate(KeySpec keySpec)
+ throws InvalidKeySpecException
+ {
+ return keyFacSpi.engineGeneratePrivate(keySpec);
+ }
+
+ /**
+ * Returns a specification (key material) of the given key object.
+ * <code>keySpec</code> identifies the specification class in which the key
+ * material should be returned. It could, for example, be
+ * <code>DSAPublicKeySpec.class</code>, to indicate that the key material
+ * should be returned in an instance of the {@link
+ * java.security.spec.DSAPublicKeySpec} class.
+ *
+ * @param key the key.
+ * @param keySpec the specification class in which the key material should be
+ * returned.
+ * @return the underlying key specification (key material) in an instance of
+ * the requested specification class.
+ * @throws InvalidKeySpecException if the requested key specification is
+ * inappropriate for the given key, or the given key cannot be processed
+ * (e.g., the given key has an unrecognized algorithm or format).
+ */
+ public final KeySpec getKeySpec(Key key, Class keySpec)
+ throws InvalidKeySpecException
+ {
+ return keyFacSpi.engineGetKeySpec(key, keySpec);
+ }
+
+ /**
+ * Translates a key object, whose provider may be unknown or potentially
+ * untrusted, into a corresponding key object of this key factory.
+ *
+ * @param key the key whose provider is unknown or untrusted.
+ * @return the translated key.
+ * @throws InvalidKeyException if the given key cannot be processed by this
+ * key factory.
+ */
+ public final Key translateKey(Key key) throws InvalidKeyException
+ {
+ return keyFacSpi.engineTranslateKey(key);
+ }
+}
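Review bot: In `getInstance(String, Provider)` both catch blocks throw `new NoSuchAlgorithmException(algorithm)` and drop the caught `InvocationTargetException` or `ClassCastException`, so a provider whose implementation fails to construct, or is of the wrong type, looks the same as an algorithm that is simply absent. If the 1.4 `Throwable.initCause` is available to this class library, the cause can be kept with `NoSuchAlgorithmException x = new NoSuchAlgorithmException(algorithm); x.initCause(ite); throw x;` (and likewise for `cce`). Separately, the class Javadoc example ends with `sig.verify(signature);` and discards the boolean result; since such examples get copied, it should read `boolean valid = sig.verify(signature);` with a sentence saying the data is accepted only when `valid` is true.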
diff --git a/libjava/classpath/java/security/KeyFactorySpi.java b/libjava/classpath/java/security/KeyFactorySpi.java
new file mode 100644
index 00000000000..1894fad08df
--- /dev/null
+++ b/libjava/classpath/java/security/KeyFactorySpi.java
@@ -0,0 +1,133 @@
+/* KeyFactorySpi.java --- Key Factory Service Provider Interface
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.KeySpec;
+
+/**
+ * KeyFactorySpi is the Service Provider Interface (SPI) for the
+ * KeyFactory class. This is the interface for providers to
+ * supply to implement a key factory for an algorithm.
+ *
+ * Key factories are used to convert keys (opaque cryptographic
+ * keys of type Key) into key specifications (transparent
+ * representations of the underlying key material).
+ *
+ * Key factories are bi-directional. They allow a key class
+ * to be converted into a key specification (key material) and
+ * back again.
+ *
+ * For example DSA public keys can be specified as
+ * DSAPublicKeySpec or X509EncodedKeySpec. The key factory
+ * translate these key specifications.
+ *
+ * @since JDK 1.2
+ * @author Mark Benvenuto
+ */
+public abstract class KeyFactorySpi
+{
+ /**
+ * Constucts a new KeyFactorySpi.
+ */
+ public KeyFactorySpi()
+ {
+ }
+
+ /**
+ * Generates a public key from the provided key specification.
+ *
+ * @param keySpec key specification
+ *
+ * @return the public key
+ *
+ * @throws InvalidKeySpecException invalid key specification for
+ * this key factory to produce a public key
+ */
+ protected abstract PublicKey engineGeneratePublic(KeySpec keySpec)
+ throws InvalidKeySpecException;
+
+
+ /**
+ * Generates a private key from the provided key specification.
+ *
+ * @param keySpec key specification
+ *
+ * @return the private key
+ *
+ * @throws InvalidKeySpecException invalid key specification for
+ * this key factory to produce a private key
+ */
+ protected abstract PrivateKey engineGeneratePrivate(KeySpec keySpec)
+ throws InvalidKeySpecException;
+
+ /**
+ * Returns a key specification for the given key. keySpec
+ * identifies the specification class to return the key
+ * material in.
+ *
+ * @param key the key
+ * @param keySpec the specification class to return the
+ * key material in.
+ *
+ * @return the key specification in an instance of the requested
+ * specification class
+ *
+ * @throws InvalidKeySpecException the requested key specification
+ * is inappropriate for this key or the key is
+ * unrecognized.
+ */
+ protected abstract KeySpec engineGetKeySpec(Key key, Class keySpec)
+ throws InvalidKeySpecException;
+
+
+ /**
+ * Translates the key from an unknown or untrusted provider
+ * into a key for this key factory.
+ *
+ * @param the key from an unknown or untrusted provider
+ *
+ * @return the translated key
+ *
+ * @throws InvalidKeySpecException if the key cannot be
+ * processed by this key factory
+ */
+ protected abstract Key engineTranslateKey(Key key)
+ throws InvalidKeyException;
+}
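Review bot: The Javadoc for `engineTranslateKey` disagrees with its signature: the tag `@param the key from an unknown or untrusted provider` has no parameter name, and `@throws InvalidKeySpecException` is documented although the method declares `throws InvalidKeyException`. Suggested tags: `@param key the key from an unknown or untrusted provider` and `@throws InvalidKeyException if the key cannot be processed by this key factory`. Two wording fixes in the same file: `Constucts` in the constructor comment should be `Constructs`, and `The key factory translate these key specifications` should use `translates`.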
diff --git a/libjava/classpath/java/security/KeyManagementException.java b/libjava/classpath/java/security/KeyManagementException.java
new file mode 100644
index 00000000000..694b4c242b6
--- /dev/null
+++ b/libjava/classpath/java/security/KeyManagementException.java
@@ -0,0 +1,71 @@
+/* KeyManagementException.java -- an exception in key management
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown whenever a problem related to the management of
+ * security keys is encountered.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Key
+ * @status updated to 1.4
+ */
+public class KeyManagementException extends KeyException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 947674216157062695L;
+
+ /**
+ * Create a new instance with no descriptive error message.
+ */
+ public KeyManagementException()
+ {
+ }
+
+ /**
+ * Create a new instance with a descriptive error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public KeyManagementException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/KeyPair.java b/libjava/classpath/java/security/KeyPair.java
new file mode 100644
index 00000000000..bf1a40a23ab
--- /dev/null
+++ b/libjava/classpath/java/security/KeyPair.java
@@ -0,0 +1,87 @@
+/* KeyPair.java --- Key Pair Class
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+import java.io.Serializable;
+
+/**
+ KeyPair serves as a simple container for public and private keys.
+ If properly initialized, this class should be treated like the
+ private key since it contains it and take approriate security
+ measures.
+
+ @author Mark Benvenuto
+ */
+public final class KeyPair implements Serializable
+{
+ private static final long serialVersionUID = -7565189502268009837L;
+
+ private PublicKey publicKey;
+ private PrivateKey privateKey;
+
+ /**
+ Initializes the KeyPair with a pubilc and private key.
+
+ @param publicKey Public Key to store
+ @param privateKey Private Key to store
+ */
+ public KeyPair(PublicKey publicKey, PrivateKey privateKey)
+ {
+ this.publicKey = publicKey;
+ this.privateKey = privateKey;
+ }
+
+ /**
+ Returns the public key stored in the KeyPair
+
+ @return The public key
+ */
+ public PublicKey getPublic()
+ {
+ return publicKey;
+ }
+
+ /**
+ Returns the private key stored in the KeyPair
+
+ @return The private key
+ */
+ public PrivateKey getPrivate()
+ {
+ return privateKey;
+ }
+}
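Review bot: The class Javadoc tells callers to treat a `KeyPair` like the private key, but it does not mention that the class is `Serializable` and that default serialization will write the `privateKey` field into whatever stream the pair is written to (assuming the `PrivateKey` implementation is itself serializable, which this hunk does not show). I would add to the class comment: `Serializing a KeyPair writes the private key; only write it to protected storage or channels.` Both fields are assigned only in the constructor and could be declared `private final` so the pair cannot be altered after construction. The Javadoc typos `approriate` and `pubilc` are worth fixing in the same pass.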
diff --git a/libjava/classpath/java/security/KeyPairGenerator.java b/libjava/classpath/java/security/KeyPairGenerator.java
new file mode 100644
index 00000000000..e6f926e2bf0
--- /dev/null
+++ b/libjava/classpath/java/security/KeyPairGenerator.java
@@ -0,0 +1,401 @@
+/* KeyPairGenerator.java --- Key Pair Generator Class
+ Copyright (C) 1999, 2002, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * <p>The <code>KeyPairGenerator</code> class is used to generate pairs of
+ * public and private keys. Key pair generators are constructed using the
+ * <code>getInstance()</code> factory methods (static methods that return
+ * instances of a given class).</p>
+ *
+ * <p>A Key pair generator for a particular algorithm creates a public/private
+ * key pair that can be used with this algorithm. It also associates
+ * algorithm-specific parameters with each of the generated keys.</p>
+ *
+ * <p>There are two ways to generate a key pair: in an algorithm-independent
+ * manner, and in an algorithm-specific manner. The only difference between the
+ * two is the initialization of the object:</p>
+ *
+ * <ul>
+ * <li><b>Algorithm-Independent Initialization</b><br/>
+ * All key pair generators share the concepts of a <i>keysize</i> and a
+ * <i>source of randomness</i>. The <i>keysize</i> is interpreted differently
+ * for different algorithms (e.g., in the case of the <i>DSA</i> algorithm,
+ * the <i>keysize</i> corresponds to the length of the modulus). There is an
+ * <code>initialize()</code> method in this <code>KeyPairGenerator</code>
+ * class that takes these two universally shared types of arguments. There
+ * is also one that takes just a <i>keysize</i> argument, and uses the
+ * {@link SecureRandom} implementation of the highest-priority installed
+ * provider as the <i>source of randomness</i>. (If none of the installed
+ * providers supply an implementation of {@link SecureRandom}, a
+ * system-provided source of randomness is used.)
+ *
+ * <p>Since no other parameters are specified when you call the above
+ * algorithm-independent initialize methods, it is up to the provider what
+ * to do about the algorithm-specific parameters (if any) to be associated
+ * with each of the keys.</p>
+ *
+ * <p>If the algorithm is the <i>DSA</i> algorithm, and the <i>keysize</i>
+ * (modulus size) is <code>512</code>, <code>768</code>, or <code>1024</code>,
+ * then the <b>GNU</b> provider uses a set of precomputed values for the
+ * <code>p</code>, <code>q</code>, and <code>g</code> parameters. If the
+ * <i>modulus size</i> is not one of the above values, the <b>GNU</b>
+ * provider creates a new set of parameters. Other providers might have
+ * precomputed parameter sets for more than just the three modulus sizes
+ * mentioned above. Still others might not have a list of precomputed
+ * parameters at all and instead always create new parameter sets.</p></li>
+ * <li><b>Algorithm-Specific Initialization</b><br/>
+ * For situations where a set of algorithm-specific parameters already
+ * exists (e.g., so-called <i>community parameters</i> in <i>DSA</i>), there
+ * are two initialize methods that have an {@link AlgorithmParameterSpec}
+ * argument. One also has a {@link SecureRandom} argument, while the the
+ * other uses the {@link SecureRandom} implementation of the highest-priority
+ * installed provider as the source of randomness. (If none of the installed
+ * providers supply an implementation of {@link SecureRandom}, a
+ * system-provided source of randomness is used.)</li>
+ * </ul>
+ *
+ * <p>In case the client does not explicitly initialize the
+ * <code>KeyPairGenerator</code> (via a call to an initialize method), each
+ * provider must supply (and document) a default initialization. For example,
+ * the <b>GNU</b> provider uses a default modulus size (keysize) of
+ * <code>1024</code> bits.</p>
+ *
+ * <p>Note that this class is abstract and extends from {@link
+ * KeyPairGeneratorSpi} for historical reasons. Application developers should
+ * only take notice of the methods defined in this <code>KeyPairGenerator</code>
+ * class; all the methods in the superclass are intended for cryptographic
+ * service providers who wish to supply their own implementations of key pair
+ * generators.</p>
+ *
+ * @see Signature
+ * @see KeyPair
+ * @see AlgorithmParameterSpec
+ * @author Mark Benvenuto
+ * @author Casey Marshall
+ */
+public abstract class KeyPairGenerator extends KeyPairGeneratorSpi
+{
+ /** The service name for key pair generators. */
+ private static final String KEY_PAIR_GENERATOR = "KeyPairGenerator";
+
+ Provider provider;
+ private String algorithm;
+
+ /**
+ * Creates a <code>KeyPairGenerator</code> object for the specified
+ * algorithm.
+ *
+ * @param algorithm the standard string name of the algorithm.
+ * See Appendix A in the Java Cryptography Architecture API
+ * Specification &amp; Reference for information about standard
+ * algorithm names.
+ */
+ protected KeyPairGenerator(String algorithm)
+ {
+ this.algorithm = algorithm;
+ this.provider = null;
+ }
+
+ /**
+ * Returns the standard name of the algorithm for this key pair generator.
+ * See Appendix A in the Java Cryptography Architecture API Specification
+ * &amp; Reference for information about standard algorithm names.
+ *
+ * @return the standard string name of the algorithm.
+ */
+ public String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Generates a <code>KeyPairGenerator</code> object that implements the
+ * specified digest algorithm. If the default provider package provides an
+ * implementation of the requested digest algorithm, an instance of
+ * <code>KeyPairGenerator</code> containing that implementation is returned.
+ * If the algorithm is not available in the default package, other packages
+ * are searched.
+ *
+ * @param algorithm the standard string name of the algorithm. See Appendix A
+ * in the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @return the new <code>KeyPairGenerator</code> object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * environment.
+ */
+ public static KeyPairGenerator getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Generates a <code>KeyPairGenerator</code> object implementing the
+ * specified algorithm, as supplied from the specified provider, if
+ * such an algorithm is available from the provider.
+ *
+ * @param algorithm the standard string name of the algorithm. See
+ * Appendix A in the Java Cryptography Architecture API Specification
+ * &amp; Reference for information about standard algorithm names.
+ * @param provider the string name of the provider.
+ * @return the new <code>KeyPairGenerator</code> object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available
+ * from the provider.
+ * @throws NoSuchProviderException if the provider is not available in the
+ * environment.
+ * @throws IllegalArgumentException if the provider name is <code>null</code>
+ * or empty.
+ * @see Provider
+ */
+ public static KeyPairGenerator getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Generates a <code>KeyPairGenerator</code> object implementing the specified
+ * algorithm, as supplied from the specified provider, if such an algorithm is
+ * available from the provider. Note: the provider doesn't have to be
+ * registered.
+ *
+ * @param algorithm the standard string name of the algorithm. See Appendix A
+ * in the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @param provider the provider.
+ * @return the new <code>KeyPairGenerator</code> object.
+ * @throws NoSuchAlgorithmException if the <code>algorithm</code> is not
+ * available from the <code>provider</code>.
+ * @throws IllegalArgumentException if the <code>provider</code> is
+ * <code>null</code>.
+ * @since 1.4
+ * @see Provider
+ */
+ public static KeyPairGenerator getInstance(String algorithm,
+ Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Object o = null;
+ try
+ {
+ o = Engine.getInstance(KEY_PAIR_GENERATOR, algorithm, provider);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ KeyPairGenerator result = null;
+ if (o instanceof KeyPairGeneratorSpi)
+ {
+ result = new DummyKeyPairGenerator((KeyPairGeneratorSpi) o, algorithm);
+ }
+ else if (o instanceof KeyPairGenerator)
+ {
+ result = (KeyPairGenerator) o;
+ result.algorithm = algorithm;
+ }
+ result.provider = provider;
+ return result;
+ }
+
+ /**
+ * Returns the provider of this key pair generator object.
+ *
+ * @return the provider of this key pair generator object.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Initializes the key pair generator for a certain keysize using a default
+ * parameter set and the {@link SecureRandom} implementation of the
+ * highest-priority installed provider as the source of randomness. (If none
+ * of the installed providers supply an implementation of {@link SecureRandom},
+ * a system-provided source of randomness is used.)
+ *
+ * @param keysize the keysize. This is an algorithm-specific metric, such as
+ * modulus length, specified in number of bits.
+ * @throws InvalidParameterException if the keysize is not supported by this
+ * <code>KeyPairGenerator</code> object.
+ */
+ public void initialize(int keysize)
+ {
+ initialize(keysize, new SecureRandom());
+ }
+
+ /**
+ * Initializes the key pair generator for a certain keysize with the given
+ * source of randomness (and a default parameter set).
+ *
+ * @param keysize the keysize. This is an algorithm-specific metric, such as
+ * modulus length, specified in number of bits.
+ * @param random the source of randomness.
+ * @throws InvalidParameterException if the <code>keysize</code> is not
+ * supported by this <code>KeyPairGenerator</code> object.
+ * @since 1.2
+ */
+ public void initialize(int keysize, SecureRandom random)
+ {
+ initialize(keysize, random);
+ }
+
+ /**
+ * <p>Initializes the key pair generator using the specified parameter set and
+ * the {@link SecureRandom} implementation of the highest-priority installed
+ * provider as the source of randomness. (If none of the installed providers
+ * supply an implementation of {@link SecureRandom}, a system-provided source
+ * of randomness is used.)</p>
+ *
+ * <p>This concrete method has been added to this previously-defined abstract
+ * class. This method calls the
+ * {@link KeyPairGeneratorSpi#initialize(AlgorithmParameterSpec, SecureRandom)}
+ * initialize method, passing it <code>params</code> and a source of
+ * randomness (obtained from the highest-priority installed provider or
+ * system-provided if none of the installed providers supply one). That
+ * initialize method always throws an {@link UnsupportedOperationException}
+ * if it is not overridden by the provider.</p>
+ *
+ * @param params the parameter set used to generate the keys.
+ * @throws InvalidAlgorithmParameterException if the given parameters are
+ * inappropriate for this key pair generator.
+ * @since 1.2
+ */
+ public void initialize(AlgorithmParameterSpec params)
+ throws InvalidAlgorithmParameterException
+ {
+ initialize(params, new SecureRandom());
+ }
+
+ /**
+ * <p>Initializes the key pair generator with the given parameter set and
+ * source of randomness.</p>
+ *
+ * <p>This concrete method has been added to this previously-defined abstract
+ * class. This method calls the
+ * {@link KeyPairGeneratorSpi#initialize(AlgorithmParameterSpec, SecureRandom)}
+ * initialize method, passing it <code>params</code> and <code>random</code>.
+ * That initialize method always throws an {@link UnsupportedOperationException}
+ * if it is not overridden by the provider.</p>
+ *
+ * @param params the parameter set used to generate the keys.
+ * @param random the source of randomness.
+ * @throws InvalidAlgorithmParameterException if the given parameters are
+ * inappropriate for this key pair generator.
+ * @since 1.2
+ */
+ public void initialize(AlgorithmParameterSpec params, SecureRandom random)
+ throws InvalidAlgorithmParameterException
+ {
+ super.initialize(params, random);
+ }
+
+ /**
+ * <p>Generates a key pair.</p>
+ *
+ * <p>If this <code>KeyPairGenerator</code> has not been initialized
+ * explicitly, provider-specific defaults will be used for the size and other
+ * (algorithm-specific) values of the generated keys.</p>
+ *
+ * <p>This will generate a new key pair every time it is called.</p>
+ *
+ * <p>This method is functionally equivalent to {@link #generateKeyPair()}.</p>
+ *
+ * @return the generated key pair.
+ * @since 1.2
+ */
+ public final KeyPair genKeyPair()
+ {
+ try
+ {
+ return getInstance("DSA", "GNU").generateKeyPair();
+ }
+ catch (Exception e)
+ {
+ System.err.println("genKeyPair failed: " + e);
+ e.printStackTrace();
+ return null;
+ }
+ }
+
+ /**
+ * <p>Generates a key pair.</p>
+ *
+ * <p>If this <code>KeyPairGenerator</code> has not been initialized
+ * explicitly, provider-specific defaults will be used for the size and other
+ * (algorithm-specific) values of the generated keys.</p>
+ *
+ * <p>This will generate a new key pair every time it is called.</p>
+ *
+ * <p>This method is functionally equivalent to {@link #genKeyPair()}.</p>
+ *
+ * @return the generated key pair.
+ */
+ public KeyPair generateKeyPair()
+ {
+ return genKeyPair();
+ }
+}
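Review bot: `genKeyPair()` ignores this generator's own algorithm and provider: it always calls `getInstance("DSA", "GNU").generateKeyPair()`, and on any exception it prints to `System.err` and returns `null`, so a caller who requested another algorithm receives a DSA key or a null `KeyPair` with no exception raised. Because the method is `final` and `generateKeyPair()` delegates back to it, the direction should be reversed: `genKeyPair()` becomes `return generateKeyPair();`, and `generateKeyPair()` is left for the provider subclass to override instead of calling `genKeyPair()`. `initialize(int keysize, SecureRandom random)` has a related problem, since it calls `initialize(keysize, random)` on itself and will recurse until the stack overflows unless a subclass overrides it. In `getInstance(String, Provider)` the `o instanceof KeyPairGenerator` branch looks unreachable because this class extends `KeyPairGeneratorSpi`, and `result` stays `null` and is then dereferenced when `o` matches neither test.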
diff --git a/libjava/classpath/java/security/KeyPairGeneratorSpi.java b/libjava/classpath/java/security/KeyPairGeneratorSpi.java
new file mode 100644
index 00000000000..689fbec128e
--- /dev/null
+++ b/libjava/classpath/java/security/KeyPairGeneratorSpi.java
@@ -0,0 +1,102 @@
+/* KeyPairGeneratorSpi.java --- Key Pair Generator SPI Class
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ KeyPairGeneratorSpi is the interface used to generate key pairs
+ for security algorithms.
+
+ @author Mark Benvenuto
+ */
+public abstract class KeyPairGeneratorSpi
+{
+ /**
+ Constructs a new KeyPairGeneratorSpi
+ */
+ public KeyPairGeneratorSpi()
+ {
+ }
+
+ /**
+ Initialize the KeyPairGeneratorSpi with the specified
+ key size and source of randomness
+
+ @param keysize size of the key to generate
+ @param random A SecureRandom source of randomness
+ */
+ public abstract void initialize(int keysize, SecureRandom random);
+
+ /**
+ Initialize the KeyPairGeneratorSpi with the specified
+ AlgorithmParameterSpec and source of randomness
+
+ This is a concrete method. It may be overridden by the provider
+ and if the AlgorithmParameterSpec class is invalid
+ throw InvalidAlgorithmParameterException. By default this
+ method just throws UnsupportedOperationException.
+
+ @param params A AlgorithmParameterSpec to intialize with
+ @param random A SecureRandom source of randomness
+
+ @throws InvalidAlgorithmParameterException
+ */
+ public void initialize(AlgorithmParameterSpec params, SecureRandom random)
+ throws InvalidAlgorithmParameterException
+ {
+ throw new java.lang.UnsupportedOperationException();
+ }
+
+ /**
+ Generates a KeyPair according the rules for the algorithm.
+ Unless intialized, algorithm defaults will be used. It
+ creates a unique key pair each time.
+
+ @return a key pair
+ */
+ public abstract KeyPair generateKeyPair();
+
+ /**
+ * We override clone here to make it accessible for use by
+ * DummyKeyPairGenerator.
+ */
+ protected Object clone() throws CloneNotSupportedException
+ {
+ return super.clone();
+ }
+}
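Review bot: The `clone()` Javadoc at the end of the class explains only why the override exists; `KeyPairGeneratorSpi` does not implement `Cloneable`, so `super.clone()` throws `CloneNotSupportedException` for any provider subclass that does not implement it itself, and the comment should say so. I would add `@return a copy of this object` and `@throws CloneNotSupportedException if the concrete provider class does not implement Cloneable`. The `@throws InvalidAlgorithmParameterException` tag on `initialize(AlgorithmParameterSpec, SecureRandom)` also has no description, and that method's default `UnsupportedOperationException` deserves its own `@throws` line.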
diff --git a/libjava/classpath/java/security/KeyStore.java b/libjava/classpath/java/security/KeyStore.java
new file mode 100644
index 00000000000..696448728ff
--- /dev/null
+++ b/libjava/classpath/java/security/KeyStore.java
@@ -0,0 +1,507 @@
+/* KeyStore.java --- Key Store Class
+ Copyright (C) 1999, 2002, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.cert.CertificateException;
+import java.util.Date;
+import java.util.Enumeration;
+
+/**
+ * Keystore represents an in-memory collection of keys and
+ * certificates. There are two types of entries:
+ *
+ * <dl>
+ * <dt>Key Entry</dt>
+ *
+ * <dd><p>This type of keystore entry store sensitive crytographic key
+ * information in a protected format.Typically this is a secret
+ * key or a private key with a certificate chain.</p></dd>
+ *
+ * <dt>Trusted Ceritificate Entry</dt>
+ *
+ * <dd><p>This type of keystore entry contains a single public key
+ * certificate belonging to annother entity. It is called trusted
+ * because the keystore owner trusts that the certificates
+ * belongs to the subject (owner) of the certificate.</p></dd>
+ * </dl>
+ *
+ * <p>Entries in a key store are referred to by their "alias": a simple
+ * unique string.
+ *
+ * <p>The structure and persistentence of the key store is not
+ * specified. Any method could be used to protect sensitive
+ * (private or secret) keys. Smart cards or integrated
+ * cryptographic engines could be used or the keystore could
+ * be simply stored in a file.</p>
+ *
+ * @see java.security.cert.Certificate
+ * @see Key
+ */
+public class KeyStore
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for key stores. */
+ private static final String KEY_STORE = "KeyStore";
+
+ private KeyStoreSpi keyStoreSpi;
+ private Provider provider;
+ private String type;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ Creates an instance of KeyStore
+
+ @param keyStoreSpi A KeyStore engine to use
+ @param provider A provider to use
+ @param type The type of KeyStore
+ */
+ protected KeyStore(KeyStoreSpi keyStoreSpi, Provider provider, String type)
+ {
+ this.keyStoreSpi = keyStoreSpi;
+ this.provider = provider;
+ this.type = type;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Gets an instance of the KeyStore class representing
+ * the specified keystore. If the type is not
+ * found then, it throws KeyStoreException.
+ *
+ * @param type the type of keystore to choose
+ * @return a KeyStore repesenting the desired type
+ * @throws KeyStoreException if the type of keystore is not implemented
+ * by providers or the implementation cannot be instantiated.
+ */
+ public static KeyStore getInstance(String type) throws KeyStoreException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(type, p[i]);
+ }
+ catch (KeyStoreException e)
+ {
+ // Ignore.
+ }
+ }
+
+ throw new KeyStoreException(type);
+ }
+
+ /**
+ * Gets an instance of the KeyStore class representing
+ * the specified key store from the specified provider.
+ * If the type is not found then, it throws KeyStoreException.
+ * If the provider is not found, then it throws
+ * NoSuchProviderException.
+ *
+ * @param type the type of keystore to choose
+ * @param provider the provider name
+ * @return a KeyStore repesenting the desired type
+ * @throws KeyStoreException if the type of keystore is not
+ * implemented by the given provider
+ * @throws NoSuchProviderException if the provider is not found
+ * @throws IllegalArgumentException if the provider string is
+ * null or empty
+ */
+ public static KeyStore getInstance(String type, String provider)
+ throws KeyStoreException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(type, p);
+ }
+
+ /**
+ * Gets an instance of the KeyStore class representing
+ * the specified key store from the specified provider.
+ * If the type is not found then, it throws KeyStoreException.
+ * If the provider is not found, then it throws
+ * NoSuchProviderException.
+ *
+ * @param type the type of keystore to choose
+ * @param provider the keystore provider
+ * @return a KeyStore repesenting the desired type
+ * @throws KeyStoreException if the type of keystore is not
+ * implemented by the given provider
+ * @throws IllegalArgumentException if the provider object is null
+ * @since 1.4
+ */
+ public static KeyStore getInstance(String type, Provider provider)
+ throws KeyStoreException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+ try
+ {
+ return new KeyStore(
+ (KeyStoreSpi) Engine.getInstance(KEY_STORE, type, provider),
+ provider, type);
+ }
+ catch (NoSuchAlgorithmException nsae)
+ {
+ throw new KeyStoreException(type);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new KeyStoreException(type);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new KeyStoreException(type);
+ }
+ }
+
+ /**
+ * Returns the default KeyStore type. This method looks up the
+ * type in &lt;JAVA_HOME&gt;/lib/security/java.security with the
+ * property "keystore.type" or if that fails then "jks" .
+ */
+ public static final String getDefaultType()
+ {
+ // Security reads every property in java.security so it
+ // will return this property if it exists.
+ String tmp = Security.getProperty("keystore.type");
+
+ if (tmp == null)
+ tmp = "jks";
+
+ return tmp;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ Gets the provider that the class is from.
+
+ @return the provider of this class
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ Returns the type of the KeyStore supported
+
+ @return A string with the type of KeyStore
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ Returns the key associated with given alias using the
+ supplied password.
+
+ @param alias an alias for the key to get
+ @param password password to access key with
+
+ @return the requested key, or null otherwise
+
+ @throws NoSuchAlgorithmException if there is no algorithm
+ for recovering the key
+ @throws UnrecoverableKeyException key cannot be reocovered
+ (wrong password).
+ */
+ public final Key getKey(String alias, char[]password)
+ throws KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException
+ {
+ return keyStoreSpi.engineGetKey(alias, password);
+ }
+
+ /**
+ Gets a Certificate chain for the specified alias.
+
+ @param alias the alias name
+
+ @return a chain of Certificates ( ordered from the user's
+ certificate to the Certificate Authority's ) or
+ null if the alias does not exist or there is no
+ certificate chain for the alias ( the alias refers
+ to a trusted certificate entry or there is no entry).
+ */
+ public final java.security.cert.
+ Certificate[] getCertificateChain(String alias) throws KeyStoreException
+ {
+ return keyStoreSpi.engineGetCertificateChain(alias);
+ }
+
+ /**
+ Gets a Certificate for the specified alias.
+
+ If there is a trusted certificate entry then that is returned.
+ it there is a key entry with a certificate chain then the
+ first certificate is return or else null.
+
+ @param alias the alias name
+
+ @return a Certificate or null if the alias does not exist
+ or there is no certificate for the alias
+ */
+ public final java.security.cert.Certificate getCertificate(String alias)
+ throws KeyStoreException
+ {
+ return keyStoreSpi.engineGetCertificate(alias);
+ }
+
+ /**
+ Gets entry creation date for the specified alias.
+
+ @param alias the alias name
+
+ @returns the entry creation date or null
+ */
+ public final Date getCreationDate(String alias) throws KeyStoreException
+ {
+ return keyStoreSpi.engineGetCreationDate(alias);
+ }
+
+ /**
+ Assign the key to the alias in the keystore, protecting it
+ with the given password. It will overwrite an existing
+ entry and if the key is a PrivateKey, also add the
+ certificate chain representing the corresponding public key.
+
+ @param alias the alias name
+ @param key the key to add
+ @password the password to protect with
+ @param chain the certificate chain for the corresponding
+ public key
+
+ @throws KeyStoreException if it fails
+ */
+ public final void setKeyEntry(String alias, Key key, char[]password,
+ java.security.cert.
+ Certificate[]chain) throws KeyStoreException
+ {
+ keyStoreSpi.engineSetKeyEntry(alias, key, password, chain);
+ }
+
+ /**
+ Assign the key to the alias in the keystore. It will overwrite
+ an existing entry and if the key is a PrivateKey, also
+ add the certificate chain representing the corresponding
+ public key.
+
+ @param alias the alias name
+ @param key the key to add
+ @param chain the certificate chain for the corresponding
+ public key
+
+ @throws KeyStoreException if it fails
+ */
+ public final void setKeyEntry(String alias, byte[]key,
+ java.security.cert.
+ Certificate[]chain) throws KeyStoreException
+ {
+ keyStoreSpi.engineSetKeyEntry(alias, key, chain);
+ }
+
+ /**
+ Assign the certificate to the alias in the keystore. It
+ will overwrite an existing entry.
+
+ @param alias the alias name
+ @param cert the certificate to add
+
+ @throws KeyStoreException if it fails
+ */
+ public final void setCertificateEntry(String alias,
+ java.security.cert.
+ Certificate cert) throws
+ KeyStoreException
+ {
+ keyStoreSpi.engineSetCertificateEntry(alias, cert);
+ }
+
+ /**
+ Deletes the entry for the specified entry.
+
+ @param alias the alias name
+
+ @throws KeyStoreException if it fails
+ */
+ public final void deleteEntry(String alias) throws KeyStoreException
+ {
+ keyStoreSpi.engineDeleteEntry(alias);
+ }
+
+ /**
+ Generates a list of all the aliases in the keystore.
+
+ @return an Enumeration of the aliases
+ */
+ public final Enumeration aliases() throws KeyStoreException
+ {
+ return keyStoreSpi.engineAliases();
+ }
+
+ /**
+ Determines if the keystore contains the specified alias.
+
+ @param alias the alias name
+
+ @return true if it contains the alias, false otherwise
+ */
+ public final boolean containsAlias(String alias) throws KeyStoreException
+ {
+ return keyStoreSpi.engineContainsAlias(alias);
+ }
+
+ /**
+ Returns the number of entries in the keystore.
+
+ @returns the number of keystore entries.
+ */
+ public final int size() throws KeyStoreException
+ {
+ return keyStoreSpi.engineSize();
+ }
+
+ /**
+ Determines if the keystore contains a key entry for
+ the specified alias.
+
+ @param alias the alias name
+
+ @return true if it is a key entry, false otherwise
+ */
+ public final boolean isKeyEntry(String alias) throws KeyStoreException
+ {
+ return keyStoreSpi.engineIsKeyEntry(alias);
+ }
+
+
+ /**
+ Determines if the keystore contains a certificate entry for
+ the specified alias.
+
+ @param alias the alias name
+
+ @return true if it is a certificate entry, false otherwise
+ */
+ public final boolean isCertificateEntry(String alias)
+ throws KeyStoreException
+ {
+ return keyStoreSpi.engineIsCertificateEntry(alias);
+ }
+
+ /**
+ Determines if the keystore contains the specified certificate
+ entry and returns the alias.
+
+ It checks every entry and for a key entry checks only the
+ first certificate in the chain.
+
+ @param cert Certificate to look for
+
+ @return alias of first matching certificate, null if it
+ does not exist.
+ */
+ public final String getCertificateAlias(java.security.cert.Certificate cert)
+ throws KeyStoreException
+ {
+ return keyStoreSpi.engineGetCertificateAlias(cert);
+ }
+
+ /**
+ Stores the keystore in the specified output stream and it
+ uses the specified key it keep it secure.
+
+ @param stream the output stream to save the keystore to
+ @param password the password to protect the keystore integrity with
+
+ @throws IOException if an I/O error occurs.
+ @throws NoSuchAlgorithmException the data integrity algorithm
+ used cannot be found.
+ @throws CertificateException if any certificates could not be
+ stored in the output stream.
+ */
+ public final void store(OutputStream stream, char[]password)
+ throws KeyStoreException, IOException, NoSuchAlgorithmException,
+ CertificateException
+ {
+ keyStoreSpi.engineStore(stream, password);
+ }
+
+ /**
+ Loads the keystore from the specified input stream and it
+ uses the specified password to check for integrity if supplied.
+
+ @param stream the input stream to load the keystore from
+ @param password the password to check the keystore integrity with
+
+ @throws IOException if an I/O error occurs.
+ @throws NoSuchAlgorithmException the data integrity algorithm
+ used cannot be found.
+ @throws CertificateException if any certificates could not be
+ stored in the output stream.
+ */
+ public final void load(InputStream stream, char[]password)
+ throws IOException, NoSuchAlgorithmException, CertificateException
+ {
+ keyStoreSpi.engineLoad(stream, password);
+ }
+
+}
diff --git a/libjava/classpath/java/security/KeyStoreException.java b/libjava/classpath/java/security/KeyStoreException.java
new file mode 100644
index 00000000000..9a0a5354d2c
--- /dev/null
+++ b/libjava/classpath/java/security/KeyStoreException.java
@@ -0,0 +1,70 @@
+/* KeyStoreException.java -- Indicates a problem with the key store
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * Indicates a problem with the key store.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class KeyStoreException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = -1119353179322377262L;
+
+ /**
+ * Create a new instance detailed error message.
+ */
+ public KeyStoreException()
+ {
+ }
+
+ /**
+ * Create a new instance with a detailed error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public KeyStoreException(String msg)
+ {
+ super(msg);
+ }
+}
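Review bot: The Javadoc on the no-argument constructor reads "Create a new instance detailed error message", which says the opposite of what the empty constructor body does. It should read `Create a new instance with no detailed error message.` so that it is distinguishable from the `KeyStoreException(String msg)` comment directly below it.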
diff --git a/libjava/classpath/java/security/KeyStoreSpi.java b/libjava/classpath/java/security/KeyStoreSpi.java
new file mode 100644
index 00000000000..a16008f9960
--- /dev/null
+++ b/libjava/classpath/java/security/KeyStoreSpi.java
@@ -0,0 +1,275 @@
+/* KeyStoreSpi.java --- Key Store Service Provider Interface
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.security.cert.CertificateException;
+import java.util.Date;
+import java.util.Enumeration;
+
+/**
+ * KeyStoreSpi is the Service Provider Interface (SPI) for the
+ * KeyStore class. This is the interface for providers to
+ * supply to implement a keystore for a particular keystore
+ * type.
+ *
+ * @since 1.2
+ * @author Mark Benvenuto
+ */
+public abstract class KeyStoreSpi
+{
+ /**
+ * Constructs a new KeyStoreSpi
+ */
+ public KeyStoreSpi()
+ {
+ }
+
+ /**
+ * Returns the key associated with given alias using the
+ * supplied password.
+ *
+ * @param alias an alias for the key to get
+ * @param password password to access key with
+ *
+ * @return the requested key, or null otherwise
+ *
+ * @throws NoSuchAlgorithmException if there is no algorithm
+ * for recovering the key
+ * @throws UnrecoverableKeyException key cannot be reocovered
+ * (wrong password).
+ */
+ public abstract Key engineGetKey(String alias, char[]password)
+ throws NoSuchAlgorithmException, UnrecoverableKeyException;
+
+ /**
+ * Gets a Certificate chain for the specified alias.
+ *
+ * @param alias the alias name
+ *
+ * @return a chain of Certificates ( ordered from the user's
+ * certificate to the Certificate Authority's ) or
+ * null if the alias does not exist or there is no
+ * certificate chain for the alias ( the alias refers
+ * to a trusted certificate entry or there is no entry).
+ */
+ public abstract java.security.cert.
+ Certificate[] engineGetCertificateChain(String alias);
+
+
+ /**
+ * Gets a Certificate for the specified alias.
+ *
+ * If there is a trusted certificate entry then that is returned.
+ * it there is a key entry with a certificate chain then the
+ * first certificate is return or else null.
+ *
+ * @param alias the alias name
+ *
+ * @return a Certificate or null if the alias does not exist
+ * or there is no certificate for the alias
+ */
+ public abstract java.security.cert.
+ Certificate engineGetCertificate(String alias);
+
+ /**
+ * Gets entry creation date for the specified alias.
+ *
+ * @param alias the alias name
+ *
+ * @returns the entry creation date or null
+ */
+ public abstract Date engineGetCreationDate(String alias);
+
+ /**
+ * Assign the key to the alias in the keystore, protecting it
+ * with the given password. It will overwrite an existing
+ * entry and if the key is a PrivateKey, also add the
+ * certificate chain representing the corresponding public key.
+ *
+ * @param alias the alias name
+ * @param key the key to add
+ * @password the password to protect with
+ * @param chain the certificate chain for the corresponding
+ * public key
+ *
+ * @throws KeyStoreException if it fails
+ */
+ public abstract void engineSetKeyEntry(String alias, Key key,
+ char[]password,
+ java.security.cert.
+ Certificate[]chain) throws
+ KeyStoreException;
+
+ /**
+ * Assign the key to the alias in the keystore. It will overwrite
+ * an existing entry and if the key is a PrivateKey, also
+ * add the certificate chain representing the corresponding
+ * public key.
+ *
+ * @param alias the alias name
+ * @param key the key to add
+ * @param chain the certificate chain for the corresponding
+ * public key
+ *
+ * @throws KeyStoreException if it fails
+ */
+ public abstract void engineSetKeyEntry(String alias, byte[]key,
+ java.security.cert.
+ Certificate[]chain) throws
+ KeyStoreException;
+
+
+ /**
+ * Assign the certificate to the alias in the keystore. It
+ * will overwrite an existing entry.
+ *
+ * @param alias the alias name
+ * @param cert the certificate to add
+ *
+ * @throws KeyStoreException if it fails
+ */
+ public abstract void engineSetCertificateEntry(String alias,
+ java.security.cert.
+ Certificate cert) throws
+ KeyStoreException;
+
+ /**
+ * Deletes the entry for the specified entry.
+ *
+ * @param alias the alias name
+ *
+ * @throws KeyStoreException if it fails
+ */
+ public abstract void engineDeleteEntry(String alias)
+ throws KeyStoreException;
+
+ /**
+ * Generates a list of all the aliases in the keystore.
+ *
+ * @return an Enumeration of the aliases
+ */
+ public abstract Enumeration engineAliases();
+
+ /**
+ * Determines if the keystore contains the specified alias.
+ *
+ * @param alias the alias name
+ *
+ * @return true if it contains the alias, false otherwise
+ */
+ public abstract boolean engineContainsAlias(String alias);
+
+ /**
+ * Returns the number of entries in the keystore.
+ *
+ * @returns the number of keystore entries.
+ */
+ public abstract int engineSize();
+
+ /**
+ * Determines if the keystore contains a key entry for
+ * the specified alias.
+ *
+ * @param alias the alias name
+ *
+ * @return true if it is a key entry, false otherwise
+ */
+ public abstract boolean engineIsKeyEntry(String alias);
+
+ /**
+ * Determines if the keystore contains a certificate entry for
+ * the specified alias.
+ *
+ * @param alias the alias name
+ *
+ * @return true if it is a certificate entry, false otherwise
+ */
+ public abstract boolean engineIsCertificateEntry(String alias);
+
+ /**
+ * Determines if the keystore contains the specified certificate
+ * entry and returns the alias.
+ *
+ * It checks every entry and for a key entry checks only the
+ * first certificate in the chain.
+ *
+ * @param cert Certificate to look for
+ *
+ * @return alias of first matching certificate, null if it
+ * does not exist.
+ */
+ public abstract String engineGetCertificateAlias(java.security.cert.
+ Certificate cert);
+
+ /**
+ * Stores the keystore in the specified output stream and it
+ * uses the specified key it keep it secure.
+ *
+ * @param stream the output stream to save the keystore to
+ * @param password the password to protect the keystore integrity with
+ *
+ * @throws IOException if an I/O error occurs.
+ * @throws NoSuchAlgorithmException the data integrity algorithm
+ * used cannot be found.
+ * @throws CertificateException if any certificates could not be
+ * stored in the output stream.
+ */
+ public abstract void engineStore(OutputStream stream, char[]password)
+ throws IOException, NoSuchAlgorithmException, CertificateException;
+
+
+ /**
+ * Loads the keystore from the specified input stream and it
+ * uses the specified password to check for integrity if supplied.
+ *
+ * @param stream the input stream to load the keystore from
+ * @param password the password to check the keystore integrity with
+ *
+ * @throws IOException if an I/O error occurs.
+ * @throws NoSuchAlgorithmException the data integrity algorithm
+ * used cannot be found.
+ * @throws CertificateException if any certificates could not be
+ * stored in the output stream.
+ */
+ public abstract void engineLoad(InputStream stream, char[]password)
+ throws IOException, NoSuchAlgorithmException, CertificateException;
+}
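Review bot: The `engineLoad` Javadoc says the password is used to check integrity "if supplied" but never states what happens when it is null. Presumably a provider then loads the stream unverified, so the contract should say so explicitly, e.g. `If password is null, the integrity of the keystore is not checked.` The `@throws CertificateException` text on the same method is copied from `engineStore` and should read `if any certificates could not be loaded from the input stream`. The `@returns` tags on `engineGetCreationDate` and `engineSize` and the `@password` tag on the four-argument `engineSetKeyEntry` are not Javadoc tags and will be dropped from generated documentation; use `@return` and `@param password`.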
diff --git a/libjava/classpath/java/security/MessageDigest.java b/libjava/classpath/java/security/MessageDigest.java
new file mode 100644
index 00000000000..8684f2083b1
--- /dev/null
+++ b/libjava/classpath/java/security/MessageDigest.java
@@ -0,0 +1,413 @@
+/* MessageDigest.java --- The message digest interface.
+ Copyright (C) 1999, 2002, 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+/**
+ * <p>This <code>MessageDigest</code> class provides applications the
+ * functionality of a message digest algorithm, such as <i>MD5</i> or <i>SHA</i>.
+ * Message digests are secure one-way hash functions that take arbitrary-sized
+ * data and output a fixed-length hash value.</p>
+ *
+ * <p>A <code>MessageDigest</code> object starts out initialized. The data is
+ * processed through it using the <code>update()</code> methods. At any point
+ * <code>reset()</code> can be called to reset the digest. Once all the data to
+ * be updated has been updated, one of the <code>digest()</code> methods should
+ * be called to complete the hash computation.</p>
+ *
+ * <p>The <code>digest()</code> method can be called <b>once</b> for a given
+ * number of updates. After <code>digest()</code> has been called, the
+ * <code>MessageDigest</code> object is <b>reset</b> to its initialized state.
+ * </p>
+ *
+ * <p>Implementations are free to implement the {@link Cloneable} interface.
+ * Client applications can test cloneability by attempting cloning and catching
+ * the {@link CloneNotSupportedException}:
+ *
+ * <pre>
+ * MessageDigest md = MessageDigest.getInstance("SHA");
+ * try
+ * {
+ * md.update(toChapter1);
+ * MessageDigest tc1 = md.clone();
+ * byte[] toChapter1Digest = tc1.digest();
+ * md.update(toChapter2);
+ * // ...
+ * }
+ * catch (CloneNotSupportedException x)
+ * {
+ * throw new DigestException("couldn't make digest of partial content");
+ * }
+ * </pre>
+ *
+ * <p>Note that if a given implementation is not cloneable, it is still possible
+ * to compute intermediate digests by instantiating several instances, if the
+ * number of digests is known in advance.</p>
+ *
+ * <p>Note that this class is abstract and extends from {@link MessageDigestSpi}
+ * for historical reasons. Application developers should only take notice of the
+ * methods defined in this <code>MessageDigest</code> class; all the methods in
+ * the superclass are intended for cryptographic service providers who wish to
+ * supply their own implementations of message digest algorithms.</p>
+ *
+ * @see MessageDigestSpi
+ * @see Provider
+ * @since JDK 1.1
+ */
+public abstract class MessageDigest extends MessageDigestSpi
+{
+ /** The service name for message digests. */
+ private static final String MESSAGE_DIGEST = "MessageDigest";
+
+ private String algorithm;
+ Provider provider;
+ private byte[] lastDigest;
+
+ /**
+ * Creates a message digest with the specified algorithm name.
+ *
+ * @param algorithm the standard name of the digest algorithm.
+ * See Appendix A in the Java Cryptography Architecture API
+ * Specification &amp; Reference for information about standard
+ * algorithm names.
+ */
+ protected MessageDigest(String algorithm)
+ {
+ this.algorithm = algorithm;
+ provider = null;
+ }
+
+ /**
+ * Generates a <code>MessageDigest</code> object that implements the specified
+ * digest algorithm. If the default provider package provides an
+ * implementation of the requested digest algorithm, an instance of
+ * <code>MessageDigest</code> containing that implementation is returned. If
+ * the algorithm is not available in the default package, other packages are
+ * searched.
+ *
+ * @param algorithm the name of the algorithm requested. See Appendix A in the
+ * Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @return a Message Digest object implementing the specified algorithm.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * caller's environment.
+ */
+ public static MessageDigest getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException ignored)
+ {
+ // Ignore.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Generates a <code>MessageDigest</code> object implementing the specified
+ * algorithm, as supplied from the specified provider, if such an algorithm is
+ * available from the provider.
+ *
+ * @param algorithm the name of the algorithm requested. See Appendix A in the
+ * Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @param provider the name of the provider.
+ * @return a Message Digest object implementing the specified algorithm.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * package supplied by the requested provider.
+ * @throws NoSuchProviderException if the provider is not available in the
+ * environment.
+ * @throws IllegalArgumentException if the provider name is null or empty.
+ * @see Provider
+ */
+ public static MessageDigest getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Generates a <code>MessageDigest</code> object implementing the specified
+ * algorithm, as supplied from the specified provider, if such an algorithm
+ * is available from the provider. Note: the provider doesn't have to be
+ * registered.
+ *
+ * @param algorithm the name of the algorithm requested. See Appendix A in
+ * the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @param provider the provider.
+ * @return a Message Digest object implementing the specified algorithm.
+ * @throws NoSuchAlgorithmException if the <code>algorithm</code> is not
+ * available in the package supplied by the requested <code>provider</code>.
+ * @throws IllegalArgumentException if the <code>provider</code> is
+ * <code>null</code>.
+ * @since 1.4
+ * @see Provider
+ */
+ public static MessageDigest getInstance(String algorithm, Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+
+ MessageDigest result = null;
+ Object o = null;
+ try
+ {
+ o = Engine.getInstance(MESSAGE_DIGEST, algorithm, provider);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ if (o instanceof MessageDigestSpi)
+ {
+ result = new DummyMessageDigest((MessageDigestSpi) o, algorithm);
+ }
+ else if (o instanceof MessageDigest)
+ {
+ result = (MessageDigest) o;
+ result.algorithm = algorithm;
+ }
+ else
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ result.provider = provider;
+ return result;
+ }
+
+ /**
+ * Returns the provider of this message digest object.
+ *
+ * @return the provider of this message digest object.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Updates the digest using the specified byte.
+ *
+ * @param input the byte with which to update the digest.
+ */
+ public void update(byte input)
+ {
+ engineUpdate(input);
+ }
+
+ /**
+ * Updates the digest using the specified array of bytes, starting at the
+ * specified offset.
+ *
+ * @param input the array of bytes.
+ * @param offset the offset to start from in the array of bytes.
+ * @param len the number of bytes to use, starting at offset.
+ */
+ public void update(byte[] input, int offset, int len)
+ {
+ engineUpdate(input, offset, len);
+ }
+
+ /**
+ * Updates the digest using the specified array of bytes.
+ *
+ * @param input the array of bytes.
+ */
+ public void update(byte[] input)
+ {
+ engineUpdate(input, 0, input.length);
+ }
+
+ /**
+ * Completes the hash computation by performing final operations such as
+ * padding. The digest is reset after this call is made.
+ *
+ * @return the array of bytes for the resulting hash value.
+ */
+ public byte[] digest()
+ {
+ return lastDigest = engineDigest();
+ }
+
+ /**
+ * Completes the hash computation by performing final operations such as
+ * padding. The digest is reset after this call is made.
+ *
+ * @param buf An output buffer for the computed digest.
+ * @param offset The offset into the output buffer to begin storing the digest.
+ * @param len The number of bytes within buf allotted for the digest.
+ * @return The number of bytes placed into buf.
+ * @throws DigestException if an error occurs.
+ */
+ public int digest(byte[] buf, int offset, int len) throws DigestException
+ {
+ return engineDigest(buf, offset, len);
+ }
+
+ /**
+ * Performs a final update on the digest using the specified array of bytes,
+ * then completes the digest computation. That is, this method first calls
+ * <code>update(input)</code>, passing the input array to the <code>update()
+ * </code> method, then calls <code>digest()</code>.
+ *
+ * @param input the input to be updated before the digest is completed.
+ * @return the array of bytes for the resulting hash value.
+ */
+ public byte[] digest(byte[] input)
+ {
+ update(input);
+ return digest();
+ }
+
+ /**
+ * Returns a string representation of this message digest object.
+ *
+ * @return a string representation of the object.
+ */
+ public String toString()
+ {
+ return (getClass()).getName() + " Message Digest <" + digestToString() + ">";
+ }
+
+ /**
+ * Compares two digests for equality. Does a simple byte compare.
+ *
+ * @param digesta one of the digests to compare.
+ * @param digestb the other digest to compare.
+ * @return <code>true</code> if the digests are equal, <code>false</code>
+ * otherwise.
+ */
+ public static boolean isEqual(byte[] digesta, byte[] digestb)
+ {
+ if (digesta.length != digestb.length)
+ return false;
+
+ for (int i = digesta.length - 1; i >= 0; --i)
+ if (digesta[i] != digestb[i])
+ return false;
+
+ return true;
+ }
+
+ /** Resets the digest for further use. */
+ public void reset()
+ {
+ engineReset();
+ }
+
+ /**
+ * Returns a string that identifies the algorithm, independent of
+ * implementation details. The name should be a standard Java Security name
+ * (such as <code>"SHA"</code>, <code>"MD5"</code>, and so on). See Appendix
+ * A in the Java Cryptography Architecture API Specification &amp; Reference
+ * for information about standard algorithm names.
+ *
+ * @return the name of the algorithm.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Returns the length of the digest in bytes, or <code>0</code> if this
+ * operation is not supported by the provider and the implementation is not
+ * cloneable.
+ *
+ * @return the digest length in bytes, or <code>0</code> if this operation is
+ * not supported by the provider and the implementation is not cloneable.
+ * @since 1.2
+ */
+ public final int getDigestLength()
+ {
+ return engineGetDigestLength();
+ }
+
+ /**
+ * Returns a clone if the implementation is cloneable.
+ *
+ * @return a clone if the implementation is cloneable.
+ * @throws CloneNotSupportedException if this is called on an implementation
+ * that does not support {@link Cloneable}.
+ */
+ public Object clone() throws CloneNotSupportedException
+ {
+ return super.clone();
+ }
+
+ private String digestToString()
+ {
+ byte[] digest = lastDigest;
+
+ if (digest == null)
+ return "incomplete";
+
+ StringBuffer buf = new StringBuffer();
+ int len = digest.length;
+ for (int i = 0; i < len; ++i)
+ {
+ byte b = digest[i];
+ byte high = (byte) ((b & 0xff) >>> 4);
+ byte low = (byte) (b & 0xf);
+
+ buf.append(high > 9 ? ('a' - 10) + high : '0' + high);
+ buf.append(low > 9 ? ('a' - 10) + low : '0' + low);
+ }
+
+ return buf.toString();
+ }
+}
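Review bot: `isEqual` returns at the first differing byte, so its running time depends on how many trailing bytes of the two digests agree. When one argument is derived from a secret (a MAC tag or a stored credential hash), that timing difference can leak it to a caller who controls the other argument. The comparison should fold every byte difference into an accumulator and decide once after the loop; the length check can stay, since the digest length is not secret. The Javadoc's "Does a simple byte compare" should then state that the comparison time does not depend on the contents.

```java
public static boolean isEqual(byte[] digesta, byte[] digestb)
{
  // … unchanged: length check …

  // Accumulate differences so the loop always visits every byte.
  int diff = 0;
  for (int i = 0; i < digesta.length; i++)
    diff |= digesta[i] ^ digestb[i];

  return diff == 0;
}
```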
diff --git a/libjava/classpath/java/security/MessageDigestSpi.java b/libjava/classpath/java/security/MessageDigestSpi.java
new file mode 100644
index 00000000000..df3bd3ead02
--- /dev/null
+++ b/libjava/classpath/java/security/MessageDigestSpi.java
@@ -0,0 +1,155 @@
+/* MessageDigestSpi.java --- The message digest service provider interface.
+ Copyright (C) 1999, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ This is the Service Provider Interface (SPI) for MessageDigest
+ class in java.security. It provides the back end functionality
+ for the MessageDigest class so that it can compute message
+ hashes. The default hashes are SHA-1 and MD5. A message hash
+ takes data of arbitrary length and produces a unique number
+ representing it.
+
+ Cryptography service providers who want to implement their
+ own message digest hashes need only to subclass this class.
+
+ The implementation of a Cloneable interface is left to up to
+ the programmer of a subclass.
+
+ @version 0.0
+
+ @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ */
+public abstract class MessageDigestSpi
+{
+ /**
+ Default constructor of the MessageDigestSpi class
+ */
+ public MessageDigestSpi()
+ {
+ }
+
+ /**
+ Returns the length of the digest. It may be overridden by the
+ provider to return the length of the digest. Default is to
+ return 0. It is concrete for backwards compatibility with JDK1.1
+ message digest classes.
+
+ @return Length of Digest in Bytes
+
+ @since 1.2
+ */
+ protected int engineGetDigestLength()
+ {
+ return 0;
+ }
+
+ /**
+ Updates the digest with the specified byte.
+
+ @param input the byte to update digest with
+ */
+ protected abstract void engineUpdate(byte input);
+
+
+ /**
+ Updates the digest with the specified bytes starting with the
+ offset and proceeding for the specified length.
+
+ @param input the byte array to update digest with
+ @param offset the offset of the byte to start with
+ @param len the number of the bytes to update with
+ */
+ protected abstract void engineUpdate(byte[]input, int offset, int len);
+
+ /**
+ Computes the final digest of the stored bytes and returns
+ them. It performs any necessary padding. The message digest
+ should reset sensitive data after performing the digest.
+
+ @return An array of bytes containing the digest
+ */
+ protected abstract byte[] engineDigest();
+
+ /**
+ Computes the final digest of the stored bytes and returns
+ them. It performs any necessary padding. The message digest
+ should reset sensitive data after performing the digest. This
+ method is left concrete for backwards compatibility with JDK1.1
+ message digest classes.
+
+ @param buf An array of bytes to store the digest
+ @param offset An offset to start storing the digest at
+ @param len The length of the buffer
+ @return Returns the length of the buffer
+
+ @since 1.2
+ */
+ protected int engineDigest(byte[]buf, int offset, int len)
+ throws DigestException
+ {
+ if (engineGetDigestLength() > len)
+ throw new DigestException("Buffer is too small.");
+
+ byte[] tmp = engineDigest();
+ if (tmp.length > len)
+ throw new DigestException("Buffer is too small");
+
+ System.arraycopy(tmp, 0, buf, offset, tmp.length);
+ return tmp.length;
+ }
+
+ /**
+ Resets the digest engine. Reinitializes internal variables
+ and clears sensitive data.
+ */
+ protected abstract void engineReset();
+
+ /**
+ Returns a clone of this class.
+
+ If cloning is not supported, then by default the class throws a
+ CloneNotSupportedException. The MessageDigestSpi provider
+ implementation has to overload this class in order to be
+ cloneable.
+ */
+ public Object clone() throws CloneNotSupportedException
+ {
+ return super.clone();
+ }
+}
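Review bot: The three-argument `engineDigest(byte[] buf, int offset, int len)` never checks `offset` and `len` against `buf.length`, so a bad offset surfaces as an unchecked `IndexOutOfBoundsException` from `System.arraycopy` rather than the declared `DigestException`. By then `engineDigest()` has already run, and the Javadoc on the abstract overload says that call finalises the digest. The second `tmp.length > len` test fails after the same point, so providers that keep the default `engineGetDigestLength()` of 0 lose the digest on that path as well. I would validate the arguments before calling `engineDigest()`, for example `if (offset < 0 || len < 0 || len > buf.length - offset) throw new DigestException("Invalid offset or length");`. The `@return` tag also says "Returns the length of the buffer" while the code returns `tmp.length`; it should read `@return the number of bytes stored in buf`.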
diff --git a/libjava/classpath/java/security/NoSuchAlgorithmException.java b/libjava/classpath/java/security/NoSuchAlgorithmException.java
new file mode 100644
index 00000000000..412d14a16d7
--- /dev/null
+++ b/libjava/classpath/java/security/NoSuchAlgorithmException.java
@@ -0,0 +1,70 @@
+/* NoSuchAlgorithmException.java -- an algorithm was not available
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when the requested security algorithm is
+ * not available
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class NoSuchAlgorithmException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -7443947487218346562L;
+
+ /**
+ * Create a new instance with no descriptive error message.
+ */
+ public NoSuchAlgorithmException()
+ {
+ }
+
+ /**
+ * Create a new instance with a descriptive error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public NoSuchAlgorithmException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/NoSuchProviderException.java b/libjava/classpath/java/security/NoSuchProviderException.java
new file mode 100644
index 00000000000..bd26df5ef07
--- /dev/null
+++ b/libjava/classpath/java/security/NoSuchProviderException.java
@@ -0,0 +1,70 @@
+/* NoSuchProviderException.java -- thrown when a provider is not found
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when the requested security provider is
+ * not available.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class NoSuchProviderException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 8488111756688534474L;
+
+ /**
+ * Create a new instance with no descriptive error message.
+ */
+ public NoSuchProviderException()
+ {
+ }
+
+ /**
+ * Create a new instance with a descriptive error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public NoSuchProviderException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/Permission.java b/libjava/classpath/java/security/Permission.java
new file mode 100644
index 00000000000..48f4d52a18c
--- /dev/null
+++ b/libjava/classpath/java/security/Permission.java
@@ -0,0 +1,187 @@
+/* Permission.java -- The superclass for all permission objects
+ Copyright (C) 1998, 2001, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.io.Serializable;
+
+/**
+ * This class is the abstract superclass of all classes that implement
+ * the concept of a permission. A permission consists of a permission name
+ * and optionally a list of actions that relate to the permission. The
+ * actual meaning of the name of the permission is defined only in the
+ * context of a subclass. It may name a resource to which access permissions
+ * are granted (for example, the name of a file) or it might represent
+ * something else entirely. Similarly, the action list only has meaning
+ * within the context of a subclass. Some permission names may have no
+ * actions associated with them. That is, you either have the permission
+ * or you don't.
+ *
+ * <p>The most important method in this class is <code>implies</code>. This
+ * checks whether if one has this permission, then the specified
+ * permission is also implied. As a conceptual example, consider the
+ * permissions "Read All Files" and "Read File foo". The permission
+ * "Read All Files" implies that the caller has permission to read the
+ * file foo.
+ *
+ * <p><code>Permission</code>'s must be immutable - do not change their
+ * state after creation.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Permissions
+ * @see PermissionCollection
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public abstract class Permission implements Guard, Serializable
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -5636570222231596674L;
+
+ /**
+ * This is the name assigned to this permission object.
+ *
+ * @serial the name of the permission
+ */
+ private String name;
+
+ /**
+ * Create an instance with the specified name.
+ *
+ * @param name the permission name
+ */
+ public Permission(String name)
+ {
+ this.name = name;
+ }
+
+ /**
+ * This method implements the <code>Guard</code> interface for this class.
+ * It calls the <code>checkPermission</code> method in
+ * <code>SecurityManager</code> with this <code>Permission</code> as its
+ * argument. This method returns silently if the security check succeeds
+ * or throws an exception if it fails.
+ *
+ * @param obj the <code>Object</code> being guarded - ignored by this class
+ * @throws SecurityException if the security check fails
+ * @see GuardedObject
+ * @see SecurityManager#checkPermission(Permission)
+ */
+ public void checkGuard(Object obj)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkPermission(this);
+ }
+
+ /**
+ * This method tests whether this <code>Permission</code> implies that the
+ * specified <code>Permission</code> is also granted.
+ *
+ * @param perm the <code>Permission</code> to test against
+ * @return true if perm is implied by this
+ */
+ public abstract boolean implies(Permission perm);
+
+ /**
+ * Check to see if this object equals obj. Use <code>implies</code>, rather
+ * than <code>equals</code>, when making access control decisions.
+ *
+ * @param obj the object to compare to
+ */
+ public abstract boolean equals(Object obj);
+
+ /**
+ * This method returns a hash code for this <code>Permission</code>. It
+ * must satisfy the contract of <code>Object.hashCode</code>: it must be
+ * the same for all objects that equals considers to be the same.
+ *
+ * @return a hash value
+ */
+ public abstract int hashCode();
+
+ /**
+ * Get the name of this <code>Permission</code>.
+ *
+ * @return the name
+ */
+ public final String getName()
+ {
+ return name;
+ }
+
+ /**
+ * This method returns the list of actions for this <code>Permission</code>
+ * as a <code>String</code>. The string should be in canonical order, for
+ * example, both <code>new FilePermission(f, "write,read")</code> and
+ * <code>new FilePermission(f, "read,write")</code> have the action list
+ * "read,write".
+ *
+ * @return the action list for this <code>Permission</code>
+ */
+ public abstract String getActions();
+
+ /**
+ * This method returns an empty <code>PermissionCollection</code> object
+ * that can store permissions of this type, or <code>null</code> if no
+ * such collection is defined. Subclasses must override this to provide
+ * an appropriate collection when one is needed to accurately calculate
+ * <code>implies</code>.
+ *
+ * @return a new <code>PermissionCollection</code>
+ */
+ public PermissionCollection newPermissionCollection()
+ {
+ return null;
+ }
+
+ /**
+ * This method returns a <code>String</code> representation of this
+ * <code>Permission</code> object. This is in the format:
+ * <code>'(' + getClass().getName() + ' ' + getName() + ' ' + getActions
+ * + ')'</code>.
+ *
+ * @return this object as a <code>String</code>
+ */
+ public String toString()
+ {
+ return '(' + getClass().getName() + ' ' + getName() + ' '
+ + getActions() + ')';
+ }
+} // class Permission
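Review bot: The `name` field is declared `private String name;` even though the class comment says permissions must be immutable. It is assigned only in the constructor in this file, so `private final String name;` would let the compiler enforce that rule. This matters because `Permissions.PermissionsHash`, later in the same commit, uses permission objects as `Hashtable` keys. A permission whose state changed after insertion could no longer be found under its hash. Default serialization can still populate a final field, so the `@serial` form should be unaffected, though that is worth confirming against the JDK-compatibility tests.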
diff --git a/libjava/classpath/java/security/PermissionCollection.java b/libjava/classpath/java/security/PermissionCollection.java
new file mode 100644
index 00000000000..4e8ffe57948
--- /dev/null
+++ b/libjava/classpath/java/security/PermissionCollection.java
@@ -0,0 +1,167 @@
+/* PermissionCollection.java -- A collection of permission objects
+ Copyright (C) 1998, 2001, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.io.Serializable;
+import java.util.Enumeration;
+
+/**
+ * This class models a group of Java permissions. It has convenient
+ * methods for determining whether or not a given permission is implied
+ * by any of the permissions in this collection.
+ *
+ * <p>Some care must be taken in storing permissions. First, a collection of
+ * the appropriate type must be created. This is done by calling the
+ * <code>newPermissionCollection</code> method on an object of the
+ * permission class you wish to add to the collection. If this method
+ * returns <code>null</code>, any type of <code>PermissionCollection</code>
+ * can be used to store permissions of that type. However, if a
+ * <code>PermissionCollection</code> collection object is returned, that
+ * type must be used.
+ *
+ * <p>A <code>PermissionCollection</code> returned by the
+ * <code>newPermissionCollection</code> method in a subclass of
+ * <code>Permission</code> is a homogeneous collection. It only will
+ * hold permissions of one specified type - instances of the class that
+ * created it. Not all <code>PermissionCollection</code> subclasses
+ * have to hold permissions of only one type however. For example,
+ * the <code>Permissions</code> class holds permissions of many types.
+ *
+ * <p>Since the <code>newPermissionCollection</code> in <code>Permission</code>
+ * itself returns <code>null</code>, by default a permission can be stored
+ * in any type of collection unless it overrides that method to create its
+ * own collection type.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see Permission
+ * @see Permissions
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public abstract class PermissionCollection implements Serializable
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -6727011328946861783L;
+
+ /**
+ * Indicates whether or not this collection is read only.
+ *
+ * @serial if the collection is read-only
+ */
+ private boolean readOnly;
+
+ /**
+ * Create a new collection.
+ */
+ public PermissionCollection()
+ {
+ }
+
+ /**
+ * This method adds a new <code>Permission</code> object to the collection.
+ *
+ * @param perm the <code>Permission</code> to add
+ *
+ * @throws SecurityException if the collection is marked read only
+ * @throws IllegalArgumentException if perm is of the wrong type
+ */
+ public abstract void add(Permission perm);
+
+ /**
+ * This method tests whether the specified <code>Permission</code> object is
+ * implied by this collection of <code>Permission</code> objects.
+ *
+ * @param perm the <code>Permission</code> object to test
+ * @return true if the collection implies perm
+ */
+ public abstract boolean implies(Permission perm);
+
+ /**
+ * This method returns an <code>Enumeration</code> of all the objects in
+ * this collection.
+ *
+ * @return an <code>Enumeration</code> of this collection's objects
+ */
+ public abstract Enumeration elements();
+
+ /**
+ * This method sets this <code>PermissionCollection</code> object to be
+ * read only. No further permissions can be added to it after calling this
+ * method.
+ */
+ public void setReadOnly()
+ {
+ readOnly = true;
+ }
+
+ /**
+ * This method tests whether or not this <code>PermissionCollection</code>
+ * object is read only.
+ *
+ * @return true if this collection is read only
+ */
+ public boolean isReadOnly()
+ {
+ return readOnly;
+ }
+
+ /**
+ * This method returns a <code>String</code> representation of this
+ * collection. It is formed by:
+ * <pre>
+ * super.toString()" (\n"
+ * // enumerate all permissions, one per line
+ * ")\n"
+ * </pre>
+ *
+ * @return a <code>String</code> representing this object
+ */
+ public String toString()
+ {
+ StringBuffer sb = new StringBuffer(super.toString());
+
+ sb.append(" (\n");
+ Enumeration e = elements();
+ while (e.hasMoreElements())
+ sb.append(' ').append(e.nextElement()).append('\n');
+ return sb.append(")\n").toString();
+ }
+} // class PermissionCollection
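Review bot: `readOnly` is a plain `boolean` that `setReadOnly()` writes and `isReadOnly()` reads with no synchronization. A thread calling `add()` on a subclass is therefore not guaranteed to see a `setReadOnly()` made on another thread, and could still modify a collection that was meant to be frozen. Declaring it `private volatile boolean readOnly;` closes that gap without changing the serialized form. The base class also leaves the read-only check entirely to each `add()` override, so a comment on `add` such as `// implementations must call isReadOnly() first and throw SecurityException` would make that obligation explicit. Whether collections are shared across threads is not visible in this hunk.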
diff --git a/libjava/classpath/java/security/Permissions.java b/libjava/classpath/java/security/Permissions.java
new file mode 100644
index 00000000000..e3fd06970ab
--- /dev/null
+++ b/libjava/classpath/java/security/Permissions.java
@@ -0,0 +1,254 @@
+/* Permissions.java -- a collection of permission collections
+ Copyright (C) 1998, 2001, 2002, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import java.io.Serializable;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.NoSuchElementException;
+
+/**
+ * This class is a heterogeneous collection of permissions. It is
+ * organized as a collection of <code>PermissionCollection</code>'s stored
+ * in a hashtable. Each individual <code>PermissionCollection</code>
+ * contains permissions of a single type. If a specific type of
+ * <code>Permission</code> does not provide a collection type to use
+ * via its <code>newPermissionCollection</code> method, then a default
+ * collection type which stores its permissions in a hash table will be
+ * used.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @since 1.1
+ */
+public final class Permissions extends PermissionCollection
+ implements Serializable
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 4858622370623524688L;
+
+ /**
+ * Holds instances of <code>AllPermission</code>.
+ *
+ * @serial the permission collection for AllPermission
+ */
+ private PermissionCollection allPermission;
+
+ // Package-private to avoid a trampoline.
+ /**
+ * This is the <code>Hashtable</code> that contains our collections.
+ *
+ * @serial maps Class to PermissionCollection
+ */
+ final Hashtable perms = new Hashtable();
+
+ /**
+ * This method initializes a new instance of <code>Permissions</code>.
+ */
+ public Permissions()
+ {
+ }
+
+ /**
+ * This method adds a new <code>Permission</code> to this collection. It
+ * will be stored in a <code>PermissionCollection</code> of the appropriate
+ * type, as determined by calling <code>newPermissionCollection</code> on
+ * the specified permission (if an appropriate collection does not already
+ * exist). If this object does not specify a particular type of collection,
+ * a default collection, which stores in permissions in a hash table, will
+ * be used.
+ *
+ * @param perm the <code>Permission</code> to add
+ * @throws SecurityException if this collection is marked as read only
+ */
+ public void add(Permission perm)
+ {
+ if (isReadOnly())
+ throw new SecurityException("PermissionCollection is read only");
+ if (perm instanceof AllPermission)
+ {
+ if (allPermission == null)
+ {
+ allPermission = perm.newPermissionCollection();
+ allPermission.add(perm);
+ perms.put(perm.getClass(), allPermission);
+ }
+ }
+ else
+ {
+ PermissionCollection pc
+ = (PermissionCollection) perms.get(perm.getClass());
+ if (pc == null)
+ {
+ pc = perm.newPermissionCollection();
+ if (pc == null)
+ pc = new PermissionsHash();
+ perms.put(perm.getClass(), pc);
+ }
+ pc.add(perm);
+ }
+ }
+
+ /**
+ * This method tests whether or not the specified <code>Permission</code>
+ * is implied by this <code>PermissionCollection</code>.
+ *
+ * @param perm the <code>Permission</code> to test
+ * @return true if the specified permission is implied by this
+ */
+ public boolean implies(Permission perm)
+ {
+ if (allPermission != null)
+ return true;
+ PermissionCollection pc
+ = (PermissionCollection) perms.get(perm.getClass());
+ return pc == null ? false : pc.implies(perm);
+ }
+
+ /**
+ * This method returns an <code>Enumeration</code> which contains a
+ * list of all <code>Permission</code> objects contained in this
+ * collection.
+ *
+ * @return an <code>Enumeration</code> of this collection's elements
+ */
+ public Enumeration elements()
+ {
+ return new Enumeration()
+ {
+ Enumeration main_enum = perms.elements();
+ Enumeration sub_enum;
+
+ public boolean hasMoreElements()
+ {
+ if (sub_enum == null)
+ {
+ if (main_enum == null)
+ return false;
+ if (! main_enum.hasMoreElements())
+ {
+ main_enum = null;
+ return false;
+ }
+ PermissionCollection pc =
+ (PermissionCollection) main_enum.nextElement();
+ sub_enum = pc.elements();
+ }
+ if (! sub_enum.hasMoreElements())
+ {
+ sub_enum = null;
+ return hasMoreElements();
+ }
+ return true;
+ }
+
+ public Object nextElement()
+ {
+ if (! hasMoreElements())
+ throw new NoSuchElementException();
+ return sub_enum.nextElement();
+ }
+ };
+ }
+
+ /**
+ * Implements the permission collection for all permissions without one of
+ * their own, and obeys serialization of JDK.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ */
+ private static final class PermissionsHash extends PermissionCollection
+ {
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -8491988220802933440L;
+
+ /**
+ * Hashtable where we store permissions.
+ *
+ * @serial the stored permissions, both as key and value
+ */
+ private final Hashtable perms = new Hashtable();
+
+ /**
+ * Add a permission. We don't need to check for read-only, as this
+ * collection is never exposed outside of Permissions, which has already
+ * done that check.
+ *
+ * @param perm the permission to add
+ */
+ public void add(Permission perm)
+ {
+ perms.put(perm, perm);
+ }
+
+ /**
+ * Returns true if perm is in the collection.
+ *
+ * @param perm the permission to check
+ * @return true if it is implied
+ */
+ // FIXME: Should this method be synchronized?
+ public boolean implies(Permission perm)
+ {
+ Enumeration elements = elements();
+
+ while (elements.hasMoreElements())
+ {
+ Permission p = (Permission)elements.nextElement();
+ if (p.implies(perm))
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ * Return the elements.
+ *
+ * @return the elements
+ */
+ public Enumeration elements()
+ {
+ return perms.elements();
+ }
+ } // class PermissionsHash
+} // class Permissions
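Review bot: `Permissions.add` does a `perms.get(...)`, a null test and a `perms.put(...)` as separate steps with no lock held. Two threads adding the first permission of the same class can each create a collection, and the second `put` then replaces the first, so the permission stored in the replaced collection is silently dropped. The `allPermission == null` test has the same check-then-act shape. `Hashtable` synchronizes only the individual calls, so the method needs its own lock, for example `public synchronized void add(Permission perm)`. That would also go some way toward the `// FIXME: Should this method be synchronized?` left on `PermissionsHash.implies`, which enumerates `perms` while an add may be in progress. Whether any caller adds concurrently is not visible in this hunk.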
diff --git a/libjava/classpath/java/security/Policy.java b/libjava/classpath/java/security/Policy.java
new file mode 100644
index 00000000000..03d9bbb4ed6
--- /dev/null
+++ b/libjava/classpath/java/security/Policy.java
@@ -0,0 +1,310 @@
+/* Policy.java --- Policy Manager Class
+ Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * <p>This is an abstract class for representing the system security policy for
+ * a Java application environment (specifying which permissions are available
+ * for code from various sources). That is, the security policy is represented
+ * by a <code>Policy</code> subclass providing an implementation of the abstract
+ * methods in this <code>Policy</code> class.</p>
+ *
+ * <p>There is only one <code>Policy</code> object in effect at any given time.
+ * </p>
+ *
+ * <p>The source location for the policy information utilized by the
+ * <code>Policy</code> object is up to the <code>Policy</code> implementation.
+ * The policy configuration may be stored, for example, as a flat ASCII file, as
+ * a serialized binary file of the <code>Policy</code> class, or as a database.
+ * </p>
+ *
+ * <p>The currently-installed <code>Policy</code> object can be obtained by
+ * calling the <code>getPolicy()</code> method, and it can be changed by a call
+ * to the <code>setPolicy()</code> method (by code with permission to reset the
+ * <code>Policy</code>).</p>
+ *
+ * <p>The <code>refresh()</code> method causes the policy object to refresh /
+ * reload its current configuration.</p>
+ *
+ * <p>This is implementation-dependent. For example, if the policy object stores
+ * its policy in configuration files, calling <code>refresh()</code> will cause
+ * it to re-read the configuration policy files. The refreshed policy may not
+ * have an effect on classes in a particular {@link ProtectionDomain}. This is
+ * dependent on the <code>Policy</code> provider's implementation of the
+ * <code>implies()</code> method and the {@link PermissionCollection} caching
+ * strategy.</p>
+ *
+ * <p>The default <code>Policy</code> implementation can be changed by setting
+ * the value of the <code>"policy.provider"</code> security property (in the
+ * Java security properties file) to the fully qualified name of the desired
+ * <code>Policy</code> implementation class. The Java security properties file
+ * is located in the file named <code>&lt;JAVA_HOME>/lib/security/java.security
+ * </code>, where <code>&lt;JAVA_HOME></code> refers to the directory where the
+ * SDK was installed.</p>
+ *
+ * <p><b>IMPLEMENTATION NOTE:</b> This implementation attempts to read the
+ * System property named <code>policy.provider</code> to find the concrete
+ * implementation of the <code>Policy</code>. If/when this fails, it falls back
+ * to a default implementation, which <b>allows everything</b>.
+ *
+ * @author Mark Benvenuto
+ * @see CodeSource
+ * @see PermissionCollection
+ * @see SecureClassLoader
+ * @since 1.2
+ */
+public abstract class Policy
+{
+ private static Policy currentPolicy;
+
+ /** Map of ProtectionDomains to PermissionCollections for this instance. */
+ private Map pd2pc = null;
+
+ /** Constructs a new <code>Policy</code> object. */
+ public Policy()
+ {
+ }
+
+ /**
+ * Returns the installed <code>Policy</code> object. This value should not be
+ * cached, as it may be changed by a call to <code>setPolicy()</code>. This
+ * method first calls {@link SecurityManager#checkPermission(Permission)} with
+ * a <code>SecurityPermission("getPolicy")</code> permission to ensure it's ok
+ * to get the <code>Policy</code> object.
+ *
+ * @return the installed <code>Policy</code>.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkPermission()</code> method doesn't allow getting the
+ * <code>Policy</code> object.
+ * @see SecurityManager#checkPermission(Permission)
+ * @see #setPolicy(Policy)
+ */
+ public static Policy getPolicy()
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkPermission(new SecurityPermission("getPolicy"));
+
+ return getCurrentPolicy();
+ }
+
+ /**
+ * Sets the system-wide <code>Policy</code> object. This method first calls
+ * {@link SecurityManager#checkPermission(Permission)} with a
+ * <code>SecurityPermission("setPolicy")</code> permission to ensure it's ok
+ * to set the <code>Policy</code>.
+ *
+ * @param policy the new system <code>Policy</code> object.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkPermission()</code> method doesn't allow setting the
+ * <code>Policy</code>.
+ * @see SecurityManager#checkPermission(Permission)
+ * @see #getPolicy()
+ */
+ public static void setPolicy(Policy policy)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkPermission(new SecurityPermission("setPolicy"));
+
+ setup(policy);
+ currentPolicy = policy;
+ }
+
+ private static void setup(final Policy policy)
+ {
+ if (policy.pd2pc == null)
+ policy.pd2pc = Collections.synchronizedMap(new LinkedHashMap());
+
+ ProtectionDomain pd = policy.getClass().getProtectionDomain();
+ if (pd.getCodeSource() != null)
+ {
+ PermissionCollection pc = null;
+ if (currentPolicy != null)
+ pc = currentPolicy.getPermissions(pd);
+
+ if (pc == null) // assume it has all
+ {
+ pc = new Permissions();
+ pc.add(new AllPermission());
+ }
+
+ policy.pd2pc.put(pd, pc); // add the mapping pd -> pc
+ }
+ }
+
+ /**
+ * Ensures/forces loading of the configured policy provider, while bypassing
+ * the {@link SecurityManager} checks for <code>"getPolicy"</code> security
+ * permission. Needed by {@link ProtectionDomain}.
+ */
+ static Policy getCurrentPolicy()
+ {
+ // FIXME: The class name of the Policy provider should really be sourced
+ // from the "java.security" configuration file. For now, just hard-code
+ // a stub implementation.
+ if (currentPolicy == null)
+ {
+ String pp = System.getProperty ("policy.provider");
+ if (pp != null)
+ try
+ {
+ currentPolicy = (Policy) Class.forName(pp).newInstance();
+ }
+ catch (Exception e)
+ {
+ // Ignored.
+ }
+
+ if (currentPolicy == null)
+ currentPolicy = new gnu.java.security.provider.DefaultPolicy();
+ }
+ return currentPolicy;
+ }
+
+ /**
+ * Tests if <code>currentPolicy</code> is not <code>null</code>,
+ * thus allowing clients to not force loading of any policy
+ * provider; needed by {@link ProtectionDomain}.
+ */
+ static boolean isLoaded()
+ {
+ return currentPolicy != null;
+ }
+
+ /**
+ * Evaluates the global policy and returns a {@link PermissionCollection}
+ * object specifying the set of permissions allowed for code from the
+ * specified code source.
+ *
+ * @param codesource the {@link CodeSource} associated with the caller. This
+ * encapsulates the original location of the code (where the code came from)
+ * and the public key(s) of its signer.
+ * @return the set of permissions allowed for code from codesource according
+ * to the policy. The returned set of permissions must be a new mutable
+ * instance and it must support heterogeneous {@link Permission} types.
+ */
+ public abstract PermissionCollection getPermissions(CodeSource codesource);
+
+ /**
+ * Evaluates the global policy and returns a {@link PermissionCollection}
+ * object specifying the set of permissions allowed given the characteristics
+ * of the protection domain.
+ *
+ * @param domain the {@link ProtectionDomain} associated with the caller.
+ * @return the set of permissions allowed for the domain according to the
+ * policy. The returned set of permissions must be a new mutable instance and
+ * it must support heterogeneous {@link Permission} types.
+ * @since 1.4
+ * @see ProtectionDomain
+ * @see SecureClassLoader
+ */
+ public PermissionCollection getPermissions(ProtectionDomain domain)
+ {
+ if (domain == null)
+ return new Permissions();
+
+ if (pd2pc == null)
+ setup(this);
+
+ PermissionCollection result = (PermissionCollection) pd2pc.get(domain);
+ if (result != null)
+ {
+ Permissions realResult = new Permissions();
+ for (Enumeration e = result.elements(); e.hasMoreElements(); )
+ realResult.add((Permission) e.nextElement());
+
+ return realResult;
+ }
+
+ result = getPermissions(domain.getCodeSource());
+ if (result == null)
+ result = new Permissions();
+
+ PermissionCollection pc = domain.getPermissions();
+ if (pc != null)
+ for (Enumeration e = pc.elements(); e.hasMoreElements(); )
+ result.add((Permission) e.nextElement());
+
+ return result;
+ }
+
+ /**
+ * Evaluates the global policy for the permissions granted to the {@link
+ * ProtectionDomain} and tests whether the <code>permission</code> is granted.
+ *
+ * @param domain the {@link ProtectionDomain} to test.
+ * @param permission the {@link Permission} object to be tested for
+ * implication.
+ * @return <code>true</code> if <code>permission</code> is a proper subset of
+ * a permission granted to this {@link ProtectionDomain}.
+ * @since 1.4
+ * @see ProtectionDomain
+ */
+ public boolean implies(ProtectionDomain domain, Permission permission)
+ {
+ if (pd2pc == null)
+ setup(this);
+
+ PermissionCollection pc = (PermissionCollection) pd2pc.get(domain);
+ if (pc != null)
+ return pc.implies(permission);
+
+ boolean result = false;
+ pc = getPermissions(domain);
+ if (pc != null)
+ {
+ result = pc.implies(permission);
+ pd2pc.put(domain, pc);
+ }
+
+ return result;
+ }
+
+ /**
+ * Refreshes/reloads the policy configuration. The behavior of this method
+ * depends on the implementation. For example, calling refresh on a file-based
+ * policy will cause the file to be re-read.
+ */
+ public abstract void refresh();
+}
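Review bot: In getCurrentPolicy(), a `policy.provider` value that fails to load or instantiate is swallowed by the empty `catch (Exception e)`, and the code then installs `gnu.java.security.provider.DefaultPolicy`, which the class comment describes as allowing everything. A typo or a missing provider class therefore silently turns a restrictive configuration into a permissive one. When the property is set but the provider cannot be created, fail closed instead of falling back, for example `throw new SecurityException("cannot load policy provider " + pp);` in the catch block, and keep the default only for the unset case. The lazy initialisation of the static `currentPolicy` is also unsynchronized, so two threads may each create a provider. Separately, implies() stores its results in the private `pd2pc` map and nothing visible here clears it, so a subclass's refresh() apparently cannot drop cached grants; that is worth confirming against DefaultPolicy.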
diff --git a/libjava/classpath/java/security/Principal.java b/libjava/classpath/java/security/Principal.java
new file mode 100644
index 00000000000..6d9de6ccd8a
--- /dev/null
+++ b/libjava/classpath/java/security/Principal.java
@@ -0,0 +1,85 @@
+/* Principal.java -- A security entity
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+/**
+ * This interface models an entity (such as a user or a certificate authority)
+ * for the purposes of applying the Java security model.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see X509Certificate
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface Principal
+{
+ /**
+ * This method tests another <code>Principal</code> object for equality
+ * with this one.
+ *
+ * @param obj the Object to test for equality
+ * @return true if the specified <code>Principal</code> is equal
+ */
+ boolean equals(Object obj);
+
+ /**
+ * This method returns a <code>String</code> representation of this
+ * <code>Principal</code>.
+ *
+ * @return this <code>Principal</code> represented as a <code>String</code>
+ */
+ String toString();
+
+ /**
+ * This method returns a hash code value for this <code>Principal</code>.
+ * Remember the contract of hashCode - two objects which compare as
+ * equals() must have the same hashCode().
+ *
+ * @return a hash value
+ */
+ int hashCode();
+
+ /**
+ * This method returns a <code>String</code> that names this
+ * <code>Principal</code>.
+ *
+ * @return the name of this <code>Principal</code>
+ */
+ String getName();
+} // interface Principal
diff --git a/libjava/classpath/java/security/PrivateKey.java b/libjava/classpath/java/security/PrivateKey.java
new file mode 100644
index 00000000000..70607c13442
--- /dev/null
+++ b/libjava/classpath/java/security/PrivateKey.java
@@ -0,0 +1,62 @@
+/* PrivateKey.java -- tagging interface for all private keys
+ Copyright (C) 1998, 2001, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+/**
+ * This interface specified no methods. In simply provides a common
+ * super-interface for all algorithm specific private key values.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Key
+ * @see PublicKey
+ * @see Certificate
+ * @see Signature#initVerify(PublicKey)
+ * @see DSAPrivateKey
+ * @see RSAPrivateKey
+ * @see RSAPrivateCrtKey
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface PrivateKey extends Key
+{
+ /**
+ * The version identifier used for serialization.
+ */
+ long serialVersionUID = 6034044314589513430L;
+} // interface PrivateKey
diff --git a/libjava/classpath/java/security/PrivilegedAction.java b/libjava/classpath/java/security/PrivilegedAction.java
new file mode 100644
index 00000000000..c3a41346f9c
--- /dev/null
+++ b/libjava/classpath/java/security/PrivilegedAction.java
@@ -0,0 +1,64 @@
+/* PrivilegedAction.java -- Perform a privileged action
+ Copyright (C) 1998, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This interface specifes a single <code>run</code> method that
+ * executes a privileged operation. This method is called by
+ * <code>AccessController.doPrivileged()</code> after that method
+ * activiates the required privileges.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see AccessController
+ * @see PrivilegedExceptionAction
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface PrivilegedAction
+{
+ /**
+ * This method performs an operation that requires higher privileges to
+ * perform. It is called when a section of code invokes
+ * <code>AccessController.doPrivileged()</code>.
+ *
+ * @return obj An implementation dependent return value
+ * @see AccessController#doPrivileged(PrivilegedAction)
+ * @see AccessController#doPrivileged(PrivilegedAction, AccessControlContext)
+ */
+ Object run();
+} // interface PrivilegedAction
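Review bot: The Javadoc on run() says the operation runs with "higher privileges", which is misleading: doPrivileged() does not raise privileges, it only stops the permission check from considering callers further up the stack, so the body runs with the permissions of the code that called doPrivileged(). I would reword the method comment to say so and add a caution such as `Keep the privileged body as small as possible and do not act on unvalidated values supplied by less-trusted callers.` The tag `@return obj An implementation dependent return value` should drop `obj`, since @return takes only a description, and `specifes` and `activiates` in the interface comment are typos. The same "higher privileges" wording and `@return obj` tag appear in PrivilegedExceptionAction.java.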
diff --git a/libjava/classpath/java/security/PrivilegedActionException.java b/libjava/classpath/java/security/PrivilegedActionException.java
new file mode 100644
index 00000000000..3f08c813065
--- /dev/null
+++ b/libjava/classpath/java/security/PrivilegedActionException.java
@@ -0,0 +1,109 @@
+/* PrivilegedActionException.java -- wrap an exception in a privileged action
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when an exception is thrown during a
+ * privileged action being performed with the
+ * <code>AccessController.doPrivileged()</code> method. It wraps the
+ * actual exception thrown in the privileged code.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see PrivilegedExceptionAction
+ * @see AccessController#doPrivileged(PrivilegedExceptionAction)
+ * @see AccessController#doPrivileged(PrivilegedExceptionAction, AccessControlContext)
+ * @status updated to 1.4
+ */
+public class PrivilegedActionException extends Exception
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 4724086851538908602L;
+
+ /**
+ * This is the actual exception that occurred.
+ *
+ * @serial the wrapped exception
+ */
+ private Exception exception;
+
+ /**
+ * Create a new instance that wraps the specified <code>Exception</code>.
+ *
+ * @param e the <code>Exception</code> to wrap
+ */
+ public PrivilegedActionException(Exception e)
+ {
+ super(e);
+ exception = e;
+ }
+
+ /**
+ * Get the underlying <code>Exception</code> that caused this one. This
+ * is a legacy method, the preferred way is {@link #getCause()}.
+ *
+ * @return the cause
+ */
+ public Exception getException()
+ {
+ return exception;
+ }
+
+ /**
+ * Gets the cause of this exception.
+ *
+ * @return the cause
+ * @since 1.4
+ */
+ public Throwable getCause()
+ {
+ return exception;
+ }
+
+ /**
+ * Convert this to a String.
+ *
+ * @return the string representation
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+}
diff --git a/libjava/classpath/java/security/PrivilegedExceptionAction.java b/libjava/classpath/java/security/PrivilegedExceptionAction.java
new file mode 100644
index 00000000000..d3d0478fd48
--- /dev/null
+++ b/libjava/classpath/java/security/PrivilegedExceptionAction.java
@@ -0,0 +1,65 @@
+/* PrivilegedExceptionAction.java -- Perform a privileged operation
+ Copyright (C) 1998, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This interface defines a method that is called by
+ * <code>AccessController.doPrivileged()</code> in order to perform a
+ * privileged operation with higher privileges enabled. This interface
+ * differs from <code>PrivilegedAction</code> in that the <code>run</code>
+ * method in this interface may throw a checked exception.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface PrivilegedExceptionAction
+{
+ /**
+ * This method performs an operation that requires higher privileges to
+ * successfully complete. It is called when a section of code invokes
+ * <code>AccessController.doPrivileged()</code>.
+ *
+ * @return obj An implementation defined return value
+ * @throws Exception An implementation specific exception
+ * @see AccessController#doPrivileged(PrivilegedExceptionAction)
+ * @see AccessController#doPrivileged(PrivilegedExceptionAction,
+ * AccessControlContext)
+ */
+ Object run() throws Exception;
+} // interface PrivilegedExceptionAction
diff --git a/libjava/classpath/java/security/ProtectionDomain.java b/libjava/classpath/java/security/ProtectionDomain.java
new file mode 100644
index 00000000000..a5851b5adf4
--- /dev/null
+++ b/libjava/classpath/java/security/ProtectionDomain.java
@@ -0,0 +1,269 @@
+/* ProtectionDomain.java -- A security domain
+ Copyright (C) 1998, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * <p>This <code>ProtectionDomain</code> class encapsulates the characteristics
+ * of a domain, which encloses a set of classes whose instances are granted a
+ * set of permissions when being executed on behalf of a given set of
+ * <i>Principals</i>.
+ *
+ * <p>A static set of permissions can be bound to a <code>ProtectionDomain</code>
+ * when it is constructed; such permissions are granted to the domain regardless
+ * of the {@link Policy} in force. However, to support dynamic security
+ * policies, a <code>ProtectionDomain</code> can also be constructed such that
+ * it is dynamically mapped to a set of permissions by the current {@link
+ * Policy} whenever a permission is checked.</p>
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @version 0.0
+ */
+public class ProtectionDomain
+{
+ /** This is the <code>CodeSource</code> for this protection domain. */
+ private CodeSource code_source;
+
+ /** This is the set of permissions granted to this domain. */
+ private PermissionCollection perms;
+
+ /** The {@link ClassLoader} associated with this domain. */
+ private ClassLoader classloader;
+
+ /** The array of Principals associated with this domain.. */
+ private Principal[] principals;
+
+ /** Post 1.4 the policy may be refreshed! use false for pre 1.4. */
+ private boolean staticBinding;
+
+ /**
+ * Creates a new <code>ProtectionDomain</code> with the given {@link
+ * CodeSource} and {@link Permissions}. If the permissions object is not
+ * <code>null</code>, then <code>setReadOnly()</code> will be called on the
+ * passed in {@link Permissions} object. The only permissions granted to this
+ * domain are the ones specified; the current {@link Policy} will not be
+ * consulted.
+ *
+ * @param codesource the codesource associated with this domain.
+ * @param permissions the permissions granted to this domain
+ */
+ public ProtectionDomain(CodeSource codesource, PermissionCollection permissions)
+ {
+ this(codesource, permissions, null, null, true);
+ }
+
+ /**
+ * <p>Creates a new ProtectionDomain qualified by the given CodeSource,
+ * Permissions, ClassLoader and array of Principals. If the permissions
+ * object is not null, then <code>setReadOnly()</code> will be called on the
+ * passed in Permissions object. The permissions granted to this domain are
+ * dynamic; they include both the static permissions passed to this
+ * constructor, and any permissions granted to this domain by the current
+ * Policy at the time a permission is checked.</p>
+ *
+ * <p>This constructor is typically used by {@link ClassLoader}s and {@link
+ * DomainCombiner}s which delegate to <code>Policy</code> to actively
+ * associate the permissions granted to this domain. This constructor affords
+ * the Policy provider the opportunity to augment the supplied
+ * PermissionCollection to reflect policy changes.</p>
+ *
+ * @param codesource the CodeSource associated with this domain.
+ * @param permissions the permissions granted to this domain.
+ * @param classloader the ClassLoader associated with this domain.
+ * @param principals the array of Principals associated with this domain.
+ * @since 1.4
+ * @see Policy#refresh()
+ * @see Policy#getPermissions(ProtectionDomain)
+ */
+ public ProtectionDomain(CodeSource codesource,
+ PermissionCollection permissions,
+ ClassLoader classloader, Principal[] principals)
+ {
+ this(codesource, permissions, classloader, principals, false);
+ }
+
+ private ProtectionDomain(CodeSource codesource,
+ PermissionCollection permissions,
+ ClassLoader classloader, Principal[] principals,
+ boolean staticBinding)
+ {
+ super();
+
+ code_source = codesource;
+ if (permissions != null)
+ {
+ perms = permissions;
+ perms.setReadOnly();
+ }
+
+ this.classloader = classloader;
+ this.principals =
+ (principals != null ? (Principal[]) principals.clone() : new Principal[0]);
+ this.staticBinding = staticBinding;
+ }
+
+ /**
+ * Returns the {@link CodeSource} of this domain.
+ *
+ * @return the {@link CodeSource} of this domain which may be <code>null</code>.
+ * @since 1.2
+ */
+ public final CodeSource getCodeSource()
+ {
+ return code_source;
+ }
+
+ /**
+ * Returns the {@link ClassLoader} of this domain.
+ *
+ * @return the {@link ClassLoader} of this domain which may be
+ * <code>null</code>.
+ * @since 1.4
+ */
+ public final ClassLoader getClassLoader()
+ {
+ return this.classloader;
+ }
+
+ /**
+ * Returns an array of principals for this domain.
+ *
+ * @return returns a non-null array of principals for this domain. Changes to
+ * this array will have no impact on the <code>ProtectionDomain</code>.
+ * @since 1.4
+ */
+ public final Principal[] getPrincipals()
+ {
+ return (Principal[]) principals.clone();
+ }
+
+ /**
+ * Returns the static permissions granted to this domain.
+ *
+ * @return the static set of permissions for this domain which may be
+ * <code>null</code>.
+ * @see Policy#refresh()
+ * @see Policy#getPermissions(ProtectionDomain)
+ */
+ public final PermissionCollection getPermissions()
+ {
+ return perms;
+ }
+
+ /**
+ * <p>Check and see if this <code>ProtectionDomain</code> implies the
+ * permissions expressed in the <code>Permission</code> object.</p>
+ *
+ * <p>The set of permissions evaluated is a function of whether the
+ * <code>ProtectionDomain</code> was constructed with a static set of
+ * permissions or it was bound to a dynamically mapped set of permissions.</p>
+ *
+ * <p>If the <code>ProtectionDomain</code> was constructed to a statically
+ * bound {@link PermissionCollection} then the permission will only be checked
+ * against the {@link PermissionCollection} supplied at construction.</p>
+ *
+ * <p>However, if the <code>ProtectionDomain</code> was constructed with the
+ * constructor variant which supports dynamically binding permissions, then
+ * the permission will be checked against the combination of the
+ * {@link PermissionCollection} supplied at construction and the current
+ * {@link Policy} binding.
+ *
+ * @param permission the {@link Permission} object to check.
+ * @return <code>true</code> if <code>permission</code> is implicit to this
+ * <code>ProtectionDomain</code>.
+ */
+ public boolean implies(Permission permission)
+ {
+ if (staticBinding)
+ return (perms == null ? false : perms.implies(permission));
+ // Else dynamically bound. Do we have it?
+ // NOTE: this will force loading of Policy.currentPolicy
+ return Policy.getCurrentPolicy().implies(this, permission);
+ }
+
+ /**
+ * Convert a <code>ProtectionDomain</code> to a String.
+ *
+ * @return a string representation of the object.
+ */
+ public String toString()
+ {
+ String linesep = System.getProperty("line.separator");
+ StringBuffer sb = new StringBuffer("ProtectionDomain (").append(linesep);
+
+ if (code_source == null)
+ sb.append("CodeSource:null");
+ else
+ sb.append(code_source);
+
+ sb.append(linesep);
+ if (classloader == null)
+ sb.append("ClassLoader:null");
+ else
+ sb.append(classloader);
+
+ sb.append(linesep);
+ sb.append("Principals:");
+ if (principals != null && principals.length > 0)
+ {
+ sb.append("[");
+ Principal pal;
+ for (int i = 0; i < principals.length; i++)
+ {
+ pal = principals[i];
+ sb.append("'").append(pal.getName())
+ .append("' of type ").append(pal.getClass().getName());
+ if (i < principals.length-1)
+ sb.append(", ");
+ }
+ sb.append("]");
+ }
+ else
+ sb.append("none");
+
+ sb.append(linesep);
+ if (!staticBinding) // include all but dont force loading Policy.currentPolicy
+ if (Policy.isLoaded())
+ sb.append(Policy.getCurrentPolicy().getPermissions(this));
+ else // fallback on this one's permissions
+ sb.append(perms);
+ else
+ sb.append(perms);
+
+ return sb.append(linesep).append(")").append(linesep).toString();
+ }
+}
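Review bot: In `implies()`, the dynamically bound branch returns only `Policy.getCurrentPolicy().implies(this, permission)` and never consults `perms`, although the Javadoc above it promises a check against the combination of the collection supplied at construction and the current Policy. Unless `Policy.implies` merges the domain's `getPermissions()` itself (not visible in this hunk), the permissions that `SecureClassLoader.defineClass()` passes to the four-argument constructor are silently dropped. Adding `if (perms != null && perms.implies(permission)) return true;` before the Policy call would make the documented behaviour local. Separately, `toString()` calls `pal.getName()` without a null check, so a null element in the caller-supplied `principals` array makes every later `toString()` throw. The private constructor could reject null elements, or `toString()` could print them as `null`.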
diff --git a/libjava/classpath/java/security/Provider.java b/libjava/classpath/java/security/Provider.java
new file mode 100644
index 00000000000..4ffaa55bcb1
--- /dev/null
+++ b/libjava/classpath/java/security/Provider.java
@@ -0,0 +1,202 @@
+/* Provider.java -- Security provider information
+ Copyright (C) 1998, 1999, 2000, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.io.Serializable;
+import java.util.Properties;
+
+/**
+ * This class represents a Java security architecture service provider.
+ * The services provided by a such a provider can range from security
+ * algorithms to key generation.
+ * <p>
+ * Providers are installed by name and version number. There is one
+ * standard provider supplied with the class library. This is the
+ * "GNU" provider, which can also be accessed by the alias "SUN" for
+ * compatibility with the JDK.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public abstract class Provider extends Properties implements Serializable
+{
+ private static final long serialVersionUID = -4298000515446427739L;
+
+ /**
+ * This is a textual description of the provider
+ */
+ private String info;
+
+ /**
+ * This is the name of the provider
+ */
+ private String name;
+
+ /**
+ * This is the version number of the provider
+ */
+ private double version;
+
+ /**
+ * This method initializes a new instance of <code>Provider</code> to have
+ * the specified name, version, and description information.
+ *
+ * @param name The name to assign to this <code>Provider</code>.
+ * @param version The version number for this <code>Provider</code>.
+ * @param info A textual description of this provider.
+ */
+ protected Provider(String name, double version, String info)
+ {
+ this.name = name;
+ this.version = version;
+ this.info = info;
+ }
+
+ /**
+ * This method returns the name assigned to this <code>Provider</code>.
+ *
+ * @return The <code>Provider</code>'s name.
+ */
+ public String getName()
+ {
+ return (name);
+ }
+
+ /**
+ * This method retunrs the version number of this <code>Provider</code>.
+ *
+ * @return The <code>Provider</code>'s version number.
+ */
+ public double getVersion()
+ {
+ return (version);
+ }
+
+ /**
+ * This method returns a textual description of the <code>Provider</code>.
+ *
+ * @return A description of the <code>Provider</code>.
+ */
+ public String getInfo()
+ {
+ return (info);
+ }
+
+ /**
+ * Sets the key property to have the specified value.
+ * <p>
+ * <bold>NOT IMPLEMENTED YET</bold>[
+ * First, if there is a security manager, its <code>checkSecurityAccess</code>
+ * method is called with the string "putProviderProperty."+name, where name is
+ * the provider name, to see if it's ok to set this provider's property
+ * values.
+ * If the default implementation of <code>checkSecurityAccess</code> is used
+ * (that is, that method is not overriden), then this results in a call to the
+ * security manager's <code>checkPermission</code> method with a
+ * <code>SecurityPermission("putProviderProperty."+name)</code>
+ * permission.<br>]
+ *
+ * @param key The property key.
+ * @param value The property value.
+ *
+ * @return The previous value of the specified property (<code>key</code>),
+ * or <code>null</code> if it did not have one.
+ * @throws SecurityException If a security manager exists and its
+ * {@link java.lang.SecurityManager.checkSecurityAccess(java.lang.String)}
+ * method denies access to set property values.
+ * @since Classpath 0.4+cvs, JDK 1.2
+ * @see java.lang.Object.equals(Object)
+ * @see java.util.Hashtable.get(Object)
+ */
+ public Object put(Object key, Object value)
+ {
+ return super.put(toCanonicalKey(key), value);
+ }
+
+ // overrides same in java.util.Hashtable
+ public Object get(Object key)
+ {
+ return super.get(toCanonicalKey(key));
+ }
+
+ /**
+ * This method removes the specified key entry (and its associated value)
+ * from the property mapping list.
+ *
+ * @param key The key to remove
+ *
+ * @return The previous value for this key, or <code>null</code> if no
+ * previous value.
+ */
+ public Object remove(Object key)
+ {
+ return super.remove(toCanonicalKey(key));
+ }
+
+ /**
+ * This method clears the entire property list such that it no longer
+ * contains the properties used to look up the services provided by
+ * the <code>Provider</code>.
+ */
+ public void clear()
+ {
+ super.clear();
+ }
+
+ /**
+ * This method returns a <code>String</code> representation of this
+ * object. This will include the <code>Provider</code> name and
+ * version number.
+ *
+ * @return A <code>String</code> representation of this object.
+ */
+ public String toString()
+ {
+ return (getClass().getName() + ": name=" + getName() + " version=" +
+ version);
+ }
+
+ private Object toCanonicalKey(Object key)
+ {
+ if (key.getClass().isAssignableFrom(String.class)) // is it ours?
+ return ((String) key).toUpperCase(); // use default locale
+ else
+ return key;
+ }
+}
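Review bot: `put()`, `remove()` and `clear()` change the provider's service table with no access check; the Javadoc on `put()` marks the `checkSecurityAccess` call as NOT IMPLEMENTED YET, so under a security manager any code holding a `Provider` reference can still replace or delete algorithm mappings. The check that comment describes is short enough to add now: `SecurityManager sm = System.getSecurityManager();` followed by `if (sm != null) sm.checkSecurityAccess("putProviderProperty." + name);`, with equivalent guards on `remove()` and `clear()`. In `toCanonicalKey()`, the test `key.getClass().isAssignableFrom(String.class)` is also true for a plain `Object` key, so the cast on the next line throws `ClassCastException`; `if (key instanceof String)` is the intended test. The same line upper-cases with the default locale, so keys containing `i` canonicalise differently under a Turkish locale; `((String) key).toUpperCase(java.util.Locale.ENGLISH)` keeps lookups stable.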
diff --git a/libjava/classpath/java/security/ProviderException.java b/libjava/classpath/java/security/ProviderException.java
new file mode 100644
index 00000000000..2dafcec3495
--- /dev/null
+++ b/libjava/classpath/java/security/ProviderException.java
@@ -0,0 +1,70 @@
+/* ProviderException.java -- Generic security provider runtime exception
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception indicates that a runtime problem was encounterd with
+ * a security provider.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class ProviderException extends RuntimeException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 5256023526693665674L;
+
+ /**
+ * Create an instance with no descriptive error message.
+ */
+ public ProviderException()
+ {
+ }
+
+ /**
+ * Create an instance with a descriptive error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public ProviderException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/PublicKey.java b/libjava/classpath/java/security/PublicKey.java
new file mode 100644
index 00000000000..9bf14584089
--- /dev/null
+++ b/libjava/classpath/java/security/PublicKey.java
@@ -0,0 +1,60 @@
+/* PublicKey.java -- tagging interface for all public keys
+ Copyright (C) 1998, 2001, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This interface specified no methods. In simply provides a common
+ * super-interface for all algorithm specific public key values.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Key
+ * @see PrivateKey
+ * @see Certificate
+ * @see Signature#initVerify(PublicKey)
+ * @see DSAPublicKey
+ * @see RSAPublicKey
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public interface PublicKey extends Key
+{
+ /**
+ * The version identifier used for serialization.
+ */
+ long serialVersionUID = 7187392471159151072L;
+} // interface PublicKey
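Review bot: The interface Javadoc has two wording slips and two `@see` links that cannot resolve, because `DSAPublicKey` and `RSAPublicKey` live in `java.security.interfaces` and this file neither imports nor qualifies them. I would write the summary as `This interface specifies no methods. It simply provides a common super-interface for all algorithm-specific public key values.` and the tags as `@see java.security.interfaces.DSAPublicKey` and `@see java.security.interfaces.RSAPublicKey`.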
diff --git a/libjava/classpath/java/security/SecureClassLoader.java b/libjava/classpath/java/security/SecureClassLoader.java
new file mode 100644
index 00000000000..9d1fac79749
--- /dev/null
+++ b/libjava/classpath/java/security/SecureClassLoader.java
@@ -0,0 +1,128 @@
+/* SecureClassLoader.java --- A Secure Class Loader
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * A Secure Class Loader for loading classes with additional
+ * support for specifying code source and permissions when
+ * they are retrieved by the system policy handler.
+ *
+ * @since 1.2
+ *
+ * @author Mark Benvenuto
+ */
+public class SecureClassLoader extends ClassLoader
+{
+ java.util.WeakHashMap protectionDomainCache = new java.util.WeakHashMap();
+
+ protected SecureClassLoader(ClassLoader parent)
+ {
+ super(parent);
+ SecurityManager sm = System.getSecurityManager();
+ if(sm != null)
+ sm.checkCreateClassLoader();
+ }
+
+ protected SecureClassLoader()
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if(sm != null)
+ sm.checkCreateClassLoader();
+ }
+
+ /**
+ * Creates a class using an array of bytes and a
+ * CodeSource.
+ *
+ * @param name the name to give the class. null if unknown.
+ * @param b the data representing the classfile, in classfile format.
+ * @param off the offset into the data where the classfile starts.
+ * @param len the length of the classfile data in the array.
+ * @param cs the CodeSource for the class or null when unknown.
+ *
+ * @return the class that was defined and optional CodeSource.
+ *
+ * @exception ClassFormatError if the byte array is not in proper classfile format.
+ */
+ protected final Class defineClass(String name, byte[] b, int off, int len,
+ CodeSource cs)
+ {
+ if (cs != null)
+ {
+ ProtectionDomain protectionDomain;
+
+ synchronized (protectionDomainCache)
+ {
+ protectionDomain = (ProtectionDomain)protectionDomainCache.get(cs);
+ }
+
+ if (protectionDomain == null)
+ {
+ protectionDomain
+ = new ProtectionDomain(cs, getPermissions(cs), this, null);
+ synchronized (protectionDomainCache)
+ {
+ ProtectionDomain domain
+ = (ProtectionDomain)protectionDomainCache.get(cs);
+ if (domain == null)
+ protectionDomainCache.put(cs, protectionDomain);
+ else
+ protectionDomain = domain;
+ }
+ }
+ return super.defineClass(name, b, off, len, protectionDomain);
+ }
+ else
+ return super.defineClass(name, b, off, len);
+ }
+
+ /**
+ * Returns a PermissionCollection for the specified CodeSource.
+ * The default implementation invokes
+ * java.security.Policy.getPermissions.
+ *
+ * This method is called by defineClass that takes a CodeSource
+ * arguement to build a proper ProtectionDomain for the class
+ * being defined.
+ */
+ protected PermissionCollection getPermissions(CodeSource cs)
+ {
+ Policy policy = Policy.getCurrentPolicy();
+ return policy.getPermissions(cs);
+ }
+}
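Review bot: `protectionDomainCache` is a `WeakHashMap` keyed by `CodeSource`, but each cached `ProtectionDomain` value holds a strong reference to that same `CodeSource` (the constructor in ProtectionDomain.java stores it in `code_source`), so no entry can ever be cleared and the map grows for the lifetime of the loader. Either use a plain `HashMap` and accept that lifetime, or store the domain behind a `java.lang.ref.WeakReference`. The field is also package-private and non-final even though it doubles as the lock object in `defineClass()`; declaring it `private final java.util.WeakHashMap protectionDomainCache` would stop other classes in `java.security` from replacing it. The two constructors have no Javadoc; a sentence stating that they throw `SecurityException` when `checkCreateClassLoader()` denies the request would document the one security-relevant behaviour they have.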
diff --git a/libjava/classpath/java/security/SecureRandom.java b/libjava/classpath/java/security/SecureRandom.java
new file mode 100644
index 00000000000..3ee3a841d26
--- /dev/null
+++ b/libjava/classpath/java/security/SecureRandom.java
@@ -0,0 +1,380 @@
+/* SecureRandom.java --- Secure Random class implementation
+ Copyright (C) 1999, 2001, 2002, 2003, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.util.Enumeration;
+import java.util.Random;
+
+/**
+ * An interface to a cryptographically secure pseudo-random number
+ * generator (PRNG). Random (or at least unguessable) numbers are used
+ * in all areas of security and cryptography, from the generation of
+ * keys and initialization vectors to the generation of random padding
+ * bytes.
+ *
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ * @author Casey Marshall
+ */
+public class SecureRandom extends Random
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for PRNGs. */
+ private static final String SECURE_RANDOM = "SecureRandom";
+
+ private static final long serialVersionUID = 4940670005562187L;
+
+ //Serialized Field
+ long counter = 0; //Serialized
+ Provider provider = null;
+ byte[] randomBytes = null; //Always null
+ int randomBytesUsed = 0;
+ SecureRandomSpi secureRandomSpi = null;
+ byte[] state = null;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ Default constructor for SecureRandom. It constructs a
+ new SecureRandom by instantating the first SecureRandom
+ algorithm in the default security provier.
+
+ It is not seeded and should be seeded using setSeed or else
+ on the first call to getnextBytes it will force a seed.
+
+ It is maintained for backwards compatibility and programs
+ should use {@link #getInstance(java.lang.String)}.
+ */
+ public SecureRandom()
+ {
+ Provider[] p = Security.getProviders();
+
+ //Format of Key: SecureRandom.algname
+ String key;
+
+ String classname = null;
+ int i;
+ Enumeration e;
+ for (i = 0; i < p.length; i++)
+ {
+ e = p[i].propertyNames();
+ while (e.hasMoreElements())
+ {
+ key = (String) e.nextElement();
+ if (key.startsWith("SECURERANDOM."))
+ {
+ if ((classname = p[i].getProperty(key)) != null)
+ {
+ try
+ {
+ secureRandomSpi = (SecureRandomSpi) Class.
+ forName(classname).newInstance();
+ provider = p[i];
+ return;
+ }
+ catch (ThreadDeath death)
+ {
+ throw death;
+ }
+ catch (Throwable t)
+ {
+ // Ignore.
+ }
+ }
+ }
+ }
+ }
+
+ // Nothing found. Fall back to SHA1PRNG
+ secureRandomSpi = new gnu.java.security.provider.SHA1PRNG();
+ }
+
+ /**
+ A constructor for SecureRandom. It constructs a new
+ SecureRandom by instantating the first SecureRandom algorithm
+ in the default security provier.
+
+ It is seeded with the passed function and is useful if the user
+ has access to hardware random device (like a radiation detector).
+
+ It is maintained for backwards compatibility and programs
+ should use getInstance.
+
+ @param seed Seed bytes for class
+ */
+ public SecureRandom(byte[] seed)
+ {
+ this();
+ setSeed(seed);
+ }
+
+ /**
+ A constructor for SecureRandom. It constructs a new
+ SecureRandom using the specified SecureRandomSpi from
+ the specified security provier.
+
+ @param secureRandomSpi A SecureRandomSpi class
+ @param provider A Provider class
+ */
+ protected SecureRandom(SecureRandomSpi secureRandomSpi, Provider provider)
+ {
+ this.secureRandomSpi = secureRandomSpi;
+ this.provider = provider;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns an instance of a SecureRandom. It creates the class from
+ * the first provider that implements it.
+ *
+ * @param algorithm The algorithm name.
+ * @return A new SecureRandom implementing the given algorithm.
+ * @throws NoSuchAlgorithmException If no installed provider implements
+ * the given algorithm.
+ */
+ public static SecureRandom getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignore.
+ }
+ }
+
+ // None found.
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Returns an instance of a SecureRandom. It creates the class
+ * for the specified algorithm from the named provider.
+ *
+ * @param algorithm The algorithm name.
+ * @param provider The provider name.
+ * @return A new SecureRandom implementing the chosen algorithm.
+ * @throws NoSuchAlgorithmException If the named provider does not implement
+ * the algorithm, or if the implementation cannot be
+ * instantiated.
+ * @throws NoSuchProviderException If no provider named
+ * <code>provider</code> is currently installed.
+ * @throws IllegalArgumentException If <code>provider</code> is null
+ * or is empty.
+ */
+ public static SecureRandom getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Returns an instance of a SecureRandom. It creates the class for
+ * the specified algorithm from the given provider.
+ *
+ * @param algorithm The SecureRandom algorithm to create.
+ * @param provider The provider to get the instance from.
+ * @throws NoSuchAlgorithmException If the algorithm cannot be found, or
+ * if the class cannot be instantiated.
+ * @throws IllegalArgumentException If <code>provider</code> is null.
+ */
+ public static SecureRandom getInstance(String algorithm, Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+ try
+ {
+ return new SecureRandom((SecureRandomSpi)
+ Engine.getInstance(SECURE_RANDOM, algorithm, provider),
+ provider);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ Returns the provider being used by the current SecureRandom class.
+
+ @return The provider from which this SecureRandom was attained
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ Seeds the SecureRandom. The class is re-seeded for each call and
+ each seed builds on the previous seed so as not to weaken security.
+
+ @param seed seed bytes to seed with
+ */
+ public void setSeed(byte[] seed)
+ {
+ secureRandomSpi.engineSetSeed(seed);
+ }
+
+ /**
+ Seeds the SecureRandom. The class is re-seeded for each call and
+ each seed builds on the previous seed so as not to weaken security.
+
+ @param seed 8 seed bytes to seed with
+ */
+ public void setSeed(long seed)
+ {
+ // This particular setSeed will be called by Random.Random(), via
+ // our own constructor, before secureRandomSpi is initialized. In
+ // this case we can't call a method on secureRandomSpi, and we
+ // definitely don't want to throw a NullPointerException.
+ // Therefore we test.
+ if (secureRandomSpi != null)
+ {
+ byte[] tmp = { (byte) (0xff & (seed >> 56)),
+ (byte) (0xff & (seed >> 48)),
+ (byte) (0xff & (seed >> 40)),
+ (byte) (0xff & (seed >> 32)),
+ (byte) (0xff & (seed >> 24)),
+ (byte) (0xff & (seed >> 16)),
+ (byte) (0xff & (seed >> 8)),
+ (byte) (0xff & seed)
+ };
+ secureRandomSpi.engineSetSeed(tmp);
+ }
+ }
+
+ /**
+ Generates a user specified number of bytes. This function
+ is the basis for all the random functions.
+
+ @param bytes array to store generated bytes in
+ */
+ public void nextBytes(byte[] bytes)
+ {
+ randomBytesUsed += bytes.length;
+ counter++;
+ secureRandomSpi.engineNextBytes(bytes);
+ }
+
+ /**
+ Generates an integer containing the user specified
+ number of random bits. It is right justified and padded
+ with zeros.
+
+ @param numBits number of random bits to get, 0 <= numBits <= 32;
+
+ @return the random bits
+ */
+ protected final int next(int numBits)
+ {
+ if (numBits == 0)
+ return 0;
+
+ byte[] tmp = new byte[numBits / 8 + (1 * (numBits % 8))];
+
+ secureRandomSpi.engineNextBytes(tmp);
+ randomBytesUsed += tmp.length;
+ counter++;
+
+ int ret = 0;
+
+ for (int i = 0; i < tmp.length; i++)
+ ret |= (tmp[i] & 0xFF) << (8 * i);
+
+ long mask = (1L << numBits) - 1;
+ return (int) (ret & mask);
+ }
+
+ /**
+ Returns the given number of seed bytes. This method is
+ maintained only for backwards capability.
+
+ @param numBytes number of seed bytes to get
+
+ @return an array containing the seed bytes
+ */
+ public static byte[] getSeed(int numBytes)
+ {
+ byte[] tmp = new byte[numBytes];
+
+ new Random().nextBytes(tmp);
+ return tmp;
+ //return secureRandomSpi.engineGenerateSeed( numBytes );
+ }
+
+ /**
+ Returns the specified number of seed bytes.
+
+ @param numBytes number of seed bytes to get
+
+ @return an array containing the seed bytes
+ */
+ public byte[] generateSeed(int numBytes)
+ {
+ return secureRandomSpi.engineGenerateSeed(numBytes);
+ }
+
+}
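Review bot: `getSeed(int)` fills its result with `new Random().nextBytes(tmp)`, so bytes that callers will treat as seed material come from `java.util.Random`, a generator that is not designed to be unpredictable. The method is static and cannot reach `secureRandomSpi` (hence the commented-out line), so it should go through an instance, e.g. `return new SecureRandom().generateSeed(numBytes);`. In `next(int)`, the buffer size `numBits / 8 + (1 * (numBits % 8))` adds the remainder itself rather than one byte, so 31 bits allocates 10 bytes. Because an `int` shift by `8 * i` wraps at 32, bytes 4 and up are OR-ed onto positions already filled and the output is biased toward 1 bits; `byte[] tmp = new byte[(numBits + 7) / 8];` keeps the loop within four bytes. Separately, the no-argument constructor matches keys with `startsWith("SECURERANDOM.")`, which is case-sensitive and differs from the `"SecureRandom"` service name declared in this class, and it discards every `Throwable`, so it may always reach the SHA1PRNG fallback with `provider` left null; that is worth confirming against how providers register the key.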
diff --git a/libjava/classpath/java/security/SecureRandomSpi.java b/libjava/classpath/java/security/SecureRandomSpi.java
new file mode 100644
index 00000000000..7759097a456
--- /dev/null
+++ b/libjava/classpath/java/security/SecureRandomSpi.java
@@ -0,0 +1,85 @@
+/* SecureRandomSpi.java --- Secure Random Service Provider Interface
+ Copyright (C) 1999, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+import java.io.Serializable;
+
+/**
+ SecureRandomSpi is the Service Provider Interface for SecureRandom
+ providers. It provides an interface for providers to the
+ SecureRandom engine to write their own pseudo-random number
+ generator.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ */
+public abstract class SecureRandomSpi implements Serializable
+{
+ private static final long serialVersionUID = -2991854161009191830L;
+
+ /**
+ Default Constructor for SecureRandomSpi
+ */
+ public SecureRandomSpi()
+ {
+ }
+
+ /**
+ Updates the seed for SecureRandomSpi but does not reset seed.
+ It does to this so repeated called never decrease randomness.
+ */
+ protected abstract void engineSetSeed(byte[] seed);
+
+ /**
+ Gets a user specified number of bytes depending on the length
+ of the array?
+
+ @param bytes array to fill with random bytes
+ */
+ protected abstract void engineNextBytes(byte[] bytes);
+
+ /**
+ Gets a user specified number of bytes specified by the
+ parameter.
+
+ @param numBytes number of random bytes to generate
+
+ @return an array full of random bytes
+ */
+ protected abstract byte[] engineGenerateSeed(int numBytes);
+}
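Review bot: The Javadoc for `engineNextBytes` ends in a question ("depending on the length of the array?") and `engineSetSeed` has no `@param` tag, so provider authors get no stated contract for the two methods the generator's strength rests on. I would state it outright. For `engineSetSeed`: `Supplements the current seed with the given bytes; it must not replace existing state, so repeated calls never reduce randomness.` with `@param seed the seed bytes to mix in`. For `engineNextBytes`: `Fills the whole array with random bytes; exactly bytes.length bytes are generated.` The class also implements `Serializable`, so a sentence noting that an implementation's internal state may travel with its serialized form, and should be handled as secret, would help implementers.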
diff --git a/libjava/classpath/java/security/Security.java b/libjava/classpath/java/security/Security.java
new file mode 100644
index 00000000000..54b97923efd
--- /dev/null
+++ b/libjava/classpath/java/security/Security.java
@@ -0,0 +1,740 @@
+/* Security.java --- Java base security class implementation
+ Copyright (C) 1999, 2001, 2002, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.classpath.SystemProperties;
+
+import gnu.classpath.Configuration;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedHashSet;
+import java.util.Map;
+import java.util.Properties;
+import java.util.Set;
+import java.util.Vector;
+
+/**
+ * This class centralizes all security properties and common security methods.
+ * One of its primary uses is to manage providers.
+ *
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ */
+public final class Security
+{
+ private static final String ALG_ALIAS = "Alg.Alias.";
+
+ private static Vector providers = new Vector();
+ private static Properties secprops = new Properties();
+
+ static
+ {
+ String base = SystemProperties.getProperty("gnu.classpath.home.url");
+ String vendor = SystemProperties.getProperty("gnu.classpath.vm.shortname");
+
+ // Try VM specific security file
+ boolean loaded = loadProviders (base, vendor);
+
+ // Append classpath standard provider if possible
+ if (!loadProviders (base, "classpath")
+ && !loaded
+ && providers.size() == 0)
+ {
+ if (Configuration.DEBUG)
+ {
+ /* No providers found and both security files failed to
+ * load properly. Give a warning in case of DEBUG is
+ * enabled. Could be done with java.util.logging later.
+ */
+ System.err.println
+ ("WARNING: could not properly read security provider files:");
+ System.err.println
+ (" " + base + "/security/" + vendor
+ + ".security");
+ System.err.println
+ (" " + base + "/security/" + "classpath"
+ + ".security");
+ System.err.println
+ (" Falling back to standard GNU security provider");
+ }
+ providers.addElement (new gnu.java.security.provider.Gnu());
+ }
+ }
+ // This class can't be instantiated.
+ private Security()
+ {
+ }
+
+ /**
+ * Tries to load the vender specific security providers from the given
+ * base URL. Returns true if the resource could be read and completely
+ * parsed successfully, false otherwise.
+ */
+ private static boolean loadProviders(String baseUrl, String vendor)
+ {
+ if (baseUrl == null || vendor == null)
+ return false;
+
+ boolean result = true;
+ String secfilestr = baseUrl + "/security/" + vendor + ".security";
+ try
+ {
+ InputStream fin = new URL(secfilestr).openStream();
+ secprops.load(fin);
+
+ int i = 1;
+ String name;
+ while ((name = secprops.getProperty("security.provider." + i)) != null)
+ {
+ Exception exception = null;
+ try
+ {
+ providers.addElement(Class.forName(name).newInstance());
+ }
+ catch (ClassNotFoundException x)
+ {
+ exception = x;
+ }
+ catch (InstantiationException x)
+ {
+ exception = x;
+ }
+ catch (IllegalAccessException x)
+ {
+ exception = x;
+ }
+
+ if (exception != null)
+ {
+ System.err.println ("WARNING: Error loading security provider "
+ + name + ": " + exception);
+ result = false;
+ }
+ i++;
+ }
+ }
+ catch (IOException ignored)
+ {
+ result = false;
+ }
+
+ return result;
+ }
+
+ /**
+ * Gets a specified property for an algorithm. The algorithm name should be a
+ * standard name. See Appendix A in the Java Cryptography Architecture API
+ * Specification &amp; Reference for information about standard algorithm
+ * names. One possible use is by specialized algorithm parsers, which may map
+ * classes to algorithms which they understand (much like {@link Key} parsers
+ * do).
+ *
+ * @param algName the algorithm name.
+ * @param propName the name of the property to get.
+ * @return the value of the specified property.
+ * @deprecated This method used to return the value of a proprietary property
+ * in the master file of the "SUN" Cryptographic Service Provider in order to
+ * determine how to parse algorithm-specific parameters. Use the new
+ * provider-based and algorithm-independent {@link AlgorithmParameters} and
+ * {@link KeyFactory} engine classes (introduced in the Java 2 platform)
+ * instead.
+ */
+ public static String getAlgorithmProperty(String algName, String propName)
+ {
+ if (algName == null || propName == null)
+ return null;
+
+ String property = String.valueOf(propName) + "." + String.valueOf(algName);
+ Provider p;
+ for (Iterator i = providers.iterator(); i.hasNext(); )
+ {
+ p = (Provider) i.next();
+ for (Iterator j = p.keySet().iterator(); j.hasNext(); )
+ {
+ String key = (String) j.next();
+ if (key.equalsIgnoreCase(property))
+ return p.getProperty(key);
+ }
+ }
+ return null;
+ }
+
+ /**
+ * <p>Adds a new provider, at a specified position. The position is the
+ * preference order in which providers are searched for requested algorithms.
+ * Note that it is not guaranteed that this preference will be respected. The
+ * position is 1-based, that is, <code>1</code> is most preferred, followed by
+ * <code>2</code>, and so on.</p>
+ *
+ * <p>If the given provider is installed at the requested position, the
+ * provider that used to be at that position, and all providers with a
+ * position greater than position, are shifted up one position (towards the
+ * end of the list of installed providers).</p>
+ *
+ * <p>A provider cannot be added if it is already installed.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with the string <code>"insertProvider."+provider.
+ * getName()</code> to see if it's ok to add a new provider. If the default
+ * implementation of <code>checkSecurityAccess()</code> is used (i.e., that
+ * method is not overriden), then this will result in a call to the security
+ * manager's <code>checkPermission()</code> method with a
+ * <code>SecurityPermission("insertProvider."+provider.getName())</code>
+ * permission.</p>
+ *
+ * @param provider the provider to be added.
+ * @param position the preference position that the caller would like for
+ * this provider.
+ * @return the actual preference position in which the provider was added, or
+ * <code>-1</code> if the provider was not added because it is already
+ * installed.
+ * @throws SecurityException if a security manager exists and its
+ * {@link SecurityManager#checkSecurityAccess(String)} method denies access
+ * to add a new provider.
+ * @see #getProvider(String)
+ * @see #removeProvider(String)
+ * @see SecurityPermission
+ */
+ public static int insertProviderAt(Provider provider, int position)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("insertProvider." + provider.getName());
+
+ position--;
+ int max = providers.size ();
+ for (int i = 0; i < max; i++)
+ {
+ if (((Provider) providers.elementAt(i)).getName().equals(provider.getName()))
+ return -1;
+ }
+
+ if (position < 0)
+ position = 0;
+ if (position > max)
+ position = max;
+
+ providers.insertElementAt(provider, position);
+
+ return position + 1;
+ }
+
+ /**
+ * <p>Adds a provider to the next position available.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with the string <code>"insertProvider."+provider.
+ * getName()</code> to see if it's ok to add a new provider. If the default
+ * implementation of <code>checkSecurityAccess()</code> is used (i.e., that
+ * method is not overriden), then this will result in a call to the security
+ * manager's <code>checkPermission()</code> method with a
+ * <code>SecurityPermission("insertProvider."+provider.getName())</code>
+ * permission.</p>
+ *
+ * @param provider the provider to be added.
+ * @return the preference position in which the provider was added, or
+ * <code>-1</code> if the provider was not added because it is already
+ * installed.
+ * @throws SecurityException if a security manager exists and its
+ * {@link SecurityManager#checkSecurityAccess(String)} method denies access
+ * to add a new provider.
+ * @see #getProvider(String)
+ * @see #removeProvider(String)
+ * @see SecurityPermission
+ */
+ public static int addProvider(Provider provider)
+ {
+ return insertProviderAt (provider, providers.size () + 1);
+ }
+
+ /**
+ * <p>Removes the provider with the specified name.</p>
+ *
+ * <p>When the specified provider is removed, all providers located at a
+ * position greater than where the specified provider was are shifted down
+ * one position (towards the head of the list of installed providers).</p>
+ *
+ * <p>This method returns silently if the provider is not installed.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with the string <code>"removeProvider."+name</code>
+ * to see if it's ok to remove the provider. If the default implementation of
+ * <code>checkSecurityAccess()</code> is used (i.e., that method is not
+ * overriden), then this will result in a call to the security manager's
+ * <code>checkPermission()</code> method with a <code>SecurityPermission(
+ * "removeProvider."+name)</code> permission.</p>
+ *
+ * @param name the name of the provider to remove.
+ * @throws SecurityException if a security manager exists and its
+ * {@link SecurityManager#checkSecurityAccess(String)} method denies access
+ * to remove the provider.
+ * @see #getProvider(String)
+ * @see #addProvider(Provider)
+ */
+ public static void removeProvider(String name)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("removeProvider." + name);
+
+ int max = providers.size ();
+ for (int i = 0; i < max; i++)
+ {
+ if (((Provider) providers.elementAt(i)).getName().equals(name))
+ {
+ providers.remove(i);
+ break;
+ }
+ }
+ }
+
+ /**
+ * Returns an array containing all the installed providers. The order of the
+ * providers in the array is their preference order.
+ *
+ * @return an array of all the installed providers.
+ */
+ public static Provider[] getProviders()
+ {
+ Provider[] array = new Provider[providers.size ()];
+ providers.copyInto (array);
+ return array;
+ }
+
+ /**
+ * Returns the provider installed with the specified name, if any. Returns
+ * <code>null</code> if no provider with the specified name is installed.
+ *
+ * @param name the name of the provider to get.
+ * @return the provider of the specified name.
+ * @see #removeProvider(String)
+ * @see #addProvider(Provider)
+ */
+ public static Provider getProvider(String name)
+ {
+ Provider p;
+ int max = providers.size ();
+ for (int i = 0; i < max; i++)
+ {
+ p = (Provider) providers.elementAt(i);
+ if (p.getName().equals(name))
+ return p;
+ }
+ return null;
+ }
+
+ /**
+ * <p>Gets a security property value.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkPermission()</code>
+ * method is called with a <code>SecurityPermission("getProperty."+key)</code>
+ * permission to see if it's ok to retrieve the specified security property
+ * value.</p>
+ *
+ * @param key the key of the property being retrieved.
+ * @return the value of the security property corresponding to key.
+ * @throws SecurityException if a security manager exists and its
+ * {@link SecurityManager#checkPermission(Permission)} method denies access
+ * to retrieve the specified security property value.
+ * @see #setProperty(String, String)
+ * @see SecurityPermission
+ */
+ public static String getProperty(String key)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("getProperty." + key);
+
+ return secprops.getProperty(key);
+ }
+
+ /**
+ * <p>Sets a security property value.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkPermission()</code>
+ * method is called with a <code>SecurityPermission("setProperty."+key)</code>
+ * permission to see if it's ok to set the specified security property value.
+ * </p>
+ *
+ * @param key the name of the property to be set.
+ * @param datnum the value of the property to be set.
+ * @throws SecurityException if a security manager exists and its
+ * {@link SecurityManager#checkPermission(Permission)} method denies access
+ * to set the specified security property value.
+ * @see #getProperty(String)
+ * @see SecurityPermission
+ */
+ public static void setProperty(String key, String datnum)
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("setProperty." + key);
+
+ secprops.put(key, datnum);
+ }
+
+ /**
+ * Returns a Set of Strings containing the names of all available algorithms
+ * or types for the specified Java cryptographic service (e.g., Signature,
+ * MessageDigest, Cipher, Mac, KeyStore). Returns an empty Set if there is no
+ * provider that supports the specified service. For a complete list of Java
+ * cryptographic services, please see the Java Cryptography Architecture API
+ * Specification &amp; Reference. Note: the returned set is immutable.
+ *
+ * @param serviceName the name of the Java cryptographic service (e.g.,
+ * Signature, MessageDigest, Cipher, Mac, KeyStore). Note: this parameter is
+ * case-insensitive.
+ * @return a Set of Strings containing the names of all available algorithms
+ * or types for the specified Java cryptographic service or an empty set if
+ * no provider supports the specified service.
+ * @since 1.4
+ */
+ public static Set getAlgorithms(String serviceName)
+ {
+ HashSet result = new HashSet();
+ if (serviceName == null || serviceName.length() == 0)
+ return result;
+
+ serviceName = serviceName.trim();
+ if (serviceName.length() == 0)
+ return result;
+
+ serviceName = serviceName.toUpperCase()+".";
+ Provider[] providers = getProviders();
+ int ndx;
+ for (int i = 0; i < providers.length; i++)
+ for (Enumeration e = providers[i].propertyNames(); e.hasMoreElements(); )
+ {
+ String service = ((String) e.nextElement()).trim();
+ if (service.toUpperCase().startsWith(serviceName))
+ {
+ service = service.substring(serviceName.length()).trim();
+ ndx = service.indexOf(' '); // get rid of attributes
+ if (ndx != -1)
+ service = service.substring(0, ndx);
+ result.add(service);
+ }
+ }
+ return Collections.unmodifiableSet(result);
+ }
+
+ /**
+ * <p>Returns an array containing all installed providers that satisfy the
+ * specified selection criterion, or <code>null</code> if no such providers
+ * have been installed. The returned providers are ordered according to their
+ * preference order.</p>
+ *
+ * <p>A cryptographic service is always associated with a particular
+ * algorithm or type. For example, a digital signature service is always
+ * associated with a particular algorithm (e.g., <i>DSA</i>), and a
+ * CertificateFactory service is always associated with a particular
+ * certificate type (e.g., <i>X.509</i>).</p>
+ *
+ * <p>The selection criterion must be specified in one of the following two
+ * formats:</p>
+ *
+ * <ul>
+ * <li><p>&lt;crypto_service&gt;.&lt;algorithm_or_type&gt;</p>
+ * <p>The cryptographic service name must not contain any dots.</p>
+ * <p>A provider satisfies the specified selection criterion iff the
+ * provider implements the specified algorithm or type for the specified
+ * cryptographic service.</p>
+ * <p>For example, "CertificateFactory.X.509" would be satisfied by any
+ * provider that supplied a CertificateFactory implementation for X.509
+ * certificates.</p></li>
+ *
+ * <li><p>&lt;crypto_service&gt;.&lt;algorithm_or_type&gt; &lt;attribute_name&gt;:&lt;attribute_value&gt;</p>
+ * <p>The cryptographic service name must not contain any dots. There must
+ * be one or more space charaters between the the &lt;algorithm_or_type&gt;
+ * and the &lt;attribute_name&gt;.</p>
+ * <p>A provider satisfies this selection criterion iff the provider
+ * implements the specified algorithm or type for the specified
+ * cryptographic service and its implementation meets the constraint
+ * expressed by the specified attribute name/value pair.</p>
+ * <p>For example, "Signature.SHA1withDSA KeySize:1024" would be satisfied
+ * by any provider that implemented the SHA1withDSA signature algorithm
+ * with a keysize of 1024 (or larger).</p></li>
+ * </ul>
+ *
+ * <p>See Appendix A in the Java Cryptogaphy Architecture API Specification
+ * &amp; Reference for information about standard cryptographic service names,
+ * standard algorithm names and standard attribute names.</p>
+ *
+ * @param filter the criterion for selecting providers. The filter is case-
+ * insensitive.
+ * @return all the installed providers that satisfy the selection criterion,
+ * or null if no such providers have been installed.
+ * @throws InvalidParameterException if the filter is not in the required
+ * format.
+ * @see #getProviders(Map)
+ */
+ public static Provider[] getProviders(String filter)
+ {
+ if (providers == null || providers.isEmpty())
+ return null;
+
+ if (filter == null || filter.length() == 0)
+ return getProviders();
+
+ HashMap map = new HashMap(1);
+ int i = filter.indexOf(':');
+ if (i == -1) // <service>.<algorithm>
+ map.put(filter, "");
+ else // <service>.<algorithm> <attribute>:<value>
+ map.put(filter.substring(0, i), filter.substring(i+1));
+
+ return getProviders(map);
+ }
+
+ /**
+ * <p>Returns an array containing all installed providers that satisfy the
+ * specified selection criteria, or <code>null</code> if no such providers
+ * have been installed. The returned providers are ordered according to their
+ * preference order.</p>
+ *
+ * <p>The selection criteria are represented by a map. Each map entry
+ * represents a selection criterion. A provider is selected iff it satisfies
+ * all selection criteria. The key for any entry in such a map must be in one
+ * of the following two formats:</p>
+ *
+ * <ul>
+ * <li><p>&lt;crypto_service&gt;.&lt;algorithm_or_type&gt;</p>
+ * <p>The cryptographic service name must not contain any dots.</p>
+ * <p>The value associated with the key must be an empty string.</p>
+ * <p>A provider satisfies this selection criterion iff the provider
+ * implements the specified algorithm or type for the specified
+ * cryptographic service.</p></li>
+ *
+ * <li><p>&lt;crypto_service&gt;.&lt;algorithm_or_type&gt; &lt;attribute_name&gt;</p>
+ * <p>The cryptographic service name must not contain any dots. There must
+ * be one or more space charaters between the &lt;algorithm_or_type&gt; and
+ * the &lt;attribute_name&gt;.</p>
+ * <p>The value associated with the key must be a non-empty string. A
+ * provider satisfies this selection criterion iff the provider implements
+ * the specified algorithm or type for the specified cryptographic service
+ * and its implementation meets the constraint expressed by the specified
+ * attribute name/value pair.</p></li>
+ * </ul>
+ *
+ * <p>See Appendix A in the Java Cryptogaphy Architecture API Specification
+ * &amp; Reference for information about standard cryptographic service names,
+ * standard algorithm names and standard attribute names.</p>
+ *
+ * @param filter the criteria for selecting providers. The filter is case-
+ * insensitive.
+ * @return all the installed providers that satisfy the selection criteria,
+ * or <code>null</code> if no such providers have been installed.
+ * @throws InvalidParameterException if the filter is not in the required
+ * format.
+ * @see #getProviders(String)
+ */
+ public static Provider[] getProviders(Map filter)
+ {
+ if (providers == null || providers.isEmpty())
+ return null;
+
+ if (filter == null)
+ return getProviders();
+
+ Set querries = filter.keySet();
+ if (querries == null || querries.isEmpty())
+ return getProviders();
+
+ LinkedHashSet result = new LinkedHashSet(providers); // assume all
+ int dot, ws;
+ String querry, service, algorithm, attribute, value;
+ LinkedHashSet serviceProviders = new LinkedHashSet(); // preserve insertion order
+ for (Iterator i = querries.iterator(); i.hasNext(); )
+ {
+ querry = (String) i.next();
+ if (querry == null) // all providers
+ continue;
+
+ querry = querry.trim();
+ if (querry.length() == 0) // all providers
+ continue;
+
+ dot = querry.indexOf('.');
+ if (dot == -1) // syntax error
+ throw new InvalidParameterException(
+ "missing dot in '" + String.valueOf(querry)+"'");
+
+ value = (String) filter.get(querry);
+ // deconstruct querry into [service, algorithm, attribute]
+ if (value == null || value.trim().length() == 0) // <service>.<algorithm>
+ {
+ value = null;
+ attribute = null;
+ service = querry.substring(0, dot).trim();
+ algorithm = querry.substring(dot+1).trim();
+ }
+ else // <service>.<algorithm> <attribute>
+ {
+ ws = querry.indexOf(' ');
+ if (ws == -1)
+ throw new InvalidParameterException(
+ "value (" + String.valueOf(value) +
+ ") is not empty, but querry (" + String.valueOf(querry) +
+ ") is missing at least one space character");
+ value = value.trim();
+ attribute = querry.substring(ws+1).trim();
+ // was the dot in the attribute?
+ if (attribute.indexOf('.') != -1)
+ throw new InvalidParameterException(
+ "attribute_name (" + String.valueOf(attribute) +
+ ") in querry (" + String.valueOf(querry) + ") contains a dot");
+
+ querry = querry.substring(0, ws).trim();
+ service = querry.substring(0, dot).trim();
+ algorithm = querry.substring(dot+1).trim();
+ }
+
+ // service and algorithm must not be empty
+ if (service.length() == 0)
+ throw new InvalidParameterException(
+ "<crypto_service> in querry (" + String.valueOf(querry) +
+ ") is empty");
+
+ if (algorithm.length() == 0)
+ throw new InvalidParameterException(
+ "<algorithm_or_type> in querry (" + String.valueOf(querry) +
+ ") is empty");
+
+ selectProviders(service, algorithm, attribute, value, result, serviceProviders);
+ result.retainAll(serviceProviders); // eval next retaining found providers
+ if (result.isEmpty()) // no point continuing
+ break;
+ }
+
+ if (result.isEmpty())
+ return null;
+
+ return (Provider[]) result.toArray(new Provider[0]);
+ }
+
+ private static void selectProviders(String svc, String algo, String attr,
+ String val, LinkedHashSet providerSet,
+ LinkedHashSet result)
+ {
+ result.clear(); // ensure we start with an empty result set
+ for (Iterator i = providerSet.iterator(); i.hasNext(); )
+ {
+ Provider p = (Provider) i.next();
+ if (provides(p, svc, algo, attr, val))
+ result.add(p);
+ }
+ }
+
+ private static boolean provides(Provider p, String svc, String algo,
+ String attr, String val)
+ {
+ Iterator it;
+ String serviceDotAlgorithm = null;
+ String key = null;
+ String realVal;
+ boolean found = false;
+ // if <svc>.<algo> <attr> is in the set then so is <svc>.<algo>
+ // but it may be stored under an alias <algo>. resolve
+ outer: for (int r = 0; r < 3; r++) // guard against circularity
+ {
+ serviceDotAlgorithm = (svc+"."+String.valueOf(algo)).trim();
+ for (it = p.keySet().iterator(); it.hasNext(); )
+ {
+ key = (String) it.next();
+ if (key.equalsIgnoreCase(serviceDotAlgorithm)) // eureka
+ {
+ found = true;
+ break outer;
+ }
+ // it may be there but as an alias
+ if (key.equalsIgnoreCase(ALG_ALIAS + serviceDotAlgorithm))
+ {
+ algo = p.getProperty(key);
+ continue outer;
+ }
+ // else continue inner
+ }
+ }
+
+ if (!found)
+ return false;
+
+ // found a candidate for the querry. do we have an attr to match?
+ if (val == null) // <service>.<algorithm> querry
+ return true;
+
+ // <service>.<algorithm> <attribute>; find the key entry that match
+ String realAttr;
+ int limit = serviceDotAlgorithm.length() + 1;
+ for (it = p.keySet().iterator(); it.hasNext(); )
+ {
+ key = (String) it.next();
+ if (key.length() <= limit)
+ continue;
+
+ if (key.substring(0, limit).equalsIgnoreCase(serviceDotAlgorithm+" "))
+ {
+ realAttr = key.substring(limit).trim();
+ if (! realAttr.equalsIgnoreCase(attr))
+ continue;
+
+ // eveything matches so far. do the value
+ realVal = p.getProperty(key);
+ if (realVal == null)
+ return false;
+
+ realVal = realVal.trim();
+ // is it a string value?
+ if (val.equalsIgnoreCase(realVal))
+ return true;
+
+ // assume value is a number. cehck for greater-than-or-equal
+ return (new Integer(val).intValue() >= new Integer(realVal).intValue());
+ }
+ }
+
+ return false;
+ }
+}
diff --git a/libjava/classpath/java/security/SecurityPermission.java b/libjava/classpath/java/security/SecurityPermission.java
new file mode 100644
index 00000000000..6aba18f346e
--- /dev/null
+++ b/libjava/classpath/java/security/SecurityPermission.java
@@ -0,0 +1,178 @@
+/* SecurityPermission.java -- Class for named security permissions
+ Copyright (C) 1998, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This class provides a mechanism for specified named permissions
+ * related to the Java security framework. These permissions have no
+ * associated actions list. They are either granted or not granted.
+ *
+ * <p>The list of valid permission names is:<br>
+ * <table border=1>
+ * <tr><th>Permission Name</th><th>Permission Allows</th><th>Risks</th</tr>
+ * <tr>
+ * <td><code>createAccessControlContext</code></td>
+ * <td>Allows creation of an AccessControlContext</td>
+ * <td>The new control context can have a rogue DomainCombiner, leading
+ * to a privacy leak</td></tr>
+ * <tr>
+ * <td><code>getDomainCombiner</code></td>
+ * <td>Get a DomainCombiner from an AccessControlContext</td>
+ * <td>Access to a DomainCombiner can lead to a privacy leak</td></tr>
+ * <tr>
+ * <td><code>getPolicy</code></td>
+ * <td>Allows retrieval of the system security policy</td>
+ * <td>Malicious code can use information from the policy to better plan
+ * an attack</td></tr>
+ * <tr>
+ * <td><code>setPolicy</code></td>
+ * <td>Allows the security policy to be changed</td>
+ * <td>Malicious code can give itself any permission it wants</td></tr>
+ * <tr>
+ * <td><code>getProperty.</code><em>key</em></td>
+ * <td>Retrieve the property specified by the key</td>
+ * <td>Malicious code can use information from the property to better plan
+ * an attack</td></tr>
+ * <tr>
+ * <td><code>setProperty.</code><em>key</em></td>
+ * <td>Allows changing of the value of all properties implied by key</td>
+ * <td>Malicious code can insert rogue classes to steal keys or recreate
+ * the security policy with whatever permissions it desires</td></tr>
+ * <tr>
+ * <td><code>insertProvider.</code><em>key</em></td>
+ * <td>Allows the named provider to be added</td>
+ * <td>Malicious code can insert rogue providers that steal data</td></tr>
+ * <tr>
+ * <td><code>removeProvider.</code><em>key</em></td>
+ * <td>Allows the named provider to be removed</td>
+ * <td>A missing provider can cripple code that relies on it</td></tr>
+ * <tr>
+ * <td><code>setSystemScope</code></td>
+ * <td>Allows the system identity scope to be set</td>
+ * <td>Malicious code can add certificates not available in the original
+ * identity scope, to gain more permissions</td></tr>
+ * <tr>
+ * <td><code>setIdentityPublicKey</code></td>
+ * <td>Allows the public key of an Identity to be set</td>
+ * <td>Malicious code can install its own key to gain permissions not
+ * allowed by the original identity scope</td></tr>
+ * <tr>
+ * <td><code>SetIdentityInfo</code></td>
+ * <td>Allows the description of an Identity to be set</td>
+ * <td>Malicious code can spoof users into trusting a fake identity</td></tr>
+ * <tr>
+ * <td><code>addIdentityCertificate</code></td>
+ * <td>Allows a certificate to be set for the public key of an identity</td>
+ * <td>The public key can become trusted to a wider audience than originally
+ * intended</td></tr>
+ * <tr>
+ * <td><code>removeIdentityCertificate</code></td>
+ * <td>Allows removal of a certificate from an identity's public key</td>
+ * <td>The public key can become less trusted than it should be</td></tr>
+ * <tr>
+ * <td><code>printIdentity</code></td>
+ * <td>View the name of the identity and scope, and whether they are
+ * trusted</td>
+ * <td>The scope may include a filename, which provides an entry point for
+ * further security breaches</td></tr>
+ * <tr>
+ * <td><code>clearProviderProperties.</code><em>key</em></td>
+ * <td>Allows the properties of the named provider to be cleared</td>
+ * <td>This can disable parts of the program which depend on finding the
+ * provider</td></tr>
+ * <tr>
+ * <td><code>putProviderProperty.</code><em>key</em></td>
+ * <td>Allows the properties of the named provider to be changed</td>
+ * <td>Malicious code can replace the implementation of a provider</td></tr>
+ * <tr>
+ * <td><code>removeProviderProperty.</code><em>key</em></td>
+ * <td>Allows the properties of the named provider to be deleted</td>
+ * <td>This can disable parts of the program which depend on finding the
+ * provider</td></tr>
+ * <tr>
+ * <td><code>getSignerPrivateKey</code></td>
+ * <td>Allows the retrieval of the private key for a signer</td>
+ * <td>Anyone that can access the private key can claim to be the
+ * Signer</td></tr>
+ * <tr>
+ * <td><code>setSignerKeyPair</code></td>
+ * <td>Allows the public and private key of a Signer to be changed</td>
+ * <td>The replacement might be a weaker encryption, or the attacker
+ * can use knowledge of the replaced key to decrypt an entire
+ * communication session</td></tr>
+ * </table>
+ *
+ * <p>There is some degree of security risk in granting any of these
+ * permissions. Some of them can completely compromise system security.
+ * Please exercise extreme caution in granting these permissions.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Permission
+ * @see SecurityManager
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public final class SecurityPermission extends BasicPermission
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 5236109936224050470L;
+
+ /**
+ * Create a new instance with the specified name.
+ *
+ * @param name the name to assign to this permission
+ */
+ public SecurityPermission(String name)
+ {
+ super(name);
+ }
+
+ /**
+ * Create a new instance with the specified name. As SecurityPermission
+ * carries no actions, the second parameter is ignored.
+ *
+ * @param name the name to assign to this permission
+ * @param actions ignored
+ */
+ public SecurityPermission(String name, String actions)
+ {
+ super(name);
+ }
+} // class SecurityPermission
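Review bot: The permission table in the class Javadoc spells one name as `SetIdentityInfo`, while every other entry is lower camel case and the JDK name for this target is `setIdentityInfo`. Permission names are normally compared case-sensitively, so a policy grant copied from this table would most likely not match the check made by the Identity code; the row should read `<td><code>setIdentityInfo</code></td>`. The header row of the same table has a malformed closing tag, `<th>Risks</th</tr>`, which should be `<th>Risks</th></tr>` so that the generated documentation renders the Risks column correctly. Both points are documentation only; the two constructors need no change.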
diff --git a/libjava/classpath/java/security/Signature.java b/libjava/classpath/java/security/Signature.java
new file mode 100644
index 00000000000..852c959220f
--- /dev/null
+++ b/libjava/classpath/java/security/Signature.java
@@ -0,0 +1,636 @@
+/* Signature.java --- Signature Class
+ Copyright (C) 1999, 2002, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+import gnu.java.security.Engine;
+
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * <p>This <code>Signature</code> class is used to provide applications the
+ * functionality of a digital signature algorithm. Digital signatures are used
+ * for authentication and integrity assurance of digital data.</p>
+ *
+ * <p>The signature algorithm can be, among others, the NIST standard <i>DSS</i>,
+ * using <i>DSA</i> and <i>SHA-1</i>. The <i>DSA</i> algorithm using the
+ * <i>SHA-1</i> message digest algorithm can be specified as <code>SHA1withDSA
+ * </code>. In the case of <i>RSA</i>, there are multiple choices for the
+ * message digest algorithm, so the signing algorithm could be specified as, for
+ * example, <code>MD2withRSA</code>, <code>MD5withRSA</code>, or
+ * <code>SHA1withRSA</code>. The algorithm name must be specified, as there is
+ * no default.</p>
+ *
+ * <p>Like other algorithm-based classes in Java Security, <code>Signature</code>
+ * provides implementation-independent algorithms, whereby a caller (application
+ * code) requests a particular signature algorithm and is handed back a properly
+ * initialized <code>Signature</code> object. It is also possible, if desired,
+ * to request a particular algorithm from a particular provider. See the
+ * <code>getInstance()</code> methods.</p>
+ *
+ * <p>Thus, there are two ways to request a <code>Signature</code> algorithm
+ * object: by specifying either just an algorithm name, or both an algorithm
+ * name and a package provider.</p>
+ *
+ * <p>If just an algorithm name is specified, the system will determine if there
+ * is an implementation of the algorithm requested available in the environment,
+ * and if there is more than one, if there is a preferred one.</p>
+ *
+ * <p>If both an algorithm name and a package provider are specified, the system
+ * will determine if there is an implementation of the algorithm in the package
+ * requested, and throw an exception if there is not.</p>
+ *
+ * <p>A <code>Signature</code> object can be used to generate and verify digital
+ * signatures.</p>
+ *
+ * <p>There are three phases to the use of a <code>Signature</code> object for
+ * either signing data or verifying a signature:</p>
+ *
+ * <ol>
+ * <li>Initialization, with either
+ * <ul>
+ * <li>a public key, which initializes the signature for verification
+ * (see <code>initVerify()</code>), or</li>
+ * <li>a private key (and optionally a Secure Random Number Generator),
+ * which initializes the signature for signing (see
+ * {@link #initSign(PrivateKey)} and {@link #initSign(PrivateKey, SecureRandom)}
+ * ).</li>
+ * </ul></li>
+ * <li>Updating<br/>
+ * Depending on the type of initialization, this will update the bytes to
+ * be signed or verified. See the update methods.<br/></li>
+ * <li>Signing or Verifying a signature on all updated bytes. See the
+ * <code>sign()</code> methods and the <code>verify()</code> method.</li>
+ * </ol>
+ *
+ * <p>Note that this class is abstract and extends from {@link SignatureSpi} for
+ * historical reasons. Application developers should only take notice of the
+ * methods defined in this <code>Signature</code> class; all the methods in the
+ * superclass are intended for cryptographic service providers who wish to
+ * supply their own implementations of digital signature algorithms.
+ *
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ */
+public abstract class Signature extends SignatureSpi
+{
+ /** Service name for signatures. */
+ private static final String SIGNATURE = "Signature";
+
+ /**
+ * Possible <code>state</code> value, signifying that this signature object
+ * has not yet been initialized.
+ */
+ protected static final int UNINITIALIZED = 0;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Possible <code>state</code> value, signifying that this signature object
+ * has been initialized for signing.
+ */
+ protected static final int SIGN = 2;
+
+ /**
+ * Possible <code>state</code> value, signifying that this signature object
+ * has been initialized for verification.
+ */
+ protected static final int VERIFY = 3;
+
+ /** Current state of this signature object. */
+ protected int state = UNINITIALIZED;
+
+ private String algorithm;
+ Provider provider;
+
+ /**
+ * Creates a <code>Signature</code> object for the specified algorithm.
+ *
+ * @param algorithm the standard string name of the algorithm. See Appendix A
+ * in the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ */
+ protected Signature(String algorithm)
+ {
+ this.algorithm = algorithm;
+ state = UNINITIALIZED;
+ }
+
+ /**
+ * Generates a <code>Signature</code> object that implements the specified
+ * digest algorithm. If the default provider package provides an
+ * implementation of the requested digest algorithm, an instance of
+ * <code>Signature</code> containing that implementation is returned. If the
+ * algorithm is not available in the default package, other packages are
+ * searched.
+ *
+ * @param algorithm the standard name of the algorithm requested. See Appendix
+ * A in the Java Cryptography Architecture API Specification &amp; Reference
+ * for information about standard algorithm names.
+ * @return the new Signature object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * environment.
+ */
+ public static Signature getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Generates a <code>Signature</code> object implementing the specified
+ * algorithm, as supplied from the specified provider, if such an algorithm
+ * is available from the provider.
+ *
+ * @param algorithm the name of the algorithm requested. See Appendix A in
+ * the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @param provider the name of the provider.
+ * @return the new <code>Signature</code> object.
+ * @throws NoSuchAlgorithmException if the algorithm is not available in the
+ * package supplied by the requested provider.
+ * @throws NoSuchProviderException if the provider is not available in the
+ * environment.
+ * @throws IllegalArgumentException if the provider name is <code>null</code>
+ * or empty.
+ * @see Provider
+ */
+ public static Signature getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ if (provider == null || provider.length() == 0)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Generates a <code>Signature</code> object implementing the specified
+ * algorithm, as supplied from the specified provider, if such an algorithm
+ * is available from the provider. Note: the provider doesn't have to be
+ * registered.
+ *
+ * @param algorithm the name of the algorithm requested. See Appendix A in
+ * the Java Cryptography Architecture API Specification &amp; Reference for
+ * information about standard algorithm names.
+ * @param provider the provider.
+ * @return the new <code>Signature</code> object.
+ * @throws NoSuchAlgorithmException if the <code>algorithm</code> is not
+ * available in the package supplied by the requested <code>provider</code>.
+ * @throws IllegalArgumentException if the <code>provider</code> is
+ * <code>null</code>.
+ * @since 1.4
+ * @see Provider
+ */
+ public static Signature getInstance(String algorithm, Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("Illegal provider");
+
+ Signature result = null;
+ Object o = null;
+ try
+ {
+ o = Engine.getInstance(SIGNATURE, algorithm, provider);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ if (o instanceof SignatureSpi)
+ {
+ result = new DummySignature((SignatureSpi) o, algorithm);
+ }
+ else if (o instanceof Signature)
+ {
+ result = (Signature) o;
+ result.algorithm = algorithm;
+ }
+ else
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ result.provider = provider;
+ return result;
+ }
+
+ /**
+ * Returns the provider of this signature object.
+ *
+ * @return the provider of this signature object.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Initializes this object for verification. If this method is called again
+ * with a different argument, it negates the effect of this call.
+ *
+ * @param publicKey the public key of the identity whose signature is going
+ * to be verified.
+ * @throws InvalidKeyException if the key is invalid.
+ */
+ public final void initVerify(PublicKey publicKey) throws InvalidKeyException
+ {
+ state = VERIFY;
+ engineInitVerify(publicKey);
+ }
+
+ /**
+ * <p>Initializes this object for verification, using the public key from the
+ * given certificate.</p>
+ *
+ * <p>If the certificate is of type <i>X.509</i> and has a <i>key usage</i>
+ * extension field marked as <i>critical</i>, and the value of the <i>key
+ * usage</i> extension field implies that the public key in the certificate
+ * and its corresponding private key are not supposed to be used for digital
+ * signatures, an {@link InvalidKeyException} is thrown.</p>
+ *
+ * @param certificate the certificate of the identity whose signature is
+ * going to be verified.
+ * @throws InvalidKeyException if the public key in the certificate is not
+ * encoded properly or does not include required parameter information or
+ * cannot be used for digital signature purposes.
+ */
+ public final void initVerify(Certificate certificate)
+ throws InvalidKeyException
+ {
+ state = VERIFY;
+ if (certificate.getType().equals("X509"))
+ {
+ X509Certificate cert = (X509Certificate) certificate;
+ boolean[]array = cert.getKeyUsage();
+ if (array != null && array[0] == false)
+ throw new InvalidKeyException(
+ "KeyUsage of this Certificate indicates it cannot be used for digital signing");
+ }
+ this.initVerify(certificate.getPublicKey());
+ }
+
+ /**
+ * Initialize this object for signing. If this method is called again with a
+ * different argument, it negates the effect of this call.
+ *
+ * @param privateKey the private key of the identity whose signature is going
+ * to be generated.
+ * @throws InvalidKeyException if the key is invalid.
+ */
+ public final void initSign(PrivateKey privateKey) throws InvalidKeyException
+ {
+ state = SIGN;
+ engineInitSign(privateKey);
+ }
+
+ /**
+ * Initialize this object for signing. If this method is called again with a
+ * different argument, it negates the effect of this call.
+ *
+ * @param privateKey the private key of the identity whose signature is going
+ * to be generated.
+ * @param random the source of randomness for this signature.
+ * @throws InvalidKeyException if the key is invalid.
+ */
+ public final void initSign(PrivateKey privateKey, SecureRandom random)
+ throws InvalidKeyException
+ {
+ state = SIGN;
+ engineInitSign(privateKey, random);
+ }
+
+ /**
+ * <p>Returns the signature bytes of all the data updated. The format of the
+ * signature depends on the underlying signature scheme.</p>
+ *
+ * <p>A call to this method resets this signature object to the state it was
+ * in when previously initialized for signing via a call to
+ * <code>initSign(PrivateKey)</code>. That is, the object is reset and
+ * available to generate another signature from the same signer, if desired,
+ * via new calls to <code>update()</code> and <code>sign()</code>.</p>
+ *
+ * @return the signature bytes of the signing operation's result.
+ * @throws SignatureException if this signature object is not initialized
+ * properly.
+ */
+ public final byte[] sign() throws SignatureException
+ {
+ if (state == SIGN)
+ return engineSign();
+ else
+ throw new SignatureException();
+ }
+
+ /**
+ * <p>Finishes the signature operation and stores the resulting signature
+ * bytes in the provided buffer <code>outbuf</code>, starting at <code>offset
+ * </code>. The format of the signature depends on the underlying signature
+ * scheme.</p>
+ *
+ * <p>This signature object is reset to its initial state (the state it was
+ * in after a call to one of the <code>initSign()</code> methods) and can be
+ * reused to generate further signatures with the same private key.</p>
+ *
+ * @param outbuf buffer for the signature result.
+ * @param offset offset into outbuf where the signature is stored.
+ * @param len number of bytes within outbuf allotted for the signature.
+ * @return the number of bytes placed into outbuf.
+ * @throws SignatureException if an error occurs or len is less than the
+ * actual signature length.
+ * @since 1.2
+ */
+ public final int sign(byte[] outbuf, int offset, int len)
+ throws SignatureException
+ {
+ if (state == SIGN)
+ return engineSign(outbuf, offset, len);
+ else
+ throw new SignatureException();
+ }
+
+ /**
+ * <p>Verifies the passed-in signature.</p>
+ *
+ * <p>A call to this method resets this signature object to the state it was
+ * in when previously initialized for verification via a call to
+ * <code>initVerify(PublicKey)</code>. That is, the object is reset and
+ * available to verify another signature from the identity whose public key
+ * was specified in the call to <code>initVerify()</code>.</p>
+ *
+ * @param signature the signature bytes to be verified.
+ * @return <code>true</code> if the signature was verified, <code>false</code>
+ * if not.
+ * @throws SignatureException if this signature object is not initialized
+ * properly, or the passed-in signature is improperly encoded or of the wrong
+ * type, etc.
+ */
+ public final boolean verify(byte[]signature) throws SignatureException
+ {
+ if (state == VERIFY)
+ return engineVerify(signature);
+ else
+ throw new SignatureException();
+ }
+
+ /**
+ * <p>Verifies the passed-in <code>signature</code> in the specified array of
+ * bytes, starting at the specified <code>offset</code>.</p>
+ *
+ * <p>A call to this method resets this signature object to the state it was
+ * in when previously initialized for verification via a call to
+ * <code>initVerify(PublicKey)</code>. That is, the object is reset and
+ * available to verify another signature from the identity whose public key
+ * was specified in the call to <code>initVerify()</code>.</p>
+ *
+ * @param signature the signature bytes to be verified.
+ * @param offset the offset to start from in the array of bytes.
+ * @param length the number of bytes to use, starting at offset.
+ * @return <code>true</code> if the signature was verified, <code>false</code>
+ * if not.
+ * @throws SignatureException if this signature object is not initialized
+ * properly, or the passed-in <code>signature</code> is improperly encoded or
+ * of the wrong type, etc.
+ * @throws IllegalArgumentException if the <code>signature</code> byte array
+ * is <code>null</code>, or the <code>offset</code> or <code>length</code> is
+ * less than <code>0</code>, or the sum of the <code>offset</code> and
+ * <code>length</code> is greater than the length of the <code>signature</code>
+ * byte array.
+ */
+ public final boolean verify(byte[] signature, int offset, int length)
+ throws SignatureException
+ {
+ if (state != VERIFY)
+ throw new SignatureException("illegal state");
+
+ if (signature == null)
+ throw new IllegalArgumentException("signature is null");
+ if (offset < 0)
+ throw new IllegalArgumentException("offset is less than 0");
+ if (length < 0)
+ throw new IllegalArgumentException("length is less than 0");
+ if (offset + length < signature.length)
+ throw new IllegalArgumentException("range is out of bounds");
+
+ return engineVerify(signature, offset, length);
+ }
+
+ /**
+ * Updates the data to be signed or verified by a byte.
+ *
+ * @param b the byte to use for the update.
+ * @throws SignatureException if this signature object is not initialized
+ * properly.
+ */
+ public final void update(byte b) throws SignatureException
+ {
+ if (state != UNINITIALIZED)
+ engineUpdate(b);
+ else
+ throw new SignatureException();
+ }
+
+ /**
+ * Updates the data to be signed or verified, using the specified array of
+ * bytes.
+ *
+ * @param data the byte array to use for the update.
+ * @throws SignatureException if this signature object is not initialized
+ * properly.
+ */
+ public final void update(byte[]data) throws SignatureException
+ {
+ if (state != UNINITIALIZED)
+ engineUpdate(data, 0, data.length);
+ else
+ throw new SignatureException();
+ }
+
+ /**
+ * Updates the data to be signed or verified, using the specified array of
+ * bytes, starting at the specified offset.
+ *
+ * @param data the array of bytes.
+ * @param off the offset to start from in the array of bytes.
+ * @param len the number of bytes to use, starting at offset.
+ * @throws SignatureException if this signature object is not initialized
+ * properly.
+ */
+ public final void update(byte[]data, int off, int len)
+ throws SignatureException
+ {
+ if (state != UNINITIALIZED)
+ engineUpdate(data, off, len);
+ else
+ throw new SignatureException();
+ }
+
+ /**
+ * Returns the name of the algorithm for this signature object.
+ *
+ * @return the name of the algorithm for this signature object.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Returns a string representation of this signature object, providing
+ * information that includes the state of the object and the name of the
+ * algorithm used.
+ *
+ * @return a string representation of this signature object.
+ */
+ public String toString()
+ {
+ return (algorithm + " Signature");
+ }
+
+ /**
+ * Sets the specified algorithm parameter to the specified value. This method
+ * supplies a general-purpose mechanism through which it is possible to set
+ * the various parameters of this object. A parameter may be any settable
+ * parameter for the algorithm, such as a parameter size, or a source of
+ * random bits for signature generation (if appropriate), or an indication of
+ * whether or not to perform a specific but optional computation. A uniform
+ * algorithm-specific naming scheme for each parameter is desirable but left
+ * unspecified at this time.
+ *
+ * @param param the string identifier of the parameter.
+ * @param value the parameter value.
+ * @throws InvalidParameterException if param is an invalid parameter for this
+ * signature algorithm engine, the parameter is already set and cannot be set
+ * again, a security exception occurs, and so on.
+ * @see #getParameter(String)
+ * @deprecated Use setParameter(AlgorithmParameterSpec).
+ */
+ public final void setParameter(String param, Object value)
+ throws InvalidParameterException
+ {
+ engineSetParameter(param, value);
+ }
+
+ /**
+ * Initializes this signature engine with the specified parameter set.
+ *
+ * @param params the parameters.
+ * @throws InvalidAlgorithmParameterException if the given parameters are
+ * inappropriate for this signature engine.
+ * @see #getParameters()
+ */
+ public final void setParameter(AlgorithmParameterSpec params)
+ throws InvalidAlgorithmParameterException
+ {
+ engineSetParameter(params);
+ }
+
+ /**
+ * <p>Returns the parameters used with this signature object.</p>
+ *
+ * <p>The returned parameters may be the same that were used to initialize
+ * this signature, or may contain a combination of default and randomly
+ * generated parameter values used by the underlying signature implementation
+ * if this signature requires algorithm parameters but was not initialized
+ * with any.
+ *
+ * @return the parameters used with this signature, or <code>null</code> if
+ * this signature does not use any parameters.
+ * @see #setParameter(AlgorithmParameterSpec)
+ */
+ public final AlgorithmParameters getParameters()
+ {
+ return engineGetParameters();
+ }
+
+ /**
+ * Gets the value of the specified algorithm parameter. This method supplies
+ * a general-purpose mechanism through which it is possible to get the various
+ * parameters of this object. A parameter may be any settable parameter for
+ * the algorithm, such as a parameter size, or a source of random bits for
+ * signature generation (if appropriate), or an indication of whether or not
+ * to perform a specific but optional computation. A uniform
+ * algorithm-specific naming scheme for each parameter is desirable but left
+ * unspecified at this time.
+ *
+ * @param param the string name of the parameter.
+ * @return the object that represents the parameter value, or null if there
+ * is none.
+ * @throws InvalidParameterException if param is an invalid parameter for this
+ * engine, or another exception occurs while trying to get this parameter.
+ * @see #setParameter(String, Object)
+ * @deprecated
+ */
+ public final Object getParameter(String param)
+ throws InvalidParameterException
+ {
+ return engineGetParameter(param);
+ }
+
+ /**
+ * Returns a clone if the implementation is cloneable.
+ *
+ * @return a clone if the implementation is cloneable.
+ * @throws CloneNotSupportedException if this is called on an implementation
+ * that does not support {@link Cloneable}.
+ */
+ public Object clone() throws CloneNotSupportedException
+ {
+ return super.clone();
+ }
+}
diff --git a/libjava/classpath/java/security/SignatureException.java b/libjava/classpath/java/security/SignatureException.java
new file mode 100644
index 00000000000..e294c16c3f6
--- /dev/null
+++ b/libjava/classpath/java/security/SignatureException.java
@@ -0,0 +1,70 @@
+/* SignatureException.java -- Generic error in signature
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when a problem is encountered with a
+ * digital signature.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class SignatureException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 7509989324975124438L;
+
+ /**
+ * Create an instance with no descriptive error message.
+ */
+ public SignatureException()
+ {
+ }
+
+ /**
+ * Create an instance with a descriptive error message.
+ *
+ * @param msg the message
+ */
+ public SignatureException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/SignatureSpi.java b/libjava/classpath/java/security/SignatureSpi.java
new file mode 100644
index 00000000000..471a73d17cd
--- /dev/null
+++ b/libjava/classpath/java/security/SignatureSpi.java
@@ -0,0 +1,302 @@
+/* SignatureSpi.java --- Signature Service Provider Interface
+ Copyright (C) 1999, 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * <p>This class defines the <i>Service Provider Interface (SPI)</i> for the
+ * {@link Signature} class, which is used to provide the functionality of a
+ * digital signature algorithm. Digital signatures are used for authentication
+ * and integrity assurance of digital data.</p>
+ *
+ * <p>All the abstract methods in this class must be implemented by each
+ * cryptographic service provider who wishes to supply the implementation of a
+ * particular signature algorithm.
+ *
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ * @since 1.2
+ * @see Signature
+ */
+public abstract class SignatureSpi
+{
+ /** Application-specified source of randomness. */
+ protected SecureRandom appRandom;
+
+ public SignatureSpi()
+ {
+ appRandom = null;
+ }
+
+ /**
+ * Initializes this signature object with the specified public key for
+ * verification operations.
+ *
+ * @param publicKey the public key of the identity whose signature is going
+ * to be verified.
+ * @throws InvalidKeyException if the key is improperly encoded, parameters
+ * are missing, and so on.
+ */
+ protected abstract void engineInitVerify(PublicKey publicKey)
+ throws InvalidKeyException;
+
+ /**
+ * Initializes this signature object with the specified private key for
+ * signing operations.
+ *
+ * @param privateKey the private key of the identity whose signature will be
+ * generated.
+ * @throws InvalidKeyException if the key is improperly encoded, parameters
+ * are missing, and so on.
+ */
+ protected abstract void engineInitSign(PrivateKey privateKey)
+ throws InvalidKeyException;
+
+ /**
+ * <p>Initializes this signature object with the specified private key and
+ * source of randomness for signing operations.</p>
+ *
+ * <p>This concrete method has been added to this previously-defined abstract
+ * class. (For backwards compatibility, it cannot be abstract.)</p>
+ *
+ * @param privateKey the private key of the identity whose signature will be
+ * generated.
+ * @param random the source of randomness.
+ * @throws InvalidKeyException if the key is improperly encoded, parameters
+ * are missing, and so on.
+ * @since 1.2
+ */
+ protected void engineInitSign(PrivateKey privateKey, SecureRandom random)
+ throws InvalidKeyException
+ {
+ appRandom = random;
+ engineInitSign(privateKey);
+ }
+
+ /**
+ * Updates the data to be signed or verified using the specified byte.
+ *
+ * @param b the byte to use for the update.
+ * @throws SignatureException if the engine is not initialized properly.
+ */
+ protected abstract void engineUpdate(byte b) throws SignatureException;
+
+ /**
+ * Updates the data to be signed or verified, using the specified array of
+ * bytes, starting at the specified offset.
+ *
+ * @param b the array of bytes.
+ * @param off the offset to start from in the array of bytes.
+ * @param len the number of bytes to use, starting at offset.
+ * @throws SignatureException if the engine is not initialized properly.
+ */
+ protected abstract void engineUpdate(byte[] b, int off, int len)
+ throws SignatureException;
+
+ /**
+ * Returns the signature bytes of all the data updated so far. The format of
+ * the signature depends on the underlying signature scheme.
+ *
+ * @return the signature bytes of the signing operation's result.
+ * @throws SignatureException if the engine is not initialized properly.
+ */
+ protected abstract byte[] engineSign() throws SignatureException;
+
+ /**
+ * <p>Finishes this signature operation and stores the resulting signature
+ * bytes in the provided buffer <code>outbuf</code>, starting at <code>offset
+ * </code>. The format of the signature depends on the underlying signature
+ * scheme.</p>
+ *
+ * <p>The signature implementation is reset to its initial state (the state it
+ * was in after a call to one of the <code>engineInitSign()</code> methods)
+ * and can be reused to generate further signatures with the same private key.
+ * This method should be abstract, but we leave it concrete for binary
+ * compatibility. Knowledgeable providers should override this method.</p>
+ *
+ * @param outbuf buffer for the signature result.
+ * @param offset offset into outbuf where the signature is stored.
+ * @param len number of bytes within outbuf allotted for the signature. Both
+ * this default implementation and the <b>GNU</b> provider do not return
+ * partial digests. If the value of this parameter is less than the actual
+ * signature length, this method will throw a {@link SignatureException}. This
+ * parameter is ignored if its value is greater than or equal to the actual
+ * signature length.
+ * @return the number of bytes placed into <code>outbuf</code>.
+ * @throws SignatureException if an error occurs or len is less than the
+ * actual signature length.
+ * @since 1.2
+ */
+ protected int engineSign(byte[] outbuf, int offset, int len)
+ throws SignatureException
+ {
+ byte[] tmp = engineSign();
+ if (tmp.length > len)
+ throw new SignatureException("Invalid Length");
+
+ System.arraycopy(outbuf, offset, tmp, 0, tmp.length);
+ return tmp.length;
+ }
+
+ /**
+ * Verifies the passed-in signature.
+ *
+ * @param sigBytes the signature bytes to be verified.
+ * @return <code>true</code> if the signature was verified, <code>false</code>
+ * if not.
+ * @throws SignatureException if the engine is not initialized properly, or
+ * the passed-in signature is improperly encoded or of the wrong type, etc.
+ */
+ protected abstract boolean engineVerify(byte[] sigBytes)
+ throws SignatureException;
+
+ /**
+ * <p>Verifies the passed-in <code>signature</code> in the specified array of
+ * bytes, starting at the specified <code>offset</code>.</p>
+ *
+ * <p>Note: Subclasses should overwrite the default implementation.</p>
+ *
+ * @param sigBytes the signature bytes to be verified.
+ * @param offset the offset to start from in the array of bytes.
+ * @param length the number of bytes to use, starting at offset.
+ * @return <code>true</code> if the signature was verified, <code>false</code>
+ * if not.
+ * @throws SignatureException if the engine is not initialized properly, or
+ * the passed-in <code>signature</code> is improperly encoded or of the wrong
+ * type, etc.
+ */
+ protected boolean engineVerify(byte[] sigBytes, int offset, int length)
+ throws SignatureException
+ {
+ byte[] tmp = new byte[length];
+ System.arraycopy(sigBytes, offset, tmp, 0, length);
+ return engineVerify(tmp);
+ }
+
+ /**
+ * Sets the specified algorithm parameter to the specified value. This method
+ * supplies a general-purpose mechanism through which it is possible to set
+ * the various parameters of this object. A parameter may be any settable
+ * parameter for the algorithm, such as a parameter size, or a source of
+ * random bits for signature generation (if appropriate), or an indication of
+ * whether or not to perform a specific but optional computation. A uniform
+ * algorithm-specific naming scheme for each parameter is desirable but left
+ * unspecified at this time.
+ *
+ * @param param the string identifier of the parameter.
+ * @param value the parameter value.
+ * @throws InvalidParameterException if <code>param</code> is an invalid
+ * parameter for this signature algorithm engine, the parameter is already set
+ * and cannot be set again, a security exception occurs, and so on.
+ * @deprecated Replaced by engineSetParameter(AlgorithmParameterSpec).
+ */
+ protected abstract void engineSetParameter(String param, Object value)
+ throws InvalidParameterException;
+
+ /**
+ * This method is overridden by providers to initialize this signature engine
+ * with the specified parameter set.
+ *
+ * @param params the parameters.
+ * @throws UnsupportedOperationException if this method is not overridden by
+ * a provider.
+ * @throws InvalidAlgorithmParameterException if this method is overridden by
+ * a provider and the the given parameters are inappropriate for this
+ * signature engine.
+ */
+ protected void engineSetParameter(AlgorithmParameterSpec params)
+ throws InvalidAlgorithmParameterException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * <p>This method is overridden by providers to return the parameters used
+ * with this signature engine, or <code>null</code> if this signature engine
+ * does not use any parameters.</p>
+ *
+ * <p>The returned parameters may be the same that were used to initialize
+ * this signature engine, or may contain a combination of default and randomly
+ * generated parameter values used by the underlying signature implementation
+ * if this signature engine requires algorithm parameters but was not
+ * initialized with any.</p>
+ *
+ * @return the parameters used with this signature engine, or <code>null</code>
+ * if this signature engine does not use any parameters.
+ * @throws UnsupportedOperationException if this method is not overridden by
+ * a provider.
+ */
+ protected AlgorithmParameters engineGetParameters()
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Gets the value of the specified algorithm parameter. This method supplies
+ * a general-purpose mechanism through which it is possible to get the various
+ * parameters of this object. A parameter may be any settable parameter for
+ * the algorithm, such as a parameter size, or a source of random bits for
+ * signature generation (if appropriate), or an indication of whether or not
+ * to perform a specific but optional computation. A uniform algorithm-specific
+ * naming scheme for each parameter is desirable but left unspecified at this
+ * time.
+ *
+ * @param param the string name of the parameter.
+ * @return the object that represents the parameter value, or <code>null</code>
+ * if there is none.
+ * @throws InvalidParameterException if <code>param</code> is an invalid
+ * parameter for this engine, or another exception occurs while trying to get
+ * this parameter.
+ * @deprecated
+ */
+ protected abstract Object engineGetParameter(String param)
+ throws InvalidParameterException;
+
+ /**
+ * Returns a clone if the implementation is cloneable.
+ *
+ * @return a clone if the implementation is cloneable.
+ * @throws CloneNotSupportedException if this is called on an implementation
+ * that does not support {@link Cloneable}.
+ * @see Cloneable
+ */
+ public Object clone() throws CloneNotSupportedException
+ {
+ return super.clone();
+ }
+}
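Review bot: The `System.arraycopy` call in the default `engineSign(byte[] outbuf, int offset, int len)` has source and destination swapped, so the signature in `tmp` is overwritten with the contents of `outbuf` and the caller's buffer never receives it, while the method still reports `tmp.length` bytes written. It should read `System.arraycopy(tmp, 0, outbuf, offset, tmp.length);`. Any provider that does not override this method would hand callers a buffer that holds no signature. Separately, the default `engineVerify(byte[], int, int)` copies `length` bytes without checking the range, and the caller-side check in `Signature.verify(byte[], int, int)` earlier in this commit is `offset + length < signature.length`, which looks inverted; `offset > signature.length - length` would reject out-of-range input and also avoid int overflow.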
diff --git a/libjava/classpath/java/security/SignedObject.java b/libjava/classpath/java/security/SignedObject.java
new file mode 100644
index 00000000000..d565b2ea3b4
--- /dev/null
+++ b/libjava/classpath/java/security/SignedObject.java
@@ -0,0 +1,240 @@
+/* SignedObject.java --- Signed Object Class
+ Copyright (C) 1999, 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInput;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+
+/**
+ * <p><code>SignedObject</code> is a class for the purpose of creating authentic
+ * runtime objects whose integrity cannot be compromised without being detected.
+ * </p>
+ *
+ * <p>More specifically, a <code>SignedObject</code> contains another
+ * {@link Serializable} object, the (to-be-)signed object and its signature.</p>
+ *
+ * <p>The signed object is a <i>"deep copy"</i> (in serialized form) of an
+ * original object. Once the copy is made, further manipulation of the original
+ * object has no side effect on the copy.</p>
+ *
+ * <p>The underlying signing algorithm is designated by the {@link Signature}
+ * object passed to the constructor and the <code>verify()</code> method. A
+ * typical usage for signing is the following:</p>
+ *
+ * <pre>
+ * Signature signingEngine = Signature.getInstance(algorithm, provider);
+ * SignedObject so = new SignedObject(myobject, signingKey, signingEngine);
+ * </pre>
+ *
+ * <p>A typical usage for verification is the following (having received
+ * <code>SignedObject</code> so):</p>
+ *
+ * <pre>
+ * Signature verificationEngine = Signature.getInstance(algorithm, provider);
+ * if (so.verify(publickey, verificationEngine))
+ * try
+ * {
+ * Object myobj = so.getObject();
+ * }
+ * catch (ClassNotFoundException ignored) {};
+ * </pre>
+ *
+ * <p>Several points are worth noting. First, there is no need to initialize the
+ * signing or verification engine, as it will be re-initialized inside the
+ * constructor and the <code>verify()</code> method. Secondly, for verification
+ * to succeed, the specified public key must be the public key corresponding to
+ * the private key used to generate the <code>SignedObject</code>.</p>
+ *
+ * <p>More importantly, for flexibility reasons, the <code>constructor</code>
+ * and <code>verify()</code> method allow for customized signature engines,
+ * which can implement signature algorithms that are not installed formally as
+ * part of a crypto provider. However, it is crucial that the programmer writing
+ * the verifier code be aware what {@link Signature} engine is being used, as
+ * its own implementation of the <code>verify()</code> method is invoked to
+ * verify a signature. In other words, a malicious {@link Signature} may choose
+ * to always return <code>true</code> on verification in an attempt to bypass a
+ * security check.</p>
+ *
+ * <p>The signature algorithm can be, among others, the NIST standard <i>DSS</i>,
+ * using <i>DSA</i> and <i>SHA-1</i>. The algorithm is specified using the same
+ * convention as that for signatures. The <i>DSA</i> algorithm using the
+ * <i>SHA-1</i> message digest algorithm can be specified, for example, as
+ * <code>"SHA/DSA"</code> or <code>"SHA-1/DSA"</code> (they are equivalent). In
+ * the case of <i>RSA</i>, there are multiple choices for the message digest
+ * algorithm, so the signing algorithm could be specified as, for example,
+ * <code>"MD2/RSA"</code>, <code>"MD5/RSA"</code> or <code>"SHA-1/RSA"</code>.
+ * The algorithm name must be specified, as there is no default.</p>
+ *
+ * <p>The name of the Cryptography Package Provider is designated also by the
+ * {@link Signature} parameter to the <code>constructor</code> and the <code>
+ * verify()</code> method. If the provider is not specified, the default
+ * provider is used. Each installation can be configured to use a particular
+ * provider as default.</p>
+ *
+ * <p>Potential applications of <code>SignedObject</code> include:</p>
+ *
+ * <ul>
+ * <li>It can be used internally to any Java runtime as an unforgeable
+ * authorization token -- one that can be passed around without the fear that
+ * the token can be maliciously modified without being detected.</li>
+ * <li>It can be used to sign and serialize data/object for storage outside the
+ * Java runtime (e.g., storing critical access control data on disk).</li>
+ * <li>Nested <i>SignedObjects</i> can be used to construct a logical sequence
+ * of signatures, resembling a chain of authorization and delegation.</li>
+ * </ul>
+ *
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ * @since 1.2
+ * @see Signature
+ */
+public final class SignedObject implements Serializable
+{
+ private static final long serialVersionUID = 720502720485447167L;
+
+ /** @serial */
+ private byte[] content;
+ /** @serial */
+ private byte[] signature;
+ /** @serial */
+ private String thealgorithm;
+
+ /**
+ * Constructs a <code>SignedObject</code> from any {@link Serializable}
+ * object. The given object is signed with the given signing key, using the
+ * designated signature engine.
+ *
+ * @param object the object to be signed.
+ * @param signingKey the private key for signing.
+ * @param signingEngine the signature signing engine.
+ * @throws IOException if an error occurs during serialization.
+ * @throws InvalidKeyException if the key is invalid.
+ * @throws SignatureException if signing fails.
+ */
+ public SignedObject(Serializable object, PrivateKey signingKey,
+ Signature signingEngine)
+ throws IOException, InvalidKeyException, SignatureException
+ {
+ thealgorithm = signingEngine.getAlgorithm();
+
+ ByteArrayOutputStream ostream = new ByteArrayOutputStream();
+ ObjectOutputStream p = new ObjectOutputStream(ostream);
+ p.writeObject(object);
+ p.flush();
+ p.close();
+
+ content = ostream.toByteArray();
+
+ signingEngine.initSign(signingKey);
+ signingEngine.update(content);
+ signature = signingEngine.sign();
+ }
+
+ /**
+ * Retrieves the encapsulated object. The encapsulated object is de-serialized
+ * before it is returned.
+ *
+ * @return the encapsulated object.
+ * @throws IOException if an error occurs during de-serialization.
+ * @throws ClassNotFoundException if an error occurs during de-serialization.
+ */
+ public Object getObject() throws IOException, ClassNotFoundException
+ {
+ ByteArrayInputStream bais = new ByteArrayInputStream(content);
+ ObjectInput oi = new ObjectInputStream(bais);
+ Object obj = oi.readObject();
+ oi.close();
+ bais.close();
+
+ return obj;
+ }
+
+ /**
+ * Retrieves the signature on the signed object, in the form of a byte array.
+ *
+ * @return a copy of the signature.
+ */
+ public byte[] getSignature()
+ {
+ return (byte[]) signature.clone();
+
+ }
+
+ /**
+ * Retrieves the name of the signature algorithm.
+ *
+ * @return the signature algorithm name.
+ */
+ public String getAlgorithm()
+ {
+ return thealgorithm;
+ }
+
+ /**
+ * Verifies that the signature in this <code>SignedObject</code> is the valid
+ * signature for the object stored inside, with the given verification key,
+ * using the designated verification engine.
+ *
+ * @param verificationKey the public key for verification.
+ * @param verificationEngine the signature verification engine.
+ * @return <code>true</code> if the signature is valid, <code>false</code>
+ * otherwise.
+ * @throws SignatureException if signature verification failed.
+ * @throws InvalidKeyException if the verification key is invalid.
+ */
+ public boolean verify(PublicKey verificationKey, Signature verificationEngine)
+ throws InvalidKeyException, SignatureException
+ {
+ verificationEngine.initVerify(verificationKey);
+ verificationEngine.update(content);
+ return verificationEngine.verify(signature);
+ }
+
+ /** Called to restore the state of the SignedObject from a stream. */
+ private void readObject(ObjectInputStream s)
+ throws IOException, ClassNotFoundException
+ {
+ s.defaultReadObject();
+ content = (byte[]) content.clone();
+ signature = (byte[]) signature.clone();
+ }
+}
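Review bot: `getObject()` runs `ObjectInputStream.readObject()` on `content` whether or not `verify()` has succeeded, and its Javadoc does not say so. A `SignedObject` read from an untrusted stream is therefore deserialized from unauthenticated bytes if the caller skips or mis-orders verification. I would add to the Javadoc of `getObject()`: `<p>This method does not check the signature; callers must call verify() with a trusted key and engine first and discard the object if it returns false.</p>`. In `readObject`, `content.clone()` and `signature.clone()` throw a bare `NullPointerException` when the stream carries null fields; a guard such as `if (content == null || signature == null) throw new java.io.InvalidObjectException("missing content or signature");` before the clones would fail with a stream-level error instead.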
diff --git a/libjava/classpath/java/security/Signer.java b/libjava/classpath/java/security/Signer.java
new file mode 100644
index 00000000000..ae1463db84c
--- /dev/null
+++ b/libjava/classpath/java/security/Signer.java
@@ -0,0 +1,164 @@
+/* Signer.java --- Signer Class
+ Copyright (C) 1999, 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * <p>This class is used to represent an {@link Identity} that can also
+ * digitally sign data.</p>
+ *
+ * <p>The management of a signer's private keys is an important and sensitive
+ * issue that should be handled by subclasses as appropriate to their intended
+ * use.</p>
+ *
+ * @author Mark Benvenuto (ivymccough@worldnet.att.net)
+ * @deprecated This class is no longer used. Its functionality has been replaced
+ * by <code>java.security.KeyStore</code>, the <code>java.security.cert</code>
+ * package, and <code>java.security.Principal</code>.
+ */
+public abstract class Signer extends Identity
+{
+ private static final long serialVersionUID = -1763464102261361480L;
+ private PrivateKey privateKey = null;
+
+ /**
+ * Creates a <code>Signer</code>. This constructor should only be used for
+ * serialization.
+ */
+ protected Signer()
+ {
+ }
+
+ /**
+ * Creates a <code>Signer</code> with the specified identity name.
+ *
+ * @param name the identity name.
+ */
+ public Signer(String name)
+ {
+ super(name);
+ }
+
+ /**
+ * Creates a <code>Signer</code> with the specified identity name and scope.
+ *
+ * @param name the identity name.
+ * @param scope the scope of the identity.
+ * @throws KeyManagementException if there is already an identity with the
+ * same name in the scope.
+ */
+ public Signer(String name, IdentityScope scope) throws KeyManagementException
+ {
+ super(name, scope);
+ }
+
+ /**
+ * <p>Returns this signer's private key.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"getSignerPrivateKey"</code> as its
+ * argument to see if it's ok to return the private key.</p>
+ *
+ * @return this signer's private key, or <code>null</code> if the private key
+ * has not yet been set.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow returning the
+ * private key.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public PrivateKey getPrivateKey()
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("getSignerPrivateKey");
+
+ return privateKey;
+ }
+
+ /**
+ * <p>Sets the key pair (public key and private key) for this signer.</p>
+ *
+ * <p>First, if there is a security manager, its <code>checkSecurityAccess()
+ * </code> method is called with <code>"setSignerKeyPair"</code> as its
+ * argument to see if it's ok to set the key pair.</p>
+ *
+ * @param pair an initialized key pair.
+ * @throws InvalidParameterException if the key pair is not properly
+ * initialized.
+ * @throws KeyException if the key pair cannot be set for any other reason.
+ * @throws SecurityException if a security manager exists and its
+ * <code>checkSecurityAccess()</code> method doesn't allow setting the key
+ * pair.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public final void setKeyPair(KeyPair pair)
+ throws InvalidParameterException, KeyException
+ {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null)
+ sm.checkSecurityAccess("setSignerKeyPair");
+
+ try
+ {
+ if (pair.getPublic() != null)
+ setPublicKey(pair.getPublic());
+ else
+ throw new InvalidParameterException();
+
+ }
+ catch (KeyManagementException kme)
+ {
+ throw new KeyException();
+ }
+
+ if (pair.getPrivate() != null)
+ privateKey = pair.getPrivate();
+ else
+ throw new InvalidParameterException();
+ }
+
+ /**
+ * Returns a string of information about the signer.
+ *
+ * @return a string of information about the signer.
+ * @see SecurityManager#checkSecurityAccess(String)
+ */
+ public String toString()
+ {
+ return (getName() + ": " + privateKey);
+ }
+}
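Review bot: `toString()` at the end of Signer builds its result as `getName() + ": " + privateKey`, so whatever the key's own `toString()` prints ends up in any log line or message that formats a Signer, and unlike `getPrivateKey()` it makes no `checkSecurityAccess` call even though its Javadoc carries an `@see` for one. I would keep key material out of the string, e.g. `return getName() + (privateKey != null ? ": [private key set]" : ": [no private key]");`. Separately, `setKeyPair` calls `setPublicKey(pair.getPublic())` before it tests `pair.getPrivate()`, so a pair with a null private key throws InvalidParameterException after the public key has already been replaced; checking both halves first avoids the half-updated signer.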
diff --git a/libjava/classpath/java/security/UnrecoverableKeyException.java b/libjava/classpath/java/security/UnrecoverableKeyException.java
new file mode 100644
index 00000000000..6759c3c7b91
--- /dev/null
+++ b/libjava/classpath/java/security/UnrecoverableKeyException.java
@@ -0,0 +1,71 @@
+/* UnrecoverableKeyException.java -- Cannot recover a key from the key store
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security;
+
+/**
+ * This exception is thrown when a key cannot be recovered from the key
+ * store.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class UnrecoverableKeyException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 7275063078190151277L;
+
+ /**
+ * Create an instance with no descriptive error message.
+ */
+ public UnrecoverableKeyException()
+ {
+ }
+
+ /**
+ * Create an instance with a descriptive error message.
+ *
+ * @param msg the descriptive error message
+ */
+ public UnrecoverableKeyException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/UnresolvedPermission.java b/libjava/classpath/java/security/UnresolvedPermission.java
new file mode 100644
index 00000000000..d3f671a9c06
--- /dev/null
+++ b/libjava/classpath/java/security/UnresolvedPermission.java
@@ -0,0 +1,304 @@
+/* UnresolvedPermission.java -- Placeholder for unresolved permissions
+ Copyright (C) 1998, 2001, 2002, 2004, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security;
+
+// All uses of Certificate in this file refer to the one in the listed
+// package, not this one.
+import java.security.cert.Certificate;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.Hashtable;
+import java.util.NoSuchElementException;
+import java.util.Vector;
+
+/**
+ * This class is used to hold instances of all permissions that cannot
+ * be resolved to available permission classes when the security
+ * <code>Policy</code> object is instantiated. This may happen when the
+ * necessary security class has not yet been downloaded from the network.
+ *
+ * <p>Instances of this class are re-resolved when
+ * <code>AccessController</code> check is done. At that time, a scan is
+ * made of all existing <code>UnresolvedPermission</code> objects and they
+ * are converted to objects of the appropriate permission type if the class
+ * for that type is then available.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Permission
+ * @see Permissions
+ * @see PermissionCollection
+ * @see Policy
+ * @since 1.1
+ * @status updated to 1.4
+ */
+public final class UnresolvedPermission extends Permission
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -4821973115467008846L;
+
+ /**
+ * The list of actions associated with this permission object.
+ *
+ * @serial the permission actions
+ */
+ private final String actions;
+
+ /**
+ * The list of <code>Certificates</code> associated with this object.
+ */
+ private final transient Certificate[] certs;
+
+ /**
+ * The name of the class this object should be resolved to.
+ *
+ * @serial the fully-qualified classname of the resolved type
+ */
+ // Package visible for use by UnresolvedPermissionCollection.
+ final String type;
+
+ /**
+ * The name of the permission.
+ *
+ * @serial the permission name
+ */
+ private final String name;
+
+ /**
+ * Create a new instance with all the information necessary to resolve it
+ * to an instance of the proper class at a future time.
+ *
+ * @param type the fully-qualified name of the class of this permission
+ * @param name the name of this permission
+ * @param actions the action list for this permission
+ * @param certs the list of certificates that sign this permission
+ */
+ public UnresolvedPermission(String type, String name, String actions,
+ Certificate[] certs)
+ {
+ super(name);
+ this.name = name;
+ this.type = type;
+ this.actions = actions;
+ this.certs = certs;
+ }
+
+ /**
+ * This method returns <code>false</code> always to indicate that this
+ * permission does not imply the specified permission. An
+ * <code>UnresolvedPermission</code> never grants any permissions.
+ *
+ * @param perm the <code>Permission</code> object to test
+ * @return false; until a permission is resolved, it implies nothing
+ */
+ public boolean implies(Permission perm)
+ {
+ return false;
+ }
+
+ /**
+ * This method tests this permission for equality against the specified
+ * <code>Object</code>. This will be true if and only if the following
+ * conditions are met:<ul>
+ * <li>The specified <code>Object</code> is an UnresolvedPermission</li>
+ * <li>The specified permission has the same type (i.e., desired class name)
+ * as this permission.</li>
+ * <li>The specified permission has the same name as this one.</li>
+ * <li>The specified permissoin has the same action list as this one.</li>
+ * <li>The specified permission has the same certificate list as this
+ * one.</li>
+ * </ul>
+ *
+ * @param obj the <code>Object</code> to test for equality
+ * @return true if the specified object is equal to this one
+ */
+ public boolean equals(Object obj)
+ {
+ if (! (obj instanceof UnresolvedPermission))
+ return (false);
+ UnresolvedPermission up = (UnresolvedPermission) obj;
+ return up.name.equals(name) && up.actions.equals(actions)
+ && up.type.equals(type) && Arrays.equals(up.certs, certs);
+ }
+
+ /**
+ * Returns a hash code value for this object. Following the lead of
+ * Permission, this returns the hashcode of the permission name.
+ *
+ * @return A hash value
+ */
+ public int hashCode()
+ {
+ return name.hashCode();
+ }
+
+ /**
+ * This method returns the list of actions associated with this
+ * permission.
+ *
+ * @return the action list
+ */
+ public String getActions()
+ {
+ return actions;
+ }
+
+ /**
+ * This method returns a <code>String</code> representation of this
+ * class. The format is: '(unresolved "ClassName "name" "actions")'
+ *
+ * @return <code>String</code> representation of this object
+ */
+ public String toString()
+ {
+ return "(unresolved " + type + ' ' + name + ' ' + actions + ')';
+ }
+
+ /**
+ * This class returns a <code>PermissionCollection</code> object that can
+ * be used to store instances of <code>UnresolvedPermission</code>.
+ *
+ * @return a new <code>PermissionCollection</code>
+ */
+ public PermissionCollection newPermissionCollection()
+ {
+ return new UnresolvedPermissionCollection();
+ }
+} // class UnresolvedPermission
+
+/**
+ * Implements the permission collection for unresolved permissions, and
+ * obeys serialization of JDK.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ */
+class UnresolvedPermissionCollection extends PermissionCollection
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -7176153071733132400L;
+
+ // Package-private to avoid a trampoline.
+ /**
+ * Hashtable where we store permissions.
+ *
+ * @serial map of typename to a Vector of permissions (you'd think Sun
+ * would document this better!)
+ */
+ final Hashtable permissions = new Hashtable();
+
+ /**
+ * Add a permission.
+ *
+ * @param perm the permission to add
+ * @throws IllegalArgumentException if perm is not an UnresolvedPermission
+ * @throws SecurityException if the collection is read-only
+ */
+ public void add(Permission perm)
+ {
+ if (isReadOnly())
+ throw new SecurityException();
+ if (! (perm instanceof UnresolvedPermission))
+ throw new IllegalArgumentException();
+ UnresolvedPermission up = (UnresolvedPermission) perm;
+ Vector v = (Vector) permissions.get(up.type);
+ if (v == null)
+ {
+ v = new Vector();
+ permissions.put(up.type, v);
+ }
+ v.add(up);
+ }
+
+ /**
+ * Returns true if perm is implied by the collection.
+ *
+ * @param perm the permission to check
+ * @return false; unresolved permissions imply nothing
+ */
+ public boolean implies(Permission perm)
+ {
+ return false;
+ }
+
+ /**
+ * Return the elements.
+ *
+ * @return the elements
+ */
+ public Enumeration elements()
+ {
+ return new Enumeration()
+ {
+ Enumeration main_enum = permissions.elements();
+ Enumeration sub_enum;
+
+ public boolean hasMoreElements()
+ {
+ if (sub_enum == null)
+ {
+ if (main_enum == null)
+ return false;
+ if (! main_enum.hasMoreElements())
+ {
+ main_enum = null;
+ return false;
+ }
+ Vector v = (Vector) main_enum.nextElement();
+ sub_enum = v.elements();
+ }
+ if (! sub_enum.hasMoreElements())
+ {
+ sub_enum = null;
+ return hasMoreElements();
+ }
+ return true;
+ }
+
+ public Object nextElement()
+ {
+ if (! hasMoreElements())
+ throw new NoSuchElementException();
+ return sub_enum.nextElement();
+ }
+ };
+ }
+} // class UnresolvedPermissionCollection
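Review bot: The UnresolvedPermission constructor keeps the caller's array by reference (`this.certs = certs;`), so the caller can change the signer certificates after construction even though the class is final with final fields, and `equals` later compares that same array with `Arrays.equals`. A defensive copy keeps the list fixed: `this.certs = certs == null ? null : (Certificate[]) certs.clone();`. `equals` also calls `up.actions.equals(actions)` and `up.type.equals(type)` without null checks while the constructor accepts null for both, so comparing two such instances would throw NullPointerException; rejecting a null `type` in the constructor and comparing `actions` null-safely would close that.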
diff --git a/libjava/classpath/java/security/acl/Acl.java b/libjava/classpath/java/security/acl/Acl.java
new file mode 100644
index 00000000000..ff139afd6c0
--- /dev/null
+++ b/libjava/classpath/java/security/acl/Acl.java
@@ -0,0 +1,153 @@
+/* Acl.java -- An access control list
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+import java.security.Principal;
+import java.util.Enumeration;
+
+/**
+ * A Java access control list (ACL) is a group of individual ACL entries.
+ * These entries consist of a <code>Principal</code> and a list of
+ * permissions this <code>Principal</code> is either granted or denied.
+ * A given <code>Principal</code> can have at most one positive ACL entry
+ * (i.e., one that grants permissions) and one negative ACL entry (i.e., one
+ * that denies permissions). If a given permission is both granted and
+ * denied, the ACL treats it as if it were never granted or denied. If
+ * both a <code>Principal</code> and a <code>Group</code> to which the
+ * <code>Principal</code> belongs have an ACL entry, the permissions for
+ * the individual <code>Principal</code> take precedence over the
+ * permissions of the <code>Group</code> if there is a conflict.
+ * <p>
+ * Additionally, the ACL interface extends the <code>Owner</code> interface
+ * and so an ACL has owners. Actions which modify the ACL are restricted
+ * to owners.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface Acl extends Owner
+{
+
+ /**
+ * This method returns the name of this ACL.
+ *
+ * @return The name of this ACL
+ */
+ String getName();
+
+ /**
+ * This method sets the name of the ACL
+ *
+ * @param caller The <code>Principal</code> requesting the action.
+ * @param name The new name for this ACL.
+ *
+ * @exception NotOwnerException If the caller is not an owner of this ACL.
+ */
+ void setName(Principal caller, String name)
+ throws NotOwnerException;
+
+ /**
+ * This method adds the specified entry to the ACL
+ *
+ * @param caller The <code>Principal</code> requesting the addition
+ * @param entry The ACL entry to add
+ *
+ * @return <code>true</code> if the entry was added, <code>false</code>
+ * if there is already an entry of the same type for the
+ * <code>Principal</code>.
+ *
+ * @exception NotOwnerException If the caller is not an owner of this ACL.
+ */
+ boolean addEntry(Principal caller, AclEntry entry)
+ throws NotOwnerException;
+
+ /**
+ * This method delets the specified entry from the ACL
+ *
+ * @param caller The <code>Principal</code> requesting the deletion.
+ * @param entry The ACL entry to delete
+ *
+ * @return <code>true</code> if the entry was deleted, or <code>false</code>
+ * if this entry was not part of the ACL to begin with
+ *
+ * @exception NotOwnerException If the caller is not an owner of this ACL.
+ */
+ boolean removeEntry(Principal caller, AclEntry entry)
+ throws NotOwnerException;
+
+ /**
+ * This method returns a list of all the entries in the ACL as an
+ * <code>Enumeration</code>.
+ *
+ * @return An enumeration of the ACL entries
+ */
+ Enumeration entries();
+
+ /**
+ * This method tests whether or not the specified <code>Principal</code>
+ * has the specified <code>Permission</code>
+ *
+ * @param user The <code>Principal</code> to test
+ * @param perm The <code>Permission</code> to test for
+ *
+ * @return <code>true</code> if the user has been granted the permission,
+ * <code>false</code> otherwise
+ */
+ boolean checkPermission(Principal user, Permission perm);
+
+ /**
+ * This method returns a list of <code>Permission</code>'s that are granted
+ * to a particular <code>Principal</code>. This includes any permissions
+ * that are granted to <code>Group</code>'s to which the <code>Principal</code>
+ * belongs unless they are overridden by a negative ACL. This permission
+ * list is returned as an <code>Enumeration</code>.
+ *
+ * @param user The <code>Principal</code> to retrieve permissions for.
+ *
+ * @return A list of permissions for the <code>Principal</code>.
+ */
+ Enumeration getPermissions(Principal user);
+
+ /**
+ * This method returns the ACL as a <code>String</code>
+ *
+ * @return A <code>String</code> representation of this ACL
+ */
+ String toString();
+}
diff --git a/libjava/classpath/java/security/acl/AclEntry.java b/libjava/classpath/java/security/acl/AclEntry.java
new file mode 100644
index 00000000000..7b1bcf54db9
--- /dev/null
+++ b/libjava/classpath/java/security/acl/AclEntry.java
@@ -0,0 +1,143 @@
+/* AclEntry.java -- An entry in an ACL list.
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+import java.security.Principal;
+import java.util.Enumeration;
+
+/**
+ * This interface models an entry in an access control list (ACL). Java
+ * ACL's consist of a list of entries, where each consists of a
+ * <code>Principal</code> and a list of <code>Permission</code>'s which
+ * have been granted to that <code>Principal</code>. An ACL can also
+ * be <em>negative</em>, which indicates that the list of
+ * <code>Permission</code>'s is a list of permissions that are <em>not</em>
+ * granted to the <code>Principal</code>. A <code>Principal</code> can
+ * have at most one regular (or positive) ACL entry and one negative
+ * ACL entry.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface AclEntry extends Cloneable
+{
+ /**
+ * This method returns the <code>Principal</code> associated with this
+ * ACL entry.
+ *
+ * @return The <code>Principal</code> for this ACL entry
+ */
+ Principal getPrincipal();
+
+ /**
+ * This method sets ths <code>Principal</code> associated with this
+ * ACL entry. This operation will only succeed if there is not already
+ * a <code>Principal</code> assigned.
+ *
+ * @param user The <code>Principal</code> for this ACL entry
+ *
+ * @return <code>true</code> if the <code>Principal</code> was successfully set or <code>false</code> if this entry already has a <code>Principal</code>.
+ */
+ boolean setPrincipal(Principal user);
+
+ /**
+ * This method sets this ACL entry to be a <em>negative</em> entry, indicating
+ * that it contains a list of permissions that are <em>not</em> granted
+ * to the entry's <code>Principal</code>. Note that there is no way to
+ * undo this operation.
+ */
+ void setNegativePermissions();
+
+ /**
+ * This method tests whether or not this ACL entry is a negative entry or not.
+ *
+ * @return <code>true</code> if this ACL entry is negative, <code>false</code> otherwise
+ */
+ boolean isNegative();
+
+ /**
+ * This method adds the specified permission to this ACL entry.
+ *
+ * @param perm The <code>Permission</code> to add
+ *
+ * @return <code>true</code> if the permission was added or <code>false</code> if it was already set for this entry
+ */
+ boolean addPermission(Permission permission);
+
+ /**
+ * This method deletes the specified permission to this ACL entry.
+ *
+ * @param perm The <code>Permission</code> to delete from this ACL entry.
+ *
+ * @return <code>true</code> if the permission was successfully deleted or <code>false</code> if the permission was not part of this ACL to begin with
+ */
+ boolean removePermission(Permission perm);
+
+ /**
+ * This method tests whether or not the specified permission is associated
+ * with this ACL entry.
+ *
+ * @param perm The <code>Permission</code> to test
+ *
+ * @return <code>true</code> if this permission is associated with this entry or <code>false</code> otherwise
+ */
+ boolean checkPermission(Permission permission);
+
+ /**
+ * This method returns a list of all <code>Permission</code> objects
+ * associated with this ACL entry as an <code>Enumeration</code>.
+ *
+ * @return A list of permissions for this ACL entry
+ */
+ Enumeration permissions();
+
+ /**
+ * This method returns this object as a <code>String</code>.
+ *
+ * @return A <code>String</code> representation of this object
+ */
+ String toString();
+
+ /**
+ * This method returns a clone of this ACL entry
+ *
+ * @return A clone of this ACL entry
+ */
+ Object clone();
+}
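Review bot: The Javadoc for `addPermission` and `checkPermission` uses `@param perm`, but both methods declare the parameter as `permission`, so the tag documents nothing; `removePermission` does use `perm`. Either rename the two parameters to `perm` or change the tags to `@param permission The <code>Permission</code> to add` and `@param permission The <code>Permission</code> to test`. The `removePermission` summary also says the permission is deleted "to this ACL entry" where "from this ACL entry" is meant.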
diff --git a/libjava/classpath/java/security/acl/AclNotFoundException.java b/libjava/classpath/java/security/acl/AclNotFoundException.java
new file mode 100644
index 00000000000..9a16d9c50b0
--- /dev/null
+++ b/libjava/classpath/java/security/acl/AclNotFoundException.java
@@ -0,0 +1,60 @@
+/* AclNotFoundException.java -- thrown when an ACL is not found
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+/**
+ * This exception is thrown when a requested access control list (ACL) is
+ * not found.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class AclNotFoundException extends Exception
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = 5684295034092681791L;
+
+ /**
+ * Initializes a new instance of this class with no descriptive message
+ */
+ public AclNotFoundException()
+ {
+ }
+}
diff --git a/libjava/classpath/java/security/acl/Group.java b/libjava/classpath/java/security/acl/Group.java
new file mode 100644
index 00000000000..3ffdf15a4ce
--- /dev/null
+++ b/libjava/classpath/java/security/acl/Group.java
@@ -0,0 +1,90 @@
+/* Group.java -- Represents a group of Principals
+ Copyright (C) 1998, 2001 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+import java.security.Principal;
+import java.util.Enumeration;
+
+/**
+ * This interface represents a group of <code>Principals</code>. Note that
+ * since this interface extends <code>Principal</code>, a <code>Group</code>
+ * can be used where ever a <code>Principal</code> is requested. This
+ * includes arguments to the methods in this interface.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface Group extends Principal
+{
+ /**
+ * This method adds a new <code>Principal</code> to this group.
+ *
+ * @param user The new <code>Principal</code> to add
+ *
+ * @return <code>true</code> if the user was successfully added or <code>false</code> if the user is already a member
+ */
+ boolean addMember(Principal user);
+
+ /**
+ * This method deletes a member from the group.
+ *
+ * @param user The <code>Principal</code> to delete
+ *
+ * @return <code>true</code> if the user was successfully deleted or <code>false</code> if the user is not a member of the group
+ */
+ boolean removeMember(Principal user);
+
+ /**
+ * This method tests whether or not a given <code>Principal</code> is a
+ * member of this group.
+ *
+ * @param user The <code>Principal</code> to test for membership
+ *
+ * @return <code>true</code> if the user is member, <code>false</code> otherwise
+ */
+ boolean isMember(Principal member);
+
+ /**
+ * This method returns a list of all members of the group as an
+ * <code>Enumeration</code>.
+ *
+ * @return The list of all members of the group
+ */
+ Enumeration members();
+}
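Review bot: The Javadoc for `isMember` documents `@param user`, but the declared parameter is `member`, so the tag does not match the signature; it should read `@param member The <code>Principal</code> to test for membership`. The interface comment says a `Group` can be passed wherever a `Principal` is expected, including to these methods. The `isMember` comment should therefore also state whether it checks only direct members or also looks inside nested groups, because access decisions built on it depend on that and the visible text does not say.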
diff --git a/libjava/classpath/java/security/acl/LastOwnerException.java b/libjava/classpath/java/security/acl/LastOwnerException.java
new file mode 100644
index 00000000000..95272445997
--- /dev/null
+++ b/libjava/classpath/java/security/acl/LastOwnerException.java
@@ -0,0 +1,62 @@
+/* LastOwnerException.java -- User attempted to delete last ACL owner
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+/**
+ * This exception is thrown when an attempt is made to delete the last owner
+ * of an access control list (ACL)
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @see Owner#deleteOwner(java.security.Principal, java.security.Principal)
+ * @status updated to 1.4
+ */
+public class LastOwnerException extends Exception
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -5141997548211140359L;
+
+ /**
+ * Initialize a new instance of <code>LastOwnerException</code> that does
+ * not have a log message.
+ */
+ public LastOwnerException()
+ {
+ }
+}
diff --git a/libjava/classpath/java/security/acl/NotOwnerException.java b/libjava/classpath/java/security/acl/NotOwnerException.java
new file mode 100644
index 00000000000..bea94763e4b
--- /dev/null
+++ b/libjava/classpath/java/security/acl/NotOwnerException.java
@@ -0,0 +1,62 @@
+/* NotOwnerException.java -- Attempt to modify an unowned ACL
+ Copyright (C) 1998, 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+/**
+ * This exception is thrown whenever an operation is attempted that requires
+ * the caller to be the owner of the access control list (ACL) when the caller
+ * is in fact not the owner of the ACL.
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ * @status updated to 1.4
+ */
+public class NotOwnerException extends Exception
+{
+ /**
+ * Compatible with JDK 1.1+.
+ */
+ private static final long serialVersionUID = -5555597911163362399L;
+
+ /**
+ * Initializes a new instance of <code>NotOwnerException</code> that does
+ * not have a descriptive message.
+ */
+ public NotOwnerException()
+ {
+ }
+}
diff --git a/libjava/classpath/java/security/acl/Owner.java b/libjava/classpath/java/security/acl/Owner.java
new file mode 100644
index 00000000000..df1605b2e4f
--- /dev/null
+++ b/libjava/classpath/java/security/acl/Owner.java
@@ -0,0 +1,95 @@
+/* Owner.java -- ACL owner
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+import java.security.Principal;
+
+/**
+ * This interface provides a mechanism for maintaining a list of owners
+ * of an access control list (ACL). Since a <code>Principal</code> must
+ * be an owner in order to modify the owner list, a mechanism must be
+ * provided to specify the initial owner of the ACL. The proper way to do
+ * this is for the implementing class to specify the initial owner in
+ * the contructor for that class.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface Owner
+{
+ /**
+ * This method adds an owner to the access control list (ACL). Only a
+ * <code>Principal</code> who is already an owner can perform this operation.
+ *
+ * @param caller The <code>Principal</code> who is requesting that an owner be added
+ * @param owner The <code>Principal</code> to add as a new owner
+ *
+ * @param <code>true</code> if the new owner was successfully added or <code>false</code> if the specified new owner is already an owner
+ *
+ * @exception NotOwnerException If the caller is not already an owner of this ACL
+ */
+ boolean addOwner(Principal caller, Principal owner)
+ throws NotOwnerException;
+
+ /**
+ * This method delets an owner from the access control list (ACL). Only a
+ * <code>Principal</code> who is an owner can perform this operation. An
+ * owner can delete itself from the list. If there is only one
+ * owner remaining on this list, any attempt to delete it will throw an
+ * exception.
+ *
+ * @param caller The <code>Principal</code> who is requesting that an owner be deleted
+ * @param owner The <code>Principal</code> to delete as an owner
+ *
+ * @param <code>true</code> if the new owner was successfully deleted or <code>false</code> if the specified owner is not currently an owner
+ *
+ * @exception NotOwnerException If the caller is not already an owner of this ACL
+ * @exception LastOwnerException If completing the operation would delete the last ACL owner
+ */
+ boolean deleteOwner(Principal caller, Principal owner)
+ throws NotOwnerException, LastOwnerException;
+
+ /**
+ * This method tests whether or not a given <code>Principal</code> is an
+ * owner of this access control list (ACL).
+ *
+ * @return <code>true</code> if the <code>Principal</code> is an owner, <code>false</code> otherwise
+ */
+ boolean isOwner(Principal owner);
+}
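Review bot: In the Javadoc of `addOwner` and `deleteOwner` the return value is written as `@param <code>true</code> ...`, which Javadoc reads as a parameter description rather than the return contract. Both should be `@return` tags, and the `deleteOwner` one should say "the owner" rather than "the new owner". `isOwner` has no `@param owner` line, and there are two typos: "contructor" in the interface comment and "delets" in the `deleteOwner` comment. This interface defines who may change ACL ownership, so the generated documentation should state the return values correctly.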
diff --git a/libjava/classpath/java/security/acl/Permission.java b/libjava/classpath/java/security/acl/Permission.java
new file mode 100644
index 00000000000..e5ba2913890
--- /dev/null
+++ b/libjava/classpath/java/security/acl/Permission.java
@@ -0,0 +1,67 @@
+/* Permission.java -- Information about an ACL permission
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.acl;
+
+/**
+ * This interface provides information about a permission that can be
+ * granted. Note that this is <em>not</em> the same as the class
+ * <code>java.security.Permission</code>.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface Permission
+{
+ /**
+ * This method tests whether or not a specified <code>Permission</code>
+ * (passed as an <code>Object</code>) is the same as this permission.
+ *
+ * @param perm The permission to check for equality
+ *
+ * @return <code>true</code> if the specified permission is the same as this one, <code>false</code> otherwise
+ */
+ boolean equals (Object perm);
+
+ /**
+ * This method returns this <code>Permission</code> as a <code>String</code>.
+ *
+ * @return A <code>String</code> representing this permission.
+ */
+ String toString();
+}
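Review bot: The interface re-declares `equals (Object perm)` but says nothing about `hashCode`, so an implementer can satisfy it with an `equals` override alone. How ACL entries store and compare permissions is not visible in this hunk, but any implementation kept in a hashed collection needs the two to agree. I would add one sentence to the `equals` comment: `Implementations must also override hashCode() so that equal permissions have equal hash codes.`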
diff --git a/libjava/classpath/java/security/acl/package.html b/libjava/classpath/java/security/acl/package.html
new file mode 100644
index 00000000000..19facf190b2
--- /dev/null
+++ b/libjava/classpath/java/security/acl/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in java.security.acl package.
+ Copyright (C) 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - java.security.acl</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>
diff --git a/libjava/classpath/java/security/cert/CRL.java b/libjava/classpath/java/security/cert/CRL.java
new file mode 100644
index 00000000000..e763663f52c
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CRL.java
@@ -0,0 +1,98 @@
+/* CRL.java --- Certificate Revocation List
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ Certificate Revocation List class for managing CRLs that
+ have different formats but the same general use. They
+ all serve as lists of revoked certificates and can
+ be queried for a given certificate.
+
+ Specialized CRLs extend this class.
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public abstract class CRL
+{
+
+ private String type;
+
+ /**
+ Creates a new CRL for the specified type. An example
+ is "X.509".
+
+ @param type the standard name for the CRL type.
+ */
+ protected CRL(String type)
+ {
+ this.type = type;
+ }
+
+ /**
+ Returns the CRL type.
+
+ @return a string representing the CRL type
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ Returns a string representing the CRL.
+
+ @return a string representing the CRL.
+ */
+ public abstract String toString();
+
+ /**
+ Determines whether or not the specified Certificate
+ is revoked.
+
+ @param cert A certificate to check if it is revoked
+
+ @return true if the certificate is revoked,
+ false otherwise.
+ */
+ public abstract boolean isRevoked(Certificate cert);
+
+
+}
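Review bot: `private String type;` is assigned only in the constructor and read through the `final` accessor `getType()`, so it should be declared `private final String type;`, as `CertPath` in this same commit does. The constructor also accepts `null` silently; if a null type is not valid, the Javadoc of `CRL(String type)` should say so. The comment on `isRevoked` does not say what is returned for a certificate this CRL does not cover or cannot interpret, such as one of a different type. That matters to callers who treat `false` as "not revoked".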
diff --git a/libjava/classpath/java/security/cert/CRLException.java b/libjava/classpath/java/security/cert/CRLException.java
new file mode 100644
index 00000000000..f3addfe9594
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CRLException.java
@@ -0,0 +1,73 @@
+/* CRLException.java -- Certificate Revocation List Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception for a Certificate Revocation List.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class CRLException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = -6694728944094197147L;
+
+ /**
+ * Constructs an CRLExceptionwithout a message string.
+ */
+ public CRLException()
+ {
+ }
+
+ /**
+ * Constructs an CRLException with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CRLException(String msg)
+ {
+ super(msg);
+ }
+}
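Review bot: The Javadoc of the no-argument constructor reads "Constructs an CRLExceptionwithout a message string."; a space is missing, and the article is wrong in both constructor comments. Suggested wording: `Constructs a CRLException without a message string.` and `Constructs a CRLException with a message string.`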
diff --git a/libjava/classpath/java/security/cert/CRLSelector.java b/libjava/classpath/java/security/cert/CRLSelector.java
new file mode 100644
index 00000000000..1fa5a207dfc
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CRLSelector.java
@@ -0,0 +1,69 @@
+/* CRLSelector.java -- matches CRLs against criteria.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * A generic interface to classes that match certificate revocation
+ * lists (CRLs) to some given criteria. Implementations of this
+ * interface are useful for finding {@link CRL} objects in a {@link
+ * CertStore}.
+ *
+ * @see CertStore
+ * @see CertSelector
+ * @see X509CRLSelector
+ */
+public interface CRLSelector extends Cloneable
+{
+
+ /**
+ * Returns a clone of this instance.
+ *
+ * @return The clone.
+ */
+ Object clone();
+
+ /**
+ * Match a given certificate revocation list to this selector's
+ * criteria, returning true if it matches, false otherwise.
+ *
+ * @param crl The certificate revocation list to test.
+ * @return The boolean result of this test.
+ */
+ boolean match(CRL crl);
+}
diff --git a/libjava/classpath/java/security/cert/CertPath.java b/libjava/classpath/java/security/cert/CertPath.java
new file mode 100644
index 00000000000..e818763aab4
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPath.java
@@ -0,0 +1,252 @@
+/* CertPath.java -- a sequence of certificates
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.NotSerializableException;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * This class represents an immutable sequence, or path, of security
+ * certificates. The path type must match the type of each certificate in the
+ * path, or in other words, for all instances of cert in a certpath object,
+ * <code>cert.getType().equals(certpath.getType())</code> will return true.
+ *
+ * <p>Since this class is immutable, it is thread-safe. During serialization,
+ * the path is consolidated into a {@link CertPathRep}, which preserves the
+ * data regardless of the underlying implementation of the path.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @since 1.4
+ * @status updated to 1.4
+ */
+public abstract class CertPath implements Serializable
+{
+ /**
+ * The serialized representation of a path.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ */
+ protected static class CertPathRep implements Serializable
+ {
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 3015633072427920915L;
+
+ /**
+ * The certificate type.
+ *
+ * @serial the type of the certificate path
+ */
+ private final String type;
+
+ /**
+ * The encoded form of the path.
+ *
+ * @serial the encoded form
+ */
+ private final byte[] data;
+
+ /**
+ * Create the new serial representation.
+ *
+ * @param type the path type
+ * @param data the encoded path data
+ */
+ protected CertPathRep(String type, byte[] data)
+ {
+ this.type = type;
+ this.data = data;
+ }
+
+ /**
+ * Decode the data into an actual {@link CertPath} upon deserialization.
+ *
+ * @return the replacement object
+ * @throws ObjectStreamException if replacement fails
+ */
+ protected Object readResolve() throws ObjectStreamException
+ {
+ try
+ {
+ return CertificateFactory.getInstance(type)
+ .generateCertPath(new ByteArrayInputStream(data));
+ }
+ catch (CertificateException e)
+ {
+ throw (ObjectStreamException)
+ new NotSerializableException("java.security.cert.CertPath: "
+ + type).initCause(e);
+ }
+ }
+ } // class CertPathRep
+
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 6068470306649138683L;
+
+ /**
+ * The path type.
+ *
+ * @serial the type of all certificates in this path
+ */
+ private final String type;
+
+ /**
+ * Create a certificate path with the given type. Most code should use
+ * {@link CertificateFactory} to create CertPaths.
+ *
+ * @param type the type of the path
+ */
+ protected CertPath(String type)
+ {
+ this.type = type;
+ }
+
+ /**
+ * Get the (non-null) type of all certificates in the path.
+ *
+ * @return the path certificate type
+ */
+ public String getType()
+ {
+ return type;
+ }
+
+ /**
+ * Get an immutable iterator over the path encodings (all String names),
+ * starting with the default encoding. The iterator will throw an
+ * <code>UnsupportedOperationException</code> if an attempt is made to
+ * remove items from the list.
+ *
+ * @return the iterator of supported encodings in the path
+ */
+ public abstract Iterator getEncodings();
+
+ /**
+ * Compares this path to another for semantic equality. To be equal, both
+ * must be instances of CertPath, with the same type, and identical
+ * certificate lists. Overriding classes must not change this behavior.
+ *
+ * @param o the object to compare to
+ * @return true if the two are equal
+ */
+ public boolean equals(Object o)
+ {
+ if (! (o instanceof CertPath))
+ return false;
+ CertPath cp = (CertPath) o;
+ return type.equals(cp.type)
+ && getCertificates().equals(cp.getCertificates());
+ }
+
+ /**
+ * Returns the hashcode of this certificate path. This is defined as:<br>
+ * <code>31 * getType().hashCode() + getCertificates().hashCode()</code>.
+ *
+ * @return the hashcode
+ */
+ public int hashCode()
+ {
+ return 31 * type.hashCode() + getCertificates().hashCode();
+ }
+
+ public String toString()
+ {
+ List l = getCertificates();
+ int size = l.size();
+ int i = 0;
+ StringBuffer result = new StringBuffer(type);
+ result.append(" Cert Path: length = ").append(size).append(".\n[\n");
+ while (--size >= 0)
+ result.append(l.get(i++)).append('\n');
+ return result.append("\n]").toString();
+ }
+
+ /**
+ * Returns the encoded form of this path, via the default encoding.
+ *
+ * @return the encoded form
+ * @throws CertificateEncodingException if encoding fails
+ */
+ public abstract byte[] getEncoded() throws CertificateEncodingException;
+
+ /**
+ * Returns the encoded form of this path, via the specified encoding.
+ *
+ * @param encoding the encoding to use
+ * @return the encoded form
+ * @throws CertificateEncodingException if encoding fails or does not exist
+ */
+ public abstract byte[] getEncoded(String encoding)
+ throws CertificateEncodingException;
+
+ /**
+ * Returns the immutable, thread-safe list of certificates in this path.
+ *
+ * @return the list of certificates, non-null but possibly empty
+ */
+ public abstract List getCertificates();
+
+ /**
+ * Serializes the path in its encoded form, to ensure reserialization with
+ * the appropriate factory object without worrying about list implementation.
+ * The result will always be an instance of {@link CertPathRep}.
+ *
+ * @return the replacement object
+ * @throws ObjectStreamException if the replacement creation fails
+ */
+ protected Object writeReplace() throws ObjectStreamException
+ {
+ try
+ {
+ return new CertPathRep(type, getEncoded());
+ }
+ catch (CertificateEncodingException e)
+ {
+ throw (ObjectStreamException)
+ new NotSerializableException("java.security.cert.CertPath: "
+ + type).initCause(e);
+ }
+ }
+} // class CertPath
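Review bot: `CertPathRep.readResolve()` uses `type` and `data` exactly as they arrive from the serialized stream and converts only `CertificateException` into an `ObjectStreamException`. A stream carrying a null `type` or `data` would presumably fail with a `NullPointerException`, from `new ByteArrayInputStream(data)` or the factory lookup, rather than the documented exception. I would add a guard before the `try`: `if (type == null || data == null) throw new NotSerializableException("java.security.cert.CertPath: " + type);`. The `CertPathRep` constructor also keeps the caller's `byte[]` without copying; whether that matters depends on what `getEncoded()` implementations return, which this hunk does not show. Separately, `toString()` is the only member of `CertPath` without a Javadoc comment.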
diff --git a/libjava/classpath/java/security/cert/CertPathBuilder.java b/libjava/classpath/java/security/cert/CertPathBuilder.java
new file mode 100644
index 00000000000..f6965205f53
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilder.java
@@ -0,0 +1,238 @@
+/* CertPathBuilder.java -- bulids CertPath objects from Certificates.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * This class builds certificate paths (also called certificate chains),
+ * which can be used to establish trust for a particular certificate by
+ * building a path from a trusted certificate (a trust anchor) to the
+ * untrusted certificate.
+ *
+ * @see CertPath
+ */
+public class CertPathBuilder
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for CertPathBuilder. */
+ private static final String CERT_PATH_BUILDER = "CertPathBuilder";
+
+ /** The underlying implementation. */
+ private CertPathBuilderSpi cpbSpi;
+
+ /** The provider of this implementation. */
+ private Provider provider;
+
+ /** The name of this implementation. */
+ private String algorithm;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertPathBuilder.
+ *
+ * @param cpbSpi The underlying implementation.
+ * @param provider The provider of the implementation.
+ * @param algorithm This implementation's name.
+ */
+ protected CertPathBuilder(CertPathBuilderSpi cpbSpi, Provider provider,
+ String algorithm)
+ {
+ this.cpbSpi = cpbSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Get the default cert path builder type.
+ *
+ * <p>This value can be set at run-time by the security property
+ * <code>"certpathbuilder.type"</code>. If this property is not set,
+ * then the value returned is <code>"PKIX"</code>.
+ *
+ * @return The default CertPathBuilder algorithm.
+ */
+ public static final String getDefaultType()
+ {
+ String type = Security.getProperty("certpathbuilder.type");
+ if (type == null)
+ type = "PKIX";
+ return type;
+ }
+
+ /**
+ * Get an instance of a named CertPathBuilder, from the first provider
+ * that implements it.
+ *
+ * @param algorithm The name of the CertPathBuilder to create.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the named algorithm.
+ */
+ public static CertPathBuilder getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Get an instance of a named CertPathBuilder from the named
+ * provider.
+ *
+ * @param algorithm The name of the CertPathBuilder to create.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the named algorithm.
+ * @throws NoSuchProviderException If the named provider does not
+ * exist.
+ */
+ public static CertPathBuilder getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Get an instance of a named CertPathBuilder from the specified
+ * provider.
+ *
+ * @param algorithm The name of the CertPathBuilder to create.
+ * @param provider The provider from which to get the implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the named algorithm.
+ * @throws IllegalArgumentException If <i>provider</i> in
+ * <tt>null</tt>.
+ */
+ public static CertPathBuilder getInstance(String algorithm, Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+ try
+ {
+ return new CertPathBuilder((CertPathBuilderSpi)
+ Engine.getInstance(CERT_PATH_BUILDER, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the name of this CertPathBuilder algorithm.
+ *
+ * @return The algorithm name.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Return the provider of this instance's implementation.
+ *
+ * @return The provider.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Builds a certificate path. The {@link CertPathParameters} parameter
+ * passed to this method is implementation-specific, but in general
+ * should contain some number of certificates and some number of
+ * trusted certificates (or "trust anchors").
+ *
+ * @param params The parameters.
+ * @retrun The certificate path result.
+ * @throws CertPathBuilderException If the certificate path cannot be
+ * built.
+ * @throws InvalidAlgorithmParameterException If the implementation
+ * rejects the specified parameters.
+ */
+ public final CertPathBuilderResult build(CertPathParameters params)
+ throws CertPathBuilderException, InvalidAlgorithmParameterException
+ {
+ return cpbSpi.engineBuild(params);
+ }
+}
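Review bot: `getDefaultType()` calls `Security.getProperty("certpathbuilder.type")` directly, while `CertPathValidator.getDefaultType()` added in the same commit wraps the equivalent read in `AccessController.doPrivileged`. If `Security.getProperty` performs a security-manager check (its body is not in this diff), a caller without the matching permission would get a `SecurityException` here instead of the documented "PKIX" default. Wrapping the read the same way keeps the two classes consistent; it needs imports for `java.security.AccessController` and `java.security.PrivilegedAction`. The property name stays a fixed literal, so no caller-chosen key is read with the library's privileges.

```java
public static final String getDefaultType()
{
  // Read the fixed property name with the library's own privileges so that
  // unprivileged callers still fall through to the default below.
  String type = (String) AccessController.doPrivileged(
    new PrivilegedAction()
    {
      public Object run()
      {
        return Security.getProperty("certpathbuilder.type");
      }
    }
  );
  // … unchanged: null check falling back to "PKIX", return type …
```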
diff --git a/libjava/classpath/java/security/cert/CertPathBuilderException.java b/libjava/classpath/java/security/cert/CertPathBuilderException.java
new file mode 100644
index 00000000000..98515101025
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilderException.java
@@ -0,0 +1,159 @@
+/* CertPathBuilderException.java -- wraps an exception during certificate
+ path building
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates a problem while using a <code>CertPathBuilder</code>, wrapping
+ * the lower exception. This class is not thread-safe.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see CertPathBuilder
+ * @since 1.4
+ * @status updated to 1.4
+*/
+public class CertPathBuilderException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 5316471420178794402L;
+
+ /**
+ * Create an exception without a message. The cause may be initialized.
+ */
+ public CertPathBuilderException()
+ {
+ }
+
+ /**
+ * Create an exception with a message. The cause may be initialized.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertPathBuilderException(String msg)
+ {
+ super(msg);
+ }
+
+ /**
+ * Create an exception with a cause. The message will be
+ * <code>cause == null ? null : cause.toString()</code>.
+ *
+ * @param cause the cause
+ */
+ public CertPathBuilderException(Throwable cause)
+ {
+ this(cause == null ? null : cause.toString(), cause);
+ }
+
+ /**
+ * Create an exception with a cause and a message.
+ *
+ * @param msg the message
+ * @param cause the cause
+ */
+ public CertPathBuilderException(String msg, Throwable cause)
+ {
+ super(msg);
+ initCause(cause);
+ }
+
+ /**
+ * Get the detail message.
+ *
+ * @return the detail message
+ */
+ public String getMessage()
+ {
+ return super.getMessage();
+ }
+
+ /**
+ * Get the cause, null if unknown.
+ *
+ * @return the cause
+ */
+ public Throwable getCause()
+ {
+ return super.getCause();
+ }
+
+ /**
+ * Convert this to a string, including its cause.
+ *
+ * @return the string conversion
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+
+ /**
+ * Print the stack trace to <code>System.err</code>.
+ */
+ public void printStackTrace()
+ {
+ super.printStackTrace();
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintStream stream)
+ {
+ super.printStackTrace(stream);
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintWriter stream)
+ {
+ super.printStackTrace(stream);
+ }
+}
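Review bot: The Javadoc on `toString()` says the result includes the cause, but the body only returns `super.toString()`. Under the usual `Throwable.toString()` contract (class name plus message), the cause appears only when the `(Throwable cause)` constructor copied `cause.toString()` into the message, not when `(String msg, Throwable cause)` was used. Either the comment should say so, e.g. `Convert this to a string; the cause is included only if it was used as the message.`, or the method should append `getCause()` itself. GNU Classpath's own `Throwable` is not in this hunk, so this should be confirmed against it.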
diff --git a/libjava/classpath/java/security/cert/CertPathBuilderResult.java b/libjava/classpath/java/security/cert/CertPathBuilderResult.java
new file mode 100644
index 00000000000..737ba9431b3
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilderResult.java
@@ -0,0 +1,63 @@
+/* CertPathBuilderResult -- results from building cert paths.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * A standard interface for the result of building a certificate path.
+ * All implementations of this class must provide a way to get the
+ * certificate path, but may also define additional methods for
+ * returning other result data generated by the certificate path
+ * builder.
+ */
+public interface CertPathBuilderResult extends Cloneable {
+
+ /**
+ * Creates a copy of this builder result.
+ *
+ * @return The copy.
+ */
+ Object clone();
+
+ /**
+ * Get the certificate path that was built.
+ *
+ * @retrn The certificate path.
+ */
+ CertPath getCertPath();
+}
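Review bot: The tag on `getCertPath()` is spelled `@retrn`, which Javadoc does not recognise, so the return description is dropped from the generated documentation; it should read `@return The certificate path.`. `CertPathBuilder.build` in this commit has the same problem with `@retrun The certificate path result.`, which should also become `@return`.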
diff --git a/libjava/classpath/java/security/cert/CertPathBuilderSpi.java b/libjava/classpath/java/security/cert/CertPathBuilderSpi.java
new file mode 100644
index 00000000000..afc7fc07366
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilderSpi.java
@@ -0,0 +1,74 @@
+/* CertPathBuilderSpi -- CertPathBuilder service provider interface.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.cert;
+
+/**
+ * The {@link CertPathBuilder} <i>Service Provider Interface</i>
+ * (<b>SPI</b>).
+ *
+ * @see CertPathBuilder
+ */
+public abstract class CertPathBuilderSpi {
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertPathBuilderSpi.
+ */
+ public CertPathBuilderSpi() {
+ super();
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a certificate path from the specified parameters.
+ *
+ * @param params The parameters to use.
+ * @return The certificate path result.
+ * @throws CertPathBuilderException If the certificate path cannot be
+ * built.
+ * @throws java.security.InvalidAlgorithmParameterException If the
+ * implementation rejects the specified parameters.
+ */
+ public abstract CertPathBuilderResult engineBuild(CertPathParameters params)
+ throws CertPathBuilderException,
+ java.security.InvalidAlgorithmParameterException;
+}
diff --git a/libjava/classpath/java/security/cert/CertPathParameters.java b/libjava/classpath/java/security/cert/CertPathParameters.java
new file mode 100644
index 00000000000..62a5cb6a69e
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathParameters.java
@@ -0,0 +1,58 @@
+/* CertPathParameters.java -- parameters for CertPathBuilder.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.cert;
+
+/**
+ * Parameters for generating and validating certificate paths. This
+ * class does not define any methods (except a required cloneable
+ * interface) and is provided only to provide type safety for
+ * implementations. Concrete implementations implement this interface
+ * in accord with thier own needs.
+ *
+ * @see CertPathBuilder
+ * @see CertPathValidator
+ */
+public interface CertPathParameters extends Cloneable {
+
+ /**
+ * Makes a copy of this CertPathParameters instance.
+ *
+ * @return The copy.
+ */
+ Object clone();
+}
diff --git a/libjava/classpath/java/security/cert/CertPathValidator.java b/libjava/classpath/java/security/cert/CertPathValidator.java
new file mode 100644
index 00000000000..5fed19e9a78
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidator.java
@@ -0,0 +1,249 @@
+/* CertPathValidator -- validates certificate paths.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.security.AccessController;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * Generic interface to classes that validate certificate paths.
+ *
+ * <p>Using this class is similar to all the provider-based security
+ * classes; the method of interest, {@link
+ * #validate(java.security.cert.CertPath,java.security.cert.CertPathParameters)},
+ * which takes provider-specific implementations of {@link
+ * CertPathParameters}, and return provider-specific implementations of
+ * {@link CertPathValidatorResult}.
+ *
+ * @since JDK 1.4
+ * @see CertPath
+ */
+public class CertPathValidator {
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for CertPathValidator. */
+ private static final String CERT_PATH_VALIDATOR = "CertPathValidator";
+
+ /** The underlying implementation. */
+ private final CertPathValidatorSpi validatorSpi;
+
+ /** The provider of this implementation. */
+ private final Provider provider;
+
+ /** The algorithm's name. */
+ private final String algorithm;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertPathValidator.
+ *
+ * @param validatorSpi The underlying implementation.
+ * @param provider The provider of the implementation.
+ * @param algorithm The algorithm name.
+ */
+ protected CertPathValidator(CertPathValidatorSpi validatorSpi,
+ Provider provider, String algorithm)
+ {
+ this.validatorSpi = validatorSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the default validator type.
+ *
+ * <p>This value may be set at run-time via the security property
+ * "certpathvalidator.type", or the value "PKIX" if this property is
+ * not set.
+ *
+ * @return The default validator type.
+ */
+ public static synchronized String getDefaultType() {
+ String type = (String) AccessController.doPrivileged(
+ new PrivilegedAction()
+ {
+ public Object run()
+ {
+ return Security.getProperty("certpathvalidator.type");
+ }
+ }
+ );
+ if (type == null)
+ type = "PKIX";
+ return type;
+ }
+
+ /**
+ * Get an instance of the given validator from the first provider that
+ * implements it.
+ *
+ * @param algorithm The name of the algorithm to get.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the requested algorithm.
+ */
+ public static CertPathValidator getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Get an instance of the given validator from the named provider.
+ *
+ * @param algorithm The name of the algorithm to get.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If the named provider does not
+ * implement the algorithm.
+ * @throws NoSuchProviderException If no provider named
+ * <i>provider</i> is installed.
+ */
+ public static CertPathValidator getInstance(String algorithm,
+ String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Get an instance of the given validator from the given provider.
+ *
+ * @param algorithm The name of the algorithm to get.
+ * @param provider The provider from which to get the implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If the provider does not implement
+ * the algorithm.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertPathValidator getInstance(String algorithm,
+ Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+
+ try
+ {
+ return new CertPathValidator((CertPathValidatorSpi)
+ Engine.getInstance(CERT_PATH_VALIDATOR, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the name of this validator.
+ *
+ * @return This validator's name.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Return the provider of this implementation.
+ *
+ * @return The provider.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Attempt to validate a certificate path.
+ *
+ * @param certPath The path to validate.
+ * @param params The algorithm-specific parameters.
+ * @return The result of this validation attempt.
+ * @throws CertPathValidatorException If the certificate path cannot
+ * be validated.
+ * @throws InvalidAlgorithmParameterException If this implementation
+ * rejects the specified parameters.
+ */
+ public final CertPathValidatorResult validate(CertPath certPath,
+ CertPathParameters params)
+ throws CertPathValidatorException, InvalidAlgorithmParameterException
+ {
+ return validatorSpi.engineValidate(certPath, params);
+ }
+}
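Review bot: Both catch blocks in `getInstance(String, Provider)` throw a fresh `NoSuchAlgorithmException(algorithm)` and discard the caught `InvocationTargetException` or `ClassCastException`. A provider whose implementation fails to construct, or is registered with the wrong type, then looks the same as one that simply does not offer the algorithm, which makes a misconfigured provider hard to diagnose. Keeping the cause, the way `CertPath.writeReplace` in this commit does with `initCause`, would preserve it: `NoSuchAlgorithmException nsae = new NoSuchAlgorithmException(algorithm); nsae.initCause(ite); throw nsae;` (and likewise for `cce`). The same pattern appears in `CertPathBuilder.getInstance(String, Provider)` earlier in this commit.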
diff --git a/libjava/classpath/java/security/cert/CertPathValidatorException.java b/libjava/classpath/java/security/cert/CertPathValidatorException.java
new file mode 100644
index 00000000000..f3195be296f
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidatorException.java
@@ -0,0 +1,226 @@
+/* CertPathValidatorException.java -- wraps an exception during validation
+ of a CertPath
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates a problem while validating a certification path. In addition,
+ * it can store the path an index in that path that caused the problem. This
+ * class is not thread-safe.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see CertPathValidator
+ * @since 1.4
+ * @status updated to 1.4
+*/
+public class CertPathValidatorException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = -3083180014971893139L;
+
+ /**
+ * The index of the certificate path that failed, or -1.
+ *
+ * @serial the failed index
+ */
+ private final int index;
+
+ /**
+ * The <code>CertPath</code> that failed.
+ *
+ * @serial the object being validated at time of failure
+ */
+ private final CertPath certPath;
+
+ /**
+ * Create an exception without a message. The cause may be initialized. The
+ * index is set to -1 and the failed CertPath object to null.
+ */
+ public CertPathValidatorException()
+ {
+ this((String) null);
+ }
+
+ /**
+ * Create an exception with a message. The cause may be initialized. The
+ * index is set to -1 and the failed CertPath object to null.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertPathValidatorException(String msg)
+ {
+ super(msg);
+ index = -1;
+ certPath = null;
+ }
+
+ /**
+ * Create an exception with a cause. The message will be
+ * <code>cause == null ? null : cause.toString()</code>. The index is set
+ * to -1 and the failed CertPath object to null.
+ *
+ * @param cause the cause
+ */
+ public CertPathValidatorException(Throwable cause)
+ {
+ this(cause == null ? null : cause.toString(), cause, null, -1);
+ }
+
+ /**
+ * Create an exception with a cause and a message. The index is set to -1
+ * and the failed CertPath object to null.
+ *
+ * @param msg the message
+ * @param cause the cause
+ */
+ public CertPathValidatorException(String msg, Throwable cause)
+ {
+ this(msg, cause, null, -1);
+ }
+
+ /**
+ * Create an exception with a cause, message, failed object, and index of
+ * failure in that CertPath.
+ *
+ * @param msg the message
+ * @param cause the cause
+ * @param certPath the path that was being validated, or null
+ * @param index the index of the path, or -1
+ * @throws IndexOutOfBoundsException if index is &lt; -1 or
+ * &gt; certPath.getCertificates().size()
+ * @throws IllegalArgumentException if certPath is null but index != -1
+ */
+ public CertPathValidatorException(String msg, Throwable cause,
+ CertPath certPath, int index)
+ {
+ super(msg);
+ initCause(cause);
+ if (index < -1 || (certPath != null
+ && index >= certPath.getCertificates().size()))
+ throw new IndexOutOfBoundsException();
+ if ((certPath == null) != (index == -1))
+ throw new IllegalArgumentException();
+ this.certPath = certPath;
+ this.index = index;
+ }
+
+ /**
+ * Get the detail message.
+ *
+ * @return the detail message
+ */
+ public String getMessage()
+ {
+ return super.getMessage();
+ }
+
+ /**
+ * Get the certificate path that had the failure, or null.
+ *
+ * @return the culprit path
+ */
+ public CertPath getCertPath()
+ {
+ return certPath;
+ }
+
+ /**
+ * Get the index that failed, or -1.
+ *
+ * @return the colprit index
+ */
+ public int getIndex()
+ {
+ return index;
+ }
+
+ /**
+ * Get the cause, null if unknown.
+ *
+ * @return the cause
+ */
+ public Throwable getCause()
+ {
+ return super.getCause();
+ }
+
+ /**
+ * Convert this to a string, including its cause.
+ *
+ * @return the string conversion
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+
+ /**
+ * Print the stack trace to <code>System.err</code>.
+ */
+ public void printStackTrace()
+ {
+ super.printStackTrace();
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintStream stream)
+ {
+ super.printStackTrace(stream);
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintWriter stream)
+ {
+ super.printStackTrace(stream);
+ }
+}
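Review bot: The four-argument constructor rejects a non-null `certPath` combined with `index == -1`, because `(certPath == null) != (index == -1)` is true for that pair, while its Javadoc only promises an IllegalArgumentException when certPath is null but index is not -1. If the documented contract is the intended one, the guard should read `if (certPath == null && index != -1) throw new IllegalArgumentException();`. The Javadoc also gives the upper bound as `> certPath.getCertificates().size()` whereas the code rejects `index >= size`, so one of the two should be corrected to tell callers the valid range for the failing-certificate index. Neither throw carries a message; a short text naming the offending index would make a failure raised during path validation easier to diagnose.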
diff --git a/libjava/classpath/java/security/cert/CertPathValidatorResult.java b/libjava/classpath/java/security/cert/CertPathValidatorResult.java
new file mode 100644
index 00000000000..71aaf89bc18
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidatorResult.java
@@ -0,0 +1,63 @@
+/* CertPathValidatorResult -- result of validating certificate paths
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Interface to the result of calling {@link
+ * CertPathValidator#validate(java.security.cert.CertPath,java.security.cert.CertPathParameters)}.
+ *
+ * <p>This interface defines no methods other than the required
+ * {@link java.lang.Cloneable} interface, and is intended to group and
+ * provide type safety for validator results. Providers that implement
+ * a certificate path validator must also provide an implementation of
+ * this interface, possibly defining additional methods.
+ *
+ * @since JDK 1.4
+ * @see CertPathValidator
+ */
+public interface CertPathValidatorResult extends Cloneable
+{
+
+ /**
+ * Returns a copy of this validator result.
+ *
+ * @return The copy.
+ */
+ Object clone();
+}
diff --git a/libjava/classpath/java/security/cert/CertPathValidatorSpi.java b/libjava/classpath/java/security/cert/CertPathValidatorSpi.java
new file mode 100644
index 00000000000..8d18b49dac4
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidatorSpi.java
@@ -0,0 +1,79 @@
+/* CertPathValidatorSpi -- cert path validator service provider interface
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * The <i>service provider interface</i> (<b>SPI</b>) for the {@link
+ * CertPathValidator} class. Providers implementing certificate path
+ * validators must subclass this class and implement its abstract
+ * methods.
+ */
+public abstract class CertPathValidatorSpi
+{
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Default constructor.
+ */
+ public CertPathValidatorSpi()
+ {
+ super();
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Attempt to validate a certificate path.
+ *
+ * @param certPath The path to validate.
+ * @param params The algorithm-specific parameters.
+ * @return The result of this validation attempt.
+ * @throws CertPathValidatorException If the certificate path cannot
+ * be validated.
+ * @throws InvalidAlgorithmParameterException If this implementation
+ * rejects the specified parameters.
+ */
+ public abstract CertPathValidatorResult
+ engineValidate(CertPath certPath, CertPathParameters params)
+ throws CertPathValidatorException,
+ java.security.InvalidAlgorithmParameterException;
+}
diff --git a/libjava/classpath/java/security/cert/CertSelector.java b/libjava/classpath/java/security/cert/CertSelector.java
new file mode 100644
index 00000000000..aea614ad95e
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertSelector.java
@@ -0,0 +1,58 @@
+/* CertSelector.java -- certificate selector interface.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+public interface CertSelector extends Cloneable
+{
+
+ /**
+ * Returns a copy of this CertSelector.
+ *
+ * @return The copy.
+ */
+ Object clone();
+
+ /**
+ * Match a certificate according to this selector's criteria.
+ *
+ * @param cert The certificate to match.
+ * @return true if the certificate matches thin criteria.
+ */
+ boolean match(Certificate cert);
+}
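Review bot: `CertSelector` is added without a type-level Javadoc, unlike the sibling interfaces CertPathValidatorResult and CertStoreParameters in this same commit. I would add a short header such as `/** Criteria used to select certificates, for example when querying a {@link CertStore}. */`. In the `match` comment, "matches thin criteria" should read `@return true if the certificate matches this selector's criteria.`, and it would help implementers to state what `match` returns for a null certificate.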
diff --git a/libjava/classpath/java/security/cert/CertStore.java b/libjava/classpath/java/security/cert/CertStore.java
new file mode 100644
index 00000000000..864da868f19
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStore.java
@@ -0,0 +1,294 @@
+/* CertStore -- stores and retrieves certificates.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Collection;
+
+/**
+ * A CertStore is a read-only repository for certificates and
+ * certificate revocation lists.
+ *
+ * @since JDK 1.4
+ */
+public class CertStore
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for CertStore. */
+ private static final String CERT_STORE = "CertStore";
+
+ /** The underlying implementation. */
+ private CertStoreSpi storeSpi;
+
+ /** This implementation's provider. */
+ private Provider provider;
+
+ /** The name of this key store type. */
+ private String type;
+
+ /** The parameters used to initialize this instance, if any. */
+ private CertStoreParameters params;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new CertStore.
+ *
+ * @param storeSpi The underlying implementation.
+ * @param provider The provider of this implementation.
+ * @param type The type of CertStore this class represents.
+ * @param params The parameters used to initialize this instance, if any.
+ */
+ protected CertStore(CertStoreSpi storeSpi, Provider provider, String type,
+ CertStoreParameters params)
+ {
+ this.storeSpi = storeSpi;
+ this.provider = provider;
+ this.type = type;
+ this.params = params;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the default certificate store type.
+ *
+ * <p>This value can be set at run-time via the security property
+ * "certstore.type"; if not specified than the default type will be
+ * "LDAP".
+ *
+ * @return The default CertStore type.
+ */
+ public static final synchronized String getDefaultType()
+ {
+ String type = null;
+ type = (String) java.security.AccessController.doPrivileged(
+ new PrivilegedAction() {
+ public Object run() {
+ return Security.getProperty("certstore.type");
+ }
+ }
+ );
+ if (type == null)
+ type = "LDAP";
+ return type;
+ }
+
+ /**
+ * Get an instance of the given certificate store from the first
+ * installed provider.
+ *
+ * @param type The type of CertStore to create.
+ * @param params The parameters to initialize this cert store with.
+ * @return The new instance.
+ * @throws InvalidAlgorithmParameterException If the instance rejects
+ * the specified parameters.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the specified CertStore.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertStore getInstance(String type, CertStoreParameters params)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(type, params, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(type);
+ }
+
+ /**
+ * Get an instance of the given certificate store from the named
+ * provider.
+ *
+ * @param type The type of CertStore to create.
+ * @param params The parameters to initialize this cert store with.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return The new instance.
+ * @throws InvalidAlgorithmParameterException If the instance rejects
+ * the specified parameters.
+ * @throws NoSuchAlgorithmException If the specified provider does not
+ * implement the specified CertStore.
+ * @throws NoSuchProviderException If no provider named
+ * <i>provider</i> is installed.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertStore getInstance(String type, CertStoreParameters params,
+ String provider)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
+ NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+ return getInstance(type, params, p);
+ }
+
+ /**
+ * Get an instance of the given certificate store from the given
+ * provider.
+ *
+ * @param type The type of CertStore to create.
+ * @param params The parameters to initialize this cert store with.
+ * @param provider The provider from which to get the implementation.
+ * @return The new instance.
+ * @throws InvalidAlgorithmParameterException If the instance rejects
+ * the specified parameters.
+ * @throws NoSuchAlgorithmException If the specified provider does not
+ * implement the specified CertStore.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertStore getInstance(String type, CertStoreParameters params,
+ Provider provider)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+
+ try
+ {
+ return new CertStore((CertStoreSpi) Engine.getInstance(CERT_STORE,
+ type, provider, new Object[] { params }), provider, type, params);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(type);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ Throwable cause = ite.getCause();
+ if (cause instanceof InvalidAlgorithmParameterException)
+ throw (InvalidAlgorithmParameterException) cause;
+ else
+ throw new NoSuchAlgorithmException(type);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the type of certificate store this instance represents.
+ *
+ * @return The CertStore type.
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ * Return the provider of this implementation.
+ *
+ * @return The provider.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Get the parameters this instance was created with, if any. The
+ * parameters will be cloned before they are returned.
+ *
+ * @return The parameters, or null.
+ */
+ public final CertStoreParameters getCertStoreParameters()
+ {
+ return params != null ? (CertStoreParameters) params.clone() : null;
+ }
+
+ /**
+ * Get a collection of certificates from this CertStore, optionally
+ * filtered by the specified CertSelector. The Collection returned may
+ * be empty, but will never be null.
+ *
+ * <p>Implementations may not allow a null argument, even if no
+ * filtering is desired.
+ *
+ * @param selector The certificate selector.
+ * @return The collection of certificates.
+ * @throws CertStoreException If the certificates cannot be retrieved.
+ */
+ public final Collection getCertificates(CertSelector selector)
+ throws CertStoreException
+ {
+ return storeSpi.engineGetCertificates(selector);
+ }
+
+ /**
+ * Get a collection of certificate revocation lists from this CertStore,
+ * optionally filtered by the specified CRLSelector. The Collection
+ * returned may be empty, but will never be null.
+ *
+ * <p>Implementations may not allow a null argument, even if no
+ * filtering is desired.
+ *
+ * @param selector The certificate selector.
+ * @return The collection of certificate revocation lists.
+ * @throws CertStoreException If the CRLs cannot be retrieved.
+ */
+ public final Collection getCRLs(CRLSelector selector)
+ throws CertStoreException
+ {
+ return storeSpi.engineGetCRLs(selector);
+ }
+}
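Review bot: The protected constructor stores the caller's `params` reference as-is (`this.params = params;`), while `getCertStoreParameters()` clones on the way out, so a caller that keeps the original object can still change what this CertStore later reports as its parameters. Copying on the way in closes that gap: `this.params = params != null ? (CertStoreParameters) params.clone() : null;`. Whether the provider's CertStoreSpi, which receives the same object through `new Object[] { params }`, makes its own copy cannot be seen from this hunk. Separately, in `getInstance(String, CertStoreParameters, Provider)` the `InvocationTargetException` branch discards any cause other than InvalidAlgorithmParameterException; attaching it with `initCause(cause)` on the new NoSuchAlgorithmException would keep provider failures diagnosable.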
diff --git a/libjava/classpath/java/security/cert/CertStoreException.java b/libjava/classpath/java/security/cert/CertStoreException.java
new file mode 100644
index 00000000000..a4d8b7a46e1
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStoreException.java
@@ -0,0 +1,159 @@
+/* CertStoreException.java -- wraps an exception during certificate storage
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates a problem while retrieving certificates and CRLs from
+ * <code>CertStore</code>, wrapping the lower exception. This class is not
+ * thread-safe.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see CertStore
+ * @since 1.4
+ * @status updated to 1.4
+*/
+public class CertStoreException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 2395296107471573245L;
+
+ /**
+ * Create an exception without a message. The cause may be initialized.
+ */
+ public CertStoreException()
+ {
+ }
+
+ /**
+ * Create an exception with a message. The cause may be initialized.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertStoreException(String msg)
+ {
+ super(msg);
+ }
+
+ /**
+ * Create an exception with a cause. The message will be
+ * <code>cause == null ? null : cause.toString()</code>.
+ *
+ * @param cause the cause
+ */
+ public CertStoreException(Throwable cause)
+ {
+ this(cause == null ? null : cause.toString(), cause);
+ }
+
+ /**
+ * Create an exception with a cause and a message.
+ *
+ * @param msg the message
+ * @param cause the cause
+ */
+ public CertStoreException(String msg, Throwable cause)
+ {
+ super(msg);
+ initCause(cause);
+ }
+
+ /**
+ * Get the detail message.
+ *
+ * @return the detail message
+ */
+ public String getMessage()
+ {
+ return super.getMessage();
+ }
+
+ /**
+ * Get the cause, null if unknown.
+ *
+ * @return the cause
+ */
+ public Throwable getCause()
+ {
+ return super.getCause();
+ }
+
+ /**
+ * Convert this to a string, including its cause.
+ *
+ * @return the string conversion
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+
+ /**
+ * Print the stack trace to <code>System.err</code>.
+ */
+ public void printStackTrace()
+ {
+ super.printStackTrace();
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintStream stream)
+ {
+ super.printStackTrace(stream);
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintWriter stream)
+ {
+ super.printStackTrace(stream);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertStoreParameters.java b/libjava/classpath/java/security/cert/CertStoreParameters.java
new file mode 100644
index 00000000000..aab22f01fda
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStoreParameters.java
@@ -0,0 +1,60 @@
+/* CertStoreParameters -- interface to CertStore parameters.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Parameters used when creating instances of {@link CertStore}. This
+ * class does not define any methods (except a required cloneable
+ * interface) and is provided only to provide type safety for
+ * implementations. Concrete implementations implement this interface
+ * in accord with thier own needs.
+ *
+ * @see LDAPCertStoreParameters
+ * @see CollectionCertStoreParameters
+ */
+public interface CertStoreParameters extends Cloneable
+{
+
+ /**
+ * Create a copy of these parameters.
+ *
+ * @return The copy.
+ */
+ Object clone();
+}
diff --git a/libjava/classpath/java/security/cert/CertStoreSpi.java b/libjava/classpath/java/security/cert/CertStoreSpi.java
new file mode 100644
index 00000000000..eca0e866ca1
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStoreSpi.java
@@ -0,0 +1,102 @@
+/* CertStoreSpi -- certificate store service provider interface.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.util.Collection;
+
+/**
+ * The <i>service provider interface</i> (<b>SPI</b>) for the {@link
+ * CertStore} class.
+ *
+ * <p>Providers wishing to implement a CertStore must subclass this
+ * class, implementing all the abstract methods. Providers may also
+ * implement the {@link CertStoreParameters} interface, if they require
+ * parameters.
+ *
+ * @since JDK 1.4
+ * @see CertStore
+ * @see CollectionCertStoreParameters
+ * @see LDAPCertStoreParameters
+ */
+public abstract class CertStoreSpi
+{
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertStoreSpi.
+ *
+ * @param params The parameters to initialize this instance with, or
+ * null if no parameters are required.
+ * @throws InvalidAlgorithmParameterException If the specified
+ * parameters are inappropriate for this class.
+ */
+ public CertStoreSpi(CertStoreParameters params)
+ throws java.security.InvalidAlgorithmParameterException
+ {
+ super();
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Get the certificates from this store, filtering them through the
+ * specified CertSelector.
+ *
+ * @param selector The CertSelector to filter certificates.
+ * @return A (non-null) collection of certificates.
+ * @throws CertStoreException If the certificates cannot be retrieved.
+ */
+ public abstract Collection engineGetCertificates(CertSelector selector)
+ throws CertStoreException;
+
+ /**
+ * Get the certificate revocation list from this store, filtering them
+ * through the specified CRLSelector.
+ *
+ * @param selector The CRLSelector to filter certificate revocation
+ * lists.
+ * @return A (non-null) collection of certificate revocation list.
+ * @throws CertStoreException If the CRLs cannot be retrieved.
+ */
+ public abstract Collection engineGetCRLs(CRLSelector selector)
+ throws CertStoreException;
+}
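Review bot: The constructor Javadoc for `CertStoreSpi(CertStoreParameters params)` says the parameters initialize the instance and that inappropriate ones raise `InvalidAlgorithmParameterException`, but the body only calls `super()` and never reads `params`. A provider author could take that to mean the base class validates or keeps the parameters. I would add one sentence to that Javadoc, for example `This base constructor neither validates nor retains params; subclasses must check them and throw InvalidAlgorithmParameterException themselves.`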
diff --git a/libjava/classpath/java/security/cert/Certificate.java b/libjava/classpath/java/security/cert/Certificate.java
new file mode 100644
index 00000000000..f8456f97ae5
--- /dev/null
+++ b/libjava/classpath/java/security/cert/Certificate.java
@@ -0,0 +1,306 @@
+/* Certificate.java --- Certificate class
+ Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.InvalidObjectException;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.SignatureException;
+
+/**
+ * The Certificate class is an abstract class used to manage
+ * identity certificates. An identity certificate is a
+ * combination of a principal and a public key which is
+ * certified by another principal. This is the puprose of
+ * Certificate Authorities (CA).
+ *
+ * <p>This class is used to manage different types of certificates
+ * but have important common puposes. Different types of
+ * certificates like X.509 and OpenPGP share general certificate
+ * functions (like encoding and verifying) and information like
+ * public keys.
+ *
+ * <p>X.509, OpenPGP, and SDSI can be implemented by subclassing this
+ * class even though they differ in storage methods and information
+ * stored.
+ *
+ * @see CertificateFactory
+ * @see X509Certificate
+ * @since JDK 1.2
+ * @author Mark Benvenuto
+ * @author Casey Marshall
+ */
+public abstract class Certificate implements Serializable
+{
+ private static final long serialVersionUID = -6751606818319535583L;
+
+ private String type;
+
+ /**
+ Constructs a new certificate of the specified type. An example
+ is "X.509".
+
+ @param type a valid standard name for a certificate.
+ */
+ protected Certificate(String type)
+ {
+ this.type = type;
+ }
+
+ /**
+ Returns the Certificate type.
+
+ @return a string representing the Certificate type
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ Compares this Certificate to other. It checks if the
+ object if instanceOf Certificate and then checks if
+ the encoded form matches.
+
+ @param other An Object to test for equality
+
+ @return true if equal, false otherwise
+ */
+ public boolean equals(Object other)
+ {
+ if( other instanceof Certificate ) {
+ try {
+ Certificate x = (Certificate) other;
+ if( getEncoded().length != x.getEncoded().length )
+ return false;
+
+ byte[] b1 = getEncoded();
+ byte[] b2 = x.getEncoded();
+
+ for( int i = 0; i < b1.length; i++ )
+ if( b1[i] != b2[i] )
+ return false;
+
+ } catch( CertificateEncodingException cee ) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ Returns a hash code for this Certificate in its encoded
+ form.
+
+ @return A hash code of this class
+ */
+ public int hashCode()
+ {
+ return super.hashCode();
+ }
+
+ /**
+ Gets the DER ASN.1 encoded format for this Certificate.
+ It assumes each certificate has only one encoding format.
+ Ex: X.509 is encoded as ASN.1 DER
+
+ @return byte array containg encoded form
+
+ @throws CertificateEncodingException if an error occurs
+ */
+ public abstract byte[] getEncoded() throws CertificateEncodingException;
+
+ /**
+ Verifies that this Certificate was properly signed with the
+ PublicKey that corresponds to its private key.
+
+ @param key PublicKey to verify with
+
+ @throws CertificateException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException no provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key)
+ throws CertificateException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Verifies that this Certificate was properly signed with the
+ PublicKey that corresponds to its private key and uses
+ the signature engine provided by the provider.
+
+ @param key PublicKey to verify with
+ @param sigProvider Provider to use for signature algorithm
+
+ @throws CertificateException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException incorrect provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key,
+ String sigProvider)
+ throws CertificateException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Returns a string representing the Certificate.
+
+ @return a string representing the Certificate.
+ */
+ public abstract String toString();
+
+
+ /**
+ Returns the public key stored in the Certificate.
+
+ @return The public key
+ */
+ public abstract PublicKey getPublicKey();
+
+ // Protected methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns a replacement for this certificate to be serialized. This
+ * method returns the equivalent to the following for this class:
+ *
+ * <blockquote>
+ * <pre>new CertificateRep(getType(), getEncoded());</pre>
+ * </blockquote>
+ *
+ * <p>This thusly replaces the certificate with its name and its
+ * encoded form, which can be deserialized later with the {@link
+ * CertificateFactory} implementation for this certificate's type.
+ *
+ * @return The replacement object to be serialized.
+ * @throws ObjectStreamException If the replacement could not be
+ * created.
+ */
+ protected Object writeReplace() throws ObjectStreamException
+ {
+ try
+ {
+ return new CertificateRep(getType(), getEncoded());
+ }
+ catch (CertificateEncodingException cee)
+ {
+ throw new InvalidObjectException(cee.toString());
+ }
+ }
+
+ // Inner class.
+ // ------------------------------------------------------------------------
+
+ /**
+ Certificate.CertificateRep is an inner class used to provide an alternate
+ storage mechanism for serialized Certificates.
+ */
+ protected static class CertificateRep implements java.io.Serializable
+ {
+
+ /** From JDK1.4. */
+ private static final long serialVersionUID = -8563758940495660020L;
+
+ /** The certificate type, e.g. "X.509". */
+ private String type;
+
+ /** The encoded certificate data. */
+ private byte[] data;
+
+ /**
+ * Create an alternative representation of this certificate. The
+ * <code>(type, data)</code> pair is typically the certificate's
+ * type as returned by {@link Certificate#getType()} (i.e. the
+ * canonical name of the certificate type) and the encoded form as
+ * returned by {@link Certificate#getEncoded()}.
+ *
+ * <p>For example, X.509 certificates would create an instance of
+ * this class with the parameters "X.509" and the ASN.1
+ * representation of the certificate, encoded as DER bytes.
+ *
+ * @param type The certificate type.
+ * @param data The encoded certificate data.
+ */
+ protected CertificateRep(String type, byte[] data)
+ {
+ this.type = type;
+ this.data = data;
+ }
+
+ /**
+ * Deserialize this certificate replacement into the appropriate
+ * certificate object. That is, this method attempts to create a
+ * {@link CertificateFactory} for this certificate's type, then
+ * attempts to parse the encoded data with that factory, returning
+ * the resulting certificate.
+ *
+ * @return The deserialized certificate.
+ * @throws ObjectStreamException If there is no appropriate
+ * certificate factory for the given type, or if the encoded form
+ * cannot be parsed.
+ */
+ protected Object readResolve() throws ObjectStreamException
+ {
+ try
+ {
+ CertificateFactory fact = CertificateFactory.getInstance(type);
+ return fact.generateCertificate(new ByteArrayInputStream(data));
+ }
+ catch (Exception e)
+ {
+ throw new InvalidObjectException(e.toString());
+ }
+ }
+ }
+}
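Review bot: `hashCode()` returns `super.hashCode()` while `equals()` in the same class compares the encoded bytes, so two Certificate objects that compare equal will normally hash differently. That breaks the equals/hashCode contract, and a hash-based collection of certificates (a trusted set, a cache keyed by certificate) can miss an entry that was re-parsed or deserialized from the same encoding. The Javadoc on the method already promises a hash of the encoded form. Deriving the value from `getEncoded()` fixes it, and a fixed value on an encoding failure stays consistent because `equals()` returns false in that case. Separately, `equals()` calls `getEncoded()` twice per side and could fetch each array once.

```java
  public int hashCode()
  {
    try
      {
        // Hash the same bytes equals() compares, so equal certificates
        // land in the same bucket.
        byte[] enc = getEncoded();
        int h = 0;
        for (int i = 0; i < enc.length; i++)
          h = 31 * h + enc[i];
        return h;
      }
    catch (CertificateEncodingException cee)
      {
        // equals() reports false when encoding fails; any constant is valid.
        return 0;
      }
  }
```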
diff --git a/libjava/classpath/java/security/cert/CertificateEncodingException.java b/libjava/classpath/java/security/cert/CertificateEncodingException.java
new file mode 100644
index 00000000000..0bb0c26d358
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateEncodingException.java
@@ -0,0 +1,71 @@
+/* CertificateEncodingException.java -- Certificate Encoding Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for a Certificate Encoding.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class CertificateEncodingException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 6219492851589449162L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateEncodingException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg A message to display with exception
+ */
+ public CertificateEncodingException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateException.java b/libjava/classpath/java/security/cert/CertificateException.java
new file mode 100644
index 00000000000..3e075ddaf35
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateException.java
@@ -0,0 +1,74 @@
+/* CertificateException.java -- Certificate Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception for a Certificate.
+ *
+ * @author Mark Benvenuto
+ * @see Certificate
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class CertificateException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 3192535253797119798L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertificateException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateExpiredException.java b/libjava/classpath/java/security/cert/CertificateExpiredException.java
new file mode 100644
index 00000000000..5b37142b5ec
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateExpiredException.java
@@ -0,0 +1,71 @@
+/* CertificateExpiredException.java --- Certificate Expired Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for a Certificate Expiring.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class CertificateExpiredException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 9071001339691533771L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateExpiredException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertificateExpiredException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateFactory.java b/libjava/classpath/java/security/cert/CertificateFactory.java
new file mode 100644
index 00000000000..aedeff53573
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateFactory.java
@@ -0,0 +1,358 @@
+/* CertificateFactory.java -- Certificate Factory Class
+ Copyright (C) 1999, 2002, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * This class implements the CertificateFactory class interface used to
+ * generate certificates, certificate revocation lists (CRLs), and certificate
+ * paths objects from their encoded forms.
+ *
+ * @author Mark Benvenuto
+ * @author Casey Marshall
+ * @since JDK 1.2
+ * @status Fully compatible with JDK 1.4.
+ */
+public class CertificateFactory
+{
+
+ /** The service name for certificate factories. */
+ private static final String CERTIFICATE_FACTORY = "CertificateFactory";
+
+ private CertificateFactorySpi certFacSpi;
+ private Provider provider;
+ private String type;
+
+ /**
+ * Creates an instance of CertificateFactory.
+ *
+ * @param certFacSpi The underlying CertificateFactory engine.
+ * @param provider The provider of this implementation.
+ * @param type The type of Certificate this factory creates.
+ */
+ protected CertificateFactory(CertificateFactorySpi certFacSpi,
+ Provider provider, String type)
+ {
+ this.certFacSpi = certFacSpi;
+ this.provider = provider;
+ this.type = type;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Gets an instance of the CertificateFactory class representing
+ * the specified certificate factory. If the type is not
+ * found then, it throws CertificateException.
+ *
+ * @param type The type of certificate factory to create.
+ * @return a CertificateFactory repesenting the desired type
+ * @throws CertificateException If the type of certificate is not
+ * implemented by any installed provider.
+ */
+ public static final CertificateFactory getInstance(String type)
+ throws CertificateException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(type, p[i]);
+ }
+ catch (CertificateException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new CertificateException(type);
+ }
+
+ /**
+ * Gets an instance of the CertificateFactory class representing
+ * the specified certificate factory from the specified provider.
+ * If the type is not found then, it throws {@link CertificateException}.
+ * If the provider is not found, then it throws
+ * {@link java.security.NoSuchProviderException}.
+ *
+ * @param type The type of certificate factory to create.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return A CertificateFactory for the desired type.
+ * @throws CertificateException If the type of certificate is not
+ * implemented by the named provider.
+ * @throws NoSuchProviderException If the named provider is not installed.
+ */
+ public static final CertificateFactory getInstance(String type,
+ String provider)
+ throws CertificateException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if( p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(type, p);
+ }
+
+ /**
+ * Get a certificate factory for the given certificate type from the
+ * given provider.
+ *
+ * @param type The type of certificate factory to create.
+ * @param provider The provider from which to get the implementation.
+ * @return A CertificateFactory for the desired type.
+ * @throws CertificateException If the type of certificate is not
+ * implemented by the provider.
+ * @throws IllegalArgumentException If the provider is null.
+ */
+ public static final CertificateFactory getInstance(String type,
+ Provider provider)
+ throws CertificateException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+
+ try
+ {
+ return new CertificateFactory((CertificateFactorySpi)
+ Engine.getInstance(CERTIFICATE_FACTORY, type, provider),
+ provider, type);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new CertificateException(type);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new CertificateException(type);
+ }
+ catch (NoSuchAlgorithmException nsae)
+ {
+ throw new CertificateException(nsae.getMessage());
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Gets the provider of this implementation.
+ *
+ * @return The provider of this implementation.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Returns the type of the certificate this factory creates.
+ *
+ * @return A string with the type of certificate
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ * Generates a Certificate from the encoded data read
+ * from an InputStream.
+ *
+ * <p>The input stream must contain only one certificate.
+ *
+ * <p>If there exists a specialized certificate class for the
+ * certificate format handled by the certificate factory
+ * then the return Ceritificate should be a typecast of it.
+ * Ex: A X.509 CertificateFactory should return X509Certificate.
+ *
+ * <p>For X.509 certificates, the certificate in inStream must be
+ * DER encoded and supplied in binary or printable (Base64)
+ * encoding. If the certificate is in Base64 encoding, it must be
+ * bounded by -----BEGINCERTIFICATE-----, and
+ * -----END CERTIFICATE-----.
+ *
+ * @param inStream An input stream containing the certificate data.
+ * @return A certificate initialized from the decoded InputStream data.
+ * @throws CertificateException If an error occurs decoding the
+ * certificate.
+ */
+ public final Certificate generateCertificate(InputStream inStream)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertificate(inStream);
+ }
+
+ /**
+ * Returns a collection of certificates that were read from the
+ * input stream. It may be empty, have only one, or have
+ * multiple certificates.
+ *
+ * For a X.509 certificate factory, the stream may contain a
+ * single DER encoded certificate or a PKCS#7 certificate
+ * chain. This is a PKCS#7 <I>SignedData</I> object with the
+ * most significant field being <I>certificates</I>. If no
+ * CRLs are present, then an empty collection is returned.
+ *
+ * @param inStream An input stream containing the certificate data.
+ * @return A collection of certificates initialized from the decoded
+ * InputStream data.
+ * @throws CertificateException If an error occurs decoding the
+ * certificates.
+ */
+ public final Collection generateCertificates(InputStream inStream)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertificates(inStream);
+ }
+
+ /**
+ * Generates a CRL based on the encoded data read
+ * from the InputStream.
+ *
+ * <p>The input stream must contain only one CRL.
+ *
+ * <p>If there exists a specialized CRL class for the
+ * CRL format handled by the certificate factory
+ * then the return CRL should be a typecast of it.
+ * Ex: A X.509 CertificateFactory should return X509CRL.
+ *
+ * @param inStream An input stream containing the CRL data.
+ * @return A CRL initialized from the decoded InputStream data.
+ * @throws CRLException If an error occurs decoding the CRL.
+ */
+ public final CRL generateCRL(InputStream inStream)
+ throws CRLException
+ {
+ return certFacSpi.engineGenerateCRL(inStream);
+ }
+
+ /**
+ * <p>Generates CRLs based on the encoded data read
+ * from the InputStream.
+ *
+ * <p>For a X.509 certificate factory, the stream may contain a
+ * single DER encoded CRL or a PKCS#7 CRL set. This is a
+ * PKCS#7 <I>SignedData</I> object with the most significant
+ * field being <I>crls</I>. If no CRLs are present, then an
+ * empty collection is returned.
+ *
+ * @param inStream an input stream containing the CRLs.
+ * @return a collection of CRLs initialized from the decoded
+ * InputStream data.
+ * @throws CRLException If an error occurs decoding the CRLs.
+ */
+ public final Collection generateCRLs(InputStream inStream)
+ throws CRLException
+ {
+ return certFacSpi.engineGenerateCRLs( inStream );
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream. The default encoding of this factory is used.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public final CertPath generateCertPath(InputStream inStream)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertPath(inStream);
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream, using the specified encoding.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @param encoding The encoding of the InputStream data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public final CertPath generateCertPath(InputStream inStream, String encoding)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertPath(inStream, encoding);
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with the certificates
+ * in the {@link java.util.List} argument.
+ *
+ * @param certificates The list of certificates with which to create
+ * the CertPath.
+ * @return A CertPath initialized from the certificates.
+ * @throws CertificateException If an error occurs generating the
+ * CertPath.
+ */
+ public final CertPath generateCertPath(List certificates)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertPath(certificates);
+ }
+
+ /**
+ * Returns an Iterator of CertPath encodings supported by this
+ * factory, with the default encoding first. The returned Iterator
+ * cannot be modified.
+ *
+ * @return The Iterator of supported encodings.
+ */
+ public final Iterator getCertPathEncodings()
+ {
+ return certFacSpi.engineGetCertPathEncodings();
+ }
+} // class CertificateFactory
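Review bot: In `getInstance(String type, Provider provider)` the `InvocationTargetException` handler throws `new CertificateException(type)` and discards the caught exception. A provider whose factory implementation failed while being constructed (presumably what `Engine.getInstance` reports this way) then looks the same as a provider that does not implement the type. `getInstance(String type)` in turn ignores every per-provider `CertificateException`, leaving the caller with only the type name. Keeping the cause makes a broken or misconfigured provider diagnosable: `CertificateException ce = new CertificateException(type);` `ce.initCause(ite.getCause());` `throw ce;`.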
diff --git a/libjava/classpath/java/security/cert/CertificateFactorySpi.java b/libjava/classpath/java/security/cert/CertificateFactorySpi.java
new file mode 100644
index 00000000000..beea9646a67
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateFactorySpi.java
@@ -0,0 +1,225 @@
+/* CertificateFactorySpi.java --- Certificate Factory Class
+ Copyright (C) 1999,2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.InputStream;
+
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ CertificateFactorySpi is the abstract class Service Provider
+ Interface (SPI) for the CertificateFactory class. A provider
+ must implement all the abstract methods if they wish to
+ supply a certificate factory for a particular certificate
+ type. Ex: X.509
+
+ Certificate factories are used to generate certificates and
+ certificate revocation lists (CRL) from their encoding.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+ */
+public abstract class CertificateFactorySpi
+{
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Constructs a new CertificateFactorySpi
+ */
+ public CertificateFactorySpi()
+ {}
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ Generates a Certificate based on the encoded data read
+ from the InputStream.
+
+ The input stream must contain only one certificate.
+
+ If there exists a specialized certificate class for the
+ certificate format handled by the certificate factory
+ then the return Ceritificate should be a typecast of it.
+ Ex: A X.509 CertificateFactory should return X509Certificate.
+
+ For X.509 certificates, the certificate in inStream must be
+ DER encoded and supplied in binary or printable (Base64)
+ encoding. If the certificate is in Base64 encoding, it must be
+ bounded by -----BEGIN CERTIFICATE-----, and
+ -----END CERTIFICATE-----.
+
+ @param inStream an input stream containing the certificate data
+
+ @return a certificate initialized with InputStream data.
+
+ @throws CertificateException Certificate parsing error
+ */
+ public abstract Certificate engineGenerateCertificate(InputStream inStream)
+ throws CertificateException;
+
+ /**
+ Returns a collection of certificates that were read from the
+ input stream. It may be empty, have only one, or have
+ multiple certificates.
+
+ For a X.509 certificate factory, the stream may contain a
+ single DER encoded certificate or a PKCS#7 certificate
+ chain. This is a PKCS#7 <I>SignedData</I> object with the
+ most significant field being <I>certificates</I>. If no
+ CRLs are present, then an empty collection is returned.
+
+ @param inStream an input stream containing the certificates
+
+ @return a collection of certificates initialized with
+ the InputStream data.
+
+ @throws CertificateException Certificate parsing error
+ */
+ public abstract Collection engineGenerateCertificates(InputStream inStream)
+ throws CertificateException;
+
+ /**
+ Generates a CRL based on the encoded data read
+ from the InputStream.
+
+ The input stream must contain only one CRL.
+
+ If there exists a specialized CRL class for the
+ CRL format handled by the certificate factory
+ then the return CRL should be a typecast of it.
+ Ex: A X.509 CertificateFactory should return X509CRL.
+
+ @param inStream an input stream containing the CRL data
+
+ @return a CRL initialized with InputStream data.
+
+ @throws CRLException CRL parsing error
+ */
+ public abstract CRL engineGenerateCRL(InputStream inStream)
+ throws CRLException;
+
+ /**
+ Generates CRLs based on the encoded data read
+ from the InputStream.
+
+ For a X.509 certificate factory, the stream may contain a
+ single DER encoded CRL or a PKCS#7 CRL set. This is a
+ PKCS#7 <I>SignedData</I> object with the most significant
+ field being <I>crls</I>. If no CRLs are present, then an
+ empty collection is returned.
+
+ @param inStream an input stream containing the CRLs
+
+ @return a collection of CRLs initialized with
+ the InputStream data.
+
+ @throws CRLException CRL parsing error
+ */
+ public abstract Collection engineGenerateCRLs(InputStream inStream)
+ throws CRLException;
+
+ // 1.4 instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream. The default encoding of this factory is used.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public CertPath engineGenerateCertPath(InputStream inStream)
+ throws CertificateException
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream, using the specified encoding.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @param encoding The encoding of the InputStream data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public CertPath engineGenerateCertPath(InputStream inStream, String encoding)
+ throws CertificateException
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with the certificates
+ * in the {@link java.util.List} argument.
+ *
+ * @param certificates The list of certificates with which to create
+ * the CertPath.
+ * @return A CertPath initialized from the certificates.
+ * @throws CertificateException If an error occurs generating the
+ * CertPath.
+ */
+ public CertPath engineGenerateCertPath(List certificates)
+ throws CertificateException
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ /**
+ * Returns an Iterator of CertPath encodings supported by this
+ * factory, with the default encoding first. The returned Iterator
+ * cannot be modified.
+ *
+ * @return The Iterator of supported encodings.
+ */
+ public Iterator engineGetCertPathEncodings()
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+}
+
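Review bot: The Javadoc of `engineGenerateCertificates` ends with "If no CRLs are present, then an empty collection is returned", which looks copied from `engineGenerateCRLs`. For the certificate method it should read `If no certificates are present, then an empty collection is returned.` Provider authors implement against this text, and callers depend on the empty-versus-exception behaviour to tell whether a chain was supplied at all. Separately, the non-abstract `engineGenerateCertPath` overloads and `engineGetCertPathEncodings` throw `UnsupportedOperationException` by default, which their Javadoc does not mention; adding `@throws UnsupportedOperationException If the provider does not override this method.` would document it.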
diff --git a/libjava/classpath/java/security/cert/CertificateNotYetValidException.java b/libjava/classpath/java/security/cert/CertificateNotYetValidException.java
new file mode 100644
index 00000000000..dfb4b483785
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateNotYetValidException.java
@@ -0,0 +1,71 @@
+/* CertificateNotYetValidException.java -- Certificate Not Yet Valid Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for a Certificate that is not yet valid.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class CertificateNotYetValidException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 4355919900041064702L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateNotYetValidException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg A message to display with exception
+ */
+ public CertificateNotYetValidException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateParsingException.java b/libjava/classpath/java/security/cert/CertificateParsingException.java
new file mode 100644
index 00000000000..61faa44386e
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateParsingException.java
@@ -0,0 +1,71 @@
+/* CertificateParsingException.java -- Certificate Parsing Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for parsing a DER-encoded Certificate.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class CertificateParsingException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = -7989222416793322029L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateParsingException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertificateParsingException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CollectionCertStoreParameters.java b/libjava/classpath/java/security/cert/CollectionCertStoreParameters.java
new file mode 100644
index 00000000000..bac1e3b3e4f
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CollectionCertStoreParameters.java
@@ -0,0 +1,121 @@
+/* CollectionCertStoreParameters -- collection-based cert store parameters
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+
+/**
+ * An implementation of {@link CertStoreParameters} with a simple,
+ * in-memory {@link Collection} of certificates and certificate
+ * revocation list.
+ *
+ * <p>Note that this class is not thread-safe, and its underlying
+ * collection may be changed at any time.
+ *
+ * @see CertStore
+ */
+public class CollectionCertStoreParameters implements CertStoreParameters
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** The underlying collection. */
+ private final Collection collection;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CollectionCertStoreParameters with an empty,
+ * immutable collection.
+ */
+ public CollectionCertStoreParameters()
+ {
+ this(Collections.EMPTY_LIST);
+ }
+
+ /**
+ * Create a new CollectionCertStoreParameters with the specified
+ * collection. The argument is not copied, and subsequent changes to
+ * the collection will change this class's collection.
+ *
+ * @param collection The collection.
+ * @throws NullPointerException If <i>collection</i> is null.
+ */
+ public CollectionCertStoreParameters(Collection collection)
+ {
+ if (collection == null)
+ throw new NullPointerException();
+ this.collection = collection;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ public Object clone()
+ {
+ return new CollectionCertStoreParameters(new ArrayList(collection));
+ }
+
+ /**
+ * Return the underlying collection. The collection is not copied
+ * before being returned, so callers may update the collection that is
+ * returned.
+ *
+ * @return The collection.
+ */
+ public Collection getCollection()
+ {
+ return collection;
+ }
+
+ /**
+ * Return a string representation of these parameters.
+ *
+ * @return The string representation of these parameters.
+ */
+ public String toString()
+ {
+ return "CollectionCertStoreParameters: [ collection: "
+ + collection + " ]";
+ }
+}
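Review bot: `clone()` has no Javadoc, and its aliasing differs from the rest of the class: the constructor and `getCollection()` share the caller's collection by reference, while `clone()` copies the elements into a new `ArrayList`. Whether a later change to the original collection (for example a newly added CRL) is seen therefore depends on whether a consumer holds the original or a clone, and the documentation does not say which. I would add a comment such as `/** Returns a copy backed by a new list holding the current elements; later changes to the original collection are not reflected in the copy. */`. If consumers are expected to see live updates through a clone, the copy itself needs revisiting, which cannot be judged from this hunk.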
diff --git a/libjava/classpath/java/security/cert/LDAPCertStoreParameters.java b/libjava/classpath/java/security/cert/LDAPCertStoreParameters.java
new file mode 100644
index 00000000000..4414e65a092
--- /dev/null
+++ b/libjava/classpath/java/security/cert/LDAPCertStoreParameters.java
@@ -0,0 +1,140 @@
+/* LDAPCertStoreParameters.java -- LDAP CertStore parameters.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Parameters for CertStores that are retrieved via the <i>lightweight
+ * directory access protocol</i> (<b>LDAP</b>).
+ *
+ * @see CertStore
+ */
+public class LDAPCertStoreParameters implements CertStoreParameters
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** The default LDAP port. */
+ private static final int LDAP_PORT = 389;
+
+ /** The server name. */
+ private final String serverName;
+
+ /** The LDAP port. */
+ private final int port;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new LDAPCertStoreParameters object, with a servername of
+ * "localhost" and a port of 389.
+ */
+ public LDAPCertStoreParameters()
+ {
+ this("localhost", LDAP_PORT);
+ }
+
+ /**
+ * Create a new LDAPCertStoreParameters object, with a specified
+ * server name and a port of 389.
+ *
+ * @param serverName The LDAP server name.
+ * @throws NullPointerException If <i>serverName</i> is null.
+ */
+ public LDAPCertStoreParameters(String serverName)
+ {
+ this(serverName, LDAP_PORT);
+ }
+
+ /**
+ * Create a new LDAPCertStoreParameters object, with a specified
+ * server name and port.
+ *
+ * @param serverName The LDAP server name.
+ * @param port The LDAP port.
+ * @throws NullPointerException If <i>serverName</i> is null.
+ */
+ public LDAPCertStoreParameters(String serverName, int port)
+ {
+ if (serverName == null)
+ throw new NullPointerException();
+ this.serverName = serverName;
+ this.port = port;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ public Object clone()
+ {
+ return new LDAPCertStoreParameters(serverName, port);
+ }
+
+ /**
+ * Return the server name.
+ *
+ * @return The server name.
+ */
+ public String getServerName()
+ {
+ return serverName;
+ }
+
+ /**
+ * Return the port.
+ *
+ * @return the port.
+ */
+ public int getPort()
+ {
+ return port;
+ }
+
+ /**
+ * Return a string representation of these parameters.
+ *
+ * @return The string representation of these parameters.
+ */
+ public String toString()
+ {
+ return "LDAPCertStoreParameters: [ serverName: " + serverName
+ + "; port: " + port + " ]";
+ }
+}
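Review bot: The two-argument constructor checks `serverName` for null but stores `port` unchecked, so a negative value or one above 65535 is accepted and can only fail later in whatever code opens the connection. If range-checking here would break compatibility with the reference API, the Javadoc should at least say so, e.g. `@param port The LDAP port; the value is not range-checked.` `clone()` also lacks a Javadoc comment.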
diff --git a/libjava/classpath/java/security/cert/PKIXBuilderParameters.java b/libjava/classpath/java/security/cert/PKIXBuilderParameters.java
new file mode 100644
index 00000000000..38b3df5e78a
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXBuilderParameters.java
@@ -0,0 +1,145 @@
+/* PKIXBuilderParameters.java -- parameters for PKIX cert path builders
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import java.util.Set;
+
+/**
+ * Parameters for building certificate paths using the PKIX algorithm.
+ *
+ * @see CertPathBuilder
+ */
+public class PKIXBuilderParameters extends PKIXParameters
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The maximum path length. */
+ private int maxPathLength;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new PKIXBuilderParameters object, populating the trusted
+ * certificates set with all X.509 certificates found in the given key
+ * store. All certificates found in the key store are assumed to be
+ * trusted by this constructor.
+ *
+ * @param keystore The key store.
+ * @param targetConstraints The target certificate constraints.
+ * @throws KeyStoreException If the certificates cannot be retrieved
+ * from the key store.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the key store.
+ * @throws NullPointerException If <i>keystore</i> is null.
+ */
+ public PKIXBuilderParameters(KeyStore keystore,
+ CertSelector targetConstraints)
+ throws KeyStoreException, InvalidAlgorithmParameterException
+ {
+ super(keystore);
+ setTargetCertConstraints(targetConstraints);
+ maxPathLength = 5;
+ }
+
+ /**
+ * Create a new PKIXBuilderParameters object, populating the trusted
+ * certificates set with the elements of the given set, each of which
+ * must be a {@link TrustAnchor}.
+ *
+ * @param trustAnchors The set of trust anchors.
+ * @param targetConstraints The target certificate constraints.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the set.
+ * @throws NullPointerException If <i>trustAnchors</i> is null.
+ * @throws ClassCastException If every element in <i>trustAnchors</i>
+ * is not a {@link TrustAnchor}.
+ */
+ public PKIXBuilderParameters(Set trustAnchors, CertSelector targetConstraints)
+ throws InvalidAlgorithmParameterException
+ {
+ super(trustAnchors);
+ setTargetCertConstraints(targetConstraints);
+ maxPathLength = 5;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the maximum length of certificate paths to build.
+ *
+ * <p>If this value is 0 it is taken to mean that the certificate path
+ * should contain only one certificate. A value of -1 means that the
+ * certificate path length is unconstrained. The default value is 5.
+ *
+ * @return The maximum path length.
+ */
+ public int getMaxPathLength()
+ {
+ return maxPathLength;
+ }
+
+ /**
+ * Sets the maximum length of certificate paths to build.
+ *
+ * @param maxPathLength The new path length.
+ * @throws IllegalArgumentException If <i>maxPathLength</i> is less
+ * than -1.
+ */
+ public void setMaxPathLength(int maxPathLength)
+ {
+ if (maxPathLength < -1)
+ throw new IllegalArgumentException();
+ this.maxPathLength = maxPathLength;
+ }
+
+ public String toString()
+ {
+ StringBuffer buf = new StringBuffer(super.toString());
+ buf.insert(buf.length() - 2, "; Max Path Length=" + maxPathLength);
+ return buf.toString();
+ }
+}
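Review bot: `toString()` inserts at `buf.length() - 2`, which assumes `super.toString()` always ends in a two-character closing suffix; `PKIXParameters.toString()` is outside this hunk, so that cannot be confirmed here. If the superclass string is ever shorter than two characters, the insert throws `StringIndexOutOfBoundsException`, and a throwing `toString()` tends to surface inside logging and error-reporting paths. Clamping the offset removes the exception without changing the normal output: `buf.insert(Math.max(0, buf.length() - 2), "; Max Path Length=" + maxPathLength);`. The same pattern appears in `PKIXCertPathBuilderResult.toString()` in the next file of this diff, and a short comment naming the expected suffix would help in both places.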
diff --git a/libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java b/libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java
new file mode 100644
index 00000000000..5091dd41298
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java
@@ -0,0 +1,102 @@
+/* PKIXCertPathBuilderResult.java -- PKIX cert path bulider result
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * The result of calling the {@link
+ * CertPathBuilder#build(java.security.cert.CertPathParameters)} method
+ * of PKIX {@link CertPathBuilder}s.
+ *
+ * @see CertPathBuilder
+ * @see CertPathBuilderResult
+ */
+public class PKIXCertPathBuilderResult extends PKIXCertPathValidatorResult
+ implements CertPathBuilderResult
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The certificate path. */
+ private CertPath certPath;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new PKIXCertPathBuilderResult.
+ *
+ * @param certPath The certificate path.
+ * @param trustAnchor The trust anchor.
+ * @param policyTree The root node of the policy tree.
+ * @param subjectPublicKey The public key.
+ * @throws NullPointerException If <i>certPath</i>, <i>trustAnchor</i> or
+ * <i>subjectPublicKey</i> is null.
+ */
+ public PKIXCertPathBuilderResult(CertPath certPath,
+ TrustAnchor trustAnchor,
+ PolicyNode policyTree,
+ java.security.PublicKey subjectPublicKey)
+ {
+ super(trustAnchor, policyTree, subjectPublicKey);
+ if (certPath == null)
+ throw new NullPointerException();
+ this.certPath = certPath;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the certificate path that was built.
+ *
+ * @return The certificate path that was built.
+ */
+ public CertPath getCertPath()
+ {
+ return certPath;
+ }
+
+ public String toString()
+ {
+ StringBuffer buf = new StringBuffer(super.toString());
+ buf.insert(buf.length() - 2, "; CertPath=" + certPath);
+ return buf.toString();
+ }
+}
diff --git a/libjava/classpath/java/security/cert/PKIXCertPathChecker.java b/libjava/classpath/java/security/cert/PKIXCertPathChecker.java
new file mode 100644
index 00000000000..7a33576e1bb
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXCertPathChecker.java
@@ -0,0 +1,133 @@
+/* PKIXCertPathChecker.java -- checks X.509 certificate paths.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.util.Collection;
+import java.util.Set;
+
+/**
+ * A validator for X.509 certificates when approving certificate chains.
+ *
+ * <p>Concrete subclasses can be passed to the {@link
+ * PKIXParameters#setCertPathCheckers(java.util.List)} and {@link
+ * PKIXParameters#addCertPathChecker(java.security.cert.PKIXCertPathChecker}
+ * methods, which are then used to set up PKIX certificate chain
+ * builders or validators. These classes then call the {@link
+ * #check(java.security.cert.Certificate,java.util.Collection)} method
+ * of this class, performing whatever checks on the certificate,
+ * throwing an exception if any check fails.
+ *
+ * <p>Subclasses of this must be able to perform their checks in the
+ * backward direction -- from the most-trusted certificate to the target
+ * -- and may optionally support forward checking -- from the target to
+ * the most-trusted certificate.
+ *
+ * @see PKIXParameters
+ */
+public abstract class PKIXCertPathChecker implements Cloneable
+{
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /** Default constructor. */
+ protected PKIXCertPathChecker()
+ {
+ super();
+ }
+
+ // Cloneable interface.
+ // ------------------------------------------------------------------------
+
+ public Object clone()
+ {
+ try
+ {
+ return super.clone();
+ }
+ catch (CloneNotSupportedException cnse)
+ {
+ throw new InternalError(cnse.getMessage());
+ }
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Initialize this PKIXCertPathChecker. If subclasses support forward
+ * checking, a value of true can be passed to this method, and
+ * certificates can be validated from the target certificate to the
+ * most-trusted certifcate.
+ *
+ * @param forward The direction of this PKIXCertPathChecker.
+ * @throws CertPathValidatorException If <i>forward</i> is true and
+ * this class does not support forward checking.
+ */
+ public abstract void init(boolean forward) throws CertPathValidatorException;
+
+ /**
+ * Returns whether or not this class supports forward checking.
+ *
+ * @return Whether or not this class supports forward checking.
+ */
+ public abstract boolean isForwardCheckingSupported();
+
+ /**
+ * Returns an immutable set of X.509 extension object identifiers (OIDs)
+ * supported by this PKIXCertPathChecker.
+ *
+ * @return An immutable set of Strings of the supported X.509 OIDs, or
+ * null if no extensions are supported.
+ */
+ public abstract Set getSupportedExtensions();
+
+ /**
+ * Checks a certificate, removing any critical extensions that are
+ * resolved in this check.
+ *
+ * @param cert The certificate to check.
+ * @param unresolvedCritExts The (mutable) collection of as-of-yet
+ * unresolved critical extensions, as OID strings.
+ * @throws CertPathValidatorException If this certificate fails this
+ * check.
+ */
+ public abstract void check(Certificate cert, Collection unresolvedCritExts)
+ throws CertPathValidatorException;
+}
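Review bot: The class Javadoc has a malformed link, `{@link PKIXParameters#addCertPathChecker(java.security.cert.PKIXCertPathChecker}`, which is missing the closing parenthesis of the parameter list and will not resolve; it should read `{@link PKIXParameters#addCertPathChecker(java.security.cert.PKIXCertPathChecker)}`. `clone()` is also the only public method without a comment, and it is the one subclasses most need guidance on: it delegates to `Object.clone()`, so a checker that keeps mutable per-path state gets a shallow copy unless it overrides the method. I would add `/** Returns a shallow copy; subclasses holding mutable state must override this to copy it. */` above `clone()`, and fix the spelling of "certifcate" in the `init` comment.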
diff --git a/libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java b/libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java
new file mode 100644
index 00000000000..5a1660c3bc9
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java
@@ -0,0 +1,142 @@
+/* PKIXCertPathValidatorResult.java -- PKIX cert path builder result
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.PublicKey;
+
+/**
+ * Results returned by the {@link
+ * CertPathValidator#validate(java.security.cert.CertPath,java.security.cert.CertPathParameters)}
+ * method for PKIX {@link CertPathValidator}s.
+ *
+ * @see CertPathValidator
+ */
+public class PKIXCertPathValidatorResult implements CertPathValidatorResult
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The trust anchor. */
+ private final TrustAnchor trustAnchor;
+
+ /** The root node of the policy tree. */
+ private final PolicyNode policyTree;
+
+ /** The subject's public key. */
+ private final PublicKey subjectPublicKey;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new PKIXCertPathValidatorResult.
+ *
+ * @param trustAnchor The trust anchor.
+ * @param policyTree The root node of the policy tree.
+ * @param subjectPublicKey The public key.
+ * @throws NullPointerException If either <i>trustAnchor</i> or
+ * <i>subjectPublicKey</i> is null.
+ */
+ public PKIXCertPathValidatorResult(TrustAnchor trustAnchor,
+ PolicyNode policyTree,
+ PublicKey subjectPublicKey)
+ {
+ if (trustAnchor == null || subjectPublicKey == null)
+ throw new NullPointerException();
+ this.trustAnchor = trustAnchor;
+ this.policyTree = policyTree;
+ this.subjectPublicKey = subjectPublicKey;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the trust anchor.
+ *
+ * @return The trust anchor.
+ */
+ public TrustAnchor getTrustAnchor()
+ {
+ return trustAnchor;
+ }
+
+ /**
+ * Returns the root node of the policy tree.
+ *
+ * @return The root node of the policy tree.
+ */
+ public PolicyNode getPolicyTree()
+ {
+ return policyTree;
+ }
+
+ /**
+ * Returns the subject public key.
+ *
+ * @return The subject public key.
+ */
+ public PublicKey getPublicKey()
+ {
+ return subjectPublicKey;
+ }
+
+ /**
+ * Returns a copy of this object.
+ *
+ * @return The copy.
+ */
+ public Object clone()
+ {
+ return new PKIXCertPathValidatorResult(trustAnchor, policyTree,
+ subjectPublicKey);
+ }
+
+ /**
+ * Returns a printable string representation of this result.
+ *
+ * @return A printable string representation of this result.
+ */
+ public String toString()
+ {
+ return "[ Trust Anchor=" + trustAnchor + "; Policy Tree="
+ + policyTree + "; Subject Public Key=" + subjectPublicKey + " ]";
+ }
+}
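Review bot: `clone()` builds its result with `new PKIXCertPathValidatorResult(trustAnchor, policyTree, subjectPublicKey)`, so a subclass that does not override it gets back an object of the base class. `PKIXCertPathBuilderResult`, added earlier in this same diff, extends this class without overriding `clone()`, which means cloning a builder result drops its `certPath` and a cast back to the builder type fails. Delegating to `super.clone()` keeps the runtime class, and the three fields here are final references, so a shallow copy is enough; this assumes `CertPathValidatorResult` extends `Cloneable`, which is not visible in this hunk. The file's header comment also says "PKIX cert path builder result" although this class is the validator result.

```java
  public Object clone()
  {
    try
      {
        return super.clone();
      }
    catch (CloneNotSupportedException cnse)
      {
        throw new InternalError(cnse.getMessage());
      }
  }
```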
diff --git a/libjava/classpath/java/security/cert/PKIXParameters.java b/libjava/classpath/java/security/cert/PKIXParameters.java
new file mode 100644
index 00000000000..4a987115a29
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXParameters.java
@@ -0,0 +1,546 @@
+/* PKIXParameters.java -- parameters for the PKIX cert path algorithm
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Parameters for verifying certificate paths using the PKIX
+ * (Public-Key Infrastructure (X.509)) algorithm.
+ *
+ * @see CertPathBulider
+ */
+public class PKIXParameters implements CertPathParameters
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The trusted certificates. */
+ private final Set trustAnchors;
+
+ /** The set of initial policy identifiers. */
+ private final Set initPolicies;
+
+ /** The list of certificate stores. */
+ private final List certStores;
+
+ /** The list of path checkers. */
+ private final List pathCheckers;
+
+ /** The revocation enabled flag. */
+ private boolean revocationEnabled;
+
+ /** The explicit policy required flag. */
+ private boolean exPolicyRequired;
+
+ /** The policy mapping inhibited flag. */
+ private boolean policyMappingInhibited;
+
+ /** The any policy inhibited flag. */
+ private boolean anyPolicyInhibited;
+
+ /** The policy qualifiers rejected flag. */
+ private boolean policyQualRejected;
+
+ /** The target validation date. */
+ private Date date;
+
+ /** The signature algorithm provider. */
+ private String sigProvider;
+
+ /** The target constraints. */
+ private CertSelector targetConstraints;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new PKIXParameters object, populating the trusted
+ * certificates set with all certificates found in the given key
+ * store. All certificates found in the key store are assumed to be
+ * trusted by this constructor.
+ *
+ * @param keystore The key store.
+ * @throws KeyStoreException If the certificates cannot be retrieved
+ * from the key store.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the key store.
+ * @throws NullPointerException If <i>keystore</i> is null.
+ */
+ public PKIXParameters(KeyStore keystore)
+ throws KeyStoreException, InvalidAlgorithmParameterException
+ {
+ this();
+ for (Enumeration e = keystore.aliases(); e.hasMoreElements(); )
+ {
+ String alias = (String) e.nextElement();
+ if (!keystore.isCertificateEntry(alias))
+ continue;
+ Certificate cert = keystore.getCertificate(alias);
+ if (cert instanceof X509Certificate)
+ trustAnchors.add(new TrustAnchor((X509Certificate) cert, null));
+ }
+ if (trustAnchors.isEmpty())
+ throw new InvalidAlgorithmParameterException("no certs in the key store");
+ }
+
+ /**
+ * Create a new PKIXParameters object, populating the trusted
+ * certificates set with the elements of the given set, each of which
+ * must be a {@link TrustAnchor}.
+ *
+ * @param trustAnchors The set of trust anchors.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the set.
+ * @throws NullPointerException If <i>trustAnchors</i> is null.
+ * @throws ClassCastException If every element in <i>trustAnchors</i>
+ * is not a {@link TrustAnchor}.
+ */
+ public PKIXParameters(Set trustAnchors)
+ throws InvalidAlgorithmParameterException
+ {
+ this();
+ setTrustAnchors(trustAnchors);
+ }
+
+ /**
+ * Default constructor.
+ */
+ private PKIXParameters()
+ {
+ trustAnchors = new HashSet();
+ initPolicies = new HashSet();
+ certStores = new LinkedList();
+ pathCheckers = new LinkedList();
+ revocationEnabled = true;
+ exPolicyRequired = false;
+ policyMappingInhibited = false;
+ anyPolicyInhibited = false;
+ policyQualRejected = true;
+ }
+
+ /**
+ * Copying constructor for cloning.
+ *
+ * @param that The instance being cloned.
+ */
+ private PKIXParameters(PKIXParameters that)
+ {
+ this();
+ this.trustAnchors.addAll(that.trustAnchors);
+ this.initPolicies.addAll(that.initPolicies);
+ this.certStores.addAll(that.certStores);
+ this.pathCheckers.addAll(that.pathCheckers);
+ this.revocationEnabled = that.revocationEnabled;
+ this.exPolicyRequired = that.exPolicyRequired;
+ this.policyMappingInhibited = that.policyMappingInhibited;
+ this.anyPolicyInhibited = that.anyPolicyInhibited;
+ this.policyQualRejected = that.policyQualRejected;
+ this.date = that.date;
+ this.sigProvider = that.sigProvider;
+ this.targetConstraints = that.targetConstraints != null
+ ? (CertSelector) that.targetConstraints.clone() : null;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns an immutable set of trust anchors. The set returned will
+ * never be null and will never be empty.
+ *
+ * @return A (never null, never empty) immutable set of trust anchors.
+ */
+ public Set getTrustAnchors()
+ {
+ return Collections.unmodifiableSet(trustAnchors);
+ }
+
+ /**
+ * Sets the trust anchors of this class, replacing the current trust
+ * anchors with those in the given set. The supplied set is copied to
+ * prevent modification.
+ *
+ * @param trustAnchors The new set of trust anchors.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the set.
+ * @throws NullPointerException If <i>trustAnchors</i> is null.
+ * @throws ClassCastException If every element in <i>trustAnchors</i>
+ * is not a {@link TrustAnchor}.
+ */
+ public void setTrustAnchors(Set trustAnchors)
+ throws InvalidAlgorithmParameterException
+ {
+ if (trustAnchors.isEmpty())
+ throw new InvalidAlgorithmParameterException("no trust anchors");
+ this.trustAnchors.clear();
+ for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
+ {
+ this.trustAnchors.add((TrustAnchor) i.next());
+ }
+ }
+
+ /**
+ * Returns the set of initial policy identifiers (as OID strings). If
+ * any policy is accepted, this method returns the empty set.
+ *
+ * @return An immutable set of initial policy OID strings, or the
+ * empty set if any policy is acceptable.
+ */
+ public Set getInitialPolicies()
+ {
+ return Collections.unmodifiableSet(initPolicies);
+ }
+
+ /**
+ * Sets the initial policy identifiers (as OID strings). If the
+ * argument is null or the empty set, then any policy identifier will
+ * be accepted.
+ *
+ * @param initPolicies The new set of policy strings, or null.
+ * @throws ClassCastException If any element in <i>initPolicies</i> is
+ * not a string.
+ */
+ public void setInitialPolicies(Set initPolicies)
+ {
+ this.initPolicies.clear();
+ if (initPolicies == null)
+ return;
+ for (Iterator i = initPolicies.iterator(); i.hasNext(); )
+ {
+ this.initPolicies.add((String) i.next());
+ }
+ }
+
+ /**
+ * Add a {@link CertStore} to the list of cert stores.
+ *
+ * @param store The CertStore to add.
+ */
+ public void addCertStore(CertStore store)
+ {
+ if (store != null)
+ certStores.add(store);
+ }
+
+ /**
+ * Returns an immutable list of cert stores. This method never returns
+ * null.
+ *
+ * @return The list of cert stores.
+ */
+ public List getCertStores()
+ {
+ return Collections.unmodifiableList(certStores);
+ }
+
+ /**
+ * Set the cert stores. If the argument is null the list of cert
+ * stores will be empty.
+ *
+ * @param certStores The cert stores.
+ */
+ public void setCertStores(List certStores)
+ {
+ this.certStores.clear();
+ if (certStores == null)
+ return;
+ for (Iterator i = certStores.iterator(); i.hasNext(); )
+ {
+ this.certStores.add((CertStore) i.next());
+ }
+ }
+
+ /**
+ * Returns the value of the <i>revocation enabled</i> flag. The default
+ * value for this flag is <code>true</code>.
+ *
+ * @return The <i>revocation enabled</i> flag.
+ */
+ public boolean isRevocationEnabled()
+ {
+ return revocationEnabled;
+ }
+
+ /**
+ * Sets the value of the <i>revocation enabled</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setRevocationEnabled(boolean value)
+ {
+ revocationEnabled = value;
+ }
+
+ /**
+ * Returns the value of the <i>explicit policy required</i> flag. The
+ * default value of this flag is <code>false</code>.
+ *
+ * @return The <i>explicit policy required</i> flag.
+ */
+ public boolean isExplicitPolicyRequired()
+ {
+ return exPolicyRequired;
+ }
+
+ /**
+ * Sets the value of the <i>explicit policy required</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setExplicitPolicyRequired(boolean value)
+ {
+ exPolicyRequired = value;
+ }
+
+ /**
+ * Returns the value of the <i>policy mapping inhibited</i> flag. The
+ * default value of this flag is <code>false</code>.
+ *
+ * @return The <i>policy mapping inhibited</i> flag.
+ */
+ public boolean isPolicyMappingInhibited()
+ {
+ return policyMappingInhibited;
+ }
+
+ /**
+ * Sets the value of the <i>policy mapping inhibited</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setPolicyMappingInhibited(boolean value)
+ {
+ policyMappingInhibited = value;
+ }
+
+ /**
+ * Returns the value of the <i>any policy inhibited</i> flag. The
+ * default value of this flag is <code>false</code>.
+ *
+ * @return The <i>any policy inhibited</i> flag.
+ */
+ public boolean isAnyPolicyInhibited()
+ {
+ return anyPolicyInhibited;
+ }
+
+ /**
+ * Sets the value of the <i>any policy inhibited</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setAnyPolicyInhibited(boolean value)
+ {
+ anyPolicyInhibited = value;
+ }
+
+ /**
+ * Returns the value of the <i>policy qualifiers enabled</i> flag. The
+ * default value of this flag is <code>true</code>.
+ *
+ * @return The <i>policy qualifiers enabled</i> flag.
+ */
+ public boolean getPolicyQualifiersRejected()
+ {
+ return policyQualRejected;
+ }
+
+ /**
+ * Sets the value of the <i>policy qualifiers enabled</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setPolicyQualifiersRejected(boolean value)
+ {
+ policyQualRejected = value;
+ }
+
+ /**
+ * Returns the date for which the certificate path should be
+ * validated, or null if the current time should be used. The date
+ * object is copied to prevent subsequent modification.
+ *
+ * @return The date, or null if not set.
+ */
+ public Date getDate()
+ {
+ return date != null ? (Date) date.clone() : null;
+ }
+
+ /**
+ * Sets the date for which the certificate path should be validated,
+ * or null if the current time should be used.
+ *
+ * @param date The new date, or null.
+ */
+ public void setDate(Date date)
+ {
+ if (date != null)
+ this.date = (Date) date.clone();
+ else
+ this.date = null;
+ }
+
+ /**
+ * Add a certificate path checker.
+ *
+ * @param checker The certificate path checker to add.
+ */
+ public void addCertPathChecker(PKIXCertPathChecker checker)
+ {
+ if (checker != null)
+ pathCheckers.add(checker);
+ }
+
+ /**
+ * Returns an immutable list of all certificate path checkers.
+ *
+ * @return An immutable list of all certificate path checkers.
+ */
+ public List getCertPathCheckers()
+ {
+ return Collections.unmodifiableList(pathCheckers);
+ }
+
+ /**
+ * Sets the certificate path checkers. If the argument is null, the
+ * list of checkers will merely be cleared.
+ *
+ * @param pathCheckers The new list of certificate path checkers.
+ * @throws ClassCastException If any element of <i>pathCheckers</i> is
+ * not a {@link PKIXCertPathChecker}.
+ */
+ public void setCertPathCheckers(List pathCheckers)
+ {
+ this.pathCheckers.clear();
+ if (pathCheckers == null)
+ return;
+ for (Iterator i = pathCheckers.iterator(); i.hasNext(); )
+ {
+ this.pathCheckers.add((PKIXCertPathChecker) i.next());
+ }
+ }
+
+ /**
+ * Returns the signature algorithm provider, or null if not set.
+ *
+ * @return The signature algorithm provider, or null if not set.
+ */
+ public String getSigProvider()
+ {
+ return sigProvider;
+ }
+
+ /**
+ * Sets the signature algorithm provider, or null if there is no
+ * preferred provider.
+ *
+ * @param sigProvider The signature provider name.
+ */
+ public void setSigProvider(String sigProvider)
+ {
+ this.sigProvider = sigProvider;
+ }
+
+ /**
+ * Returns the constraints placed on the target certificate, or null
+ * if there are none. The target constraints are copied to prevent
+ * subsequent modification.
+ *
+ * @return The target constraints, or null.
+ */
+ public CertSelector getTargetCertConstraints()
+ {
+ return targetConstraints != null
+ ? (CertSelector) targetConstraints.clone() : null;
+ }
+
+ /**
+ * Sets the constraints placed on the target certificate.
+ *
+ * @param targetConstraints The target constraints.
+ */
+ public void setTargetCertConstraints(CertSelector targetConstraints)
+ {
+ this.targetConstraints = targetConstraints != null
+ ? (CertSelector) targetConstraints.clone() : null;
+ }
+
+ /**
+ * Returns a copy of these parameters.
+ *
+ * @return The copy.
+ */
+ public Object clone()
+ {
+ return new PKIXParameters(this);
+ }
+
+ /**
+ * Returns a printable representation of these parameters.
+ *
+ * @return A printable representation of these parameters.
+ */
+ public String toString() {
+ return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs="
+ + (initPolicies != null ? initPolicies.toString() : "any")
+ + "; Validity Date=" + date + "; Signature Provider="
+ + sigProvider + "; Default Revocation Enabled=" + revocationEnabled
+ + "; Explicit Policy Required=" + exPolicyRequired
+ + "; Policy Mapping Inhibited=" + policyMappingInhibited
+ + "; Any Policy Inhibited=" + anyPolicyInhibited
+ + "; Policy Qualifiers Rejected=" + policyQualRejected
+ + "; Target Cert Contstraints=" + targetConstraints
+ + "; Certification Path Checkers=" + pathCheckers
+ + "; CertStores=" + certStores + " ]";
+ }
+}
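Review bot: `setTrustAnchors` calls `this.trustAnchors.clear()` before it has checked any element, so a `ClassCastException` part-way through the loop leaves the object with a partial anchor set, or an empty one if the first element is bad, contradicting the `getTrustAnchors` promise of a never-empty set. A null element also passes the `(TrustAnchor)` cast and is stored. Since this set is the root of trust for path validation, the new elements should be checked into a scratch set and swapped in only when all of them are good. Separately, `setCertPathCheckers`, `addCertPathChecker`, `getCertPathCheckers` and the copying constructor share the caller's `PKIXCertPathChecker` instances rather than cloning them, so the checkers used for a validation can be changed through a reference the caller kept.

```java
  public void setTrustAnchors(Set trustAnchors)
    throws InvalidAlgorithmParameterException
  {
    if (trustAnchors.isEmpty())
      throw new InvalidAlgorithmParameterException("no trust anchors");
    // Check every element before touching the current anchors, so a bad
    // input cannot leave this object with a partial or empty set.
    Set checked = new HashSet();
    for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
      {
        Object anchor = i.next();
        if (!(anchor instanceof TrustAnchor))
          throw new ClassCastException("not a TrustAnchor: " + anchor);
        checked.add(anchor);
      }
    this.trustAnchors.clear();
    this.trustAnchors.addAll(checked);
  }
```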
diff --git a/libjava/classpath/java/security/cert/PolicyNode.java b/libjava/classpath/java/security/cert/PolicyNode.java
new file mode 100644
index 00000000000..58d411cd3ad
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PolicyNode.java
@@ -0,0 +1,102 @@
+/* PolicyNode.java -- a single node in a policy tree
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+public interface PolicyNode
+{
+
+ /**
+ * Get the iterator of the child nodes of this node. The returned
+ * iterator is (naturally) unmodifiable.
+ *
+ * @return An iterator over the child nodes.
+ */
+ java.util.Iterator getChildren();
+
+ /**
+ * Get the depth of this node within the tree, starting at 0 for the
+ * root node.
+ *
+ * @return The depth of this node.
+ */
+ int getDepth();
+
+ /**
+ * Returns a set of policies (string OIDs) that will satisfy this
+ * node's policy. The root node should always return the singleton set
+ * with the element "any-policy".
+ *
+ * @return The set of expected policies.
+ */
+ java.util.Set getExpectedPolicies();
+
+ /**
+ * Returns the parent node of this node, or null if this is the root
+ * node.
+ *
+ * @return The parent node, or null.
+ */
+ PolicyNode getParent();
+
+ /**
+ * Returns a set of {@link PolicyQualifierInfo} objects that qualify
+ * the valid policy of this node. The root node should always return
+ * the empty set.
+ *
+ * @return The set of {@link PolicyQualifierInfo} objects.
+ */
+ java.util.Set getPolicyQualifiers();
+
+ /**
+ * Get the policy OID this node represents. The root node should return
+ * the special value "any-policy".
+ *
+ * @return The policy of this node.
+ */
+ String getValidPolicy();
+
+ /**
+ * Return the criticality flag of this policy node. Nodes who return
+ * true for this method should be considered critical. The root node
+ * is never critical.
+ *
+ * @return The criticality flag.
+ */
+ boolean isCritical();
+}
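Review bot: The interface itself has no Javadoc, and the method comments are inconsistent about what identifies the root node: `getExpectedPolicies` and `getValidPolicy` are described as returning policy OIDs, yet both say the root returns the value "any-policy", which is not an OID. The comments should say whether the literal string or the anyPolicy OID (2.5.29.32.0) is meant, because callers comparing against one will not match the other. I would add a type comment such as `/** A node in the valid policy tree produced by PKIX certification path validation. */` and change "Nodes who return" to "Nodes that return" in `isCritical`.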
diff --git a/libjava/classpath/java/security/cert/PolicyQualifierInfo.java b/libjava/classpath/java/security/cert/PolicyQualifierInfo.java
new file mode 100644
index 00000000000..7dcf2315632
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PolicyQualifierInfo.java
@@ -0,0 +1,168 @@
+/* PolicyQualifierInfo.java -- policy qualifier info object.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.io.ASN1ParsingException;
+import gnu.java.security.OID;
+import gnu.java.security.der.DERReader;
+import gnu.java.security.der.DERValue;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+/**
+ * The PolicyQualifierInfo X.509 certificate extension.
+ * PolicyQualifierInfo objects are represented by the ASN.1 structure:
+ *
+ * <pre>
+ * PolicyQualifierInfo ::= SEQUENCE {
+ * policyQualifierId PolicyQualifierId,
+ * qualifier ANY DEFINED BY policyQualifierId
+ * }
+ *
+ * PolicyQualifierId ::= OBJECT IDENTIFIER
+ * </pre>
+ *
+ * @since JDK 1.4
+ */
+public final class PolicyQualifierInfo
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The <code>policyQualifierId</code> field. */
+ private OID oid;
+
+ /** The DER encoded form of this object. */
+ private byte[] encoded;
+
+ /** The DER encoded form of the <code>qualifier</code> field. */
+ private DERValue qualifier;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new PolicyQualifierInfo object from the DER encoded form
+ * passed in the byte array. The argument is copied.
+ *
+ * <p>The ASN.1 form of PolicyQualifierInfo is:
+<pre>
+PolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId
+}
+
+PolicyQualifierId ::= OBJECT IDENTIFIER
+</pre>
+ *
+ * @param encoded The DER encoded form.
+ * @throws IOException If the structure cannot be parsed from the
+ * encoded bytes.
+ */
+ public PolicyQualifierInfo(byte[] encoded) throws IOException
+ {
+ if (encoded == null)
+ throw new IOException("null bytes");
+ this.encoded = (byte[]) encoded.clone();
+ DERReader in = new DERReader(new ByteArrayInputStream(this.encoded));
+ DERValue qualInfo = in.read();
+ if (!qualInfo.isConstructed())
+ throw new ASN1ParsingException("malformed PolicyQualifierInfo");
+ DERValue val = in.read();
+ if (!(val.getValue() instanceof OID))
+ throw new ASN1ParsingException("value read not an OBJECT IDENTIFIER");
+ oid = (OID) val.getValue();
+ if (val.getEncodedLength() < val.getLength())
+ qualifier = in.read();
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the <code>policyQualifierId</code> field of this structure,
+ * as a dotted-decimal representation of the object identifier.
+ *
+ * @return This structure's OID field.
+ */
+ public String getPolicyQualifierId()
+ {
+ return oid.toString();
+ }
+
+ /**
+ * Returns the DER encoded form of this object; the contents of the
+ * returned byte array are equivalent to those that were passed to the
+ * constructor. The byte array is cloned every time this method is
+ * called.
+ *
+ * @return The encoded form.
+ */
+ public byte[] getEncoded()
+ {
+ return (byte[]) encoded.clone();
+ }
+
+ /**
+ * Get the <code>qualifier</code> field of this object, as a DER
+ * encoded byte array. The byte array returned is cloned every time
+ * this method is called.
+ *
+ * @return The encoded qualifier.
+ */
+ public byte[] getPolicyQualifier()
+ {
+ if (qualifier == null)
+ return new byte[0];
+ return qualifier.getEncoded();
+ }
+
+ /**
+ * Returns a printable string representation of this object.
+ *
+ * @return The string representation.
+ */
+ public String toString()
+ {
+ return "PolicyQualifierInfo { policyQualifierId ::= " + oid
+ + ", qualifier ::= " + qualifier + " }";
+ }
+}
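Review bot: The qualifier branch at the end of the constructor compares the OID value with itself, `val.getEncodedLength() < val.getLength()`, and if `getLength()` is the content length and `getEncodedLength()` the full tag-length-value size (as the names suggest; `DERValue` is not shown here), that condition can never be true. In that case `qualifier` stays null for every input and `getPolicyQualifier()` always returns an empty array, so callers never see a qualifier that is present in the certificate. The comparison presumably should be against the enclosing SEQUENCE: `if (val.getEncodedLength() < qualInfo.getLength())`. The constructor also only checks `isConstructed()` rather than the SEQUENCE tag, and it keeps the whole input array, so any bytes after the structure are returned by `getEncoded()`; a comment stating whether trailing data is tolerated would help.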
diff --git a/libjava/classpath/java/security/cert/TrustAnchor.java b/libjava/classpath/java/security/cert/TrustAnchor.java
new file mode 100644
index 00000000000..2110ed5181d
--- /dev/null
+++ b/libjava/classpath/java/security/cert/TrustAnchor.java
@@ -0,0 +1,185 @@
+/* TrustAnchor.java -- an ultimately-trusted certificate.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.x509.X500DistinguishedName;
+
+import java.security.PublicKey;
+
+/**
+ * An ultimately-trusted certificate to serve as the root of a
+ * certificate chain.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class TrustAnchor
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The certificate authority's distinguished name. */
+ private final X500DistinguishedName caName;
+
+ /** The certficate authority's public key. */
+ private final PublicKey caKey;
+
+ /** The certficate authority's certificate. */
+ private final X509Certificate trustedCert;
+
+ /** The encoded name constraints bytes. */
+ private final byte[] nameConstraints;
+
+ // Constnuctors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new trust anchor from a certificate and (optional) name
+ * constraints.
+ *
+ * <p>If the <i>nameConstraints</i> argument in non-null, it will be
+ * copied to prevent modification.
+ *
+ * @param trustedCert The trusted certificate.
+ * @param nameConstraints The encoded nameConstraints.
+ */
+ public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
+ {
+ if (trustedCert == null)
+ throw new NullPointerException();
+ this.trustedCert = trustedCert;
+ caName = null;
+ caKey = null;
+ if (nameConstraints != null)
+ this.nameConstraints = (byte[]) nameConstraints.clone();
+ else
+ this.nameConstraints = null;
+ }
+
+ /**
+ * Create a new trust anchor from a certificate authority's
+ * distinguished name, public key, and (optional) name constraints.
+ *
+ * <p>If the <i>nameConstraints</i> argument in non-null, it will be
+ * copied to prevent modification.
+ *
+ * @params caName The CA's distinguished name.
+ * @params caKey The CA's public key.
+ * @params nameConstraints The encoded nameConstraints.
+ */
+ public TrustAnchor(String caName, PublicKey caKey, byte[] nameConstraints)
+ {
+ if (caName == null || caKey == null)
+ throw new NullPointerException();
+ if (caName.length() == 0)
+ throw new IllegalArgumentException();
+ trustedCert = null;
+ this.caName = new X500DistinguishedName(caName);
+ this.caKey = caKey;
+ if (nameConstraints != null)
+ this.nameConstraints = (byte[]) nameConstraints.clone();
+ else
+ this.nameConstraints = null;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the trusted certificate, or null if none was specified.
+ *
+ * @return The trusted certificate.
+ */
+ public final X509Certificate getTrustedCert()
+ {
+ return trustedCert;
+ }
+
+ /**
+ * Return the certificate authority's distinguished name, or null if
+ * none was specified.
+ *
+ * @return The CA's distinguished name.
+ */
+ public final String getCAName()
+ {
+ if (caName != null)
+ return caName.toString();
+ return null;
+ }
+
+ /**
+ * Return the certificate authority's public key, or null if none was
+ * specified.
+ *
+ * @return The CA's public key.
+ */
+ public final PublicKey getCAPublicKey()
+ {
+ return caKey;
+ }
+
+ /**
+ * Return the encoded name constraints, or null if none was specified.
+ *
+ * <p>The name constraints byte array is copied when this method is
+ * called to prevent modification.
+ *
+ * @return The encoded name constraints.
+ */
+ public final byte[] getNameConstraints()
+ {
+ if (nameConstraints == null)
+ return null;
+ return (byte[]) nameConstraints.clone();
+ }
+
+ /**
+ * Return a printable representation of this trust anchor.
+ *
+ * @return The printable representation.
+ */
+ public String toString()
+ {
+ if (trustedCert == null)
+ return "[ Trusted CA Public Key=" + caKey + ", Trusted CA Issuer Name="
+ + caName.toString() + " ]";
+ return "[ Trusted CA Certificate=" + trustedCert + " ]";
+ }
+}
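Review bot: Both constructors clone `nameConstraints` and store it without decoding it, so a malformed or truncated encoding is accepted here and is only noticed, if at all, by whatever code later reads `getNameConstraints()`. To fail closed, decode the bytes once at construction and throw `IllegalArgumentException` when they do not parse. At minimum the Javadoc should say so: `@param nameConstraints The DER-encoded NameConstraints, or null; not validated by this constructor.` Separately, the second constructor's Javadoc uses `@params`, which is not a Javadoc tag, so those three parameters are undocumented in the generated output; they should read `@param caName`, `@param caKey` and `@param nameConstraints`.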
diff --git a/libjava/classpath/java/security/cert/X509CRL.java b/libjava/classpath/java/security/cert/X509CRL.java
new file mode 100644
index 00000000000..5657b3eb3f5
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CRL.java
@@ -0,0 +1,397 @@
+/* X509CRL.java --- X.509 Certificate Revocation List
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.util.Date;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ The X509CRL class is the abstract class used to manage
+ X.509 Certificate Revocation Lists. The CRL is a list of
+ time stamped entries which indicate which lists have been
+ revoked. The list is signed by a Certificate Authority (CA)
+ and made publically available in a repository.
+
+ Each revoked certificate in the CRL is identified by its
+ certificate serial number. When a piece of code uses a
+ certificate, the certificates validity is checked by
+ validating its signature and determing that it is not
+ only a recently acquired CRL. The recently aquired CRL
+ is depends on the local policy in affect. The CA issues
+ a new CRL periodically and entries are removed as the
+ certificate expiration date is reached
+
+
+ A description of the X.509 v2 CRL follows below from rfc2459.
+
+ "The X.509 v2 CRL syntax is as follows. For signature calculation,
+ the data that is to be signed is ASN.1 DER encoded. ASN.1 DER
+ encoding is a tag, length, value encoding system for each element.
+
+ CertificateList ::= SEQUENCE {
+ tbsCertList TBSCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING }
+
+ TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2
+ }"
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public abstract class X509CRL extends CRL implements X509Extension
+{
+
+ /**
+ Constructs a new X509CRL.
+ */
+ protected X509CRL()
+ {
+ super("X.509");
+ }
+
+ /**
+ Compares this X509CRL to other. It checks if the
+ object if instanceOf X509CRL and then checks if
+ the encoded form matches.
+
+ @param other An Object to test for equality
+
+ @return true if equal, false otherwise
+ */
+ public boolean equals(Object other)
+ {
+ if( other instanceof X509CRL ) {
+ try {
+ X509CRL x = (X509CRL) other;
+ if( getEncoded().length != x.getEncoded().length )
+ return false;
+
+ byte[] b1 = getEncoded();
+ byte[] b2 = x.getEncoded();
+
+ for( int i = 0; i < b1.length; i++ )
+ if( b1[i] != b2[i] )
+ return false;
+
+ } catch( CRLException crle ) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ Returns a hash code for this X509CRL in its encoded
+ form.
+
+ @return A hash code of this class
+ */
+ public int hashCode()
+ {
+ return super.hashCode();
+ }
+
+ /**
+ Gets the DER ASN.1 encoded format for this X.509 CRL.
+
+ @return byte array containg encoded form
+
+ @throws CRLException if an error occurs
+ */
+ public abstract byte[] getEncoded() throws CRLException;
+
+ /**
+ Verifies that this CRL was properly signed with the
+ PublicKey that corresponds to its private key.
+
+ @param key PublicKey to verify with
+
+ @throws CRLException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException no provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key)
+ throws CRLException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Verifies that this CRL was properly signed with the
+ PublicKey that corresponds to its private key and uses
+ the signature engine provided by the provider.
+
+ @param key PublicKey to verify with
+ @param sigProvider Provider to use for signature algorithm
+
+ @throws CRLException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException incorrect provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key,
+ String sigProvider)
+ throws CRLException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Gets the version of this CRL.
+
+ The ASN.1 encoding is:
+
+ version Version OPTIONAL,
+ -- if present, shall be v2
+
+ Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+ Consult rfc2459 for more information.
+
+ @return the version number, Ex: 1 or 2
+ */
+ public abstract int getVersion();
+
+ /**
+ Returns the issuer (issuer distinguished name) of the CRL.
+ The issuer is the entity who signed and issued the
+ Certificate Revocation List.
+
+ The ASN.1 DER encoding is:
+
+ issuer Name,
+
+ Name ::= CHOICE {
+ RDNSequence }
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ RelativeDistinguishedName ::=
+ SET OF AttributeTypeAndValue
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+ AttributeType ::= OBJECT IDENTIFIER
+
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1.. MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+ Consult rfc2459 for more information.
+
+ @return the issuer in the Principal class
+ */
+ public abstract Principal getIssuerDN();
+
+ /**
+ Returns the thisUpdate date of the CRL.
+
+ The ASN.1 DER encoding is:
+
+ thisUpdate Time,
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @return the thisUpdate date
+ */
+ public abstract Date getThisUpdate();
+
+ /*
+ Gets the nextUpdate field
+
+ The ASN.1 DER encoding is:
+
+ nextUpdate Time OPTIONAL,
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @return the nextUpdate date
+ */
+ public abstract Date getNextUpdate();
+
+ /**
+ Gets the requeste dX509Entry for the specified
+ certificate serial number.
+
+ @return a X509CRLEntry representing the X.509 CRL entry
+ */
+ public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber);
+
+ /**
+ Returns a Set of revoked certificates.
+
+ @return a set of revoked certificates.
+ */
+ public abstract Set getRevokedCertificates();
+
+ /**
+ Returns the DER ASN.1 encoded tbsCertList which is
+ the basic information of the list and associated certificates
+ in the encoded state. See top for more information.
+
+ The ASN.1 DER encoding is:
+
+ tbsCertList TBSCertList,
+
+ Consult rfc2459 for more information.
+
+ @return byte array representing tbsCertList
+ */
+ public abstract byte[] getTBSCertList() throws CRLException;
+
+
+ /**
+ Returns the signature for the CRL.
+
+ The ASN.1 DER encoding is:
+
+ signatureValue BIT STRING
+
+ Consult rfc2459 for more information.
+ */
+ public abstract byte[] getSignature();
+
+ /**
+ Returns the signature algorithm used to sign the CRL.
+ An examples is "SHA-1/DSA".
+
+ The ASN.1 DER encoding is:
+
+ signatureAlgorithm AlgorithmIdentifier,
+
+ AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+
+ Consult rfc2459 for more information.
+
+ The algorithm name is determined from the OID.
+
+ @return a string with the signature algorithm name
+ */
+ public abstract String getSigAlgName();
+
+ /**
+ Returns the OID for the signature algorithm used.
+ Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
+
+ The ASN.1 DER encoding for the example is:
+
+ id-dsa-with-sha1 ID ::= {
+ iso(1) member-body(2) us(840) x9-57 (10040)
+ x9cm(4) 3 }
+
+ Consult rfc2459 for more information.
+
+ @return a string containing the OID.
+ */
+ public abstract String getSigAlgOID();
+
+ /**
+ Returns the AlgorithmParameters in the encoded form
+ for the signature algorithm used.
+
+ If access to the parameters is need, create an
+ instance of AlgorithmParameters.
+
+ @return byte array containing algorithm parameters, null
+ if no parameters are present in CRL
+ */
+ public abstract byte[] getSigAlgParams();
+
+ // 1.4 instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the X.500 distinguished name of this CRL's issuer.
+ *
+ * @return The issuer's X.500 distinguished name.
+ * @since JDK 1.4
+ */
+ public X500Principal getIssuerX500Principal()
+ {
+ throw new UnsupportedOperationException();
+ }
+}
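Review bot: `hashCode()` returns `super.hashCode()` while `equals()` compares the DER encoding, so two X509CRL objects that are equal can hash differently. This assumes `CRL`, which is not shown in this hunk, does not override `hashCode()` with an encoding-based one. Hash-based collections of CRLs, such as a store or cache that removes duplicate revocation lists, would then keep duplicates and miss lookups. The hash should be derived from the same bytes `equals()` compares, as sketched below in a form that does not need `java.util.Arrays.hashCode`. `X509CRLEntry.hashCode()` in the next file has the same defect and needs the same change. `equals()` also calls `getEncoded()` twice per object; fetching `b1` and `b2` once before the length check would avoid the extra encoding work.

```java
public int hashCode()
{
  try
    {
      // Hash the same bytes equals() compares, so equal CRLs collide.
      byte[] enc = getEncoded();
      int h = 1;
      for (int i = 0; i < enc.length; i++)
        h = 31 * h + enc[i];
      return h;
    }
  catch (CRLException crle)
    {
      // equals() returns false when encoding fails, so a constant is consistent.
      return 0;
    }
}
```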
diff --git a/libjava/classpath/java/security/cert/X509CRLEntry.java b/libjava/classpath/java/security/cert/X509CRLEntry.java
new file mode 100644
index 00000000000..4c9cada4747
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CRLEntry.java
@@ -0,0 +1,169 @@
+/* X509CRLEntry.java --- X.509 Certificate Revocation List Entry
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.math.BigInteger;
+import java.util.Date;
+
+/**
+ Abstract class for entries in the CRL (Certificate Revocation
+ List). The ASN.1 definition for <I>revokedCertificates</I> is
+
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+
+ CertificateSerialNumber ::= INTEGER
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+ Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+ For more information consult rfc2459.
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public abstract class X509CRLEntry implements X509Extension
+{
+
+ /**
+ Creates a new X509CRLEntry
+ */
+ public X509CRLEntry()
+ {}
+
+ /**
+ Compares this X509CRLEntry to other. It checks if the
+ object if instanceOf X509CRLEntry and then checks if
+ the encoded form( the inner SEQUENCE) matches.
+
+ @param other An Object to test for equality
+
+ @return true if equal, false otherwise
+ */
+ public boolean equals(Object other)
+ {
+ if( other instanceof X509CRLEntry ) {
+ try {
+ X509CRLEntry xe = (X509CRLEntry) other;
+ if( getEncoded().length != xe.getEncoded().length )
+ return false;
+
+ byte[] b1 = getEncoded();
+ byte[] b2 = xe.getEncoded();
+
+ for( int i = 0; i < b1.length; i++ )
+ if( b1[i] != b2[i] )
+ return false;
+
+ } catch( CRLException crle ) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ Returns a hash code for this X509CRLEntry in its encoded
+ form.
+
+ @return A hash code of this class
+ */
+ public int hashCode()
+ {
+ return super.hashCode();
+ }
+
+ /**
+ Gets the DER ASN.1 encoded format for this CRL Entry,
+ the inner SEQUENCE.
+
+ @return byte array containg encoded form
+
+ @throws CRLException if an error occurs
+ */
+ public abstract byte[] getEncoded() throws CRLException;
+
+ /**
+ Gets the serial number for <I>userCertificate</I> in
+ this X509CRLEntry.
+
+ @return the serial number for this X509CRLEntry.
+ */
+ public abstract BigInteger getSerialNumber();
+
+
+ /**
+ Gets the revocation date in <I>revocationDate</I> for
+ this X509CRLEntry.
+
+ @return the revocation date for this X509CRLEntry.
+ */
+ public abstract Date getRevocationDate();
+
+
+ /**
+ Checks if this X509CRLEntry has extensions.
+
+ @return true if it has extensions, false otherwise
+ */
+ public abstract boolean hasExtensions();
+
+
+ /**
+ Returns a string that represents this X509CRLEntry.
+
+ @return a string representing this X509CRLEntry.
+ */
+ public abstract String toString();
+
+}
diff --git a/libjava/classpath/java/security/cert/X509CRLSelector.java b/libjava/classpath/java/security/cert/X509CRLSelector.java
new file mode 100644
index 00000000000..3c79fba9cb8
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CRLSelector.java
@@ -0,0 +1,440 @@
+/* X509CRLSelector.java -- selects X.509 CRLs by criteria.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.classpath.SystemProperties;
+import gnu.java.security.der.DERReader;
+import gnu.java.security.der.DERValue;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * A class for matching X.509 certificate revocation lists by criteria.
+ *
+ * <p>Use of this class requires extensive knowledge of the Internet
+ * Engineering Task Force's Public Key Infrastructure (X.509). The primary
+ * document describing this standard is <a
+ * href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
+ * Public Key Infrastructure Certificate and Certificate Revocation List
+ * (CRL) Profile</a>.
+ *
+ * <p>Note that this class is not thread-safe. If multiple threads will
+ * use or modify this class then they need to synchronize on the object.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class X509CRLSelector implements CRLSelector, Cloneable
+{
+
+ // Fields.
+ // -------------------------------------------------------------------------
+
+ private static final String CRL_NUMBER_ID = "2.5.29.20";
+
+ private List issuerNames;
+ private BigInteger maxCrlNumber;
+ private BigInteger minCrlNumber;
+ private Date date;
+ private X509Certificate cert;
+
+ // Constructor.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Creates a new CRL selector with no criteria enabled; i.e., every CRL
+ * will be matched.
+ */
+ public X509CRLSelector()
+ {
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Add an issuer name to the set of issuer names criteria, as the DER
+ * encoded form.
+ *
+ * @param name The name to add, as DER bytes.
+ * @throws IOException If the argument is not a valid DER-encoding.
+ */
+ public void addIssuerName(byte[] name) throws IOException
+ {
+ X500Principal p = null;
+ try
+ {
+ p = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name");
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ if (issuerNames == null)
+ issuerNames = new LinkedList();
+ issuerNames.add(p);
+ }
+
+ /**
+ * Add an issuer name to the set of issuer names criteria, as a
+ * String representation.
+ *
+ * @param name The name to add.
+ * @throws IOException If the argument is not a valid name.
+ */
+ public void addIssuerName(String name) throws IOException
+ {
+ X500Principal p = null;
+ try
+ {
+ p = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name: " + name);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ if (issuerNames == null)
+ issuerNames = new LinkedList();
+ issuerNames.add(p);
+ }
+
+ /**
+ * Sets the issuer names criterion. Pass <code>null</code> to clear this
+ * value. CRLs matched by this selector must have an issuer name in this
+ * set.
+ *
+ * @param names The issuer names.
+ * @throws IOException If any of the elements in the collection is not
+ * a valid name.
+ */
+ public void setIssuerNames(Collection names) throws IOException
+ {
+ if (names == null)
+ {
+ issuerNames = null;
+ return;
+ }
+ List l = new ArrayList(names.size());
+ for (Iterator it = names.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if (o instanceof X500Principal)
+ l.add(o);
+ else if (o instanceof String)
+ {
+ try
+ {
+ l.add(new X500Principal((String) o));
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name: " + o);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else if (o instanceof byte[])
+ {
+ try
+ {
+ l.add(new X500Principal((byte[]) o));
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name");
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else if (o instanceof InputStream)
+ {
+ try
+ {
+ l.add(new X500Principal((InputStream) o));
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name");
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else
+ throw new IOException("not a valid name: " +
+ (o != null ? o.getClass().getName() : "null"));
+
+ }
+ issuerNames = l;
+ }
+
+ /**
+ * Returns the set of issuer names that are matched by this selector,
+ * or <code>null</code> if this criteria is not set. The returned
+ * collection is not modifiable.
+ *
+ * @return The set of issuer names.
+ */
+ public Collection getIssuerNames()
+ {
+ if (issuerNames != null)
+ return Collections.unmodifiableList(issuerNames);
+ else
+ return null;
+ }
+
+ /**
+ * Returns the maximum value of the CRLNumber extension present in
+ * CRLs matched by this selector, or <code>null</code> if this
+ * criteria is not set.
+ *
+ * @return The maximum CRL number.
+ */
+ public BigInteger getMaxCRL()
+ {
+ return maxCrlNumber;
+ }
+
+ /**
+ * Returns the minimum value of the CRLNumber extension present in
+ * CRLs matched by this selector, or <code>null</code> if this
+ * criteria is not set.
+ *
+ * @return The minimum CRL number.
+ */
+ public BigInteger getMinCRL()
+ {
+ return minCrlNumber;
+ }
+
+ /**
+ * Sets the maximum value of the CRLNumber extension present in CRLs
+ * matched by this selector. Specify <code>null</code> to clear this
+ * criterion.
+ *
+ * @param maxCrlNumber The maximum CRL number.
+ */
+ public void setMaxCRLNumber(BigInteger maxCrlNumber)
+ {
+ this.maxCrlNumber = maxCrlNumber;
+ }
+
+ /**
+ * Sets the minimum value of the CRLNumber extension present in CRLs
+ * matched by this selector. Specify <code>null</code> to clear this
+ * criterion.
+ *
+ * @param minCrlNumber The minimum CRL number.
+ */
+ public void setMinCRLNumber(BigInteger minCrlNumber)
+ {
+ this.minCrlNumber = minCrlNumber;
+ }
+
+ /**
+ * Returns the date when this CRL must be valid; that is, the date
+ * must be after the thisUpdate date, but before the nextUpdate date.
+ * Returns <code>null</code> if this criterion is not set.
+ *
+ * @return The date.
+ */
+ public Date getDateAndTime()
+ {
+ return date != null ? (Date) date.clone() : null;
+ }
+
+ /**
+ * Sets the date at which this CRL must be valid. Specify
+ * <code>null</code> to clear this criterion.
+ *
+ * @param date The date.
+ */
+ public void setDateAndTime(Date date)
+ {
+ this.date = date != null ? (Date) date.clone() : null;
+ }
+
+ /**
+ * Returns the certificate being checked, or <code>null</code> if this
+ * value is not set.
+ *
+ * @return The certificate.
+ */
+ public X509Certificate getCertificateChecking()
+ {
+ return cert;
+ }
+
+ /**
+ * Sets the certificate being checked. This is not a criterion, but
+ * info used by certificate store implementations to aid in searching.
+ *
+ * @param cert The certificate.
+ */
+ public void setCertificateChecking(X509Certificate cert)
+ {
+ this.cert = cert;
+ }
+
+ /**
+ * Returns a string representation of this selector. The string will
+ * only describe the enabled criteria, so if none are enabled this will
+ * return a string that contains little else besides the class name.
+ *
+ * @return The string.
+ */
+ public String toString()
+ {
+ StringBuffer str = new StringBuffer(X509CRLSelector.class.getName());
+ String nl = SystemProperties.getProperty("line.separator");
+ String eol = ";" + nl;
+
+ str.append(" {").append(nl);
+ if (issuerNames != null)
+ str.append(" issuer names = ").append(issuerNames).append(eol);
+ if (maxCrlNumber != null)
+ str.append(" max CRL = ").append(maxCrlNumber).append(eol);
+ if (minCrlNumber != null)
+ str.append(" min CRL = ").append(minCrlNumber).append(eol);
+ if (date != null)
+ str.append(" date = ").append(date).append(eol);
+ if (cert != null)
+ str.append(" certificate = ").append(cert).append(eol);
+ str.append("}").append(nl);
+ return str.toString();
+ }
+
+ /**
+ * Checks a CRL against the criteria of this selector, returning
+ * <code>true</code> if the given CRL matches all the criteria.
+ *
+ * @param _crl The CRL being checked.
+ * @return True if the CRL matches, false otherwise.
+ */
+ public boolean match(CRL _crl)
+ {
+ if (!(_crl instanceof X509CRL))
+ return false;
+ X509CRL crl = (X509CRL) _crl;
+ if (issuerNames != null)
+ {
+ if (!issuerNames.contains(crl.getIssuerX500Principal()))
+ return false;
+ }
+ BigInteger crlNumber = null;
+ if (maxCrlNumber != null)
+ {
+ byte[] b = crl.getExtensionValue(CRL_NUMBER_ID);
+ if (b == null)
+ return false;
+ try
+ {
+ DERValue val = DERReader.read(b);
+ if (!(val.getValue() instanceof BigInteger))
+ return false;
+ crlNumber = (BigInteger) val.getValue();
+ }
+ catch (IOException ioe)
+ {
+ return false;
+ }
+ if (maxCrlNumber.compareTo(crlNumber) < 0)
+ return false;
+ }
+ if (minCrlNumber != null)
+ {
+ if (crlNumber == null)
+ {
+ byte[] b = crl.getExtensionValue(CRL_NUMBER_ID);
+ if (b == null)
+ return false;
+ try
+ {
+ DERValue val = DERReader.read(b);
+ if (!(val.getValue() instanceof BigInteger))
+ return false;
+ crlNumber = (BigInteger) val.getValue();
+ }
+ catch (IOException ioe)
+ {
+ return false;
+ }
+ }
+ if (minCrlNumber.compareTo(crlNumber) > 0)
+ return false;
+ }
+ if (date != null)
+ {
+ if (date.compareTo(crl.getThisUpdate()) < 0 ||
+ date.compareTo(crl.getNextUpdate()) > 0)
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Returns a copy of this object.
+ *
+ * @return The copy.
+ */
+ public Object clone()
+ {
+ try
+ {
+ return super.clone();
+ }
+ catch (CloneNotSupportedException shouldNotHappen)
+ {
+ throw new Error(shouldNotHappen);
+ }
+ }
+}
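Review bot: In `match()`, the date criterion calls `date.compareTo(crl.getNextUpdate())` without a null check, and `X509CRL.getNextUpdate()` is documented to return null when the CRL omits the optional nextUpdate field, so such a CRL raises a NullPointerException instead of producing a match decision. The CRL being matched is usually not under the caller's control, so failing closed is the safer behaviour: `Date next = crl.getNextUpdate();` followed by `if (next == null || date.compareTo(crl.getThisUpdate()) < 0 || date.compareTo(next) > 0) return false;`. Separately, `clone()` returns only `super.clone()`, so the copy shares the mutable `issuerNames` list with the original and a later `addIssuerName` on either selector changes the criteria of both. Copying the list in `clone()` when it is non-null (`copy.issuerNames = new LinkedList(issuerNames);`) would keep the two selectors independent.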
diff --git a/libjava/classpath/java/security/cert/X509CertSelector.java b/libjava/classpath/java/security/cert/X509CertSelector.java
new file mode 100644
index 00000000000..4149a37643d
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CertSelector.java
@@ -0,0 +1,1106 @@
+/* X509CertSelector.java -- selects X.509 certificates by criteria.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.classpath.SystemProperties;
+import gnu.java.security.OID;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * A concrete implementation of {@link CertSelector} for X.509 certificates,
+ * which allows a number of criteria to be set when accepting certificates,
+ * from validity dates, to issuer and subject distinguished names, to some
+ * of the various X.509 extensions.
+ *
+ * <p>Use of this class requires extensive knowledge of the Internet
+ * Engineering Task Force's Public Key Infrastructure (X.509). The primary
+ * document describing this standard is <a
+ * href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
+ * Public Key Infrastructure Certificate and Certificate Revocation List
+ * (CRL) Profile</a>.
+ *
+ * <p>Note that this class is not thread-safe. If multiple threads will
+ * use or modify this class then they need to synchronize on the object.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class X509CertSelector implements CertSelector, Cloneable
+{
+
+ // Constants and fields.
+ // -------------------------------------------------------------------------
+
+ private static final String AUTH_KEY_ID = "2.5.29.35";
+ private static final String SUBJECT_KEY_ID = "2.5.29.14";
+ private static final String NAME_CONSTRAINTS_ID = "2.5.29.30";
+
+ private int basicConstraints;
+ private X509Certificate cert;
+ private BigInteger serialNo;
+ private X500Principal issuer;
+ private X500Principal subject;
+ private byte[] subjectKeyId;
+ private byte[] authKeyId;
+ private boolean[] keyUsage;
+ private Date certValid;
+ private OID sigId;
+ private PublicKey subjectKey;
+ private X509EncodedKeySpec subjectKeySpec;
+ private Set keyPurposeSet;
+ private List altNames;
+ private boolean matchAllNames;
+ private byte[] nameConstraints;
+ private Set policy;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new X.509 certificate selector. The new selector will be
+ * empty, and will accept any certificate (provided that it is an
+ * {@link X509Certificate}).
+ */
+ public X509CertSelector()
+ {
+ basicConstraints = -1;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the certificate criterion, or <code>null</code> if this value
+ * was not set.
+ *
+ * @return The certificate.
+ */
+ public X509Certificate getCertificate()
+ {
+ return cert;
+ }
+
+ /**
+ * Sets the certificate criterion. If set, only certificates that are
+ * equal to the certificate passed here will be accepted.
+ *
+ * @param cert The certificate.
+ */
+ public void setCertificate(X509Certificate cert)
+ {
+ this.cert = cert;
+ }
+
+ /**
+ * Returns the serial number criterion, or <code>null</code> if this
+ * value was not set.
+ *
+ * @return The serial number.
+ */
+ public BigInteger getSerialNumber()
+ {
+ return serialNo;
+ }
+
+ /**
+ * Sets the serial number of the desired certificate. Only certificates that
+ * contain this serial number are accepted.
+ *
+ * @param serialNo The serial number.
+ */
+ public void setSerialNumber(BigInteger serialNo)
+ {
+ this.serialNo = serialNo;
+ }
+
+ /**
+ * Returns the issuer criterion as a string, or <code>null</code> if this
+ * value was not set.
+ *
+ * @return The issuer.
+ */
+ public String getIssuerAsString()
+ {
+ if (issuer != null)
+ return issuer.getName();
+ else
+ return null;
+ }
+
+ /**
+ * Returns the issuer criterion as a sequence of DER bytes, or
+ * <code>null</code> if this value was not set.
+ *
+ * @return The issuer.
+ */
+ public byte[] getIssuerAsBytes() throws IOException
+ {
+ if (issuer != null)
+ return issuer.getEncoded();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the issuer, specified as a string representation of the issuer's
+ * distinguished name. Only certificates issued by this issuer will
+ * be accepted.
+ *
+ * @param name The string representation of the issuer's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setIssuer(String name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ issuer = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ issuer = null;
+ }
+
+ /**
+ * Sets the issuer, specified as the DER encoding of the issuer's
+ * distinguished name. Only certificates issued by this issuer will
+ * be accepted.
+ *
+ * @param name The DER encoding of the issuer's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setIssuer(byte[] name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ issuer = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ issuer = null;
+ }
+
+ /**
+ * Returns the subject criterion as a string, of <code>null</code> if
+ * this value was not set.
+ *
+ * @return The subject.
+ */
+ public String getSubjectAsString()
+ {
+ if (subject != null)
+ return subject.getName();
+ else
+ return null;
+ }
+
+ /**
+ * Returns the subject criterion as a sequence of DER bytes, or
+ * <code>null</code> if this value is not set.
+ *
+ * @return The subject.
+ */
+ public byte[] getSubjectAsBytes() throws IOException
+ {
+ if (subject != null)
+ return subject.getEncoded();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the subject, specified as a string representation of the
+ * subject's distinguished name. Only certificates with the given
+ * subject will be accepted.
+ *
+ * @param name The string representation of the subject's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setSubject(String name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ subject = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ subject = null;
+ }
+
+ /**
+ * Sets the subject, specified as the DER encoding of the subject's
+ * distinguished name. Only certificates with the given subject will
+ * be accepted.
+ *
+ * @param name The DER encoding of the subject's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setSubject(byte[] name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ subject = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ subject = null;
+ }
+
+ /**
+ * Returns the subject key identifier criterion, or <code>null</code> if
+ * this value was not set. Note that the byte array is cloned to prevent
+ * modification.
+ *
+ * @return The subject key identifier.
+ */
+ public byte[] getSubjectKeyIdentifier()
+ {
+ if (subjectKeyId != null)
+ return (byte[]) subjectKeyId.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the subject key identifier criterion, or <code>null</code> to clear
+ * this criterion. Note that the byte array is cloned to prevent modification.
+ *
+ * @param subjectKeyId The subject key identifier.
+ */
+ public void setSubjectKeyIdentifier(byte[] subjectKeyId)
+ {
+ this.subjectKeyId = subjectKeyId != null ? (byte[]) subjectKeyId.clone() :
+ null;
+ }
+
+ /**
+ * Returns the authority key identifier criterion, or <code>null</code> if
+ * this value was not set. Note that the byte array is cloned to prevent
+ * modification.
+ *
+ * @return The authority key identifier.
+ */
+ public byte[] getAuthorityKeyIdentifier()
+ {
+ if (authKeyId != null)
+ return (byte[]) authKeyId.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the authority key identifier criterion, or <code>null</code> to clear
+ * this criterion. Note that the byte array is cloned to prevent modification.
+ *
+ * @param subjectKeyId The subject key identifier.
+ */
+ public void setAuthorityKeyIdentifier(byte[] authKeyId)
+ {
+ this.authKeyId = authKeyId != null ? (byte[]) authKeyId.clone() : null;
+ }
+
+ /**
+ * Returns the date at which certificates must be valid, or <code>null</code>
+ * if this criterion was not set.
+ *
+ * @return The target certificate valitity date.
+ */
+ public Date getCertificateValid()
+ {
+ if (certValid != null)
+ return (Date) certValid.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the date at which certificates must be valid. Specify
+ * <code>null</code> to clear this criterion.
+ *
+ * @param certValid The certificate validity date.
+ */
+ public void setCertificateValid(Date certValid)
+ {
+ this.certValid = certValid != null ? (Date) certValid.clone() : null;
+ }
+
+ /**
+ * This method, and its related X.509 certificate extension &mdash; the
+ * private key usage period &mdash; is not supported under the Internet
+ * PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this
+ * method is not supported either.
+ *
+ * <p>Do not use this method. It is not deprecated, as it is not deprecated
+ * in the Java standard, but it is basically a no-operation and simply
+ * returns <code>null</code>.
+ *
+ * @return Null.
+ */
+ public Date getPrivateKeyValid()
+ {
+ return null;
+ }
+
+ /**
+ * This method, and its related X.509 certificate extension &mdash; the
+ * private key usage period &mdash; is not supported under the Internet
+ * PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this
+ * method is not supported either.
+ *
+ * <p>Do not use this method. It is not deprecated, as it is not deprecated
+ * in the Java standard, but it is basically a no-operation.
+ *
+ * @param UNUSED Is silently ignored.
+ */
+ public void setPrivateKeyValid(Date UNUSED)
+ {
+ }
+
+ /**
+ * Returns the public key algorithm ID that matching certificates must have,
+ * or <code>null</code> if this criterion was not set.
+ *
+ * @return The public key algorithm ID.
+ */
+ public String getSubjectPublicKeyAlgID()
+ {
+ return String.valueOf(sigId);
+ }
+
+ /**
+ * Sets the public key algorithm ID that matching certificates must have.
+ * Specify <code>null</code> to clear this criterion.
+ *
+ * @param sigId The public key ID.
+ * @throws IOException If the specified ID is not a valid object identifier.
+ */
+ public void setSubjectPublicKeyAlgID(String sigId) throws IOException
+ {
+ if (sigId != null)
+ {
+ try
+ {
+ OID oid = new OID(sigId);
+ int[] comp = oid.getIDs();
+ if (!checkOid(comp))
+ throw new IOException("malformed OID: " + sigId);
+ this.sigId = oid;
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed OID: " + sigId);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else
+ this.sigId = null;
+ }
+
+ /**
+ * Returns the subject public key criterion, or <code>null</code> if this
+ * value is not set.
+ *
+ * @return The subject public key.
+ */
+ public PublicKey getSubjectPublicKey()
+ {
+ return subjectKey;
+ }
+
+ /**
+ * Sets the subject public key criterion as an opaque representation.
+ * Specify <code>null</code> to clear this criterion.
+ *
+ * @param key The public key.
+ */
+ public void setSubjectPublicKey(PublicKey key)
+ {
+ this.subjectKey = key;
+ if (key == null)
+ {
+ subjectKeySpec = null;
+ return;
+ }
+ try
+ {
+ KeyFactory enc = KeyFactory.getInstance("X.509");
+ subjectKeySpec = (X509EncodedKeySpec)
+ enc.getKeySpec(key, X509EncodedKeySpec.class);
+ }
+ catch (Exception x)
+ {
+ subjectKey = null;
+ subjectKeySpec = null;
+ }
+ }
+
+ /**
+ * Sets the subject public key criterion as a DER-encoded key. Specify
+ * <code>null</code> to clear this value.
+ *
+ * @param key The DER-encoded key bytes.
+ * @throws IOException If the argument is not a valid DER-encoded key.
+ */
+ public void setSubjectPublicKey(byte[] key) throws IOException
+ {
+ if (key == null)
+ {
+ subjectKey = null;
+ subjectKeySpec = null;
+ return;
+ }
+ try
+ {
+ subjectKeySpec = new X509EncodedKeySpec(key);
+ KeyFactory enc = KeyFactory.getInstance("X.509");
+ subjectKey = enc.generatePublic(subjectKeySpec);
+ }
+ catch (Exception x)
+ {
+ subjectKey = null;
+ subjectKeySpec = null;
+ IOException ioe = new IOException(x.getMessage());
+ ioe.initCause(x);
+ throw ioe;
+ }
+ }
+
+ /**
+ * Returns the public key usage criterion, or <code>null</code> if this
+ * value is not set. Note that the array is cloned to prevent modification.
+ *
+ * @return The public key usage.
+ */
+ public boolean[] getKeyUsage()
+ {
+ if (keyUsage != null)
+ return (boolean[]) keyUsage.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the public key usage criterion. Specify <code>null</code> to clear
+ * this value.
+ *
+ * @param keyUsage The public key usage.
+ */
+ public void setKeyUsage(boolean[] keyUsage)
+ {
+ this.keyUsage = keyUsage != null ? (boolean[]) keyUsage.clone() : null;
+ }
+
+ /**
+ * Returns the set of extended key purpose IDs, as an unmodifiable set
+ * of OID strings. Returns <code>null</code> if this criterion is not
+ * set.
+ *
+ * @return The set of key purpose OIDs (strings).
+ */
+ public Set getExtendedKeyUsage()
+ {
+ if (keyPurposeSet != null)
+ return Collections.unmodifiableSet(keyPurposeSet);
+ else
+ return null;
+ }
+
+ /**
+ * Sets the extended key usage criterion, as a set of OID strings. Specify
+ * <code>null</code> to clear this value.
+ *
+ * @param keyPurposeSet The set of key purpose OIDs.
+ * @throws IOException If any element of the set is not a valid OID string.
+ */
+ public void setExtendedKeyUsage(Set keyPurposeSet) throws IOException
+ {
+ if (keyPurposeSet == null)
+ {
+ this.keyPurposeSet = null;
+ return;
+ }
+ Set s = new HashSet();
+ for (Iterator it = keyPurposeSet.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if (!(o instanceof String))
+ throw new IOException("not a string: " + o);
+ try
+ {
+ OID oid = new OID((String) o);
+ int[] comp = oid.getIDs();
+ if (!checkOid(comp))
+ throw new IOException("malformed OID: " + o);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed OID: " + o);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ this.keyPurposeSet = s;
+ }
+
+ /**
+ * Returns whether or not all specified alternative names must match.
+ * If false, a certificate is considered a match if <em>one</em> of the
+ * specified alternative names matches.
+ *
+ * @return true if all names must match.
+ */
+ public boolean getMatchAllSubjectAltNames()
+ {
+ return matchAllNames;
+ }
+
+ /**
+ * Sets whether or not all subject alternative names must be matched.
+ * If false, then a certificate will be considered a match if one
+ * alternative name matches.
+ *
+ * @param matchAllNames Whether or not all alternative names must be
+ * matched.
+ */
+ public void setMatchAllSubjectAltNames(boolean matchAllNames)
+ {
+ this.matchAllNames = matchAllNames;
+ }
+
+ /**
+ * Sets the subject alternative names critertion. Each element of the
+ * argument must be a {@link java.util.List} that contains exactly two
+ * elements: the first an {@link Integer}, representing the type of
+ * name, and the second either a {@link String} or a byte array,
+ * representing the name itself.
+ *
+ * @param altNames The alternative names.
+ * @throws IOException If any element of the argument is invalid.
+ */
+ public void setSubjectAlternativeNames(Collection altNames)
+ throws IOException
+ {
+ if (altNames == null)
+ {
+ this.altNames = null;
+ return;
+ }
+ List l = new ArrayList(altNames.size());
+ for (Iterator it = altNames.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if (!(o instanceof List) || ((List) o).size() != 2 ||
+ !(((List) o).get(0) instanceof Integer) ||
+ !(((List) o).get(1) instanceof String) ||
+ !(((List) o).get(1) instanceof byte[]))
+ throw new IOException("illegal alternative name: " + o);
+ Integer i = (Integer) ((List) o).get(0);
+ if (i.intValue() < 0 || i.intValue() > 8)
+ throw new IOException("illegal alternative name: " + o +
+ ", bad id: " + i);
+ l.add(new ArrayList((List) o));
+ }
+ this.altNames = l;
+ }
+
+ /**
+ * Add a name to the subject alternative names criterion.
+ *
+ * @param id The type of name this is. Must be in the range [0,8].
+ * @param name The name.
+ * @throws IOException If the id is out of range, or if the name
+ * is null.
+ */
+ public void addSubjectAlternativeName(int id, String name)
+ throws IOException
+ {
+ if (id < 0 || id > 8 || name == null)
+ throw new IOException("illegal alternative name");
+ if (altNames == null)
+ altNames = new LinkedList();
+ ArrayList l = new ArrayList(2);
+ l.add(new Integer(id));
+ l.add(name);
+ altNames.add(l);
+ }
+
+ /**
+ * Add a name, as DER-encoded bytes, to the subject alternative names
+ * criterion.
+ *
+ * @param id The type of name this is.
+ */
+ public void addSubjectAlternativeName(int id, byte[] name)
+ throws IOException
+ {
+ if (id < 0 || id > 8 || name == null)
+ throw new IOException("illegal alternative name");
+ if (altNames == null)
+ altNames = new LinkedList();
+ ArrayList l = new ArrayList(2);
+ l.add(new Integer(id));
+ l.add(name);
+ altNames.add(l);
+ }
+
+ /**
+ * Returns the name constraints criterion, or <code>null</code> if this
+ * value is not set. Note that the byte array is cloned to prevent
+ * modification.
+ *
+ * @return The name constraints.
+ */
+ public byte[] getNameConstraints()
+ {
+ if (nameConstraints != null)
+ return (byte[]) nameConstraints.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the name constraints criterion; specify <code>null</code> to
+ * clear this criterion. Note that if non-null, the argument will be
+ * cloned to prevent modification.
+ *
+ * @param nameConstraints The new name constraints.
+ * @throws IOException If the argument is not a valid DER-encoded
+ * name constraints.
+ */
+ public void setNameConstraints(byte[] nameConstraints)
+ throws IOException
+ {
+ // FIXME check if the argument is valid.
+ this.nameConstraints = nameConstraints != null
+ ? (byte[]) nameConstraints.clone() : null;
+ }
+
+ /**
+ * Returns the basic constraints criterion, or -1 if this value is not set.
+ *
+ * @return The basic constraints.
+ */
+ public int getBasicConstraints()
+ {
+ return basicConstraints;
+ }
+
+ /**
+ * Sets the basic constraints criterion. Specify -1 to clear this parameter.
+ *
+ * @param basicConstraints The new basic constraints value.
+ */
+ public void setBasicConstraints(int basicConstraints)
+ {
+ if (basicConstraints < -1)
+ basicConstraints = -1;
+ this.basicConstraints = basicConstraints;
+ }
+
+ // The last two criteria not yet implemented are certificate policies
+ // and path-to-names. Both of these are somewhat advanced extensions
+ // (you could probably count the applications that actually use them
+ // on one hand), and they both have no support in the X509Certificate
+ // class.
+ //
+ // Not having support in X509Certificate is not always a problem; for
+ // example, we can compare DER-encoded values as byte arrays for some
+ // extensions. We can't, however, compare them if they are specified
+ // in a set (as policies are). We need to parse the actual value in the
+ // certificate, and check it against the specified set.
+
+ // FIXME
+// public void setPolicy(Set policy) throws IOException
+// {
+// if (policy != null)
+// {
+// for (Iterator it = policy.iterator(); it.hasNext(); )
+// try
+// {
+// OID oid = new OID((String) it.next());
+// int[] i = oid.getIDs();
+// if (!checkOid(i))
+// throw new IOException("invalid OID");
+// }
+// catch (Exception x)
+// {
+// throw new IOException("invalid OID");
+// }
+// }
+// this.policy = policy != null ? new HashSet(policy) : null;
+// }
+
+ // FIXME
+// public void setPathToNames(Collection names) throws IOException
+// {
+// if (names == null)
+// {
+// this.names = null;
+// return;
+// }
+// for (Iterator it = names.iterator(); it.hasNext(); )
+// {
+// try
+// {
+// List l = (List) it.next();
+// if (l.get(1) instanceof String)
+// addPathToName(((Integer)l.get(0)).intValue(), (String)l.get(1));
+// else
+// addPathToName(((Integer)l.get(0)).intValue(), (byte[])l.get(1));
+// }
+// catch (Exception x)
+// {
+// this.names = null;
+// throw new IOException("invalid names");
+// }
+// }
+// }
+
+ // FIXME
+// public void addPathToName(int id, String name) throws IOException
+// {
+// }
+
+ // FIXME
+// public void addPathToName(int id, byte[] name) throws IOException
+// {
+// }
+
+ // FIXME
+// public Collection getSubjectAlternativeNames()
+// {
+// return null;
+// }
+
+ // FIXME
+// public Set getPolicy()
+// {
+// return null;
+// }
+
+ // FIXME
+// public Collection getPathToNames()
+// {
+// return null;
+// }
+
+ /**
+ * Match a certificate. This method will check the given certificate
+ * against all the enabled criteria of this selector, and will return
+ * <code>true</code> if the given certificate matches.
+ *
+ * @param certificate The certificate to check.
+ * @return true if the certificate matches all criteria.
+ */
+ public boolean match(Certificate certificate)
+ {
+ if (!(certificate instanceof X509Certificate))
+ return false;
+ X509Certificate cert = (X509Certificate) certificate;
+ if (this.cert != null)
+ {
+ try
+ {
+ byte[] e1 = this.cert.getEncoded();
+ byte[] e2 = cert.getEncoded();
+ if (!Arrays.equals(e1, e2))
+ return false;
+ }
+ catch (CertificateEncodingException cee)
+ {
+ return false;
+ }
+ }
+ if (serialNo != null)
+ {
+ if (!serialNo.equals(cert.getSerialNumber()))
+ return false;
+ }
+ if (certValid != null)
+ {
+ try
+ {
+ cert.checkValidity(certValid);
+ }
+ catch (CertificateException ce)
+ {
+ return false;
+ }
+ }
+ if (issuer != null)
+ {
+ if (!issuer.equals(cert.getIssuerX500Principal()))
+ return false;
+ }
+ if (subject != null)
+ {
+ if (!subject.equals(cert.getSubjectX500Principal()))
+ return false;
+ }
+ if (sigId != null)
+ {
+ if (!sigId.equals(cert.getSigAlgOID()))
+ return false;
+ }
+ if (subjectKeyId != null)
+ {
+ byte[] b = cert.getExtensionValue(SUBJECT_KEY_ID);
+ if (!Arrays.equals(b, subjectKeyId))
+ return false;
+ }
+ if (authKeyId != null)
+ {
+ byte[] b = cert.getExtensionValue(AUTH_KEY_ID);
+ if (!Arrays.equals(b, authKeyId))
+ return false;
+ }
+ if (keyUsage != null)
+ {
+ boolean[] b = cert.getKeyUsage();
+ if (!Arrays.equals(b, keyUsage))
+ return false;
+ }
+ if (basicConstraints >= 0)
+ {
+ if (cert.getBasicConstraints() != basicConstraints)
+ return false;
+ }
+ if (keyPurposeSet != null)
+ {
+ List kp = null;
+ try
+ {
+ kp = cert.getExtendedKeyUsage();
+ }
+ catch (CertificateParsingException cpe)
+ {
+ return false;
+ }
+ if (kp == null)
+ return false;
+ for (Iterator it = keyPurposeSet.iterator(); it.hasNext(); )
+ {
+ if (!kp.contains(it.next()))
+ return false;
+ }
+ }
+ if (altNames != null)
+ {
+ Collection an = null;
+ try
+ {
+ an = cert.getSubjectAlternativeNames();
+ }
+ catch (CertificateParsingException cpe)
+ {
+ return false;
+ }
+ if (an == null)
+ return false;
+ int match = 0;
+ for (Iterator it = altNames.iterator(); it.hasNext(); )
+ {
+ List l = (List) it.next();
+ Integer id = (Integer) l.get(0);
+ String s = null;
+ byte[] b = null;
+ if (l.get(1) instanceof String)
+ s = (String) l.get(1);
+ else if (l.get(1) instanceof byte[])
+ b = (byte[]) l.get(1);
+ else
+ return false;
+ for (Iterator it2 = an.iterator(); it2.hasNext(); )
+ {
+ Object o = it2.next();
+ if (!(o instanceof List))
+ continue;
+ List l2 = (List) o;
+ if (l2.size() != 2)
+ continue;
+ if (!id.equals(l2.get(0)))
+ continue;
+ if (s != null && (l2.get(1) instanceof String) &&
+ s.equals(l2.get(1)))
+ match++;
+ else if (b != null && (l2.get(1) instanceof byte[]) &&
+ Arrays.equals(b, (byte[]) l2.get(1)))
+ match++;
+ }
+ if (match == 0 || (matchAllNames && match != altNames.size()))
+ return false;
+ }
+ }
+ if (nameConstraints != null)
+ {
+ byte[] nc = cert.getExtensionValue(NAME_CONSTRAINTS_ID);
+ if (!Arrays.equals(nameConstraints, nc))
+ return false;
+ }
+
+ // FIXME check policies.
+ // FIXME check path-to-names.
+
+ return true;
+ }
+
+ public String toString()
+ {
+ StringBuffer str = new StringBuffer(X509CertSelector.class.getName());
+ String nl = SystemProperties.getProperty("line.separator");
+ String eol = ";" + nl;
+ str.append(" {").append(nl);
+ if (cert != null)
+ str.append(" certificate = ").append(cert).append(eol);
+ if (basicConstraints >= 0)
+ str.append(" basic constraints = ").append(basicConstraints).append(eol);
+ if (serialNo != null)
+ str.append(" serial number = ").append(serialNo).append(eol);
+ if (certValid != null)
+ str.append(" valid date = ").append(certValid).append(eol);
+ if (issuer != null)
+ str.append(" issuer = ").append(issuer).append(eol);
+ if (subject != null)
+ str.append(" subject = ").append(subject).append(eol);
+ if (sigId != null)
+ str.append(" signature OID = ").append(sigId).append(eol);
+ if (subjectKey != null)
+ str.append(" subject public key = ").append(subjectKey).append(eol);
+ if (subjectKeyId != null)
+ {
+ str.append(" subject key ID = ");
+ for (int i = 0; i < subjectKeyId.length; i++)
+ {
+ str.append(Character.forDigit((subjectKeyId[i] & 0xF0) >>> 8, 16));
+ str.append(Character.forDigit((subjectKeyId[i] & 0x0F), 16));
+ if (i < subjectKeyId.length - 1)
+ str.append(':');
+ }
+ str.append(eol);
+ }
+ if (authKeyId != null)
+ {
+ str.append(" authority key ID = ");
+ for (int i = 0; i < authKeyId.length; i++)
+ {
+ str.append(Character.forDigit((authKeyId[i] & 0xF0) >>> 8, 16));
+ str.append(Character.forDigit((authKeyId[i] & 0x0F), 16));
+ if (i < authKeyId.length - 1)
+ str.append(':');
+ }
+ str.append(eol);
+ }
+ if (keyUsage != null)
+ {
+ str.append(" key usage = ");
+ for (int i = 0; i < keyUsage.length; i++)
+ str.append(keyUsage[i] ? '1' : '0');
+ str.append(eol);
+ }
+ if (keyPurposeSet != null)
+ str.append(" key purpose = ").append(keyPurposeSet).append(eol);
+ if (altNames != null)
+ str.append(" alternative names = ").append(altNames).append(eol);
+ if (nameConstraints != null)
+ str.append(" name constraints = <blob of data>").append(eol);
+ str.append("}").append(nl);
+ return str.toString();
+ }
+
+ public Object clone()
+ {
+ try
+ {
+ return super.clone();
+ }
+ catch (CloneNotSupportedException shouldNotHappen)
+ {
+ throw new Error(shouldNotHappen);
+ }
+ }
+
+ // Own methods.
+ // -------------------------------------------------------------------------
+
+ private static boolean checkOid(int[] oid)
+ {
+ return (oid != null && oid.length > 2 &&
+ (oid[0] >= 0 && oid[0] <= 2) && (oid[1] >= 0 && oid[1] <= 39));
+ }
+}
diff --git a/libjava/classpath/java/security/cert/X509Certificate.java b/libjava/classpath/java/security/cert/X509Certificate.java
new file mode 100644
index 00000000000..f6c6fcfb9a4
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509Certificate.java
@@ -0,0 +1,588 @@
+/* X509Certificate.java --- X.509 Certificate class
+ Copyright (C) 1999,2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.math.BigInteger;
+import java.security.Principal;
+import java.util.Date;
+
+/**
+ * X509Certificate is the abstract class for X.509 certificates.
+ * This provides a stanard class interface for accessing all
+ * the attributes of X.509 certificates.
+ *
+ * <p>In June 1996, the basic X.509 v3 format was finished by
+ * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
+ *
+ * <blockquote><pre>
+ * Certificate ::= SEQUENCE {
+ * tbsCertificate TBSCertificate,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signatureValue BIT STRING }
+ * </pre></blockquote>
+ *
+ * <p>These certificates are widely used in various Internet
+ * protocols to support authentication. It is used in
+ * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
+ * Secure Sockets Layer (SSL), code signing for trusted software
+ * distribution, and Secure Electronic Transactions (SET).
+ *
+ * <p>The certificates are managed and vouched for by
+ * <I>Certificate Authorities</I> (CAs). CAs are companies or
+ * groups that create certificates by placing the data in the
+ * X.509 certificate format and signing it with their private
+ * key. CAs serve as trusted third parties by certifying that
+ * the person or group specified in the certificate is who
+ * they say they are.
+ *
+ * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
+ *
+ * <blockquote><pre>
+ * TBSCertificate ::= SEQUENCE {
+ * version [0] EXPLICIT Version DEFAULT v1,
+ * serialNumber CertificateSerialNumber,
+ * signature AlgorithmIdentifier,
+ * issuer Name,
+ * validity Validity,
+ * subject Name,
+ * subjectPublicKeyInfo SubjectPublicKeyInfo,
+ * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ * -- If present, version shall be v2 or v3
+ * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ * -- If present, version shall be v2 or v3
+ * extensions [3] EXPLICIT Extensions OPTIONAL
+ * -- If present, version shall be v3
+ * }
+ *
+ * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ *
+ * CertificateSerialNumber ::= INTEGER
+ *
+ * Validity ::= SEQUENCE {
+ * notBefore Time,
+ * notAfter Time }
+ *
+ * Time ::= CHOICE {
+ * utcTime UTCTime,
+ * generalTime GeneralizedTime }
+ *
+ * UniqueIdentifier ::= BIT STRING
+ *
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ *
+ * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ * Extension ::= SEQUENCE {
+ * extnID OBJECT IDENTIFIER,
+ * critical BOOLEAN DEFAULT FALSE,
+ * extnValue OCTET STRING }
+ * </pre></blockquote>
+ *
+ * Certificates are created with the CertificateFactory.
+ *
+ * <p>References:
+ *
+ * <ol>
+ * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
+ * Communication between heterogeneous systems</i>, (C) September 2000,
+ * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
+ * <a
+ * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
+ * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
+ * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
+ * Profile</a></i>.</li>
+ * </ol>
+ *
+ * @since JDK 1.2
+ * @author Mark Benvenuto
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class X509Certificate
+ extends java.security.cert.Certificate // XXX workaround for gcj bug #17845
+ implements X509Extension
+{
+ private static final long serialVersionUID = -2491127588187038216L;
+
+ /**
+ * Constructs a new certificate of the specified type.
+ */
+ protected X509Certificate()
+ {
+ super( "X.509" );
+ }
+
+ /**
+ Checks the validity of the X.509 certificate. It is valid
+ if the current date and time are within the period specified
+ by the certificate.
+
+ The ASN.1 DER encoding is:
+
+ validity Validity,
+
+ Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @throws CertificateExpiredException if the certificate expired
+ @throws CertificateNotYetValidException if the certificate is
+ not yet valid
+ */
+ public abstract void checkValidity()
+ throws CertificateExpiredException,
+ CertificateNotYetValidException;
+
+ /**
+ Checks the validity of the X.509 certificate for the
+ specified time and date. It is valid if the specified
+ date and time are within the period specified by
+ the certificate.
+
+ @throws CertificateExpiredException if the certificate expired
+ based on the date
+ @throws CertificateNotYetValidException if the certificate is
+ not yet valid based on the date
+ */
+ public abstract void checkValidity(Date date)
+ throws CertificateExpiredException,
+ CertificateNotYetValidException;
+
+ /**
+ Returns the version of this certificate.
+
+ The ASN.1 DER encoding is:
+
+ version [0] EXPLICIT Version DEFAULT v1,
+
+ Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+ Consult rfc2459 for more information.
+
+ @return version number of certificate
+ */
+ public abstract int getVersion();
+
+ /**
+ Gets the serial number for serial Number in
+ this Certifcate. It must be a unique number
+ unique other serial numbers from the granting CA.
+
+ The ASN.1 DER encoding is:
+
+ serialNumber CertificateSerialNumber,
+
+ CertificateSerialNumber ::= INTEGER
+
+ Consult rfc2459 for more information.
+
+ @return the serial number for this X509CRLEntry.
+ */
+ public abstract BigInteger getSerialNumber();
+
+ /**
+ Returns the issuer (issuer distinguished name) of the
+ Certificate. The issuer is the entity who signed
+ and issued the Certificate.
+
+ The ASN.1 DER encoding is:
+
+ issuer Name,
+
+ Name ::= CHOICE {
+ RDNSequence }
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ RelativeDistinguishedName ::=
+ SET OF AttributeTypeAndValue
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+ AttributeType ::= OBJECT IDENTIFIER
+
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1.. MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+ Consult rfc2459 for more information.
+
+ @return the issuer in the Principal class
+ */
+ public abstract Principal getIssuerDN();
+
+ /**
+ Returns the subject (subject distinguished name) of the
+ Certificate. The subject is the entity who the Certificate
+ identifies.
+
+ The ASN.1 DER encoding is:
+
+ subject Name,
+
+ Consult rfc2459 for more information.
+
+ @return the issuer in the Principal class
+ */
+ public abstract Principal getSubjectDN();
+
+ /**
+ Returns the date that this certificate is not to be used
+ before, <I>notBefore</I>.
+
+ The ASN.1 DER encoding is:
+
+ validity Validity,
+
+ Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @return the date <I>notBefore</I>
+ */
+ public abstract Date getNotBefore();
+
+ /**
+ Returns the date that this certificate is not to be used
+ after, <I>notAfter</I>.
+
+ @return the date <I>notAfter</I>
+ */
+ public abstract Date getNotAfter();
+
+
+ /**
+ Returns the <I>tbsCertificate</I> from the certificate.
+
+ @return the DER encoded tbsCertificate
+
+ @throws CertificateEncodingException if encoding error occurred
+ */
+ public abstract byte[] getTBSCertificate() throws CertificateEncodingException;
+
+ /**
+ Returns the signature in its raw DER encoded format.
+
+ The ASN.1 DER encoding is:
+
+ signatureValue BIT STRING
+
+ Consult rfc2459 for more information.
+
+ @return byte array representing signature
+ */
+ public abstract byte[] getSignature();
+
+ /**
+ Returns the signature algorithm used to sign the CRL.
+ An examples is "SHA-1/DSA".
+
+ The ASN.1 DER encoding is:
+
+ signatureAlgorithm AlgorithmIdentifier,
+
+ AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+
+ Consult rfc2459 for more information.
+
+ The algorithm name is determined from the OID.
+
+ @return a string with the signature algorithm name
+ */
+ public abstract String getSigAlgName();
+
+
+ /**
+ Returns the OID for the signature algorithm used.
+ Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
+
+ The ASN.1 DER encoding for the example is:
+
+ id-dsa-with-sha1 ID ::= {
+ iso(1) member-body(2) us(840) x9-57 (10040)
+ x9cm(4) 3 }
+
+ Consult rfc2459 for more information.
+
+ @return a string containing the OID.
+ */
+ public abstract String getSigAlgOID();
+
+
+ /**
+ Returns the AlgorithmParameters in the encoded form
+ for the signature algorithm used.
+
+ If access to the parameters is need, create an
+ instance of AlgorithmParameters.
+
+ @return byte array containing algorithm parameters, null
+ if no parameters are present in certificate
+ */
+ public abstract byte[] getSigAlgParams();
+
+
+ /**
+ Returns the issuer unique ID for this certificate.
+
+ The ASN.1 DER encoding is:
+
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+
+ UniqueIdentifier ::= BIT STRING
+
+ Consult rfc2459 for more information.
+
+ @return bit representation of <I>issuerUniqueID</I>
+ */
+ public abstract boolean[] getIssuerUniqueID();
+
+ /**
+ Returns the subject unique ID for this certificate.
+
+ The ASN.1 DER encoding is:
+
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+
+ UniqueIdentifier ::= BIT STRING
+
+ Consult rfc2459 for more information.
+
+ @return bit representation of <I>subjectUniqueID</I>
+ */
+ public abstract boolean[] getSubjectUniqueID();
+
+ /**
+ Returns a boolean array representing the <I>KeyUsage</I>
+ extension for the certificate. The KeyUsage (OID = 2.5.29.15)
+ defines the purpose of the key in the certificate.
+
+ The ASN.1 DER encoding is:
+
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+ Consult rfc2459 for more information.
+
+ @return bit representation of <I>KeyUsage</I>
+ */
+ public abstract boolean[] getKeyUsage();
+
+ /**
+ Returns the certificate constraints path length from the
+ critical BasicConstraints extension, (OID = 2.5.29.19).
+
+ The basic constraints extensions is used to determine if
+ the subject of the certificate is a Certificate Authority (CA)
+ and how deep the certification path may exist. The
+ <I>pathLenConstraint</I> only takes affect if <I>cA</I>
+ is set to true. "A value of zero indicates that only an
+ end-entity certificate may follow in the path." (rfc2459)
+
+ The ASN.1 DER encoding is:
+
+ id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+
+ BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+ Consult rfc2459 for more information.
+
+ @return the length of the path constraint if BasicConstraints
+ is present and cA is TRUE. Otherwise returns -1.
+ */
+ public abstract int getBasicConstraints();
+
+ // 1.4 instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the <code>ExtendedKeyUsage</code> extension of this
+ * certificate, or null if there is no extension present. The returned
+ * value is a {@link java.util.List} strings representing the object
+ * identifiers of the extended key usages. This extension has the OID
+ * 2.5.29.37.
+ *
+ * <p>The ASN.1 definition for this extension is:
+ *
+ * <blockquote><pre>
+ * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ * </pre></blockquote>
+ *
+ * @return The list of extension OIDs, or null if there are none
+ * present in this certificate.
+ * @throws CertificateParsingException If this extension cannot be
+ * parsed from its encoded form.
+ */
+ public java.util.List getExtendedKeyUsage()
+ throws CertificateParsingException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the alternative names for this certificate's subject (the
+ * owner), or null if there are none.
+ *
+ * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
+ * the ASN.1 construction:
+ *
+ * <blockquote><pre>
+ * SubjectAltNames ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ * otherName [0] OtherName,
+ * rfc822Name [1] IA5String,
+ * dNSName [2] IA5String,
+ * x400Address [3] ORAddress,
+ * directoryName [4] Name,
+ * ediPartyName [5] EDIPartyName,
+ * uniformResourceIdentifier [6] IA5String,
+ * iPAddress [7] OCTET STRING,
+ * registeredID [8] OBJECT IDENTIFIER
+ * }
+ * </pre></blockquote>
+ *
+ * <p>The returned collection contains one or more two-element Lists,
+ * with the first object being an Integer representing the choice
+ * above (with value 0 through 8) and the second being an (a) String
+ * if the <code>GeneralName</code> is a rfc822Name, dNSName,
+ * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
+ * byte array of the DER encoded form for any others.
+ *
+ * @return The collection of alternative names, or null if there are
+ * none.
+ * @throws CertificateParsingException If the encoded extension cannot
+ * be parsed.
+ * @since JDK 1.4
+ */
+ public java.util.Collection getSubjectAlternativeNames()
+ throws CertificateParsingException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the alternative names for this certificate's issuer, or
+ * null if there are none.
+ *
+ * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
+ * the ASN.1 construction:
+ *
+ * <blockquote><pre>
+ * IssuerAltNames ::= GeneralNames
+ * </pre></blockquote>
+ *
+ * <p>The <code>GeneralNames</code> construct and the form of the
+ * returned collection are the same as with {@link
+ * #getSubjectAlternativeNames()}.
+ *
+ * @return The collection of alternative names, or null if there are
+ * none.
+ * @throws CertificateParsingException If the encoded extension cannot
+ * be parsed.
+ * @since JDK 1.4
+ */
+ public java.util.Collection getIssuerAlternativeNames()
+ throws CertificateParsingException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the X.500 distinguished name of this certificate's subject.
+ *
+ * @return The subject's X.500 distinguished name.
+ * @since JDK 1.4
+ */
+ public javax.security.auth.x500.X500Principal getSubjectX500Principal()
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the X.500 distinguished name of this certificate's issuer.
+ *
+ * @return The issuer's X.500 distinguished name.
+ * @since JDK 1.4
+ */
+ public javax.security.auth.x500.X500Principal getIssuerX500Principal()
+ {
+ throw new UnsupportedOperationException();
+ }
+}
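Review bot: The five JDK 1.4 accessors at the end of the class (`getExtendedKeyUsage`, `getSubjectAlternativeNames`, `getIssuerAlternativeNames`, `getSubjectX500Principal`, `getIssuerX500Principal`) throw `UnsupportedOperationException` by default, but their Javadoc does not mention it. The Javadoc promises only a value or null, plus `CertificateParsingException` for the three collection-returning methods. `X509CertSelector.match` in this same patch calls four of them and catches only `CertificateParsingException`. A certificate subclass that does not override them therefore makes a selector with issuer, subject, key-purpose or alternative-name criteria throw instead of returning false. I would state the contract on each method, e.g. `@throws UnsupportedOperationException if the concrete certificate class does not override this method`, so implementers know these must be overridden before the certificate is used for selection or path building.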
diff --git a/libjava/classpath/java/security/cert/X509Extension.java b/libjava/classpath/java/security/cert/X509Extension.java
new file mode 100644
index 00000000000..d2cb80a9f57
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509Extension.java
@@ -0,0 +1,113 @@
+/* X509Extension.java --- X.509 Extension
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+import java.util.Set;
+
+/**
+ Public interface for the X.509 Extension.
+
+ This is used for X.509 v3 Certificates and CRL v2 (Certificate
+ Revocation Lists) for managing attributes assoicated with
+ Certificates, for managing the hierarchy of certificates,
+ and for managing the distribution of CRL. This extension
+ format is used to define private extensions.
+
+ Each extensions for a certificate or CRL must be marked
+ either critical or non-critical. If the certificate/CRL
+ system encounters a critical extension not recognized then
+ it must reject the certificate. A non-critical extension
+ may be just ignored if not recognized.
+
+
+ The ASN.1 definition for this class is:
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+ Extension ::= SEQUENCE {
+ extnId OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING
+ -- contains a DER encoding of a value
+ -- of the type registered for use with
+ -- the extnId object identifier value
+ }
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public interface X509Extension
+{
+
+ /**
+ Returns true if the certificate contains a critical extension
+ that is not supported.
+
+ @return true if has unsupported extension, false otherwise
+ */
+ boolean hasUnsupportedCriticalExtension();
+
+ /**
+ Returns a set of the CRITICAL extension OIDs from the
+ certificate/CRL that the object implementing this interface
+ manages.
+
+ @return A Set containing the OIDs. If there are no CRITICAL
+ extensions or extensions at all this returns null.
+ */
+ Set getCriticalExtensionOIDs();
+
+ /**
+ Returns a set of the NON-CRITICAL extension OIDs from the
+ certificate/CRL that the object implementing this interface
+ manages.
+
+ @return A Set containing the OIDs. If there are no NON-CRITICAL
+ extensions or extensions at all this returns null.
+ */
+ Set getNonCriticalExtensionOIDs();
+
+ /**
+ Returns the DER encoded OCTET string for the specified
+ extension value identified by a OID. The OID is a string
+ of number separated by periods. Ex: 12.23.45.67
+ */
+ byte[] getExtensionValue(String oid);
+
+}
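Review bot: The example OID in the `getExtensionValue` comment, `12.23.45.67`, is not a well-formed object identifier. The first arc can only be 0, 1 or 2, which is also what `checkOid` in X509CertSelector (same patch) enforces. Use an extension OID already cited in this patch, e.g. `Ex: 2.5.29.15` (KeyUsage). The comment also has no `@param oid` or `@return` and does not say what comes back when the extension is absent. `X509CertSelector.match` passes the result straight to `Arrays.equals`, so it presumably expects null in that case; I would state it, e.g. `@return the DER-encoded OCTET STRING wrapping the extension value, or null if the extension is not present`.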
diff --git a/libjava/classpath/java/security/cert/package.html b/libjava/classpath/java/security/cert/package.html
new file mode 100644
index 00000000000..14b12d16cc3
--- /dev/null
+++ b/libjava/classpath/java/security/cert/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in java.security.cert package.
+ Copyright (C) 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - java.security.cert</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>
diff --git a/libjava/classpath/java/security/interfaces/DSAKey.java b/libjava/classpath/java/security/interfaces/DSAKey.java
new file mode 100644
index 00000000000..c6e819eb0e5
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/DSAKey.java
@@ -0,0 +1,56 @@
+/* DSAKey.java -- Interface for Digital Signature Algorithm key
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+/**
+ * This interface is implemented by a class to return the parameters
+ * of a Digital Signature Algorithm (DSA) public or private key.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface DSAKey
+{
+ /**
+ * This method returns non-secret parameters of the DSA key
+ *
+ * @return The DSA parameters
+ */
+ DSAParams getParams();
+}
diff --git a/libjava/classpath/java/security/interfaces/DSAKeyPairGenerator.java b/libjava/classpath/java/security/interfaces/DSAKeyPairGenerator.java
new file mode 100644
index 00000000000..e657c54b4e6
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/DSAKeyPairGenerator.java
@@ -0,0 +1,85 @@
+/* DSAKeyPairGenerator.java -- Initialize a DSA key generator
+ Copyright (C) 1998, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.security.InvalidParameterException;
+import java.security.SecureRandom;
+
+/**
+ * This interface contains methods for intializing a Digital Signature
+ * Algorithm key generation engine. The initialize methods may be called
+ * any number of times. If no explicity initialization call is made, then
+ * the engine defaults to generating 1024-bit keys using pre-calculated
+ * base, prime, and subprime values.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface DSAKeyPairGenerator
+{
+ /**
+ * Initializes the key generator with the specified DSA parameters and
+ * random bit source
+ *
+ * @param params The DSA parameters to use
+ * @param random The random bit source to use
+ *
+ * @exception InvalidParameterException If the parameters passed are not valid
+ */
+ void initialize (DSAParams params, SecureRandom random)
+ throws InvalidParameterException;
+
+ /**
+ * Initializes the key generator to a give modulus. If the <code>genParams</code>
+ * value is <code>true</code> then new base, prime, and subprime values
+ * will be generated for the given modulus. If not, the pre-calculated
+ * values will be used. If no pre-calculated values exist for the specified
+ * modulus, an exception will be thrown. It is guaranteed that there will
+ * always be pre-calculated values for all modulus values between 512 and
+ * 1024 bits inclusives.
+ *
+ * @param modlen The modulus length
+ * @param genParams <code>true</code> to generate new DSA parameters, <code>false</code> otherwise
+ * @param random The random bit source to use
+ *
+ * @exception InvalidParameterException If a parameter is invalid
+ */
+ void initialize (int modlen, boolean genParams, SecureRandom random)
+ throws InvalidParameterException;
+}
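Review bot: The Javadoc for `initialize (int modlen, boolean genParams, SecureRandom random)` promises an exception when `genParams` is false and no pre-calculated values exist for `modlen`, but its `@exception` tag only says "If a parameter is invalid". I would spell the case out as `@exception InvalidParameterException If a parameter is invalid, or if genParams is false and no pre-calculated values exist for modlen`. The 1024-bit default and the guaranteed 512 to 1024 bit range describe what the engine supports, not what is safe to deploy; current guidance treats DSA moduli below 2048 bits as too weak for new signatures, and a sentence saying so would help callers. Neither method says whether `random` may be null. The comments also contain typos: "intializing", "explicity", "a give modulus", "inclusives".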
diff --git a/libjava/classpath/java/security/interfaces/DSAParams.java b/libjava/classpath/java/security/interfaces/DSAParams.java
new file mode 100644
index 00000000000..42baeeb9570
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/DSAParams.java
@@ -0,0 +1,72 @@
+/* DSAParams.java -- Digital Signature Algorithm parameter access
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+
+/**
+ * This interface allows the Digital Signature Algorithm (DSA) parameters
+ * to be queried.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface DSAParams
+{
+ /**
+ * Returns the base, or 'g' value
+ *
+ * @return The DSA base value
+ */
+ BigInteger getG();
+
+ /**
+ * Returns the prime, or 'p' value
+ *
+ * @return The DSA prime value
+ */
+ BigInteger getP();
+
+ /**
+ * Returns the subprime, or 'q' value
+ *
+ * @return The DSA subprime value
+ */
+ BigInteger getQ();
+}
diff --git a/libjava/classpath/java/security/interfaces/DSAPrivateKey.java b/libjava/classpath/java/security/interfaces/DSAPrivateKey.java
new file mode 100644
index 00000000000..d79b34b9043
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/DSAPrivateKey.java
@@ -0,0 +1,61 @@
+/* DSAPublicKey.java -- A Digital Signature Algorithm private key
+ Copyright (C) 1998, 2000, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+import java.security.PrivateKey;
+
+/**
+ * This interface models a Digital Signature Algorithm (DSA) private key
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface DSAPrivateKey extends DSAKey, PrivateKey
+{
+ /**
+ * The version identifier used for serialization.
+ */
+ long serialVersionUID = 7776497482533790279L;
+
+ /**
+ * This method returns the value of the DSA private key
+ */
+ BigInteger getX();
+}
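Review bot: The header comment of DSAPrivateKey.java opens with `DSAPublicKey.java -- A Digital Signature Algorithm private key`, so the first line names the wrong file; it should read `/* DSAPrivateKey.java -- A Digital Signature Algorithm private key`. `getX()` has no `@return` tag, unlike the getters in DSAParams.java, and `getY()` in DSAPublicKey.java has the same gap; `@return The DSA private key value x` would do here. Because x is the secret half of the key pair, the Javadoc could also state that the returned value is key material and should not be logged or included in `toString()` output.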
diff --git a/libjava/classpath/java/security/interfaces/DSAPublicKey.java b/libjava/classpath/java/security/interfaces/DSAPublicKey.java
new file mode 100644
index 00000000000..d73e189f607
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/DSAPublicKey.java
@@ -0,0 +1,61 @@
+/* DSAPublicKey.java -- A Digital Signature Algorithm public key
+ Copyright (C) 1998, 2000, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+import java.security.PublicKey;
+
+/**
+ * This interface models a Digital Signature Algorithm (DSA) public key
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface DSAPublicKey extends DSAKey, PublicKey
+{
+ /**
+ * The version identifier used for serialization.
+ */
+ long serialVersionUID = 1234526332779022332L;
+
+ /**
+ * This method returns the value of the DSA public key
+ */
+ BigInteger getY();
+}
diff --git a/libjava/classpath/java/security/interfaces/RSAKey.java b/libjava/classpath/java/security/interfaces/RSAKey.java
new file mode 100644
index 00000000000..485fa81e05a
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/RSAKey.java
@@ -0,0 +1,57 @@
+/* RSAKey.java --- A generic RSA Key interface
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+
+/**
+ A generic RSA Key interface for public and private keys
+
+ @since JDK 1.3
+
+ @author Mark Benvenuto
+ */
+public interface RSAKey
+{
+ /**
+ Generates a modulus.
+
+ @returns a modulus
+ */
+ BigInteger getModulus();
+}
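Review bot: `@returns a modulus` in the `getModulus()` comment is not a Javadoc tag, so the return description will not be rendered; it should be `@return the modulus`. The summary "Generates a modulus." also misdescribes the method: it takes no arguments and, going by its name and the interface comment, reports the modulus of an existing key, so `Returns the modulus of this key.` is closer. The comment blocks in this file omit the leading ` * ` that the other interfaces in this commit use.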
diff --git a/libjava/classpath/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java b/libjava/classpath/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java
new file mode 100644
index 00000000000..d80b962d012
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/RSAMultiPrimePrivateCrtKey.java
@@ -0,0 +1,111 @@
+/* RSAMultiPrimePrivateCrtKey.java --
+ Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+import java.security.spec.RSAOtherPrimeInfo;
+
+/**
+ * The interface to an RSA multi-prime private key, as defined in the PKCS#1
+ * v2.1, using the <i>Chinese Remainder Theorem</i> (CRT) information values.
+ *
+ * @since 1.4
+ * @see java.security.spec.RSAPrivateKeySpec
+ * @see java.security.spec.RSAMultiPrimePrivateCrtKeySpec
+ * @see RSAPrivateKey
+ * @see RSAPrivateCrtKey
+ */
+public interface RSAMultiPrimePrivateCrtKey extends RSAPrivateKey
+{
+ // Constants
+ // --------------------------------------------------------------------------
+ long serialVersionUID = 618058533534628008L;
+
+ // Methods
+ // --------------------------------------------------------------------------
+
+ /**
+ * Returns the public exponent.
+ *
+ * @return the public exponent.
+ */
+ BigInteger getPublicExponent();
+
+ /**
+ * Returns the primeP.
+ *
+ * @return the primeP.
+ */
+ BigInteger getPrimeP();
+
+ /**
+ * Returns the primeQ.
+ *
+ * @return the primeQ.
+ */
+ BigInteger getPrimeQ();
+
+ /**
+ * Returns the primeExponentP.
+ *
+ * @return the primeExponentP.
+ */
+ BigInteger getPrimeExponentP();
+
+ /**
+ * Returns the primeExponentQ.
+ *
+ * @return the primeExponentQ.
+ */
+ BigInteger getPrimeExponentQ();
+
+ /**
+ * Returns the crtCoefficient.
+ *
+ * @return the crtCoefficient.
+ */
+ BigInteger getCrtCoefficient();
+
+ /**
+ * Returns the otherPrimeInfo or <code>null</code> if there are only two
+ * prime factors (p and q).
+ *
+ * @return the otherPrimeInfo.
+ */
+ RSAOtherPrimeInfo[] getOtherPrimeInfo();
+}
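Review bot: `getOtherPrimeInfo()` returns a mutable `RSAOtherPrimeInfo[]`, and the Javadoc does not say whether that is a copy or the implementation's own array. For private-key material this matters: if an implementation returns its internal array, a caller can overwrite elements and alter the key used by later operations. I would add a sentence such as `Implementations should return a new array on each call.` unless sharing is intended, and repeat the null case in the tag: `@return the otherPrimeInfo, or <code>null</code> if there are only two prime factors.`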
diff --git a/libjava/classpath/java/security/interfaces/RSAPrivateCrtKey.java b/libjava/classpath/java/security/interfaces/RSAPrivateCrtKey.java
new file mode 100644
index 00000000000..96a1496cf92
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/RSAPrivateCrtKey.java
@@ -0,0 +1,95 @@
+/* RSAPrivateCrtKey.java -- An RSA private key in CRT format
+ Copyright (C) 1998 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+
+/**
+ * This interface provides access to information about an RSA private
+ * key in Chinese Remainder Theorem (CRT) format.
+ *
+ * @version 0.0
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface RSAPrivateCrtKey extends RSAPrivateKey
+{
+ long serialVersionUID = -5682214253527700368L;
+
+ /**
+ * Returns the public exponent for this key
+ *
+ * @return The public exponent for this key
+ */
+ BigInteger getPublicExponent();
+
+ /**
+ * Returns the primeP value
+ *
+ * @return The primeP value
+ */
+ BigInteger getPrimeP();
+
+ /**
+ * Returns the primeQ value
+ *
+ * @return The primeQ value
+ */
+ BigInteger getPrimeQ();
+
+ /**
+ * Returns the primeExponentP
+ *
+ * @return The primeExponentP
+ */
+ BigInteger getPrimeExponentP();
+
+ /**
+ * Returns the primeExponentQ
+ *
+ * @return The primeExponentQ
+ */
+ BigInteger getPrimeExponentQ();
+
+ /**
+ * Returns the CRT coefficient
+ *
+ * @return The CRT coefficient
+ */
+ BigInteger getCrtCoefficient();
+}
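Review bot: The getter comments restate the method names ("Returns the primeP value", "Returns the primeExponentP") without saying what the values are, so a reader has to consult PKCS#1 to use the interface. Defining each once would fix that, for example `Returns the prime factor p of the modulus`, `Returns d mod (p-1), the CRT exponent for p` and `Returns the CRT coefficient q^-1 mod p`. The identically named getters in RSAMultiPrimePrivateCrtKey.java are documented the same way. `serialVersionUID` also has no comment here or in RSAPrivateKey.java and RSAPublicKey.java, while DSAPrivateKey.java documents it with `The version identifier used for serialization.`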
diff --git a/libjava/classpath/java/security/interfaces/RSAPrivateKey.java b/libjava/classpath/java/security/interfaces/RSAPrivateKey.java
new file mode 100644
index 00000000000..514987625a5
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/RSAPrivateKey.java
@@ -0,0 +1,60 @@
+/* RSAPrivateKey.java -- An RSA private key
+ Copyright (C) 1998, 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+import java.security.PrivateKey;
+
+/**
+ * This interface provides access to information about an RSA private key.
+ *
+ * @version 0.1
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface RSAPrivateKey extends PrivateKey, RSAKey
+{
+ long serialVersionUID = 5187144804936595022L;
+
+ /**
+ * Returns the private exponent value for this key
+ *
+ * @return The private exponent value for this key
+ */
+ BigInteger getPrivateExponent();
+}
diff --git a/libjava/classpath/java/security/interfaces/RSAPublicKey.java b/libjava/classpath/java/security/interfaces/RSAPublicKey.java
new file mode 100644
index 00000000000..5fb569d1dec
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/RSAPublicKey.java
@@ -0,0 +1,60 @@
+/* RSAPublicKey.java -- An RSA public key
+ Copyright (C) 1998, 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.interfaces;
+
+import java.math.BigInteger;
+import java.security.PublicKey;
+
+/**
+ * This interface provides access to information about an RSA public key.
+ *
+ * @version 0.1
+ *
+ * @author Aaron M. Renn (arenn@urbanophile.com)
+ */
+public interface RSAPublicKey extends PublicKey, RSAKey
+{
+ long serialVersionUID = -8727434096241101194L;
+
+ /**
+ * Returns the public exponent value for this key
+ *
+ * @return The public exponent value for this key
+ */
+ BigInteger getPublicExponent();
+}
diff --git a/libjava/classpath/java/security/interfaces/package.html b/libjava/classpath/java/security/interfaces/package.html
new file mode 100644
index 00000000000..aab0d63752e
--- /dev/null
+++ b/libjava/classpath/java/security/interfaces/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in java.security.interfaces package.
+ Copyright (C) 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - java.security.interfaces</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>
diff --git a/libjava/classpath/java/security/package.html b/libjava/classpath/java/security/package.html
new file mode 100644
index 00000000000..328b7044b81
--- /dev/null
+++ b/libjava/classpath/java/security/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in java.security package.
+ Copyright (C) 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - java.security</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>
diff --git a/libjava/classpath/java/security/spec/AlgorithmParameterSpec.java b/libjava/classpath/java/security/spec/AlgorithmParameterSpec.java
new file mode 100644
index 00000000000..25506f55cfe
--- /dev/null
+++ b/libjava/classpath/java/security/spec/AlgorithmParameterSpec.java
@@ -0,0 +1,52 @@
+/* AlgorithmParameterSpec.java --- Algorithm Parameter Spec Interface
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+/**
+ A transparent interface for Algorithm Parameter Specifications.
+ It contains no member functions. It is used to group
+ algorithm parameter classes.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public interface AlgorithmParameterSpec
+{
+}
diff --git a/libjava/classpath/java/security/spec/DSAParameterSpec.java b/libjava/classpath/java/security/spec/DSAParameterSpec.java
new file mode 100644
index 00000000000..7e263291c03
--- /dev/null
+++ b/libjava/classpath/java/security/spec/DSAParameterSpec.java
@@ -0,0 +1,101 @@
+/* DSAParameterSpec.java --- DSA Parameter Specificaton class
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+import java.math.BigInteger;
+import java.security.interfaces.DSAParams;
+
+/**
+ * DSA Parameter class Specification. Used to maintain the DSA
+ * Parameters.
+ *
+ * @since 1.2
+ *
+ * @author Mark Benvenuto
+*/
+public class DSAParameterSpec implements AlgorithmParameterSpec, DSAParams
+{
+ private BigInteger p = null;
+ private BigInteger q = null;
+ private BigInteger g = null;
+
+ /**
+ * Constructs a new DSAParameterSpec with the specified p, q, and g.
+ *
+ * @param p the prime
+ * @param q the sub-prime
+ * @param g the base
+ */
+ public DSAParameterSpec(BigInteger p, BigInteger q, BigInteger g)
+ {
+ this.p = p;
+ this.q = q;
+ this.g = g;
+ }
+
+ /**
+ * Returns p for the DSA algorithm.
+ *
+ * @return Returns the requested BigInteger
+ */
+ public BigInteger getP()
+ {
+ return this.p;
+ }
+
+ /**
+ * Returns p for the DSA algorithm.
+ *
+ * @return Returns the requested BigInteger
+ */
+ public BigInteger getQ()
+ {
+ return this.q;
+ }
+
+ /**
+ * Returns g for the DSA algorithm.
+ *
+ * @return Returns the requested BigInteger
+ */
+ public BigInteger getG()
+ {
+ return this.g;
+ }
+} \ No newline at end of file
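Review bot: The Javadoc on `getQ()` reads "Returns p for the DSA algorithm", copied from `getP()` just above it; it should say `Returns the sub-prime q for the DSA algorithm.` The same copy-paste appears on `getQ()` in DSAPrivateKeySpec.java and DSAPublicKeySpec.java in this commit. As a style point, the three fields are assigned only in the constructor, so `private final BigInteger p;` (likewise `q` and `g`) would state the immutability that callers of a parameter spec rely on, and the `= null` initialisers could go.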
diff --git a/libjava/classpath/java/security/spec/DSAPrivateKeySpec.java b/libjava/classpath/java/security/spec/DSAPrivateKeySpec.java
new file mode 100644
index 00000000000..7415fa11a45
--- /dev/null
+++ b/libjava/classpath/java/security/spec/DSAPrivateKeySpec.java
@@ -0,0 +1,113 @@
+/* DSAPrivateKeySpec.java --- DSA Private Key Specificaton class
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+import java.math.BigInteger;
+
+/**
+ DSA Private Key class Specification. Used to maintain the DSA
+ Private Keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class DSAPrivateKeySpec implements KeySpec
+{
+ private BigInteger x = null;
+ private BigInteger p = null;
+ private BigInteger q = null;
+ private BigInteger g = null;
+
+ /**
+ Constructs a new DSAPrivateKeySpec with the specified x, p, q, and g.
+
+ @param x the private key
+ @param p the prime
+ @param q the sub-prime
+ @param g the base
+ */
+ public DSAPrivateKeySpec(BigInteger x, BigInteger p, BigInteger q, BigInteger g)
+ {
+ this.x = x;
+ this.p = p;
+ this.q = q;
+ this.g = g;
+ }
+
+ /**
+ Returns private key x for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getX()
+ {
+ return this.x;
+ }
+
+ /**
+ Returns p for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getP()
+ {
+ return this.p;
+ }
+
+ /**
+ Returns p for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getQ()
+ {
+ return this.q;
+ }
+
+ /**
+ Returns g for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getG()
+ {
+ return this.g;
+ }
+
+}
diff --git a/libjava/classpath/java/security/spec/DSAPublicKeySpec.java b/libjava/classpath/java/security/spec/DSAPublicKeySpec.java
new file mode 100644
index 00000000000..ac1310c1caa
--- /dev/null
+++ b/libjava/classpath/java/security/spec/DSAPublicKeySpec.java
@@ -0,0 +1,113 @@
+/* DSAPublicKeySpec.java --- DSA Public Key Specificaton class
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+import java.math.BigInteger;
+
+/**
+ DSA Public Key class Specification. Used to maintain the DSA
+ Public Keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class DSAPublicKeySpec implements KeySpec
+{
+ private BigInteger y = null;
+ private BigInteger p = null;
+ private BigInteger q = null;
+ private BigInteger g = null;
+
+ /**
+ Constructs a new DSAPublicKeySpec with the specified y, p, q, and g.
+
+ @param y the public key
+ @param p the prime
+ @param q the sub-prime
+ @param g the base
+ */
+ public DSAPublicKeySpec(BigInteger y, BigInteger p, BigInteger q, BigInteger g)
+ {
+ this.y = y;
+ this.p = p;
+ this.q = q;
+ this.g = g;
+ }
+
+ /**
+ Returns public key y for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getY()
+ {
+ return this.y;
+ }
+
+ /**
+ Returns p for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getP()
+ {
+ return this.p;
+ }
+
+ /**
+ Returns p for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getQ()
+ {
+ return this.q;
+ }
+
+ /**
+ Returns g for the DSA algorithm.
+
+ @return Returns the requested BigInteger
+ */
+ public BigInteger getG()
+ {
+ return this.g;
+ }
+
+}
diff --git a/libjava/classpath/java/security/spec/EncodedKeySpec.java b/libjava/classpath/java/security/spec/EncodedKeySpec.java
new file mode 100644
index 00000000000..c5baf55fd7a
--- /dev/null
+++ b/libjava/classpath/java/security/spec/EncodedKeySpec.java
@@ -0,0 +1,85 @@
+/* EncodedKeySpec.java --- Encoded Key Specificaton class
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+/**
+ Encoded Key Specification class which is used to store
+ byte encoded keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public abstract class EncodedKeySpec implements KeySpec
+{
+
+ private byte[] encodedKey;
+
+ /**
+ Constructs a new EncodedKeySpec with the specified encoded key.
+
+ @param encodedKey A key to store
+ */
+ public EncodedKeySpec(byte[] encodedKey)
+ {
+ this.encodedKey = encodedKey;
+ }
+
+ /**
+ Gets the encoded key in byte format.
+
+ @returns the encoded key
+ */
+ public byte[] getEncoded()
+ {
+ return this.encodedKey;
+ }
+
+ /**
+ Returns the name of the key format used.
+
+ This name is the format such as "PKCS#8" or "X.509" which
+ if it matches a Key class name of the same type can be
+ transformed using the apporiate KeyFactory.
+
+ @return a string representing the name
+ */
+ public abstract String getFormat();
+
+}
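Review bot: The constructor keeps the caller's array and `getEncoded()` returns that same array, so anyone holding either reference can change the key bytes after the spec is built. Copying in both directions closes this: `this.encodedKey = (byte[]) encodedKey.clone();` in the constructor and `return (byte[]) this.encodedKey.clone();` in the getter (a null argument would then fail at construction rather than later). `PKCS8EncodedKeySpec.getEncoded()` further down in this commit delegates to this method, so PKCS#8 private-key encodings inherit the same aliasing. The Javadoc on `getEncoded()` also uses `@returns`, which is not a Javadoc tag; it should be `@return`.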
diff --git a/libjava/classpath/java/security/spec/InvalidKeySpecException.java b/libjava/classpath/java/security/spec/InvalidKeySpecException.java
new file mode 100644
index 00000000000..c2ec6b03b5a
--- /dev/null
+++ b/libjava/classpath/java/security/spec/InvalidKeySpecException.java
@@ -0,0 +1,74 @@
+/* InvalidKeySpecException.java -- invalid KeySpec Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception for an invalid key specification.
+ *
+ * @author Mark Benvenuto
+ * @see KeySpec
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class InvalidKeySpecException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 3546139293998810778L;
+
+ /**
+ * Constructs an InvalidKeySpecException without a message string.
+ */
+ public InvalidKeySpecException()
+ {
+ }
+
+ /**
+ * Constructs an InvalidKeySpecException with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public InvalidKeySpecException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/spec/InvalidParameterSpecException.java b/libjava/classpath/java/security/spec/InvalidParameterSpecException.java
new file mode 100644
index 00000000000..481e11e306b
--- /dev/null
+++ b/libjava/classpath/java/security/spec/InvalidParameterSpecException.java
@@ -0,0 +1,76 @@
+/* InvalidParameterSpecException.java --- invalid ParameterSpec Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception for an invalid algorithm specification.
+ *
+ * @author Mark Benvenuto
+ * @see AlogorithmParameters
+ * @see AlogorithmParameterSpec
+ * @see DSAParameterSpec
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class InvalidParameterSpecException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = -970468769593399342L;
+
+ /**
+ * Constructs an InvalidParameterSpecException without a message string.
+ */
+ public InvalidParameterSpecException()
+ {
+ }
+
+ /**
+ * Constructs an InvalidParameterSpecException with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public InvalidParameterSpecException(String msg)
+ {
+ super(msg);
+ }
+}
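Review bot: The first two `@see` tags in the class Javadoc misspell their targets (`AlogorithmParameters`, `AlogorithmParameterSpec`), so they resolve to nothing in the generated documentation. `AlgorithmParameters` lives in `java.security` and is not imported by this file, so the tags should read `@see java.security.AlgorithmParameters` and `@see AlgorithmParameterSpec`.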
diff --git a/libjava/classpath/java/security/spec/KeySpec.java b/libjava/classpath/java/security/spec/KeySpec.java
new file mode 100644
index 00000000000..93f1a6db277
--- /dev/null
+++ b/libjava/classpath/java/security/spec/KeySpec.java
@@ -0,0 +1,52 @@
+/* KeySpec.java --- Key Specification interface
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+/**
+ A transparent interface for Key Specifications.
+ It contains no member functions. It is used to group
+ key classes.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public interface KeySpec
+{
+}
diff --git a/libjava/classpath/java/security/spec/PKCS8EncodedKeySpec.java b/libjava/classpath/java/security/spec/PKCS8EncodedKeySpec.java
new file mode 100644
index 00000000000..4a4f1eccea7
--- /dev/null
+++ b/libjava/classpath/java/security/spec/PKCS8EncodedKeySpec.java
@@ -0,0 +1,81 @@
+/* PKCS8EncodedKeySpec.java --- PKCS8 Encoded Key Specificaton class
+ Copyright (C) 1999, 2001 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+/**
+ PKCS8 Encoded Key Specification class which is used to store
+ "PKCS#8" byte encoded keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class PKCS8EncodedKeySpec extends EncodedKeySpec
+{
+ /**
+ Constructs a new PKCS8EncodedKeySpec with the specified encoded key.
+
+ @param encodedKey A key to store, assumed to be "PKCS#8"
+ */
+ public PKCS8EncodedKeySpec(byte[] encodedKey)
+ {
+ super( encodedKey );
+ }
+
+ /**
+ Gets the encoded key in byte format.
+
+ @returns the encoded key
+*/
+ public byte[] getEncoded()
+ {
+ return super.getEncoded();
+ }
+
+ /**
+ Returns the name of the key format used which is "PKCS#8"
+
+ @return a string representing the name
+*/
+ public final String getFormat()
+ {
+ return "PKCS#8";
+ }
+
+}
diff --git a/libjava/classpath/java/security/spec/PSSParameterSpec.java b/libjava/classpath/java/security/spec/PSSParameterSpec.java
new file mode 100644
index 00000000000..7a14a24fbe4
--- /dev/null
+++ b/libjava/classpath/java/security/spec/PSSParameterSpec.java
@@ -0,0 +1,90 @@
+/* PSSParameterSpec.java --
+ Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.spec;
+
+/**
+ * This class specifies a parameter spec for RSA PSS encoding scheme, as
+ * defined in the PKCS#1 v2.1.
+ *
+ * @since 1.4
+ * @see AlgorithmParameterSpec
+ * @see java.security.Signature
+ */
+public class PSSParameterSpec implements AlgorithmParameterSpec
+{
+ // Constants and fields
+ // --------------------------------------------------------------------------
+
+ private int saltLen;
+
+ // Constructor(s)
+ // --------------------------------------------------------------------------
+
+ /**
+ * Creates a new <code>PSSParameterSpec</code> given the salt length as
+ * defined in PKCS#1.
+ *
+ * @param saltLen the length of salt in bits to be used in PKCS#1 PSS encoding.
+ * @throws IllegalArgumentException if <code>saltLen</code> is less than
+ * <code>0</code>.
+ */
+ public PSSParameterSpec(int saltLen)
+ {
+ super();
+
+ if (saltLen < 0)
+ throw new IllegalArgumentException();
+ this.saltLen = saltLen;
+ }
+
+ // Class methods
+ // --------------------------------------------------------------------------
+
+ // Instance methods
+ // --------------------------------------------------------------------------
+
+ /**
+ * Returns the salt length in bits.
+ *
+ * @return the salt length.
+ */
+ public int getSaltLength()
+ {
+ return this.saltLen;
+ }
+}
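Review bot: The Javadoc on the constructor and on `getSaltLength()` gives the salt length in bits, whereas PKCS #1 v2.1, which the class comment cites, expresses the EMSA-PSS salt length in octets. A caller and a signature implementation that disagree on the unit would use different salt sizes without any error, so the unit the providers actually read should be confirmed and the `@param saltLen` and `@return` text changed to match. The `IllegalArgumentException` is also thrown with no message; `throw new IllegalArgumentException("saltLen < 0: " + saltLen);` would tell the caller which value was rejected.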
diff --git a/libjava/classpath/java/security/spec/RSAKeyGenParameterSpec.java b/libjava/classpath/java/security/spec/RSAKeyGenParameterSpec.java
new file mode 100644
index 00000000000..0df8dec783e
--- /dev/null
+++ b/libjava/classpath/java/security/spec/RSAKeyGenParameterSpec.java
@@ -0,0 +1,97 @@
+/* RSAKeyGenParameterSpec.java --- RSA Key Generator Parameter Spec Class
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+import java.math.BigInteger;
+
+/**
+ This class generates a set of RSA Key parameters used in the generation
+ of RSA keys.
+
+ @since JDK 1.3
+
+ @author Mark Benvenuto
+*/
+public class RSAKeyGenParameterSpec implements AlgorithmParameterSpec
+{
+ private int keysize;
+ private BigInteger publicExponent;
+
+ /**
+ Public Exponent F0 = 3
+ */
+ public static final BigInteger F0 = new BigInteger("3");
+
+ /**
+ Public Exponent F4 = 3
+ */
+ public static final BigInteger F4 = new BigInteger("65537");
+
+ /**
+ Create a new RSAKeyGenParameterSpec to store the RSA key's keysize
+ and public exponent
+
+ @param keysize Modulus size of key in bits
+ @param publicExponent - the exponent
+ */
+ public RSAKeyGenParameterSpec(int keysize, BigInteger publicExponent)
+ {
+ this.keysize = keysize;
+ this.publicExponent = publicExponent;
+ }
+
+ /**
+ Return the size of the key.
+
+ @return the size of the key.
+ */
+ public int getKeysize()
+ {
+ return keysize;
+ }
+
+ /**
+ Return the public exponent.
+
+ @return the public exponent.
+ */
+ public BigInteger getPublicExponent()
+ {
+ return publicExponent;
+ }
+}
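Review bot: The Javadoc on `F4` reads `Public Exponent F4 = 3`, but the constant is `new BigInteger("65537")`; the comment should read `Public Exponent F4 = 65537` so that nobody chooses an exponent from the wrong line. The class comment says the class "generates" RSA key parameters, while the code only stores `keysize` and `publicExponent`; "holds the parameters used to generate an RSA key pair" would match what is here. The constructor stores both arguments unchecked, so a non-positive `keysize` or a null exponent is only rejected, if at all, by whatever consumes the spec, and the constructor Javadoc should say so.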
diff --git a/libjava/classpath/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.java b/libjava/classpath/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.java
new file mode 100644
index 00000000000..519a0291373
--- /dev/null
+++ b/libjava/classpath/java/security/spec/RSAMultiPrimePrivateCrtKeySpec.java
@@ -0,0 +1,217 @@
+/* PSSParameterSpec.java --
+ Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.spec;
+
+import java.math.BigInteger;
+
+/**
+ * This class specifies an RSA multi-prime private key, as defined in the
+ * PKCS#1 v2.1, using the <i>Chinese Remainder Theorem</i> (CRT) information
+ * values for efficiency.
+ *
+ * @since 1.4
+ * @see java.security.Key
+ * @see java.security.KeyFactory
+ * @see KeySpec
+ * @see PKCS8EncodedKeySpec
+ * @see RSAPrivateKeySpec
+ * @see RSAPublicKeySpec
+ * @see RSAOtherPrimeInfo
+ */
+public class RSAMultiPrimePrivateCrtKeySpec extends RSAPrivateKeySpec
+{
+ // Constants and fields
+ // --------------------------------------------------------------------------
+
+ private BigInteger publicExponent;
+ private BigInteger primeP;
+ private BigInteger primeQ;
+ private BigInteger primeExponentP;
+ private BigInteger primeExponentQ;
+ private BigInteger crtCoefficient;
+ private RSAOtherPrimeInfo[] otherPrimeInfo;
+
+ // Constructor(s)
+ // --------------------------------------------------------------------------
+
+ /**
+ * <p>Creates a new <code>RSAMultiPrimePrivateCrtKeySpec</code> given the
+ * modulus, publicExponent, privateExponent, primeP, primeQ, primeExponentP,
+ * primeExponentQ, crtCoefficient, and otherPrimeInfo as defined in PKCS#1
+ * v2.1.</p>
+ *
+ * <p>Note that <code>otherPrimeInfo</code> is cloned when constructing this
+ * object.</p>
+ *
+ * @param modulus the modulus n.
+ * @param publicExponent the public exponent e.
+ * @param privateExponent the private exponent d.
+ * @param primeP the prime factor p of n.
+ * @param primeQ the prime factor q of n.
+ * @param primeExponentP this is d mod (p-1).
+ * @param primeExponentQ this is d mod (q-1).
+ * @param crtCoefficient the Chinese Remainder Theorem coefficient q-1 mod p.
+ * @param otherPrimeInfo triplets of the rest of primes, <code>null</code>
+ * can be specified if there are only two prime factors (p and q).
+ * @throws NullPointerException if any of the parameters, i.e. modulus,
+ * publicExponent, privateExponent, primeP, primeQ, primeExponentP,
+ * primeExponentQ, crtCoefficient, is <code>null</code>.
+ * @throws IllegalArgumentException if an empty, i.e. 0-length,
+ * otherPrimeInfo is specified.
+ */
+ public RSAMultiPrimePrivateCrtKeySpec(BigInteger modulus,
+ BigInteger publicExponent,
+ BigInteger privateExponent,
+ BigInteger primeP,
+ BigInteger primeQ,
+ BigInteger primeExponentP,
+ BigInteger primeExponentQ,
+ BigInteger crtCoefficient,
+ RSAOtherPrimeInfo[] otherPrimeInfo)
+ {
+ super(modulus, privateExponent);
+
+ if (modulus == null)
+ throw new NullPointerException("modulus");
+ if (publicExponent == null)
+ throw new NullPointerException("publicExponent");
+ if (privateExponent == null)
+ throw new NullPointerException("privateExponent");
+ if (primeP == null)
+ throw new NullPointerException("primeP");
+ if (primeQ == null)
+ throw new NullPointerException("primeQ");
+ if (primeExponentP == null)
+ throw new NullPointerException("primeExponentP");
+ if (primeExponentQ == null)
+ throw new NullPointerException("primeExponentQ");
+ if (crtCoefficient == null)
+ throw new NullPointerException("crtCoefficient");
+ if (otherPrimeInfo != null)
+ if (otherPrimeInfo.length == 0)
+ throw new IllegalArgumentException();
+ else
+ this.otherPrimeInfo = (RSAOtherPrimeInfo[]) otherPrimeInfo.clone();
+
+ this.publicExponent = publicExponent;
+ this.primeP = primeP;
+ this.primeQ = primeQ;
+ this.primeExponentP = primeExponentP;
+ this.primeExponentQ = primeExponentQ;
+ this.crtCoefficient = crtCoefficient;
+ }
+
+ // Class methods
+ // --------------------------------------------------------------------------
+
+ // Instance methods
+ // --------------------------------------------------------------------------
+
+ /**
+ * Returns the public exponent.
+ *
+ * @return the public exponent.
+ */
+ public BigInteger getPublicExponent()
+ {
+ return this.publicExponent;
+ }
+
+ /**
+ * Returns the primeP.
+ *
+ * @return the primeP.
+ */
+ public BigInteger getPrimeP()
+ {
+ return this.primeP;
+ }
+
+ /**
+ * Returns the primeQ.
+ *
+ * @return the primeQ.
+ */
+ public BigInteger getPrimeQ()
+ {
+ return this.primeQ;
+ }
+
+ /**
+ * Returns the primeExponentP.
+ *
+ * @return the primeExponentP.
+ */
+ public BigInteger getPrimeExponentP()
+ {
+ return this.primeExponentP;
+ }
+
+ /**
+ * Returns the primeExponentQ.
+ *
+ * @return the primeExponentQ.
+ */
+ public BigInteger getPrimeExponentQ()
+ {
+ return this.primeExponentQ;
+ }
+
+ /**
+ * Returns the crtCoefficient.
+ *
+ * @return the crtCoefficient.
+ */
+ public BigInteger getCrtCoefficient()
+ {
+ return this.crtCoefficient;
+ }
+
+ /**
+ * Returns a copy of the otherPrimeInfo or <code>null</code> if there are
+ * only two prime factors (p and q).
+ *
+ * @return the otherPrimeInfo.
+ */
+ public RSAOtherPrimeInfo[] getOtherPrimeInfo()
+ {
+ return this.otherPrimeInfo == null
+ ? null
+ : (RSAOtherPrimeInfo[]) this.otherPrimeInfo.clone();
+ }
+}
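Review bot: The `otherPrimeInfo` handling in the constructor is an unbraced `if`/`if`/`else`, so the `else` that does the clone binds to the inner length test; that is the intended behaviour, but it is easy to misread and easy to break on the next edit. Bracing the outer test and dropping the `else` makes it explicit: `if (otherPrimeInfo != null) {` then `if (otherPrimeInfo.length == 0) throw new IllegalArgumentException();` then `this.otherPrimeInfo = (RSAOtherPrimeInfo[]) otherPrimeInfo.clone(); }`. The clone in both the constructor and `getOtherPrimeInfo()` copies the array only, and null elements are accepted, which the Javadoc should mention. The file header still reads `PSSParameterSpec.java --` and should name this file, and `q-1 mod p` in the `crtCoefficient` description presumably means the inverse of q modulo p and would be clearer written that way.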
diff --git a/libjava/classpath/java/security/spec/RSAOtherPrimeInfo.java b/libjava/classpath/java/security/spec/RSAOtherPrimeInfo.java
new file mode 100644
index 00000000000..654bcb574d8
--- /dev/null
+++ b/libjava/classpath/java/security/spec/RSAOtherPrimeInfo.java
@@ -0,0 +1,133 @@
+/* RSAOtherPrimeInfo.java --
+ Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.spec;
+
+import java.math.BigInteger;
+
+/**
+ * This class represents the triplet (prime, exponent, and coefficient) inside
+ * RSA's OtherPrimeInfo structure, as defined in the PKCS#1 v2.1. The ASN.1
+ * syntax of RSA's OtherPrimeInfo is as follows:
+ *
+ * <pre>
+ * OtherPrimeInfo ::= SEQUENCE {
+ * prime INTEGER,
+ * exponent INTEGER,
+ * coefficient INTEGER
+ * }
+ * </pre>
+ *
+ * @since 1.4
+ * @see RSAPrivateCrtKeySpec
+ * @see java.security.interfaces.RSAMultiPrimePrivateCrtKey
+ */
+public class RSAOtherPrimeInfo
+{
+ // Constants and fields
+ // --------------------------------------------------------------------------
+
+ private BigInteger prime;
+ private BigInteger primeExponent;
+ private BigInteger crtCoefficient;
+
+ // Constructor(s)
+ // --------------------------------------------------------------------------
+
+ /**
+ * Creates a new <code>RSAOtherPrimeInfo</code> given the prime,
+ * primeExponent, and crtCoefficient as defined in PKCS#1.
+ *
+ * @param prime the prime factor of n.
+ * @param primeExponent the exponent.
+ * @param crtCoefficient the Chinese Remainder Theorem coefficient.
+ * @throws NullPointerException if any of the parameters, i.e. prime,
+ * primeExponent, crtCoefficient, is <code>null</code>.
+ */
+ public RSAOtherPrimeInfo(BigInteger prime, BigInteger primeExponent,
+ BigInteger crtCoefficient)
+ {
+ super();
+
+ if (prime == null)
+ throw new NullPointerException("prime");
+ if (primeExponent == null)
+ throw new NullPointerException("primeExponent");
+ if (crtCoefficient == null)
+ throw new NullPointerException("crtCoefficient");
+
+ this.prime = prime;
+ this.primeExponent = primeExponent;
+ this.crtCoefficient = crtCoefficient;
+ }
+
+ // Class methods
+ // --------------------------------------------------------------------------
+
+ // Instance methods
+ // --------------------------------------------------------------------------
+
+ /**
+ * Returns the prime.
+ *
+ * @return the prime.
+ */
+ public final BigInteger getPrime()
+ {
+ return this.prime;
+ }
+
+ /**
+ * Returns the prime's exponent.
+ *
+ * @return the primeExponent.
+ */
+ public final BigInteger getExponent()
+ {
+ return this.primeExponent;
+ }
+
+ /**
+ * Returns the prime's crtCoefficient.
+ *
+ * @return the crtCoefficient.
+ */
+ public final BigInteger getCrtCoefficient()
+ {
+ return this.crtCoefficient;
+ }
+}
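Review bot: The three fields are assigned once in the constructor and never written again, so they can be declared final, e.g. `private final BigInteger prime;` and likewise for `primeExponent` and `crtCoefficient`. That matters beyond style here, because RSAMultiPrimePrivateCrtKeySpec in this commit copies only the array of these objects, so the elements themselves are shared with the caller and their immutability is what keeps the stored key material stable. The getters are already `final` while the class is not, so a comment saying whether subclassing is intended would also help.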
diff --git a/libjava/classpath/java/security/spec/RSAPrivateCrtKeySpec.java b/libjava/classpath/java/security/spec/RSAPrivateCrtKeySpec.java
new file mode 100644
index 00000000000..a904c305d65
--- /dev/null
+++ b/libjava/classpath/java/security/spec/RSAPrivateCrtKeySpec.java
@@ -0,0 +1,151 @@
+/* RSAPrivateCrtKeySpec.java --- RSA Private Certificate Key Specificaton class
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+import java.math.BigInteger;
+
+/**
+ RSA Private Certificate Key class Specification. Used to
+ maintain the RSA Private Certificate Keys with the
+ <I>Chinese Remainder Theorem</I>(CRT) as specified by PKCS#1.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class RSAPrivateCrtKeySpec extends RSAPrivateKeySpec
+{
+ private BigInteger publicExponent;
+ private BigInteger primeP;
+ private BigInteger primeQ;
+ private BigInteger primeExponentP;
+ private BigInteger primeExponentQ;
+ private BigInteger crtCoefficient;
+
+ /**
+ Constructs a new RSAPrivateKeySpec with the specified
+ variables.
+
+ @param modulus the RSA modulus
+ @param publicExponent the public key exponent
+ @param privateExponent the private key exponent
+ @param primeP the prime P
+ @param primeQ the prime Q
+ @param primeExponentP the prime exponent P
+ @param primeExponentQ the prime exponent P
+ @param crtCoefficient the CRT coefficient
+ */
+ public RSAPrivateCrtKeySpec(BigInteger modulus,
+ BigInteger publicExponent,
+ BigInteger privateExponent,
+ BigInteger primeP,
+ BigInteger primeQ,
+ BigInteger primeExponentP,
+ BigInteger primeExponentQ,
+ BigInteger crtCoefficient)
+ {
+ super( modulus, privateExponent);
+ this.publicExponent = publicExponent;
+ this.primeP = primeP;
+ this.primeQ = primeQ;
+ this.primeExponentP = primeExponentP;
+ this.primeExponentQ = primeExponentQ;
+ this.crtCoefficient = crtCoefficient;
+ }
+
+ /**
+ Gets the RSA public exponent.
+
+ @return the RSA public exponent
+ */
+ public BigInteger getPublicExponent()
+ {
+ return this.publicExponent;
+ }
+
+ /**
+ Gets the RSA prime P.
+
+ @return the RSA prime P
+ */
+ public BigInteger getPrimeP()
+ {
+ return this.primeP;
+ }
+
+ /**
+ Gets the RSA prime Q.
+
+ @return the RSA prime Q
+ */
+ public BigInteger getPrimeQ()
+ {
+ return this.primeQ;
+ }
+
+ /**
+ Gets the RSA prime exponent P.
+
+ @return the RSA prime exponent P
+ */
+ public BigInteger getPrimeExponentP()
+ {
+ return this.primeExponentP;
+ }
+
+ /**
+ Gets the RSA prime exponent P.
+
+ @return the RSA prime exponent Q
+ */
+ public BigInteger getPrimeExponentQ()
+ {
+ return this.primeExponentQ;
+ }
+
+ /**
+ Gets the RSA CRT coefficient.
+
+ @return the RSA CRT coefficient
+ */
+ public BigInteger getCrtCoefficient()
+ {
+ return this.crtCoefficient;
+ }
+
+}
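Review bot: Two Javadoc lines describe the wrong value: `@param primeExponentQ the prime exponent P` in the constructor and `Gets the RSA prime exponent P.` above `getPrimeExponentQ()`; both should say Q. The header and class comment expand CRT as "Certificate" ("RSA Private Certificate Key"), although the same comment then names the Chinese Remainder Theorem; "RSA private key specification with CRT values" would be accurate. Unlike RSAMultiPrimePrivateCrtKeySpec in this commit, this constructor accepts null for every argument, so either the Javadoc should state that no validation is done or the checks should be made consistent.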
diff --git a/libjava/classpath/java/security/spec/RSAPrivateKeySpec.java b/libjava/classpath/java/security/spec/RSAPrivateKeySpec.java
new file mode 100644
index 00000000000..d29f261cfb3
--- /dev/null
+++ b/libjava/classpath/java/security/spec/RSAPrivateKeySpec.java
@@ -0,0 +1,88 @@
+/* RSAPrivateKeySpec.java --- RSA Private Key Specificaton class
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+import java.math.BigInteger;
+
+/**
+ RSA Private Key class Specification. Used to maintain the RSA
+ Private Keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class RSAPrivateKeySpec implements KeySpec
+{
+ private BigInteger modulus;
+ private BigInteger privateExponent;
+
+ /**
+ Constructs a new RSAPrivateKeySpec with the specified
+ modulus and privateExponent.
+
+ @param modulus the RSA modulus
+ @param privateExponent the private key exponent
+ */
+ public RSAPrivateKeySpec(BigInteger modulus, BigInteger privateExponent)
+ {
+ this.modulus = modulus;
+ this.privateExponent = privateExponent;
+ }
+
+ /**
+ Gets the RSA modulus.
+
+ @return the RSA modulus
+ */
+ public BigInteger getModulus()
+ {
+ return this.modulus;
+ }
+
+ /**
+ Gets the RSA private exponent.
+
+ @return the RSA private exponent
+ */
+ public BigInteger getPrivateExponent()
+ {
+ return this.privateExponent;
+ }
+
+}
diff --git a/libjava/classpath/java/security/spec/RSAPublicKeySpec.java b/libjava/classpath/java/security/spec/RSAPublicKeySpec.java
new file mode 100644
index 00000000000..21283aa643b
--- /dev/null
+++ b/libjava/classpath/java/security/spec/RSAPublicKeySpec.java
@@ -0,0 +1,88 @@
+/* RSAPublicKeySpec.java --- RSA Public Key Specificaton class
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+import java.math.BigInteger;
+
+/**
+ RSA Public Key class Specification. Used to maintain the RSA
+ Public Keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class RSAPublicKeySpec implements KeySpec
+{
+ private BigInteger modulus;
+ private BigInteger publicExponent;
+
+ /**
+ Constructs a new RSAPublicKeySpec with the specified
+ modulus and publicExponent.
+
+ @param modulus the RSA modulus
+ @param publicExponent the public key exponent
+ */
+ public RSAPublicKeySpec(BigInteger modulus, BigInteger publicExponent)
+ {
+ this.modulus = modulus;
+ this.publicExponent = publicExponent;
+ }
+
+ /**
+ Gets the RSA modulus.
+
+ @return the RSA modulus
+ */
+ public BigInteger getModulus()
+ {
+ return this.modulus;
+ }
+
+ /**
+ Gets the RSA public exponent.
+
+ @return the RSA public exponent
+ */
+ public BigInteger getPublicExponent()
+ {
+ return this.publicExponent;
+ }
+
+}
diff --git a/libjava/classpath/java/security/spec/X509EncodedKeySpec.java b/libjava/classpath/java/security/spec/X509EncodedKeySpec.java
new file mode 100644
index 00000000000..de35960296d
--- /dev/null
+++ b/libjava/classpath/java/security/spec/X509EncodedKeySpec.java
@@ -0,0 +1,82 @@
+/* X509EncodedKeySpec.java --- X.509 Encoded Key Specificaton class
+ Copyright (C) 1999, 2001 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.spec;
+
+/**
+ X.509 Encoded Key Specification class which is used to store
+ "X.509" byte encoded keys.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+*/
+public class X509EncodedKeySpec extends EncodedKeySpec
+{
+
+ /**
+ Constructs a new X509EncodedKeySpec with the specified encoded key.
+
+ @param encodedKey A key to store, assumed to be "X.509"
+ */
+ public X509EncodedKeySpec(byte[] encodedKey)
+ {
+ super( encodedKey );
+ }
+
+ /**
+ Gets the encoded key in byte format.
+
+ @returns the encoded key
+ */
+ public byte[] getEncoded()
+ {
+ return super.getEncoded();
+ }
+
+ /**
+ Returns the name of the key format used which is "X.509"
+
+ @return a string representing the name
+ */
+ public final String getFormat()
+ {
+ return "X.509";
+ }
+
+}
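Review bot: The Javadoc on `getEncoded()` uses `@returns`, which is not a standard Javadoc tag, so the return description is likely to be lost from the generated documentation; it should be `@return the encoded key`. The method only forwards to `super.getEncoded()`, and EncodedKeySpec is outside this hunk, so whether the caller gets the stored array or a copy cannot be told from here. The comment should state which, since a caller that mutates a shared array would alter the stored key.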
diff --git a/libjava/classpath/java/security/spec/package.html b/libjava/classpath/java/security/spec/package.html
new file mode 100644
index 00000000000..8e818896a15
--- /dev/null
+++ b/libjava/classpath/java/security/spec/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in java.security.spec package.
+ Copyright (C) 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - java.security.spec</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>