authorTom Tromey <tromey@gcc.gnu.org>2005-07-16 00:30:23 +0000
committerTom Tromey <tromey@gcc.gnu.org>2005-07-16 00:30:23 +0000
commitf911ba985aa7fe0096c386c5be385ac5825ea527 (patch)
treea0b991cf5866ae1d616639b906ac001811d74508 /libjava/classpath/java/security/cert
parent6f4434b39b261de5317dc81ddfdd94d2e1d62b11 (diff)
Initial revision
From-SVN: r102074
Diffstat (limited to 'libjava/classpath/java/security/cert')
-rw-r--r--libjava/classpath/java/security/cert/CRL.java98
-rw-r--r--libjava/classpath/java/security/cert/CRLException.java73
-rw-r--r--libjava/classpath/java/security/cert/CRLSelector.java69
-rw-r--r--libjava/classpath/java/security/cert/CertPath.java252
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilder.java238
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilderException.java159
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilderResult.java63
-rw-r--r--libjava/classpath/java/security/cert/CertPathBuilderSpi.java74
-rw-r--r--libjava/classpath/java/security/cert/CertPathParameters.java58
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidator.java249
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidatorException.java226
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidatorResult.java63
-rw-r--r--libjava/classpath/java/security/cert/CertPathValidatorSpi.java79
-rw-r--r--libjava/classpath/java/security/cert/CertSelector.java58
-rw-r--r--libjava/classpath/java/security/cert/CertStore.java294
-rw-r--r--libjava/classpath/java/security/cert/CertStoreException.java159
-rw-r--r--libjava/classpath/java/security/cert/CertStoreParameters.java60
-rw-r--r--libjava/classpath/java/security/cert/CertStoreSpi.java102
-rw-r--r--libjava/classpath/java/security/cert/Certificate.java306
-rw-r--r--libjava/classpath/java/security/cert/CertificateEncodingException.java71
-rw-r--r--libjava/classpath/java/security/cert/CertificateException.java74
-rw-r--r--libjava/classpath/java/security/cert/CertificateExpiredException.java71
-rw-r--r--libjava/classpath/java/security/cert/CertificateFactory.java358
-rw-r--r--libjava/classpath/java/security/cert/CertificateFactorySpi.java225
-rw-r--r--libjava/classpath/java/security/cert/CertificateNotYetValidException.java71
-rw-r--r--libjava/classpath/java/security/cert/CertificateParsingException.java71
-rw-r--r--libjava/classpath/java/security/cert/CollectionCertStoreParameters.java121
-rw-r--r--libjava/classpath/java/security/cert/LDAPCertStoreParameters.java140
-rw-r--r--libjava/classpath/java/security/cert/PKIXBuilderParameters.java145
-rw-r--r--libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java102
-rw-r--r--libjava/classpath/java/security/cert/PKIXCertPathChecker.java133
-rw-r--r--libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java142
-rw-r--r--libjava/classpath/java/security/cert/PKIXParameters.java546
-rw-r--r--libjava/classpath/java/security/cert/PolicyNode.java102
-rw-r--r--libjava/classpath/java/security/cert/PolicyQualifierInfo.java168
-rw-r--r--libjava/classpath/java/security/cert/TrustAnchor.java185
-rw-r--r--libjava/classpath/java/security/cert/X509CRL.java397
-rw-r--r--libjava/classpath/java/security/cert/X509CRLEntry.java169
-rw-r--r--libjava/classpath/java/security/cert/X509CRLSelector.java440
-rw-r--r--libjava/classpath/java/security/cert/X509CertSelector.java1106
-rw-r--r--libjava/classpath/java/security/cert/X509Certificate.java588
-rw-r--r--libjava/classpath/java/security/cert/X509Extension.java113
-rw-r--r--libjava/classpath/java/security/cert/package.html46
43 files changed, 8264 insertions, 0 deletions
diff --git a/libjava/classpath/java/security/cert/CRL.java b/libjava/classpath/java/security/cert/CRL.java
new file mode 100644
index 00000000000..e763663f52c
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CRL.java
@@ -0,0 +1,98 @@
+/* CRL.java --- Certificate Revocation List
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ Certificate Revocation List class for managing CRLs that
+ have different formats but the same general use. They
+ all serve as lists of revoked certificates and can
+ be queried for a given certificate.
+
+ Specialized CRLs extend this class.
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public abstract class CRL
+{
+
+ private String type;
+
+ /**
+ Creates a new CRL for the specified type. An example
+ is "X.509".
+
+ @param type the standard name for the CRL type.
+ */
+ protected CRL(String type)
+ {
+ this.type = type;
+ }
+
+ /**
+ Returns the CRL type.
+
+ @return a string representing the CRL type
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ Returns a string representing the CRL.
+
+ @return a string representing the CRL.
+ */
+ public abstract String toString();
+
+ /**
+ Determines whether or not the specified Certificate
+ is revoked.
+
+ @param cert A certificate to check if it is revoked
+
+ @return true if the certificate is revoked,
+ false otherwise.
+ */
+ public abstract boolean isRevoked(Certificate cert);
+
+
+}
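Review bot: The `type` field is declared `private String type;` although it is assigned only in the constructor; it should be `private final String type;`, which is how CertPath declares its own `type` in this same commit. The constructor also stores a null `type` without comment, so `getType()` can return null; either reject null there or say so in the Javadoc. The Javadoc for `isRevoked(Certificate cert)` should also state what an implementation must do with a null argument or with a certificate whose type differs from the CRL's, because callers that read `false` as "not revoked" depend on that contract.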
diff --git a/libjava/classpath/java/security/cert/CRLException.java b/libjava/classpath/java/security/cert/CRLException.java
new file mode 100644
index 00000000000..f3addfe9594
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CRLException.java
@@ -0,0 +1,73 @@
+/* CRLException.java -- Certificate Revocation List Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception for a Certificate Revocation List.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class CRLException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = -6694728944094197147L;
+
+ /**
+ * Constructs an CRLExceptionwithout a message string.
+ */
+ public CRLException()
+ {
+ }
+
+ /**
+ * Constructs an CRLException with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CRLException(String msg)
+ {
+ super(msg);
+ }
+}
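Review bot: The Javadoc on the no-argument constructor reads `Constructs an CRLExceptionwithout a message string.`; the space is missing and the article is wrong, so it should read `Constructs a CRLException without a message string.` The one-argument constructor's comment has the same article slip (`an CRLException`). Only the comments need changing.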
diff --git a/libjava/classpath/java/security/cert/CRLSelector.java b/libjava/classpath/java/security/cert/CRLSelector.java
new file mode 100644
index 00000000000..1fa5a207dfc
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CRLSelector.java
@@ -0,0 +1,69 @@
+/* CRLSelector.java -- matches CRLs against criteria.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * A generic interface to classes that match certificate revocation
+ * lists (CRLs) to some given criteria. Implementations of this
+ * interface are useful for finding {@link CRL} objects in a {@link
+ * CertStore}.
+ *
+ * @see CertStore
+ * @see CertSelector
+ * @see X509CRLSelector
+ */
+public interface CRLSelector extends Cloneable
+{
+
+ /**
+ * Returns a clone of this instance.
+ *
+ * @return The clone.
+ */
+ Object clone();
+
+ /**
+ * Match a given certificate revocation list to this selector's
+ * criteria, returning true if it matches, false otherwise.
+ *
+ * @param crl The certificate revocation list to test.
+ * @return The boolean result of this test.
+ */
+ boolean match(CRL crl);
+}
diff --git a/libjava/classpath/java/security/cert/CertPath.java b/libjava/classpath/java/security/cert/CertPath.java
new file mode 100644
index 00000000000..e818763aab4
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPath.java
@@ -0,0 +1,252 @@
+/* CertPath.java -- a sequence of certificates
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.NotSerializableException;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * This class represents an immutable sequence, or path, of security
+ * certificates. The path type must match the type of each certificate in the
+ * path, or in other words, for all instances of cert in a certpath object,
+ * <code>cert.getType().equals(certpath.getType())</code> will return true.
+ *
+ * <p>Since this class is immutable, it is thread-safe. During serialization,
+ * the path is consolidated into a {@link CertPathRep}, which preserves the
+ * data regardless of the underlying implementation of the path.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @since 1.4
+ * @status updated to 1.4
+ */
+public abstract class CertPath implements Serializable
+{
+ /**
+ * The serialized representation of a path.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ */
+ protected static class CertPathRep implements Serializable
+ {
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 3015633072427920915L;
+
+ /**
+ * The certificate type.
+ *
+ * @serial the type of the certificate path
+ */
+ private final String type;
+
+ /**
+ * The encoded form of the path.
+ *
+ * @serial the encoded form
+ */
+ private final byte[] data;
+
+ /**
+ * Create the new serial representation.
+ *
+ * @param type the path type
+ * @param data the encoded path data
+ */
+ protected CertPathRep(String type, byte[] data)
+ {
+ this.type = type;
+ this.data = data;
+ }
+
+ /**
+ * Decode the data into an actual {@link CertPath} upon deserialization.
+ *
+ * @return the replacement object
+ * @throws ObjectStreamException if replacement fails
+ */
+ protected Object readResolve() throws ObjectStreamException
+ {
+ try
+ {
+ return CertificateFactory.getInstance(type)
+ .generateCertPath(new ByteArrayInputStream(data));
+ }
+ catch (CertificateException e)
+ {
+ throw (ObjectStreamException)
+ new NotSerializableException("java.security.cert.CertPath: "
+ + type).initCause(e);
+ }
+ }
+ } // class CertPathRep
+
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 6068470306649138683L;
+
+ /**
+ * The path type.
+ *
+ * @serial the type of all certificates in this path
+ */
+ private final String type;
+
+ /**
+ * Create a certificate path with the given type. Most code should use
+ * {@link CertificateFactory} to create CertPaths.
+ *
+ * @param type the type of the path
+ */
+ protected CertPath(String type)
+ {
+ this.type = type;
+ }
+
+ /**
+ * Get the (non-null) type of all certificates in the path.
+ *
+ * @return the path certificate type
+ */
+ public String getType()
+ {
+ return type;
+ }
+
+ /**
+ * Get an immutable iterator over the path encodings (all String names),
+ * starting with the default encoding. The iterator will throw an
+ * <code>UnsupportedOperationException</code> if an attempt is made to
+ * remove items from the list.
+ *
+ * @return the iterator of supported encodings in the path
+ */
+ public abstract Iterator getEncodings();
+
+ /**
+ * Compares this path to another for semantic equality. To be equal, both
+ * must be instances of CertPath, with the same type, and identical
+ * certificate lists. Overriding classes must not change this behavior.
+ *
+ * @param o the object to compare to
+ * @return true if the two are equal
+ */
+ public boolean equals(Object o)
+ {
+ if (! (o instanceof CertPath))
+ return false;
+ CertPath cp = (CertPath) o;
+ return type.equals(cp.type)
+ && getCertificates().equals(cp.getCertificates());
+ }
+
+ /**
+ * Returns the hashcode of this certificate path. This is defined as:<br>
+ * <code>31 * getType().hashCode() + getCertificates().hashCode()</code>.
+ *
+ * @return the hashcode
+ */
+ public int hashCode()
+ {
+ return 31 * type.hashCode() + getCertificates().hashCode();
+ }
+
+ public String toString()
+ {
+ List l = getCertificates();
+ int size = l.size();
+ int i = 0;
+ StringBuffer result = new StringBuffer(type);
+ result.append(" Cert Path: length = ").append(size).append(".\n[\n");
+ while (--size >= 0)
+ result.append(l.get(i++)).append('\n');
+ return result.append("\n]").toString();
+ }
+
+ /**
+ * Returns the encoded form of this path, via the default encoding.
+ *
+ * @return the encoded form
+ * @throws CertificateEncodingException if encoding fails
+ */
+ public abstract byte[] getEncoded() throws CertificateEncodingException;
+
+ /**
+ * Returns the encoded form of this path, via the specified encoding.
+ *
+ * @param encoding the encoding to use
+ * @return the encoded form
+ * @throws CertificateEncodingException if encoding fails or does not exist
+ */
+ public abstract byte[] getEncoded(String encoding)
+ throws CertificateEncodingException;
+
+ /**
+ * Returns the immutable, thread-safe list of certificates in this path.
+ *
+ * @return the list of certificates, non-null but possibly empty
+ */
+ public abstract List getCertificates();
+
+ /**
+ * Serializes the path in its encoded form, to ensure reserialization with
+ * the appropriate factory object without worrying about list implementation.
+ * The result will always be an instance of {@link CertPathRep}.
+ *
+ * @return the replacement object
+ * @throws ObjectStreamException if the replacement creation fails
+ */
+ protected Object writeReplace() throws ObjectStreamException
+ {
+ try
+ {
+ return new CertPathRep(type, getEncoded());
+ }
+ catch (CertificateEncodingException e)
+ {
+ throw (ObjectStreamException)
+ new NotSerializableException("java.security.cert.CertPath: "
+ + type).initCause(e);
+ }
+ }
+} // class CertPath
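Review bot: `CertPathRep.readResolve()` passes both `type` and `data` exactly as they arrive from the serialized stream to `CertificateFactory.getInstance(type).generateCertPath(...)`, and nothing in its Javadoc says that the returned path has only been parsed, not validated. I would add to that Javadoc: `The type and encoded bytes come from the stream and are not authenticated; the returned path must still be checked with a CertPathValidator before it is trusted.` Separately, `CertPath(String type)` accepts null although `getType()` is documented as non-null and `equals`, `hashCode` and `toString` all dereference `type`, so the constructor should reject null or the Javadoc should name it as a precondition. `toString()` is the only public method in the class without a Javadoc comment.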
diff --git a/libjava/classpath/java/security/cert/CertPathBuilder.java b/libjava/classpath/java/security/cert/CertPathBuilder.java
new file mode 100644
index 00000000000..f6965205f53
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilder.java
@@ -0,0 +1,238 @@
+/* CertPathBuilder.java -- bulids CertPath objects from Certificates.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * This class builds certificate paths (also called certificate chains),
+ * which can be used to establish trust for a particular certificate by
+ * building a path from a trusted certificate (a trust anchor) to the
+ * untrusted certificate.
+ *
+ * @see CertPath
+ */
+public class CertPathBuilder
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for CertPathBuilder. */
+ private static final String CERT_PATH_BUILDER = "CertPathBuilder";
+
+ /** The underlying implementation. */
+ private CertPathBuilderSpi cpbSpi;
+
+ /** The provider of this implementation. */
+ private Provider provider;
+
+ /** The name of this implementation. */
+ private String algorithm;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertPathBuilder.
+ *
+ * @param cpbSpi The underlying implementation.
+ * @param provider The provider of the implementation.
+ * @param algorithm This implementation's name.
+ */
+ protected CertPathBuilder(CertPathBuilderSpi cpbSpi, Provider provider,
+ String algorithm)
+ {
+ this.cpbSpi = cpbSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Get the default cert path builder type.
+ *
+ * <p>This value can be set at run-time by the security property
+ * <code>"certpathbuilder.type"</code>. If this property is not set,
+ * then the value returned is <code>"PKIX"</code>.
+ *
+ * @return The default CertPathBuilder algorithm.
+ */
+ public static final String getDefaultType()
+ {
+ String type = Security.getProperty("certpathbuilder.type");
+ if (type == null)
+ type = "PKIX";
+ return type;
+ }
+
+ /**
+ * Get an instance of a named CertPathBuilder, from the first provider
+ * that implements it.
+ *
+ * @param algorithm The name of the CertPathBuilder to create.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the named algorithm.
+ */
+ public static CertPathBuilder getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Get an instance of a named CertPathBuilder from the named
+ * provider.
+ *
+ * @param algorithm The name of the CertPathBuilder to create.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the named algorithm.
+ * @throws NoSuchProviderException If the named provider does not
+ * exist.
+ */
+ public static CertPathBuilder getInstance(String algorithm, String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Get an instance of a named CertPathBuilder from the specified
+ * provider.
+ *
+ * @param algorithm The name of the CertPathBuilder to create.
+ * @param provider The provider from which to get the implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the named algorithm.
+ * @throws IllegalArgumentException If <i>provider</i> in
+ * <tt>null</tt>.
+ */
+ public static CertPathBuilder getInstance(String algorithm, Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+ try
+ {
+ return new CertPathBuilder((CertPathBuilderSpi)
+ Engine.getInstance(CERT_PATH_BUILDER, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the name of this CertPathBuilder algorithm.
+ *
+ * @return The algorithm name.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Return the provider of this instance's implementation.
+ *
+ * @return The provider.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Builds a certificate path. The {@link CertPathParameters} parameter
+ * passed to this method is implementation-specific, but in general
+ * should contain some number of certificates and some number of
+ * trusted certificates (or "trust anchors").
+ *
+ * @param params The parameters.
+ * @retrun The certificate path result.
+ * @throws CertPathBuilderException If the certificate path cannot be
+ * built.
+ * @throws InvalidAlgorithmParameterException If the implementation
+ * rejects the specified parameters.
+ */
+ public final CertPathBuilderResult build(CertPathParameters params)
+ throws CertPathBuilderException, InvalidAlgorithmParameterException
+ {
+ return cpbSpi.engineBuild(params);
+ }
+}
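Review bot: Both catch blocks in `getInstance(String algorithm, Provider provider)` throw `new NoSuchAlgorithmException(algorithm)` and drop the caught exception, so a provider whose SPI class fails to construct or has the wrong type looks the same as a provider that lacks the algorithm. Because `getInstance(String algorithm)` ignores that exception and moves to the next provider, a broken preferred provider is silently replaced by a lower-priority one with no trace of why. Keep the cause the way CertPath does in this commit, e.g. `NoSuchAlgorithmException nsae = new NoSuchAlgorithmException(algorithm); nsae.initCause(ite); throw nsae;` (and likewise for `cce`). The Javadoc tag `@retrun` on `build` is misspelled and should be `@return`; `IllegalArgumentException If <i>provider</i> in <tt>null</tt>` should read "is".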
diff --git a/libjava/classpath/java/security/cert/CertPathBuilderException.java b/libjava/classpath/java/security/cert/CertPathBuilderException.java
new file mode 100644
index 00000000000..98515101025
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilderException.java
@@ -0,0 +1,159 @@
+/* CertPathBuilderException.java -- wraps an exception during certificate
+ path building
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates a problem while using a <code>CertPathBuilder</code>, wrapping
+ * the lower exception. This class is not thread-safe.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see CertPathBuilder
+ * @since 1.4
+ * @status updated to 1.4
+*/
+public class CertPathBuilderException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 5316471420178794402L;
+
+ /**
+ * Create an exception without a message. The cause may be initialized.
+ */
+ public CertPathBuilderException()
+ {
+ }
+
+ /**
+ * Create an exception with a message. The cause may be initialized.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertPathBuilderException(String msg)
+ {
+ super(msg);
+ }
+
+ /**
+ * Create an exception with a cause. The message will be
+ * <code>cause == null ? null : cause.toString()</code>.
+ *
+ * @param cause the cause
+ */
+ public CertPathBuilderException(Throwable cause)
+ {
+ this(cause == null ? null : cause.toString(), cause);
+ }
+
+ /**
+ * Create an exception with a cause and a message.
+ *
+ * @param msg the message
+ * @param cause the cause
+ */
+ public CertPathBuilderException(String msg, Throwable cause)
+ {
+ super(msg);
+ initCause(cause);
+ }
+
+ /**
+ * Get the detail message.
+ *
+ * @return the detail message
+ */
+ public String getMessage()
+ {
+ return super.getMessage();
+ }
+
+ /**
+ * Get the cause, null if unknown.
+ *
+ * @return the cause
+ */
+ public Throwable getCause()
+ {
+ return super.getCause();
+ }
+
+ /**
+ * Convert this to a string, including its cause.
+ *
+ * @return the string conversion
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+
+ /**
+ * Print the stack trace to <code>System.err</code>.
+ */
+ public void printStackTrace()
+ {
+ super.printStackTrace();
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintStream stream)
+ {
+ super.printStackTrace(stream);
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintWriter stream)
+ {
+ super.printStackTrace(stream);
+ }
+}
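Review bot: The Javadoc on `toString()` says `Convert this to a string, including its cause`, but the body is only `return super.toString();`, and nothing visible here appends the cause. Unless the superclass does so (not shown in this hunk), the comment should be reduced to `Convert this to a string.` so that callers logging the exception do not assume the underlying failure is in the output. The overrides of `getMessage`, `getCause`, `toString` and the three `printStackTrace` methods all just delegate to `super`; a one-line class comment explaining why they are kept would help maintainers.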
diff --git a/libjava/classpath/java/security/cert/CertPathBuilderResult.java b/libjava/classpath/java/security/cert/CertPathBuilderResult.java
new file mode 100644
index 00000000000..737ba9431b3
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilderResult.java
@@ -0,0 +1,63 @@
+/* CertPathBuilderResult -- results from building cert paths.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * A standard interface for the result of building a certificate path.
+ * All implementations of this class must provide a way to get the
+ * certificate path, but may also define additional methods for
+ * returning other result data generated by the certificate path
+ * builder.
+ */
+public interface CertPathBuilderResult extends Cloneable {
+
+ /**
+ * Creates a copy of this builder result.
+ *
+ * @return The copy.
+ */
+ Object clone();
+
+ /**
+ * Get the certificate path that was built.
+ *
+ * @retrn The certificate path.
+ */
+ CertPath getCertPath();
+}
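Review bot: The Javadoc on `getCertPath()` uses `@retrn` instead of `@return`, so the tag is not recognised and the return description will not appear in the generated documentation. Change the line to `* @return The certificate path.`. The interface comment also says "implementations of this class"; since the type is declared as an interface, "implementations of this interface" would be accurate.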
diff --git a/libjava/classpath/java/security/cert/CertPathBuilderSpi.java b/libjava/classpath/java/security/cert/CertPathBuilderSpi.java
new file mode 100644
index 00000000000..afc7fc07366
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathBuilderSpi.java
@@ -0,0 +1,74 @@
+/* CertPathBuilderSpi -- CertPathBuilder service provider interface.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.cert;
+
+/**
+ * The {@link CertPathBuilder} <i>Service Provider Interface</i>
+ * (<b>SPI</b>).
+ *
+ * @see CertPathBuilder
+ */
+public abstract class CertPathBuilderSpi {
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertPathBuilderSpi.
+ */
+ public CertPathBuilderSpi() {
+ super();
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a certificate path from the specified parameters.
+ *
+ * @param params The parameters to use.
+ * @return The certificate path result.
+ * @throws CertPathBuilderException If the certificate path cannot be
+ * built.
+ * @throws java.security.InvalidAlgorithmParameterException If the
+ * implementation rejects the specified parameters.
+ */
+ public abstract CertPathBuilderResult engineBuild(CertPathParameters params)
+ throws CertPathBuilderException,
+ java.security.InvalidAlgorithmParameterException;
+}
diff --git a/libjava/classpath/java/security/cert/CertPathParameters.java b/libjava/classpath/java/security/cert/CertPathParameters.java
new file mode 100644
index 00000000000..62a5cb6a69e
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathParameters.java
@@ -0,0 +1,58 @@
+/* CertPathParameters.java -- parameters for CertPathBuilder.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+package java.security.cert;
+
+/**
+ * Parameters for generating and validating certificate paths. This
+ * class does not define any methods (except a required cloneable
+ * interface) and is provided only to provide type safety for
+ * implementations. Concrete implementations implement this interface
+ * in accord with thier own needs.
+ *
+ * @see CertPathBuilder
+ * @see CertPathValidator
+ */
+public interface CertPathParameters extends Cloneable {
+
+ /**
+ * Makes a copy of this CertPathParameters instance.
+ *
+ * @return The copy.
+ */
+ Object clone();
+}
diff --git a/libjava/classpath/java/security/cert/CertPathValidator.java b/libjava/classpath/java/security/cert/CertPathValidator.java
new file mode 100644
index 00000000000..5fed19e9a78
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidator.java
@@ -0,0 +1,249 @@
+/* CertPathValidator -- validates certificate paths.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.security.AccessController;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * Generic interface to classes that validate certificate paths.
+ *
+ * <p>Using this class is similar to all the provider-based security
+ * classes; the method of interest, {@link
+ * #validate(java.security.cert.CertPath,java.security.cert.CertPathParameters)},
+ * which takes provider-specific implementations of {@link
+ * CertPathParameters}, and return provider-specific implementations of
+ * {@link CertPathValidatorResult}.
+ *
+ * @since JDK 1.4
+ * @see CertPath
+ */
+public class CertPathValidator {
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for CertPathValidator. */
+ private static final String CERT_PATH_VALIDATOR = "CertPathValidator";
+
+ /** The underlying implementation. */
+ private final CertPathValidatorSpi validatorSpi;
+
+ /** The provider of this implementation. */
+ private final Provider provider;
+
+ /** The algorithm's name. */
+ private final String algorithm;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertPathValidator.
+ *
+ * @param validatorSpi The underlying implementation.
+ * @param provider The provider of the implementation.
+ * @param algorithm The algorithm name.
+ */
+ protected CertPathValidator(CertPathValidatorSpi validatorSpi,
+ Provider provider, String algorithm)
+ {
+ this.validatorSpi = validatorSpi;
+ this.provider = provider;
+ this.algorithm = algorithm;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the default validator type.
+ *
+ * <p>This value may be set at run-time via the security property
+ * "certpathvalidator.type", or the value "PKIX" if this property is
+ * not set.
+ *
+ * @return The default validator type.
+ */
+ public static synchronized String getDefaultType() {
+ String type = (String) AccessController.doPrivileged(
+ new PrivilegedAction()
+ {
+ public Object run()
+ {
+ return Security.getProperty("certpathvalidator.type");
+ }
+ }
+ );
+ if (type == null)
+ type = "PKIX";
+ return type;
+ }
+
+ /**
+ * Get an instance of the given validator from the first provider that
+ * implements it.
+ *
+ * @param algorithm The name of the algorithm to get.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the requested algorithm.
+ */
+ public static CertPathValidator getInstance(String algorithm)
+ throws NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(algorithm, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+
+ /**
+ * Get an instance of the given validator from the named provider.
+ *
+ * @param algorithm The name of the algorithm to get.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If the named provider does not
+ * implement the algorithm.
+ * @throws NoSuchProviderException If no provider named
+ * <i>provider</i> is installed.
+ */
+ public static CertPathValidator getInstance(String algorithm,
+ String provider)
+ throws NoSuchAlgorithmException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(algorithm, p);
+ }
+
+ /**
+ * Get an instance of the given validator from the given provider.
+ *
+ * @param algorithm The name of the algorithm to get.
+ * @param provider The provider from which to get the implementation.
+ * @return The new instance.
+ * @throws NoSuchAlgorithmException If the provider does not implement
+ * the algorithm.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertPathValidator getInstance(String algorithm,
+ Provider provider)
+ throws NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+
+ try
+ {
+ return new CertPathValidator((CertPathValidatorSpi)
+ Engine.getInstance(CERT_PATH_VALIDATOR, algorithm, provider),
+ provider, algorithm);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(algorithm);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the name of this validator.
+ *
+ * @return This validator's name.
+ */
+ public final String getAlgorithm()
+ {
+ return algorithm;
+ }
+
+ /**
+ * Return the provider of this implementation.
+ *
+ * @return The provider.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Attempt to validate a certificate path.
+ *
+ * @param certPath The path to validate.
+ * @param params The algorithm-specific parameters.
+ * @return The result of this validation attempt.
+ * @throws CertPathValidatorException If the certificate path cannot
+ * be validated.
+ * @throws InvalidAlgorithmParameterException If this implementation
+ * rejects the specified parameters.
+ */
+ public final CertPathValidatorResult validate(CertPath certPath,
+ CertPathParameters params)
+ throws CertPathValidatorException, InvalidAlgorithmParameterException
+ {
+ return validatorSpi.engineValidate(certPath, params);
+ }
+}
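Review bot: Both catch blocks in `getInstance(String, Provider)` replace the original failure with a bare `NoSuchAlgorithmException(algorithm)`. A provider whose validator class fails to construct or has the wrong type then looks the same as one that lacks the algorithm. `getInstance(String)` ignores that exception and moves on to the next provider, so a broken or misconfigured provider for certificate-path validation is skipped without any trace. Keep the cause, e.g. `NoSuchAlgorithmException nsae = new NoSuchAlgorithmException(algorithm); nsae.initCause(ite); throw nsae;` (likewise for `cce`), as the exception classes in this commit already do with `initCause`. As a style point, `getDefaultType()` is declared `synchronized` although it touches no shared state of this class.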
diff --git a/libjava/classpath/java/security/cert/CertPathValidatorException.java b/libjava/classpath/java/security/cert/CertPathValidatorException.java
new file mode 100644
index 00000000000..f3195be296f
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidatorException.java
@@ -0,0 +1,226 @@
+/* CertPathValidatorException.java -- wraps an exception during validation
+ of a CertPath
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates a problem while validating a certification path. In addition,
+ * it can store the path an index in that path that caused the problem. This
+ * class is not thread-safe.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see CertPathValidator
+ * @since 1.4
+ * @status updated to 1.4
+*/
+public class CertPathValidatorException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = -3083180014971893139L;
+
+ /**
+ * The index of the certificate path that failed, or -1.
+ *
+ * @serial the failed index
+ */
+ private final int index;
+
+ /**
+ * The <code>CertPath</code> that failed.
+ *
+ * @serial the object being validated at time of failure
+ */
+ private final CertPath certPath;
+
+ /**
+ * Create an exception without a message. The cause may be initialized. The
+ * index is set to -1 and the failed CertPath object to null.
+ */
+ public CertPathValidatorException()
+ {
+ this((String) null);
+ }
+
+ /**
+ * Create an exception with a message. The cause may be initialized. The
+ * index is set to -1 and the failed CertPath object to null.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertPathValidatorException(String msg)
+ {
+ super(msg);
+ index = -1;
+ certPath = null;
+ }
+
+ /**
+ * Create an exception with a cause. The message will be
+ * <code>cause == null ? null : cause.toString()</code>. The index is set
+ * to -1 and the failed CertPath object to null.
+ *
+ * @param cause the cause
+ */
+ public CertPathValidatorException(Throwable cause)
+ {
+ this(cause == null ? null : cause.toString(), cause, null, -1);
+ }
+
+ /**
+ * Create an exception with a cause and a message. The index is set to -1
+ * and the failed CertPath object to null.
+ *
+ * @param msg the message
+ * @param cause the cause
+ */
+ public CertPathValidatorException(String msg, Throwable cause)
+ {
+ this(msg, cause, null, -1);
+ }
+
+ /**
+ * Create an exception with a cause, message, failed object, and index of
+ * failure in that CertPath.
+ *
+ * @param msg the message
+ * @param cause the cause
+ * @param certPath the path that was being validated, or null
+ * @param index the index of the path, or -1
+ * @throws IndexOutOfBoundsException if index is &lt; -1 or
+ * &gt; certPath.getCertificates().size()
+ * @throws IllegalArgumentException if certPath is null but index != -1
+ */
+ public CertPathValidatorException(String msg, Throwable cause,
+ CertPath certPath, int index)
+ {
+ super(msg);
+ initCause(cause);
+ if (index < -1 || (certPath != null
+ && index >= certPath.getCertificates().size()))
+ throw new IndexOutOfBoundsException();
+ if ((certPath == null) != (index == -1))
+ throw new IllegalArgumentException();
+ this.certPath = certPath;
+ this.index = index;
+ }
+
+ /**
+ * Get the detail message.
+ *
+ * @return the detail message
+ */
+ public String getMessage()
+ {
+ return super.getMessage();
+ }
+
+ /**
+ * Get the certificate path that had the failure, or null.
+ *
+ * @return the culprit path
+ */
+ public CertPath getCertPath()
+ {
+ return certPath;
+ }
+
+ /**
+ * Get the index that failed, or -1.
+ *
+ * @return the colprit index
+ */
+ public int getIndex()
+ {
+ return index;
+ }
+
+ /**
+ * Get the cause, null if unknown.
+ *
+ * @return the cause
+ */
+ public Throwable getCause()
+ {
+ return super.getCause();
+ }
+
+ /**
+ * Convert this to a string, including its cause.
+ *
+ * @return the string conversion
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+
+ /**
+ * Print the stack trace to <code>System.err</code>.
+ */
+ public void printStackTrace()
+ {
+ super.printStackTrace();
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintStream stream)
+ {
+ super.printStackTrace(stream);
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintWriter stream)
+ {
+ super.printStackTrace(stream);
+ }
+}
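Review bot: The four-argument constructor rejects more than its Javadoc promises: `(certPath == null) != (index == -1)` also throws `IllegalArgumentException` for a non-null path with index -1, while the comment lists only a null path with an index other than -1. A validator that reports the failing path without pinning a certificate would then raise an unchecked exception in place of the validation failure it meant to signal. If the documented contract is the intended one, the test should be `if (certPath == null && index != -1)`. The `@throws IndexOutOfBoundsException` text also says `> certPath.getCertificates().size()` where the code checks `>=`, so the comment should read `>=`.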
diff --git a/libjava/classpath/java/security/cert/CertPathValidatorResult.java b/libjava/classpath/java/security/cert/CertPathValidatorResult.java
new file mode 100644
index 00000000000..71aaf89bc18
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidatorResult.java
@@ -0,0 +1,63 @@
+/* CertPathValidatorResult -- result of validating certificate paths
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Interface to the result of calling {@link
+ * CertPathValidator#validate(java.security.cert.CertPath,java.security.cert.CertPathParameters)}.
+ *
+ * <p>This interface defines no methods other than the required
+ * {@link java.lang.Cloneable} interface, and is intended to group and
+ * provide type safety for validator results. Providers that implement
+ * a certificate path validator must also provide an implementation of
+ * this interface, possibly defining additional methods.
+ *
+ * @since JDK 1.4
+ * @see CertPathValidator
+ */
+public interface CertPathValidatorResult extends Cloneable
+{
+
+ /**
+ * Returns a copy of this validator result.
+ *
+ * @return The copy.
+ */
+ Object clone();
+}
diff --git a/libjava/classpath/java/security/cert/CertPathValidatorSpi.java b/libjava/classpath/java/security/cert/CertPathValidatorSpi.java
new file mode 100644
index 00000000000..8d18b49dac4
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertPathValidatorSpi.java
@@ -0,0 +1,79 @@
+/* CertPathValidatorSpi -- cert path validator service provider interface
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * The <i>service provider interface</i> (<b>SPI</b>) for the {@link
+ * CertPathValidator} class. Providers implementing certificate path
+ * validators must subclass this class and implement its abstract
+ * methods.
+ */
+public abstract class CertPathValidatorSpi
+{
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Default constructor.
+ */
+ public CertPathValidatorSpi()
+ {
+ super();
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Attempt to validate a certificate path.
+ *
+ * @param certPath The path to validate.
+ * @param params The algorithm-specific parameters.
+ * @return The result of this validation attempt.
+ * @throws CertPathValidatorException If the certificate path cannot
+ * be validated.
+ * @throws InvalidAlgorithmParameterException If this implementation
+ * rejects the specified parameters.
+ */
+ public abstract CertPathValidatorResult
+ engineValidate(CertPath certPath, CertPathParameters params)
+ throws CertPathValidatorException,
+ java.security.InvalidAlgorithmParameterException;
+}
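Review bot: The `@throws InvalidAlgorithmParameterException` tag on `engineValidate` uses a simple name that is neither imported nor in this package, so Javadoc may fail to resolve it. The `throws` clause itself spells out `java.security.InvalidAlgorithmParameterException`. Use the qualified name in the tag as well, `@throws java.security.InvalidAlgorithmParameterException If this implementation`, which is how CertPathBuilderSpi in this commit writes it. The comment should also say whether `params` may be null, because otherwise each provider decides that on its own.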
diff --git a/libjava/classpath/java/security/cert/CertSelector.java b/libjava/classpath/java/security/cert/CertSelector.java
new file mode 100644
index 00000000000..aea614ad95e
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertSelector.java
@@ -0,0 +1,58 @@
+/* CertSelector.java -- certificate selector interface.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+public interface CertSelector extends Cloneable
+{
+
+ /**
+ * Returns a copy of this CertSelector.
+ *
+ * @return The copy.
+ */
+ Object clone();
+
+ /**
+ * Match a certificate according to this selector's criteria.
+ *
+ * @param cert The certificate to match.
+ * @return true if the certificate matches thin criteria.
+ */
+ boolean match(Certificate cert);
+}
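Review bot: `CertSelector` is declared without an interface-level Javadoc comment, unlike the other types visible in this commit, and the `@return` text on `match` reads "thin criteria". Add a short comment above the declaration, for example `/** Selects certificates that satisfy implementation-defined criteria. */`. Change the tag to `@return true if the certificate matches this selector's criteria.`.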
diff --git a/libjava/classpath/java/security/cert/CertStore.java b/libjava/classpath/java/security/cert/CertStore.java
new file mode 100644
index 00000000000..864da868f19
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStore.java
@@ -0,0 +1,294 @@
+/* CertStore -- stores and retrieves certificates.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Collection;
+
+/**
+ * A CertStore is a read-only repository for certificates and
+ * certificate revocation lists.
+ *
+ * @since JDK 1.4
+ */
+public class CertStore
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** Service name for CertStore. */
+ private static final String CERT_STORE = "CertStore";
+
+ /** The underlying implementation. */
+ private CertStoreSpi storeSpi;
+
+ /** This implementation's provider. */
+ private Provider provider;
+
+ /** The name of this key store type. */
+ private String type;
+
+ /** The parameters used to initialize this instance, if any. */
+ private CertStoreParameters params;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new CertStore.
+ *
+ * @param storeSpi The underlying implementation.
+ * @param provider The provider of this implementation.
+ * @param type The type of CertStore this class represents.
+ * @param params The parameters used to initialize this instance, if any.
+ */
+ protected CertStore(CertStoreSpi storeSpi, Provider provider, String type,
+ CertStoreParameters params)
+ {
+ this.storeSpi = storeSpi;
+ this.provider = provider;
+ this.type = type;
+ this.params = params;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the default certificate store type.
+ *
+ * <p>This value can be set at run-time via the security property
+ * "certstore.type"; if not specified than the default type will be
+ * "LDAP".
+ *
+ * @return The default CertStore type.
+ */
+ public static final synchronized String getDefaultType()
+ {
+ String type = null;
+ type = (String) java.security.AccessController.doPrivileged(
+ new PrivilegedAction() {
+ public Object run() {
+ return Security.getProperty("certstore.type");
+ }
+ }
+ );
+ if (type == null)
+ type = "LDAP";
+ return type;
+ }
+
+ /**
+ * Get an instance of the given certificate store from the first
+ * installed provider.
+ *
+ * @param type The type of CertStore to create.
+ * @param params The parameters to initialize this cert store with.
+ * @return The new instance.
+ * @throws InvalidAlgorithmParameterException If the instance rejects
+ * the specified parameters.
+ * @throws NoSuchAlgorithmException If no installed provider
+ * implements the specified CertStore.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertStore getInstance(String type, CertStoreParameters params)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
+ {
+ Provider[] p = Security.getProviders();
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(type, params, p[i]);
+ }
+ catch (NoSuchAlgorithmException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new NoSuchAlgorithmException(type);
+ }
+
+ /**
+ * Get an instance of the given certificate store from the named
+ * provider.
+ *
+ * @param type The type of CertStore to create.
+ * @param params The parameters to initialize this cert store with.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return The new instance.
+ * @throws InvalidAlgorithmParameterException If the instance rejects
+ * the specified parameters.
+ * @throws NoSuchAlgorithmException If the specified provider does not
+ * implement the specified CertStore.
+ * @throws NoSuchProviderException If no provider named
+ * <i>provider</i> is installed.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertStore getInstance(String type, CertStoreParameters params,
+ String provider)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException,
+ NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if (p == null)
+ throw new NoSuchProviderException(provider);
+ return getInstance(type, params, p);
+ }
+
+ /**
+ * Get an instance of the given certificate store from the given
+ * provider.
+ *
+ * @param type The type of CertStore to create.
+ * @param params The parameters to initialize this cert store with.
+ * @param provider The provider from which to get the implementation.
+ * @return The new instance.
+ * @throws InvalidAlgorithmParameterException If the instance rejects
+ * the specified parameters.
+ * @throws NoSuchAlgorithmException If the specified provider does not
+ * implement the specified CertStore.
+ * @throws IllegalArgumentException If <i>provider</i> is null.
+ */
+ public static CertStore getInstance(String type, CertStoreParameters params,
+ Provider provider)
+ throws InvalidAlgorithmParameterException, NoSuchAlgorithmException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+
+ try
+ {
+ return new CertStore((CertStoreSpi) Engine.getInstance(CERT_STORE,
+ type, provider, new Object[] { params }), provider, type, params);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new NoSuchAlgorithmException(type);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ Throwable cause = ite.getCause();
+ if (cause instanceof InvalidAlgorithmParameterException)
+ throw (InvalidAlgorithmParameterException) cause;
+ else
+ throw new NoSuchAlgorithmException(type);
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the type of certificate store this instance represents.
+ *
+ * @return The CertStore type.
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ * Return the provider of this implementation.
+ *
+ * @return The provider.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Get the parameters this instance was created with, if any. The
+ * parameters will be cloned before they are returned.
+ *
+ * @return The parameters, or null.
+ */
+ public final CertStoreParameters getCertStoreParameters()
+ {
+ return params != null ? (CertStoreParameters) params.clone() : null;
+ }
+
+ /**
+ * Get a collection of certificates from this CertStore, optionally
+ * filtered by the specified CertSelector. The Collection returned may
+ * be empty, but will never be null.
+ *
+ * <p>Implementations may not allow a null argument, even if no
+ * filtering is desired.
+ *
+ * @param selector The certificate selector.
+ * @return The collection of certificates.
+ * @throws CertStoreException If the certificates cannot be retrieved.
+ */
+ public final Collection getCertificates(CertSelector selector)
+ throws CertStoreException
+ {
+ return storeSpi.engineGetCertificates(selector);
+ }
+
+ /**
+ * Get a collection of certificate revocation lists from this CertStore,
+ * optionally filtered by the specified CRLSelector. The Collection
+ * returned may be empty, but will never be null.
+ *
+ * <p>Implementations may not allow a null argument, even if no
+ * filtering is desired.
+ *
+ * @param selector The certificate selector.
+ * @return The collection of certificate revocation lists.
+ * @throws CertStoreException If the CRLs cannot be retrieved.
+ */
+ public final Collection getCRLs(CRLSelector selector)
+ throws CertStoreException
+ {
+ return storeSpi.engineGetCRLs(selector);
+ }
+}
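Review bot: The constructor keeps the caller's `params` object by reference (`this.params = params;`), so a caller that retains it can change it after the store is built. getCertStoreParameters() would then clone and report settings the store was not created with. Copying on the way in, `this.params = params != null ? (CertStoreParameters) params.clone() : null;`, matches the clone already done on the way out. In the three-argument getInstance, the `InvocationTargetException` branch throws `new NoSuchAlgorithmException(type)` and discards `cause`, which hides why the provider's constructor failed. On the documentation side, the two-argument getInstance lists `@throws IllegalArgumentException If provider is null` although it has no provider parameter, and the `type` field comment says "key store type" where it means the CertStore type.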
diff --git a/libjava/classpath/java/security/cert/CertStoreException.java b/libjava/classpath/java/security/cert/CertStoreException.java
new file mode 100644
index 00000000000..a4d8b7a46e1
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStoreException.java
@@ -0,0 +1,159 @@
+/* CertStoreException.java -- wraps an exception during certificate storage
+ Copyright (C) 2002, 2005 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates a problem while retrieving certificates and CRLs from
+ * <code>CertStore</code>, wrapping the lower exception. This class is not
+ * thread-safe.
+ *
+ * @author Eric Blake (ebb9@email.byu.edu)
+ * @see CertStore
+ * @since 1.4
+ * @status updated to 1.4
+*/
+public class CertStoreException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.4+.
+ */
+ private static final long serialVersionUID = 2395296107471573245L;
+
+ /**
+ * Create an exception without a message. The cause may be initialized.
+ */
+ public CertStoreException()
+ {
+ }
+
+ /**
+ * Create an exception with a message. The cause may be initialized.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertStoreException(String msg)
+ {
+ super(msg);
+ }
+
+ /**
+ * Create an exception with a cause. The message will be
+ * <code>cause == null ? null : cause.toString()</code>.
+ *
+ * @param cause the cause
+ */
+ public CertStoreException(Throwable cause)
+ {
+ this(cause == null ? null : cause.toString(), cause);
+ }
+
+ /**
+ * Create an exception with a cause and a message.
+ *
+ * @param msg the message
+ * @param cause the cause
+ */
+ public CertStoreException(String msg, Throwable cause)
+ {
+ super(msg);
+ initCause(cause);
+ }
+
+ /**
+ * Get the detail message.
+ *
+ * @return the detail message
+ */
+ public String getMessage()
+ {
+ return super.getMessage();
+ }
+
+ /**
+ * Get the cause, null if unknown.
+ *
+ * @return the cause
+ */
+ public Throwable getCause()
+ {
+ return super.getCause();
+ }
+
+ /**
+ * Convert this to a string, including its cause.
+ *
+ * @return the string conversion
+ */
+ public String toString()
+ {
+ return super.toString();
+ }
+
+ /**
+ * Print the stack trace to <code>System.err</code>.
+ */
+ public void printStackTrace()
+ {
+ super.printStackTrace();
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintStream stream)
+ {
+ super.printStackTrace(stream);
+ }
+
+ /**
+ * Print the stack trace to a stream.
+ *
+ * @param stream the stream
+ */
+ public void printStackTrace(PrintWriter stream)
+ {
+ super.printStackTrace(stream);
+ }
+}
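Review bot: The six methods at the end of the class (getMessage, getCause, toString and the three printStackTrace overloads) only forward to `super`, so they add no behaviour. If they are declared purely to mirror the reference API's method list, which the `@status updated to 1.4` tag suggests, a short comment such as `// Declared only for API signature compatibility; behaviour is inherited.` would stop a later reader from hunting for a difference. The toString Javadoc says the result includes the cause, but the body is just `return super.toString();`. Unless the superclass appends the cause, that sentence should read `Convert this to a string.`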
diff --git a/libjava/classpath/java/security/cert/CertStoreParameters.java b/libjava/classpath/java/security/cert/CertStoreParameters.java
new file mode 100644
index 00000000000..aab22f01fda
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStoreParameters.java
@@ -0,0 +1,60 @@
+/* CertStoreParameters -- interface to CertStore parameters.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Parameters used when creating instances of {@link CertStore}. This
+ * class does not define any methods (except a required cloneable
+ * interface) and is provided only to provide type safety for
+ * implementations. Concrete implementations implement this interface
+ * in accord with thier own needs.
+ *
+ * @see LDAPCertStoreParameters
+ * @see CollectionCertStoreParameters
+ */
+public interface CertStoreParameters extends Cloneable
+{
+
+ /**
+ * Create a copy of these parameters.
+ *
+ * @return The copy.
+ */
+ Object clone();
+}
diff --git a/libjava/classpath/java/security/cert/CertStoreSpi.java b/libjava/classpath/java/security/cert/CertStoreSpi.java
new file mode 100644
index 00000000000..eca0e866ca1
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertStoreSpi.java
@@ -0,0 +1,102 @@
+/* CertStoreSpi -- certificate store service provider interface.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.util.Collection;
+
+/**
+ * The <i>service provider interface</i> (<b>SPI</b>) for the {@link
+ * CertStore} class.
+ *
+ * <p>Providers wishing to implement a CertStore must subclass this
+ * class, implementing all the abstract methods. Providers may also
+ * implement the {@link CertStoreParameters} interface, if they require
+ * parameters.
+ *
+ * @since JDK 1.4
+ * @see CertStore
+ * @see CollectionCertStoreParameters
+ * @see LDAPCertStoreParameters
+ */
+public abstract class CertStoreSpi
+{
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CertStoreSpi.
+ *
+ * @param params The parameters to initialize this instance with, or
+ * null if no parameters are required.
+ * @throws InvalidAlgorithmParameterException If the specified
+ * parameters are inappropriate for this class.
+ */
+ public CertStoreSpi(CertStoreParameters params)
+ throws java.security.InvalidAlgorithmParameterException
+ {
+ super();
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Get the certificates from this store, filtering them through the
+ * specified CertSelector.
+ *
+ * @param selector The CertSelector to filter certificates.
+ * @return A (non-null) collection of certificates.
+ * @throws CertStoreException If the certificates cannot be retrieved.
+ */
+ public abstract Collection engineGetCertificates(CertSelector selector)
+ throws CertStoreException;
+
+ /**
+ * Get the certificate revocation list from this store, filtering them
+ * through the specified CRLSelector.
+ *
+ * @param selector The CRLSelector to filter certificate revocation
+ * lists.
+ * @return A (non-null) collection of certificate revocation list.
+ * @throws CertStoreException If the CRLs cannot be retrieved.
+ */
+ public abstract Collection engineGetCRLs(CRLSelector selector)
+ throws CertStoreException;
+}
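Review bot: The constructor accepts `params` but never reads it, since its body is only `super();`. The documented `InvalidAlgorithmParameterException` therefore cannot originate here, and parameter validation is left entirely to subclasses. The Javadoc should say so, for example `This constructor ignores params; subclasses must validate them and throw if they are inappropriate.` The explicit `super();` can also go. The Javadoc for engineGetCertificates and engineGetCRLs does not say whether a null selector is permitted, while CertStore.getCertificates in this same commit warns that implementations may reject one; stating the contract on the SPI side would let providers agree on it.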
diff --git a/libjava/classpath/java/security/cert/Certificate.java b/libjava/classpath/java/security/cert/Certificate.java
new file mode 100644
index 00000000000..f8456f97ae5
--- /dev/null
+++ b/libjava/classpath/java/security/cert/Certificate.java
@@ -0,0 +1,306 @@
+/* Certificate.java --- Certificate class
+ Copyright (C) 1999, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.InvalidObjectException;
+import java.io.ObjectStreamException;
+import java.io.Serializable;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.SignatureException;
+
+/**
+ * The Certificate class is an abstract class used to manage
+ * identity certificates. An identity certificate is a
+ * combination of a principal and a public key which is
+ * certified by another principal. This is the puprose of
+ * Certificate Authorities (CA).
+ *
+ * <p>This class is used to manage different types of certificates
+ * but have important common puposes. Different types of
+ * certificates like X.509 and OpenPGP share general certificate
+ * functions (like encoding and verifying) and information like
+ * public keys.
+ *
+ * <p>X.509, OpenPGP, and SDSI can be implemented by subclassing this
+ * class even though they differ in storage methods and information
+ * stored.
+ *
+ * @see CertificateFactory
+ * @see X509Certificate
+ * @since JDK 1.2
+ * @author Mark Benvenuto
+ * @author Casey Marshall
+ */
+public abstract class Certificate implements Serializable
+{
+ private static final long serialVersionUID = -6751606818319535583L;
+
+ private String type;
+
+ /**
+ Constructs a new certificate of the specified type. An example
+ is "X.509".
+
+ @param type a valid standard name for a certificate.
+ */
+ protected Certificate(String type)
+ {
+ this.type = type;
+ }
+
+ /**
+ Returns the Certificate type.
+
+ @return a string representing the Certificate type
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ Compares this Certificate to other. It checks if the
+ object if instanceOf Certificate and then checks if
+ the encoded form matches.
+
+ @param other An Object to test for equality
+
+ @return true if equal, false otherwise
+ */
+ public boolean equals(Object other)
+ {
+ if( other instanceof Certificate ) {
+ try {
+ Certificate x = (Certificate) other;
+ if( getEncoded().length != x.getEncoded().length )
+ return false;
+
+ byte[] b1 = getEncoded();
+ byte[] b2 = x.getEncoded();
+
+ for( int i = 0; i < b1.length; i++ )
+ if( b1[i] != b2[i] )
+ return false;
+
+ } catch( CertificateEncodingException cee ) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ Returns a hash code for this Certificate in its encoded
+ form.
+
+ @return A hash code of this class
+ */
+ public int hashCode()
+ {
+ return super.hashCode();
+ }
+
+ /**
+ Gets the DER ASN.1 encoded format for this Certificate.
+ It assumes each certificate has only one encoding format.
+ Ex: X.509 is encoded as ASN.1 DER
+
+ @return byte array containg encoded form
+
+ @throws CertificateEncodingException if an error occurs
+ */
+ public abstract byte[] getEncoded() throws CertificateEncodingException;
+
+ /**
+ Verifies that this Certificate was properly signed with the
+ PublicKey that corresponds to its private key.
+
+ @param key PublicKey to verify with
+
+ @throws CertificateException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException no provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key)
+ throws CertificateException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Verifies that this Certificate was properly signed with the
+ PublicKey that corresponds to its private key and uses
+ the signature engine provided by the provider.
+
+ @param key PublicKey to verify with
+ @param sigProvider Provider to use for signature algorithm
+
+ @throws CertificateException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException incorrect provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key,
+ String sigProvider)
+ throws CertificateException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Returns a string representing the Certificate.
+
+ @return a string representing the Certificate.
+ */
+ public abstract String toString();
+
+
+ /**
+ Returns the public key stored in the Certificate.
+
+ @return The public key
+ */
+ public abstract PublicKey getPublicKey();
+
+ // Protected methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns a replacement for this certificate to be serialized. This
+ * method returns the equivalent to the following for this class:
+ *
+ * <blockquote>
+ * <pre>new CertificateRep(getType(), getEncoded());</pre>
+ * </blockquote>
+ *
+ * <p>This thusly replaces the certificate with its name and its
+ * encoded form, which can be deserialized later with the {@link
+ * CertificateFactory} implementation for this certificate's type.
+ *
+ * @return The replacement object to be serialized.
+ * @throws ObjectStreamException If the replacement could not be
+ * created.
+ */
+ protected Object writeReplace() throws ObjectStreamException
+ {
+ try
+ {
+ return new CertificateRep(getType(), getEncoded());
+ }
+ catch (CertificateEncodingException cee)
+ {
+ throw new InvalidObjectException(cee.toString());
+ }
+ }
+
+ // Inner class.
+ // ------------------------------------------------------------------------
+
+ /**
+ Certificate.CertificateRep is an inner class used to provide an alternate
+ storage mechanism for serialized Certificates.
+ */
+ protected static class CertificateRep implements java.io.Serializable
+ {
+
+ /** From JDK1.4. */
+ private static final long serialVersionUID = -8563758940495660020L;
+
+ /** The certificate type, e.g. "X.509". */
+ private String type;
+
+ /** The encoded certificate data. */
+ private byte[] data;
+
+ /**
+ * Create an alternative representation of this certificate. The
+ * <code>(type, data)</code> pair is typically the certificate's
+ * type as returned by {@link Certificate#getType()} (i.e. the
+ * canonical name of the certificate type) and the encoded form as
+ * returned by {@link Certificate#getEncoded()}.
+ *
+ * <p>For example, X.509 certificates would create an instance of
+ * this class with the parameters "X.509" and the ASN.1
+ * representation of the certificate, encoded as DER bytes.
+ *
+ * @param type The certificate type.
+ * @param data The encoded certificate data.
+ */
+ protected CertificateRep(String type, byte[] data)
+ {
+ this.type = type;
+ this.data = data;
+ }
+
+ /**
+ * Deserialize this certificate replacement into the appropriate
+ * certificate object. That is, this method attempts to create a
+ * {@link CertificateFactory} for this certificate's type, then
+ * attempts to parse the encoded data with that factory, returning
+ * the resulting certificate.
+ *
+ * @return The deserialized certificate.
+ * @throws ObjectStreamException If there is no appropriate
+ * certificate factory for the given type, or if the encoded form
+ * cannot be parsed.
+ */
+ protected Object readResolve() throws ObjectStreamException
+ {
+ try
+ {
+ CertificateFactory fact = CertificateFactory.getInstance(type);
+ return fact.generateCertificate(new ByteArrayInputStream(data));
+ }
+ catch (Exception e)
+ {
+ throw new InvalidObjectException(e.toString());
+ }
+ }
+ }
+}
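Review bot: hashCode() returns `super.hashCode()`, which is the identity hash, while equals() compares the encoded bytes, so two certificates that are equal will normally hash differently. Its Javadoc, which promises a hash of the encoded form, is therefore not met. Any hash-based set or map of certificates will fail to find an equal entry, which matters wherever certificates are looked up by value. The hash should be derived from getEncoded() as sketched below, with a fixed value when encoding fails, in line with equals() returning false in that case. equals() also calls getEncoded() up to four times; reading each encoding once and using `java.util.Arrays.equals(b1, b2)` would be shorter.

```java
  public int hashCode()
  {
    try
      {
        byte[] enc = getEncoded();
        int h = 0;
        for (int i = 0; i < enc.length; i++)
          h = 31 * h + enc[i];
        return h;
      }
    catch (CertificateEncodingException cee)
      {
        // Keep hashCode total; equals() already treats this case as "not equal".
        return 0;
      }
  }
```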
diff --git a/libjava/classpath/java/security/cert/CertificateEncodingException.java b/libjava/classpath/java/security/cert/CertificateEncodingException.java
new file mode 100644
index 00000000000..0bb0c26d358
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateEncodingException.java
@@ -0,0 +1,71 @@
+/* CertificateEncodingException.java -- Certificate Encoding Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for a Certificate Encoding.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class CertificateEncodingException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 6219492851589449162L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateEncodingException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg A message to display with exception
+ */
+ public CertificateEncodingException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateException.java b/libjava/classpath/java/security/cert/CertificateException.java
new file mode 100644
index 00000000000..3e075ddaf35
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateException.java
@@ -0,0 +1,74 @@
+/* CertificateException.java -- Certificate Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception for a Certificate.
+ *
+ * @author Mark Benvenuto
+ * @see Certificate
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class CertificateException extends GeneralSecurityException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 3192535253797119798L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertificateException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateExpiredException.java b/libjava/classpath/java/security/cert/CertificateExpiredException.java
new file mode 100644
index 00000000000..5b37142b5ec
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateExpiredException.java
@@ -0,0 +1,71 @@
+/* CertificateExpiredException.java --- Certificate Expired Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for a Certificate Expiring.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+ */
+public class CertificateExpiredException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 9071001339691533771L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateExpiredException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertificateExpiredException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateFactory.java b/libjava/classpath/java/security/cert/CertificateFactory.java
new file mode 100644
index 00000000000..aedeff53573
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateFactory.java
@@ -0,0 +1,358 @@
+/* CertificateFactory.java -- Certificate Factory Class
+ Copyright (C) 1999, 2002, 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.Engine;
+
+import java.io.InputStream;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ * This class implements the CertificateFactory class interface used to
+ * generate certificates, certificate revocation lists (CRLs), and certificate
+ * paths objects from their encoded forms.
+ *
+ * @author Mark Benvenuto
+ * @author Casey Marshall
+ * @since JDK 1.2
+ * @status Fully compatible with JDK 1.4.
+ */
+public class CertificateFactory
+{
+
+ /** The service name for certificate factories. */
+ private static final String CERTIFICATE_FACTORY = "CertificateFactory";
+
+ private CertificateFactorySpi certFacSpi;
+ private Provider provider;
+ private String type;
+
+ /**
+ * Creates an instance of CertificateFactory.
+ *
+ * @param certFacSpi The underlying CertificateFactory engine.
+ * @param provider The provider of this implementation.
+ * @param type The type of Certificate this factory creates.
+ */
+ protected CertificateFactory(CertificateFactorySpi certFacSpi,
+ Provider provider, String type)
+ {
+ this.certFacSpi = certFacSpi;
+ this.provider = provider;
+ this.type = type;
+ }
+
+ // Class methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Gets an instance of the CertificateFactory class representing
+ * the specified certificate factory. If the type is not
+ * found then, it throws CertificateException.
+ *
+ * @param type The type of certificate factory to create.
+ * @return a CertificateFactory repesenting the desired type
+ * @throws CertificateException If the type of certificate is not
+ * implemented by any installed provider.
+ */
+ public static final CertificateFactory getInstance(String type)
+ throws CertificateException
+ {
+ Provider[] p = Security.getProviders();
+
+ for (int i = 0; i < p.length; i++)
+ {
+ try
+ {
+ return getInstance(type, p[i]);
+ }
+ catch (CertificateException e)
+ {
+ // Ignored.
+ }
+ }
+
+ throw new CertificateException(type);
+ }
+
+ /**
+ * Gets an instance of the CertificateFactory class representing
+ * the specified certificate factory from the specified provider.
+ * If the type is not found then, it throws {@link CertificateException}.
+ * If the provider is not found, then it throws
+ * {@link java.security.NoSuchProviderException}.
+ *
+ * @param type The type of certificate factory to create.
+ * @param provider The name of the provider from which to get the
+ * implementation.
+ * @return A CertificateFactory for the desired type.
+ * @throws CertificateException If the type of certificate is not
+ * implemented by the named provider.
+ * @throws NoSuchProviderException If the named provider is not installed.
+ */
+ public static final CertificateFactory getInstance(String type,
+ String provider)
+ throws CertificateException, NoSuchProviderException
+ {
+ Provider p = Security.getProvider(provider);
+ if( p == null)
+ throw new NoSuchProviderException(provider);
+
+ return getInstance(type, p);
+ }
+
+ /**
+ * Get a certificate factory for the given certificate type from the
+ * given provider.
+ *
+ * @param type The type of certificate factory to create.
+ * @param provider The provider from which to get the implementation.
+ * @return A CertificateFactory for the desired type.
+ * @throws CertificateException If the type of certificate is not
+ * implemented by the provider.
+ * @throws IllegalArgumentException If the provider is null.
+ */
+ public static final CertificateFactory getInstance(String type,
+ Provider provider)
+ throws CertificateException
+ {
+ if (provider == null)
+ throw new IllegalArgumentException("null provider");
+
+ try
+ {
+ return new CertificateFactory((CertificateFactorySpi)
+ Engine.getInstance(CERTIFICATE_FACTORY, type, provider),
+ provider, type);
+ }
+ catch (ClassCastException cce)
+ {
+ throw new CertificateException(type);
+ }
+ catch (java.lang.reflect.InvocationTargetException ite)
+ {
+ throw new CertificateException(type);
+ }
+ catch (NoSuchAlgorithmException nsae)
+ {
+ throw new CertificateException(nsae.getMessage());
+ }
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Gets the provider of this implementation.
+ *
+ * @return The provider of this implementation.
+ */
+ public final Provider getProvider()
+ {
+ return provider;
+ }
+
+ /**
+ * Returns the type of the certificate this factory creates.
+ *
+ * @return A string with the type of certificate
+ */
+ public final String getType()
+ {
+ return type;
+ }
+
+ /**
+ * Generates a Certificate from the encoded data read
+ * from an InputStream.
+ *
+ * <p>The input stream must contain only one certificate.
+ *
+ * <p>If there exists a specialized certificate class for the
+ * certificate format handled by the certificate factory
+ * then the return Ceritificate should be a typecast of it.
+ * Ex: A X.509 CertificateFactory should return X509Certificate.
+ *
+ * <p>For X.509 certificates, the certificate in inStream must be
+ * DER encoded and supplied in binary or printable (Base64)
+ * encoding. If the certificate is in Base64 encoding, it must be
+ * bounded by -----BEGINCERTIFICATE-----, and
+ * -----END CERTIFICATE-----.
+ *
+ * @param inStream An input stream containing the certificate data.
+ * @return A certificate initialized from the decoded InputStream data.
+ * @throws CertificateException If an error occurs decoding the
+ * certificate.
+ */
+ public final Certificate generateCertificate(InputStream inStream)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertificate(inStream);
+ }
+
+ /**
+ * Returns a collection of certificates that were read from the
+ * input stream. It may be empty, have only one, or have
+ * multiple certificates.
+ *
+ * For a X.509 certificate factory, the stream may contain a
+ * single DER encoded certificate or a PKCS#7 certificate
+ * chain. This is a PKCS#7 <I>SignedData</I> object with the
+ * most significant field being <I>certificates</I>. If no
+ * CRLs are present, then an empty collection is returned.
+ *
+ * @param inStream An input stream containing the certificate data.
+ * @return A collection of certificates initialized from the decoded
+ * InputStream data.
+ * @throws CertificateException If an error occurs decoding the
+ * certificates.
+ */
+ public final Collection generateCertificates(InputStream inStream)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertificates(inStream);
+ }
+
+ /**
+ * Generates a CRL based on the encoded data read
+ * from the InputStream.
+ *
+ * <p>The input stream must contain only one CRL.
+ *
+ * <p>If there exists a specialized CRL class for the
+ * CRL format handled by the certificate factory
+ * then the return CRL should be a typecast of it.
+ * Ex: A X.509 CertificateFactory should return X509CRL.
+ *
+ * @param inStream An input stream containing the CRL data.
+ * @return A CRL initialized from the decoded InputStream data.
+ * @throws CRLException If an error occurs decoding the CRL.
+ */
+ public final CRL generateCRL(InputStream inStream)
+ throws CRLException
+ {
+ return certFacSpi.engineGenerateCRL(inStream);
+ }
+
+ /**
+ * <p>Generates CRLs based on the encoded data read
+ * from the InputStream.
+ *
+ * <p>For a X.509 certificate factory, the stream may contain a
+ * single DER encoded CRL or a PKCS#7 CRL set. This is a
+ * PKCS#7 <I>SignedData</I> object with the most significant
+ * field being <I>crls</I>. If no CRLs are present, then an
+ * empty collection is returned.
+ *
+ * @param inStream an input stream containing the CRLs.
+ * @return a collection of CRLs initialized from the decoded
+ * InputStream data.
+ * @throws CRLException If an error occurs decoding the CRLs.
+ */
+ public final Collection generateCRLs(InputStream inStream)
+ throws CRLException
+ {
+ return certFacSpi.engineGenerateCRLs( inStream );
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream. The default encoding of this factory is used.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public final CertPath generateCertPath(InputStream inStream)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertPath(inStream);
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream, using the specified encoding.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @param encoding The encoding of the InputStream data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public final CertPath generateCertPath(InputStream inStream, String encoding)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertPath(inStream, encoding);
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with the certificates
+ * in the {@link java.util.List} argument.
+ *
+ * @param certificates The list of certificates with which to create
+ * the CertPath.
+ * @return A CertPath initialized from the certificates.
+ * @throws CertificateException If an error occurs generating the
+ * CertPath.
+ */
+ public final CertPath generateCertPath(List certificates)
+ throws CertificateException
+ {
+ return certFacSpi.engineGenerateCertPath(certificates);
+ }
+
+ /**
+ * Returns an Iterator of CertPath encodings supported by this
+ * factory, with the default encoding first. The returned Iterator
+ * cannot be modified.
+ *
+ * @return The Iterator of supported encodings.
+ */
+ public final Iterator getCertPathEncodings()
+ {
+ return certFacSpi.engineGetCertPathEncodings();
+ }
+} // class CertificateFactory
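Review bot: In `getInstance(String type, Provider provider)` all three catch blocks discard the exception they caught, so a provider whose factory constructor throws (the `InvocationTargetException` branch) is reported as a bare `CertificateException(type)`, indistinguishable from a type that is simply not implemented. `CertificateException` in this commit has only the no-argument and message constructors, so the cause would have to be attached with `initCause`, e.g. `CertificateException ce = new CertificateException(type); ce.initCause(ite); throw ce;`. The one-argument `getInstance(String type)` then drops those exceptions again in its empty catch; keeping the last one and chaining it to the final `throw new CertificateException(type)` would preserve the reason a provider was skipped. Separately, the `generateCertificate` javadoc writes the PEM header as `-----BEGINCERTIFICATE-----`, which should read `-----BEGIN CERTIFICATE-----` as in CertificateFactorySpi.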
diff --git a/libjava/classpath/java/security/cert/CertificateFactorySpi.java b/libjava/classpath/java/security/cert/CertificateFactorySpi.java
new file mode 100644
index 00000000000..beea9646a67
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateFactorySpi.java
@@ -0,0 +1,225 @@
+/* CertificateFactorySpi.java --- Certificate Factory Class
+ Copyright (C) 1999,2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.io.InputStream;
+
+import java.util.Collection;
+import java.util.Iterator;
+import java.util.List;
+
+/**
+ CertificateFactorySpi is the abstract class Service Provider
+ Interface (SPI) for the CertificateFactory class. A provider
+ must implement all the abstract methods if they wish to
+ supply a certificate factory for a particular certificate
+ type. Ex: X.509
+
+ Certificate factories are used to generate certificates and
+ certificate revocation lists (CRL) from their encoding.
+
+ @since JDK 1.2
+
+ @author Mark Benvenuto
+ */
+public abstract class CertificateFactorySpi
+{
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Constructs a new CertificateFactorySpi
+ */
+ public CertificateFactorySpi()
+ {}
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ Generates a Certificate based on the encoded data read
+ from the InputStream.
+
+ The input stream must contain only one certificate.
+
+ If there exists a specialized certificate class for the
+ certificate format handled by the certificate factory
+ then the return Ceritificate should be a typecast of it.
+ Ex: A X.509 CertificateFactory should return X509Certificate.
+
+ For X.509 certificates, the certificate in inStream must be
+ DER encoded and supplied in binary or printable (Base64)
+ encoding. If the certificate is in Base64 encoding, it must be
+ bounded by -----BEGIN CERTIFICATE-----, and
+ -----END CERTIFICATE-----.
+
+ @param inStream an input stream containing the certificate data
+
+ @return a certificate initialized with InputStream data.
+
+ @throws CertificateException Certificate parsing error
+ */
+ public abstract Certificate engineGenerateCertificate(InputStream inStream)
+ throws CertificateException;
+
+ /**
+ Returns a collection of certificates that were read from the
+ input stream. It may be empty, have only one, or have
+ multiple certificates.
+
+ For a X.509 certificate factory, the stream may contain a
+ single DER encoded certificate or a PKCS#7 certificate
+ chain. This is a PKCS#7 <I>SignedData</I> object with the
+ most significant field being <I>certificates</I>. If no
+ CRLs are present, then an empty collection is returned.
+
+ @param inStream an input stream containing the certificates
+
+ @return a collection of certificates initialized with
+ the InputStream data.
+
+ @throws CertificateException Certificate parsing error
+ */
+ public abstract Collection engineGenerateCertificates(InputStream inStream)
+ throws CertificateException;
+
+ /**
+ Generates a CRL based on the encoded data read
+ from the InputStream.
+
+ The input stream must contain only one CRL.
+
+ If there exists a specialized CRL class for the
+ CRL format handled by the certificate factory
+ then the return CRL should be a typecast of it.
+ Ex: A X.509 CertificateFactory should return X509CRL.
+
+ @param inStream an input stream containing the CRL data
+
+ @return a CRL initialized with InputStream data.
+
+ @throws CRLException CRL parsing error
+ */
+ public abstract CRL engineGenerateCRL(InputStream inStream)
+ throws CRLException;
+
+ /**
+ Generates CRLs based on the encoded data read
+ from the InputStream.
+
+ For a X.509 certificate factory, the stream may contain a
+ single DER encoded CRL or a PKCS#7 CRL set. This is a
+ PKCS#7 <I>SignedData</I> object with the most significant
+ field being <I>crls</I>. If no CRLs are present, then an
+ empty collection is returned.
+
+ @param inStream an input stream containing the CRLs
+
+ @return a collection of CRLs initialized with
+ the InputStream data.
+
+ @throws CRLException CRL parsing error
+ */
+ public abstract Collection engineGenerateCRLs(InputStream inStream)
+ throws CRLException;
+
+ // 1.4 instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream. The default encoding of this factory is used.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public CertPath engineGenerateCertPath(InputStream inStream)
+ throws CertificateException
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with data parsed from
+ * the input stream, using the specified encoding.
+ *
+ * @param inStream The InputStream containing the CertPath data.
+ * @param encoding The encoding of the InputStream data.
+ * @return A CertPath initialized from the input stream data.
+ * @throws CertificateException If an error occurs decoding the
+ * CertPath.
+ */
+ public CertPath engineGenerateCertPath(InputStream inStream, String encoding)
+ throws CertificateException
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ /**
+ * Generate a {@link CertPath} and initialize it with the certificates
+ * in the {@link java.util.List} argument.
+ *
+ * @param certificates The list of certificates with which to create
+ * the CertPath.
+ * @return A CertPath initialized from the certificates.
+ * @throws CertificateException If an error occurs generating the
+ * CertPath.
+ */
+ public CertPath engineGenerateCertPath(List certificates)
+ throws CertificateException
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+
+ /**
+ * Returns an Iterator of CertPath encodings supported by this
+ * factory, with the default encoding first. The returned Iterator
+ * cannot be modified.
+ *
+ * @return The Iterator of supported encodings.
+ */
+ public Iterator engineGetCertPathEncodings()
+ {
+ throw new UnsupportedOperationException("not implemented");
+ }
+}
+
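Review bot: The four 1.4 methods (the three `engineGenerateCertPath` overloads and `engineGetCertPathEncodings`) unconditionally throw `UnsupportedOperationException`, but their javadoc lists only `CertificateException` or nothing at all, and `CertificateFactory.generateCertPath` and `getCertPathEncodings` forward to them without a catch. A caller that handles only the declared checked exception will therefore get an unchecked exception from any provider that does not override these methods. Each comment should state this with `@throws UnsupportedOperationException If the provider does not override this method.` Also, the `engineGenerateCertificates` comment says `If no CRLs are present, then an empty collection is returned`, which looks copied from the CRL method and presumably should read `If no certificates are present`.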
diff --git a/libjava/classpath/java/security/cert/CertificateNotYetValidException.java b/libjava/classpath/java/security/cert/CertificateNotYetValidException.java
new file mode 100644
index 00000000000..dfb4b483785
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateNotYetValidException.java
@@ -0,0 +1,71 @@
+/* CertificateNotYetValidException.java -- Certificate Not Yet Valid Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for a Certificate that is not yet valid.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class CertificateNotYetValidException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = 4355919900041064702L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateNotYetValidException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg A message to display with exception
+ */
+ public CertificateNotYetValidException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CertificateParsingException.java b/libjava/classpath/java/security/cert/CertificateParsingException.java
new file mode 100644
index 00000000000..61faa44386e
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CertificateParsingException.java
@@ -0,0 +1,71 @@
+/* CertificateParsingException.java -- Certificate Parsing Exception
+ Copyright (C) 1999, 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Exception for parsing a DER-encoded Certificate.
+ *
+ * @author Mark Benvenuto
+ * @since 1.2
+ * @status updated to 1.4
+*/
+public class CertificateParsingException extends CertificateException
+{
+ /**
+ * Compatible with JDK 1.2+.
+ */
+ private static final long serialVersionUID = -7989222416793322029L;
+
+ /**
+ * Constructs an exception without a message string.
+ */
+ public CertificateParsingException()
+ {
+ }
+
+ /**
+ * Constructs an exception with a message string.
+ *
+ * @param msg a message to display with exception
+ */
+ public CertificateParsingException(String msg)
+ {
+ super(msg);
+ }
+}
diff --git a/libjava/classpath/java/security/cert/CollectionCertStoreParameters.java b/libjava/classpath/java/security/cert/CollectionCertStoreParameters.java
new file mode 100644
index 00000000000..bac1e3b3e4f
--- /dev/null
+++ b/libjava/classpath/java/security/cert/CollectionCertStoreParameters.java
@@ -0,0 +1,121 @@
+/* CollectionCertStoreParameters -- collection-based cert store parameters
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+
+/**
+ * An implementation of {@link CertStoreParameters} with a simple,
+ * in-memory {@link Collection} of certificates and certificate
+ * revocation list.
+ *
+ * <p>Note that this class is not thread-safe, and its underlying
+ * collection may be changed at any time.
+ *
+ * @see CertStore
+ */
+public class CollectionCertStoreParameters implements CertStoreParameters
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** The underlying collection. */
+ private final Collection collection;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new CollectionCertStoreParameters with an empty,
+ * immutable collection.
+ */
+ public CollectionCertStoreParameters()
+ {
+ this(Collections.EMPTY_LIST);
+ }
+
+ /**
+ * Create a new CollectionCertStoreParameters with the specified
+ * collection. The argument is not copied, and subsequent changes to
+ * the collection will change this class's collection.
+ *
+ * @param collection The collection.
+ * @throws NullPointerException If <i>collection</i> is null.
+ */
+ public CollectionCertStoreParameters(Collection collection)
+ {
+ if (collection == null)
+ throw new NullPointerException();
+ this.collection = collection;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ public Object clone()
+ {
+ return new CollectionCertStoreParameters(new ArrayList(collection));
+ }
+
+ /**
+ * Return the underlying collection. The collection is not copied
+ * before being returned, so callers may update the collection that is
+ * returned.
+ *
+ * @return The collection.
+ */
+ public Collection getCollection()
+ {
+ return collection;
+ }
+
+ /**
+ * Return a string representation of these parameters.
+ *
+ * @return The string representation of these parameters.
+ */
+ public String toString()
+ {
+ return "CollectionCertStoreParameters: [ collection: "
+ + collection + " ]";
+ }
+}
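Review bot: `clone()` has no Javadoc and copies the contents into a new `ArrayList`, which is at odds with the constructor and `getCollection()` docs that stress the collection is shared and live. If a consumer works on a clone of these parameters (how `CertStore` uses them is outside this hunk), certificates or CRLs added to the caller's collection afterwards would not reach it, so newly published revocation data could be missed. Either share the reference, `return new CollectionCertStoreParameters(collection);`, or document the snapshot with a comment such as `/** Returns a copy whose collection is a snapshot; later changes to the original collection are not reflected. */`.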
diff --git a/libjava/classpath/java/security/cert/LDAPCertStoreParameters.java b/libjava/classpath/java/security/cert/LDAPCertStoreParameters.java
new file mode 100644
index 00000000000..4414e65a092
--- /dev/null
+++ b/libjava/classpath/java/security/cert/LDAPCertStoreParameters.java
@@ -0,0 +1,140 @@
+/* LDAPCertStoreParameters.java -- LDAP CertStore parameters.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * Parameters for CertStores that are retrieved via the <i>lightweight
+ * directory access protocol</i> (<b>LDAP</b>).
+ *
+ * @see CertStore
+ */
+public class LDAPCertStoreParameters implements CertStoreParameters
+{
+
+ // Constants and fields.
+ // ------------------------------------------------------------------------
+
+ /** The default LDAP port. */
+ private static final int LDAP_PORT = 389;
+
+ /** The server name. */
+ private final String serverName;
+
+ /** The LDAP port. */
+ private final int port;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new LDAPCertStoreParameters object, with a servername of
+ * "localhost" and a port of 389.
+ */
+ public LDAPCertStoreParameters()
+ {
+ this("localhost", LDAP_PORT);
+ }
+
+ /**
+ * Create a new LDAPCertStoreParameters object, with a specified
+ * server name and a port of 389.
+ *
+ * @param serverName The LDAP server name.
+ * @throws NullPointerException If <i>serverName</i> is null.
+ */
+ public LDAPCertStoreParameters(String serverName)
+ {
+ this(serverName, LDAP_PORT);
+ }
+
+ /**
+ * Create a new LDAPCertStoreParameters object, with a specified
+ * server name and port.
+ *
+ * @param serverName The LDAP server name.
+ * @param port The LDAP port.
+ * @throws NullPointerException If <i>serverName</i> is null.
+ */
+ public LDAPCertStoreParameters(String serverName, int port)
+ {
+ if (serverName == null)
+ throw new NullPointerException();
+ this.serverName = serverName;
+ this.port = port;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ public Object clone()
+ {
+ return new LDAPCertStoreParameters(serverName, port);
+ }
+
+ /**
+ * Return the server name.
+ *
+ * @return The server name.
+ */
+ public String getServerName()
+ {
+ return serverName;
+ }
+
+ /**
+ * Return the port.
+ *
+ * @return the port.
+ */
+ public int getPort()
+ {
+ return port;
+ }
+
+ /**
+ * Return a string representation of these parameters.
+ *
+ * @return The string representation of these parameters.
+ */
+ public String toString()
+ {
+ return "LDAPCertStoreParameters: [ serverName: " + serverName
+ + "; port: " + port + " ]";
+ }
+}
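Review bot: The two-argument constructor stores `port` without any range check, so a negative value or one above 65535 is accepted here and would presumably fail only when a connection is attempted. A guard such as `if (port < 0 || port > 65535) throw new IllegalArgumentException("port out of range: " + port);` would reject it early; if that is too strict for API compatibility, the Javadoc should at least say the port is not validated. The class comment could also state that the default port 389 is cleartext LDAP, so certificates and CRLs fetched through it have to be trusted on their signatures, not on the channel. `clone()` is undocumented.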
diff --git a/libjava/classpath/java/security/cert/PKIXBuilderParameters.java b/libjava/classpath/java/security/cert/PKIXBuilderParameters.java
new file mode 100644
index 00000000000..38b3df5e78a
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXBuilderParameters.java
@@ -0,0 +1,145 @@
+/* PKIXBuilderParameters.java -- parameters for PKIX cert path builders
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import java.util.Set;
+
+/**
+ * Parameters for building certificate paths using the PKIX algorithm.
+ *
+ * @see CertPathBuilder
+ */
+public class PKIXBuilderParameters extends PKIXParameters
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The maximum path length. */
+ private int maxPathLength;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new PKIXBuilderParameters object, populating the trusted
+ * certificates set with all X.509 certificates found in the given key
+ * store. All certificates found in the key store are assumed to be
+ * trusted by this constructor.
+ *
+ * @param keystore The key store.
+ * @param targetConstraints The target certificate constraints.
+ * @throws KeyStoreException If the certificates cannot be retrieved
+ * from the key store.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the key store.
+ * @throws NullPointerException If <i>keystore</i> is null.
+ */
+ public PKIXBuilderParameters(KeyStore keystore,
+ CertSelector targetConstraints)
+ throws KeyStoreException, InvalidAlgorithmParameterException
+ {
+ super(keystore);
+ setTargetCertConstraints(targetConstraints);
+ maxPathLength = 5;
+ }
+
+ /**
+ * Create a new PKIXBuilderParameters object, populating the trusted
+ * certificates set with the elements of the given set, each of which
+ * must be a {@link TrustAnchor}.
+ *
+ * @param trustAnchors The set of trust anchors.
+ * @param targetConstraints The target certificate constraints.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the set.
+ * @throws NullPointerException If <i>trustAnchors</i> is null.
+ * @throws ClassCastException If every element in <i>trustAnchors</i>
+ * is not a {@link TrustAnchor}.
+ */
+ public PKIXBuilderParameters(Set trustAnchors, CertSelector targetConstraints)
+ throws InvalidAlgorithmParameterException
+ {
+ super(trustAnchors);
+ setTargetCertConstraints(targetConstraints);
+ maxPathLength = 5;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the maximum length of certificate paths to build.
+ *
+ * <p>If this value is 0 it is taken to mean that the certificate path
+ * should contain only one certificate. A value of -1 means that the
+ * certificate path length is unconstrained. The default value is 5.
+ *
+ * @return The maximum path length.
+ */
+ public int getMaxPathLength()
+ {
+ return maxPathLength;
+ }
+
+ /**
+ * Sets the maximum length of certificate paths to build.
+ *
+ * @param maxPathLength The new path length.
+ * @throws IllegalArgumentException If <i>maxPathLength</i> is less
+ * than -1.
+ */
+ public void setMaxPathLength(int maxPathLength)
+ {
+ if (maxPathLength < -1)
+ throw new IllegalArgumentException();
+ this.maxPathLength = maxPathLength;
+ }
+
+ public String toString()
+ {
+ StringBuffer buf = new StringBuffer(super.toString());
+ buf.insert(buf.length() - 2, "; Max Path Length=" + maxPathLength);
+ return buf.toString();
+ }
+}
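Review bot: `toString()` splices its text in at `buf.length() - 2`, which silently assumes `super.toString()` ends in a two-character closer such as ` ]`. `PKIXParameters.toString()` is not in this hunk, so that cannot be checked from here, and a shorter or differently terminated string would give garbled output or a `StringIndexOutOfBoundsException`. A comment on that line would make the coupling explicit, e.g. `// insert before the trailing " ]" produced by PKIXParameters.toString()`; `PKIXCertPathBuilderResult.toString()` later in this commit uses the same pattern. Separately, the default `5` is repeated in both constructors and in the `getMaxPathLength()` Javadoc, and a `private static final int DEFAULT_MAX_PATH_LENGTH = 5;` would keep them in step.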
diff --git a/libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java b/libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java
new file mode 100644
index 00000000000..5091dd41298
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXCertPathBuilderResult.java
@@ -0,0 +1,102 @@
+/* PKIXCertPathBuilderResult.java -- PKIX cert path bulider result
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+/**
+ * The result of calling the {@link
+ * CertPathBuilder#build(java.security.cert.CertPathParameters)} method
+ * of PKIX {@link CertPathBuilder}s.
+ *
+ * @see CertPathBuilder
+ * @see CertPathBuilderResult
+ */
+public class PKIXCertPathBuilderResult extends PKIXCertPathValidatorResult
+ implements CertPathBuilderResult
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The certificate path. */
+ private CertPath certPath;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new PKIXCertPathBuilderResult.
+ *
+ * @param certPath The certificate path.
+ * @param trustAnchor The trust anchor.
+ * @param policyTree The root node of the policy tree.
+ * @param subjectPublicKey The public key.
+ * @throws NullPointerException If <i>certPath</i>, <i>trustAnchor</i> or
+ * <i>subjectPublicKey</i> is null.
+ */
+ public PKIXCertPathBuilderResult(CertPath certPath,
+ TrustAnchor trustAnchor,
+ PolicyNode policyTree,
+ java.security.PublicKey subjectPublicKey)
+ {
+ super(trustAnchor, policyTree, subjectPublicKey);
+ if (certPath == null)
+ throw new NullPointerException();
+ this.certPath = certPath;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the certificate path that was built.
+ *
+ * @return The certificate path that was built.
+ */
+ public CertPath getCertPath()
+ {
+ return certPath;
+ }
+
+ public String toString()
+ {
+ StringBuffer buf = new StringBuffer(super.toString());
+ buf.insert(buf.length() - 2, "; CertPath=" + certPath);
+ return buf.toString();
+ }
+}
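Review bot: `certPath` is assigned once in the constructor and never again, but unlike the three fields of the parent `PKIXCertPathValidatorResult` it is not declared `final`; `private final CertPath certPath;` would make the result object consistently immutable. The file header comment also misspells "builder" as "bulider", and `toString()` has no Javadoc.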
diff --git a/libjava/classpath/java/security/cert/PKIXCertPathChecker.java b/libjava/classpath/java/security/cert/PKIXCertPathChecker.java
new file mode 100644
index 00000000000..7a33576e1bb
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXCertPathChecker.java
@@ -0,0 +1,133 @@
+/* PKIXCertPathChecker.java -- checks X.509 certificate paths.
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.util.Collection;
+import java.util.Set;
+
+/**
+ * A validator for X.509 certificates when approving certificate chains.
+ *
+ * <p>Concrete subclasses can be passed to the {@link
+ * PKIXParameters#setCertPathCheckers(java.util.List)} and {@link
+ * PKIXParameters#addCertPathChecker(java.security.cert.PKIXCertPathChecker}
+ * methods, which are then used to set up PKIX certificate chain
+ * builders or validators. These classes then call the {@link
+ * #check(java.security.cert.Certificate,java.util.Collection)} method
+ * of this class, performing whatever checks on the certificate,
+ * throwing an exception if any check fails.
+ *
+ * <p>Subclasses of this must be able to perform their checks in the
+ * backward direction -- from the most-trusted certificate to the target
+ * -- and may optionally support forward checking -- from the target to
+ * the most-trusted certificate.
+ *
+ * @see PKIXParameters
+ */
+public abstract class PKIXCertPathChecker implements Cloneable
+{
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /** Default constructor. */
+ protected PKIXCertPathChecker()
+ {
+ super();
+ }
+
+ // Cloneable interface.
+ // ------------------------------------------------------------------------
+
+ public Object clone()
+ {
+ try
+ {
+ return super.clone();
+ }
+ catch (CloneNotSupportedException cnse)
+ {
+ throw new InternalError(cnse.getMessage());
+ }
+ }
+
+ // Abstract methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Initialize this PKIXCertPathChecker. If subclasses support forward
+ * checking, a value of true can be passed to this method, and
+ * certificates can be validated from the target certificate to the
+ * most-trusted certifcate.
+ *
+ * @param forward The direction of this PKIXCertPathChecker.
+ * @throws CertPathValidatorException If <i>forward</i> is true and
+ * this class does not support forward checking.
+ */
+ public abstract void init(boolean forward) throws CertPathValidatorException;
+
+ /**
+ * Returns whether or not this class supports forward checking.
+ *
+ * @return Whether or not this class supports forward checking.
+ */
+ public abstract boolean isForwardCheckingSupported();
+
+ /**
+ * Returns an immutable set of X.509 extension object identifiers (OIDs)
+ * supported by this PKIXCertPathChecker.
+ *
+ * @return An immutable set of Strings of the supported X.509 OIDs, or
+ * null if no extensions are supported.
+ */
+ public abstract Set getSupportedExtensions();
+
+ /**
+ * Checks a certificate, removing any critical extensions that are
+ * resolved in this check.
+ *
+ * @param cert The certificate to check.
+ * @param unresolvedCritExts The (mutable) collection of as-of-yet
+ * unresolved critical extensions, as OID strings.
+ * @throws CertPathValidatorException If this certificate fails this
+ * check.
+ */
+ public abstract void check(Certificate cert, Collection unresolvedCritExts)
+ throws CertPathValidatorException;
+}
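Review bot: The class Javadoc contains a malformed tag, `{@link PKIXParameters#addCertPathChecker(java.security.cert.PKIXCertPathChecker}`, which is missing the closing parenthesis before the brace and so will not resolve; it should read `{@link PKIXParameters#addCertPathChecker(java.security.cert.PKIXCertPathChecker)}`. In the `init` Javadoc "certifcate" should be "certificate". `clone()` is undocumented: a sentence saying it performs a shallow `Object.clone()` and that subclasses holding mutable per-validation state need to override it would help implementers, since a checker reused across validations could otherwise carry state from one to the next (how callers clone checkers is not visible here).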
diff --git a/libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java b/libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java
new file mode 100644
index 00000000000..5a1660c3bc9
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXCertPathValidatorResult.java
@@ -0,0 +1,142 @@
+/* PKIXCertPathValidatorResult.java -- PKIX cert path builder result
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.PublicKey;
+
+/**
+ * Results returned by the {@link
+ * CertPathValidator#validate(java.security.cert.CertPath,java.security.cert.CertPathParameters)}
+ * method for PKIX {@link CertPathValidator}s.
+ *
+ * @see CertPathValidator
+ */
+public class PKIXCertPathValidatorResult implements CertPathValidatorResult
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The trust anchor. */
+ private final TrustAnchor trustAnchor;
+
+ /** The root node of the policy tree. */
+ private final PolicyNode policyTree;
+
+ /** The subject's public key. */
+ private final PublicKey subjectPublicKey;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new PKIXCertPathValidatorResult.
+ *
+ * @param trustAnchor The trust anchor.
+ * @param policyTree The root node of the policy tree.
+ * @param subjectPublicKey The public key.
+ * @throws NullPointerException If either <i>trustAnchor</i> or
+ * <i>subjectPublicKey</i> is null.
+ */
+ public PKIXCertPathValidatorResult(TrustAnchor trustAnchor,
+ PolicyNode policyTree,
+ PublicKey subjectPublicKey)
+ {
+ if (trustAnchor == null || subjectPublicKey == null)
+ throw new NullPointerException();
+ this.trustAnchor = trustAnchor;
+ this.policyTree = policyTree;
+ this.subjectPublicKey = subjectPublicKey;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the trust anchor.
+ *
+ * @return The trust anchor.
+ */
+ public TrustAnchor getTrustAnchor()
+ {
+ return trustAnchor;
+ }
+
+ /**
+ * Returns the root node of the policy tree.
+ *
+ * @return The root node of the policy tree.
+ */
+ public PolicyNode getPolicyTree()
+ {
+ return policyTree;
+ }
+
+ /**
+ * Returns the subject public key.
+ *
+ * @return The subject public key.
+ */
+ public PublicKey getPublicKey()
+ {
+ return subjectPublicKey;
+ }
+
+ /**
+ * Returns a copy of this object.
+ *
+ * @return The copy.
+ */
+ public Object clone()
+ {
+ return new PKIXCertPathValidatorResult(trustAnchor, policyTree,
+ subjectPublicKey);
+ }
+
+ /**
+ * Returns a printable string representation of this result.
+ *
+ * @return A printable string representation of this result.
+ */
+ public String toString()
+ {
+ return "[ Trust Anchor=" + trustAnchor + "; Policy Tree="
+ + policyTree + "; Subject Public Key=" + subjectPublicKey + " ]";
+ }
+}
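Review bot: `clone()` builds its result with `new PKIXCertPathValidatorResult(...)`, so it always returns the base class. The subclass `PKIXCertPathBuilderResult` added in this same commit does not override `clone()`, so cloning one would drop its `certPath` and return an object that cannot be cast back. Since all three fields are final references, `return super.clone();` gives the same shallow copy while preserving the runtime type, provided the class is `Cloneable` (whether `CertPathValidatorResult` extends `Cloneable` is not visible here) and the `CloneNotSupportedException` is handled as `PKIXCertPathChecker.clone()` does. The file header comment also says "builder result" where "validator result" is meant.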
diff --git a/libjava/classpath/java/security/cert/PKIXParameters.java b/libjava/classpath/java/security/cert/PKIXParameters.java
new file mode 100644
index 00000000000..4a987115a29
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PKIXParameters.java
@@ -0,0 +1,546 @@
+/* PKIXParameters.java -- parameters for the PKIX cert path algorithm
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+import java.util.Collections;
+import java.util.Date;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Parameters for verifying certificate paths using the PKIX
+ * (Public-Key Infrastructure (X.509)) algorithm.
+ *
+ * @see CertPathBulider
+ */
+public class PKIXParameters implements CertPathParameters
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The trusted certificates. */
+ private final Set trustAnchors;
+
+ /** The set of initial policy identifiers. */
+ private final Set initPolicies;
+
+ /** The list of certificate stores. */
+ private final List certStores;
+
+ /** The list of path checkers. */
+ private final List pathCheckers;
+
+ /** The revocation enabled flag. */
+ private boolean revocationEnabled;
+
+ /** The explicit policy required flag. */
+ private boolean exPolicyRequired;
+
+ /** The policy mapping inhibited flag. */
+ private boolean policyMappingInhibited;
+
+ /** The any policy inhibited flag. */
+ private boolean anyPolicyInhibited;
+
+ /** The policy qualifiers rejected flag. */
+ private boolean policyQualRejected;
+
+ /** The target validation date. */
+ private Date date;
+
+ /** The signature algorithm provider. */
+ private String sigProvider;
+
+ /** The target constraints. */
+ private CertSelector targetConstraints;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new PKIXParameters object, populating the trusted
+ * certificates set with all certificates found in the given key
+ * store. All certificates found in the key store are assumed to be
+ * trusted by this constructor.
+ *
+ * @param keystore The key store.
+ * @throws KeyStoreException If the certificates cannot be retrieved
+ * from the key store.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the key store.
+ * @throws NullPointerException If <i>keystore</i> is null.
+ */
+ public PKIXParameters(KeyStore keystore)
+ throws KeyStoreException, InvalidAlgorithmParameterException
+ {
+ this();
+ for (Enumeration e = keystore.aliases(); e.hasMoreElements(); )
+ {
+ String alias = (String) e.nextElement();
+ if (!keystore.isCertificateEntry(alias))
+ continue;
+ Certificate cert = keystore.getCertificate(alias);
+ if (cert instanceof X509Certificate)
+ trustAnchors.add(new TrustAnchor((X509Certificate) cert, null));
+ }
+ if (trustAnchors.isEmpty())
+ throw new InvalidAlgorithmParameterException("no certs in the key store");
+ }
+
+ /**
+ * Create a new PKIXParameters object, populating the trusted
+ * certificates set with the elements of the given set, each of which
+ * must be a {@link TrustAnchor}.
+ *
+ * @param trustAnchors The set of trust anchors.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the set.
+ * @throws NullPointerException If <i>trustAnchors</i> is null.
+ * @throws ClassCastException If every element in <i>trustAnchors</i>
+ * is not a {@link TrustAnchor}.
+ */
+ public PKIXParameters(Set trustAnchors)
+ throws InvalidAlgorithmParameterException
+ {
+ this();
+ setTrustAnchors(trustAnchors);
+ }
+
+ /**
+ * Default constructor.
+ */
+ private PKIXParameters()
+ {
+ trustAnchors = new HashSet();
+ initPolicies = new HashSet();
+ certStores = new LinkedList();
+ pathCheckers = new LinkedList();
+ revocationEnabled = true;
+ exPolicyRequired = false;
+ policyMappingInhibited = false;
+ anyPolicyInhibited = false;
+ policyQualRejected = true;
+ }
+
+ /**
+ * Copying constructor for cloning.
+ *
+ * @param that The instance being cloned.
+ */
+ private PKIXParameters(PKIXParameters that)
+ {
+ this();
+ this.trustAnchors.addAll(that.trustAnchors);
+ this.initPolicies.addAll(that.initPolicies);
+ this.certStores.addAll(that.certStores);
+ this.pathCheckers.addAll(that.pathCheckers);
+ this.revocationEnabled = that.revocationEnabled;
+ this.exPolicyRequired = that.exPolicyRequired;
+ this.policyMappingInhibited = that.policyMappingInhibited;
+ this.anyPolicyInhibited = that.anyPolicyInhibited;
+ this.policyQualRejected = that.policyQualRejected;
+ this.date = that.date;
+ this.sigProvider = that.sigProvider;
+ this.targetConstraints = that.targetConstraints != null
+ ? (CertSelector) that.targetConstraints.clone() : null;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns an immutable set of trust anchors. The set returned will
+ * never be null and will never be empty.
+ *
+ * @return A (never null, never empty) immutable set of trust anchors.
+ */
+ public Set getTrustAnchors()
+ {
+ return Collections.unmodifiableSet(trustAnchors);
+ }
+
+ /**
+ * Sets the trust anchors of this class, replacing the current trust
+ * anchors with those in the given set. The supplied set is copied to
+ * prevent modification.
+ *
+ * @param trustAnchors The new set of trust anchors.
+ * @throws InvalidAlgorithmParameterException If there are no
+ * certificates in the set.
+ * @throws NullPointerException If <i>trustAnchors</i> is null.
+ * @throws ClassCastException If every element in <i>trustAnchors</i>
+ * is not a {@link TrustAnchor}.
+ */
+ public void setTrustAnchors(Set trustAnchors)
+ throws InvalidAlgorithmParameterException
+ {
+ if (trustAnchors.isEmpty())
+ throw new InvalidAlgorithmParameterException("no trust anchors");
+ this.trustAnchors.clear();
+ for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
+ {
+ this.trustAnchors.add((TrustAnchor) i.next());
+ }
+ }
+
+ /**
+ * Returns the set of initial policy identifiers (as OID strings). If
+ * any policy is accepted, this method returns the empty set.
+ *
+ * @return An immutable set of initial policy OID strings, or the
+ * empty set if any policy is acceptable.
+ */
+ public Set getInitialPolicies()
+ {
+ return Collections.unmodifiableSet(initPolicies);
+ }
+
+ /**
+ * Sets the initial policy identifiers (as OID strings). If the
+ * argument is null or the empty set, then any policy identifier will
+ * be accepted.
+ *
+ * @param initPolicies The new set of policy strings, or null.
+ * @throws ClassCastException If any element in <i>initPolicies</i> is
+ * not a string.
+ */
+ public void setInitialPolicies(Set initPolicies)
+ {
+ this.initPolicies.clear();
+ if (initPolicies == null)
+ return;
+ for (Iterator i = initPolicies.iterator(); i.hasNext(); )
+ {
+ this.initPolicies.add((String) i.next());
+ }
+ }
+
+ /**
+ * Add a {@link CertStore} to the list of cert stores.
+ *
+ * @param store The CertStore to add.
+ */
+ public void addCertStore(CertStore store)
+ {
+ if (store != null)
+ certStores.add(store);
+ }
+
+ /**
+ * Returns an immutable list of cert stores. This method never returns
+ * null.
+ *
+ * @return The list of cert stores.
+ */
+ public List getCertStores()
+ {
+ return Collections.unmodifiableList(certStores);
+ }
+
+ /**
+ * Set the cert stores. If the argument is null the list of cert
+ * stores will be empty.
+ *
+ * @param certStores The cert stores.
+ */
+ public void setCertStores(List certStores)
+ {
+ this.certStores.clear();
+ if (certStores == null)
+ return;
+ for (Iterator i = certStores.iterator(); i.hasNext(); )
+ {
+ this.certStores.add((CertStore) i.next());
+ }
+ }
+
+ /**
+ * Returns the value of the <i>revocation enabled</i> flag. The default
+ * value for this flag is <code>true</code>.
+ *
+ * @return The <i>revocation enabled</i> flag.
+ */
+ public boolean isRevocationEnabled()
+ {
+ return revocationEnabled;
+ }
+
+ /**
+ * Sets the value of the <i>revocation enabled</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setRevocationEnabled(boolean value)
+ {
+ revocationEnabled = value;
+ }
+
+ /**
+ * Returns the value of the <i>explicit policy required</i> flag. The
+ * default value of this flag is <code>false</code>.
+ *
+ * @return The <i>explicit policy required</i> flag.
+ */
+ public boolean isExplicitPolicyRequired()
+ {
+ return exPolicyRequired;
+ }
+
+ /**
+ * Sets the value of the <i>explicit policy required</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setExplicitPolicyRequired(boolean value)
+ {
+ exPolicyRequired = value;
+ }
+
+ /**
+ * Returns the value of the <i>policy mapping inhibited</i> flag. The
+ * default value of this flag is <code>false</code>.
+ *
+ * @return The <i>policy mapping inhibited</i> flag.
+ */
+ public boolean isPolicyMappingInhibited()
+ {
+ return policyMappingInhibited;
+ }
+
+ /**
+ * Sets the value of the <i>policy mapping inhibited</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setPolicyMappingInhibited(boolean value)
+ {
+ policyMappingInhibited = value;
+ }
+
+ /**
+ * Returns the value of the <i>any policy inhibited</i> flag. The
+ * default value of this flag is <code>false</code>.
+ *
+ * @return The <i>any policy inhibited</i> flag.
+ */
+ public boolean isAnyPolicyInhibited()
+ {
+ return anyPolicyInhibited;
+ }
+
+ /**
+ * Sets the value of the <i>any policy inhibited</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setAnyPolicyInhibited(boolean value)
+ {
+ anyPolicyInhibited = value;
+ }
+
+ /**
+ * Returns the value of the <i>policy qualifiers enabled</i> flag. The
+ * default value of this flag is <code>true</code>.
+ *
+ * @return The <i>policy qualifiers enabled</i> flag.
+ */
+ public boolean getPolicyQualifiersRejected()
+ {
+ return policyQualRejected;
+ }
+
+ /**
+ * Sets the value of the <i>policy qualifiers enabled</i> flag.
+ *
+ * @param value The new value.
+ */
+ public void setPolicyQualifiersRejected(boolean value)
+ {
+ policyQualRejected = value;
+ }
+
+ /**
+ * Returns the date for which the certificate path should be
+ * validated, or null if the current time should be used. The date
+ * object is copied to prevent subsequent modification.
+ *
+ * @return The date, or null if not set.
+ */
+ public Date getDate()
+ {
+ return date != null ? (Date) date.clone() : null;
+ }
+
+ /**
+ * Sets the date for which the certificate path should be validated,
+ * or null if the current time should be used.
+ *
+ * @param date The new date, or null.
+ */
+ public void setDate(Date date)
+ {
+ if (date != null)
+ this.date = (Date) date.clone();
+ else
+ this.date = null;
+ }
+
+ /**
+ * Add a certificate path checker.
+ *
+ * @param checker The certificate path checker to add.
+ */
+ public void addCertPathChecker(PKIXCertPathChecker checker)
+ {
+ if (checker != null)
+ pathCheckers.add(checker);
+ }
+
+ /**
+ * Returns an immutable list of all certificate path checkers.
+ *
+ * @return An immutable list of all certificate path checkers.
+ */
+ public List getCertPathCheckers()
+ {
+ return Collections.unmodifiableList(pathCheckers);
+ }
+
+ /**
+ * Sets the certificate path checkers. If the argument is null, the
+ * list of checkers will merely be cleared.
+ *
+ * @param pathCheckers The new list of certificate path checkers.
+ * @throws ClassCastException If any element of <i>pathCheckers</i> is
+ * not a {@link PKIXCertPathChecker}.
+ */
+ public void setCertPathCheckers(List pathCheckers)
+ {
+ this.pathCheckers.clear();
+ if (pathCheckers == null)
+ return;
+ for (Iterator i = pathCheckers.iterator(); i.hasNext(); )
+ {
+ this.pathCheckers.add((PKIXCertPathChecker) i.next());
+ }
+ }
+
+ /**
+ * Returns the signature algorithm provider, or null if not set.
+ *
+ * @return The signature algorithm provider, or null if not set.
+ */
+ public String getSigProvider()
+ {
+ return sigProvider;
+ }
+
+ /**
+ * Sets the signature algorithm provider, or null if there is no
+ * preferred provider.
+ *
+ * @param sigProvider The signature provider name.
+ */
+ public void setSigProvider(String sigProvider)
+ {
+ this.sigProvider = sigProvider;
+ }
+
+ /**
+ * Returns the constraints placed on the target certificate, or null
+ * if there are none. The target constraints are copied to prevent
+ * subsequent modification.
+ *
+ * @return The target constraints, or null.
+ */
+ public CertSelector getTargetCertConstraints()
+ {
+ return targetConstraints != null
+ ? (CertSelector) targetConstraints.clone() : null;
+ }
+
+ /**
+ * Sets the constraints placed on the target certificate.
+ *
+ * @param targetConstraints The target constraints.
+ */
+ public void setTargetCertConstraints(CertSelector targetConstraints)
+ {
+ this.targetConstraints = targetConstraints != null
+ ? (CertSelector) targetConstraints.clone() : null;
+ }
+
+ /**
+ * Returns a copy of these parameters.
+ *
+ * @return The copy.
+ */
+ public Object clone()
+ {
+ return new PKIXParameters(this);
+ }
+
+ /**
+ * Returns a printable representation of these parameters.
+ *
+ * @return A printable representation of these parameters.
+ */
+ public String toString() {
+ return "[ Trust Anchors: " + trustAnchors + "; Initial Policy OIDs="
+ + (initPolicies != null ? initPolicies.toString() : "any")
+ + "; Validity Date=" + date + "; Signature Provider="
+ + sigProvider + "; Default Revocation Enabled=" + revocationEnabled
+ + "; Explicit Policy Required=" + exPolicyRequired
+ + "; Policy Mapping Inhibited=" + policyMappingInhibited
+ + "; Any Policy Inhibited=" + anyPolicyInhibited
+ + "; Policy Qualifiers Rejected=" + policyQualRejected
+ + "; Target Cert Contstraints=" + targetConstraints
+ + "; Certification Path Checkers=" + pathCheckers
+ + "; CertStores=" + certStores + " ]";
+ }
+}
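Review bot: `setTrustAnchors` clears `this.trustAnchors` before it has copied and type-checked the argument, so the "never empty" guarantee stated on `getTrustAnchors` can be broken. A non-`TrustAnchor` element throws `ClassCastException` midway and leaves the set empty or partly filled. Passing the view returned by `getTrustAnchors()` back in passes the `isEmpty()` check and then iterates a set that was just cleared, leaving no anchors at all. Building the replacement in a temporary set and swapping it in only after every element has been checked avoids both cases. `setInitialPolicies`, `setCertStores` and `setCertPathCheckers` use the same clear-then-copy pattern and lose their contents the same way when handed their own getter's view.

```java
  public void setTrustAnchors(Set trustAnchors)
    throws InvalidAlgorithmParameterException
  {
    if (trustAnchors.isEmpty())
      throw new InvalidAlgorithmParameterException("no trust anchors");
    // Build and type-check the replacement first, so a bad element or an
    // argument that is a view of this.trustAnchors cannot empty the set.
    Set checked = new HashSet();
    for (Iterator i = trustAnchors.iterator(); i.hasNext(); )
      checked.add((TrustAnchor) i.next());
    this.trustAnchors.clear();
    this.trustAnchors.addAll(checked);
  }
```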
diff --git a/libjava/classpath/java/security/cert/PolicyNode.java b/libjava/classpath/java/security/cert/PolicyNode.java
new file mode 100644
index 00000000000..58d411cd3ad
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PolicyNode.java
@@ -0,0 +1,102 @@
+/* PolicyNode.java -- a single node in a policy tree
+ Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+public interface PolicyNode
+{
+
+ /**
+ * Get the iterator of the child nodes of this node. The returned
+ * iterator is (naturally) unmodifiable.
+ *
+ * @return An iterator over the child nodes.
+ */
+ java.util.Iterator getChildren();
+
+ /**
+ * Get the depth of this node within the tree, starting at 0 for the
+ * root node.
+ *
+ * @return The depth of this node.
+ */
+ int getDepth();
+
+ /**
+ * Returns a set of policies (string OIDs) that will satisfy this
+ * node's policy. The root node should always return the singleton set
+ * with the element "any-policy".
+ *
+ * @return The set of expected policies.
+ */
+ java.util.Set getExpectedPolicies();
+
+ /**
+ * Returns the parent node of this node, or null if this is the root
+ * node.
+ *
+ * @return The parent node, or null.
+ */
+ PolicyNode getParent();
+
+ /**
+ * Returns a set of {@link PolicyQualifierInfo} objects that qualify
+ * the valid policy of this node. The root node should always return
+ * the empty set.
+ *
+ * @return The set of {@link PolicyQualifierInfo} objects.
+ */
+ java.util.Set getPolicyQualifiers();
+
+ /**
+ * Get the policy OID this node represents. The root node should return
+ * the special value "any-policy".
+ *
+ * @return The policy of this node.
+ */
+ String getValidPolicy();
+
+ /**
+ * Return the criticality flag of this policy node. Nodes who return
+ * true for this method should be considered critical. The root node
+ * is never critical.
+ *
+ * @return The criticality flag.
+ */
+ boolean isCritical();
+}
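Review bot: The Javadoc on `getValidPolicy` and `getExpectedPolicies` gives the root node's value as the string "any-policy", although both methods are documented as returning policy OIDs. An implementer or caller cannot tell whether to expect that literal or the anyPolicy OID `2.5.29.32.0`. Stating the exact string would remove the ambiguity, e.g. `The root node returns the anyPolicy OID, "2.5.29.32.0".`; confirm the value against the validator implementation, which is outside this hunk. The interface also has no class-level Javadoc, so a one-sentence description of what a node in the policy tree represents would help readers of the generated docs.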
diff --git a/libjava/classpath/java/security/cert/PolicyQualifierInfo.java b/libjava/classpath/java/security/cert/PolicyQualifierInfo.java
new file mode 100644
index 00000000000..7dcf2315632
--- /dev/null
+++ b/libjava/classpath/java/security/cert/PolicyQualifierInfo.java
@@ -0,0 +1,168 @@
+/* PolicyQualifierInfo.java -- policy qualifier info object.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.io.ASN1ParsingException;
+import gnu.java.security.OID;
+import gnu.java.security.der.DERReader;
+import gnu.java.security.der.DERValue;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+
+/**
+ * The PolicyQualifierInfo X.509 certificate extension.
+ * PolicyQualifierInfo objects are represented by the ASN.1 structure:
+ *
+ * <pre>
+ * PolicyQualifierInfo ::= SEQUENCE {
+ * policyQualifierId PolicyQualifierId,
+ * qualifier ANY DEFINED BY policyQualifierId
+ * }
+ *
+ * PolicyQualifierId ::= OBJECT IDENTIFIER
+ * </pre>
+ *
+ * @since JDK 1.4
+ */
+public final class PolicyQualifierInfo
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The <code>policyQualifierId</code> field. */
+ private OID oid;
+
+ /** The DER encoded form of this object. */
+ private byte[] encoded;
+
+ /** The DER encoded form of the <code>qualifier</code> field. */
+ private DERValue qualifier;
+
+ // Constructor.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new PolicyQualifierInfo object from the DER encoded form
+ * passed in the byte array. The argument is copied.
+ *
+ * <p>The ASN.1 form of PolicyQualifierInfo is:
+<pre>
+PolicyQualifierInfo ::= SEQUENCE {
+ policyQualifierId PolicyQualifierId,
+ qualifier ANY DEFINED BY policyQualifierId
+}
+
+PolicyQualifierId ::= OBJECT IDENTIFIER
+</pre>
+ *
+ * @param encoded The DER encoded form.
+ * @throws IOException If the structure cannot be parsed from the
+ * encoded bytes.
+ */
+ public PolicyQualifierInfo(byte[] encoded) throws IOException
+ {
+ if (encoded == null)
+ throw new IOException("null bytes");
+ this.encoded = (byte[]) encoded.clone();
+ DERReader in = new DERReader(new ByteArrayInputStream(this.encoded));
+ DERValue qualInfo = in.read();
+ if (!qualInfo.isConstructed())
+ throw new ASN1ParsingException("malformed PolicyQualifierInfo");
+ DERValue val = in.read();
+ if (!(val.getValue() instanceof OID))
+ throw new ASN1ParsingException("value read not an OBJECT IDENTIFIER");
+ oid = (OID) val.getValue();
+ if (val.getEncodedLength() < val.getLength())
+ qualifier = in.read();
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the <code>policyQualifierId</code> field of this structure,
+ * as a dotted-decimal representation of the object identifier.
+ *
+ * @return This structure's OID field.
+ */
+ public String getPolicyQualifierId()
+ {
+ return oid.toString();
+ }
+
+ /**
+ * Returns the DER encoded form of this object; the contents of the
+ * returned byte array are equivalent to those that were passed to the
+ * constructor. The byte array is cloned every time this method is
+ * called.
+ *
+ * @return The encoded form.
+ */
+ public byte[] getEncoded()
+ {
+ return (byte[]) encoded.clone();
+ }
+
+ /**
+ * Get the <code>qualifier</code> field of this object, as a DER
+ * encoded byte array. The byte array returned is cloned every time
+ * this method is called.
+ *
+ * @return The encoded qualifier.
+ */
+ public byte[] getPolicyQualifier()
+ {
+ if (qualifier == null)
+ return new byte[0];
+ return qualifier.getEncoded();
+ }
+
+ /**
+ * Returns a printable string representation of this object.
+ *
+ * @return The string representation.
+ */
+ public String toString()
+ {
+ return "PolicyQualifierInfo { policyQualifierId ::= " + oid
+ + ", qualifier ::= " + qualifier + " }";
+ }
+}
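Review bot: The guard `if (val.getEncodedLength() < val.getLength())` in the constructor compares the OID element with itself, where it presumably means to ask whether the enclosing SEQUENCE has bytes left after the OID. DERValue is not shown here, but if `getEncodedLength()` counts the tag and length octets and `getLength()` only the content, the condition can never hold. In that case `qualifier` stays null and `getPolicyQualifier()` returns an empty array for every input, so callers never see a qualifier that is present in the certificate. Comparing against the outer value, `if (val.getEncodedLength() < qualInfo.getLength())`, reads the qualifier when one follows the OID. The constructor also accepts any constructed outer element via `isConstructed()`, so it is worth considering a check that the tag is actually SEQUENCE.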
diff --git a/libjava/classpath/java/security/cert/TrustAnchor.java b/libjava/classpath/java/security/cert/TrustAnchor.java
new file mode 100644
index 00000000000..2110ed5181d
--- /dev/null
+++ b/libjava/classpath/java/security/cert/TrustAnchor.java
@@ -0,0 +1,185 @@
+/* TrustAnchor.java -- an ultimately-trusted certificate.
+ Copyright (C) 2003, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.java.security.x509.X500DistinguishedName;
+
+import java.security.PublicKey;
+
+/**
+ * An ultimately-trusted certificate to serve as the root of a
+ * certificate chain.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class TrustAnchor
+{
+
+ // Fields.
+ // ------------------------------------------------------------------------
+
+ /** The certificate authority's distinguished name. */
+ private final X500DistinguishedName caName;
+
+ /** The certficate authority's public key. */
+ private final PublicKey caKey;
+
+ /** The certficate authority's certificate. */
+ private final X509Certificate trustedCert;
+
+ /** The encoded name constraints bytes. */
+ private final byte[] nameConstraints;
+
+ // Constnuctors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Create a new trust anchor from a certificate and (optional) name
+ * constraints.
+ *
+ * <p>If the <i>nameConstraints</i> argument in non-null, it will be
+ * copied to prevent modification.
+ *
+ * @param trustedCert The trusted certificate.
+ * @param nameConstraints The encoded nameConstraints.
+ */
+ public TrustAnchor(X509Certificate trustedCert, byte[] nameConstraints)
+ {
+ if (trustedCert == null)
+ throw new NullPointerException();
+ this.trustedCert = trustedCert;
+ caName = null;
+ caKey = null;
+ if (nameConstraints != null)
+ this.nameConstraints = (byte[]) nameConstraints.clone();
+ else
+ this.nameConstraints = null;
+ }
+
+ /**
+ * Create a new trust anchor from a certificate authority's
+ * distinguished name, public key, and (optional) name constraints.
+ *
+ * <p>If the <i>nameConstraints</i> argument in non-null, it will be
+ * copied to prevent modification.
+ *
+ * @params caName The CA's distinguished name.
+ * @params caKey The CA's public key.
+ * @params nameConstraints The encoded nameConstraints.
+ */
+ public TrustAnchor(String caName, PublicKey caKey, byte[] nameConstraints)
+ {
+ if (caName == null || caKey == null)
+ throw new NullPointerException();
+ if (caName.length() == 0)
+ throw new IllegalArgumentException();
+ trustedCert = null;
+ this.caName = new X500DistinguishedName(caName);
+ this.caKey = caKey;
+ if (nameConstraints != null)
+ this.nameConstraints = (byte[]) nameConstraints.clone();
+ else
+ this.nameConstraints = null;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Return the trusted certificate, or null if none was specified.
+ *
+ * @return The trusted certificate.
+ */
+ public final X509Certificate getTrustedCert()
+ {
+ return trustedCert;
+ }
+
+ /**
+ * Return the certificate authority's distinguished name, or null if
+ * none was specified.
+ *
+ * @return The CA's distinguished name.
+ */
+ public final String getCAName()
+ {
+ if (caName != null)
+ return caName.toString();
+ return null;
+ }
+
+ /**
+ * Return the certificate authority's public key, or null if none was
+ * specified.
+ *
+ * @return The CA's public key.
+ */
+ public final PublicKey getCAPublicKey()
+ {
+ return caKey;
+ }
+
+ /**
+ * Return the encoded name constraints, or null if none was specified.
+ *
+ * <p>The name constraints byte array is copied when this method is
+ * called to prevent modification.
+ *
+ * @return The encoded name constraints.
+ */
+ public final byte[] getNameConstraints()
+ {
+ if (nameConstraints == null)
+ return null;
+ return (byte[]) nameConstraints.clone();
+ }
+
+ /**
+ * Return a printable representation of this trust anchor.
+ *
+ * @return The printable representation.
+ */
+ public String toString()
+ {
+ if (trustedCert == null)
+ return "[ Trusted CA Public Key=" + caKey + ", Trusted CA Issuer Name="
+ + caName.toString() + " ]";
+ return "[ Trusted CA Certificate=" + trustedCert + " ]";
+ }
+}
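Review bot: Both constructors copy `nameConstraints` without decoding it, so a malformed or truncated NameConstraints encoding is accepted here and surfaces only when a validator later parses it. Whether that later path fails closed is not visible in this hunk. If decoding at construction is not wanted, the Javadoc should at least say so, e.g. `@param nameConstraints The DER-encoded NameConstraints; stored as given and not validated here.` The second constructor also uses `@params`, which javadoc does not recognise, so those three tags should be `@param`. Neither constructor documents the `NullPointerException` it throws, nor the `IllegalArgumentException` for an empty `caName`.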
diff --git a/libjava/classpath/java/security/cert/X509CRL.java b/libjava/classpath/java/security/cert/X509CRL.java
new file mode 100644
index 00000000000..5657b3eb3f5
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CRL.java
@@ -0,0 +1,397 @@
+/* X509CRL.java --- X.509 Certificate Revocation List
+ Copyright (C) 1999, 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Principal;
+import java.security.PublicKey;
+import java.security.SignatureException;
+import java.util.Date;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ The X509CRL class is the abstract class used to manage
+ X.509 Certificate Revocation Lists. The CRL is a list of
+ time stamped entries which indicate which lists have been
+ revoked. The list is signed by a Certificate Authority (CA)
+ and made publically available in a repository.
+
+ Each revoked certificate in the CRL is identified by its
+ certificate serial number. When a piece of code uses a
+ certificate, the certificates validity is checked by
+ validating its signature and determing that it is not
+ only a recently acquired CRL. The recently aquired CRL
+ is depends on the local policy in affect. The CA issues
+ a new CRL periodically and entries are removed as the
+ certificate expiration date is reached
+
+
+ A description of the X.509 v2 CRL follows below from rfc2459.
+
+ "The X.509 v2 CRL syntax is as follows. For signature calculation,
+ the data that is to be signed is ASN.1 DER encoded. ASN.1 DER
+ encoding is a tag, length, value encoding system for each element.
+
+ CertificateList ::= SEQUENCE {
+ tbsCertList TBSCertList,
+ signatureAlgorithm AlgorithmIdentifier,
+ signatureValue BIT STRING }
+
+ TBSCertList ::= SEQUENCE {
+ version Version OPTIONAL,
+ -- if present, shall be v2
+ signature AlgorithmIdentifier,
+ issuer Name,
+ thisUpdate Time,
+ nextUpdate Time OPTIONAL,
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+ crlExtensions [0] EXPLICIT Extensions OPTIONAL
+ -- if present, shall be v2
+ }"
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public abstract class X509CRL extends CRL implements X509Extension
+{
+
+ /**
+ Constructs a new X509CRL.
+ */
+ protected X509CRL()
+ {
+ super("X.509");
+ }
+
+ /**
+ Compares this X509CRL to other. It checks if the
+ object if instanceOf X509CRL and then checks if
+ the encoded form matches.
+
+ @param other An Object to test for equality
+
+ @return true if equal, false otherwise
+ */
+ public boolean equals(Object other)
+ {
+ if( other instanceof X509CRL ) {
+ try {
+ X509CRL x = (X509CRL) other;
+ if( getEncoded().length != x.getEncoded().length )
+ return false;
+
+ byte[] b1 = getEncoded();
+ byte[] b2 = x.getEncoded();
+
+ for( int i = 0; i < b1.length; i++ )
+ if( b1[i] != b2[i] )
+ return false;
+
+ } catch( CRLException crle ) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ Returns a hash code for this X509CRL in its encoded
+ form.
+
+ @return A hash code of this class
+ */
+ public int hashCode()
+ {
+ return super.hashCode();
+ }
+
+ /**
+ Gets the DER ASN.1 encoded format for this X.509 CRL.
+
+ @return byte array containg encoded form
+
+ @throws CRLException if an error occurs
+ */
+ public abstract byte[] getEncoded() throws CRLException;
+
+ /**
+ Verifies that this CRL was properly signed with the
+ PublicKey that corresponds to its private key.
+
+ @param key PublicKey to verify with
+
+ @throws CRLException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException no provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key)
+ throws CRLException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Verifies that this CRL was properly signed with the
+ PublicKey that corresponds to its private key and uses
+ the signature engine provided by the provider.
+
+ @param key PublicKey to verify with
+ @param sigProvider Provider to use for signature algorithm
+
+ @throws CRLException encoding error
+ @throws NoSuchAlgorithmException unsupported algorithm
+ @throws InvalidKeyException incorrect key
+ @throws NoSuchProviderException incorrect provider
+ @throws SignatureException signature error
+ */
+ public abstract void verify(PublicKey key,
+ String sigProvider)
+ throws CRLException,
+ NoSuchAlgorithmException,
+ InvalidKeyException,
+ NoSuchProviderException,
+ SignatureException;
+
+ /**
+ Gets the version of this CRL.
+
+ The ASN.1 encoding is:
+
+ version Version OPTIONAL,
+ -- if present, shall be v2
+
+ Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+ Consult rfc2459 for more information.
+
+ @return the version number, Ex: 1 or 2
+ */
+ public abstract int getVersion();
+
+ /**
+ Returns the issuer (issuer distinguished name) of the CRL.
+ The issuer is the entity who signed and issued the
+ Certificate Revocation List.
+
+ The ASN.1 DER encoding is:
+
+ issuer Name,
+
+ Name ::= CHOICE {
+ RDNSequence }
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ RelativeDistinguishedName ::=
+ SET OF AttributeTypeAndValue
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+ AttributeType ::= OBJECT IDENTIFIER
+
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1.. MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+ Consult rfc2459 for more information.
+
+ @return the issuer in the Principal class
+ */
+ public abstract Principal getIssuerDN();
+
+ /**
+ Returns the thisUpdate date of the CRL.
+
+ The ASN.1 DER encoding is:
+
+ thisUpdate Time,
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @return the thisUpdate date
+ */
+ public abstract Date getThisUpdate();
+
+ /*
+ Gets the nextUpdate field
+
+ The ASN.1 DER encoding is:
+
+ nextUpdate Time OPTIONAL,
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @return the nextUpdate date
+ */
+ public abstract Date getNextUpdate();
+
+ /**
+ Gets the requeste dX509Entry for the specified
+ certificate serial number.
+
+ @return a X509CRLEntry representing the X.509 CRL entry
+ */
+ public abstract X509CRLEntry getRevokedCertificate(BigInteger serialNumber);
+
+ /**
+ Returns a Set of revoked certificates.
+
+ @return a set of revoked certificates.
+ */
+ public abstract Set getRevokedCertificates();
+
+ /**
+ Returns the DER ASN.1 encoded tbsCertList which is
+ the basic information of the list and associated certificates
+ in the encoded state. See top for more information.
+
+ The ASN.1 DER encoding is:
+
+ tbsCertList TBSCertList,
+
+ Consult rfc2459 for more information.
+
+ @return byte array representing tbsCertList
+ */
+ public abstract byte[] getTBSCertList() throws CRLException;
+
+
+ /**
+ Returns the signature for the CRL.
+
+ The ASN.1 DER encoding is:
+
+ signatureValue BIT STRING
+
+ Consult rfc2459 for more information.
+ */
+ public abstract byte[] getSignature();
+
+ /**
+ Returns the signature algorithm used to sign the CRL.
+ An examples is "SHA-1/DSA".
+
+ The ASN.1 DER encoding is:
+
+ signatureAlgorithm AlgorithmIdentifier,
+
+ AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+
+ Consult rfc2459 for more information.
+
+ The algorithm name is determined from the OID.
+
+ @return a string with the signature algorithm name
+ */
+ public abstract String getSigAlgName();
+
+ /**
+ Returns the OID for the signature algorithm used.
+ Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
+
+ The ASN.1 DER encoding for the example is:
+
+ id-dsa-with-sha1 ID ::= {
+ iso(1) member-body(2) us(840) x9-57 (10040)
+ x9cm(4) 3 }
+
+ Consult rfc2459 for more information.
+
+ @return a string containing the OID.
+ */
+ public abstract String getSigAlgOID();
+
+ /**
+ Returns the AlgorithmParameters in the encoded form
+ for the signature algorithm used.
+
+ If access to the parameters is need, create an
+ instance of AlgorithmParameters.
+
+ @return byte array containing algorithm parameters, null
+ if no parameters are present in CRL
+ */
+ public abstract byte[] getSigAlgParams();
+
+ // 1.4 instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the X.500 distinguished name of this CRL's issuer.
+ *
+ * @return The issuer's X.500 distinguished name.
+ * @since JDK 1.4
+ */
+ public X500Principal getIssuerX500Principal()
+ {
+ throw new UnsupportedOperationException();
+ }
+}
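Review bot: `hashCode()` returns `super.hashCode()` while `equals()` compares the DER encoding, so two X509CRL objects that compare equal will generally hash differently unless `CRL.hashCode()` (not shown in this hunk) is content-based. The Javadoc above it already promises a hash of the encoded form. The same pairing appears in X509CRLEntry.java, where the superclass is `Object` and the hash is therefore the identity hash. Code that keeps CRLs or entries in a `HashSet` or `HashMap`, for example to de-duplicate revocation data fetched from several stores, would then keep duplicates or miss lookups. Deriving the hash from `getEncoded()` and falling back to a constant on `CRLException`, as below, restores the contract.

```java
public int hashCode()
{
  // Hash the same bytes that equals() compares.
  try
    {
      byte[] enc = getEncoded();
      int h = 0;
      for (int i = 0; i < enc.length; i++)
        h = 31 * h + enc[i];
      return h;
    }
  catch (CRLException crle)
    {
      // equals() reports false in this case, so any constant is consistent.
      return 0;
    }
}
```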
diff --git a/libjava/classpath/java/security/cert/X509CRLEntry.java b/libjava/classpath/java/security/cert/X509CRLEntry.java
new file mode 100644
index 00000000000..4c9cada4747
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CRLEntry.java
@@ -0,0 +1,169 @@
+/* X509CRLEntry.java --- X.509 Certificate Revocation List Entry
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.math.BigInteger;
+import java.util.Date;
+
+/**
+ Abstract class for entries in the CRL (Certificate Revocation
+ List). The ASN.1 definition for <I>revokedCertificates</I> is
+
+ revokedCertificates SEQUENCE OF SEQUENCE {
+ userCertificate CertificateSerialNumber,
+ revocationDate Time,
+ crlEntryExtensions Extensions OPTIONAL
+ -- if present, shall be v2
+ } OPTIONAL,
+
+ CertificateSerialNumber ::= INTEGER
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+ Extension ::= SEQUENCE {
+ extnID OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING }
+
+ For more information consult rfc2459.
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public abstract class X509CRLEntry implements X509Extension
+{
+
+ /**
+ Creates a new X509CRLEntry
+ */
+ public X509CRLEntry()
+ {}
+
+ /**
+ Compares this X509CRLEntry to other. It checks if the
+ object if instanceOf X509CRLEntry and then checks if
+ the encoded form( the inner SEQUENCE) matches.
+
+ @param other An Object to test for equality
+
+ @return true if equal, false otherwise
+ */
+ public boolean equals(Object other)
+ {
+ if( other instanceof X509CRLEntry ) {
+ try {
+ X509CRLEntry xe = (X509CRLEntry) other;
+ if( getEncoded().length != xe.getEncoded().length )
+ return false;
+
+ byte[] b1 = getEncoded();
+ byte[] b2 = xe.getEncoded();
+
+ for( int i = 0; i < b1.length; i++ )
+ if( b1[i] != b2[i] )
+ return false;
+
+ } catch( CRLException crle ) {
+ return false;
+ }
+ return true;
+ }
+ return false;
+ }
+
+ /**
+ Returns a hash code for this X509CRLEntry in its encoded
+ form.
+
+ @return A hash code of this class
+ */
+ public int hashCode()
+ {
+ return super.hashCode();
+ }
+
+ /**
+ Gets the DER ASN.1 encoded format for this CRL Entry,
+ the inner SEQUENCE.
+
+ @return byte array containg encoded form
+
+ @throws CRLException if an error occurs
+ */
+ public abstract byte[] getEncoded() throws CRLException;
+
+ /**
+ Gets the serial number for <I>userCertificate</I> in
+ this X509CRLEntry.
+
+ @return the serial number for this X509CRLEntry.
+ */
+ public abstract BigInteger getSerialNumber();
+
+
+ /**
+ Gets the revocation date in <I>revocationDate</I> for
+ this X509CRLEntry.
+
+ @return the revocation date for this X509CRLEntry.
+ */
+ public abstract Date getRevocationDate();
+
+
+ /**
+ Checks if this X509CRLEntry has extensions.
+
+ @return true if it has extensions, false otherwise
+ */
+ public abstract boolean hasExtensions();
+
+
+ /**
+ Returns a string that represents this X509CRLEntry.
+
+ @return a string representing this X509CRLEntry.
+ */
+ public abstract String toString();
+
+}
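Review bot: `equals()` checks the length on one pair of `getEncoded()` results and then loops over a second, freshly fetched pair, so the bound `b1.length` is not tied to the `b2` being indexed. If a subclass returns a different encoding between calls, the loop can raise `ArrayIndexOutOfBoundsException`, which the `catch (CRLException)` does not cover; it also encodes each entry twice per comparison. Fetching each encoding once and delegating, `return java.util.Arrays.equals(getEncoded(), xe.getEncoded());` inside the `try`, removes both problems. `X509CRL.equals()` in the previous file is written the same way.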
diff --git a/libjava/classpath/java/security/cert/X509CRLSelector.java b/libjava/classpath/java/security/cert/X509CRLSelector.java
new file mode 100644
index 00000000000..3c79fba9cb8
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CRLSelector.java
@@ -0,0 +1,440 @@
+/* X509CRLSelector.java -- selects X.509 CRLs by criteria.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.classpath.SystemProperties;
+import gnu.java.security.der.DERReader;
+import gnu.java.security.der.DERValue;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * A class for matching X.509 certificate revocation lists by criteria.
+ *
+ * <p>Use of this class requires extensive knowledge of the Internet
+ * Engineering Task Force's Public Key Infrastructure (X.509). The primary
+ * document describing this standard is <a
+ * href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
+ * Public Key Infrastructure Certificate and Certificate Revocation List
+ * (CRL) Profile</a>.
+ *
+ * <p>Note that this class is not thread-safe. If multiple threads will
+ * use or modify this class then they need to synchronize on the object.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class X509CRLSelector implements CRLSelector, Cloneable
+{
+
+ // Fields.
+ // -------------------------------------------------------------------------
+
+ private static final String CRL_NUMBER_ID = "2.5.29.20";
+
+ private List issuerNames;
+ private BigInteger maxCrlNumber;
+ private BigInteger minCrlNumber;
+ private Date date;
+ private X509Certificate cert;
+
+ // Constructor.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Creates a new CRL selector with no criteria enabled; i.e., every CRL
+ * will be matched.
+ */
+ public X509CRLSelector()
+ {
+ }
+
+ // Instance methods.
+ // -------------------------------------------------------------------------
+
+ /**
+ * Add an issuer name to the set of issuer names criteria, as the DER
+ * encoded form.
+ *
+ * @param name The name to add, as DER bytes.
+ * @throws IOException If the argument is not a valid DER-encoding.
+ */
+ public void addIssuerName(byte[] name) throws IOException
+ {
+ X500Principal p = null;
+ try
+ {
+ p = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name");
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ if (issuerNames == null)
+ issuerNames = new LinkedList();
+ issuerNames.add(p);
+ }
+
+ /**
+ * Add an issuer name to the set of issuer names criteria, as a
+ * String representation.
+ *
+ * @param name The name to add.
+ * @throws IOException If the argument is not a valid name.
+ */
+ public void addIssuerName(String name) throws IOException
+ {
+ X500Principal p = null;
+ try
+ {
+ p = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name: " + name);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ if (issuerNames == null)
+ issuerNames = new LinkedList();
+ issuerNames.add(p);
+ }
+
+ /**
+ * Sets the issuer names criterion. Pass <code>null</code> to clear this
+ * value. CRLs matched by this selector must have an issuer name in this
+ * set.
+ *
+ * @param names The issuer names.
+ * @throws IOException If any of the elements in the collection is not
+ * a valid name.
+ */
+ public void setIssuerNames(Collection names) throws IOException
+ {
+ if (names == null)
+ {
+ issuerNames = null;
+ return;
+ }
+ List l = new ArrayList(names.size());
+ for (Iterator it = names.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if (o instanceof X500Principal)
+ l.add(o);
+ else if (o instanceof String)
+ {
+ try
+ {
+ l.add(new X500Principal((String) o));
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name: " + o);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else if (o instanceof byte[])
+ {
+ try
+ {
+ l.add(new X500Principal((byte[]) o));
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name");
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else if (o instanceof InputStream)
+ {
+ try
+ {
+ l.add(new X500Principal((InputStream) o));
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed name");
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else
+ throw new IOException("not a valid name: " +
+ (o != null ? o.getClass().getName() : "null"));
+
+ }
+ issuerNames = l;
+ }
+
+ /**
+ * Returns the set of issuer names that are matched by this selector,
+ * or <code>null</code> if this criteria is not set. The returned
+ * collection is not modifiable.
+ *
+ * @return The set of issuer names.
+ */
+ public Collection getIssuerNames()
+ {
+ if (issuerNames != null)
+ return Collections.unmodifiableList(issuerNames);
+ else
+ return null;
+ }
+
+ /**
+ * Returns the maximum value of the CRLNumber extension present in
+ * CRLs matched by this selector, or <code>null</code> if this
+ * criteria is not set.
+ *
+ * @return The maximum CRL number.
+ */
+ public BigInteger getMaxCRL()
+ {
+ return maxCrlNumber;
+ }
+
+ /**
+ * Returns the minimum value of the CRLNumber extension present in
+ * CRLs matched by this selector, or <code>null</code> if this
+ * criteria is not set.
+ *
+ * @return The minimum CRL number.
+ */
+ public BigInteger getMinCRL()
+ {
+ return minCrlNumber;
+ }
+
+ /**
+ * Sets the maximum value of the CRLNumber extension present in CRLs
+ * matched by this selector. Specify <code>null</code> to clear this
+ * criterion.
+ *
+ * @param maxCrlNumber The maximum CRL number.
+ */
+ public void setMaxCRLNumber(BigInteger maxCrlNumber)
+ {
+ this.maxCrlNumber = maxCrlNumber;
+ }
+
+ /**
+ * Sets the minimum value of the CRLNumber extension present in CRLs
+ * matched by this selector. Specify <code>null</code> to clear this
+ * criterion.
+ *
+ * @param minCrlNumber The minimum CRL number.
+ */
+ public void setMinCRLNumber(BigInteger minCrlNumber)
+ {
+ this.minCrlNumber = minCrlNumber;
+ }
+
+ /**
+ * Returns the date when this CRL must be valid; that is, the date
+ * must be after the thisUpdate date, but before the nextUpdate date.
+ * Returns <code>null</code> if this criterion is not set.
+ *
+ * @return The date.
+ */
+ public Date getDateAndTime()
+ {
+ return date != null ? (Date) date.clone() : null;
+ }
+
+ /**
+ * Sets the date at which this CRL must be valid. Specify
+ * <code>null</code> to clear this criterion.
+ *
+ * @param date The date.
+ */
+ public void setDateAndTime(Date date)
+ {
+ this.date = date != null ? (Date) date.clone() : null;
+ }
+
+ /**
+ * Returns the certificate being checked, or <code>null</code> if this
+ * value is not set.
+ *
+ * @return The certificate.
+ */
+ public X509Certificate getCertificateChecking()
+ {
+ return cert;
+ }
+
+ /**
+ * Sets the certificate being checked. This is not a criterion, but
+ * info used by certificate store implementations to aid in searching.
+ *
+ * @param cert The certificate.
+ */
+ public void setCertificateChecking(X509Certificate cert)
+ {
+ this.cert = cert;
+ }
+
+ /**
+ * Returns a string representation of this selector. The string will
+ * only describe the enabled criteria, so if none are enabled this will
+ * return a string that contains little else besides the class name.
+ *
+ * @return The string.
+ */
+ public String toString()
+ {
+ StringBuffer str = new StringBuffer(X509CRLSelector.class.getName());
+ String nl = SystemProperties.getProperty("line.separator");
+ String eol = ";" + nl;
+
+ str.append(" {").append(nl);
+ if (issuerNames != null)
+ str.append(" issuer names = ").append(issuerNames).append(eol);
+ if (maxCrlNumber != null)
+ str.append(" max CRL = ").append(maxCrlNumber).append(eol);
+ if (minCrlNumber != null)
+ str.append(" min CRL = ").append(minCrlNumber).append(eol);
+ if (date != null)
+ str.append(" date = ").append(date).append(eol);
+ if (cert != null)
+ str.append(" certificate = ").append(cert).append(eol);
+ str.append("}").append(nl);
+ return str.toString();
+ }
+
+ /**
+ * Checks a CRL against the criteria of this selector, returning
+ * <code>true</code> if the given CRL matches all the criteria.
+ *
+ * @param _crl The CRL being checked.
+ * @return True if the CRL matches, false otherwise.
+ */
+ public boolean match(CRL _crl)
+ {
+ if (!(_crl instanceof X509CRL))
+ return false;
+ X509CRL crl = (X509CRL) _crl;
+ if (issuerNames != null)
+ {
+ if (!issuerNames.contains(crl.getIssuerX500Principal()))
+ return false;
+ }
+ BigInteger crlNumber = null;
+ if (maxCrlNumber != null)
+ {
+ byte[] b = crl.getExtensionValue(CRL_NUMBER_ID);
+ if (b == null)
+ return false;
+ try
+ {
+ DERValue val = DERReader.read(b);
+ if (!(val.getValue() instanceof BigInteger))
+ return false;
+ crlNumber = (BigInteger) val.getValue();
+ }
+ catch (IOException ioe)
+ {
+ return false;
+ }
+ if (maxCrlNumber.compareTo(crlNumber) < 0)
+ return false;
+ }
+ if (minCrlNumber != null)
+ {
+ if (crlNumber == null)
+ {
+ byte[] b = crl.getExtensionValue(CRL_NUMBER_ID);
+ if (b == null)
+ return false;
+ try
+ {
+ DERValue val = DERReader.read(b);
+ if (!(val.getValue() instanceof BigInteger))
+ return false;
+ crlNumber = (BigInteger) val.getValue();
+ }
+ catch (IOException ioe)
+ {
+ return false;
+ }
+ }
+ if (minCrlNumber.compareTo(crlNumber) > 0)
+ return false;
+ }
+ if (date != null)
+ {
+ if (date.compareTo(crl.getThisUpdate()) < 0 ||
+ date.compareTo(crl.getNextUpdate()) > 0)
+ return false;
+ }
+ return true;
+ }
+
+ /**
+ * Returns a copy of this object.
+ *
+ * @return The copy.
+ */
+ public Object clone()
+ {
+ try
+ {
+ return super.clone();
+ }
+ catch (CloneNotSupportedException shouldNotHappen)
+ {
+ throw new Error(shouldNotHappen);
+ }
+ }
+}
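Review bot: In `match()`, the date criterion calls `date.compareTo(crl.getNextUpdate())` without a null check, although nextUpdate is OPTIONAL in the TBSCertList syntax quoted in X509CRL.java. If an implementation returns null for a CRL that omits the field (likely, but not shown here), a selector with a date set throws `NullPointerException` from the revocation lookup rather than reporting a non-match. Reading the value once and rejecting null keeps the failure explicit: `Date next = crl.getNextUpdate();` followed by `if (next == null || date.compareTo(crl.getThisUpdate()) < 0 || date.compareTo(next) > 0) return false;`. Whether a CRL without nextUpdate should match at all is a policy choice worth stating in the Javadoc.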
diff --git a/libjava/classpath/java/security/cert/X509CertSelector.java b/libjava/classpath/java/security/cert/X509CertSelector.java
new file mode 100644
index 00000000000..4149a37643d
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509CertSelector.java
@@ -0,0 +1,1106 @@
+/* X509CertSelector.java -- selects X.509 certificates by criteria.
+ Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import gnu.classpath.SystemProperties;
+import gnu.java.security.OID;
+
+import java.io.IOException;
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.Date;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Set;
+
+import javax.security.auth.x500.X500Principal;
+
+/**
+ * A concrete implementation of {@link CertSelector} for X.509 certificates,
+ * which allows a number of criteria to be set when accepting certificates,
+ * from validity dates, to issuer and subject distinguished names, to some
+ * of the various X.509 extensions.
+ *
+ * <p>Use of this class requires extensive knowledge of the Internet
+ * Engineering Task Force's Public Key Infrastructure (X.509). The primary
+ * document describing this standard is <a
+ * href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
+ * Public Key Infrastructure Certificate and Certificate Revocation List
+ * (CRL) Profile</a>.
+ *
+ * <p>Note that this class is not thread-safe. If multiple threads will
+ * use or modify this class then they need to synchronize on the object.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class X509CertSelector implements CertSelector, Cloneable
+{
+
+ // Constants and fields.
+ // -------------------------------------------------------------------------
+
+ private static final String AUTH_KEY_ID = "2.5.29.35";
+ private static final String SUBJECT_KEY_ID = "2.5.29.14";
+ private static final String NAME_CONSTRAINTS_ID = "2.5.29.30";
+
+ private int basicConstraints;
+ private X509Certificate cert;
+ private BigInteger serialNo;
+ private X500Principal issuer;
+ private X500Principal subject;
+ private byte[] subjectKeyId;
+ private byte[] authKeyId;
+ private boolean[] keyUsage;
+ private Date certValid;
+ private OID sigId;
+ private PublicKey subjectKey;
+ private X509EncodedKeySpec subjectKeySpec;
+ private Set keyPurposeSet;
+ private List altNames;
+ private boolean matchAllNames;
+ private byte[] nameConstraints;
+ private Set policy;
+
+ // Constructors.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Creates a new X.509 certificate selector. The new selector will be
+ * empty, and will accept any certificate (provided that it is an
+ * {@link X509Certificate}).
+ */
+ public X509CertSelector()
+ {
+ basicConstraints = -1;
+ }
+
+ // Instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the certificate criterion, or <code>null</code> if this value
+ * was not set.
+ *
+ * @return The certificate.
+ */
+ public X509Certificate getCertificate()
+ {
+ return cert;
+ }
+
+ /**
+ * Sets the certificate criterion. If set, only certificates that are
+ * equal to the certificate passed here will be accepted.
+ *
+ * @param cert The certificate.
+ */
+ public void setCertificate(X509Certificate cert)
+ {
+ this.cert = cert;
+ }
+
+ /**
+ * Returns the serial number criterion, or <code>null</code> if this
+ * value was not set.
+ *
+ * @return The serial number.
+ */
+ public BigInteger getSerialNumber()
+ {
+ return serialNo;
+ }
+
+ /**
+ * Sets the serial number of the desired certificate. Only certificates that
+ * contain this serial number are accepted.
+ *
+ * @param serialNo The serial number.
+ */
+ public void setSerialNumber(BigInteger serialNo)
+ {
+ this.serialNo = serialNo;
+ }
+
+ /**
+ * Returns the issuer criterion as a string, or <code>null</code> if this
+ * value was not set.
+ *
+ * @return The issuer.
+ */
+ public String getIssuerAsString()
+ {
+ if (issuer != null)
+ return issuer.getName();
+ else
+ return null;
+ }
+
+ /**
+ * Returns the issuer criterion as a sequence of DER bytes, or
+ * <code>null</code> if this value was not set.
+ *
+ * @return The issuer.
+ */
+ public byte[] getIssuerAsBytes() throws IOException
+ {
+ if (issuer != null)
+ return issuer.getEncoded();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the issuer, specified as a string representation of the issuer's
+ * distinguished name. Only certificates issued by this issuer will
+ * be accepted.
+ *
+ * @param name The string representation of the issuer's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setIssuer(String name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ issuer = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ issuer = null;
+ }
+
+ /**
+ * Sets the issuer, specified as the DER encoding of the issuer's
+ * distinguished name. Only certificates issued by this issuer will
+ * be accepted.
+ *
+ * @param name The DER encoding of the issuer's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setIssuer(byte[] name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ issuer = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ issuer = null;
+ }
+
+ /**
+ * Returns the subject criterion as a string, of <code>null</code> if
+ * this value was not set.
+ *
+ * @return The subject.
+ */
+ public String getSubjectAsString()
+ {
+ if (subject != null)
+ return subject.getName();
+ else
+ return null;
+ }
+
+ /**
+ * Returns the subject criterion as a sequence of DER bytes, or
+ * <code>null</code> if this value is not set.
+ *
+ * @return The subject.
+ */
+ public byte[] getSubjectAsBytes() throws IOException
+ {
+ if (subject != null)
+ return subject.getEncoded();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the subject, specified as a string representation of the
+ * subject's distinguished name. Only certificates with the given
+ * subject will be accepted.
+ *
+ * @param name The string representation of the subject's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setSubject(String name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ subject = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ subject = null;
+ }
+
+ /**
+ * Sets the subject, specified as the DER encoding of the subject's
+ * distinguished name. Only certificates with the given subject will
+ * be accepted.
+ *
+ * @param name The DER encoding of the subject's distinguished name.
+ * @throws IOException If the given name is incorrectly formatted.
+ */
+ public void setSubject(byte[] name) throws IOException
+ {
+ if (name != null)
+ {
+ try
+ {
+ subject = new X500Principal(name);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ throw new IOException(iae.getMessage());
+ }
+ }
+ else
+ subject = null;
+ }
+
+ /**
+ * Returns the subject key identifier criterion, or <code>null</code> if
+ * this value was not set. Note that the byte array is cloned to prevent
+ * modification.
+ *
+ * @return The subject key identifier.
+ */
+ public byte[] getSubjectKeyIdentifier()
+ {
+ if (subjectKeyId != null)
+ return (byte[]) subjectKeyId.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the subject key identifier criterion, or <code>null</code> to clear
+ * this criterion. Note that the byte array is cloned to prevent modification.
+ *
+ * @param subjectKeyId The subject key identifier.
+ */
+ public void setSubjectKeyIdentifier(byte[] subjectKeyId)
+ {
+ this.subjectKeyId = subjectKeyId != null ? (byte[]) subjectKeyId.clone() :
+ null;
+ }
+
+ /**
+ * Returns the authority key identifier criterion, or <code>null</code> if
+ * this value was not set. Note that the byte array is cloned to prevent
+ * modification.
+ *
+ * @return The authority key identifier.
+ */
+ public byte[] getAuthorityKeyIdentifier()
+ {
+ if (authKeyId != null)
+ return (byte[]) authKeyId.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the authority key identifier criterion, or <code>null</code> to clear
+ * this criterion. Note that the byte array is cloned to prevent modification.
+ *
+ * @param subjectKeyId The subject key identifier.
+ */
+ public void setAuthorityKeyIdentifier(byte[] authKeyId)
+ {
+ this.authKeyId = authKeyId != null ? (byte[]) authKeyId.clone() : null;
+ }
+
+ /**
+ * Returns the date at which certificates must be valid, or <code>null</code>
+ * if this criterion was not set.
+ *
+ * @return The target certificate valitity date.
+ */
+ public Date getCertificateValid()
+ {
+ if (certValid != null)
+ return (Date) certValid.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the date at which certificates must be valid. Specify
+ * <code>null</code> to clear this criterion.
+ *
+ * @param certValid The certificate validity date.
+ */
+ public void setCertificateValid(Date certValid)
+ {
+ this.certValid = certValid != null ? (Date) certValid.clone() : null;
+ }
+
+ /**
+ * This method, and its related X.509 certificate extension &mdash; the
+ * private key usage period &mdash; is not supported under the Internet
+ * PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this
+ * method is not supported either.
+ *
+ * <p>Do not use this method. It is not deprecated, as it is not deprecated
+ * in the Java standard, but it is basically a no-operation and simply
+ * returns <code>null</code>.
+ *
+ * @return Null.
+ */
+ public Date getPrivateKeyValid()
+ {
+ return null;
+ }
+
+ /**
+ * This method, and its related X.509 certificate extension &mdash; the
+ * private key usage period &mdash; is not supported under the Internet
+ * PKI for X.509 certificates (PKIX), described in RFC 3280. As such, this
+ * method is not supported either.
+ *
+ * <p>Do not use this method. It is not deprecated, as it is not deprecated
+ * in the Java standard, but it is basically a no-operation.
+ *
+ * @param UNUSED Is silently ignored.
+ */
+ public void setPrivateKeyValid(Date UNUSED)
+ {
+ }
+
+ /**
+ * Returns the public key algorithm ID that matching certificates must have,
+ * or <code>null</code> if this criterion was not set.
+ *
+ * @return The public key algorithm ID.
+ */
+ public String getSubjectPublicKeyAlgID()
+ {
+ return String.valueOf(sigId);
+ }
+
+ /**
+ * Sets the public key algorithm ID that matching certificates must have.
+ * Specify <code>null</code> to clear this criterion.
+ *
+ * @param sigId The public key ID.
+ * @throws IOException If the specified ID is not a valid object identifier.
+ */
+ public void setSubjectPublicKeyAlgID(String sigId) throws IOException
+ {
+ if (sigId != null)
+ {
+ try
+ {
+ OID oid = new OID(sigId);
+ int[] comp = oid.getIDs();
+ if (!checkOid(comp))
+ throw new IOException("malformed OID: " + sigId);
+ this.sigId = oid;
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed OID: " + sigId);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ else
+ this.sigId = null;
+ }
+
+ /**
+ * Returns the subject public key criterion, or <code>null</code> if this
+ * value is not set.
+ *
+ * @return The subject public key.
+ */
+ public PublicKey getSubjectPublicKey()
+ {
+ return subjectKey;
+ }
+
+ /**
+ * Sets the subject public key criterion as an opaque representation.
+ * Specify <code>null</code> to clear this criterion.
+ *
+ * @param key The public key.
+ */
+ public void setSubjectPublicKey(PublicKey key)
+ {
+ this.subjectKey = key;
+ if (key == null)
+ {
+ subjectKeySpec = null;
+ return;
+ }
+ try
+ {
+ KeyFactory enc = KeyFactory.getInstance("X.509");
+ subjectKeySpec = (X509EncodedKeySpec)
+ enc.getKeySpec(key, X509EncodedKeySpec.class);
+ }
+ catch (Exception x)
+ {
+ subjectKey = null;
+ subjectKeySpec = null;
+ }
+ }
+
+ /**
+ * Sets the subject public key criterion as a DER-encoded key. Specify
+ * <code>null</code> to clear this value.
+ *
+ * @param key The DER-encoded key bytes.
+ * @throws IOException If the argument is not a valid DER-encoded key.
+ */
+ public void setSubjectPublicKey(byte[] key) throws IOException
+ {
+ if (key == null)
+ {
+ subjectKey = null;
+ subjectKeySpec = null;
+ return;
+ }
+ try
+ {
+ subjectKeySpec = new X509EncodedKeySpec(key);
+ KeyFactory enc = KeyFactory.getInstance("X.509");
+ subjectKey = enc.generatePublic(subjectKeySpec);
+ }
+ catch (Exception x)
+ {
+ subjectKey = null;
+ subjectKeySpec = null;
+ IOException ioe = new IOException(x.getMessage());
+ ioe.initCause(x);
+ throw ioe;
+ }
+ }
+
+ /**
+ * Returns the public key usage criterion, or <code>null</code> if this
+ * value is not set. Note that the array is cloned to prevent modification.
+ *
+ * @return The public key usage.
+ */
+ public boolean[] getKeyUsage()
+ {
+ if (keyUsage != null)
+ return (boolean[]) keyUsage.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the public key usage criterion. Specify <code>null</code> to clear
+ * this value.
+ *
+ * @param keyUsage The public key usage.
+ */
+ public void setKeyUsage(boolean[] keyUsage)
+ {
+ this.keyUsage = keyUsage != null ? (boolean[]) keyUsage.clone() : null;
+ }
+
+ /**
+ * Returns the set of extended key purpose IDs, as an unmodifiable set
+ * of OID strings. Returns <code>null</code> if this criterion is not
+ * set.
+ *
+ * @return The set of key purpose OIDs (strings).
+ */
+ public Set getExtendedKeyUsage()
+ {
+ if (keyPurposeSet != null)
+ return Collections.unmodifiableSet(keyPurposeSet);
+ else
+ return null;
+ }
+
+ /**
+ * Sets the extended key usage criterion, as a set of OID strings. Specify
+ * <code>null</code> to clear this value.
+ *
+ * @param keyPurposeSet The set of key purpose OIDs.
+ * @throws IOException If any element of the set is not a valid OID string.
+ */
+ public void setExtendedKeyUsage(Set keyPurposeSet) throws IOException
+ {
+ if (keyPurposeSet == null)
+ {
+ this.keyPurposeSet = null;
+ return;
+ }
+ Set s = new HashSet();
+ for (Iterator it = keyPurposeSet.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if (!(o instanceof String))
+ throw new IOException("not a string: " + o);
+ try
+ {
+ OID oid = new OID((String) o);
+ int[] comp = oid.getIDs();
+ if (!checkOid(comp))
+ throw new IOException("malformed OID: " + o);
+ }
+ catch (IllegalArgumentException iae)
+ {
+ IOException ioe = new IOException("malformed OID: " + o);
+ ioe.initCause(iae);
+ throw ioe;
+ }
+ }
+ this.keyPurposeSet = s;
+ }
+
+ /**
+ * Returns whether or not all specified alternative names must match.
+ * If false, a certificate is considered a match if <em>one</em> of the
+ * specified alternative names matches.
+ *
+ * @return true if all names must match.
+ */
+ public boolean getMatchAllSubjectAltNames()
+ {
+ return matchAllNames;
+ }
+
+ /**
+ * Sets whether or not all subject alternative names must be matched.
+ * If false, then a certificate will be considered a match if one
+ * alternative name matches.
+ *
+ * @param matchAllNames Whether or not all alternative names must be
+ * matched.
+ */
+ public void setMatchAllSubjectAltNames(boolean matchAllNames)
+ {
+ this.matchAllNames = matchAllNames;
+ }
+
+ /**
+ * Sets the subject alternative names critertion. Each element of the
+ * argument must be a {@link java.util.List} that contains exactly two
+ * elements: the first an {@link Integer}, representing the type of
+ * name, and the second either a {@link String} or a byte array,
+ * representing the name itself.
+ *
+ * @param altNames The alternative names.
+ * @throws IOException If any element of the argument is invalid.
+ */
+ public void setSubjectAlternativeNames(Collection altNames)
+ throws IOException
+ {
+ if (altNames == null)
+ {
+ this.altNames = null;
+ return;
+ }
+ List l = new ArrayList(altNames.size());
+ for (Iterator it = altNames.iterator(); it.hasNext(); )
+ {
+ Object o = it.next();
+ if (!(o instanceof List) || ((List) o).size() != 2 ||
+ !(((List) o).get(0) instanceof Integer) ||
+ !(((List) o).get(1) instanceof String) ||
+ !(((List) o).get(1) instanceof byte[]))
+ throw new IOException("illegal alternative name: " + o);
+ Integer i = (Integer) ((List) o).get(0);
+ if (i.intValue() < 0 || i.intValue() > 8)
+ throw new IOException("illegal alternative name: " + o +
+ ", bad id: " + i);
+ l.add(new ArrayList((List) o));
+ }
+ this.altNames = l;
+ }
+
+ /**
+ * Add a name to the subject alternative names criterion.
+ *
+ * @param id The type of name this is. Must be in the range [0,8].
+ * @param name The name.
+ * @throws IOException If the id is out of range, or if the name
+ * is null.
+ */
+ public void addSubjectAlternativeName(int id, String name)
+ throws IOException
+ {
+ if (id < 0 || id > 8 || name == null)
+ throw new IOException("illegal alternative name");
+ if (altNames == null)
+ altNames = new LinkedList();
+ ArrayList l = new ArrayList(2);
+ l.add(new Integer(id));
+ l.add(name);
+ altNames.add(l);
+ }
+
+ /**
+ * Add a name, as DER-encoded bytes, to the subject alternative names
+ * criterion.
+ *
+ * @param id The type of name this is.
+ */
+ public void addSubjectAlternativeName(int id, byte[] name)
+ throws IOException
+ {
+ if (id < 0 || id > 8 || name == null)
+ throw new IOException("illegal alternative name");
+ if (altNames == null)
+ altNames = new LinkedList();
+ ArrayList l = new ArrayList(2);
+ l.add(new Integer(id));
+ l.add(name);
+ altNames.add(l);
+ }
+
+ /**
+ * Returns the name constraints criterion, or <code>null</code> if this
+ * value is not set. Note that the byte array is cloned to prevent
+ * modification.
+ *
+ * @return The name constraints.
+ */
+ public byte[] getNameConstraints()
+ {
+ if (nameConstraints != null)
+ return (byte[]) nameConstraints.clone();
+ else
+ return null;
+ }
+
+ /**
+ * Sets the name constraints criterion; specify <code>null</code> to
+ * clear this criterion. Note that if non-null, the argument will be
+ * cloned to prevent modification.
+ *
+ * @param nameConstraints The new name constraints.
+ * @throws IOException If the argument is not a valid DER-encoded
+ * name constraints.
+ */
+ public void setNameConstraints(byte[] nameConstraints)
+ throws IOException
+ {
+ // FIXME check if the argument is valid.
+ this.nameConstraints = nameConstraints != null
+ ? (byte[]) nameConstraints.clone() : null;
+ }
+
+ /**
+ * Returns the basic constraints criterion, or -1 if this value is not set.
+ *
+ * @return The basic constraints.
+ */
+ public int getBasicConstraints()
+ {
+ return basicConstraints;
+ }
+
+ /**
+ * Sets the basic constraints criterion. Specify -1 to clear this parameter.
+ *
+ * @param basicConstraints The new basic constraints value.
+ */
+ public void setBasicConstraints(int basicConstraints)
+ {
+ if (basicConstraints < -1)
+ basicConstraints = -1;
+ this.basicConstraints = basicConstraints;
+ }
+
+ // The last two criteria not yet implemented are certificate policies
+ // and path-to-names. Both of these are somewhat advanced extensions
+ // (you could probably count the applications that actually use them
+ // on one hand), and they both have no support in the X509Certificate
+ // class.
+ //
+ // Not having support in X509Certificate is not always a problem; for
+ // example, we can compare DER-encoded values as byte arrays for some
+ // extensions. We can't, however, compare them if they are specified
+ // in a set (as policies are). We need to parse the actual value in the
+ // certificate, and check it against the specified set.
+
+ // FIXME
+// public void setPolicy(Set policy) throws IOException
+// {
+// if (policy != null)
+// {
+// for (Iterator it = policy.iterator(); it.hasNext(); )
+// try
+// {
+// OID oid = new OID((String) it.next());
+// int[] i = oid.getIDs();
+// if (!checkOid(i))
+// throw new IOException("invalid OID");
+// }
+// catch (Exception x)
+// {
+// throw new IOException("invalid OID");
+// }
+// }
+// this.policy = policy != null ? new HashSet(policy) : null;
+// }
+
+ // FIXME
+// public void setPathToNames(Collection names) throws IOException
+// {
+// if (names == null)
+// {
+// this.names = null;
+// return;
+// }
+// for (Iterator it = names.iterator(); it.hasNext(); )
+// {
+// try
+// {
+// List l = (List) it.next();
+// if (l.get(1) instanceof String)
+// addPathToName(((Integer)l.get(0)).intValue(), (String)l.get(1));
+// else
+// addPathToName(((Integer)l.get(0)).intValue(), (byte[])l.get(1));
+// }
+// catch (Exception x)
+// {
+// this.names = null;
+// throw new IOException("invalid names");
+// }
+// }
+// }
+
+ // FIXME
+// public void addPathToName(int id, String name) throws IOException
+// {
+// }
+
+ // FIXME
+// public void addPathToName(int id, byte[] name) throws IOException
+// {
+// }
+
+ // FIXME
+// public Collection getSubjectAlternativeNames()
+// {
+// return null;
+// }
+
+ // FIXME
+// public Set getPolicy()
+// {
+// return null;
+// }
+
+ // FIXME
+// public Collection getPathToNames()
+// {
+// return null;
+// }
+
+ /**
+ * Match a certificate. This method will check the given certificate
+ * against all the enabled criteria of this selector, and will return
+ * <code>true</code> if the given certificate matches.
+ *
+ * @param certificate The certificate to check.
+ * @return true if the certificate matches all criteria.
+ */
+ public boolean match(Certificate certificate)
+ {
+ if (!(certificate instanceof X509Certificate))
+ return false;
+ X509Certificate cert = (X509Certificate) certificate;
+ if (this.cert != null)
+ {
+ try
+ {
+ byte[] e1 = this.cert.getEncoded();
+ byte[] e2 = cert.getEncoded();
+ if (!Arrays.equals(e1, e2))
+ return false;
+ }
+ catch (CertificateEncodingException cee)
+ {
+ return false;
+ }
+ }
+ if (serialNo != null)
+ {
+ if (!serialNo.equals(cert.getSerialNumber()))
+ return false;
+ }
+ if (certValid != null)
+ {
+ try
+ {
+ cert.checkValidity(certValid);
+ }
+ catch (CertificateException ce)
+ {
+ return false;
+ }
+ }
+ if (issuer != null)
+ {
+ if (!issuer.equals(cert.getIssuerX500Principal()))
+ return false;
+ }
+ if (subject != null)
+ {
+ if (!subject.equals(cert.getSubjectX500Principal()))
+ return false;
+ }
+ if (sigId != null)
+ {
+ if (!sigId.equals(cert.getSigAlgOID()))
+ return false;
+ }
+ if (subjectKeyId != null)
+ {
+ byte[] b = cert.getExtensionValue(SUBJECT_KEY_ID);
+ if (!Arrays.equals(b, subjectKeyId))
+ return false;
+ }
+ if (authKeyId != null)
+ {
+ byte[] b = cert.getExtensionValue(AUTH_KEY_ID);
+ if (!Arrays.equals(b, authKeyId))
+ return false;
+ }
+ if (keyUsage != null)
+ {
+ boolean[] b = cert.getKeyUsage();
+ if (!Arrays.equals(b, keyUsage))
+ return false;
+ }
+ if (basicConstraints >= 0)
+ {
+ if (cert.getBasicConstraints() != basicConstraints)
+ return false;
+ }
+ if (keyPurposeSet != null)
+ {
+ List kp = null;
+ try
+ {
+ kp = cert.getExtendedKeyUsage();
+ }
+ catch (CertificateParsingException cpe)
+ {
+ return false;
+ }
+ if (kp == null)
+ return false;
+ for (Iterator it = keyPurposeSet.iterator(); it.hasNext(); )
+ {
+ if (!kp.contains(it.next()))
+ return false;
+ }
+ }
+ if (altNames != null)
+ {
+ Collection an = null;
+ try
+ {
+ an = cert.getSubjectAlternativeNames();
+ }
+ catch (CertificateParsingException cpe)
+ {
+ return false;
+ }
+ if (an == null)
+ return false;
+ int match = 0;
+ for (Iterator it = altNames.iterator(); it.hasNext(); )
+ {
+ List l = (List) it.next();
+ Integer id = (Integer) l.get(0);
+ String s = null;
+ byte[] b = null;
+ if (l.get(1) instanceof String)
+ s = (String) l.get(1);
+ else if (l.get(1) instanceof byte[])
+ b = (byte[]) l.get(1);
+ else
+ return false;
+ for (Iterator it2 = an.iterator(); it2.hasNext(); )
+ {
+ Object o = it2.next();
+ if (!(o instanceof List))
+ continue;
+ List l2 = (List) o;
+ if (l2.size() != 2)
+ continue;
+ if (!id.equals(l2.get(0)))
+ continue;
+ if (s != null && (l2.get(1) instanceof String) &&
+ s.equals(l2.get(1)))
+ match++;
+ else if (b != null && (l2.get(1) instanceof byte[]) &&
+ Arrays.equals(b, (byte[]) l2.get(1)))
+ match++;
+ }
+ if (match == 0 || (matchAllNames && match != altNames.size()))
+ return false;
+ }
+ }
+ if (nameConstraints != null)
+ {
+ byte[] nc = cert.getExtensionValue(NAME_CONSTRAINTS_ID);
+ if (!Arrays.equals(nameConstraints, nc))
+ return false;
+ }
+
+ // FIXME check policies.
+ // FIXME check path-to-names.
+
+ return true;
+ }
+
+ public String toString()
+ {
+ StringBuffer str = new StringBuffer(X509CertSelector.class.getName());
+ String nl = SystemProperties.getProperty("line.separator");
+ String eol = ";" + nl;
+ str.append(" {").append(nl);
+ if (cert != null)
+ str.append(" certificate = ").append(cert).append(eol);
+ if (basicConstraints >= 0)
+ str.append(" basic constraints = ").append(basicConstraints).append(eol);
+ if (serialNo != null)
+ str.append(" serial number = ").append(serialNo).append(eol);
+ if (certValid != null)
+ str.append(" valid date = ").append(certValid).append(eol);
+ if (issuer != null)
+ str.append(" issuer = ").append(issuer).append(eol);
+ if (subject != null)
+ str.append(" subject = ").append(subject).append(eol);
+ if (sigId != null)
+ str.append(" signature OID = ").append(sigId).append(eol);
+ if (subjectKey != null)
+ str.append(" subject public key = ").append(subjectKey).append(eol);
+ if (subjectKeyId != null)
+ {
+ str.append(" subject key ID = ");
+ for (int i = 0; i < subjectKeyId.length; i++)
+ {
+ str.append(Character.forDigit((subjectKeyId[i] & 0xF0) >>> 8, 16));
+ str.append(Character.forDigit((subjectKeyId[i] & 0x0F), 16));
+ if (i < subjectKeyId.length - 1)
+ str.append(':');
+ }
+ str.append(eol);
+ }
+ if (authKeyId != null)
+ {
+ str.append(" authority key ID = ");
+ for (int i = 0; i < authKeyId.length; i++)
+ {
+ str.append(Character.forDigit((authKeyId[i] & 0xF0) >>> 8, 16));
+ str.append(Character.forDigit((authKeyId[i] & 0x0F), 16));
+ if (i < authKeyId.length - 1)
+ str.append(':');
+ }
+ str.append(eol);
+ }
+ if (keyUsage != null)
+ {
+ str.append(" key usage = ");
+ for (int i = 0; i < keyUsage.length; i++)
+ str.append(keyUsage[i] ? '1' : '0');
+ str.append(eol);
+ }
+ if (keyPurposeSet != null)
+ str.append(" key purpose = ").append(keyPurposeSet).append(eol);
+ if (altNames != null)
+ str.append(" alternative names = ").append(altNames).append(eol);
+ if (nameConstraints != null)
+ str.append(" name constraints = <blob of data>").append(eol);
+ str.append("}").append(nl);
+ return str.toString();
+ }
+
+ public Object clone()
+ {
+ try
+ {
+ return super.clone();
+ }
+ catch (CloneNotSupportedException shouldNotHappen)
+ {
+ throw new Error(shouldNotHappen);
+ }
+ }
+
+ // Own methods.
+ // -------------------------------------------------------------------------
+
+ private static boolean checkOid(int[] oid)
+ {
+ return (oid != null && oid.length > 2 &&
+ (oid[0] >= 0 && oid[0] <= 2) && (oid[1] >= 0 && oid[1] <= 39));
+ }
+}
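Review bot: In `setExtendedKeyUsage` the validated OIDs are never added to `s`, so `this.keyPurposeSet = s` always stores an empty set and the key-purpose loop in `match()` then accepts any certificate whose `getExtendedKeyUsage()` is non-null; adding `s.add(o);` after the `checkOid` test fixes it. `match()` also never consults `subjectKey` or `subjectKeySpec`, so a selector configured through `setSubjectPublicKey` does not filter on the key; a check such as `if (subjectKeySpec != null && !Arrays.equals(subjectKeySpec.getEncoded(), cert.getPublicKey().getEncoded())) return false;` would enforce it. In the other direction, `setSubjectAlternativeNames` throws for every element because the last two clauses are joined with `||` and no object is both a `String` and a `byte[]`; they should read `!(((List) o).get(1) instanceof String) && !(((List) o).get(1) instanceof byte[])`. The hex dump in `toString` shifts the high nibble with `>>> 8`, which always yields 0, where `>>> 4` is needed. A selector that silently drops a criterion widens the set of certificates handed to path building, so each setter deserves a test that feeds `match()` a certificate that must be rejected.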
diff --git a/libjava/classpath/java/security/cert/X509Certificate.java b/libjava/classpath/java/security/cert/X509Certificate.java
new file mode 100644
index 00000000000..f6c6fcfb9a4
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509Certificate.java
@@ -0,0 +1,588 @@
+/* X509Certificate.java --- X.509 Certificate class
+ Copyright (C) 1999,2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+
+import java.math.BigInteger;
+import java.security.Principal;
+import java.util.Date;
+
+/**
+ * X509Certificate is the abstract class for X.509 certificates.
+ * This provides a stanard class interface for accessing all
+ * the attributes of X.509 certificates.
+ *
+ * <p>In June 1996, the basic X.509 v3 format was finished by
+ * ISO/IEC and ANSI X.9. The ASN.1 DER format is below:
+ *
+ * <blockquote><pre>
+ * Certificate ::= SEQUENCE {
+ * tbsCertificate TBSCertificate,
+ * signatureAlgorithm AlgorithmIdentifier,
+ * signatureValue BIT STRING }
+ * </pre></blockquote>
+ *
+ * <p>These certificates are widely used in various Internet
+ * protocols to support authentication. It is used in
+ * Privacy Enhanced Mail (PEM), Transport Layer Security (TLS),
+ * Secure Sockets Layer (SSL), code signing for trusted software
+ * distribution, and Secure Electronic Transactions (SET).
+ *
+ * <p>The certificates are managed and vouched for by
+ * <I>Certificate Authorities</I> (CAs). CAs are companies or
+ * groups that create certificates by placing the data in the
+ * X.509 certificate format and signing it with their private
+ * key. CAs serve as trusted third parties by certifying that
+ * the person or group specified in the certificate is who
+ * they say they are.
+ *
+ * <p>The ASN.1 defintion for <I>tbsCertificate</I> is
+ *
+ * <blockquote><pre>
+ * TBSCertificate ::= SEQUENCE {
+ * version [0] EXPLICIT Version DEFAULT v1,
+ * serialNumber CertificateSerialNumber,
+ * signature AlgorithmIdentifier,
+ * issuer Name,
+ * validity Validity,
+ * subject Name,
+ * subjectPublicKeyInfo SubjectPublicKeyInfo,
+ * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ * -- If present, version shall be v2 or v3
+ * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ * -- If present, version shall be v2 or v3
+ * extensions [3] EXPLICIT Extensions OPTIONAL
+ * -- If present, version shall be v3
+ * }
+ *
+ * Version ::= INTEGER { v1(0), v2(1), v3(2) }
+ *
+ * CertificateSerialNumber ::= INTEGER
+ *
+ * Validity ::= SEQUENCE {
+ * notBefore Time,
+ * notAfter Time }
+ *
+ * Time ::= CHOICE {
+ * utcTime UTCTime,
+ * generalTime GeneralizedTime }
+ *
+ * UniqueIdentifier ::= BIT STRING
+ *
+ * SubjectPublicKeyInfo ::= SEQUENCE {
+ * algorithm AlgorithmIdentifier,
+ * subjectPublicKey BIT STRING }
+ *
+ * Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+ *
+ * Extension ::= SEQUENCE {
+ * extnID OBJECT IDENTIFIER,
+ * critical BOOLEAN DEFAULT FALSE,
+ * extnValue OCTET STRING }
+ * </pre></blockquote>
+ *
+ * Certificates are created with the CertificateFactory.
+ *
+ * <p>References:
+ *
+ * <ol>
+ * <li>Olivier Dubuisson, Philippe Fouquart (Translator) <i>ASN.1 -
+ * Communication between heterogeneous systems</i>, (C) September 2000,
+ * Morgan Kaufmann Publishers, ISBN 0-12-6333361-0. Available on-line at
+ * <a
+ * href="http://www.oss.com/asn1/dubuisson.html">http://www.oss.com/asn1/dubuisson.html</a></li>
+ * <li>R. Housley et al, <i><a href="http://www.ietf.org/rfc/rfc3280.txt">RFC
+ * 3280: Internet X.509 Public Key Infrastructure Certificate and CRL
+ * Profile</a></i>.</li>
+ * </ol>
+ *
+ * @since JDK 1.2
+ * @author Mark Benvenuto
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class X509Certificate
+ extends java.security.cert.Certificate // XXX workaround for gcj bug #17845
+ implements X509Extension
+{
+ private static final long serialVersionUID = -2491127588187038216L;
+
+ /**
+ * Constructs a new certificate of the specified type.
+ */
+ protected X509Certificate()
+ {
+ super( "X.509" );
+ }
+
+ /**
+ Checks the validity of the X.509 certificate. It is valid
+ if the current date and time are within the period specified
+ by the certificate.
+
+ The ASN.1 DER encoding is:
+
+ validity Validity,
+
+ Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @throws CertificateExpiredException if the certificate expired
+ @throws CertificateNotYetValidException if the certificate is
+ not yet valid
+ */
+ public abstract void checkValidity()
+ throws CertificateExpiredException,
+ CertificateNotYetValidException;
+
+ /**
+ Checks the validity of the X.509 certificate for the
+ specified time and date. It is valid if the specified
+ date and time are within the period specified by
+ the certificate.
+
+ @throws CertificateExpiredException if the certificate expired
+ based on the date
+ @throws CertificateNotYetValidException if the certificate is
+ not yet valid based on the date
+ */
+ public abstract void checkValidity(Date date)
+ throws CertificateExpiredException,
+ CertificateNotYetValidException;
+
+ /**
+ Returns the version of this certificate.
+
+ The ASN.1 DER encoding is:
+
+ version [0] EXPLICIT Version DEFAULT v1,
+
+ Version ::= INTEGER { v1(0), v2(1), v3(2) }
+
+ Consult rfc2459 for more information.
+
+ @return version number of certificate
+ */
+ public abstract int getVersion();
+
+ /**
+ Gets the serial number for serial Number in
+ this Certifcate. It must be a unique number
+ unique other serial numbers from the granting CA.
+
+ The ASN.1 DER encoding is:
+
+ serialNumber CertificateSerialNumber,
+
+ CertificateSerialNumber ::= INTEGER
+
+ Consult rfc2459 for more information.
+
+ @return the serial number for this X509CRLEntry.
+ */
+ public abstract BigInteger getSerialNumber();
+
+ /**
+ Returns the issuer (issuer distinguished name) of the
+ Certificate. The issuer is the entity who signed
+ and issued the Certificate.
+
+ The ASN.1 DER encoding is:
+
+ issuer Name,
+
+ Name ::= CHOICE {
+ RDNSequence }
+
+ RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
+
+ RelativeDistinguishedName ::=
+ SET OF AttributeTypeAndValue
+
+ AttributeTypeAndValue ::= SEQUENCE {
+ type AttributeType,
+ value AttributeValue }
+
+ AttributeType ::= OBJECT IDENTIFIER
+
+ AttributeValue ::= ANY DEFINED BY AttributeType
+
+ DirectoryString ::= CHOICE {
+ teletexString TeletexString (SIZE (1..MAX)),
+ printableString PrintableString (SIZE (1..MAX)),
+ universalString UniversalString (SIZE (1..MAX)),
+ utf8String UTF8String (SIZE (1.. MAX)),
+ bmpString BMPString (SIZE (1..MAX)) }
+
+ Consult rfc2459 for more information.
+
+ @return the issuer in the Principal class
+ */
+ public abstract Principal getIssuerDN();
+
+ /**
+ Returns the subject (subject distinguished name) of the
+ Certificate. The subject is the entity who the Certificate
+ identifies.
+
+ The ASN.1 DER encoding is:
+
+ subject Name,
+
+ Consult rfc2459 for more information.
+
+ @return the issuer in the Principal class
+ */
+ public abstract Principal getSubjectDN();
+
+ /**
+ Returns the date that this certificate is not to be used
+ before, <I>notBefore</I>.
+
+ The ASN.1 DER encoding is:
+
+ validity Validity,
+
+ Validity ::= SEQUENCE {
+ notBefore Time,
+ notAfter Time }
+
+ Time ::= CHOICE {
+ utcTime UTCTime,
+ generalTime GeneralizedTime }
+
+ Consult rfc2459 for more information.
+
+ @return the date <I>notBefore</I>
+ */
+ public abstract Date getNotBefore();
+
+ /**
+ Returns the date that this certificate is not to be used
+ after, <I>notAfter</I>.
+
+ @return the date <I>notAfter</I>
+ */
+ public abstract Date getNotAfter();
+
+
+ /**
+ Returns the <I>tbsCertificate</I> from the certificate.
+
+ @return the DER encoded tbsCertificate
+
+ @throws CertificateEncodingException if encoding error occurred
+ */
+ public abstract byte[] getTBSCertificate() throws CertificateEncodingException;
+
+ /**
+ Returns the signature in its raw DER encoded format.
+
+ The ASN.1 DER encoding is:
+
+ signatureValue BIT STRING
+
+ Consult rfc2459 for more information.
+
+ @return byte array representing signature
+ */
+ public abstract byte[] getSignature();
+
+ /**
+ Returns the signature algorithm used to sign the CRL.
+ An examples is "SHA-1/DSA".
+
+ The ASN.1 DER encoding is:
+
+ signatureAlgorithm AlgorithmIdentifier,
+
+ AlgorithmIdentifier ::= SEQUENCE {
+ algorithm OBJECT IDENTIFIER,
+ parameters ANY DEFINED BY algorithm OPTIONAL }
+
+ Consult rfc2459 for more information.
+
+ The algorithm name is determined from the OID.
+
+ @return a string with the signature algorithm name
+ */
+ public abstract String getSigAlgName();
+
+
+ /**
+ Returns the OID for the signature algorithm used.
+ Example "1.2.840.10040.4.3" is return for SHA-1 with DSA.\
+
+ The ASN.1 DER encoding for the example is:
+
+ id-dsa-with-sha1 ID ::= {
+ iso(1) member-body(2) us(840) x9-57 (10040)
+ x9cm(4) 3 }
+
+ Consult rfc2459 for more information.
+
+ @return a string containing the OID.
+ */
+ public abstract String getSigAlgOID();
+
+
+ /**
+ Returns the AlgorithmParameters in the encoded form
+ for the signature algorithm used.
+
+ If access to the parameters is need, create an
+ instance of AlgorithmParameters.
+
+ @return byte array containing algorithm parameters, null
+ if no parameters are present in certificate
+ */
+ public abstract byte[] getSigAlgParams();
+
+
+ /**
+ Returns the issuer unique ID for this certificate.
+
+ The ASN.1 DER encoding is:
+
+ issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+
+ UniqueIdentifier ::= BIT STRING
+
+ Consult rfc2459 for more information.
+
+ @return bit representation of <I>issuerUniqueID</I>
+ */
+ public abstract boolean[] getIssuerUniqueID();
+
+ /**
+ Returns the subject unique ID for this certificate.
+
+ The ASN.1 DER encoding is:
+
+ subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
+ -- If present, version shall be v2 or v3
+
+ UniqueIdentifier ::= BIT STRING
+
+ Consult rfc2459 for more information.
+
+ @return bit representation of <I>subjectUniqueID</I>
+ */
+ public abstract boolean[] getSubjectUniqueID();
+
+ /**
+ Returns a boolean array representing the <I>KeyUsage</I>
+ extension for the certificate. The KeyUsage (OID = 2.5.29.15)
+ defines the purpose of the key in the certificate.
+
+ The ASN.1 DER encoding is:
+
+ id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
+
+ KeyUsage ::= BIT STRING {
+ digitalSignature (0),
+ nonRepudiation (1),
+ keyEncipherment (2),
+ dataEncipherment (3),
+ keyAgreement (4),
+ keyCertSign (5),
+ cRLSign (6),
+ encipherOnly (7),
+ decipherOnly (8) }
+
+ Consult rfc2459 for more information.
+
+ @return bit representation of <I>KeyUsage</I>
+ */
+ public abstract boolean[] getKeyUsage();
+
+ /**
+ Returns the certificate constraints path length from the
+ critical BasicConstraints extension, (OID = 2.5.29.19).
+
+ The basic constraints extensions is used to determine if
+ the subject of the certificate is a Certificate Authority (CA)
+ and how deep the certification path may exist. The
+ <I>pathLenConstraint</I> only takes affect if <I>cA</I>
+ is set to true. "A value of zero indicates that only an
+ end-entity certificate may follow in the path." (rfc2459)
+
+ The ASN.1 DER encoding is:
+
+ id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 }
+
+ BasicConstraints ::= SEQUENCE {
+ cA BOOLEAN DEFAULT FALSE,
+ pathLenConstraint INTEGER (0..MAX) OPTIONAL }
+
+ Consult rfc2459 for more information.
+
+ @return the length of the path constraint if BasicConstraints
+ is present and cA is TRUE. Otherwise returns -1.
+ */
+ public abstract int getBasicConstraints();
+
+ // 1.4 instance methods.
+ // ------------------------------------------------------------------------
+
+ /**
+ * Returns the <code>ExtendedKeyUsage</code> extension of this
+ * certificate, or null if there is no extension present. The returned
+ * value is a {@link java.util.List} strings representing the object
+ * identifiers of the extended key usages. This extension has the OID
+ * 2.5.29.37.
+ *
+ * <p>The ASN.1 definition for this extension is:
+ *
+ * <blockquote><pre>
+ * ExtendedKeyUsage ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
+ *
+ * KeyPurposeId ::= OBJECT IDENTIFIER
+ * </pre></blockquote>
+ *
+ * @return The list of extension OIDs, or null if there are none
+ * present in this certificate.
+ * @throws CertificateParsingException If this extension cannot be
+ * parsed from its encoded form.
+ */
+ public java.util.List getExtendedKeyUsage()
+ throws CertificateParsingException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the alternative names for this certificate's subject (the
+ * owner), or null if there are none.
+ *
+ * <p>This is an X.509 extension with OID 2.5.29.17 and is defined by
+ * the ASN.1 construction:
+ *
+ * <blockquote><pre>
+ * SubjectAltNames ::= GeneralNames
+ *
+ * GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
+ *
+ * GeneralName ::= CHOICE {
+ * otherName [0] OtherName,
+ * rfc822Name [1] IA5String,
+ * dNSName [2] IA5String,
+ * x400Address [3] ORAddress,
+ * directoryName [4] Name,
+ * ediPartyName [5] EDIPartyName,
+ * uniformResourceIdentifier [6] IA5String,
+ * iPAddress [7] OCTET STRING,
+ * registeredID [8] OBJECT IDENTIFIER
+ * }
+ * </pre></blockquote>
+ *
+ * <p>The returned collection contains one or more two-element Lists,
+ * with the first object being an Integer representing the choice
+ * above (with value 0 through 8) and the second being an (a) String
+ * if the <code>GeneralName</code> is a rfc822Name, dNSName,
+ * uniformResourceIdentifier, iPAddress, or registeredID, or (b) a
+ * byte array of the DER encoded form for any others.
+ *
+ * @return The collection of alternative names, or null if there are
+ * none.
+ * @throws CertificateParsingException If the encoded extension cannot
+ * be parsed.
+ * @since JDK 1.4
+ */
+ public java.util.Collection getSubjectAlternativeNames()
+ throws CertificateParsingException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the alternative names for this certificate's issuer, or
+ * null if there are none.
+ *
+ * <p>This is an X.509 extension with OID 2.5.29.18, and is defined by
+ * the ASN.1 construction:
+ *
+ * <blockquote><pre>
+ * IssuerAltNames ::= GeneralNames
+ * </pre></blockquote>
+ *
+ * <p>The <code>GeneralNames</code> construct and the form of the
+ * returned collection are the same as with {@link
+ * #getSubjectAlternativeNames()}.
+ *
+ * @return The collection of alternative names, or null if there are
+ * none.
+ * @throws CertificateParsingException If the encoded extension cannot
+ * be parsed.
+ * @since JDK 1.4
+ */
+ public java.util.Collection getIssuerAlternativeNames()
+ throws CertificateParsingException
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the X.500 distinguished name of this certificate's subject.
+ *
+ * @return The subject's X.500 distinguished name.
+ * @since JDK 1.4
+ */
+ public javax.security.auth.x500.X500Principal getSubjectX500Principal()
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /**
+ * Returns the X.500 distinguished name of this certificate's issuer.
+ *
+ * @return The issuer's X.500 distinguished name.
+ * @since JDK 1.4
+ */
+ public javax.security.auth.x500.X500Principal getIssuerX500Principal()
+ {
+ throw new UnsupportedOperationException();
+ }
+}
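Review bot: The five JDK 1.4 accessors at the end of the class (`getExtendedKeyUsage`, `getSubjectAlternativeNames`, `getIssuerAlternativeNames`, `getSubjectX500Principal`, `getIssuerX500Principal`) unconditionally throw `UnsupportedOperationException`, yet their Javadoc only promises a value or null, plus a checked `CertificateParsingException` on three of them. A caller doing subject-name or key-purpose checks against a subclass that does not override them gets an undocumented unchecked exception, so each should carry a line such as `@throws UnsupportedOperationException if the subclass does not override this method`. Separately, several comments on the abstract methods look copy-pasted and name the wrong object: `getSerialNumber` has `@return the serial number for this X509CRLEntry`, `getSubjectDN` has `@return the issuer in the Principal class`, and `getSigAlgName` says the algorithm was "used to sign the CRL". These should read certificate, subject and certificate respectively.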
diff --git a/libjava/classpath/java/security/cert/X509Extension.java b/libjava/classpath/java/security/cert/X509Extension.java
new file mode 100644
index 00000000000..d2cb80a9f57
--- /dev/null
+++ b/libjava/classpath/java/security/cert/X509Extension.java
@@ -0,0 +1,113 @@
+/* X509Extension.java --- X.509 Extension
+ Copyright (C) 1999 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package java.security.cert;
+import java.util.Set;
+
+/**
+ Public interface for the X.509 Extension.
+
+ This is used for X.509 v3 Certificates and CRL v2 (Certificate
+ Revocation Lists) for managing attributes assoicated with
+ Certificates, for managing the hierarchy of certificates,
+ and for managing the distribution of CRL. This extension
+ format is used to define private extensions.
+
+ Each extensions for a certificate or CRL must be marked
+ either critical or non-critical. If the certificate/CRL
+ system encounters a critical extension not recognized then
+ it must reject the certificate. A non-critical extension
+ may be just ignored if not recognized.
+
+
+ The ASN.1 definition for this class is:
+
+ Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
+
+ Extension ::= SEQUENCE {
+ extnId OBJECT IDENTIFIER,
+ critical BOOLEAN DEFAULT FALSE,
+ extnValue OCTET STRING
+ -- contains a DER encoding of a value
+ -- of the type registered for use with
+ -- the extnId object identifier value
+ }
+
+ @author Mark Benvenuto
+
+ @since JDK 1.2
+*/
+public interface X509Extension
+{
+
+ /**
+ Returns true if the certificate contains a critical extension
+ that is not supported.
+
+ @return true if has unsupported extension, false otherwise
+ */
+ boolean hasUnsupportedCriticalExtension();
+
+ /**
+ Returns a set of the CRITICAL extension OIDs from the
+ certificate/CRL that the object implementing this interface
+ manages.
+
+ @return A Set containing the OIDs. If there are no CRITICAL
+ extensions or extensions at all this returns null.
+ */
+ Set getCriticalExtensionOIDs();
+
+ /**
+ Returns a set of the NON-CRITICAL extension OIDs from the
+ certificate/CRL that the object implementing this interface
+ manages.
+
+ @return A Set containing the OIDs. If there are no NON-CRITICAL
+ extensions or extensions at all this returns null.
+ */
+ Set getNonCriticalExtensionOIDs();
+
+ /**
+ Returns the DER encoded OCTET string for the specified
+ extension value identified by a OID. The OID is a string
+ of number separated by periods. Ex: 12.23.45.67
+ */
+ byte[] getExtensionValue(String oid);
+
+}
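Review bot: `getExtensionValue(String oid)` is the only method in this interface without `@param`/`@return`, and it does not say what the caller receives when the certificate or CRL has no extension with that OID, whereas the two OID-set accessors state their null case explicitly. I would add `@param oid the dotted-decimal OID of the extension` and an `@return` that spells out the absent case (presumably null, to be confirmed against the implementations). The example `12.23.45.67` is also not a well-formed OID, since the first arc is limited to 0..2, which is the same bound the `checkOid` helper earlier in this commit enforces. An OID already used in this commit, such as `2.5.29.15`, would be a better example.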
diff --git a/libjava/classpath/java/security/cert/package.html b/libjava/classpath/java/security/cert/package.html
new file mode 100644
index 00000000000..14b12d16cc3
--- /dev/null
+++ b/libjava/classpath/java/security/cert/package.html
@@ -0,0 +1,46 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<!-- package.html - describes classes in java.security.cert package.
+ Copyright (C) 2002 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING. If not, write to the
+Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+02110-1301 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library. Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module. An independent module is a module which is not derived from
+or based on this library. If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so. If you do not wish to do so, delete this
+exception statement from your version. -->
+
+<html>
+<head><title>GNU Classpath - java.security.cert</title></head>
+
+<body>
+<p></p>
+
+</body>
+</html>