121 files changed, 19014 insertions, 30 deletions

diff --git a/javax/crypto/BadPaddingException.java b/javax/crypto/BadPaddingException.java
new file mode 100644
index 000000000..d15224f3e
--- /dev/null
+++ b/javax/crypto/BadPaddingException.java
@@ -0,0 +1,79 @@
+/* BadPaddingException -- Signals bad padding bytes on decryption.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * This exception is thrown during decryption when the decrypted input
+ * does not have the proper padding bytes that are expected by the padding
+ * mechanism.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class BadPaddingException extends GeneralSecurityException
+{
+
+  // Constant.
+  // ------------------------------------------------------------------------
+
+  /** Serialization constant. */
+  private static final long serialVersionUID = -5315033893984728443L;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Creates a new bad padding exception with no detail message.
+   */
+  public BadPaddingException()
+  {
+    super();
+  }
+
+  /**
+   * Creates a new bad padding exception with a detail message.
+   *
+   * @param message The detail message.
+   */
+  public BadPaddingException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/crypto/Cipher.java b/javax/crypto/Cipher.java
new file mode 100644
index 000000000..d768d6ad7
--- /dev/null
+++ b/javax/crypto/Cipher.java
@@ -0,0 +1,1097 @@
+/* Cipher.java -- Interface to a cryptographic cipher.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.AlgorithmParameters;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.security.spec.AlgorithmParameterSpec;
+
+import java.util.Enumeration;
+import java.util.StringTokenizer;
+
+import gnu.java.security.Engine;
+
+/**
+ * <p>This class implements a cryptographic cipher for transforming
+ * data.</p>
+ *
+ * <p>Ciphers cannot be instantiated directly; rather one of the
+ * <code>getInstance</code> must be used to instantiate a given
+ * <i>transformation</i>, optionally with a specific provider.</p>
+ *
+ * <p>A transformation is of the form:</p>
+ *
+ * <ul>
+ * <li><i>algorithm</i>/<i>mode</i>/<i>padding</i>, or</li>
+ * <li><i>algorithm</i>
+ * </ul>
+ *
+ * <p>where <i>algorithm</i> is the base name of a cryptographic cipher
+ * (such as "AES"), <i>mode</i> is the abbreviated name of a block
+ * cipher mode (such as "CBC" for cipher block chaining mode), and
+ * <i>padding</i> is the name of a padding scheme (such as
+ * "PKCS5Padding"). If only the algorithm name is supplied, then the
+ * provider-specific default mode and padding will be used.</p>
+ *
+ * <p>An example transformation is:</p>
+ *
+ * <blockquote><code>Cipher c =
+ * Cipher.getInstance("AES/CBC/PKCS5Padding");</code></blockquote>
+ *
+ * <p>Finally, when requesting a block cipher in stream cipher mode
+ * (such as <acronym title="Advanced Encryption Standard">AES</acronym>
+ * in OFB or CFB mode) the number of bits to be processed
+ * at a time may be specified by appending it to the name of the mode;
+ * e.g. <code>"AES/OFB8/NoPadding"</code>. If no such number is
+ * specified a provider-specific default value is used.</p>
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @see java.security.KeyGenerator
+ * @see javax.crypto.SecretKey
+ */
+public class Cipher
+{
+
+  // Constants and variables.
+  // ------------------------------------------------------------------------
+
+  private static final String SERVICE = "Cipher";
+
+  /**
+   * The decryption operation mode.
+   */
+  public static final int DECRYPT_MODE = 2;
+
+  /**
+   * The encryption operation mode.
+   */
+  public static final int ENCRYPT_MODE = 1;
+
+  /**
+   * Constant for when the key to be unwrapped is a private key.
+   */
+  public static final int PRIVATE_KEY = 2;
+
+  /**
+   * Constant for when the key to be unwrapped is a public key.
+   */
+  public static final int PUBLIC_KEY = 1;
+
+  /**
+   * Constant for when the key to be unwrapped is a secret key.
+   */
+  public static final int SECRET_KEY = 3;
+
+  /**
+   * The key unwrapping operation mode.
+   */
+  public static final int UNWRAP_MODE = 4;
+
+  /**
+   * The key wrapping operation mode.
+   */
+  public static final int WRAP_MODE = 3;
+
+  /**
+   * The uninitialized state. This state signals that any of the
+   * <code>init</code> methods have not been called, and therefore no
+   * transformations can be done.
+   */
+  private static final int INITIAL_STATE = 0;
+
+  /** The underlying cipher service provider interface. */
+  private CipherSpi cipherSpi;
+
+  /** The provider from which this instance came. */
+  private Provider provider;
+
+  /** The transformation requested. */
+  private String transformation;
+
+  /** Our current state (encrypting, wrapping, etc.) */
+  private int state;
+
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * <p>Creates a new cipher instance for the given transformation.</p>
+   *
+   * <p>The installed providers are tried in order for an
+   * implementation, and the first appropriate instance is returned. If
+   * no installed provider can provide the implementation, an
+   * appropriate exception is thrown.</p>
+   *
+   * @param transformation The transformation to create.
+   * @return An appropriate cipher for this transformation.
+   * @throws java.security.NoSuchAlgorithmException If no installed
+   *         provider can supply the appropriate cipher or mode.
+   * @throws javax.crypto.NoSuchPaddingException If no installed
+   *         provider can supply the appropriate padding.
+   */
+  public static final Cipher getInstance(String transformation)
+    throws NoSuchAlgorithmException, NoSuchPaddingException
+  {
+    Provider[] providers = Security.getProviders();
+    NoSuchPaddingException ex = null;
+    String msg = "";
+    for (int i = 0; i < providers.length; i++)
+      {
+        try
+          {
+            return getInstance(transformation, providers[i]);
+          }
+        catch (NoSuchAlgorithmException nsae)
+          {
+            msg = nsae.getMessage();
+            ex = null;
+          }
+        catch (NoSuchPaddingException nspe)
+          {
+            ex = nspe;
+          }
+      }
+    if (ex != null)
+      {
+        throw ex;
+      }
+    throw new NoSuchAlgorithmException(msg);
+  }
+
+  /**
+   * <p>Creates a new cipher instance for the given transformation and
+   * the named provider.</p>
+   *
+   * @param transformation The transformation to create.
+   * @param provider       The name of the provider to use.
+   * @return An appropriate cipher for this transformation.
+   * @throws java.security.NoSuchAlgorithmException If the provider cannot
+   *         supply the appropriate cipher or mode.
+   * @throws java.security.NoSuchProviderException If the named provider
+   *         is not installed.
+   * @throws javax.crypto.NoSuchPaddingException If the provider cannot
+   *         supply the appropriate padding.
+   */
+  public static final Cipher getInstance(String transformation, String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException,
+           NoSuchPaddingException
+  {
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(transformation, p);
+  }
+
+  /**
+   * Creates a new cipher instance for the given transform and the given
+   * provider.
+   *
+   * @param transformation The transformation to create.
+   * @param provider       The provider to use.
+   * @return An appropriate cipher for this transformation.
+   * @throws java.security.NoSuchAlgorithmException If the given
+   *         provider cannot supply the appropriate cipher or mode.
+   * @throws javax.crypto.NoSuchPaddingException If the given
+   *         provider cannot supply the appropriate padding scheme.
+   */
+  public static final Cipher getInstance(String transformation, Provider provider)
+    throws NoSuchAlgorithmException, NoSuchPaddingException
+  {
+    CipherSpi result = null;
+    String key = null;
+    String alg = null, mode = null, pad = null;
+    String msg = "";
+    if (transformation.indexOf('/') < 0)
+      {
+        try
+          {
+            result = (CipherSpi) Engine.getInstance(SERVICE, transformation,
+                                                    provider);
+            return new Cipher(result, provider, transformation);
+          }
+        catch (Exception e)
+          {
+            msg = e.getMessage();
+          }
+      }
+    else
+      {
+        StringTokenizer tok = new StringTokenizer(transformation, "/");
+        if (tok.countTokens() != 3)
+          {
+            throw new NoSuchAlgorithmException("badly formed transformation");
+          }
+        alg = tok.nextToken();
+        mode = tok.nextToken();
+        pad = tok.nextToken();
+        try
+          {
+            result = (CipherSpi) Engine.getInstance(SERVICE, transformation,
+                                                    provider);
+            return new Cipher(result, provider, transformation);
+          }
+        catch (Exception e)
+          {
+            msg = e.getMessage();
+          }
+        try
+          {
+            result = (CipherSpi) Engine.getInstance(SERVICE, alg + '/' + mode,
+                                                    provider);
+            result.engineSetPadding(pad);
+            return new Cipher(result, provider, transformation);
+          }
+        catch (Exception e)
+          {
+            if (e instanceof NoSuchPaddingException)
+              {
+                throw (NoSuchPaddingException) e;
+              }
+            msg = e.getMessage();
+          }
+        try
+          {
+            result = (CipherSpi) Engine.getInstance(SERVICE, alg + "//" + pad,
+                                                    provider);
+            result.engineSetMode(mode);
+            return new Cipher(result, provider, transformation);
+          }
+        catch (Exception e)
+          {
+            msg = e.getMessage();
+          }
+        try
+          {
+            result = (CipherSpi) Engine.getInstance(SERVICE, alg, provider);
+            result.engineSetMode(mode);
+            result.engineSetPadding(pad);
+            return new Cipher(result, provider, transformation);
+          }
+        catch (Exception e)
+          {
+            if (e instanceof NoSuchPaddingException)
+              {
+                throw (NoSuchPaddingException) e;
+              }
+            msg = e.getMessage();
+          }
+      }
+    throw new NoSuchAlgorithmException(transformation + ": " + msg);
+  }
+
+// Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a cipher.
+   *
+   * @param cipherSpi The underlying implementation of the cipher.
+   * @param provider  The provider of this cipher implementation.
+   * @param transformation The transformation this cipher performs.
+   */
+  protected
+  Cipher(CipherSpi cipherSpi, Provider provider, String transformation)
+  {
+    this.cipherSpi = cipherSpi;
+    this.provider = provider;
+    this.transformation = transformation;
+    state = INITIAL_STATE;
+  }
+
+// Public instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the name that this cipher instance was created with; this is
+   * equivalent to the "transformation" argument given to any of the
+   * {@link #getInstance()} methods.
+   *
+   * @return The cipher name.
+   */
+  public final String getAlgorithm()
+  {
+    return transformation;
+  }
+
+  /**
+   * Return the size of blocks, in bytes, that this cipher processes.
+   *
+   * @return The block size.
+   */
+  public final int getBlockSize()
+  {
+    if (cipherSpi != null)
+      {
+        return cipherSpi.engineGetBlockSize();
+      }
+    return 1;
+  }
+
+  /**
+   * Return the currently-operating {@link ExemptionMechanism}.
+   *
+   * @return null, currently.
+   */
+  public final ExemptionMechanism getExemptionMechanism()
+  {
+    return null;
+  }
+
+  /**
+   * Return the <i>initialization vector</i> that this instance was
+   * initialized with.
+   *
+   * @return The IV.
+   */
+  public final byte[] getIV()
+  {
+    if (cipherSpi != null)
+      {
+        return cipherSpi.engineGetIV();
+      }
+    return null;
+  }
+
+  /**
+   * Return the {@link java.security.AlgorithmParameters} that this
+   * instance was initialized with.
+   *
+   * @return The parameters.
+   */
+  public final AlgorithmParameters getParameters()
+  {
+    if (cipherSpi != null) {
+      return cipherSpi.engineGetParameters();
+    }
+    return null;
+  }
+
+  /**
+   * Return this cipher's provider.
+   *
+   * @return The provider.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Finishes a multi-part transformation, and returns the final
+   * transformed bytes.
+   *
+   * @return The final transformed bytes.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized, or if a <tt>doFinal</tt> call has already
+   *         been made.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input is not a multiple of this cipher's
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is
+   *         decrypting and the padding bytes do not match this
+   *         instance's padding scheme.
+   */
+  public final byte[] doFinal()
+    throws IllegalStateException, IllegalBlockSizeException, BadPaddingException
+  {
+    return doFinal(new byte[0], 0, 0);
+  }
+
+  /**
+   * Finishes a multi-part transformation or does an entire
+   * transformation on the input, and returns the transformed bytes.
+   *
+   * @param input The final input bytes.
+   * @return The final transformed bytes.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized, or if a <tt>doFinal</tt> call has already
+   *         been made.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input is not a multiple of this cipher's
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is
+   *         decrypting and the padding bytes do not match this
+   *         instance's padding scheme.
+   */
+  public final byte[] doFinal(byte[] input)
+    throws IllegalStateException, IllegalBlockSizeException, BadPaddingException
+  {
+    return doFinal(input, 0, input.length);
+  }
+
+  /**
+   * Finishes a multi-part transformation or does an entire
+   * transformation on the input, and returns the transformed bytes.
+   *
+   * @param input       The final input bytes.
+   * @param inputOffset The index in the input bytes to start.
+   * @param inputLength The number of bytes to read from the input.
+   * @return The final transformed bytes.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized, or if a <tt>doFinal</tt> call has already
+   *         been made.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input is not a multiple of this cipher's
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is
+   *         decrypting and the padding bytes do not match this
+   *         instance's padding scheme.
+   */
+  public final byte[] doFinal(byte[] input, int inputOffset, int inputLength)
+    throws IllegalStateException, IllegalBlockSizeException, BadPaddingException
+  {
+    if (cipherSpi == null)
+      {
+        byte[] b = new byte[inputLength];
+        System.arraycopy(input, inputOffset, b, 0, inputLength);
+        return b;
+      }
+    if (state != ENCRYPT_MODE && state != DECRYPT_MODE)
+      {
+        throw new IllegalStateException("neither encrypting nor decrypting");
+      }
+    state = INITIAL_STATE;
+    return cipherSpi.engineDoFinal(input, inputOffset, inputLength);
+  }
+
+  /**
+   * Finishes a multi-part transformation and stores the transformed
+   * bytes into the given array.
+   *
+   * @param output       The destination for the transformed bytes.
+   * @param outputOffset The offset in <tt>output</tt> to start storing
+   *        bytes.
+   * @return The number of bytes placed into the output array.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized, or if a <tt>doFinal</tt> call has already
+   *         been made.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input is not a multiple of this cipher's
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is
+   *         decrypting and the padding bytes do not match this
+   *         instance's padding scheme.
+   * @throws javax.crypto.ShortBufferException If the output array is
+   *         not large enough to hold the transformed bytes.
+   */
+  public final int doFinal(byte[] output, int outputOffset)
+    throws IllegalStateException, IllegalBlockSizeException, BadPaddingException,
+           ShortBufferException
+  {
+    if (cipherSpi == null)
+      {
+        return 0;
+      }
+    if (state != ENCRYPT_MODE && state != DECRYPT_MODE)
+      {
+        throw new IllegalStateException("neither encrypting nor decrypting");
+      }
+    state = INITIAL_STATE;
+    return cipherSpi.engineDoFinal(new byte[0], 0, 0, output, outputOffset);
+  }
+
+  /**
+   * Finishes a multi-part transformation or transforms a portion of a
+   * byte array, and stores the result in the given byte array.
+   *
+   * @param input        The input bytes.
+   * @param inputOffset  The index in <tt>input</tt> to start.
+   * @param inputLength  The number of bytes to transform.
+   * @param output       The output buffer.
+   * @param outputOffset The index in <tt>output</tt> to start.
+   * @return The number of bytes placed into the output array.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized, or if a <tt>doFinal</tt> call has already
+   *         been made.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input is not a multiple of this cipher's
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is
+   *         decrypting and the padding bytes do not match this
+   *         instance's padding scheme.
+   * @throws javax.crypto.ShortBufferException If the output array is
+   *         not large enough to hold the transformed bytes.
+   */
+  public final int doFinal(byte[] input, int inputOffset, int inputLength,
+                           byte[] output, int outputOffset)
+    throws IllegalStateException, IllegalBlockSizeException, BadPaddingException,
+           ShortBufferException
+  {
+    if (cipherSpi == null)
+      {
+        if (inputLength > output.length - outputOffset)
+          {
+            throw new ShortBufferException();
+          }
+        System.arraycopy(input, inputOffset, output, outputOffset, inputLength);
+        return inputLength;
+      }
+    if (state != ENCRYPT_MODE && state != DECRYPT_MODE)
+      {
+        throw new IllegalStateException("neither encrypting nor decrypting");
+      }
+    state = INITIAL_STATE;
+    return cipherSpi.engineDoFinal(input, inputOffset, inputLength,
+                                   output, outputOffset);
+  }
+
+  public final int doFinal(byte[] input, int inputOffset, int inputLength,
+                           byte[] output)
+    throws IllegalStateException, IllegalBlockSizeException, BadPaddingException,
+           ShortBufferException
+  {
+    return doFinal(input, inputOffset, inputLength, output, 0);
+  }
+
+  /**
+   * Returns the size an output buffer needs to be if this cipher is
+   * updated with a number of bytes.
+   *
+   * @param inputLength The input length.
+   * @return The output length given this input length.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized, or if a <tt>doFinal</tt> call has already
+   *         been made.
+   */
+  public final int getOutputSize(int inputLength) throws IllegalStateException
+  {
+    if (cipherSpi == null)
+      {
+        return inputLength;
+      }
+    if (state != ENCRYPT_MODE && state != DECRYPT_MODE)
+      {
+        throw new IllegalStateException("neither encrypting nor decrypting");
+      }
+    return cipherSpi.engineGetOutputSize(inputLength);
+  }
+
+  /**
+   * <p>Initialize this cipher with the public key from the given
+   * certificate.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>As per the Java 1.4 specification, if <code>cert</code> is an
+   * instance of an {@link java.security.cert.X509Certificate} and its
+   * <i>key usage</i> extension field is incompatible with
+   * <code>opmode</code> then an {@link
+   * java.security.InvalidKeyException} is thrown.</p>
+   *
+   * <p>If this cipher requires any random bytes (for example for an
+   * initilization vector) than the {@link java.security.SecureRandom}
+   * with the highest priority is used as the source of these bytes.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode      The operation mode to use.
+   * @param certificate The certificate.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the certificate's public key, or if the
+   *         public key cannot be used as described above.
+   */
+  public final void init(int opmode, Certificate certificate)
+    throws InvalidKeyException
+  {
+    init(opmode, certificate, new SecureRandom());
+  }
+
+  /**
+   * <p>Initialize this cipher with the supplied key.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>If this cipher requires any random bytes (for example for an
+   * initilization vector) than the {@link java.security.SecureRandom}
+   * with the highest priority is used as the source of these bytes.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode The operation mode to use.
+   * @param key    The key.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the given key.
+   */
+  public final void init(int opmode, Key key) throws InvalidKeyException
+  {
+    state = opmode;
+    if (cipherSpi != null)
+      {
+        cipherSpi.engineInit(opmode, key, new SecureRandom());
+      }
+  }
+
+  /**
+   * <p>Initialize this cipher with the public key from the given
+   * certificate and the specified source of randomness.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>As per the Java 1.4 specification, if <code>cert</code> is an
+   * instance of an {@link java.security.cert.X509Certificate} and its
+   * <i>key usage</i> extension field is incompatible with
+   * <code>opmode</code> then an {@link
+   * java.security.InvalidKeyException} is thrown.</p>
+   *
+   * <p>If this cipher requires any random bytes (for example for an
+   * initilization vector) than the {@link java.security.SecureRandom}
+   * with the highest priority is used as the source of these bytes.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode      The operation mode to use.
+   * @param certificate The certificate.
+   * @param random      The source of randomness.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the certificate's public key, or if the
+   *         public key cannot be used as described above.
+   */
+  public final void
+  init(int opmode, Certificate certificate, SecureRandom random)
+  throws InvalidKeyException
+  {
+    if (certificate instanceof X509Certificate)
+      {
+        boolean[] keyInfo = ((X509Certificate) certificate).getKeyUsage();
+        if (keyInfo != null)
+          {
+            switch (opmode)
+              {
+              case DECRYPT_MODE:
+                if (!keyInfo[3])
+                  {
+                    throw new InvalidKeyException(
+                      "the certificate's key cannot be used for transforming data");
+                  }
+                if (keyInfo[7])
+                  {
+                    throw new InvalidKeyException(
+                      "the certificate's key can only be used for encryption");
+                  }
+                break;
+
+              case ENCRYPT_MODE:
+                if (!keyInfo[3])
+                  {
+                    throw new InvalidKeyException(
+                      "the certificate's key cannot be used for transforming data");
+                  }
+                if (keyInfo[8])
+                  {
+                    throw new InvalidKeyException(
+                      "the certificate's key can only be used for decryption");
+                  }
+                break;
+
+              case UNWRAP_MODE:
+                if (!keyInfo[2] || keyInfo[7])
+                  {
+                    throw new InvalidKeyException(
+                      "the certificate's key cannot be used for key unwrapping");
+                  }
+                break;
+
+              case WRAP_MODE:
+                if (!keyInfo[2] || keyInfo[8])
+                  {
+                    throw new InvalidKeyException(
+                      "the certificate's key cannot be used for key wrapping");
+                  }
+                break;
+              }
+          }
+      }
+    init(opmode, certificate.getPublicKey(), random);
+  }
+
+  /**
+   * <p>Initialize this cipher with the supplied key and source of
+   * randomness.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode The operation mode to use.
+   * @param key    The key.
+   * @param random The source of randomness to use.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the given key.
+   */
+  public final void init(int opmode, Key key, SecureRandom random)
+    throws InvalidKeyException
+  {
+    state = opmode;
+    if (cipherSpi != null)
+      {
+        cipherSpi.engineInit(opmode, key, random);
+      }
+  }
+
+  /**
+   * <p>Initialize this cipher with the supplied key and parameters.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>If this cipher requires any random bytes (for example for an
+   * initilization vector) then the {@link java.security.SecureRandom}
+   * with the highest priority is used as the source of these bytes.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode The operation mode to use.
+   * @param key    The key.
+   * @param params The algorithm parameters to initialize this instance
+   *               with.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the given key.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inappropriate for this cipher.
+   */
+  public final void init(int opmode, Key key, AlgorithmParameters params)
+    throws InvalidKeyException, InvalidAlgorithmParameterException
+  {
+    init(opmode, key, params, new SecureRandom());
+  }
+
+  /**
+   * <p>Initialize this cipher with the supplied key and parameters.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>If this cipher requires any random bytes (for example for an
+   * initilization vector) then the {@link java.security.SecureRandom}
+   * with the highest priority is used as the source of these bytes.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode The operation mode to use.
+   * @param key    The key.
+   * @param params The algorithm parameters to initialize this instance
+   *               with.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the given key.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inappropriate for this cipher.
+   */
+  public final void init(int opmode, Key key, AlgorithmParameterSpec params)
+    throws InvalidKeyException, InvalidAlgorithmParameterException
+  {
+    init(opmode, key, params, new SecureRandom());
+  }
+
+  /**
+   * <p>Initialize this cipher with the supplied key, parameters, and
+   * source of randomness.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode The operation mode to use.
+   * @param key    The key.
+   * @param params The algorithm parameters to initialize this instance
+   *               with.
+   * @param random The source of randomness to use.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the given key.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inappropriate for this cipher.
+   */
+  public final void init(int opmode, Key key, AlgorithmParameters params,
+                         SecureRandom random)
+    throws InvalidKeyException, InvalidAlgorithmParameterException
+  {
+    state = opmode;
+    if (cipherSpi != null)
+      {
+        cipherSpi.engineInit(opmode, key, params, random);
+      }
+  }
+
+  /**
+   * <p>Initialize this cipher with the supplied key, parameters, and
+   * source of randomness.</p>
+   *
+   * <p>The cipher will be initialized for encryption, decryption, key
+   * wrapping, or key unwrapping, depending upon whether the
+   * <code>opmode</code> argument is {@link #ENCRYPT_MODE}, {@link
+   * #DECRYPT_MODE}, {@link #WRAP_MODE}, or {@link #UNWRAP_MODE},
+   * respectively.</p>
+   *
+   * <p>A call to any of the <code>init</code> methods overrides the
+   * state of the instance, and is equivalent to creating a new instance
+   * and calling its <code>init</code> method.</p>
+   *
+   * @param opmode The operation mode to use.
+   * @param key    The key.
+   * @param params The algorithm parameters to initialize this instance
+   *               with.
+   * @param random The source of randomness to use.
+   * @throws java.security.InvalidKeyException If the underlying cipher
+   *         instance rejects the given key.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inappropriate for this cipher.
+   */
+  public final void init(int opmode, Key key, AlgorithmParameterSpec params,
+                         SecureRandom random)
+    throws InvalidKeyException, InvalidAlgorithmParameterException
+  {
+    state = opmode;
+    if (cipherSpi != null)
+      {
+        cipherSpi.engineInit(opmode, key, params, random);
+      }
+  }
+
+  /**
+   * Unwrap a previously-wrapped key.
+   *
+   * @param wrappedKey          The wrapped key.
+   * @param wrappedKeyAlgorithm The algorithm with which the key was
+   *        wrapped.
+   * @param wrappedKeyType      The type of key (public, private, or
+   *        secret) that this wrapped key respresents.
+   * @return The unwrapped key.
+   * @throws java.lang.IllegalStateException If this instance has not be
+   *         initialized for unwrapping.
+   * @throws java.security.InvalidKeyException If <code>wrappedKey</code>
+   *         is not a wrapped key, if the algorithm cannot unwrap this
+   *         key, or if the unwrapped key's type differs from the
+   *         specified type.
+   * @throws java.security.NoSuchAlgorithmException If
+   *         <code>wrappedKeyAlgorithm</code> is not a valid algorithm
+   *         name.
+   */
+  public final Key unwrap(byte[] wrappedKey, String wrappedKeyAlgorithm,
+                          int wrappedKeyType)
+    throws IllegalStateException, InvalidKeyException, NoSuchAlgorithmException
+  {
+    if (cipherSpi == null)
+      {
+        return null;
+      }
+    if (state != UNWRAP_MODE)
+      {
+        throw new IllegalStateException("instance is not for unwrapping");
+      }
+    return cipherSpi.engineUnwrap(wrappedKey, wrappedKeyAlgorithm,
+                                  wrappedKeyType);
+  }
+
+  /**
+   * Continue a multi-part transformation on an entire byte array,
+   * returning the transformed bytes.
+   *
+   * @param input The input bytes.
+   * @return The transformed bytes.
+   * @throws java.lang.IllegalStateException If this cipher was not
+   *         initialized for encryption or decryption.
+   */
+  public final byte[] update(byte[] input) throws IllegalStateException
+  {
+    return update(input, 0, input.length);
+  }
+
+  /**
+   * Continue a multi-part transformation on part of a byte array,
+   * returning the transformed bytes.
+   *
+   * @param input       The input bytes.
+   * @param inputOffset The index in the input to start.
+   * @param inputLength The number of bytes to transform.
+   * @return The transformed bytes.
+   * @throws java.lang.IllegalStateException If this cipher was not
+   *         initialized for encryption or decryption.
+   */
+  public final byte[] update(byte[] input, int inputOffset, int inputLength)
+    throws IllegalStateException
+  {
+    if (cipherSpi == null)
+      {
+        byte[] b = new byte[inputLength];
+        System.arraycopy(input, inputOffset, b, 0, inputLength);
+        return b;
+      }
+    if (state != ENCRYPT_MODE && state != DECRYPT_MODE)
+      {
+        throw new IllegalStateException(
+          "cipher is not for encrypting or decrypting");
+      }
+    return cipherSpi.engineUpdate(input, inputOffset, inputLength);
+  }
+
+  /**
+   * Continue a multi-part transformation on part of a byte array,
+   * placing the transformed bytes into the given array.
+   *
+   * @param input       The input bytes.
+   * @param inputOffset The index in the input to start.
+   * @param inputLength The number of bytes to transform.
+   * @param output      The output byte array.
+   * @return The number of transformed bytes.
+   * @throws java.lang.IllegalStateException If this cipher was not
+   *         initialized for encryption or decryption.
+   * @throws javax.security.ShortBufferException If there is not enough
+   *         room in the output array to hold the transformed bytes.
+   */
+  public final int update(byte[] input, int inputOffset, int inputLength,
+                          byte[] output)
+    throws IllegalStateException, ShortBufferException
+  {
+    return update(input, inputOffset, inputLength, output, 0);
+  }
+
+  /**
+   * Continue a multi-part transformation on part of a byte array,
+   * placing the transformed bytes into the given array.
+   *
+   * @param input        The input bytes.
+   * @param inputOffset  The index in the input to start.
+   * @param inputLength  The number of bytes to transform.
+   * @param output       The output byte array.
+   * @param outputOffset The index in the output array to start.
+   * @return The number of transformed bytes.
+   * @throws java.lang.IllegalStateException If this cipher was not
+   *         initialized for encryption or decryption.
+   * @throws javax.security.ShortBufferException If there is not enough
+   *         room in the output array to hold the transformed bytes.
+   */
+  public final int update(byte[] input, int inputOffset, int inputLength,
+                          byte[] output, int outputOffset)
+    throws IllegalStateException, ShortBufferException
+  {
+    if (cipherSpi == null)
+      {
+        if (inputLength > output.length - outputOffset)
+          {
+            throw new ShortBufferException();
+          }
+        System.arraycopy(input, inputOffset, output, outputOffset, inputLength);
+        return inputLength;
+      }
+    if (state != ENCRYPT_MODE && state != DECRYPT_MODE)
+      {
+        throw new IllegalStateException(
+          "cipher is not for encrypting or decrypting");
+      }
+    return cipherSpi.engineUpdate(input, inputOffset, inputLength,
+                                  output, outputOffset);
+  }
+
+  /**
+   * Wrap a key.
+   *
+   * @param key The key to wrap.
+   * @return The wrapped key.
+   * @throws java.lang.IllegalStateException If this instance was not
+   *         initialized for key wrapping.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the key is not a multiple of the block size.
+   * @throws java.security.InvalidKeyException If this instance cannot
+   *         wrap this key.
+   */
+  public final byte[] wrap(Key key)
+    throws IllegalStateException, IllegalBlockSizeException, InvalidKeyException
+  {
+    if (cipherSpi == null)
+      {
+        return null;
+      }
+    if (state != WRAP_MODE)
+      {
+        throw new IllegalStateException("instance is not for key wrapping");
+      }
+    return cipherSpi.engineWrap(key);
+  }
+}
diff --git a/javax/crypto/CipherInputStream.java b/javax/crypto/CipherInputStream.java
new file mode 100644
index 000000000..c01cb47ac
--- /dev/null
+++ b/javax/crypto/CipherInputStream.java
@@ -0,0 +1,383 @@
+/* CipherInputStream.java -- Filters input through a cipher.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.io.FilterInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * This is an {@link java.io.InputStream} that filters its data
+ * through a {@link Cipher} before returning it. The <code>Cipher</code>
+ * argument must have been initialized before it is passed to the
+ * constructor.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class CipherInputStream extends FilterInputStream
+{
+
+  // Constants and variables.
+  // ------------------------------------------------------------------------
+
+  /**
+   * The underlying {@link Cipher} instance.
+   */
+  private Cipher cipher;
+
+  /**
+   * Data that has been transformed but not read.
+   */
+  private byte[] outBuffer;
+
+  /**
+   * The offset into {@link #outBuffer} where valid data starts.
+   */
+  private int outOffset;
+
+  /**
+   * The number of valid bytes in the {@link #outBuffer}.
+   */
+  private int outLength;
+
+  /**
+   * Byte buffer that is filled with raw data from the underlying input
+   * stream.
+   */
+  private byte[][] inBuffer;
+
+  /**
+   * The amount of bytes in inBuffer[0] that may be input to the cipher.
+   */
+  private int inLength;
+
+  /**
+   * We set this when the cipher block size is 1, meaning that we can
+   * transform any amount of data.
+   */
+  private boolean isStream;
+
+  private static final int VIRGIN = 0;  // I am born.
+  private static final int LIVING = 1;  // I am nailed to the hull.
+  private static final int DYING  = 2;  // I am eaten by sharks.
+  private static final int DEAD   = 3;
+  private int state;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Creates a new input stream with a source input stream and cipher.
+   *
+   * @param in     The underlying input stream.
+   * @param cipher The cipher to filter data through.
+   */
+  public CipherInputStream(InputStream in, Cipher cipher)
+  {
+    this(in);
+    this.cipher = cipher;
+    if (!(isStream = cipher.getBlockSize() == 1))
+      {
+        inBuffer = new byte[2][];
+        inBuffer[0] = new byte[cipher.getBlockSize()];
+        inBuffer[1] = new byte[cipher.getBlockSize()];
+        inLength = 0;
+        outBuffer = new byte[cipher.getBlockSize()];
+        outOffset = outLength = 0;
+        state = VIRGIN;
+      }
+  }
+
+  /**
+   * Creates a new input stream without a cipher. This constructor is
+   * <code>protected</code> because this class does not work without an
+   * underlying cipher.
+   *
+   * @param in The underlying input stream.
+   */
+  protected CipherInputStream(InputStream in)
+  {
+    super(in);
+  }
+
+  // Instance methods overriding java.io.FilterInputStream.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Returns the number of bytes available without blocking. The value
+   * returned by this method is never greater than the underlying
+   * cipher's block size.
+   *
+   * @return The number of bytes immediately available.
+   * @throws java.io.IOException If an I/O exception occurs.
+   */
+  public int available() throws IOException
+  {
+    if (isStream)
+      return super.available();
+    return outLength - outOffset;
+  }
+
+  /**
+   * Close this input stream. This method merely calls the {@link
+   * java.io.InputStream#close()} method of the underlying input stream.
+   *
+   * @throws java.io.IOException If an I/O exception occurs.
+   */
+  public void close() throws IOException
+  {
+    super.close();
+  }
+
+  /**
+   * Read a single byte from this input stream; returns -1 on the
+   * end-of-file.
+   *
+   * @return The byte read, or -1 if there are no more bytes.
+   * @throws java.io.IOExcpetion If an I/O exception occurs.
+   */
+  public int read() throws IOException
+  {
+    if (isStream)
+      {
+        byte[] buf = new byte[1];
+        int in = super.read();
+        if (in == -1)
+          return -1;
+        buf[0] = (byte) in;
+        try
+          {
+            cipher.update(buf, 0, 1, buf, 0);
+          }
+        catch (ShortBufferException shouldNotHappen)
+          {
+            throw new IOException(shouldNotHappen.getMessage());
+          }
+        return buf[0] & 0xFF;
+      }
+    if (state == DEAD) return -1;
+    if (available() == 0) nextBlock();
+    if (state == DEAD) return -1;
+    return outBuffer[outOffset++] & 0xFF;
+  }
+
+  /**
+   * Read bytes into an array, returning the number of bytes read or -1
+   * on the end-of-file.
+   *
+   * @param buf The byte array to read into.
+   * @param off The offset in <code>buf</code> to start.
+   * @param len The maximum number of bytes to read.
+   * @return The number of bytes read, or -1 on the end-of-file.
+   * @throws java.io.IOException If an I/O exception occurs.
+   */
+  public int read(byte[] buf, int off, int len) throws IOException
+  {
+    if (isStream)
+      {
+        len = super.read(buf, off, len);
+        try
+          {
+            cipher.update(buf, off, len, buf, off);
+          }
+        catch (ShortBufferException shouldNotHappen)
+          {
+            throw new IOException(shouldNotHappen.getMessage());
+          }
+        return len;
+      }
+
+    int count = 0;
+    while (count < len)
+      {
+        if (available() == 0)
+          nextBlock();
+        if (state == DEAD)
+          {
+            if (count > 0) return count;
+            else return -1;
+          }
+        int l = Math.min(available(), len - count);
+        System.arraycopy(outBuffer, outOffset, buf, count+off, l);
+        count += l;
+        outOffset = outLength = 0;
+      }
+    return count;
+  }
+
+  /**
+   * Read bytes into an array, returning the number of bytes read or -1
+   * on the end-of-file.
+   *
+   * @param buf The byte arry to read into.
+   * @return The number of bytes read, or -1 on the end-of-file.
+   * @throws java.io.IOException If an I/O exception occurs.
+   */
+  public int read(byte[] buf) throws IOException
+  {
+    return read(buf, 0, buf.length);
+  }
+
+  /**
+   * Skip a number of bytes. This class only supports skipping as many
+   * bytes as are returned by {@link #available()}, which is the number
+   * of transformed bytes currently in this class's internal buffer.
+   *
+   * @param bytes The number of bytes to skip.
+   * @return The number of bytes skipped.
+   */
+  public long skip(long bytes) throws IOException
+  {
+    if (isStream)
+      {
+        return super.skip(bytes);
+      }
+    long ret = 0;
+    if (bytes > 0 && available() > 0)
+      {
+        ret = available();
+        outOffset = outLength = 0;
+      }
+    return ret;
+  }
+
+  /**
+   * Returns whether or not this input stream supports the {@link
+   * #mark(long)} and {@link #reset()} methods; this input stream does
+   * not, however, and invariably returns <code>false</code>.
+   *
+   * @return <code>false</code>
+   */
+  public boolean markSupported()
+  {
+    return false;
+  }
+
+  /**
+   * Set the mark. This method is unsupported and is empty.
+   *
+   * @param mark Is ignored.
+   */
+  public void mark(long mark)
+  {
+  }
+
+  /**
+   * Reset to the mark. This method is unsupported and is empty.
+   */
+  public void reset() throws IOException
+  {
+    throw new IOException("reset not supported");
+  }
+
+  // Own methods.
+  // -------------------------------------------------------------------------
+
+  private void nextBlock() throws IOException
+  {
+    byte[] temp = inBuffer[0];
+    inBuffer[0] = inBuffer[1];
+    inBuffer[1] = temp;
+    int count = 0;
+    boolean eof = false;
+
+    if (state == VIRGIN || state == LIVING)
+      {
+        do
+          {
+            int l = in.read(inBuffer[1], count, inBuffer[1].length - count);
+            if (l == -1)
+              {
+                eof = true;
+                break;
+              }
+            count += l;
+          }
+        while (count < inBuffer[1].length);
+      }
+
+    try
+      {
+        switch (state)
+          {
+          case VIRGIN:
+            state = LIVING;
+            nextBlock();
+            break;
+          case LIVING:
+            if (eof)
+              {
+                if (count > 0)
+                  {
+                    outOffset = cipher.update(inBuffer[0], 0, inLength, outBuffer, 0);
+                    state = DYING;
+                  }
+                else
+                  {
+                    outOffset = cipher.doFinal(inBuffer[0], 0, inLength, outBuffer, 0);
+                    state = DEAD;
+                  }
+              }
+            else
+              {
+                outOffset = cipher.update(inBuffer[0], 0, inLength, outBuffer, 0);
+              }
+            break;
+          case DYING:
+            outOffset = cipher.doFinal(inBuffer[0], 0, inLength, outBuffer, 0);
+            state = DEAD;
+            break;
+          case DEAD:
+          }
+      }
+    catch (ShortBufferException sbe)
+      {
+        throw new IOException(sbe.toString());
+      }
+    catch (BadPaddingException bpe)
+      {
+        throw new IOException(bpe.toString());
+      }
+    catch (IllegalBlockSizeException ibse)
+      {
+        throw new IOException(ibse.toString());
+      }
+    inLength = count;
+  }
+}
diff --git a/javax/crypto/CipherOutputStream.java b/javax/crypto/CipherOutputStream.java
new file mode 100644
index 000000000..7eb09c1d0
--- /dev/null
+++ b/javax/crypto/CipherOutputStream.java
@@ -0,0 +1,268 @@
+/* CipherOutputStream.java -- Filters output through a cipher.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.io.FilterOutputStream;
+import java.io.IOException;
+import java.io.OutputStream;
+
+/**
+ * A filtered output stream that transforms data written to it with a
+ * {@link Cipher} before sending it to the underlying output stream.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class CipherOutputStream extends FilterOutputStream
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  /** The underlying cipher. */
+  private Cipher cipher;
+
+  private byte[][] inBuffer;
+
+  private int inLength;
+
+  private byte[] outBuffer;
+
+  private static final int FIRST_TIME  = 0;
+  private static final int SECOND_TIME = 1;
+  private static final int SEASONED    = 2;
+  private int state;
+
+  /** True if the cipher is a stream cipher (blockSize == 1) */
+  private boolean isStream;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new cipher output stream. The cipher argument must have
+   * already been initialized.
+   *
+   * @param out    The sink for transformed data.
+   * @param cipher The cipher to transform data with.
+   */
+  public CipherOutputStream(OutputStream out, Cipher cipher)
+  {
+    super(out);
+    if (cipher != null)
+      {
+        this.cipher = cipher;
+        if (!(isStream = cipher.getBlockSize() == 1))
+          {
+            inBuffer = new byte[2][];
+            inBuffer[0] = new byte[cipher.getBlockSize()];
+            inBuffer[1] = new byte[cipher.getBlockSize()];
+            inLength = 0;
+            state = FIRST_TIME;
+          }
+      }
+    else
+      this.cipher = new NullCipher();
+  }
+
+  /**
+   * Create a cipher output stream with no cipher.
+   *
+   * @param out The sink for transformed data.
+   */
+  protected CipherOutputStream(OutputStream out)
+  {
+    super(out);
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Close this output stream, and the sink output stream.
+   *
+   * <p>This method will first invoke the {@link Cipher#doFinal()}
+   * method of the underlying {@link Cipher}, and writes the output of
+   * that method to the sink output stream.
+   *
+   * @throws java.io.IOException If an I/O error occurs, or if an error
+   *         is caused by finalizing the transformation.
+   */
+  public void close() throws IOException
+  {
+    try
+      {
+        int len;
+        if (state != FIRST_TIME)
+          {
+            len = cipher.update(inBuffer[0], 0, inBuffer[0].length, outBuffer);
+            out.write(outBuffer, 0, len);
+          }
+        len = cipher.doFinal(inBuffer[0], 0, inLength, outBuffer);
+        out.write(outBuffer, 0, len);
+      }
+    catch (javax.crypto.IllegalBlockSizeException ibse)
+      {
+        throw new IOException(ibse.toString());
+      }
+    catch (javax.crypto.BadPaddingException bpe)
+      {
+        throw new IOException(bpe.toString());
+      }
+    catch (ShortBufferException sbe)
+      {
+        throw new IOException(sbe.toString());
+      }
+    out.flush();
+    out.close();
+  }
+
+  /**
+   * Flush any pending output.
+   *
+   * @throws java.io.IOException If an I/O error occurs.
+   */
+  public void flush() throws IOException
+  {
+    out.flush();
+  }
+
+  /**
+   * Write a single byte to the output stream.
+   *
+   * @param b The next byte.
+   * @throws java.io.IOException If an I/O error occurs, or if the
+   *         underlying cipher is not in the correct state to transform
+   *         data.
+   */
+  public void write(int b) throws IOException
+  {
+    if (isStream)
+      {
+        byte[] buf = new byte[] { (byte) b };
+        try
+          {
+            cipher.update(buf, 0, 1, buf, 0);
+          }
+        catch (ShortBufferException sbe)
+          {
+            throw new IOException(sbe.toString());
+          }
+        out.write(buf);
+        return;
+      }
+    inBuffer[1][inLength++] = (byte) b;
+    if (inLength == inBuffer[1].length)
+      process();
+  }
+
+  /**
+   * Write a byte array to the output stream.
+   *
+   * @param buf The next bytes.
+   * @throws java.io.IOException If an I/O error occurs, or if the
+   *         underlying cipher is not in the correct state to transform
+   *         data.
+   */
+  public void write(byte[] buf) throws IOException
+  {
+    write(buf, 0, buf.length);
+  }
+
+  /**
+   * Write a portion of a byte array to the output stream.
+   *
+   * @param buf The next bytes.
+   * @param off The offset in the byte array to start.
+   * @param len The number of bytes to write.
+   * @throws java.io.IOException If an I/O error occurs, or if the
+   *         underlying cipher is not in the correct state to transform
+   *         data.
+   */
+  public void write(byte[] buf, int off, int len) throws IOException
+  {
+    if (isStream)
+      {
+        out.write(cipher.update(buf, off, len));
+        return;
+      }
+    int count = 0;
+    while (count < len)
+      {
+        int l = Math.min(inBuffer[1].length - inLength, len - count);
+        System.arraycopy(buf, off+count, inBuffer[1], inLength, l);
+        count += l;
+        inLength += l;
+        if (inLength == inBuffer[1].length)
+          process();
+      }
+  }
+
+  // Own method.
+  // -------------------------------------------------------------------------
+
+  private void process() throws IOException
+  {
+    if (state == SECOND_TIME)
+      {
+        state = SEASONED;
+      }
+    else
+      {
+        byte[] temp = inBuffer[0];
+        inBuffer[0] = inBuffer[1];
+        inBuffer[1] = temp;
+      }
+    if (state == FIRST_TIME)
+      {
+        inLength = 0;
+        state = SECOND_TIME;
+        return;
+      }
+    try
+      {
+        cipher.update(inBuffer[0], 0, inBuffer[0].length, outBuffer);
+      }
+    catch (ShortBufferException sbe)
+      {
+        throw new IOException(sbe.toString());
+      }
+    out.write(outBuffer);
+    inLength = 0;
+  }
+}
diff --git a/javax/crypto/CipherSpi.java b/javax/crypto/CipherSpi.java
new file mode 100644
index 000000000..06ea534f4
--- /dev/null
+++ b/javax/crypto/CipherSpi.java
@@ -0,0 +1,398 @@
+/* CipherSpi.java -- The cipher service provider interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.AlgorithmParameters;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * <p>This class represents the <i>Service Provider Interface</i>
+ * (<b>SPI</b>) for cryptographic ciphers.</p>
+ *
+ * <p>Providers of cryptographic ciphers must subclass this for every
+ * cipher they implement, implementing the abstract methods as
+ * appropriate, then provide an entry that points to the subclass in
+ * their implementation of {@link java.security.Provider}.</p>
+ *
+ * <p>CipherSpi objects are instantiated along with {@link Cipher}s when
+ * the {@link Cipher#getInstance(java.lang.String)} methods are invoked.
+ * Particular ciphers are referenced by a <i>transformation</i>, which
+ * is a String consisting of the cipher's name or the ciper's name
+ * followed by a mode and a padding. Transformations all follow the
+ * general form:</p>
+ *
+ * <ul>
+ * <li><i>algorithm</i>, or</li>
+ * <li><i>algorithm</i>/<i>mode</i>/<i>padding</i>
+ * </ul>
+ *
+ * <p>Cipher names in the master {@link java.security.Provider} class
+ * may be:</p>
+ *
+ * <ol>
+ * <li>The algorithm's name, which uses a pluggable mode and padding:
+ * <code>Cipher.<i>algorithm</i></code></li>
+ * <li>The algorithm's name and the mode, which uses pluggable padding:
+ * <code>Cipher.<i>algorithm</i>/<i>mode</i></code></li>
+ * <li>The algorithm's name and the padding, which uses a pluggable
+ * mode: <code>Cipher.<i>algorithm</i>//<i>padding</i></code></li>
+ * <li>The algorihtm's name, the mode, and the padding:
+ * <code>Cipher.<i>algorithm</i>/<i>mode</i>/<i>padding</i></code></li>
+ * </ol>
+ *
+ * <p>When any {@link Cipher#getInstance(java.lang.String)} method is
+ * invoked, the following happens if the transformation is simply
+ * <i>algorithm</i>:</p>
+ *
+ * <ol>
+ * <li>If the provider defines a <code>CipherSpi</code> implementation
+ * for "<i>algorithm</i>", return it. Otherwise throw a {@link
+ * java.security.NoSuchAlgorithmException}.</li>
+ * </ol>
+ *
+ * <p>If the transformation is of the form
+ * <i>algorithm</i>/<i>mode</i>/<i>padding</i>:</p>
+ *
+ * <ol>
+ * <li>If the provider defines a <code>CipherSpi</code> subclass for
+ * "<i>algorithm</i>/<i>mode</i>/<i>padding</i>", return it. Otherwise
+ * go to step 2.</li>
+ *
+ * <li>If the provider defines a <code>CipherSpi</code> subclass for
+ * "<i>algorithm</i>/<i>mode</i>", instatiate it, call {@link
+ * #engineSetPadding(java.lang.String)} for the padding name, and return
+ * it. Otherwise go to step 3.</li>
+ *
+ * <li>If the provider defines a <code>CipherSpi</code> subclass for
+ * "<i>algorithm</i>//<i>padding</i>", instatiate it, call {@link
+ * #engineSetMode(java.lang.String)} for the mode name, and return
+ * it. Otherwise go to step 4.</li>
+ *
+ * <li>If the provider defines a <code>CipherSpi</code> subclass for
+ * "<i>algorithm</i>", instatiate it, call {@link
+ * #engineSetMode(java.lang.String)} for the mode name, call {@link
+ * #engineSetPadding(java.lang.String)} for the padding name, and return
+ * it. Otherwise throw a {@link java.security.NoSuchAlgorithmException}.</li>
+ * </ol>
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public abstract class CipherSpi
+{
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new CipherSpi.
+   */
+  public CipherSpi()
+  {
+  }
+
+  // Abstract methods to be implemented by providers.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Finishes a multi-part transformation or transforms a portion of a
+   * byte array, and returns the transformed bytes.
+   *
+   * @param input       The input bytes.
+   * @param inputOffset The index in the input at which to start.
+   * @param inputLength The number of bytes to transform.
+   * @return The transformed bytes in a new array.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input size is not a multiple of the
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is being
+   *         used for decryption and the padding is not appropriate for
+   *         this instance's padding scheme.
+   */
+  protected abstract byte[]
+  engineDoFinal(byte[] input, int inputOffset, int inputLength)
+  throws IllegalBlockSizeException, BadPaddingException;
+
+  /**
+   * Finishes a multi-part transformation or transforms a portion of a
+   * byte array, and stores the transformed bytes in the supplied array.
+   *
+   * @param input        The input bytes.
+   * @param inputOffset  The index in the input at which to start.
+   * @param inputLength  The number of bytes to transform.
+   * @param output       The output byte array.
+   * @param outputOffset The index in the output array at which to start.
+   * @return The number of transformed bytes stored in the output array.
+   * @throws javax.crypto.IllegalBlockSizeException If this instance has
+   *         no padding and the input size is not a multiple of the
+   *         block size.
+   * @throws javax.crypto.BadPaddingException If this instance is being
+   *         used for decryption and the padding is not appropriate for
+   *         this instance's padding scheme.
+   * @throws javax.crypto.ShortBufferException If there is not enough
+   *         space in the output array for the transformed bytes.
+   */
+  protected abstract int
+  engineDoFinal(byte[] input, int inputOffset, int inputLength,
+                byte[] output, int outputOffset)
+  throws IllegalBlockSizeException, BadPaddingException, ShortBufferException;
+
+  /**
+   * Returns the block size of the underlying cipher.
+   *
+   * @return The block size.
+   */
+  protected abstract int engineGetBlockSize();
+
+  /**
+   * Returns the initializaiton vector this cipher was initialized with,
+   * if any.
+   *
+   * @return The IV, or null if this cipher uses no IV or if this
+   *         instance has not been initialized yet.
+   */
+  protected abstract byte[] engineGetIV();
+
+  /**
+   * <p>Return the length of the given key in bits.</p>
+   *
+   * <p>For compatibility this method is not declared
+   * <code>abstract</code>, and the default implementation will throw an
+   * {@link java.lang.UnsupportedOperationException}. Concrete
+   * subclasses should override this method to return the correct
+   * value.</p>
+   *
+   * @param key The key to get the size for.
+   * @return The size of the key, in bits.
+   * @throws java.security.InvalidKeyException If the key's length
+   *         cannot be determined by this implementation.
+   */
+  protected int engineGetKeySize(Key key) throws InvalidKeyException
+  {
+    throw new UnsupportedOperationException();
+  }
+
+  /**
+   * <p>Returns the size, in bytes, an output buffer must be for a call
+   * to {@link #engineUpdate(byte[],int,int,byte[],int)} or {@link
+   * #engineDoFinal(byte[],int,int,byte[],int)} to succeed.</p>
+   *
+   * <p>The actual output length may be smaller than the value returned
+   * by this method, as it considers the padding length as well. The
+   * length considered is the argument plus the length of any buffered,
+   * unprocessed bytes.</p>
+   *
+   * @param inputLength The input length, in bytes.
+   * @return The size an output buffer must be.
+   */
+  protected abstract int engineGetOutputSize(int inputLength);
+
+  /**
+   * Returns the parameters that this cipher is using. This may be the
+   * parameters used to initialize this cipher, or it may be parameters
+   * that have been initialized with random values.
+   *
+   * @return This cipher's parameters, or <code>null</code> if this
+   *         cipher does not use parameters.
+   */
+  protected abstract AlgorithmParameters engineGetParameters();
+
+  /**
+   * Initializes this cipher with an operation mode, key, and source of
+   * randomness. If this cipher requires any other initializing data,
+   * for example an initialization vector, then it should generate it
+   * from the provided source of randomness.
+   *
+   * @param opmode The operation mode, one of {@link
+   *        Cipher#DECRYPT_MODE}, {@link Cipher#ENCRYPT_MODE}, {@link
+   *        Cipher#UNWRAP_MODE}, or {@link Cipher#WRAP_MODE}.
+   * @param key    The key to initialize this cipher with.
+   * @param random The source of random bytes to use.
+   * @throws java.security.InvalidKeyException If the given key is not
+   *         acceptable for this implementation.
+   */
+  protected abstract void engineInit(int opmode, Key key, SecureRandom random)
+  throws InvalidKeyException;
+
+  /**
+   * Initializes this cipher with an operation mode, key, parameters,
+   * and source of randomness. If this cipher requires any other
+   * initializing data, for example an initialization vector, then it should
+   * generate it from the provided source of randomness.
+   *
+   * @param opmode The operation mode, one of {@link
+   *        Cipher#DECRYPT_MODE}, {@link Cipher#ENCRYPT_MODE}, {@link
+   *        Cipher#UNWRAP_MODE}, or {@link Cipher#WRAP_MODE}.
+   * @param key    The key to initialize this cipher with.
+   * @param params The algorithm parameters to initialize with.
+   * @param random The source of random bytes to use.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         given parameters are not appropriate for this
+   *         implementation.
+   * @throws java.security.InvalidKeyException If the given key is not
+   *         acceptable for this implementation.
+   */
+  protected abstract void
+  engineInit(int opmode, Key key, AlgorithmParameters params,
+             SecureRandom random)
+  throws InvalidAlgorithmParameterException, InvalidKeyException;
+
+  /**
+   * Initializes this cipher with an operation mode, key, parameters,
+   * and source of randomness. If this cipher requires any other
+   * initializing data, for example an initialization vector, then it should
+   * generate it from the provided source of randomness.
+   *
+   * @param opmode The operation mode, one of {@link
+   *        Cipher#DECRYPT_MODE}, {@link Cipher#ENCRYPT_MODE}, {@link
+   *        Cipher#UNWRAP_MODE}, or {@link Cipher#WRAP_MODE}.
+   * @param key    The key to initialize this cipher with.
+   * @param params The algorithm parameters to initialize with.
+   * @param random The source of random bytes to use.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         given parameters are not appropriate for this
+   *         implementation.
+   * @throws java.security.InvalidKeyException If the given key is not
+   *         acceptable for this implementation.
+   */
+  protected abstract void
+  engineInit(int opmode, Key key, AlgorithmParameterSpec params,
+             SecureRandom random)
+  throws InvalidAlgorithmParameterException, InvalidKeyException;
+
+  /**
+   * Set the mode in which this cipher is to run.
+   *
+   * @param mode The name of the mode to use.
+   * @throws java.security.NoSuchAlgorithmException If the mode is
+   *         not supported by this cipher's provider.
+   */
+  protected abstract void engineSetMode(String mode)
+  throws NoSuchAlgorithmException;
+
+  /**
+   * Set the method with which the input is to be padded.
+   *
+   * @param padding The name of the padding to use.
+   * @throws javax.crypto.NoSuchPaddingException If the padding is not
+   *         supported by this cipher's provider.
+   */
+  protected abstract void engineSetPadding(String padding)
+  throws NoSuchPaddingException;
+
+  /**
+   * <p>Unwraps a previously-wrapped key.</p>
+   *
+   * <p>For compatibility this method is not declared
+   * <code>abstract</code>, and the default implementation will throw an
+   * {@link java.lang.UnsupportedOperationException}.</p>
+   *
+   * @param wrappedKey          The wrapped key.
+   * @param wrappedKeyAlgorithm The name of the algorithm used to wrap
+   *                            this key.
+   * @param wrappedKeyType      The type of wrapped key; one of
+   *                            {@link Cipher#PRIVATE_KEY},
+   *                            {@link Cipher#PUBLIC_KEY}, or
+   *                            {@link Cipher#SECRET_KEY}.
+   * @return The unwrapped key.
+   * @throws java.security.InvalidKeyException If the key cannot be
+   *         unwrapped, or if <code>wrappedKeyType</code> is an
+   *         inappropriate type for the unwrapped key.
+   * @throws java.security.NoSuchAlgorithmException If the
+   *         <code>wrappedKeyAlgorithm</code> is unknown.
+   */
+  protected Key engineUnwrap(byte[] wrappedKey, String wrappedKeyAlgorithm,
+                             int wrappedKeyType)
+  throws InvalidKeyException, NoSuchAlgorithmException
+  {
+    throw new UnsupportedOperationException();
+  }
+
+  /**
+   * Continue with a multi-part transformation, returning a new array of
+   * the transformed bytes.
+   *
+   * @param input       The next input bytes.
+   * @param inputOffset The index in the input array from which to start.
+   * @param inputLength The number of bytes to input.
+   * @return The transformed bytes.
+   */
+  protected abstract byte[]
+  engineUpdate(byte[] input, int inputOffset, int inputLength);
+
+  /**
+   * Continue with a multi-part transformation, storing the transformed
+   * bytes into the specified array.
+   *
+   * @param input        The next input bytes.
+   * @param inputOffset  The index in the input from which to start.
+   * @param inputLength  The number of bytes to input.
+   * @param output       The output buffer.
+   * @param outputOffset The index in the output array from which to start.
+   * @return The transformed bytes.
+   * @throws javax.crypto.ShortBufferException If there is not enough
+   *         space in the output array to store the transformed bytes.
+   */
+  protected abstract int
+  engineUpdate(byte[] input, int inputOffset, int inputLength,
+               byte[] output, int outputOffset)
+  throws ShortBufferException;
+
+  /**
+   * <p>Wrap a key.</p>
+   *
+   * <p>For compatibility this method is not declared
+   * <code>abstract</code>, and the default implementation will throw an
+   * {@link java.lang.UnsupportedOperationException}.</p>
+   *
+   * @param key The key to wrap.
+   * @return The wrapped key.
+   * @throws java.security.InvalidKeyException If the key cannot be
+   *         wrapped.
+   */
+  protected byte[] engineWrap(Key key) throws InvalidKeyException, IllegalBlockSizeException
+  {
+    throw new UnsupportedOperationException();
+  }
+}
diff --git a/javax/crypto/EncryptedPrivateKeyInfo.java b/javax/crypto/EncryptedPrivateKeyInfo.java
new file mode 100644
index 000000000..b64fbd6af
--- /dev/null
+++ b/javax/crypto/EncryptedPrivateKeyInfo.java
@@ -0,0 +1,284 @@
+/* EncryptedPrivateKeyInfo.java -- As in PKCS #8.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import gnu.java.security.OID;
+import gnu.java.security.der.DER;
+import gnu.java.security.der.DERReader;
+import gnu.java.security.der.DERValue;
+
+import java.io.IOException;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import java.security.AlgorithmParameters;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
+import java.security.spec.PKCS8EncodedKeySpec;
+
+/**
+ * An implementation of the <code>EncryptedPrivateKeyInfo</code> ASN.1
+ * type as specified in <a
+ * href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-8/">PKCS #8 -
+ * Private-Key Information Syntax Standard</a>.
+ *
+ * <p>The ASN.1 type <code>EncryptedPrivateKeyInfo</code> is:
+ *
+ * <blockquote>
+ * <pre>EncryptedPrivateKeyInfo ::= SEQUENCE {
+ *   encryptionAlgorithm EncryptionAlgorithmIdentifier,
+ *   encryptedData EncryptedData }
+ *
+ * EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
+ *
+ * EncrytpedData ::= OCTET STRING
+ *
+ * AlgorithmIdentifier ::= SEQUENCE {
+ *   algorithm  OBJECT IDENTIFIER,
+ *   parameters ANY DEFINED BY algorithm OPTIONAL }</pre>
+ * </blockquote>
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see java.security.spec.PKCS8EncodedKeySpec
+ */
+public class EncryptedPrivateKeyInfo
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  /** The encrypted data. */
+  private byte[] encryptedData;
+
+  /** The encoded, encrypted key. */
+  private byte[] encoded;
+
+  /** The OID of the encryption algorithm. */
+  private OID algOid;
+
+  /** The encryption algorithm's parameters. */
+  private AlgorithmParameters params;
+
+  /** The encoded ASN.1 algorithm parameters. */
+  private byte[] encodedParams;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new <code>EncryptedPrivateKeyInfo</code> object from raw
+   * encrypted data and the parameters used for encryption.
+   *
+   * <p>The <code>encryptedData</code> array is cloned.
+   *
+   * @param params        The encryption algorithm parameters.
+   * @param encryptedData The encrypted key data.
+   * @throws java.lang.IllegalArgumentException If the
+   *         <code>encryptedData</code> array is empty (zero-length).
+   * @throws java.security.NoSuchAlgorithmException If the algorithm
+   *         specified in the parameters is not supported.
+   * @throws java.lang.NullPointerException If <code>encryptedData</code>
+   *         is null.
+   */
+  public EncryptedPrivateKeyInfo(AlgorithmParameters params,
+                                 byte[] encryptedData)
+    throws IllegalArgumentException, NoSuchAlgorithmException
+  {
+    if (encryptedData.length == 0)
+      {
+        throw new IllegalArgumentException("0-length encryptedData");
+      }
+    this.params = params;
+    algOid = new OID(params.getAlgorithm());
+    this.encryptedData = (byte[]) encryptedData.clone();
+  }
+
+  /**
+   * Create a new <code>EncryptedPrivateKeyInfo</code> from an encoded
+   * representation, parsing the ASN.1 sequence.
+   *
+   * @param encoded The encoded info.
+   * @throws java.io.IOException If parsing the encoded data fails.
+   * @throws java.lang.NullPointerException If <code>encoded</code> is
+   *         null.
+   */
+  public EncryptedPrivateKeyInfo(byte[] encoded)
+    throws IOException
+  {
+    this.encoded = (byte[]) encoded.clone();
+    decode();
+  }
+
+  /**
+   * Create a new <code>EncryptedPrivateKeyInfo</code> from the cipher
+   * name and the encrytpedData.
+   *
+   * <p>The <code>encryptedData</code> array is cloned.
+   *
+   * @param algName       The name of the algorithm (as an object identifier).
+   * @param encryptedData The encrypted key data.
+   * @throws java.lang.IllegalArgumentException If the
+   *         <code>encryptedData</code> array is empty (zero-length).
+   * @throws java.security.NoSuchAlgorithmException If algName is not
+   *         the name of a supported algorithm.
+   * @throws java.lang.NullPointerException If <code>encryptedData</code>
+   *         is null.
+   */
+  public EncryptedPrivateKeyInfo(String algName, byte[] encryptedData)
+    throws IllegalArgumentException, NoSuchAlgorithmException,
+           NullPointerException
+  {
+    if (encryptedData.length == 0)
+      {
+        throw new IllegalArgumentException("0-length encryptedData");
+      }
+    this.algOid = new OID(algName);
+    this.encryptedData = (byte[]) encryptedData.clone();
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Return the name of the cipher used to encrypt this key.
+   *
+   * @return The algorithm name.
+   */
+  public String getAlgName()
+  {
+    return algOid.toString();
+  }
+
+  public AlgorithmParameters getAlgParameters()
+  {
+    if (params == null && encodedParams != null)
+      {
+        try
+          {
+            params = AlgorithmParameters.getInstance(getAlgName());
+            params.init(encodedParams);
+          }
+        catch (NoSuchAlgorithmException ignore)
+          {
+          }
+        catch (IOException ignore)
+          {
+          }
+      }
+    return params;
+  }
+
+  public synchronized byte[] getEncoded() throws IOException
+  {
+    if (encoded == null) encode();
+    return (byte[]) encoded.clone();
+  }
+
+  public byte[] getEncryptedData()
+  {
+    return encryptedData;
+  }
+
+  public PKCS8EncodedKeySpec getKeySpec(Cipher cipher)
+    throws InvalidKeySpecException
+  {
+    try
+      {
+        return new PKCS8EncodedKeySpec(cipher.doFinal(encryptedData));
+      }
+    catch (Exception x)
+      {
+        throw new InvalidKeySpecException(x.toString());
+      }
+  }
+
+  // Own methods.
+  // -------------------------------------------------------------------------
+
+  private void decode() throws IOException
+  {
+    DERReader der = new DERReader(encoded);
+    DERValue val = der.read();
+    if (val.getTag() != DER.SEQUENCE)
+      throw new IOException("malformed EncryptedPrivateKeyInfo");
+    val = der.read();
+    if (val.getTag() != DER.SEQUENCE)
+      throw new IOException("malformed AlgorithmIdentifier");
+    int algpLen = val.getLength();
+    DERValue oid = der.read();
+    if (oid.getTag() != DER.OBJECT_IDENTIFIER)
+      throw new IOException("malformed AlgorithmIdentifier");
+    algOid = (OID) oid.getValue();
+    if (algpLen == 0)
+      {
+        val = der.read();
+        if (val.getTag() != 0)
+          {
+            encodedParams = val.getEncoded();
+            der.read();
+          }
+      }
+    else if (oid.getEncodedLength() < val.getLength())
+      {
+        val = der.read();
+        encodedParams = val.getEncoded();
+      }
+    val = der.read();
+    if (val.getTag() != DER.OCTET_STRING)
+      throw new IOException("malformed AlgorithmIdentifier");
+    encryptedData = (byte[]) val.getValue();
+  }
+
+  private void encode() throws IOException
+  {
+    List algId = new ArrayList(2);
+    algId.add(new DERValue(DER.OBJECT_IDENTIFIER, algOid));
+    getAlgParameters();
+    if (params != null)
+      {
+        algId.add(DERReader.read(params.getEncoded()));
+      }
+    List epki = new ArrayList(2);
+    epki.add(new DERValue(DER.CONSTRUCTED|DER.SEQUENCE, algId));
+    epki.add(new DERValue(DER.OCTET_STRING, encryptedData));
+    encoded = new DERValue(DER.CONSTRUCTED|DER.SEQUENCE, epki).getEncoded();
+  }
+}
diff --git a/javax/crypto/ExemptionMechanism.java b/javax/crypto/ExemptionMechanism.java
new file mode 100644
index 000000000..7fa658e9e
--- /dev/null
+++ b/javax/crypto/ExemptionMechanism.java
@@ -0,0 +1,226 @@
+/* ExemptionMechanism.java -- Generic crypto-weakening mechanism.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.AlgorithmParameters;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.spec.AlgorithmParameterSpec;
+
+import gnu.java.security.Engine;
+
+/**
+ * An exemption mechanism, which will conditionally allow cryptography
+ * where it is not normally allowed, implements things such as <i>key
+ * recovery</i>, <i>key weakening</i>, or <i>key escrow</i>.
+ *
+ * <p><b>Implementation note</b>: this class is present for
+ * API-compatibility only; it is not actually used anywhere in this library
+ * and this library does not, in general, support crypto weakening.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class ExemptionMechanism
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------------
+
+  private static final String SERVICE = "ExemptionMechanism";
+  private ExemptionMechanismSpi emSpi;
+  private Provider provider;
+  private String mechanism;
+  private boolean virgin;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  protected ExemptionMechanism(ExemptionMechanismSpi emSpi, Provider provider,
+                               String mechanism)
+  {
+    this.emSpi = emSpi;
+    this.provider = provider;
+    this.mechanism = mechanism;
+    virgin = true;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  public static final ExemptionMechanism getInstance(String mechanism)
+  throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    String msg = "";
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(mechanism, provs[i]);
+          }
+        catch (NoSuchAlgorithmException nsae)
+          {
+            msg = nsae.getMessage();
+          }
+      }
+    throw new NoSuchAlgorithmException(msg);
+  }
+
+  public static final ExemptionMechanism getInstance(String mechanism,
+                                                     String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(mechanism, p);
+  }
+
+  public static final ExemptionMechanism getInstance(String mechanism,
+                                                     Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    try
+      {
+        return new ExemptionMechanism((ExemptionMechanismSpi)
+          Engine.getInstance(SERVICE, mechanism, provider),
+          provider, mechanism);
+      }
+    catch (InvocationTargetException ite)
+      {
+        if (ite.getCause() instanceof NoSuchAlgorithmException)
+          throw (NoSuchAlgorithmException) ite.getCause();
+        else
+          throw new NoSuchAlgorithmException(mechanism);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(mechanism);
+      }
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  public final byte[] genExemptionBlob()
+    throws IllegalStateException, ExemptionMechanismException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return emSpi.engineGenExemptionBlob();
+  }
+
+  public final int genExemptionBlob(byte[] output)
+    throws IllegalStateException, ExemptionMechanismException,
+           ShortBufferException
+  {
+    return genExemptionBlob(output, 0);
+  }
+
+  public final int genExemptionBlob(byte[] output, int outputOffset)
+    throws IllegalStateException, ExemptionMechanismException,
+           ShortBufferException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return emSpi.engineGenExemptionBlob(output, outputOffset);
+  }
+
+  public final String getName()
+  {
+    return mechanism;
+  }
+
+  public final int getOutputSize(int inputLength) throws IllegalStateException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return emSpi.engineGetOutputSize(inputLength);
+  }
+
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  public final void init(Key key)
+    throws ExemptionMechanismException, InvalidKeyException
+  {
+    emSpi.engineInit(key);
+    virgin = false;
+  }
+
+  public final void init(Key key, AlgorithmParameters params)
+    throws ExemptionMechanismException, InvalidAlgorithmParameterException,
+           InvalidKeyException
+  {
+    emSpi.engineInit(key, params);
+    virgin = false;
+  }
+
+  public final void init(Key key, AlgorithmParameterSpec params)
+    throws ExemptionMechanismException, InvalidAlgorithmParameterException,
+           InvalidKeyException
+  {
+    emSpi.engineInit(key, params);
+    virgin = false;
+  }
+
+  public final boolean isCryptoAllowed(Key key)
+    throws ExemptionMechanismException
+  {
+    return true;
+  }
+}
diff --git a/javax/crypto/ExemptionMechanismException.java b/javax/crypto/ExemptionMechanismException.java
new file mode 100644
index 000000000..42e1c5e9b
--- /dev/null
+++ b/javax/crypto/ExemptionMechanismException.java
@@ -0,0 +1,81 @@
+/* ExemptionMechanismException -- An error in an exemption mechanism.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is a part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or (at
+your option) any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License along
+with GNU Classpath; if not, write to the
+
+   Free Software Foundation, Inc.,
+   59 Temple Place, Suite 330,
+   Boston, MA  02111-1307
+   USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under terms
+of your choice, provided that you also meet, for each linked independent
+module, the terms and conditions of the license of that module.  An
+independent module is a module which is not derived from or based on
+this library.  If you modify this library, you may extend this exception
+to your version of the library, but you are not obligated to do so.  If
+you do not wish to do so, delete this exception statement from your
+version.  */
+
+
+package javax.crypto;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Signals a general exception in an {@link ExemptionMechanism}.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class ExemptionMechanismException extends GeneralSecurityException
+{
+
+  // Constant.
+  // ------------------------------------------------------------------------
+
+  /** Compatible with JDK1.4. */
+  private static final long serialVersionUID = 1572699429277957109L;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new exception with no detail message.
+   */
+  public ExemptionMechanismException()
+  {
+    super();
+  }
+
+  /**
+   * Create a new exception with a detail message.
+   *
+   * @param message The detail message.
+   */
+  public ExemptionMechanismException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/crypto/ExemptionMechanismSpi.java b/javax/crypto/ExemptionMechanismSpi.java
new file mode 100644
index 000000000..78997ee07
--- /dev/null
+++ b/javax/crypto/ExemptionMechanismSpi.java
@@ -0,0 +1,149 @@
+/* ExemptionMechanismSpi.java -- Exemption mechanism service provider interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.AlgorithmParameters;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * The <i>Service Provider Interface</i> (<b>SPI</b>) for the {@link
+ * ExemptionMechanism} class.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public abstract class ExemptionMechanismSpi
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new exemption mechanism SPI.
+   */
+  public ExemptionMechanismSpi()
+  {
+  }
+
+  // Abstract instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Return a key blob for the key that this mechanism was initialized
+   * with.
+   *
+   * @return The key blob.
+   * @throws javax.crypto.ExemptionMechanismException If generating the
+   *         blob fails.
+   */
+  protected abstract byte[] engineGenExemptionBlob()
+    throws ExemptionMechanismException;
+
+  /**
+   * Generate a key blob for the key that this mechanism was initialized
+   * with, storing it into the given byte array.
+   *
+   * @param output       The destination for the key blob.
+   * @param outputOffset The index in the output array to start.
+   * @return The size of the key blob.
+   * @throws javax.crypto.ExemptionMechanismException If generating the
+   *         blob fails.
+   * @throws javax.crypto.ShortBufferException If the output array is
+   *         not large enough for the key blob.
+   */
+  protected abstract int engineGenExemptionBlob(byte[] output, int outputOffset)
+    throws ExemptionMechanismException, ShortBufferException;
+
+  /**
+   * Get the size of the output blob given an input key size. The actual
+   * blob may be shorter than the value returned by this method. Both
+   * values are in bytes.
+   *
+   * @param inputLength The input size.
+   * @return The output size.
+   */
+  protected abstract int engineGetOutputSize(int inputLength);
+
+  /**
+   * Initialize this mechanism with a key.
+   *
+   * @param key The key.
+   * @throws javax.crypto.ExemptionMechanismException If generating the
+   *         blob fails.
+   * @throws java.security.InvalidKeyException If the supplied key
+   *         cannot be used.
+   */
+  protected abstract void engineInit(Key key)
+    throws ExemptionMechanismException, InvalidKeyException;
+
+  /**
+   * Initialize this mechanism with a key and parameters.
+   *
+   * @param key    The key.
+   * @param params The parameters.
+   * @throws javax.crypto.ExemptionMechanismException If generating the
+   *         blob fails.
+   * @throws java.security.InvalidAlgorithmParameterExceptin If the
+   *         supplied parameters are inappropriate.
+   * @throws java.security.InvalidKeyException If the supplied key
+   *         cannot be used.
+   */
+  protected abstract void engineInit(Key key, AlgorithmParameters params)
+    throws ExemptionMechanismException, InvalidAlgorithmParameterException,
+           InvalidKeyException;
+
+  /**
+   * Initialize this mechanism with a key and parameters.
+   *
+   * @param key    The key.
+   * @param params The parameters.
+   * @throws javax.crypto.ExemptionMechanismException If generating the
+   *         blob fails.
+   * @throws java.security.InvalidAlgorithmParameterExceptin If the
+   *         supplied parameters are inappropriate.
+   * @throws java.security.InvalidKeyException If the supplied key
+   *         cannot be used.
+   */
+  protected abstract void engineInit(Key key, AlgorithmParameterSpec params)
+    throws ExemptionMechanismException, InvalidAlgorithmParameterException,
+           InvalidKeyException;
+}
diff --git a/javax/crypto/IllegalBlockSizeException.java b/javax/crypto/IllegalBlockSizeException.java
new file mode 100644
index 000000000..1e442833c
--- /dev/null
+++ b/javax/crypto/IllegalBlockSizeException.java
@@ -0,0 +1,71 @@
+/* IllegalBlockSizeException.java -- Signals illegal block sizes.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * This exception is thrown when finishing encryption without padding or
+ * decryption and the input is not a multiple of the cipher's block
+ * size.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class IllegalBlockSizeException extends GeneralSecurityException
+{
+
+  // Constant.
+  // ------------------------------------------------------------------------
+
+  /** Serialization constant. */
+  private static final long serialVersionUID = -1965144811953540392L;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  public IllegalBlockSizeException()
+  {
+    super();
+  }
+
+  public IllegalBlockSizeException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/crypto/KeyAgreement.java b/javax/crypto/KeyAgreement.java
new file mode 100644
index 000000000..6f6ed34e0
--- /dev/null
+++ b/javax/crypto/KeyAgreement.java
@@ -0,0 +1,373 @@
+/* KeyAgreement.java -- Engine for key agreement methods.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.spec.AlgorithmParameterSpec;
+
+import gnu.java.security.Engine;
+
+/**
+ * Key agreement is a method in which two or more parties may agree on a
+ * secret key for symmetric cryptography or message authentication
+ * without transmitting any secrets in the clear. Key agreement
+ * algorithms typically use a public/private <i>key pair</i>, and the
+ * public key (along with some additional information) is sent across
+ * untrusted networks.
+ *
+ * <p>The most common form of key agreement used today is the
+ * <i>Diffie-Hellman key exchange algorithm</i>, described in <a
+ * href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-3/">PKCS #3 -
+ * Diffie Hellman Key Agreement Standard</a>.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see KeyGenerator
+ * @see SecretKey
+ */
+public class KeyAgreement
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  private static final String SERVICE = "KeyAgreement";
+
+  /** The underlying key agreement implementation. */
+  private KeyAgreementSpi kaSpi;
+
+  /** The provider of this implementation. */
+  private Provider provider;
+
+  /** The name of this instance's algorithm. */
+  private String algorithm;
+
+  /** Singnals whether or not this instance has been initialized. */
+  private boolean virgin;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  protected KeyAgreement(KeyAgreementSpi kaSpi, Provider provider,
+                         String algorithm)
+  {
+    this.kaSpi = kaSpi;
+    this.provider = provider;
+    this.algorithm = algorithm;
+    virgin = true;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get an implementation of an algorithm from the first provider that
+   * implements it.
+   *
+   * @param algorithm The name of the algorithm to get.
+   * @return The proper KeyAgreement instacne, if found.
+   * @throws java.security.NoSuchAlgorithmException If the specified
+   *         algorithm is not implemented by any installed provider.
+   */
+  public static final KeyAgreement getInstance(String algorithm)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    String msg = algorithm;
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(algorithm, provs[i]);
+          }
+        catch (NoSuchAlgorithmException nsae)
+          {
+            msg = nsae.getMessage();
+          }
+      }
+    throw new NoSuchAlgorithmException(msg);
+  }
+
+  /**
+   * Get an implementation of an algorithm from a named provider.
+   *
+   * @param algorithm The name of the algorithm to get.
+   * @param provider  The name of the provider from which to get the
+   *        implementation.
+   * @return The proper KeyAgreement instance, if found.
+   * @throws java.security.NoSuchAlgorithmException If the named provider
+   *         does not implement the algorithm.
+   * @throws java.security.NoSuchProviderException If the named provider
+   *         does not exist.
+   */
+  public static final KeyAgreement getInstance(String algorithm,
+                                               String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(algorithm, p);
+  }
+
+  /**
+   * Get an implementation of an algorithm from a specific provider.
+   *
+   * @param algorithm The name of the algorithm to get.
+   * @param provider  The provider from which to get the implementation.
+   * @return The proper KeyAgreement instance, if found.
+   * @throws java.security.NoSuchAlgorithmException If this provider
+   *         does not implement the algorithm.
+   */
+  public static final KeyAgreement getInstance(String algorithm,
+                                               Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    try
+      {
+        return new KeyAgreement((KeyAgreementSpi)
+          Engine.getInstance(SERVICE, algorithm, provider),
+          provider, algorithm);
+      }
+    catch (InvocationTargetException ite)
+      {
+        if (ite.getCause() == null)
+          throw new NoSuchAlgorithmException(algorithm);
+        if (ite.getCause() instanceof NoSuchAlgorithmException)
+          throw (NoSuchAlgorithmException) ite.getCause();
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Do a phase in the key agreement. The number of times this method is
+   * called depends upon the algorithm and the number of parties
+   * involved, but must be called at least once with the
+   * <code>lastPhase</code> flag set to <code>true</code>.
+   *
+   * @param key       The key for this phase.
+   * @param lastPhase Should be <code>true</code> if this will be the
+   *        last phase before generating the shared secret.
+   * @return The intermediate result, or <code>null</code> if there is
+   *         no intermediate result.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized.
+   * @throws java.security.InvalidKeyException If the key is
+   *         inappropriate for this algorithm.
+   */
+  public final Key doPhase(Key key, boolean lastPhase)
+    throws IllegalStateException, InvalidKeyException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return kaSpi.engineDoPhase(key, lastPhase);
+  }
+
+  /**
+   * Generate the shared secret in a new byte array.
+   *
+   * @return The shared secret.
+   * @throws java.lang.IllegalStateException If this instnace has not
+   *         been initialized, or if not enough calls to
+   *         <code>doPhase</code> have been made.
+   */
+  public final byte[] generateSecret() throws IllegalStateException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return kaSpi.engineGenerateSecret();
+  }
+
+  /**
+   * Generate the shared secret and store it into the supplied array.
+   *
+   * @param sharedSecret The array in which to store the secret.
+   * @param offset       The index in <code>sharedSecret</code> to start
+   *                     storing data.
+   * @return The length of the shared secret, in bytes.
+   * @throws java.lang.IllegalStateException If this instnace has not
+   *         been initialized, or if not enough calls to
+   *         <code>doPhase</code> have been made.
+   * @throws javax.crypto.ShortBufferException If the supplied array is
+   *         not large enough to store the result.
+   */
+  public final int generateSecret(byte[] sharedSecret, int offset)
+  throws IllegalStateException, ShortBufferException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return kaSpi.engineGenerateSecret(sharedSecret, offset);
+  }
+
+  /**
+   * Generate the shared secret and return it as an appropriate {@link
+   * SecretKey}.
+   *
+   * @param algorithm The secret key's algorithm.
+   * @return The shared secret as a secret key.
+   * @throws java.lang.IllegalStateException If this instnace has not
+   *         been initialized, or if not enough calls to
+   *         <code>doPhase</code> have been made.
+   * @throws java.security.InvalidKeyException If the shared secret
+   *         cannot be used to make a {@link SecretKey}.
+   * @throws java.security.NoSuchAlgorithmException If the specified
+   *         algorithm does not exist.
+   */
+  public final SecretKey generateSecret(String algorithm)
+  throws IllegalStateException, InvalidKeyException, NoSuchAlgorithmException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    return kaSpi.engineGenerateSecret(algorithm);
+  }
+
+  /**
+   * Return the name of this key-agreement algorithm.
+   *
+   * @return The algorithm name.
+   */
+  public final String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Return the provider of the underlying implementation.
+   *
+   * @return The provider.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Initialize this key agreement with a key. This method will use the
+   * highest-priority {@link java.security.SecureRandom} as its source
+   * of randomness.
+   *
+   * @param key The key, usually the user's private key.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         not appropriate.
+   */
+  public final void init(Key key) throws InvalidKeyException
+  {
+    init(key, new SecureRandom());
+  }
+
+  /**
+   * Initialize this key agreement with a key and a source of
+   * randomness.
+   *
+   * @param key    The key, usually the user's private key.
+   * @param random The source of randomness.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         not appropriate.
+   */
+  public final void init(Key key, SecureRandom random)
+    throws InvalidKeyException
+  {
+    kaSpi.engineInit(key, random);
+    virgin = false; // w00t!
+  }
+
+  /**
+   * Initialize this key agreement with a key and parameters. This
+   * method will use the highest-priority {@link
+   * java.security.SecureRandom} as its source of randomness.
+   *
+   * @param key    The key, usually the user's private key.
+   * @param params The algorithm parameters.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are not appropriate.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         not appropriate.
+   */
+  public final void init(Key key, AlgorithmParameterSpec params)
+    throws InvalidAlgorithmParameterException, InvalidKeyException
+  {
+    init(key, params, new SecureRandom());
+  }
+
+  /**
+   * Initialize this key agreement with a key, parameters, and source of
+   * randomness.
+   *
+   * @param key    The key, usually the user's private key.
+   * @param params The algorithm parameters.
+   * @param random The source of randomness.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are not appropriate.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         not appropriate.
+   */
+  public final void init(Key key, AlgorithmParameterSpec params,
+                         SecureRandom random)
+    throws InvalidAlgorithmParameterException, InvalidKeyException
+  {
+    kaSpi.engineInit(key, params, random);
+    virgin = false; // w00t!
+  }
+}
diff --git a/javax/crypto/KeyAgreementSpi.java b/javax/crypto/KeyAgreementSpi.java
new file mode 100644
index 000000000..231f11279
--- /dev/null
+++ b/javax/crypto/KeyAgreementSpi.java
@@ -0,0 +1,160 @@
+/* KeyAgreementSpi.java -- The key agreement service provider interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * This is the <i>Service Provider Interface</i> (<b>SPI</b>) for the
+ * {@link javax.crypto.KeyAgreement} class.
+ *
+ * <p>Providers wishing to implement a key agreement algorithm must
+ * subclass this and provide an appropriate implementation for all the
+ * abstract methods below, and provide an appropriate entry in the
+ * master {@link java.security.Provider} class (the service name for key
+ * agreement algorithms is <code>"KeyAgreement"</code>).
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see KeyAgreement
+ * @see SecretKey
+ */
+public abstract class KeyAgreementSpi
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new KeyAgreementSpi instance.
+   */
+  public KeyAgreementSpi()
+  {
+  }
+
+  // Abstract instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Do a phase in the key agreement.
+   *
+   * @param key The key to use for this phase.
+   * @param lastPhase <code>true</code> if this call should be the last
+   *        phase.
+   * @return The intermediate result, or <code>null</code> if there is
+   *         no intermediate result.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         not appropriate.
+   */
+  protected abstract Key engineDoPhase(Key key, boolean lastPhase)
+    throws IllegalStateException, InvalidKeyException;
+
+  /**
+   * Generate the shared secret in a new byte array.
+   *
+   * @return The shared secret in a new byte array.
+   * @throws java.lang.IllegalStateException If this key agreement is
+   *         not ready to generate the secret.
+   */
+  protected abstract byte[] engineGenerateSecret()
+    throws IllegalStateException;
+
+  /**
+   * Generate the shared secret, storing it into the specified array.
+   *
+   * @param sharedSecret The byte array in which to store the secret.
+   * @param offset       The offset into the byte array to start.
+   * @return The size of the shared secret.
+   * @throws java.lang.IllegalStateException If this key agreement is
+   *         not ready to generate the secret.
+   * @throws javax.crypto.ShortBufferException If there is not enough
+   *         space in the supplied array for the shared secret.
+   */
+  protected abstract int engineGenerateSecret(byte[] sharedSecret, int offset)
+    throws IllegalStateException, ShortBufferException;
+
+  /**
+   * Generate the shared secret and return it as a {@link SecretKey}.
+   *
+   * @param algorithm The algorithm with which to generate the secret key.
+   * @return The shared secret as a secret key.
+   * @throws java.lang.IllegalStateException If this key agreement is
+   *         not ready to generate the secret.
+   * @throws java.security.InvalidKeyException If the shared secret
+   *         cannot be made into a {@link SecretKey}.
+   * @throws java.security.NoSuchAlgorithmException If
+   *         <code>algorithm</code> cannot be found.
+   */
+  protected abstract SecretKey engineGenerateSecret(String algorithm)
+    throws IllegalStateException, InvalidKeyException, NoSuchAlgorithmException;
+
+  /**
+   * Initialize this key agreement with a key, parameters, and source of
+   * randomness.
+   *
+   * @param key    The key to initialize with, usually a private key.
+   * @param params The parameters to initialize with.
+   * @param random The source of randomness to use.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inappropriate.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         inappropriate.
+   */
+  protected abstract void engineInit(Key key, AlgorithmParameterSpec params,
+                                     SecureRandom random)
+    throws InvalidAlgorithmParameterException, InvalidKeyException;
+
+  /**
+   * Initialize this key agreement with a key and source of randomness.
+   *
+   * @param key    The key to initialize with, usually a private key.
+   * @param random The source of randomness to use.
+   * @throws java.security.InvalidKeyException If the supplied key is
+   *         inappropriate.
+   */
+  protected abstract void engineInit(Key key, SecureRandom random)
+    throws InvalidKeyException;
+}
diff --git a/javax/crypto/KeyGenerator.java b/javax/crypto/KeyGenerator.java
new file mode 100644
index 000000000..35753b036
--- /dev/null
+++ b/javax/crypto/KeyGenerator.java
@@ -0,0 +1,284 @@
+/* KeyGenerator.java -- Interface to a symmetric key generator.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.spec.AlgorithmParameterSpec;
+
+import gnu.java.security.Engine;
+
+/**
+ * A generic producer of keys for symmetric cryptography. The keys
+ * returned may be simple wrappers around byte arrays, or, if the
+ * target cipher requires them, more complex objects.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see Cipher
+ * @see Mac
+ */
+public class KeyGenerator
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------------
+
+  private static final String SERVICE = "KeyGenerator";
+
+  /** The underlying generator implementation. */
+  private KeyGeneratorSpi kgSpi;
+
+  /** The provider of the implementation. */
+  private Provider provider;
+
+  /** The name of the algorithm. */
+  private String algorithm;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new key generator.
+   *
+   * @param kgSpi     The underlying generator.
+   * @param provider  The provider of this implementation.
+   * @param algorithm The algorithm's name.
+   */
+  protected KeyGenerator(KeyGeneratorSpi kgSpi, Provider provider,
+                         String algorithm)
+  {
+    this.kgSpi = kgSpi;
+    this.provider = provider;
+    this.algorithm = algorithm;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new key generator, returning the first available
+   * implementation.
+   *
+   * @param algorithm The generator algorithm name.
+   * @throws java.security.NoSuchAlgorithmException If the specified
+   *         algorithm does not exist.
+   */
+  public static final KeyGenerator getInstance(String algorithm)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    String msg = algorithm;
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(algorithm, provs[i]);
+          }
+        catch (NoSuchAlgorithmException nsae)
+          {
+            msg = nsae.getMessage();
+          }
+      }
+    throw new NoSuchAlgorithmException(msg);
+  }
+
+  /**
+   * Create a new key generator from the named provider.
+   *
+   * @param algorithm The generator algorithm name.
+   * @param provider  The name of the provider to use.
+   * @return An appropriate key generator, if found.
+   * @throws java.security.NoSuchAlgorithmException If the specified
+   *         algorithm is not implemented by the named provider.
+   * @throws java.security.NoSuchProviderException If the named provider
+   *         does not exist.
+   */
+  public static final KeyGenerator getInstance(String algorithm, String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(algorithm, p);
+  }
+
+  /**
+   * Create a new key generator from the supplied provider.
+   *
+   * @param algorithm The generator algorithm name.
+   * @param provider  The provider to use.
+   * @return An appropriate key generator, if found.
+   * @throws java.security.NoSuchAlgorithmException If the specified
+   *         algorithm is not implemented by the provider.
+   */
+  public static final KeyGenerator getInstance(String algorithm, Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    try
+      {
+        return new KeyGenerator((KeyGeneratorSpi)
+          Engine.getInstance(SERVICE, algorithm, provider),
+          provider, algorithm);
+      }
+    catch (InvocationTargetException ite)
+      {
+        if (ite.getCause() == null)
+          throw new NoSuchAlgorithmException(algorithm);
+        if (ite.getCause() instanceof NoSuchAlgorithmException)
+          throw (NoSuchAlgorithmException) ite.getCause();
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Generate a key.
+   *
+   * @return The new key.
+   */
+  public final SecretKey generateKey()
+  {
+    return kgSpi.engineGenerateKey();
+  }
+
+  /**
+   * Return the name of this key generator.
+   *
+   * @return The algorithm name.
+   */
+  public final String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Return the provider of the underlying implementation.
+   *
+   * @return The provider.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Initialize this key generator with a set of parameters; the
+   * highest-priority {@link java.security.SecureRandom} implementation
+   * will be used.
+   *
+   * @param params The algorithm parameters.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inapproprate.
+   */
+  public final void init(AlgorithmParameterSpec params)
+    throws InvalidAlgorithmParameterException
+  {
+    init(params, new SecureRandom());
+  }
+
+  /**
+   * Initialize this key generator with a set of parameters and a source
+   * of randomness.
+   *
+   * @param params The algorithm parameters.
+   * @param random The source of randomness.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         supplied parameters are inapproprate.
+   */
+  public final void init(AlgorithmParameterSpec params, SecureRandom random)
+    throws InvalidAlgorithmParameterException
+  {
+    kgSpi.engineInit(params, random);
+  }
+
+  /**
+   * Initialize this key generator with a key size (in bits); the
+   * highest-priority {@link java.security.SecureRandom} implementation
+   * will be used.
+   *
+   * @param keySize The target key size, in bits.
+   * @throws java.security.InvalidParameterException If the
+   *         key size is unsupported.
+   */
+  public final void init(int keySize)
+  {
+    init(keySize, new SecureRandom());
+  }
+
+  /**
+   * Initialize this key generator with a key size (in bits) and a
+   * source of randomness.
+   *
+   * @param keySize The target key size, in bits.
+   * @param random  The source of randomness.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         key size is unsupported.
+   */
+  public final void init(int keySize, SecureRandom random)
+  {
+    kgSpi.engineInit(keySize, random);
+  }
+
+  /**
+   * Initialize this key generator with a source of randomness. The
+   * implementation-specific default parameters (such as key size) will
+   * be used.
+   *
+   * @param random The source of randomness.
+   */
+  public final void init(SecureRandom random)
+  {
+    kgSpi.engineInit(random);
+  }
+}
diff --git a/javax/crypto/KeyGeneratorSpi.java b/javax/crypto/KeyGeneratorSpi.java
new file mode 100644
index 000000000..fcf229b95
--- /dev/null
+++ b/javax/crypto/KeyGeneratorSpi.java
@@ -0,0 +1,112 @@
+/* KeyGeneratorSpi.java -- The key generator service provider interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * The <i>Service Provider Interface</i> (<b>SPI</b>) for the {@link
+ * KeyGenerator} class.
+ *
+ * <p>Providers wishing to implement a key generator must subclass this
+ * and provide an appropriate implementation for all the abstract
+ * methods below, and provide an appropriate entry in the master {@link
+ * java.security.Provider} class (the service name for key generators is
+ * <code>"KeyGenerator"</code>).
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see KeyGenerator
+ */
+public abstract class KeyGeneratorSpi
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /** Create a new key generator SPI. */
+  public KeyGeneratorSpi()
+  {
+  }
+
+  // Abstract instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Generate a key, returning it as a {@link SecretKey}.
+   *
+   * @return The generated key.
+   */
+  protected abstract SecretKey engineGenerateKey();
+
+  /**
+   * Initialize this key generator with parameters and a source of
+   * randomness.
+   *
+   * @param params The parameters.
+   * @param random The source of randomness.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         parameters are inappropriate for this instance.
+   */
+  protected abstract void engineInit(AlgorithmParameterSpec params,
+                                     SecureRandom random)
+    throws InvalidAlgorithmParameterException;
+
+  /**
+   * Initialize this key generator with a key size (in bits) and a
+   * source of randomness.
+   *
+   * @param keySize The target key size, in bits.
+   * @param random  The source of randomness.
+   * @throws java.security.InvalidParameterException If the
+   *         key size is illogical or unsupported.
+   */
+  protected abstract void engineInit(int keySize, SecureRandom random);
+
+  /**
+   * Initialize this key generator with a source of randomness; the
+   * implementation should use reasonable default parameters (such as
+   * generated key size).
+   *
+   * @param random The source of randomness.
+   */
+  protected abstract void engineInit(SecureRandom random);
+}
diff --git a/javax/crypto/Mac.java b/javax/crypto/Mac.java
new file mode 100644
index 000000000..55f5be61b
--- /dev/null
+++ b/javax/crypto/Mac.java
@@ -0,0 +1,414 @@
+/* Mac.java -- The message authentication code interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.Security;
+import java.security.spec.AlgorithmParameterSpec;
+
+import gnu.java.security.Engine;
+
+/**
+ * This class implements a "message authentication code" (MAC), a method
+ * to ensure the integrity of data transmitted between two parties who
+ * share a common secret key.
+ *
+ * <p>The best way to describe a MAC is as a <i>keyed one-way hash
+ * function</i>, which looks like:
+ *
+ * <blockquote><p><code>D = MAC(K, M)</code></blockquote>
+ *
+ * <p>where <code>K</code> is the key, <code>M</code> is the message,
+ * and <code>D</code> is the resulting digest. One party will usually
+ * send the concatenation <code>M || D</code> to the other party, who
+ * will then verify <code>D</code> by computing <code>D'</code> in a
+ * similar fashion. If <code>D == D'</code>, then the message is assumed
+ * to be authentic.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class Mac implements Cloneable
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  private static final String SERVICE = "Mac";
+
+  /** The underlying MAC implementation. */
+  private MacSpi macSpi;
+
+  /** The provider we got our implementation from. */
+  private Provider provider;
+
+  /** The name of the algorithm. */
+  private String algorithm;
+
+  /** Whether or not we've been initialized. */
+  private boolean virgin;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Creates a new Mac instance.
+   *
+   * @param macSpi    The underlying MAC implementation.
+   * @param provider  The provider of this implementation.
+   * @param algorithm The name of this MAC algorithm.
+   */
+  protected Mac(MacSpi macSpi, Provider provider, String algorithm)
+  {
+    this.macSpi = macSpi;
+    this.provider = provider;
+    this.algorithm = algorithm;
+    virgin = true;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get an instance of the named algorithm from the first provider with
+   * an appropriate implementation.
+   *
+   * @param algorithm The name of the algorithm.
+   * @return An appropriate Mac instance, if the specified algorithm
+   *         is implemented by a provider.
+   * @throws java.security.NoSuchAlgorithmException If no implementation
+   *         of the named algorithm is installed.
+   */
+  public static final Mac getInstance(String algorithm)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    String msg = "";
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(algorithm, provs[i]);
+          }
+        catch (NoSuchAlgorithmException nsae)
+          {
+            msg = nsae.getMessage();
+          }
+      }
+    throw new NoSuchAlgorithmException(msg);
+  }
+
+  /**
+   * Get an instance of the named algorithm from the named provider.
+   *
+   * @param algorithm The name of the algorithm.
+   * @param provider  The name of the provider.
+   * @return An appropriate Mac instance, if the specified algorithm is
+   *         implemented by the named provider.
+   * @throws java.security.NoSuchAlgorithmException If the named provider
+   *         has no implementation of the algorithm.
+   * @throws java.security.NoSuchProviderException If the named provider
+   *         does not exist.
+   */
+  public static final Mac getInstance(String algorithm, String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(algorithm, p);
+  }
+
+  /**
+   * Get an instance of the named algorithm from a provider.
+   *
+   * @param algorithm The name of the algorithm.
+   * @param provider  The provider.
+   * @return An appropriate Mac instance, if the specified algorithm is
+   *         implemented by the provider.
+   * @throws java.security.NoSuchAlgorithmException If the provider
+   *         has no implementation of the algorithm.
+   */
+  public static final Mac getInstance(String algorithm, Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    try
+      {
+        return new Mac((MacSpi) Engine.getInstance(SERVICE, algorithm, provider),
+                       provider, algorithm);
+      }
+    catch (InvocationTargetException ite)
+      {
+        if (ite.getCause() == null)
+          throw new NoSuchAlgorithmException(algorithm);
+        if (ite.getCause() instanceof NoSuchAlgorithmException)
+          throw (NoSuchAlgorithmException) ite.getCause();
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Finishes the computation of a MAC and returns the digest.
+   *
+   * <p>After this method succeeds, it may be used again as just after a
+   * call to <code>init</code>, and can compute another MAC using the
+   * same key and parameters.
+   *
+   * @return The message authentication code.
+   * @throws java.lang.IllegalStateException If this instnace has not
+   *         been initialized.
+   */
+  public final byte[] doFinal() throws IllegalStateException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    byte[] digest = macSpi.engineDoFinal();
+    reset();
+    return digest;
+  }
+
+  /**
+   * Finishes the computation of a MAC with a final byte array (or
+   * computes a MAC over those bytes only) and returns the digest.
+   *
+   * <p>After this method succeeds, it may be used again as just after a
+   * call to <code>init</code>, and can compute another MAC using the
+   * same key and parameters.
+   *
+   * @param input The bytes to add.
+   * @return The message authentication code.
+   * @throws java.lang.IllegalStateException If this instnace has not
+   *         been initialized.
+   */
+  public final byte[] doFinal(byte[] input) throws IllegalStateException
+  {
+    update(input);
+    byte[] digest = macSpi.engineDoFinal();
+    reset();
+    return digest;
+  }
+
+  /**
+   * Finishes the computation of a MAC and places the result into the
+   * given array.
+   *
+   * <p>After this method succeeds, it may be used again as just after a
+   * call to <code>init</code>, and can compute another MAC using the
+   * same key and parameters.
+   *
+   * @param output    The destination for the result.
+   * @param outOffset The index in the output array to start.
+   * @return The message authentication code.
+   * @throws java.lang.IllegalStateException If this instnace has not
+   *         been initialized.
+   * @throws javax.crypto.ShortBufferException If <code>output</code> is
+   *         not large enough to hold the result.
+   */
+  public final void doFinal(byte[] output, int outOffset)
+  throws IllegalStateException, ShortBufferException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    if (output.length - outOffset < getMacLength())
+      {
+        throw new ShortBufferException();
+      }
+    byte[] mac = macSpi.engineDoFinal();
+    System.arraycopy(mac, 0, output, outOffset, getMacLength());
+    reset();
+  }
+
+  /**
+   * Returns the name of this MAC algorithm.
+   *
+   * @return The MAC name.
+   */
+  public final String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Get the size of the MAC. This is the size of the array returned by
+   * {@link #doFinal()} and {@link #doFinal(byte[])}, and the minimum
+   * number of bytes that must be available in the byte array passed to
+   * {@link #doFinal(byte[],int)}.
+   *
+   * @return The MAC length.
+   */
+  public int getMacLength()
+  {
+    return macSpi.engineGetMacLength();
+  }
+
+  /**
+   * Get the provider of the underlying implementation.
+   *
+   * @return The provider.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Initialize this MAC with a key and no parameters.
+   *
+   * @param key The key to initialize this instance with.
+   * @throws java.security.InvalidKeyException If the key is
+   *         unacceptable.
+   */
+  public final void init(Key key) throws InvalidKeyException
+  {
+    try
+      {
+        init(key, null);
+      }
+    catch (InvalidAlgorithmParameterException iape)
+      {
+        throw new IllegalArgumentException(algorithm + " needs parameters");
+      }
+  }
+
+  /**
+   * Initialize this MAC with a key and parameters.
+   *
+   * @param key    The key to initialize this instance with.
+   * @param params The algorithm-specific parameters.
+   * @throws java.security.InvalidAlgorithmParameterException If the
+   *         algorithm parameters are unacceptable.
+   * @throws java.security.InvalidKeyException If the key is
+   *         unacceptable.
+   */
+  public final void init(Key key, AlgorithmParameterSpec params)
+    throws InvalidAlgorithmParameterException, InvalidKeyException
+  {
+    macSpi.engineInit(key, params);
+    virgin = false;                      // w00t!
+  }
+
+  /**
+   * Reset this instance. A call to this method returns this instance
+   * back to the state it was in just after it was initialized.
+   */
+  public final void reset()
+  {
+    macSpi.engineReset();
+  }
+
+  /**
+   * Update the computation with a single byte.
+   *
+   * @param input The next byte.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized.
+   */
+  public final void update(byte input) throws IllegalStateException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    macSpi.engineUpdate(input);
+  }
+
+  /**
+   * Update the computation with a byte array.
+   *
+   * @param input The next bytes.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized.
+   */
+  public final void update(byte[] input) throws IllegalStateException
+  {
+    update(input, 0, input.length);
+  }
+
+  /**
+   * Update the computation with a portion of a byte array.
+   *
+   * @param input  The next bytes.
+   * @param offset The index in <code>input</code> to start.
+   * @param length The number of bytes to update.
+   * @throws java.lang.IllegalStateException If this instance has not
+   *         been initialized.
+   */
+  public final void update(byte[] input, int offset, int length)
+    throws IllegalStateException
+  {
+    if (virgin)
+      {
+        throw new IllegalStateException("not initialized");
+      }
+    macSpi.engineUpdate(input, offset, length);
+  }
+
+  /**
+   * Clone this instance, if the underlying implementation supports it.
+   *
+   * @return A clone of this instance.
+   * @throws java.lang.CloneNotSupportedException If the underlying
+   *         implementation is not cloneable.
+   */
+  public Object clone() throws CloneNotSupportedException
+  {
+    Mac result = new Mac((MacSpi) macSpi.clone(), provider, algorithm);
+    result.virgin = virgin;
+    return result;
+  }
+}
diff --git a/javax/crypto/MacSpi.java b/javax/crypto/MacSpi.java
new file mode 100644
index 000000000..3bee392f4
--- /dev/null
+++ b/javax/crypto/MacSpi.java
@@ -0,0 +1,145 @@
+/* MacSpi.java -- The MAC service provider interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * This is the <i>Service Provider Interface</i> (<b>SPI</b>) for the
+ * {@link Mac} class.
+ *
+ * <p>Providers wishing to implement a Mac must subclass this class and
+ * provide appropriate implementations of all its abstract methods,
+ * then provide an entry pointing to this implementation in the master
+ * {@link java.security.Provider} class.
+ *
+ * <p>Implemetations may optionally implement the {@link
+ * java.lang.Cloneable} interface.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public abstract class MacSpi
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new MacSpi instance.
+   */
+  public MacSpi()
+  {
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Returns a clone of this instance if cloning is supported.
+   *
+   * @return A clone of this instance.
+   * @throws java.lang.CloneNotSupportedException If this instance does
+   *         not support cloneing.
+   */
+  public Object clone() throws CloneNotSupportedException
+  {
+    throw new CloneNotSupportedException();
+  }
+
+  // Abstract instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Finalize the computation of this MAC and return the result as a
+   * byte array.
+   *
+   * @return The MAC.
+   */
+  protected abstract byte[] engineDoFinal();
+
+  /**
+   * Return the total length, in bytes, of the computed MAC (the length
+   * of the byte array returned by {@link #doFinal()}.
+   *
+   * @return The MAC length.
+   */
+  protected abstract int engineGetMacLength();
+
+  /**
+   * Initialize (or re-initialize) this instance.
+   *
+   * @param key    The key to use.
+   * @param params The parameters to use.
+   * @throws java.security.InvalidAlgorithmParameterException If this
+   *         instance rejects the specified parameters.
+   * @throws java.security.InvalidKeyException If this instance rejects
+   *         the specified key.
+   */
+  protected abstract void engineInit(Key key, AlgorithmParameterSpec params)
+    throws InvalidAlgorithmParameterException, InvalidKeyException;
+
+  /**
+   * Reset this instance. After this method succeeds, the state of this
+   * instance should be the same as it was before any data was input
+   * (possibly after a call to {@link
+   * #init(java.security.Key,java.security.spec.AlgorithmParameterSpec)},
+   * possibly not).
+   */
+  protected abstract void engineReset();
+
+  /**
+   * Update this MAC with a single byte.
+   *
+   * @param input The next byte.
+   */
+  protected abstract void engineUpdate(byte input);
+
+  /**
+   * Update this MAC with a portion of a byte array.
+   *
+   * @param input  The next bytes.
+   * @param offset The index in <code>input</code> at which to start.
+   * @param length The number of bytes to update.
+   */
+  protected abstract void engineUpdate(byte[] input, int offset, int length);
+}
diff --git a/javax/crypto/NoSuchPaddingException.java b/javax/crypto/NoSuchPaddingException.java
new file mode 100644
index 000000000..3acd7ae68
--- /dev/null
+++ b/javax/crypto/NoSuchPaddingException.java
@@ -0,0 +1,71 @@
+/* NoSuchPaddingException.java -- Signals an unknown padding scheme.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * This exception is thrown when a particular padding scheme is
+ * requested but is not available.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class NoSuchPaddingException extends GeneralSecurityException
+{
+
+  // Constant.
+  // ------------------------------------------------------------------------
+
+  /** Serialization constant. */
+  private static final long serialVersionUID = -4572885201200175466L;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  public NoSuchPaddingException()
+  {
+    super();
+  }
+
+  public NoSuchPaddingException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/crypto/NullCipher.java b/javax/crypto/NullCipher.java
new file mode 100644
index 000000000..95f3a8e8f
--- /dev/null
+++ b/javax/crypto/NullCipher.java
@@ -0,0 +1,62 @@
+/* NullCipher.java -- The identity cipher.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+/**
+ * Trivial subclass of Cipher that implements the <i>identity
+ * transformation</i>, where the input is always copied to the output
+ * unchanged. Null ciphers can be instantiated with the public
+ * constructor.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class NullCipher extends Cipher
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new identity cipher.
+   */
+  public NullCipher()
+  {
+    super(new NullCipherImpl(), null, "NULL");
+  }
+}
diff --git a/javax/crypto/NullCipherImpl.java b/javax/crypto/NullCipherImpl.java
new file mode 100644
index 000000000..b203d24bf
--- /dev/null
+++ b/javax/crypto/NullCipherImpl.java
@@ -0,0 +1,127 @@
+/* NullCipherImpl.java -- implementation of NullCipher.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.AlgorithmParameters;
+import java.security.Key;
+import java.security.SecureRandom;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * Implementation of the identity cipher.
+ */
+final class NullCipherImpl extends CipherSpi
+{
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  NullCipherImpl()
+  {
+    super();
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  protected void engineSetMode(String mode) { }
+  protected void engineSetPadding(String padding) { }
+
+  protected int engineGetBlockSize()
+  {
+    return 1;
+  }
+
+  protected int engineGetOutputSize(int inputLen)
+  {
+    return inputLen;
+  }
+
+  protected byte[] engineGetIV()
+  {
+    return null;
+  }
+
+  protected AlgorithmParameters engineGetParameters()
+  {
+    return null;
+  }
+
+  protected void engineInit(int mode, Key key, SecureRandom random) { }
+  protected void engineInit(int mode, Key key, AlgorithmParameterSpec spec, SecureRandom random) { }
+  protected void engineInit(int mode, Key key, AlgorithmParameters params, SecureRandom random) { }
+
+  protected byte[] engineUpdate(byte[] input, int inputOffset, int inputLen)
+  {
+    if (input == null)
+      return new byte[0];
+    if (inputOffset < 0 || inputLen < 0 || inputOffset + inputLen > input.length)
+      throw new ArrayIndexOutOfBoundsException();
+    byte[] output = new byte[inputLen];
+    System.arraycopy(input, inputOffset, output, 0, inputLen);
+    return output;
+  }
+
+  protected int engineUpdate(byte[] input, int inputOffset, int inputLen,
+                             byte[] output, int outputOffset)
+    throws ShortBufferException
+  {
+    if (input == null)
+      return 0;
+    if (inputOffset < 0 || inputLen < 0 || inputOffset + inputLen > input.length
+        || outputOffset < 0)
+      throw new ArrayIndexOutOfBoundsException();
+    if (output.length - outputOffset < inputLen)
+      throw new ShortBufferException();
+    System.arraycopy(input, inputOffset, output, outputOffset, inputLen);
+    return inputLen;
+  }
+
+  protected byte[] engineDoFinal(byte[] input, int inputOffset, int inputLen)
+  {
+    return engineUpdate(input, inputOffset, inputLen);
+  }
+
+  protected int engineDoFinal(byte[] input, int inputOffset, int inputLen,
+                              byte[] output, int outputOffset)
+    throws ShortBufferException
+  {
+    return engineUpdate(input, inputOffset, inputLen, output, outputOffset);
+  }
+}
diff --git a/javax/crypto/SealedObject.java b/javax/crypto/SealedObject.java
new file mode 100644
index 000000000..9bbbe29be
--- /dev/null
+++ b/javax/crypto/SealedObject.java
@@ -0,0 +1,355 @@
+/* SealedObject.java -- An encrypted Serializable object.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+
+import java.security.AlgorithmParameters;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.Key;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+
+/**
+ * This class allows any {@link java.io.Serializable} object to be
+ * stored in an encrypted form.
+ *
+ * <p>When the sealed object is ready to be unsealed (and deserialized)
+ * the caller may use either
+ *
+ * <ol>
+ * <li>{@link #getObject(javax.crypto.Cipher)}, which uses an
+ * already-initialized {@link javax.crypto.Cipher}.<br>
+ * <br>
+ * or,</li>
+ *
+ * <li>{@link #getObject(java.security.Key)} or {@link
+ * #getObject(java.security.Key,java.lang.String)}, which will
+ * initialize a new cipher instance with the {@link #encodedParams} that
+ * were stored with this sealed object (this is so parameters, such as
+ * the IV, don't need to be known by the one unsealing the object).</li>
+ * </ol>
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class SealedObject implements Serializable
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------------
+
+  /** The encoded algorithm parameters. */
+  protected byte[] encodedParams;
+
+  /** The serialized, encrypted object. */
+  private byte[] encryptedContent;
+
+  /** The algorithm used to seal the object. */
+  private String sealAlg;
+
+  /** The parameter type. */
+  private String paramsAlg;
+
+  /** The cipher that decrypts when this object is unsealed. */
+  private transient Cipher sealCipher;
+
+  /** Compatible with JDK1.4. */
+  private static final long serialVersionUID = 4482838265551344752L;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new sealed object from a {@link java.io.Serializable}
+   * object and a cipher.
+   *
+   * @param object The object to seal.
+   * @param cipher The cipher to encrypt with.
+   * @throws java.io.IOException If serializing the object fails.
+   * @throws javax.crypto.IllegalBlockSizeException If the cipher has no
+   *         padding and the size of the serialized representation of the
+   *         object is not a multiple of the cipher's block size.
+   */
+  public SealedObject(Serializable object, Cipher cipher)
+    throws IOException, IllegalBlockSizeException
+  {
+    ByteArrayOutputStream baos = new ByteArrayOutputStream();
+    ObjectOutputStream oos = new ObjectOutputStream(baos);
+    oos.writeObject(object);
+    oos.flush();
+    try
+      {
+        encryptedContent = cipher.doFinal(baos.toByteArray());
+      }
+    catch (IllegalStateException ise)
+      {
+        throw new IOException("cipher not in proper state");
+      }
+    catch (BadPaddingException bpe)
+      {
+        throw new IOException(
+          "encrypting but got javax.crypto.BadPaddingException");
+      }
+    sealAlg = cipher.getAlgorithm();
+    encodedParams = cipher.getParameters().getEncoded();
+    paramsAlg = cipher.getParameters().getAlgorithm();
+  }
+
+  /**
+   * Create a new sealed object from another sealed object.
+   *
+   * @param so The other sealed object.
+   */
+  protected SealedObject(SealedObject so)
+  {
+    this.encodedParams = (byte[]) so.encodedParams.clone();
+    this.encryptedContent = (byte[]) so.encryptedContent.clone();
+    this.sealAlg = so.sealAlg;
+    this.paramsAlg = so.paramsAlg;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the name of the algorithm used to seal this object.
+   *
+   * @return The algorithm's name.
+   */
+  public final String getAlgorithm()
+  {
+    return sealAlg;
+  }
+
+  /**
+   * Unseal and deserialize this sealed object with a specified (already
+   * initialized) cipher.
+   *
+   * @param cipher The cipher to decrypt with.
+   * @return The original object.
+   * @throws java.io.IOException If reading fails.
+   * @throws java.lang.ClassNotFoundException If deserialization fails.
+   * @throws javax.crypto.IllegalBlockSizeException If the cipher has no
+   *         padding and the encrypted data is not a multiple of the
+   *         cipher's block size.
+   * @throws javax.crypto.BadPaddingException If the padding bytes are
+   *         incorrect.
+   */
+  public final Object getObject(Cipher cipher)
+    throws IOException, ClassNotFoundException, IllegalBlockSizeException,
+           BadPaddingException
+  {
+    sealCipher = cipher;
+    return unseal();
+  }
+
+  /**
+   * Unseal and deserialize this sealed object with the specified key.
+   *
+   * @param key The key to decrypt with.
+   * @return The original object.
+   * @throws java.io.IOException If reading fails.
+   * @throws java.lang.ClassNotFoundException If deserialization fails.
+   * @throws java.security.InvalidKeyException If the supplied key
+   *         cannot be used to unseal this object.
+   * @throws java.security.NoSuchAlgorithmException If the algorithm
+   *         used to originally seal this object is not available.
+   */
+  public final Object getObject(Key key)
+    throws IOException, ClassNotFoundException, InvalidKeyException,
+           NoSuchAlgorithmException
+  {
+    try
+      {
+        if (sealCipher == null)
+          sealCipher = Cipher.getInstance(sealAlg);
+      }
+    catch (NoSuchPaddingException nspe)
+      {
+        throw new NoSuchAlgorithmException(nspe.getMessage());
+      }
+    AlgorithmParameters params = null;
+    if (encodedParams != null)
+      {
+        params = AlgorithmParameters.getInstance(paramsAlg);
+        params.init(encodedParams);
+      }
+    try
+      {
+        sealCipher.init(Cipher.DECRYPT_MODE, key, params);
+        return unseal();
+      }
+    catch (InvalidAlgorithmParameterException iape)
+      {
+        throw new IOException("bad parameters");
+      }
+    catch (IllegalBlockSizeException ibse)
+      {
+        throw new IOException("illegal block size");
+      }
+    catch (BadPaddingException bpe)
+      {
+        throw new IOException("bad padding");
+      }
+  }
+
+  /**
+   * Unseal and deserialize this sealed object with the specified key,
+   * using a cipher from the named provider.
+   *
+   * @param key      The key to decrypt with.
+   * @param provider The name of the provider to use.
+   * @return The original object.
+   * @throws java.io.IOException If reading fails.
+   * @throws java.lang.ClassNotFoundException If deserialization fails.
+   * @throws java.security.InvalidKeyException If the supplied key
+   *         cannot be used to unseal this object.
+   * @throws java.security.NoSuchAlgorithmException If the algorithm
+   *         used to originally seal this object is not available from
+   *         the named provider.
+   * @throws java.security.NoSuchProviderException If the named provider
+   *         does not exist.
+   */
+  public final Object getObject(Key key, String provider)
+    throws IOException, ClassNotFoundException, InvalidKeyException,
+           NoSuchAlgorithmException, NoSuchProviderException
+  {
+    try
+      {
+        sealCipher = Cipher.getInstance(sealAlg, provider);
+      }
+    catch (NoSuchPaddingException nspe)
+      {
+        throw new NoSuchAlgorithmException(nspe.getMessage());
+      }
+    AlgorithmParameters params = null;
+    if (encodedParams != null)
+      {
+        params = AlgorithmParameters.getInstance(paramsAlg, provider);
+        params.init(encodedParams);
+      }
+    try
+      {
+        sealCipher.init(Cipher.DECRYPT_MODE, key, params);
+        return unseal();
+      }
+    catch (InvalidAlgorithmParameterException iape)
+      {
+        throw new IOException("bad parameters");
+      }
+    catch (IllegalBlockSizeException ibse)
+      {
+        throw new IOException("illegal block size");
+      }
+    catch (BadPaddingException bpe)
+      {
+        throw new IOException("bad padding");
+      }
+  }
+
+  // Own methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Deserialize this object.
+   *
+   * @param ois The input stream.
+   * @throws java.io.IOException If reading fails.
+   * @throws java.lang.ClassNotFoundException If reading fails.
+   */
+  private void readObject(ObjectInputStream ois)
+    throws IOException, ClassNotFoundException
+  {
+    encodedParams = (byte[]) ois.readObject();
+    encryptedContent = (byte[]) ois.readObject();
+    sealAlg = (String) ois.readObject();
+    paramsAlg = (String) ois.readObject();
+  }
+
+  /**
+   * Serialize this object.
+   *
+   * @param oos The output stream.
+   * @throws java.io.IOException If writing fails.
+   */
+  private void writeObject(ObjectOutputStream oos)
+    throws IOException
+  {
+    oos.writeObject(encodedParams);
+    oos.writeObject(encryptedContent);
+    oos.writeObject(sealAlg);
+    oos.writeObject(paramsAlg);
+  }
+
+  /**
+   * Unseal this object, returning it.
+   *
+   * @return The unsealed, deserialized Object.
+   * @throws java.io.IOException If reading fails.
+   * @throws java.io.ClassNotFoundException If reading fails.
+   * @throws javax.crypto.IllegalBlockSizeException If the cipher has no
+   *         padding and the encrypted data is not a multiple of the
+   *         cipher's block size.
+   * @throws javax.crypto.BadPaddingException If the padding bytes are
+   *         incorrect.
+   */
+  private Object unseal()
+    throws IOException, ClassNotFoundException, IllegalBlockSizeException,
+           BadPaddingException
+  {
+    ByteArrayInputStream bais = null;
+    try
+      {
+        bais = new ByteArrayInputStream(sealCipher.doFinal(encryptedContent));
+      }
+    catch (IllegalStateException ise)
+      {
+        throw new IOException("cipher not initialized");
+      }
+    ObjectInputStream ois = new ObjectInputStream(bais);
+    return ois.readObject();
+  }
+}
diff --git a/javax/crypto/SecretKey.java b/javax/crypto/SecretKey.java
new file mode 100644
index 000000000..85529b94d
--- /dev/null
+++ b/javax/crypto/SecretKey.java
@@ -0,0 +1,67 @@
+/* SecretKey.java -- A key for symmetric cryptography.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is a part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or (at
+your option) any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License along
+with GNU Classpath; if not, write to the
+
+   Free Software Foundation, Inc.,
+   59 Temple Place, Suite 330,
+   Boston, MA  02111-1307
+   USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under terms
+of your choice, provided that you also meet, for each linked independent
+module, the terms and conditions of the license of that module.  An
+independent module is a module which is not derived from or based on
+this library.  If you modify this library, you may extend this exception
+to your version of the library, but you are not obligated to do so.  If
+you do not wish to do so, delete this exception statement from your
+version.  */
+
+
+package javax.crypto;
+
+import java.security.Key;
+
+/**
+ * A secret key for symmetric cryptography.
+ *
+ * <p>This interface defines no new methods over {@link
+ * java.security.Key}, but rather is intended to be a <i>marker
+ * interface</i> and to provide type safety for secret keys.</p>
+ *
+ * <p>The format of secret keys should be <code>RAW</code>, as returned
+ * by {@link java.security.Key#getFormat()}.</p>
+ *
+ * <p>Concrete implementations of this interface should override the
+ * {@link java.lang.Object#equals} and {@link java.lang.Object#hashCode}
+ * methods of {@link java.lang.Object} to use the actual key data rather
+ * than the identity-based default methods.</p>
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @see javax.crypto.SecretKeyFactory
+ * @see javax.crypto.Cipher
+ */
+public interface SecretKey extends Key
+{
+}
diff --git a/javax/crypto/SecretKeyFactory.java b/javax/crypto/SecretKeyFactory.java
new file mode 100644
index 000000000..92f18ec66
--- /dev/null
+++ b/javax/crypto/SecretKeyFactory.java
@@ -0,0 +1,249 @@
+/* SecretKeyFactory.java -- Factory for creating secret keys.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.spec.KeySpec;
+import java.security.spec.InvalidKeySpecException;
+
+import gnu.java.security.Engine;
+
+/**
+ * A secret key factory translates {@link SecretKey} objects to and from
+ * {@link java.security.spec.KeySpec} objects, and can translate between
+ * different vendors' representations of {@link SecretKey} objects (for
+ * security or semantics; whichever applies).
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see SecretKey
+ */
+public class SecretKeyFactory
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------------
+
+  private static final String SERVICE = "SecretKeyFactory";
+
+  /** The underlying factory implementation. */
+  private SecretKeyFactorySpi skfSpi;
+
+  /** The provider of the implementation. */
+  private Provider provider;
+
+  /** The name of the algorithm. */
+  private String algorithm;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new secret key factory.
+   *
+   * @param skfSpi   The underlying factory implementation.
+   * @param provider The provider.
+   * @param algorithm The algorithm name.
+   */
+  protected SecretKeyFactory(SecretKeyFactorySpi skfSpi, Provider provider,
+                             String algorithm)
+  {
+    this.skfSpi = skfSpi;
+    this.provider = provider;
+    this.algorithm = algorithm;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new secret key factory from the first appropriate
+   * instance.
+   *
+   * @param algorithm The algorithm name.
+   * @return The appropriate key factory, if found.
+   * @throws java.security.NoSuchAlgorithmException If no provider
+   *         implements the specified algorithm.
+   */
+  public static final SecretKeyFactory getInstance(String algorithm)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(algorithm, provs[i]);
+          }
+        catch (NoSuchAlgorithmException nsae)
+          {
+          }
+      }
+    throw new NoSuchAlgorithmException(algorithm);
+  }
+
+  /**
+   * Create a new secret key factory from the named provider.
+   *
+   * @param algorithm The algorithm name.
+   * @param provider  The provider name.
+   * @return The appropriate key factory, if found.
+   * @throws java.security.NoSuchAlgorithmException If the named
+   *         provider does not implement the algorithm.
+   * @throws java.security.NoSuchProviderException If the named provider
+   *         does not exist.
+   */
+  public static final SecretKeyFactory getInstance(String algorithm,
+                                                   String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(algorithm, p);
+  }
+
+  /**
+   * Create a new secret key factory from the specified provider.
+   *
+   * @param algorithm The algorithm name.
+   * @param provider  The provider.
+   * @return The appropriate key factory, if found.
+   * @throws java.security.NoSuchAlgorithmException If the provider
+   *         does not implement the algorithm.
+   */
+  public static final SecretKeyFactory getInstance(String algorithm,
+                                                   Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    try
+      {
+        return new SecretKeyFactory((SecretKeyFactorySpi)
+          Engine.getInstance(SERVICE, algorithm, provider),
+          provider, algorithm);
+      }
+    catch (InvocationTargetException ite)
+      {
+        if (ite.getCause() == null)
+          throw new NoSuchAlgorithmException(algorithm);
+        if (ite.getCause() instanceof NoSuchAlgorithmException)
+          throw (NoSuchAlgorithmException) ite.getCause();
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Generate a secret key from a key specification, if possible.
+   *
+   * @param keySpec The key specification.
+   * @return The secret key.
+   * @throws java.security.InvalidKeySpecException If the key specification
+   *         cannot be transformed into a secret key.
+   */
+  public final SecretKey generateSecret(KeySpec keySpec)
+    throws InvalidKeySpecException
+  {
+    return skfSpi.engineGenerateSecret(keySpec);
+  }
+
+  /**
+   * Get the algorithm name.
+   *
+   * @return The algorithm name.
+   */
+  public final String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Get the key specification from a secret key.
+   *
+   * @param key     The secret key.
+   * @param keySpec The target key specification class.
+   * @return The key specification.
+   * @throws java.security.spec.InvalidKeySpecException If the secret key cannot
+   *         be transformed into the specified key specification.
+   */
+  public final KeySpec getKeySpec(SecretKey key, Class keySpec)
+    throws InvalidKeySpecException
+  {
+    return skfSpi.engineGetKeySpec(key, keySpec);
+  }
+
+  /**
+   * Get the provider of this implementation.
+   *
+   * @return The provider.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Translate a secret key into another form.
+   *
+   * @param key The key to translate.
+   * @return The translated key.
+   * @throws java.security.InvalidKeyException If the argument cannot be
+   *         translated.
+   */
+  public final SecretKey translateKey(SecretKey key)
+    throws InvalidKeyException
+  {
+    return skfSpi.engineTranslateKey(key);
+  }
+}
diff --git a/javax/crypto/SecretKeyFactorySpi.java b/javax/crypto/SecretKeyFactorySpi.java
new file mode 100644
index 000000000..7b4763dff
--- /dev/null
+++ b/javax/crypto/SecretKeyFactorySpi.java
@@ -0,0 +1,108 @@
+/* SecretKeyFactorySpi.java -- Secret key factory service provider interface.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.InvalidKeyException;
+import java.security.spec.KeySpec;
+import java.security.spec.InvalidKeySpecException;
+
+/**
+ * The <i>Service Provider Interface</i> (<b>SPI</b>) for the {@link
+ * SecretKeyFactory} class.
+ *
+ * <p>Providers wishing to implement a secret key factory must
+ * subclass this and provide an appropriate implementation for all the
+ * abstract methods below, and provide an appropriate entry in the
+ * master {@link java.security.Provider} class (the service name for
+ * secret key factories is <code>"SecretKeyFactory"</code>).
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see SecretKeyFactory
+ */
+public abstract class SecretKeyFactorySpi
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new secret key factory SPI.
+   */
+  public SecretKeyFactorySpi()
+  {
+  }
+
+  // Abstract instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Translate a {@link java.security.KeySpec} into a {@link SecretKey}.
+   *
+   * @param keySpec The key specification.
+   * @return The secret key.
+   * @throws java.security.spec.InvalidKeySpecException If the key specification
+   *         cannot be translated into a secret key.
+   */
+  protected abstract SecretKey engineGenerateSecret(KeySpec keySpec)
+    throws InvalidKeySpecException;
+
+  /**
+   * Translate a {@link SecretKey} into a {@link java.security.KeySpec}.
+   *
+   * @param key     The secret key.
+   * @param keySpec The desired key specification class.
+   * @return The key specification.
+   * @throws java.security.spec.InvalidKeySpecException If the secret key cannot
+   *         be translated into the desired key specification.
+   */
+  protected abstract KeySpec engineGetKeySpec(SecretKey key, Class keySpec)
+    throws InvalidKeySpecException;
+
+  /**
+   * Translate a secret key into a different representation.
+   *
+   * @param key The secret key to translate.
+   * @return The translated key.
+   * @throws java.security.InvalidKeyException If the specified secret
+   *         key cannot be translated.
+   */
+  protected abstract SecretKey engineTranslateKey(SecretKey key)
+    throws InvalidKeyException;
+}
diff --git a/javax/crypto/ShortBufferException.java b/javax/crypto/ShortBufferException.java
new file mode 100644
index 000000000..5b5bf5437
--- /dev/null
+++ b/javax/crypto/ShortBufferException.java
@@ -0,0 +1,70 @@
+/* ShortBufferException.java -- Signals a short output buffer.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * This exception is thrown on an attempt to transform bytes into a
+ * buffer that is too short to contain the data.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class ShortBufferException extends GeneralSecurityException
+{
+
+  // Constant.
+  // ------------------------------------------------------------------------
+
+  /** Serialization constant. */
+  private static final long serialVersionUID = 8427718640832943747L;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  public ShortBufferException()
+  {
+    super();
+  }
+
+  public ShortBufferException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/crypto/interfaces/DHKey.java b/javax/crypto/interfaces/DHKey.java
new file mode 100644
index 000000000..d5d827946
--- /dev/null
+++ b/javax/crypto/interfaces/DHKey.java
@@ -0,0 +1,61 @@
+/* DHKey.java -- General interface for a Diffie-Hellman key.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.interfaces;
+
+import javax.crypto.spec.DHParameterSpec;
+
+/**
+ * This interface marks public/private keys in the Diffie-Hellman key
+ * exchange algorithm. Implementations of Diffie-Hellman keys should
+ * implement this interface, and applications can safely cast keys that
+ * are known to be Diffie-Hellman keys to this interface.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public interface DHKey
+{
+  /**
+   * Returns the Diffie-Hellman parameters for this key, which includes
+   * the generator and the prime.
+   *
+   * @return The Diffie-Hellman parameters.
+   */
+  DHParameterSpec getParams();
+}
diff --git a/javax/crypto/interfaces/DHPrivateKey.java b/javax/crypto/interfaces/DHPrivateKey.java
new file mode 100644
index 000000000..63b9c15c4
--- /dev/null
+++ b/javax/crypto/interfaces/DHPrivateKey.java
@@ -0,0 +1,70 @@
+/* DHPrivateKey.java -- A Diffie-Hellman private key.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.interfaces;
+
+import java.math.BigInteger;
+import java.security.PrivateKey;
+
+/**
+ * This interface marks a private key in the Diffie-Hellman key exchange
+ * algorithm. It should be treated with as much care as any {@link
+ * java.security.PrivateKey}.
+ *
+ * <p>Implementations of Diffie-Hellman private keys should implement
+ * this interface. Applications that know a particular key is a
+ * Diffie-Hellman private key can safely cast it to this interface.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see DHKey
+ * @see DHPublicKey
+ */
+public interface DHPrivateKey extends DHKey, PrivateKey
+{
+
+  /** Compatible with JDK1.4. */
+  static final long serialVersionUID = 2211791113380396553L;
+
+  /**
+   * Returns the private value <i>x</i>.
+   *
+   * @return The private value <i>x</i>.
+   */
+  BigInteger getX();
+}
diff --git a/javax/crypto/interfaces/DHPublicKey.java b/javax/crypto/interfaces/DHPublicKey.java
new file mode 100644
index 000000000..5e0b35bf0
--- /dev/null
+++ b/javax/crypto/interfaces/DHPublicKey.java
@@ -0,0 +1,69 @@
+/* DHPublicKey.java -- A Diffie-Hellman public key.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.interfaces;
+
+import java.math.BigInteger;
+import java.security.PublicKey;
+
+/**
+ * This interface marks a public key in the Diffie-Hellman key-exchange
+ * algorithm.
+ *
+ * <p>Implementations of Diffie-Hellman public keys should implement
+ * this interface. Applications that know that a particular key is a
+ * Diffie-Hellman public key it can be safely cast to this interface.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see DHKey
+ * @see DHPrivateKey
+ */
+public interface DHPublicKey extends DHKey, PublicKey
+{
+
+  /** Compatible with JDK1.4. */
+  static final long serialVersionUID = -6628103563352519193L;
+
+  /**
+   * Get the public value <i>y</i>.
+   *
+   * @return The public value <i>y</i>.
+   */
+  BigInteger getY();
+}
diff --git a/javax/crypto/interfaces/PBEKey.java b/javax/crypto/interfaces/PBEKey.java
new file mode 100644
index 000000000..533491898
--- /dev/null
+++ b/javax/crypto/interfaces/PBEKey.java
@@ -0,0 +1,91 @@
+/* PBEKey.java -- A key derived from a password.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.interfaces;
+
+import javax.crypto.SecretKey;
+
+/**
+ * Interface to a password-derived key for password-based encryption
+ * (PBE). Applications working with a {@link javax.crypto.SecretKey}
+ * that is known to be a password-based key can safely cast such keys to
+ * this interface.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public interface PBEKey extends SecretKey
+{
+
+  /** Compatible with JDK1.4. */
+  static final long serialVersionUID = -1430015993304333921L;
+
+  /**
+   * Retruns the iteration count, or 0 if not specified.
+   *
+   * @return The iteration count.
+   */
+  int getIterationCount();
+
+  /**
+   * Returns a copy of the password as a character array. It is the
+   * caller's responsibility to zero-out the password when it is no
+   * longer in use.
+   *
+   * <p>Although it is not specified in the documentation,
+   * implementations should not copy or clone the password array, but
+   * rather return the reference to the array itself, so the caller has
+   * the ability to erase the password.
+   *
+   * @return The password.
+   */
+  char[] getPassword();
+
+  /**
+   * Returns a copy of the salt. It is the caller's responsibility to
+   * zero-out the salt when it is no longer in use.
+   *
+   * <p>Although it is not specified in the documentation,
+   * implementations should not copy or clone the salt array, but
+   * rather return the reference to the array itself, so the caller has
+   * the ability to erase the salt.
+   *
+   * @return The salt.
+   */
+  byte[] getSalt();
+}
diff --git a/javax/crypto/spec/DESKeySpec.java b/javax/crypto/spec/DESKeySpec.java
new file mode 100644
index 000000000..7423c969b
--- /dev/null
+++ b/javax/crypto/spec/DESKeySpec.java
@@ -0,0 +1,220 @@
+/* DESKeySpec -- Keys for DES.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.InvalidKeyException;
+import java.security.spec.KeySpec;
+
+/**
+ * This class is a transparent wrapper for DES keys, which are arrays
+ * of 8 bytes.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class DESKeySpec implements KeySpec
+{
+
+  // Constants.
+  // ------------------------------------------------------------------------
+
+  /**
+   * The length of a DES key, in bytes.
+   */
+  public static final int DES_KEY_LEN = 8;
+
+  /**
+   * The key bytes.
+   */
+  private byte[] key;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new DES key spec, copying the first 8 bytes from the
+   * byte array.
+   *
+   * @param key The key bytes.
+   * @throws java.security.InvalidKeyException If there are less than 8
+   *         bytes in the array.
+   */
+  public DESKeySpec(byte[] key) throws InvalidKeyException
+  {
+    this(key, 0);
+  }
+
+  /**
+   * Create a new DES key spec, starting at <code>offset</code> in
+   * the byte array. The first 8 bytes starting at <code>offset</code>
+   * are copied.
+   *
+   * @param key    The key bytes.
+   * @param offset The offset into the byte array at which to begin.
+   * @throws java.security.InvalidKeyException If there are less than 8
+   *         bytes starting at <code>offset</code>.
+   */
+  public DESKeySpec(byte[] key, int offset) throws InvalidKeyException
+  {
+    if (key.length - offset < DES_KEY_LEN)
+      {
+        throw new InvalidKeyException("DES keys must be 8 bytes long");
+      }
+    this.key = new byte[DES_KEY_LEN];
+    System.arraycopy(key, offset, this.key, 0, DES_KEY_LEN);
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Returns whether or not the given key is <i>parity adjusted</i>;
+   * i.e. every byte in the key has an odd number of "1" bits.
+   *
+   * @param key    The key bytes, considered between <code>[offset,
+   *               offset+7]</code>
+   * @param offset The offset into the byte array at which to begin.
+   * @return True if all bytes have an odd number of "1" bits.
+   * @throws java.security.InvalidKeyException If there are not enough
+   *         bytes in the array.
+   */
+  public static boolean isParityAdjusted(byte[] key, int offset)
+    throws InvalidKeyException
+  {
+    if (key.length - offset < DES_KEY_LEN)
+      {
+        throw new InvalidKeyException("DES keys must be 8 bytes long");
+      }
+    boolean parity = false;
+    boolean oddbits = false;
+    for (int i = 0; i < DES_KEY_LEN; i++)
+      {
+        oddbits = false;
+        for (int j = 0; j < 8; j++)
+          {
+            oddbits ^= (key[i+offset] & 1 << j) != 0;
+          }
+        parity &= oddbits;
+      }
+    return parity;
+  }
+
+  /**
+   * One-half of the weak and semiweak DES keys (the other half are the
+   * complements of these).
+   */
+  private static final byte[][] WEAK_KEYS = new byte[][] {
+    {   0,   0,   0,   0,   0,   0,   0,   0 }, // 0000 0000 0000 0000
+    {  -1,  -1,  -1,  -1,   0,   0,   0,   0 }, // ffff ffff 0000 0000
+    {   1,   1,   1,   1,   1,   1,   1,   1 }, // 0101 0101 0101 0101
+    {  31,  31,  31,  31,  14,  14,  14,  14 }, // 1f1f 1f1f 0e0e 0e0e
+    {   1,  -2,   1,  -2,   1,  -2,   1,  -2 }, // 01fe 01fe 01fe 01fe
+    {  31, -32,  31, -32, -32,  31, -32,  31 }, // 1fe0 1fe0 0e1f 0e1f
+    {   1, -32,   1, -32,   1, -15,   1, -15 }, // 01e0 01e0 01f1 01f1
+    {  31,  -2,  31,  -2,  14,  -2,  14,  -2 }, // 1ffe 1ffe 0efe 0efe
+    {   1,  31,   1,  31,   1,  14,   1,  14 }, // 011f 011f 010e 010e
+    { -32,  -2, -32,  -2, -15,  -2, -15,  -2 }, // e0fe e0fe f1fe f1fe
+  };
+
+  /**
+   * Tests if the bytes between <code>[offset, offset+7]</code>
+   * constitute a weak or semi-weak DES key.
+   *
+   * @param key    The key bytes to check.
+   * @param offset The offset in the byte array to start.
+   * @return true If the key bytes are a weak key.
+   */
+  public static boolean isWeak(byte[] key, int offset)
+    throws InvalidKeyException
+  {
+    if (key.length - offset < DES_KEY_LEN)
+      {
+        throw new InvalidKeyException("DES keys must be 8 bytes long");
+      }
+    for (int i = 0; i < WEAK_KEYS.length; i++)
+      {
+        if (equalsOrComplementEquals(key, offset, WEAK_KEYS[i]))
+          {
+            return true;
+          }
+      }
+    return false;
+  }
+
+  /**
+   * This method returns true if the first 8 bytes starting at
+   * <code>off</code> in <code>a</code> equal the first 8 bytes in
+   * <code>b</code>, or equal the <i>complement</i> of the first 8 bytes
+   * in <code>b</code>.
+   *
+   * @param a   The first byte array.
+   * @param off The index into the first byte array.
+   * @param b   The second byte array.
+   * @return <code>a == b || a == ~b</code>
+   */
+  private static boolean equalsOrComplementEquals(byte[] a, int off, byte[] b)
+  {
+    boolean result = true;
+    for (int i = 0; i < DES_KEY_LEN; i++)
+      {
+        result &= a[off+i] == b[i];
+      }
+    if (result) return true;
+    result = true;
+    for (int i = 0; i < DES_KEY_LEN; i++)
+      {
+        result &= a[off+i] == (~b[i]);
+      }
+    return result;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Return the key as a byte array. This method does not copy the byte
+   * array.
+   *
+   * @return The key bytes.
+   */
+  public byte[] getKey()
+  {
+    return key;
+  }
+}
diff --git a/javax/crypto/spec/DESedeKeySpec.java b/javax/crypto/spec/DESedeKeySpec.java
new file mode 100644
index 000000000..d455163bc
--- /dev/null
+++ b/javax/crypto/spec/DESedeKeySpec.java
@@ -0,0 +1,151 @@
+/* DESedeKeySpec.java -- Keys for triple-DES.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.InvalidKeyException;
+import java.security.spec.KeySpec;
+
+/**
+ * This class is a transparent wrapper for DES-EDE (Triple-DES) keys,
+ * which are arrays of 24 bytes.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class DESedeKeySpec implements KeySpec
+{
+
+  // Constants.
+  // ------------------------------------------------------------------------
+
+  /**
+   * The length of a triple-DES key, in bytes.
+   */
+  public static final int DES_EDE_KEY_LEN = 24;
+
+  /**
+   * The key bytes.
+   */
+  private byte[] key;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new DES-EDE key spec, copying the first 24 bytes from the
+   * byte array.
+   *
+   * @param key The key bytes.
+   * @throws java.security.InvalidKeyException If there are less than 24
+   *         bytes in the array.
+   */
+  public DESedeKeySpec(byte[] key) throws InvalidKeyException
+  {
+    this(key, 0);
+  }
+
+  /**
+   * Create a new DES-EDE key spec, starting at <code>offset</code> in
+   * the byte array. The first 24 bytes starting at <code>offset</code>
+   * are copied.
+   *
+   * @param key    The key bytes.
+   * @param offset The offset into the byte array at which to begin.
+   * @throws java.security.InvalidKeyException If there are less than 24
+   *         bytes starting at <code>offset</code>.
+   */
+  public DESedeKeySpec(byte[] key, int offset) throws InvalidKeyException
+  {
+    if (key.length - offset < DES_EDE_KEY_LEN)
+      {
+        throw new InvalidKeyException("DES-EDE keys must be 24 bytes long");
+      }
+    this.key = new byte[DES_EDE_KEY_LEN];
+    System.arraycopy(key, offset, this.key, 0, DES_EDE_KEY_LEN);
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Returns whether or not the given key is <i>parity adjusted</i>;
+   * i.e. every byte in the key has an odd number of "1" bits.
+   *
+   * @param key    The key bytes, considered between <code>[offset,
+   *               offset+23]</code>
+   * @param offset The offset into the byte array at which to begin.
+   * @return True if all bytes have an odd number of "1" bits.
+   * @throws java.security.InvalidKeyException If there are not enough
+   *         bytes in the array.
+   */
+  public static boolean isParityAdjusted(byte[] key, int offset)
+    throws InvalidKeyException
+  {
+    if (key.length - offset < DES_EDE_KEY_LEN)
+      {
+        throw new InvalidKeyException("DES-EDE keys must be 24 bytes long");
+      }
+    boolean parity = false;
+    boolean oddbits = false;
+    for (int i = 0; i < DES_EDE_KEY_LEN; i++)
+      {
+        oddbits = false;
+        for (int j = 0; j < 8; j++)
+          {
+            oddbits ^= (key[i+offset] & 1 << j) != 0;
+          }
+        parity &= oddbits;
+      }
+    return parity;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Return the key as a byte array. This method does not copy the byte
+   * array.
+   *
+   * @return The key bytes.
+   */
+  public byte[] getKey()
+  {
+    return key;
+  }
+}
diff --git a/javax/crypto/spec/DHGenParameterSpec.java b/javax/crypto/spec/DHGenParameterSpec.java
new file mode 100644
index 000000000..67392a50f
--- /dev/null
+++ b/javax/crypto/spec/DHGenParameterSpec.java
@@ -0,0 +1,100 @@
+/* DHGenParameterSpec.java -- Diffie-Hellman parameter generator spec.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * This class represents the parameters needed for generating
+ * Diffie-Hellman parameters.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see DHParameterSpec
+ */
+public class DHGenParameterSpec implements AlgorithmParameterSpec
+{
+
+  // Variables.
+  // ------------------------------------------------------------------------
+
+  /** The length of the prime, in bits. */
+  private int primeSize;
+
+  /** The length of the exponent, in bits. */
+  private int exponentSize;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new Diffie-Hellman parameter generator spec.
+   *
+   * @param primeSize The size of the prime, in bits.
+   * @param exponentSize The size of the exponent, in bits.
+   */
+  public DHGenParameterSpec(int primeSize, int exponentSize)
+  {
+    this.primeSize = primeSize;
+    this.exponentSize = exponentSize;
+  }
+
+  // Intance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the size of the exponent, in bits.
+   *
+   * @return The exponent size.
+   */
+  public int getExponentSize()
+  {
+    return exponentSize;
+  }
+
+  /**
+   * Get the size of the prime, in bits.
+   *
+   * @return The prime size.
+   */
+  public int getPrimeSize()
+  {
+    return primeSize;
+  }
+}
diff --git a/javax/crypto/spec/DHParameterSpec.java b/javax/crypto/spec/DHParameterSpec.java
new file mode 100644
index 000000000..e66f632e8
--- /dev/null
+++ b/javax/crypto/spec/DHParameterSpec.java
@@ -0,0 +1,135 @@
+/* DHParameterSpec.java -- Parameters for Diffie-Hellman keys.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.math.BigInteger;
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * The base set of parameters necessary to perform Diffie-Hellman key
+ * exchange. Each party in the key exchange shares these parameters.
+ *
+ * <p>Each set of parameters consists of a <i>base generator</i>
+ * <code>g</code>, a <i>prime modulus</i> <code>p</code>, and an
+ * optional length, in bits, of the private exponent.
+ *
+ * <p>See <a href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-3/">PKCS
+ * #3 - Diffie-Hellman Key Agreement Standard</a> for more information.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see javax.crypto.KeyAgreement
+ */
+public class DHParameterSpec implements AlgorithmParameterSpec
+{
+
+  // Variables.
+  // ------------------------------------------------------------------------
+
+  /** The base generator g. */
+  private BigInteger g;
+
+  /** The prime modulus p. */
+  private BigInteger p;
+
+  /** The length, in bits, of the private exponent. */
+  private int l;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new set of Diffie-Hellman parameters.
+   *
+   * @param p The prime modulus.
+   * @param g The base generator.
+   */
+  public DHParameterSpec(BigInteger p, BigInteger g)
+  {
+    this(p, g, 0);
+  }
+
+  /**
+   * Create a new set of Diffie-Hellman parameters.
+   *
+   * @param p The prime modulus.
+   * @param g The base generator.
+   * @param l The size of the private exponent, in bits.
+   */
+  public DHParameterSpec(BigInteger p, BigInteger g, int l)
+  {
+    this.p = p;
+    this.g = g;
+    this.l = l;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the base generator, <i>g</i>.
+   *
+   * @return The base generator <i>g</i>.
+   */
+  public BigInteger getG()
+  {
+    return g;
+  }
+
+  /**
+   * Get the length of the private exponent, in bits.
+   *
+   * @return The length of the private exponent, in bits, or 0 if this
+   *         has not been explicitly set.
+   */
+  public int getL()
+  {
+    return l;
+  }
+
+  /**
+   * Get the prime modulus, <i>p</i>.
+   *
+   * @return The prime modulus, <i>p</i>.
+   */
+  public BigInteger getP()
+  {
+    return p;
+  }
+}
diff --git a/javax/crypto/spec/DHPrivateKeySpec.java b/javax/crypto/spec/DHPrivateKeySpec.java
new file mode 100644
index 000000000..8a4a790a1
--- /dev/null
+++ b/javax/crypto/spec/DHPrivateKeySpec.java
@@ -0,0 +1,115 @@
+/* DHPrivateKeySpec.java -- Wrapper for Diffie-Hellman private keys.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.math.BigInteger;
+import java.security.spec.KeySpec;
+
+/**
+ * A wrapper for Diffie-Hellman private key data.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see DHPublicKeySpec
+ */
+public class DHPrivateKeySpec implements KeySpec
+{
+
+  // Variables.
+  // ------------------------------------------------------------------------
+
+  /** The base generator. */
+  private BigInteger g;
+
+  /** The prime modulus. */
+  private BigInteger p;
+
+  /** The private exponent. */
+  private BigInteger x;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new Diffie-Hellman private key spec.
+   *
+   * @param x The private exponent.
+   * @param p The prime modulus.
+   * @param g The base generator.
+   */
+  public DHPrivateKeySpec(BigInteger x, BigInteger p, BigInteger g)
+  {
+    this.x = x;
+    this.p = p;
+    this.g = g;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the base generator.
+   *
+   * @return The base generator.
+   */
+  public BigInteger getG()
+  {
+    return g;
+  }
+
+  /**
+   * Get the prime modulus.
+   *
+   * @return The prime modulus.
+   */
+  public BigInteger getP()
+  {
+    return p;
+  }
+
+  /**
+   * Get the private exponent.
+   *
+   * @return The private exponent.
+   */
+  public BigInteger getX()
+  {
+    return x;
+  }
+}
diff --git a/javax/crypto/spec/DHPublicKeySpec.java b/javax/crypto/spec/DHPublicKeySpec.java
new file mode 100644
index 000000000..723dfefa4
--- /dev/null
+++ b/javax/crypto/spec/DHPublicKeySpec.java
@@ -0,0 +1,115 @@
+/* DHPublicKeySpec.java -- Wrapper for Diffie-Hellman public keys.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.math.BigInteger;
+import java.security.spec.KeySpec;
+
+/**
+ * A wrapper for Diffie-Hellman public key data.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see DHPrivateKeySpec
+ */
+public class DHPublicKeySpec implements KeySpec
+{
+
+  // Variables.
+  // ------------------------------------------------------------------------
+
+  /** The base generator. */
+  private BigInteger g;
+
+  /** The prime modulus. */
+  private BigInteger p;
+
+  /** The public value. */
+  private BigInteger y;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new Diffie-Hellman public key spec.
+   *
+   * @param y The public value.
+   * @param p The prime modulus.
+   * @param g The base generator.
+   */
+  public DHPublicKeySpec(BigInteger y, BigInteger p, BigInteger g)
+  {
+    this.y = y;
+    this.p = p;
+    this.g = g;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the base generator.
+   *
+   * @return The base generator.
+   */
+  public BigInteger getG()
+  {
+    return g;
+  }
+
+  /**
+   * Get the prime modulus.
+   *
+   * @return The prime modulus.
+   */
+  public BigInteger getP()
+  {
+    return p;
+  }
+
+  /**
+   * Get the public value.
+   *
+   * @return The public value.
+   */
+  public BigInteger getY()
+  {
+    return y;
+  }
+}
diff --git a/javax/crypto/spec/IvParameterSpec.java b/javax/crypto/spec/IvParameterSpec.java
new file mode 100644
index 000000000..1c09c7665
--- /dev/null
+++ b/javax/crypto/spec/IvParameterSpec.java
@@ -0,0 +1,96 @@
+/* IvParameterSpec.java -- A simple wrapper for initialization vectors.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * A wrapper for an initialization vector. An initialization vector is
+ * necessary for any cipher in any <i>feedback mode</i>, e.g. CBC.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ */
+public class IvParameterSpec implements AlgorithmParameterSpec
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  /** The IV. */
+  private byte[] iv;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new initialization vector spec from an entire byte array.
+   *
+   * @param iv The IV bytes.
+   */
+  public IvParameterSpec(byte[] iv)
+  {
+    this(iv, 0, iv.length);
+  }
+
+  /**
+   * Create a new initialization vector spec from part of a byte array.
+   *
+   * @param iv  The IV bytes.
+   * @param off The offset into the IV bytes.
+   * @param len The number of IV bytes.
+   */
+  public IvParameterSpec(byte[] iv, int off, int len)
+  {
+    this.iv = new byte[len];
+    System.arraycopy(iv, off, this.iv, 0, len);
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Returns the IV. This method does not copy the byte array.
+   *
+   * @return The IV.
+   */
+  public byte[] getIV()
+  {
+    return iv;
+  }
+}
diff --git a/javax/crypto/spec/PBEKeySpec.java b/javax/crypto/spec/PBEKeySpec.java
new file mode 100644
index 000000000..7a8c224cc
--- /dev/null
+++ b/javax/crypto/spec/PBEKeySpec.java
@@ -0,0 +1,176 @@
+/* PBEKeySpec.java -- Wrapper for password-based keys.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.KeySpec;
+
+/**
+ * A wrapper for a password-based key, used for password-based
+ * encryption (PBE).
+ *
+ * <p>Examples of password-based encryption algorithms include:
+ *
+ * <ul>
+ * <li><a href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/">PKCS #5
+ * - Password-Based Cryptography Standard</a></li>
+ * <li><a href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-12/">PKCS
+ * #12 - Personal Information Exchange Syntax Standard</a></li>
+ * </ul>
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ * @see javax.crypto.SecretKeyFactory
+ * @see PBEParameterSpec
+ */
+public class PBEKeySpec implements KeySpec
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  /** The iteration count. */
+  private int iterationCount;
+
+  /** The generated key length. */
+  private int keyLength;
+
+  /** The password. */
+  private char[] password;
+
+  /** The salt. */
+  private byte[] salt;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new PBE key spec with just a password.
+   *
+   * @param password The password char array.
+   */
+  public PBEKeySpec(char[] password)
+  {
+    this(password, null, 0, 0);
+  }
+
+  /**
+   * Create a PBE key spec with a password, salt, and iteration count.
+   *
+   * @param password       The password char array.
+   * @param salt           The salt bytes.
+   * @param iterationCount The iteration count.
+   */
+  public PBEKeySpec(char[] password, byte[] salt, int iterationCount)
+  {
+    this(password, salt, iterationCount, 0);
+  }
+
+  /**
+   * Create a PBE key spec with a password, salt, iteration count, and
+   * key length.
+   *
+   * @param password       The password char array.
+   * @param salt           The salt bytes.
+   * @param iterationCount The iteration count.
+   * @param keyLength      The generated key length.
+   */
+  public PBEKeySpec(char[] password, byte[] salt, int iterationCount,
+                    int keyLength)
+  {
+    this.password = password;
+    this.salt = salt;
+    this.iterationCount = iterationCount;
+    this.keyLength = keyLength;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Clear the password array by filling it with null characters.
+   */
+  public final void clearPassword()
+  {
+    if (password == null) return;
+    for (int i = 0; i < password.length; i++)
+      {
+        password[i] = '\u0000';
+      }
+  }
+
+  /**
+   * Get the iteration count, or 0 if it has not been specified.
+   *
+   * @return The iteration count, or 0 if it has not been specified.
+   */
+  public final int getIterationCount()
+  {
+    return iterationCount;
+  }
+
+  /**
+   * Get the generated key length, or 0 if it has not been specified.
+   *
+   * @return The key length, or 0 if it has not been specified.
+   */
+  public final int getKeyLength()
+  {
+    return keyLength;
+  }
+
+  /**
+   * Get the password character array.
+   *
+   * @return The password.
+   */
+  public final char[] getPassword()
+  {
+    return password;
+  }
+
+  /**
+   * Get the salt bytes.
+   *
+   * @return The salt.
+   */
+  public final byte[] getSalt()
+  {
+    return salt;
+  }
+}
diff --git a/javax/crypto/spec/PBEParameterSpec.java b/javax/crypto/spec/PBEParameterSpec.java
new file mode 100644
index 000000000..f45c866c9
--- /dev/null
+++ b/javax/crypto/spec/PBEParameterSpec.java
@@ -0,0 +1,100 @@
+/* PBEParameterSpec.java -- A wrapper for PBE parameters.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * A wrapper for the parameters used in <a
+ * href="http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/">PKCS #5 -
+ * Password-Based Cryptography Standard</a>.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class PBEParameterSpec implements AlgorithmParameterSpec
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  /** The iteration count. */
+  private int iterationCount;
+
+  /** The salt. */
+  private byte[] salt;
+
+  // Constructor.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Creates a new password-based encryption parameter specification.
+   *
+   * @param salt           The salt.
+   * @param iterationCount The iteration count.
+   */
+  public PBEParameterSpec(byte[] salt, int iterationCount)
+  {
+    this.salt = salt;
+    this.iterationCount = iterationCount;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the iteration count.
+   *
+   * @return The iteration count.
+   */
+  public int getIterationCount()
+  {
+    return iterationCount;
+  }
+
+  /**
+   * Get the salt.
+   *
+   * @return The salt.
+   */
+  public byte[] getSalt()
+  {
+    return salt;
+  }
+}
diff --git a/javax/crypto/spec/RC2ParameterSpec.java b/javax/crypto/spec/RC2ParameterSpec.java
new file mode 100644
index 000000000..ec9cde71c
--- /dev/null
+++ b/javax/crypto/spec/RC2ParameterSpec.java
@@ -0,0 +1,166 @@
+/* RC2ParameterSpec.java -- Wrapper for RC2 parameters.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * A wrapper for parameters for the <a
+ * href="http://www.rsasecurity.com/rsalabs/faq/3-6-2.html">RC2</a>
+ * block cipher ("RC" means either "Rivest Cipher" or "Ron's Code",
+ * depending upon who you ask and when).
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class RC2ParameterSpec implements AlgorithmParameterSpec
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------------
+
+  /** The length of an RC2 IV, in bytes. */
+  private static final int RC2_IV_LENGTH = 8;
+
+  /** The effective key length, in bits. */
+  private int effectiveKeyBits;
+
+  /** The initialization vector. */
+  private byte[] iv;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create RC2 parameters without an IV.
+   *
+   * @param effectiveKeyBits The number of effective key bits.
+   */
+  public RC2ParameterSpec(int effectiveKeyBits)
+  {
+    this.effectiveKeyBits = effectiveKeyBits;
+  }
+
+  /**
+   * Create RC2 parameters with an IV.
+   *
+   * @param effectiveKeyBits The number of effective key bits.
+   * @param iv               The IV; the first eight bytes of this array
+   *                         are used.
+   */
+  public RC2ParameterSpec(int effectiveKeyBits, byte[] iv)
+  {
+    this(effectiveKeyBits, iv, 0);
+  }
+
+  /**
+   * Create RC2 parameters with an IV.
+   *
+   * @param effectiveKeyBits The number of effective key bits.
+   * @param iv               The IV; the first eight bytes of this array
+   *                         after <code>offset</code> are used.
+   * @param offset           From whence to start in the array.
+   */
+  public RC2ParameterSpec(int effectiveKeyBits, byte[] iv, int offset)
+  {
+    if (iv.length - offset < RC2_IV_LENGTH)
+      {
+        throw new IllegalArgumentException("IV too short");
+      }
+    this.effectiveKeyBits = effectiveKeyBits;
+    this.iv = new byte[RC2_IV_LENGTH];
+    System.arraycopy(iv, offset, this.iv, 0, RC2_IV_LENGTH);
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Get the number of effective key bits.
+   *
+   * @return The numer of effective key bits.
+   */
+  public int getEffectiveKeyBits()
+  {
+    return effectiveKeyBits;
+  }
+
+  /**
+   * Return the initialization vector, or <code>null</code> if none was
+   * specified.
+   *
+   * @return The IV, or null.
+   */
+  public byte[] getIV()
+  {
+    return iv;
+  }
+
+  public boolean equals(Object o)
+  {
+    if (this == o) return true;
+    byte[] oiv = ((RC2ParameterSpec) o).getIV();
+    if (iv != oiv)
+      {
+        if (iv == null || oiv == null) return false;
+        if (iv.length != oiv.length) return false;
+        for (int i = 0; i < iv.length; i++)
+          {
+            if (iv[i] != oiv[i])
+              {
+                return false;
+              }
+          }
+      }
+    return effectiveKeyBits == ((RC2ParameterSpec) o).getEffectiveKeyBits();
+  }
+
+  public int hashCode()
+  {
+    int code = effectiveKeyBits;
+    if (iv != null)
+      {
+        for (int i = 0; i < RC2_IV_LENGTH; i++)
+          {
+            code += iv[i];
+          }
+      }
+    return code;
+  }
+}
diff --git a/javax/crypto/spec/RC5ParameterSpec.java b/javax/crypto/spec/RC5ParameterSpec.java
new file mode 100644
index 000000000..e7549dd63
--- /dev/null
+++ b/javax/crypto/spec/RC5ParameterSpec.java
@@ -0,0 +1,202 @@
+/* RC5ParameterSpec.java -- parameters for RC5.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+/**
+ * A wrapper for parameters to the <a
+ * href="http://www.rsasecurity.com/rsalabs/faq/3-6-4.html">RC5</a>
+ * block cipher.
+ *
+ * @author Casey Marshall (csm@gnu.org)
+ * @since 1.4
+ */
+public class RC5ParameterSpec implements AlgorithmParameterSpec
+{
+
+  // Fields.
+  // ------------------------------------------------------------------------
+
+  /** The IV. */
+  private byte[] iv;
+
+  /** The number of rounds. */
+  private int rounds;
+
+  /** The version number. */
+  private int version;
+
+  /** The word size, in bits. */
+  private int wordSize;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create RC5 parameters without an IV.
+   *
+   * @param version  The version number.
+   * @param rounds   The number of rounds.
+   * @param wordSize The size of a word, in bits.
+   */
+  public RC5ParameterSpec(int version, int rounds, int wordSize)
+  {
+    this.version = version;
+    this.rounds = rounds;
+    this.wordSize = wordSize;
+  }
+
+  /**
+   * Create RC5 parameters with an IV. The bytes in <code>iv</code> in
+   * the range <code>[0, 2*(wordSize/8)-1]</code> are used.
+   *
+   * @param version  The version number.
+   * @param rounds   The number of rounds.
+   * @param wordSize The size of a word, in bits.
+   * @param iv       The IV data.
+   */
+  public RC5ParameterSpec(int version, int rounds, int wordSize, byte[] iv)
+  {
+    this(version, rounds, wordSize, iv, 0);
+  }
+
+  /**
+   * Create RC5 parameters with an IV. The bytes in <code>iv</code> in
+   * the range <code>[off, off+2*(wordSize/8)-1]</code> are used.
+   *
+   * @param version  The version number.
+   * @param rounds   The number of rounds.
+   * @param wordSize The size of a word, in bits.
+   * @param iv       The IV data.
+   * @param off      From where in the array the IV starts.
+   */
+  public
+  RC5ParameterSpec(int version, int rounds, int wordSize, byte[] iv, int off)
+  {
+    this(version, rounds, wordSize);
+    int ivLength = 2 * (wordSize / 8);
+    if (off < 0)
+      throw new IllegalArgumentException();
+    if (iv.length - off < ivLength)
+      {
+        throw new IllegalArgumentException("IV too short");
+      }
+    this.iv = new byte[ivLength];
+    System.arraycopy(iv, off, this.iv, 0, ivLength);
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Return the initializaiton vector, or <code>null</code> if none was
+   * specified.
+   *
+   * @return The IV, or null.
+   */
+  public byte[] getIV()
+  {
+    return iv;
+  }
+
+  /**
+   * Get the number of rounds.
+   *
+   * @return The number of rounds.
+   */
+  public int getRounds()
+  {
+    return rounds;
+  }
+
+  /**
+   * Get the version number.
+   *
+   * @return The version number.
+   */
+  public int getVersion()
+  {
+    return version;
+  }
+
+  /**
+   * Get the word size, in bits.
+   *
+   * @return The word size, in bits.
+   */
+  public int getWordSize()
+  {
+    return wordSize;
+  }
+
+  public boolean equals(Object o)
+  {
+    if (this == o) return true;
+    byte[] oiv = ((RC5ParameterSpec) o).getIV();
+    if (iv != oiv)
+      {
+        if (iv == null || oiv == null) return false;
+        if (iv.length != oiv.length) return false;
+        for (int i = 0; i < iv.length; i++)
+          {
+            if (iv[i] != oiv[i])
+              {
+                return false;
+              }
+          }
+      }
+    return rounds   == ((RC5ParameterSpec) o).getRounds()
+        && version  == ((RC5ParameterSpec) o).getVersion()
+        && wordSize == ((RC5ParameterSpec) o).getWordSize();
+  }
+
+  public int hashCode()
+  {
+    int code = rounds + version + wordSize;
+    if (iv != null)
+      {
+        for (int i = 0; i < iv.length; i++)
+          {
+            code += iv[i];
+          }
+      }
+    return code;
+  }
+}
diff --git a/javax/crypto/spec/SecretKeySpec.java b/javax/crypto/spec/SecretKeySpec.java
new file mode 100644
index 000000000..6d9f4b8fe
--- /dev/null
+++ b/javax/crypto/spec/SecretKeySpec.java
@@ -0,0 +1,154 @@
+/* SecretKeySpec.java -- Wrapper for secret keys.
+   Copyright (C) 2004  Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.crypto.spec;
+
+import java.security.spec.KeySpec;
+import javax.crypto.SecretKey;
+
+/**
+ * This is a simple wrapper around a raw byte array, for ciphers that do
+ * not require any key parameters other than the bytes themselves.
+ *
+ * <p>Since this class implements {@link javax.crypto.SecretKey}, which
+ * in turn extends {@link java.security.Key}, so instances of this class
+ * may be passed directly to the <code>init()</code> methods of {@link
+ * javax.crypto.Cipher}.
+ *
+ * @see javax.crypto.SecretKey
+ * @see javax.crypto.SecretKeyFactory
+ */
+public class SecretKeySpec implements KeySpec, SecretKey
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------------
+
+  /** Compatible with JDK1.4. */
+  private static final long serialVersionUID = 6577238317307289933L;
+
+  /** The key bytes. */
+  private byte[] key;
+
+  /** The algorithm's name. */
+  private String algorithm;
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create a new secret key spec from an entire byte array.
+   *
+   * @param key       The key material.
+   * @param algorithm The name of the algorithm using this key.
+   */
+  public SecretKeySpec(byte[] key, String algorithm)
+  {
+    this(key, 0, key.length, algorithm);
+  }
+
+  /**
+   * Create a new secret key spec from part of a byte array.
+   *
+   * @param key       The key material.
+   * @param off       The offset at which key material begins.
+   * @param len       The length of key material.
+   * @param algorithm The name of the algorithm using this key.
+   */
+  public SecretKeySpec(byte[] key, int off, int len, String algorithm)
+  {
+    this.key = new byte[len];
+    this.algorithm = algorithm;
+    System.arraycopy(key, off, this.key, 0, len);
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Return the name of the algorithm associated with this secret key.
+   *
+   * @return The algorithm's name.
+   */
+  public String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Return the key as a byte array.
+   *
+   * @return The key material.
+   */
+  public byte[] getEncoded()
+  {
+    return key;
+  }
+
+  /**
+   * This key's format, which is always "RAW".
+   *
+   * @return "RAW"
+   */
+  public String getFormat()
+  {
+    return "RAW";
+  }
+
+  public boolean equals(Object o)
+  {
+    byte[] okey = ((SecretKeySpec) o).getEncoded();
+    if (key.length != okey.length) return false;
+    for (int i = 0; i < key.length; i++)
+      {
+        if (key[i] != okey[i])
+          return false;
+      }
+    return algorithm.equals(((SecretKeySpec) o).getAlgorithm());
+  }
+
+  public int hashCode()
+  {
+    int code = 0;
+    for (int i = 0; i < key.length; i++)
+      {
+        code ^= (key[i] & 0xff) << (i << 3 & 31);
+      }
+    return code ^ algorithm.hashCode();
+  }
+}
diff --git a/javax/net/ServerSocketFactory.java b/javax/net/ServerSocketFactory.java
new file mode 100644
index 000000000..d20c7fbe9
--- /dev/null
+++ b/javax/net/ServerSocketFactory.java
@@ -0,0 +1,122 @@
+/* ServerSocketFactory.java -- factory for server sockets.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net;
+
+import java.io.IOException;
+
+import java.net.InetAddress;
+import java.net.ServerSocket;
+
+import java.security.Security;
+
+/**
+ * A factory for server sockets. The purpose of this class is to serve
+ * as the superclass of server socket factories that produce server
+ * sockets of a particular type, such as <i>Secure Socket Layer</i>
+ * (<b>SSL</b>) server sockets.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class ServerSocketFactory
+{
+
+  // Constructors.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Default 0-argument constructor.
+   */
+  protected ServerSocketFactory()
+  {
+    super();
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Returns the default server socket factory. The type of factory
+   * returned may depend upon the installation.
+   *
+   * @return The default server socket factory.
+   */
+  public static synchronized ServerSocketFactory getDefault()
+  {
+    try
+      {
+        String s = Security.getProperty("gnu.defaultServerSocketFactory");
+        if (s != null)
+          {
+            Class c = Class.forName(s);
+            return (ServerSocketFactory) c.newInstance();
+          }
+      }
+    catch (Exception e)
+      {
+      }
+    return new VanillaServerSocketFactory();
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------------
+
+  /**
+   * Create an unbound server socket.
+   *
+   * @return The new server socket.
+   * @throws IOException If a networking error occurs.
+   */
+  public ServerSocket createServerSocket() throws IOException
+  {
+    throw new UnsupportedOperationException();
+  }
+
+  /**
+   * Create a server socket bound to the given port.
+   *
+   * @param port The port to bind the server socket to.
+   * @return A server socket bound to <i>port</i>.
+   * @throws IOException If a networking error occurs.
+   */
+  public abstract ServerSocket createServerSocket(int port) throws IOException;
+
+  public abstract ServerSocket createServerSocket(int port, int backlog) throws IOException;
+
+  public abstract ServerSocket createServerSocket(int port, int backlog, InetAddress bindAddress) throws IOException;
+}
diff --git a/javax/net/SocketFactory.java b/javax/net/SocketFactory.java
new file mode 100644
index 000000000..9e236d2df
--- /dev/null
+++ b/javax/net/SocketFactory.java
@@ -0,0 +1,157 @@
+/* SocketFactory.java -- factory for client sockets.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net;
+
+import java.io.IOException;
+
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+
+import java.security.Security;
+
+/**
+ * A factory for client sockets. The purpose of this class is to serve
+ * as the superclass of server socket factories that produce client
+ * sockets of a particular type, such as <i>Secure Socket Layer</i>
+ * (<b>SSL</b>) sockets.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class SocketFactory
+{
+
+  // Constructor.
+  // -------------------------------------------------------------------
+
+  /**
+   * Default 0-arguments constructor.
+   */
+  protected SocketFactory()
+  {
+    super();
+  }
+
+  // Class methods.
+  // -------------------------------------------------------------------
+
+  /**
+   * Returns the default socket factory. The type of factory
+   * returned may depend upon the installation.
+   *
+   * @return The default socket factory.
+   */
+  public static synchronized SocketFactory getDefault()
+  {
+    try
+      {
+        String s = Security.getProperty("gnu.defaultSocketFactory");
+        if (s != null)
+          {
+            Class c = Class.forName(s);
+            return (SocketFactory) c.newInstance();
+          }
+      }
+    catch (Exception e)
+      {
+      }
+    return new VanillaSocketFactory();
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------
+
+  /**
+   * Returns an unbound client socket.
+   *
+   * @return The new, unbound socket.
+   */
+  public Socket createSocket() throws IOException
+  {
+    throw new UnsupportedOperationException();
+  }
+
+  /**
+   * Creates a socket connected to a given host on a given port.
+   *
+   * @param host The hostname to connect to.
+   * @param port The port on <i>host</i> to connect to.
+   * @return A socket connected to <i>host</i> on <i>port</i>.
+   * @throws IOException If a network error occurs.
+   * @throws UnknownHostException If <i>host</i> cannot be resolved.
+   */
+  public abstract Socket createSocket(String host, int port) throws IOException, UnknownHostException;
+
+  /**
+   * Creates a socket connected to a given host on a given port,
+   * connecting locally to the interface with the given address and port.
+   *
+   * @param host The hostname to connect to.
+   * @param port The port on <i>host</i> to connect to.
+   * @param localHost The address of the local interface to bind to.
+   * @param localPort The local port to bind to.
+   * @return A socket connected to <i>host</i> on <i>port</i>.
+   * @throws IOException If a network error occurs.
+   * @throws UnknownHostException If <i>host</i> cannot be resolved.
+   */
+  public abstract Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException;
+
+  /**
+   * Creates a socket connected to a given host on a given port.
+   *
+   * @param host The host address to connect to.
+   * @param port The port on <i>host</i> to connect to.
+   * @return A socket connected to <i>host</i> on <i>port</i>.
+   * @throws IOException If a network error occurs.
+   */
+  public abstract Socket createSocket(InetAddress host, int port) throws IOException;
+
+  /**
+   * Creates a socket connected to a given host on a given port,
+   * connecting locally to the interface with the given address and port.
+   *
+   * @param host The host address  to connect to.
+   * @param port The port on <i>host</i> to connect to.
+   * @param localHost The address of the local interface to bind to.
+   * @param localPort The local port to bind to.
+   * @return A socket connected to <i>host</i> on <i>port</i>.
+   * @throws IOException If a network error occurs.
+   */
+  public abstract Socket createSocket(InetAddress hast, int port, InetAddress localHost, int localPort) throws IOException;
+}
diff --git a/javax/net/VanillaServerSocketFactory.java b/javax/net/VanillaServerSocketFactory.java
new file mode 100644
index 000000000..e52ecba9e
--- /dev/null
+++ b/javax/net/VanillaServerSocketFactory.java
@@ -0,0 +1,82 @@
+/* VanillaServerSocketFactory.java -- trivial socket factory.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net;
+
+import java.io.IOException;
+
+import java.net.InetAddress;
+import java.net.ServerSocket;
+
+/**
+ * A trivial server socket factory.
+ */
+class VanillaServerSocketFactory extends ServerSocketFactory
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  VanillaServerSocketFactory()
+  {
+    super();
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------
+
+  public ServerSocket createServerSocket() throws IOException
+  {
+    return new ServerSocket();
+  }
+
+  public ServerSocket createServerSocket(int port) throws IOException
+  {
+    return new ServerSocket(port);
+  }
+
+  public ServerSocket createServerSocket(int port, int backlog) throws IOException
+  {
+    return new ServerSocket(port, backlog);
+  }
+
+  public ServerSocket createServerSocket(int port, int backlog, InetAddress bindAddress) throws IOException
+  {
+    return new ServerSocket(port, backlog, bindAddress);
+  }
+}
diff --git a/javax/net/VanillaSocketFactory.java b/javax/net/VanillaSocketFactory.java
new file mode 100644
index 000000000..ace849293
--- /dev/null
+++ b/javax/net/VanillaSocketFactory.java
@@ -0,0 +1,88 @@
+/* VanillaSocketFactory.java -- trivial socket factory.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net;
+
+import java.io.IOException;
+
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+
+/**
+ * A trivial client socket factory.
+ */
+class VanillaSocketFactory extends SocketFactory
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  VanillaSocketFactory()
+  {
+    super();
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------
+
+  public Socket createSocket() throws IOException
+  {
+    return new Socket();
+  }
+
+  public Socket createSocket(String host, int port) throws IOException, UnknownHostException
+  {
+    return new Socket(host, port);
+  }
+
+  public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException, UnknownHostException
+  {
+    return new Socket(host, port, localAddr, localPort);
+  }
+
+  public Socket createSocket(InetAddress address, int port) throws IOException
+  {
+    return new Socket(address, port);
+  }
+
+  public Socket createSocket(InetAddress address, int port, InetAddress localAddr, int localPort) throws IOException
+  {
+    return new Socket(address, port, localAddr, localPort);
+  }
+}
diff --git a/javax/net/ssl/HandshakeCompletedEvent.java b/javax/net/ssl/HandshakeCompletedEvent.java
new file mode 100644
index 000000000..6171ebc48
--- /dev/null
+++ b/javax/net/ssl/HandshakeCompletedEvent.java
@@ -0,0 +1,152 @@
+/* HandshakeCompletedEvent.java -- SSL handshake completed.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.cert.Certificate;
+import javax.security.cert.X509Certificate;
+
+/**
+ * An event raised by a SSLSocket and passed to the {@link
+ * HandshakeCompletedListener#handshakeCompleted(HandshakeCompletedEvent)}
+ * method of all registered listeners when a SSL handshake in a SSL
+ * protocol is completed.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class HandshakeCompletedEvent extends java.util.EventObject
+{
+
+  // Fields.
+  // -------------------------------------------------------------------
+
+  /** Serialization constant. */
+  private static final long serialVersionUID = 7914963744257769778L;
+
+  /** The session. */
+  private transient final SSLSession session;
+
+  // Constructor.
+  // -------------------------------------------------------------------
+
+  /**
+   * Creates a new handshake completed event.
+   *
+   * @param socket The socket (also the source) creating this event.
+   * @param session The associated session object.
+   * @throws NullPointerException If <i>session</i> is null.
+   */
+  public HandshakeCompletedEvent(SSLSocket socket, SSLSession session)
+  {
+    super(socket);
+    if (session == null)
+      throw new NullPointerException();
+    this.session = session;
+  }
+
+  // Instance methods.
+  // --------------------------------------------------------------------
+
+  /**
+   * Returns the name of the cipher that was negotiated in this
+   * connection.
+   *
+   * @return The negotiated cipher name.
+   */
+  public String getCipherSuite()
+  {
+    if (session != null)
+      return session.getCipherSuite();
+    return null;
+  }
+
+  /**
+   * Returns the local certificates being used in this connection.
+   *
+   * @return The local certificates.
+   */
+  public Certificate[] getLocalCertificates()
+  {
+    if (session != null)
+      return session.getLocalCertificates();
+    return null;
+  }
+
+  /**
+   * Returns the peer's certificates being used in this connection.
+   *
+   * @return The peer's certificates.
+   * @throws SSLPeerUnverifiedException If the peer has not been
+   *   verified.
+   */
+  public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException
+  {
+    if (session != null)
+      return session.getPeerCertificates();
+    return null;
+  }
+
+  public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException
+  {
+    if (session != null)
+      return session.getPeerCertificateChain();
+    return null;
+  }
+
+  /**
+   * Returns the SSL session object associated with this connection.
+   *
+   * @return The session object.
+   */
+  public SSLSession getSession()
+  {
+    return session;
+  }
+
+  /**
+   * Returns the socket over which this connection is being
+   * negotiated. This method is equivalent to the {@link
+   * java.util.EventObject#getSource()} method.
+   *
+   * @return The socket.
+   */
+  public SSLSocket getSocket()
+  {
+    return (SSLSocket) getSource();
+  }
+}
diff --git a/javax/net/ssl/HandshakeCompletedListener.java b/javax/net/ssl/HandshakeCompletedListener.java
new file mode 100644
index 000000000..5b79bf973
--- /dev/null
+++ b/javax/net/ssl/HandshakeCompletedListener.java
@@ -0,0 +1,57 @@
+/* HandshakeCompletedListener.java -- listens for handshake events.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * An event listener that waits to be notified of {@link
+ * HandshakeCompletedEvent} objects created when handshake phase of
+ * the SSL protocol is completed for a particular connection.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public interface HandshakeCompletedListener extends java.util.EventListener
+{
+
+  /**
+   * Called when the handshake phase of the SSL protocol completes.
+   *
+   * @param event The event describing the new connection.
+   */
+  void handshakeCompleted(HandshakeCompletedEvent event);
+}
diff --git a/javax/net/ssl/HostnameVerifier.java b/javax/net/ssl/HostnameVerifier.java
new file mode 100644
index 000000000..a45648eff
--- /dev/null
+++ b/javax/net/ssl/HostnameVerifier.java
@@ -0,0 +1,64 @@
+/* HostnameVerifier.java -- verifies disparate hostnames.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * The interface for classes that perform hostname verification for cases
+ * when the hostname used to begin the connection (such as in a URL)
+ * does not match the hostname used in the SSL handshake.
+ * Implementations of this interface should provide an implementation
+ * of the {@link #verify(java.lang.String,javax.net.ssl.SSLSession)}
+ * method that accepts or rejects hostnames as appropriate.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public interface HostnameVerifier
+{
+
+  /**
+   * Verifies a hostname given a particular SSL session. This method
+   * should return <code>true</code> if the hostname is an accepted
+   * alias for the hostname negotiated in the SSL handshake.
+   *
+   * @param hostname The hostname in question.
+   * @param session  The current SSL session.
+   * @return <code>true</code> if the hostname is acceptable.
+   */
+  boolean verify(String hostname, SSLSession session);
+}
diff --git a/javax/net/ssl/HttpsURLConnection.java b/javax/net/ssl/HttpsURLConnection.java
new file mode 100644
index 000000000..a7b86c184
--- /dev/null
+++ b/javax/net/ssl/HttpsURLConnection.java
@@ -0,0 +1,256 @@
+/* HttpsURLConnection.java -- an HTTPS connection.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.security.cert.Certificate;
+
+/**
+ * A URL connection that connects via the <i>Secure Socket Layer</i>
+ * (<b>SSL</b>) for HTTPS connections.
+ *
+ * <p>This class may be used in the same way as {@link
+ * HttpURLConnection}, and it will transparently negotiate the SSL
+ * connection.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class HttpsURLConnection extends HttpURLConnection
+{
+
+  // Fields.
+  // ------------------------------------------------------------------
+
+  /** The default verifier. */
+  private static HostnameVerifier defaultVerifier;
+
+  /** The default factory. */
+  private static SSLSocketFactory defaultFactory;
+
+  /**
+   * The hostname verifier used for this connection.
+   */
+  protected HostnameVerifier hostnameVerifier;
+
+  /**
+   * This connection's socket factory.
+   */
+  private SSLSocketFactory factory;
+
+  // Static initializer.
+  // ------------------------------------------------------------------
+
+  static {
+    defaultVerifier = new TrivialHostnameVerifier();
+    try
+      {
+        defaultFactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
+      }
+    catch (Throwable t)
+      {
+        t.printStackTrace();
+      }
+  }
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  /**
+   * Creates a new HTTPS URL connection.
+   *
+   * @param url The URL of the connection being established.
+   * @throws IOException If the connection cannot be established.
+   */
+  protected HttpsURLConnection(URL url) throws IOException
+  {
+    super(url);
+    hostnameVerifier = defaultVerifier;
+    factory = defaultFactory;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------
+
+  /**
+   * Returns the default hostname verifier used in all new
+   * connections.
+   *
+   * @return The default hostname verifier.
+   */
+  public static HostnameVerifier getDefaultHostnameVerifier()
+  {
+    return defaultVerifier;
+  }
+
+  /**
+   * Sets the default hostname verifier to be used in all new
+   * connections.
+   *
+   * @param newDefault The new default hostname verifier.
+   * @throws IllegalArgumentException If <i>newDefault</i> is null.
+   * @throws SecurityException If there is a security manager
+   *   currently installed and the caller does not have the {@link
+   *   SSLPermission} "setHostnameVerifier".
+   */
+  public static void setDefaultHostnameVerifier(HostnameVerifier newDefault)
+  {
+    if (newDefault == null)
+      throw new IllegalArgumentException("default verifier cannot be null");
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      sm.checkPermission(new SSLPermission("setHostnameVerifier"));
+    defaultVerifier = newDefault;
+  }
+
+  /**
+   * Returns the default SSL socket factory used in all new
+   * connections.
+   *
+   * @return The default SSL socket factory.
+   */
+  public static SSLSocketFactory getDefaultSSLSocketFactory()
+  {
+    return defaultFactory;
+  }
+
+  /**
+   * Sets the default SSL socket factory to be used in all new
+   * connections.
+   *
+   * @param newDefault The new socket factory.
+   * @throws IllegalArgumentException If <i>newDefault</i> is null.
+   * @throws SecurityException If there is a security manager
+   *   installed and a call to {@link
+   *   SecurityManager#checkSetFactory()} fails.
+   */
+  public static void setDefaultSSLSocketFactory(SSLSocketFactory newDefault)
+  {
+    if (newDefault == null)
+      throw new IllegalArgumentException("default factory cannot be null");
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      sm.checkSetFactory();
+    defaultFactory = newDefault;
+  }
+
+  // Instance methods.
+  // ------------------------------------------------------------------
+
+  /**
+   * Returns the current hostname verifier for this instance.
+   *
+   * @return The hostname verifier.
+   */
+  public HostnameVerifier getHostnameVerifier()
+  {
+    return hostnameVerifier;
+  }
+
+  /**
+   * Sets the hostname verifier for this instance.
+   *
+   * @param hostnameVerifier The new verifier.
+   * @throws IllegalArgumentException If <i>hostnameVerifier</i> is
+   *   null.
+   */
+  public void setHostnameVerifier(HostnameVerifier hostnameVerifier)
+  {
+    if (hostnameVerifier == null)
+      throw new IllegalArgumentException("verifier cannot be null");
+    this.hostnameVerifier = hostnameVerifier;
+  }
+
+  /**
+   * Returns the current SSL socket factory for this instance.
+   *
+   * @return The current SSL socket factory.
+   */
+  public SSLSocketFactory getSSLSocketFactory()
+  {
+    return factory;
+  }
+
+  /**
+   * Sets the SSL socket factory for this instance.
+   *
+   * @param factory The new factory.
+   * @throws IllegalArgumentException If <i>factory</i> is null.
+   */
+  public void setSSLSocketFactory(SSLSocketFactory factory)
+  {
+    if (factory == null)
+      throw new IllegalArgumentException("factory cannot be null");
+    this.factory = factory;
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------
+
+  /**
+   * Returns the cipher name negotiated for this connection.
+   *
+   * @return The cipher name.
+   * @throws IllegalStateException If the connection has not yet been
+   *   established.
+   */
+  public abstract String getCipherSuite();
+
+  /**
+   * Returns the certificates used on the local side in this
+   * connection.
+   *
+   * @return The local certificates.
+   * @throws IllegalStateException If the connection has not yet been
+   *  established.
+   */
+  public abstract Certificate[] getLocalCertificates();
+
+  /**
+   * Returns the certificates sent by the other party.
+   *
+   * @return The peer's certificates.
+   * @throws IllegalStateException If the connection has not yet been
+   *   established.
+   * @throws SSLPeerUnverifiedException If the peer could not be
+   *   verified.
+   */
+  public abstract Certificate[] getServerCertificates() throws SSLPeerUnverifiedException;
+}
diff --git a/javax/net/ssl/KeyManager.java b/javax/net/ssl/KeyManager.java
new file mode 100644
index 000000000..083f3f592
--- /dev/null
+++ b/javax/net/ssl/KeyManager.java
@@ -0,0 +1,51 @@
+/* KeyManager.java -- marker interface for key manager classes.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * A marker interface for objects that serve as key managers in SSL
+ * communications. Key managers typically keep track of the public
+ * certificates and private keys when authenticating the local host to
+ * remote host, and thus is typically used in SSL servers.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public interface KeyManager
+{
+}
diff --git a/javax/net/ssl/KeyManagerFactory.java b/javax/net/ssl/KeyManagerFactory.java
new file mode 100644
index 000000000..a166f60aa
--- /dev/null
+++ b/javax/net/ssl/KeyManagerFactory.java
@@ -0,0 +1,281 @@
+/* KeyManagerFactory.java -- factory for key managers.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.AccessController;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+import java.security.UnrecoverableKeyException;
+
+import gnu.java.security.Engine;
+
+/**
+ * A class that creates key manager implementations based on a
+ * requested algorithm.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class KeyManagerFactory
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------
+
+  /** The service name for key manager factories. */
+  private static final String KEY_MANAGER_FACTORY = "KeyManagerFactory";
+
+  /** The system default trust manager algorithm. */
+  private static final String DEFAULT_ALGORITHM = "JessieX509";
+
+  /** The underlying engine. */
+  private final KeyManagerFactorySpi kmfSpi;
+
+  /** The provider of this implementation. */
+  private final Provider provider;
+
+  /** The name of this algorithm. */
+  private final String algorithm;
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  /**
+   * Create a new key manager factory.
+   *
+   * @param kmfSpi The underlying engine.
+   * @param provider The engine's provider.
+   * @param algorithm The name of this algorithm.
+   */
+  protected KeyManagerFactory(KeyManagerFactorySpi kmfSpi,
+                              Provider provider, String algorithm)
+  {
+    this.kmfSpi = kmfSpi;
+    this.provider = provider;
+    this.algorithm = algorithm;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------
+
+  /**
+   * Get the default algorithm name. This value may be specified at
+   * run-time via the security property
+   * "ssl.KeyManagerFactory.algorithm". If this property is
+   * not specified, this method returns "JessieX509".
+   *
+   * @return The default key manager factory algorithm's name.
+   */
+  public static final String getDefaultAlgorithm()
+  {
+    String alg = null;
+    try
+      {
+        alg = (String) AccessController.doPrivileged(
+          new PrivilegedAction()
+          {
+            public Object run()
+            {
+              return Security.getProperty("ssl.KeyManagerFactory.algorithm");
+            }
+          }
+        );
+      }
+    catch (SecurityException se)
+      {
+      }
+    if (alg == null)
+      alg = DEFAULT_ALGORITHM;
+    return alg;
+  }
+
+  /**
+   * Get an instance of the named key manager factory, from the first
+   * provider that implements it.
+   *
+   * @param algorithm The type of key manager factory to get.
+   * @return An appropriate implementation of that algoritm.
+   * @throws NoSuchAlgorithmException If no provider implements the
+   *   requested algorithm.
+   */
+  public static final KeyManagerFactory getInstance(String algorithm)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(algorithm, provs[i]);
+          }
+        catch (NoSuchAlgorithmException ignore)
+          {
+          }
+      }
+    throw new NoSuchAlgorithmException(algorithm);
+  }
+
+  /**
+   * Get an instance of the named key manager factory, from the named
+   * provider.
+   *
+   * @param algorithm The type of key manager factory to get.
+   * @param provider The name of the provider to get the
+   *   implementation from.
+   * @return An appropriate implementation of that algorithm.
+   * @throws NoSuchAlgorithmException If the provider does not
+   *   implement the requested algorithm.
+   * @throws NoSuchProviderException If the named provider does not
+   *   exist.
+   */
+  public static final KeyManagerFactory getInstance(String algorithm, String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    if (provider == null)
+      throw new IllegalArgumentException("provider is null");
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      throw new NoSuchProviderException(provider);
+    return getInstance(algorithm, p);
+  }
+
+  /**
+   * Get an instance of the named key manager factory, from the given
+   * provider.
+   *
+   * @param algorithm The type of key manager factory to get.
+   * @param provider The provider to get the implementation from.
+   * @return An appropriate implementation of that algorithm.
+   * @throws NoSuchAlgorithmException If the provider does not
+   *   implement the requested algorithm.
+   * @throws IllegalArgumentException If <i>provider</i> is null.
+   */
+  public static final KeyManagerFactory getInstance(String algorithm, Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    if (provider == null)
+      throw new IllegalArgumentException("provider is null");
+    try
+      {
+        return new KeyManagerFactory((KeyManagerFactorySpi)
+          Engine.getInstance(KEY_MANAGER_FACTORY, algorithm, provider),
+          provider, algorithm);
+      }
+    catch (InvocationTargetException ite)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------
+
+  /**
+   * Returns the name of this key manager factory algorithm.
+   *
+   * @return The name of this key manager factory algorithm.
+   */
+  public final String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Get an array of key managers appropriate for this algorithm, with
+   * the most preferred manager first.
+   *
+   * @return The array of key managers.
+   */
+  public final KeyManager[] getKeyManagers()
+  {
+    return kmfSpi.engineGetKeyManagers();
+  }
+
+  /**
+   * Returns the provider of this implementation.
+   *
+   * @return The provider of this implementation.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Initialize this instance with an implementation-dependent
+   * parameter object.
+   *
+   * @param params The parameters to initialize with.
+   * @throws InvalidAlgorithmParameterException If the specified
+   *   parameters are inappropriate.
+   */
+  public final void init(ManagerFactoryParameters params)
+    throws InvalidAlgorithmParameterException
+  {
+    kmfSpi.engineInit(params);
+  }
+
+  /**
+   * Initialize this instance with a key store and a password for
+   * private key entries.
+   *
+   * @param store The key store to read.
+   * @param passwd The password protecting private keys in the store.
+   * @throws KeyStoreException If an error occurs reading the keys.
+   * @throws NoSuchAlgorithmException If an algorithm (such as a
+   *   certificate algorithm) is not available.
+   * @throws UnrecoverableKeyException If the password is incorrect.
+   */
+  public final void init(KeyStore store, char[] passwd)
+    throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException
+  {
+    kmfSpi.engineInit(store, passwd);
+  }
+}
diff --git a/javax/net/ssl/KeyManagerFactorySpi.java b/javax/net/ssl/KeyManagerFactorySpi.java
new file mode 100644
index 000000000..3ed978f35
--- /dev/null
+++ b/javax/net/ssl/KeyManagerFactorySpi.java
@@ -0,0 +1,102 @@
+/* KeyManagerFactorySpi.java -- SPI for key manager factories.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.UnrecoverableKeyException;
+
+/**
+ * The <i>Service Provider Interface</i> (<b>SPI</b>) for key manager
+ * factories.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class KeyManagerFactorySpi
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  public KeyManagerFactorySpi()
+  {
+    super();
+  }
+
+  // Abstract methods.
+  // ------------------------------------------------------------------
+
+  /**
+   * Engine method for retrieving this factory's key managers.
+   *
+   * @return The key managers.
+   */
+  protected abstract KeyManager[] engineGetKeyManagers();
+
+  /**
+   * Engine method for initializing this factory with some
+   * algorithm-specific parameters.
+   *
+   * @param params The factory parameters.
+   * @throws InvalidAlgorithmParameterException If the supplied parameters
+   *   are inappropriate for this instance.
+   */
+  protected abstract void engineInit(ManagerFactoryParameters params)
+    throws InvalidAlgorithmParameterException;
+
+  /**
+   * Engine method for initializing this factory with a key store and a
+   * password for private keys. Either parameter may be <code>null</code>,
+   * in which case some default parameters (possibly derived from system
+   * properties) should be used.
+   *
+   * @param store The key store.
+   * @param passwd The private key password.
+   * @throws KeyStoreException If the key store cannot be accessed.
+   * @throws NoSuchAlgorithmException If some of the data from the key
+   *   store cannot be retrieved.
+   * @throws UnrecoverableKeyException If a private key cannot be retrieved,
+   *   likely from a wrong password.
+   */
+  protected abstract void engineInit(KeyStore store, char[] passwd)
+    throws KeyStoreException, NoSuchAlgorithmException,
+           UnrecoverableKeyException;
+}
diff --git a/javax/net/ssl/ManagerFactoryParameters.java b/javax/net/ssl/ManagerFactoryParameters.java
new file mode 100644
index 000000000..6d3e008de
--- /dev/null
+++ b/javax/net/ssl/ManagerFactoryParameters.java
@@ -0,0 +1,50 @@
+/* ManagerFactoryParameters.java -- marker interface for manager parameters.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * A marker interface for classes that serve as key or trust manager
+ * parameters, used to initialize instances of {@link
+ * KeyManagerFactory} or {@link TrustManagerFactory}.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public interface ManagerFactoryParameters
+{
+}
diff --git a/javax/net/ssl/SSLContext.java b/javax/net/ssl/SSLContext.java
new file mode 100644
index 000000000..45e01c3c7
--- /dev/null
+++ b/javax/net/ssl/SSLContext.java
@@ -0,0 +1,269 @@
+/* SSLContext.java -- an SSL protocol context.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.Provider;
+import java.security.SecureRandom;
+import java.security.Security;
+
+import gnu.java.security.Engine;
+
+/**
+ * A "meta-factory" for protocol-specific socket and server socket
+ * factories. This class serves as a clearinghouse for socket
+ * factories and cached session contexts for a particular protocol,
+ * such as SSLv3.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class SSLContext
+{
+
+  // Constants and fields.
+  // ------------------------------------------------------------------
+
+  /** Service name for SSL contexts. */
+  private static final String SSL_CONTEXT = "SSLContext";
+
+  /** The underlying engine. */
+  private final SSLContextSpi ctxSpi;
+
+  /** The provider of the engine class. */
+  private final Provider provider;
+
+  /** The protocal name. */
+  private final String protocol;
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  /**
+   * Create a new SSL context.
+   *
+   * @param ctxSpi The context engine.
+   * @param provider The provider of the implementation.
+   * @param protocol The name of the SSL protocol.
+   */
+  protected SSLContext(SSLContextSpi ctxSpi, Provider provider,
+                       String protocol)
+  {
+    this.ctxSpi = ctxSpi;
+    this.provider = provider;
+    this.protocol = protocol;
+  }
+
+  // Class methods.
+  // ------------------------------------------------------------------
+
+  /**
+   * Get an instance of a context for the specified protocol from the
+   * first provider that implements it.
+   *
+   * @param protocol The name of the protocol to get a context for.
+   * @return The new context.
+   * @throws NoSuchAlgorithm If no provider implements the given
+   *   protocol.
+   */
+  public static final SSLContext getInstance(String protocol)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(protocol, provs[i]);
+          }
+        catch (NoSuchAlgorithmException ignore)
+          {
+          }
+      }
+    throw new NoSuchAlgorithmException(protocol);
+  }
+
+  /**
+   * Get an instance of a context for the specified protocol from the
+   * named provider.
+   *
+   * @param protocol The name of the protocol to get a context for.
+   * @param provider The name of the provider to get the
+   *   implementation from.
+   * @return The new context.
+   * @throws NoSuchAlgorithmException If the provider does not
+   *   implement the given protocol.
+   * @throws NoSuchProviderException If the named provider does not
+   *   exist.
+   * @throws IllegalArgumentException If <i>provider</i> is null.
+   */
+  public static final SSLContext getInstance(String protocol,
+                                             String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    if (provider == null)
+      {
+        throw new IllegalArgumentException();
+      }
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(protocol, p);
+  }
+
+  /**
+   * Get an instance of a context for the specified protocol from the
+   * specified provider.
+   *
+   * @param protocol The name of the protocol to get a context for.
+   * @param provider The name of the provider to get the
+   *   implementation from.
+   * @return The new context.
+   * @throws NoSuchAlgorithmException If the provider does not
+   *   implement the given protocol.
+   * @throws IllegalArgumentException If <i>provider</i> is null.
+   */
+  public static final SSLContext getInstance(String protocol,
+                                             Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    try
+      {
+        return new SSLContext((SSLContextSpi)
+          Engine.getInstance(SSL_CONTEXT, protocol, provider),
+          provider, protocol);
+      }
+    catch (InvocationTargetException ite)
+      {
+        ite.printStackTrace();
+        throw new NoSuchAlgorithmException();
+      }
+    catch (ClassCastException cce)
+      {
+        cce.printStackTrace();
+        throw new NoSuchAlgorithmException();
+      }
+  }
+
+  // Instance methods.
+  // -----------------------------------------------------------------
+
+  /**
+   * Returns the set of SSL contexts available for client connections.
+   *
+   * @return The set of SSL contexts available for client connections.
+   */
+  public final SSLSessionContext getClientSessionContext()
+  {
+    return ctxSpi.engineGetClientSessionContext();
+  }
+
+  /**
+   * Returns the protocol name of this context.
+   *
+   * @return The protocol name of this context.
+   */
+  public final String getProtocol()
+  {
+    return protocol;
+  }
+
+  /**
+   * Returns the provider of this implementation.
+   *
+   * @return The provider of this implementation.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Returns the set of SSL contexts available for server connections.
+   *
+   * @return The set of SSL contexts available for server connections.
+   */
+  public final SSLSessionContext getServerSessionContext()
+  {
+    return ctxSpi.engineGetServerSessionContext();
+  }
+
+  /**
+   * Returns the factory for server SSL sockets.
+   *
+   * @return The factory for server SSL sockets.
+   */
+  public final SSLServerSocketFactory getServerSocketFactory()
+  {
+    return ctxSpi.engineGetServerSocketFactory();
+  }
+
+  /**
+   * Returns the factory for client SSL sockets.
+   *
+   * @return The factory for client SSL sockets.
+   */
+  public final SSLSocketFactory getSocketFactory()
+  {
+    return ctxSpi.engineGetSocketFactory();
+  }
+
+  /**
+   * Initializes this context and prepares it for producing socket
+   * factories. All of the parameters are optional; default values are
+   * used if left unspecified.
+   *
+   * @param keyManagers The set of key managers to use.
+   * @param trustManagers The set of trust managers to use.
+   * @param random A source of random bits to use.
+   * @throws KeyManagementException If initialization fails.
+   */
+  public final void init(KeyManager[] keyManagers,
+                         TrustManager[] trustManagers,
+                         SecureRandom random)
+    throws KeyManagementException
+  {
+    ctxSpi.engineInit(keyManagers, trustManagers, random);
+  }
+}
diff --git a/javax/net/ssl/SSLContextSpi.java b/javax/net/ssl/SSLContextSpi.java
new file mode 100644
index 000000000..ecac1cbc5
--- /dev/null
+++ b/javax/net/ssl/SSLContextSpi.java
@@ -0,0 +1,109 @@
+/* SSLContextSpi.java -- SPI for SSL contexts.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.KeyManagementException;
+import java.security.SecureRandom;
+
+/**
+ * The <i>Service Provider Interface</i> (<b>SPI</b>) for SSLContext
+ * objects.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public abstract class SSLContextSpi
+{
+
+  // Constructor.
+  // -------------------------------------------------------------------
+
+  /**
+   * Create a new SSLContextSpi.
+   */
+  public SSLContextSpi()
+  {
+    super();
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------
+
+  /**
+   * Returns the set of SSL sessions available for client connections.
+   *
+   * @return The set of SSL sessions available for client connections.
+   */
+  protected abstract SSLSessionContext engineGetClientSessionContext();
+
+  /**
+   * Returns the set of SSL sessions available for server connections.
+   *
+   * @return The set of SSL sessions available for server connections.
+   */
+  protected abstract SSLSessionContext engineGetServerSessionContext();
+
+  /**
+   * Returns the SSL server socket factory.
+   *
+   * @return The SSL server socket factory.
+   */
+  protected abstract SSLServerSocketFactory engineGetServerSocketFactory();
+
+  /**
+   * Returns the SSL client socket factory.
+   *
+   * @return The SSL client socket factory.
+   */
+  protected abstract SSLSocketFactory engineGetSocketFactory();
+
+  /**
+   * Initialize this context with key and trust managers, and a source
+   * of randomness. All of the parameters are optional.
+   *
+   * @param keyManagers The set of key managers.
+   * @param trustManagers The set of trust managers.
+   * @param random The source of randomness.
+   * @throws KeyManagementException If this context cannot be
+   *   initialized with these parameters.
+   */
+  protected abstract void engineInit(KeyManager[] keyManagers,
+                                     TrustManager[] trustManagers,
+                                     SecureRandom random)
+    throws KeyManagementException;
+}
diff --git a/javax/net/ssl/SSLException.java b/javax/net/ssl/SSLException.java
new file mode 100644
index 000000000..0a33b458f
--- /dev/null
+++ b/javax/net/ssl/SSLException.java
@@ -0,0 +1,59 @@
+/* SSLException.java -- generic SSL exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.io.IOException;
+
+/**
+ * The superclass of all possible SSL exceptions. Usually, a specific
+ * exception is thrown instead of this exception.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public class SSLException extends IOException
+{
+
+  // Constructor.
+  // ------------------------------------------------------------------
+
+  public SSLException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/net/ssl/SSLHandshakeException.java b/javax/net/ssl/SSLHandshakeException.java
new file mode 100644
index 000000000..c0f2c5cbb
--- /dev/null
+++ b/javax/net/ssl/SSLHandshakeException.java
@@ -0,0 +1,51 @@
+/* SSLHandshakeException.java -- exception in SSL handshake.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * An exception that signals an error in the SSL handshake phase.
+ */
+public class SSLHandshakeException extends SSLException
+{
+
+  public SSLHandshakeException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/net/ssl/SSLKeyException.java b/javax/net/ssl/SSLKeyException.java
new file mode 100644
index 000000000..c60cac19f
--- /dev/null
+++ b/javax/net/ssl/SSLKeyException.java
@@ -0,0 +1,52 @@
+/* SSLKeyException.java -- exception in using a key in SSL.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * An exception signaling a problem using a public or private key in
+ * an SSL communication.
+ */
+public class SSLKeyException extends SSLException
+{
+
+  public SSLKeyException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/net/ssl/SSLPeerUnverifiedException.java b/javax/net/ssl/SSLPeerUnverifiedException.java
new file mode 100644
index 000000000..1b3acbc24
--- /dev/null
+++ b/javax/net/ssl/SSLPeerUnverifiedException.java
@@ -0,0 +1,51 @@
+/* SSLPeerUnverifiedException.java -- unverified peer exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * An exception thrown when the remote peer could not be verified.
+ */
+public class SSLPeerUnverifiedException extends SSLException
+{
+
+  public SSLPeerUnverifiedException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/net/ssl/SSLPermission.java b/javax/net/ssl/SSLPermission.java
new file mode 100644
index 000000000..3771eaf98
--- /dev/null
+++ b/javax/net/ssl/SSLPermission.java
@@ -0,0 +1,66 @@
+/* SSLPermission.java -- SSL permission class.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.BasicPermission;
+
+/**
+ * A permission used for accessing SSL classes.
+ */
+public class SSLPermission extends BasicPermission
+{
+
+  // Constant.
+  // -------------------------------------------------------------------------
+
+  private static final long serialVersionUID = -3456898025505876775L;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public SSLPermission(String name)
+  {
+    super(name);
+  }
+
+  public SSLPermission(String name, String actions)
+  {
+    super(name, actions);
+  }
+}
diff --git a/javax/net/ssl/SSLProtocolException.java b/javax/net/ssl/SSLProtocolException.java
new file mode 100644
index 000000000..16a1457ab
--- /dev/null
+++ b/javax/net/ssl/SSLProtocolException.java
@@ -0,0 +1,53 @@
+/* SSLProtocolException.java -- exception in SSL protocol.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * An exception thrown when a fatal protocol error is encountered. This
+ * exception usually indicates some serious problem with the local or
+ * remote SSL implementation.
+ */
+public class SSLProtocolException extends SSLException
+{
+
+  public SSLProtocolException(String message)
+  {
+    super(message);
+  }
+}
diff --git a/javax/net/ssl/SSLServerSocket.java b/javax/net/ssl/SSLServerSocket.java
new file mode 100644
index 000000000..eab92a23f
--- /dev/null
+++ b/javax/net/ssl/SSLServerSocket.java
@@ -0,0 +1,189 @@
+// THIS IS A GENERATED FILE. DO NOT EDIT. -*- buffer-read-only: t -*-
+/* SSLServerSocket.java -- a server socket for SSL connections.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.io.IOException;
+
+import java.net.InetAddress;
+import java.net.ServerSocket;
+
+/**
+ * A server socket that allows clients to connect via the SSL protocol.
+ */
+public abstract class SSLServerSocket extends ServerSocket
+{
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  protected SSLServerSocket() throws IOException
+  {
+    super();
+    //super(0);
+    //throw new UnsupportedOperationException("1.4 socket methods not enabled");
+  }
+
+  protected SSLServerSocket(int port) throws IOException
+  {
+    super(port);
+  }
+
+  protected SSLServerSocket(int port, int backlog) throws IOException
+  {
+    super(port, backlog);
+  }
+
+  protected SSLServerSocket(int port, int backlog, InetAddress bindAddress)
+    throws IOException
+  {
+    super(port, backlog, bindAddress);
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns the list of cihper suites that are currently enabled in this
+   * server socket. Sockets accepted by this server socket will only have
+   * these suites enabled.
+   *
+   * @return The enabled cipher suites.
+   */
+  public abstract String[] getEnabledCipherSuites();
+
+  /**
+   * Sets the list enabled cipher suites.
+   *
+   * @param suites The cipher suites to enable.
+   */
+  public abstract void setEnabledCipherSuites(String[] suites);
+
+  /**
+   * Returns the list of enabled protocols, such as "SSLv3" and "TLSv1".
+   *
+   * @return The enabled protocols.
+   */
+  public abstract String[] getEnabledProtocols();
+
+  /**
+   * Sets the list of enabled protocols.
+   *
+   * @param protocols The list of protocols to enable.
+   */
+  public abstract void setEnabledProtocols(String[] protocols);
+
+  /**
+   * Returns whether or not sessions will be created, i.e., whether or not
+   * this server socket will allow SSL session resumption.
+   *
+   * @return True if sessions will be created.
+   */
+  public abstract boolean getEnableSessionCreation();
+
+  /**
+   * Sets whether or not sessions will be created.
+   *
+   * @param enabled The new enabled value.
+   */
+  public abstract void setEnableSessionCreation(boolean enabled);
+
+  /**
+   * Returns whether or not this server socket will require clients to
+   * authenticate themselves, such as through a certificate.
+   *
+   * @return True if clients must authenticate themselves.
+   */
+  public abstract boolean getNeedClientAuth();
+
+  /**
+   * Enabled or disables the requirement that clients authenticate themselves.
+   * When this is set to <code>true</code>, connections will be rejected if
+   * connecting clients do not provide proper authentication.
+   *
+   * @param needAuth The new need auth value.
+   */
+  public abstract void setNeedClientAuth(boolean needAuth);
+
+  /**
+   * Returns whether or not sockets accepted by this server socket will do
+   * their handshake as the client-side. The default is false.
+   *
+   * @return True if client mode will be used.
+   */
+  public abstract boolean getUseClientMode();
+
+  /**
+   * Sets whether or not sockets accepted by this server socket will be
+   * created in client mode.
+   *
+   * @param clientMode The new client mode value.
+   */
+  public abstract void setUseClientMode(boolean clientMode);
+
+  /**
+   * Returns whether or not this socket will ask for, but not require, that
+   * connecting clients authenticate themselves. Clients that do not
+   * provide authentication they will still be allowed to connect.
+   *
+   * @return True if this server socket wants client authentication.
+   */
+  public abstract boolean getWantClientAuth();
+
+  /**
+   * Sets whether or not this server socket will want client authentication.
+   *
+   * @param wantAuth The new want auth value.
+   */
+  public abstract void setWantClientAuth(boolean wantAuth);
+
+  /**
+   * Returns a list of cipher suites that this server socket supports.
+   *
+   * @return The list of supported suites.
+   */
+  public abstract String[] getSupportedCipherSuites();
+
+  /**
+   * Returns a list of SSL protocols supported by this server socket.
+   *
+   * @return The list of supported protocols.
+   */
+  public abstract String[] getSupportedProtocols();
+}
diff --git a/javax/net/ssl/SSLServerSocketFactory.java b/javax/net/ssl/SSLServerSocketFactory.java
new file mode 100644
index 000000000..ef82d1462
--- /dev/null
+++ b/javax/net/ssl/SSLServerSocketFactory.java
@@ -0,0 +1,172 @@
+/* SSLServerSocketFactory.java -- factory for SSL server sockets.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.KeyStore;
+import java.security.Security;
+import javax.net.ServerSocketFactory;
+
+/**
+ * A server socket factory for <i>Secure Socket Layer</i> (<b>SSL</b>)
+ * server sockets.
+ */
+public abstract class SSLServerSocketFactory extends ServerSocketFactory
+{
+
+  // Field.
+  // -------------------------------------------------------------------------
+
+  private static SSLContext context;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  protected SSLServerSocketFactory()
+  {
+    super();
+  }
+
+  // Class methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns a default implementation of a SSL server socket factory.
+   *
+   * <p>To control the class that gets returned by this method, set the
+   * security property "ssl.ServerSocketFactory.provider" to the class
+   * name of a concrete implementation of this class. If not set, a
+   * system-dependent implementation will be used.</p>
+   *
+   * <p>The implementation returned is created by the first implementation
+   * of the {@link SSLContext} class found, which is initialized with
+   * default parameters. To control the key and trust manager factory
+   * algorithms used as defaults, set the security properties
+   * "ssl.keyManagerFactory.algorithm" and "ssl.trustManagerFactory.algorithm"
+   * to the appropriate names.</p>
+   *
+   * <p>Using this method is not recommended. Instead, use the methods of
+   * {@link SSLContext}, which provide much better control over the
+   * creation of server socket factories.</p>
+   *
+   * @return The default server socket factory.
+   * @throws RuntimeException If no default can be created.
+   */
+  public static synchronized ServerSocketFactory getDefault()
+  {
+    try
+      {
+        String s = Security.getProperty("ssl.ServerSocketFactory.provider");
+        ClassLoader cl = ClassLoader.getSystemClassLoader();
+        if (s != null && cl != null)
+          {
+            return (ServerSocketFactory) cl.loadClass(s).newInstance();
+          }
+      }
+    catch (Exception e)
+      {
+      }
+    if (context == null)
+      {
+        KeyManager[] km = null;
+        TrustManager[] tm = null;
+
+        // 1. Determine which algorithms to use for the key and trust
+        // manager factories.
+        String kmAlg = KeyManagerFactory.getDefaultAlgorithm();
+        String tmAlg = TrustManagerFactory.getDefaultAlgorithm();
+        // 2. Try to initialize the factories with default parameters.
+        try
+          {
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmAlg);
+            kmf.init(null, null);
+            km = kmf.getKeyManagers();
+          }
+        catch (Exception ex)
+          {
+          }
+        try
+          {
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlg);
+            tmf.init((KeyStore) null);
+            tm = tmf.getTrustManagers();
+          }
+        catch (Exception ex)
+          {
+          }
+
+        // 3. Create and initialize a context.
+        try
+          {
+            context = SSLContext.getInstance("SSLv3");
+            context.init(km, tm, null);
+          }
+        catch (Exception ex)
+          {
+            throw new RuntimeException("error instantiating default server socket factory: "
+                                       + ex.toString());
+          }
+      }
+    try
+      {
+        return context.getServerSocketFactory();
+      }
+    catch (Exception e)
+      {
+      }
+    throw new RuntimeException("no SSLSocketFactory implementation available");
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns the list of cipher suites that will be enabled in server sockets
+   * created by this factory.
+   *
+   * @return The default cipher suites.
+   */
+  public abstract String[] getDefaultCipherSuites();
+
+  /**
+   * Returns the list of all cipher suites supported by this factory.
+   *
+   * @return The list of supported cipher suites.
+   */
+  public abstract String[] getSupportedCipherSuites();
+}
diff --git a/javax/net/ssl/SSLSession.java b/javax/net/ssl/SSLSession.java
new file mode 100644
index 000000000..14797f083
--- /dev/null
+++ b/javax/net/ssl/SSLSession.java
@@ -0,0 +1,168 @@
+/* SSLSession.java -- an SSL session.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.cert.Certificate;
+import javax.security.cert.X509Certificate;
+
+/**
+ * An SSL session is a mechanism through which connections can be established
+ * by re-using previously negotiated handshakes.
+ */
+public interface SSLSession
+{
+
+  /**
+   * Returns this session's cihper suite.
+   *
+   * @return The cipher suite.
+   */
+  String getCipherSuite();
+
+  /**
+   * Returns the time in milliseconds since midnight GMT, 1 January 1970, that
+   * this session was created.
+   *
+   * @return The creation time.
+   */
+  long getCreationTime();
+
+  /**
+   * Returns this session's unique identifier, a arbitrary byte array of up
+   * to 32 bytes.
+   *
+   * @return The session identifier.
+   */
+  byte[] getId();
+
+  /**
+   * Returns the last time this session was accessed.
+   *
+   * @return The lest time this session was accessed.
+   */
+  long getLastAccessedTime();
+
+  /**
+   * Returns the chain of certificates that the local side used in the
+   * handshake, or null if none were used.
+   *
+   * @return The local certificate chain.
+   */
+  Certificate[] getLocalCertificates();
+
+  /**
+   * Returns the chain of certificates that the remote side used in
+   * the handshake, or null if none were used.
+   *
+   * @return The peer's certificate chain.
+   * @throws SSLPeerUnverifiedException If the identity of the peer has
+   *   not been verified.
+   */
+  Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException;
+
+  /**
+   * Returns the chain of certificates that the remote side used in
+   * the handshake, or null if none were used.
+   *
+   * @return The peer's certificate chain.
+   * @throws SSLPeerUnverifiedException If the identity of the peer has
+   *   not been verified.
+   */
+  X509Certificate[] getPeerCertificateChain()
+    throws SSLPeerUnverifiedException;
+
+  /**
+   * Returns the remote host's name.
+   *
+   * @return The name of the remote host.
+   */
+  String getPeerHost();
+
+  /**
+   * Returns the protocol this session uses.
+   *
+   * @return The protocol.
+   */
+  String getProtocol();
+
+  /**
+   * Returns this session's session context object.
+   *
+   * @return The session context.
+   * @throws SecurityException If the caller does not have the
+   *   {@link SSLPermission} "getSessionContext".
+   */
+  SSLSessionContext getSessionContext();
+
+  /**
+   * Returns the names of all values bound to this session.
+   *
+   * @return The list of bound names.
+   */
+  String[] getValueNames();
+
+  /**
+   * Returns the object bound to the given name.
+   *
+   * @param name The name of the value to get.
+   * @return The object bound by that name, or null.
+   */
+  Object getValue(String name);
+
+  /**
+   * Invalidates this session, ensuring that it will not be continued by
+   * another socket.
+   */
+  void invalidate();
+
+  /**
+   * Binds a value to this session, with the given name.
+   *
+   * @param name The name to bind the object with.
+   * @param value The value to bind.
+   */
+  void putValue(String name, Object value);
+
+  /**
+   * Un-binds a value.
+   *
+   * @param name The name of the value to un-bind.
+   */
+  void removeValue(String name);
+}
diff --git a/javax/net/ssl/SSLSessionBindingEvent.java b/javax/net/ssl/SSLSessionBindingEvent.java
new file mode 100644
index 000000000..e0d27efa6
--- /dev/null
+++ b/javax/net/ssl/SSLSessionBindingEvent.java
@@ -0,0 +1,94 @@
+/* SSLSessionBindingEvent.java -- SSL binding event.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.util.EventObject;
+
+/**
+ * An event raised by {@link SSLSession} objects when objects are bound to
+ * them.
+ */
+public class SSLSessionBindingEvent extends EventObject
+{
+
+  // Fields.
+  // -------------------------------------------------------------------
+
+  private static final long serialVersionUID = 3989172637106345L;
+
+  private final String name;
+
+  // Constructor.
+  // -------------------------------------------------------------------
+
+  /**
+   * Creates a new binding event.
+   *
+   * @param session The session being bound to.
+   * @param name The name the object was bound under.
+   */
+  public SSLSessionBindingEvent(SSLSession session, String name)
+  {
+    super(session);
+    this.name = name;
+  }
+
+  // Instance methods.
+  // --------------------------------------------------------------------
+
+  /**
+   * Returns the name the object was bound under.
+   *
+   * @return The name.
+   */
+  public String getName()
+  {
+    return name;
+  }
+
+  /**
+   * Returns the session that the object was bound to.
+   *
+   * @return The session.
+   */
+  public SSLSession getSession()
+  {
+    return (SSLSession) getSource();
+  }
+}
diff --git a/javax/net/ssl/SSLSessionBindingListener.java b/javax/net/ssl/SSLSessionBindingListener.java
new file mode 100644
index 000000000..2e2432d4a
--- /dev/null
+++ b/javax/net/ssl/SSLSessionBindingListener.java
@@ -0,0 +1,65 @@
+/* SSLSessionBindingListener.java -- listener for SSL bindings.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.util.EventListener;
+
+/**
+ * An event listener interface that should be notified when it is bound or
+ * unbound to a {@link SSLSession}.
+ */
+public interface SSLSessionBindingListener extends EventListener
+{
+
+  /**
+   * This method is called of all objects when they are bound to an SSL
+   * session.
+   *
+   * @param event The binding event.
+   */
+  void valueBound(SSLSessionBindingEvent event);
+
+  /**
+   * This method is called of all objects when they are unbound to an SSL
+   * session.
+   *
+   * @param event The binding event.
+   */
+  void valueUnbound(SSLSessionBindingEvent event);
+}
diff --git a/javax/net/ssl/SSLSessionContext.java b/javax/net/ssl/SSLSessionContext.java
new file mode 100644
index 000000000..0cbdeed9d
--- /dev/null
+++ b/javax/net/ssl/SSLSessionContext.java
@@ -0,0 +1,103 @@
+/* SSLSessionContext.java -- collection of SSL sessions.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.util.Enumeration;
+
+/**
+ * A collection of saved SSL sessions, with thier corresponding session
+ * IDs.
+ *
+ * @author Casey Marshall (rsdio@metastatic.org)
+ */
+public interface SSLSessionContext
+{
+
+  /**
+   * Returns an enumeration of all saved session IDs. Every element in
+   * the returned enumeration is a byte array.
+   *
+   * @return The session IDs.
+   */
+  Enumeration getIds();
+
+  /**
+   * Gets the session specified by its ID, or <code>null</code> if there
+   * is no session, or if it has expired.
+   *
+   * @param sessionId The ID of the session to get.
+   * @return The session, or <code>null</code>.
+   */
+  SSLSession getSession(byte[] sessionId);
+
+  /**
+   * Returns the maximum number of sessions that may be cached by this
+   * session context.
+   *
+   * @return The maximum number of sessions that may be cached.
+   */
+  int getSessionCacheSize();
+
+  /**
+   * Returns the period of time (in seconds) that a session may be cached
+   * for before becoming invalid.
+   *
+   * @return The time a session may be valid.
+   */
+  int getSessionTimeout();
+
+  /**
+   * Sets the maximum number of sessions that may be cached by this
+   * session context. A cache size of 0 means no limit.
+   *
+   * @param size The new cache size.
+   * @throws IllegalArgumentException If <code>size</code> is negative.
+   */
+  void setSessionCacheSize(int size);
+
+  /**
+   * Sets the period of time (in seconds) that a session may be cached
+   * for before becoming invalid. A timeout of 0 means that sessions
+   * never expire.
+   *
+   * @param seconds The new timeout.
+   * @throws IllegalArgumentException If <code>seconds</code> is negative.
+   */
+  void setSessionTimeout(int seconds);
+}
diff --git a/javax/net/ssl/SSLSocket.java b/javax/net/ssl/SSLSocket.java
new file mode 100644
index 000000000..8b943b9d6
--- /dev/null
+++ b/javax/net/ssl/SSLSocket.java
@@ -0,0 +1,229 @@
+/* SSLSocket.java -- an SSL client socket.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.io.IOException;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.net.UnknownHostException;
+
+/**
+ * A socket that communicates over the secure socket layer protocol.
+ */
+public abstract class SSLSocket extends Socket
+{
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  protected SSLSocket()
+  {
+    super();
+  }
+
+  protected SSLSocket(String host, int port)
+    throws IOException, UnknownHostException
+  {
+    super(host, port);
+  }
+
+  protected SSLSocket(InetAddress address, int port) throws IOException
+  {
+    super(address, port);
+  }
+
+  protected SSLSocket(String host, int port,
+                      InetAddress localAddr, int localPort)
+    throws IOException, UnknownHostException
+  {
+    super(host, port, localAddr, localPort);
+  }
+
+  protected SSLSocket(InetAddress address, int port,
+                      InetAddress localAddr, int localPort)
+    throws IOException
+  {
+    super(address, port, localAddr, localPort);
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Adds a handshake completed listener that wants to be notified when the
+   * SSL handshake completes.
+   *
+   * @param listener The listener to add.
+   */
+  public abstract void
+    addHandshakeCompletedListener(HandshakeCompletedListener listener);
+
+  /**
+   * Removes a handshake listener from this socket.
+   *
+   * @param listener The listener to remove.
+   */
+  public abstract void
+    removeHandshakeCompletedListener(HandshakeCompletedListener listener);
+
+  /**
+   * Returns the list of currently enabled cipher suites.
+   *
+   * @return The list of enabled cipher suites.
+   */
+  public abstract String[] getEnabledCipherSuites();
+
+  /**
+   * Sets the list of enabled cipher suites.
+   *
+   * @param suites The list of suites to enable.
+   */
+  public abstract void setEnabledCipherSuites(String[] suites);
+
+  /**
+   * Returns the list of enabled SSL protocols.
+   *
+   * @return The list of enabled protocols.
+   */
+  public abstract String[] getEnabledProtocols();
+
+  /**
+   * Sets the list of enabled SSL protocols.
+   *
+   * @param protocols The list of protocols to enable.
+   */
+  public abstract void setEnabledProtocols(String[] protocols);
+
+  /**
+   * Returns whether or not sessions will be created by this socket, and thus
+   * allow sessions to be continued later.
+   *
+   * @return Whether or not sessions will be created.
+   */
+  public abstract boolean getEnableSessionCreation();
+
+  /**
+   * Sets whether or not sessions will be created by this socket.
+   *
+   * @param enable The new value.
+   */
+  public abstract void setEnableSessionCreation(boolean enable);
+
+  /**
+   * Returns whether or not this socket will require connecting clients to
+   * authenticate themselves. This value only applies to sockets in server
+   * mode.
+   *
+   * @return Whether or not this socket requires client authentication.
+   */
+  public abstract boolean getNeedClientAuth();
+
+  /**
+   * Sets whether or not this socket will require connecting clients to
+   * authenticate themselves. This value only applies to sockets in server
+   * mode.
+   *
+   * @param needAuth The new need auth value.
+   */
+  public abstract void setNeedClientAuth(boolean needAuth);
+
+  /**
+   * Returns this socket's session object.
+   *
+   * @return The session.
+   */
+  public abstract SSLSession getSession();
+
+  /**
+   * Returns the list of cipher suites supported by this socket.
+   *
+   * @return The list of supported cipher suites.
+   */
+  public abstract String[] getSupportedCipherSuites();
+
+  /**
+   * Returns the list of protocols supported by this socket.
+   *
+   * @return The list of supported protocols.
+   */
+  public abstract String[] getSupportedProtocols();
+
+  /**
+   * Returns whether or not this socket will connect in client mode.
+   *
+   * @return True if this is a client socket.
+   */
+  public abstract boolean getUseClientMode();
+
+  /**
+   * Sets whether or not this socket will connect in client mode.
+   *
+   * @param clientMode The new value.
+   */
+  public abstract void setUseClientMode(boolean clientMode);
+
+  /**
+   * Returns whether or not this socket will request that connecting clients
+   * authenticate themselves. This value only applies to sockets in server
+   * mode.
+   *
+   * @return The want client auth value.
+   */
+  public abstract boolean getWantClientAuth();
+
+  /**
+   * Sets whether or not this socket will request that connecting clients
+   * authenticate themselves. This value only applies to sockets in server
+   * mode.
+   *
+   * @param wantAuth The new want auth value.
+   */
+  public abstract void setWantClientAuth(boolean wantAuth);
+
+  /**
+   * Explicitly begins the handshake, or, if the handshake has already
+   * completed, requests that the handshake be repeated.
+   *
+   * <p>The handshake will begin implicitly when any attempt to read or
+   * write to the socket is made.</p>
+   *
+   * @throws IOException If an I/O or SSL error occurs.
+   */
+  public abstract void startHandshake() throws IOException;
+}
diff --git a/javax/net/ssl/SSLSocketFactory.java b/javax/net/ssl/SSLSocketFactory.java
new file mode 100644
index 000000000..181ab18a1
--- /dev/null
+++ b/javax/net/ssl/SSLSocketFactory.java
@@ -0,0 +1,192 @@
+/* SSLSocketFactory.java -- factory for SSL client sockets.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.io.IOException;
+import java.net.Socket;
+import java.security.AccessController;
+import java.security.KeyStore;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import javax.net.SocketFactory;
+
+/**
+ * A socket factory for creating <i>Secure Socket Layer</i> (<b>SSL</b>)
+ * sockets.
+ */
+public abstract class SSLSocketFactory extends SocketFactory
+{
+
+  // Constants.
+  // -------------------------------------------------------------------------
+
+  private static SSLContext context;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  public SSLSocketFactory()
+  {
+    super();
+  }
+
+  // Class methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns a default implementation of a SSL socket factory.
+   *
+   * <p>To control the class that gets returned by this method, set the
+   * security property "ssl.SocketFactory.provider" to the class
+   * name of a concrete implementation of this class. If not set, a
+   * system-dependent implementation will be used.</p>
+   *
+   * <p>The implementation returned is created by the first implementation
+   * of the {@link SSLContext} class found, which is initialized with
+   * default parameters. To control the key and trust manager factory
+   * algorithms used as defaults, set the security properties
+   * "ssl.keyManagerFactory.algorithm" and "ssl.trustManagerFactory.algorithm"
+   * to the appropriate names.</p>
+   *
+   * <p>Using this method is not recommended. Instead, use the methods of
+   * {@link SSLContext}, which provide much better control over the
+   * creation of socket factories.</p>
+   *
+   * @return The default socket factory.
+   * @throws RuntimeException If no default can be created.
+   */
+  public static synchronized SocketFactory getDefault()
+  {
+    try
+      {
+        String s = Security.getProperty("ssl.SocketFactory.provider");
+        ClassLoader cl = ClassLoader.getSystemClassLoader();
+        if (s != null && cl != null)
+          {
+            return (SocketFactory) cl.loadClass(s).newInstance();
+          }
+      }
+    catch (Exception e)
+      {
+      }
+    if (context == null)
+      {
+        KeyManager[] km = null;
+        TrustManager[] tm = null;
+
+        // 1. Determine which algorithms to use for the key and trust
+        // manager factories.
+        String kmAlg = KeyManagerFactory.getDefaultAlgorithm();
+        String tmAlg = TrustManagerFactory.getDefaultAlgorithm();
+
+        // 2. Try to initialize the factories with default parameters.
+        try
+          {
+            KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmAlg);
+            kmf.init(null, null);
+            km = kmf.getKeyManagers();
+          }
+        catch (Exception ex)
+          {
+          }
+        try
+          {
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlg);
+            tmf.init((KeyStore) null);
+            tm = tmf.getTrustManagers();
+          }
+        catch (Exception ex)
+          {
+          }
+
+        // 3. Create and initialize a context.
+        try
+          {
+            context = SSLContext.getInstance("SSLv3");
+            context.init(km, tm, null);
+          }
+        catch (Exception ex)
+          {
+            throw new RuntimeException("error instantiating default socket factory: "
+                                       + ex.toString());
+          }
+      }
+    try
+      {
+        return context.getSocketFactory();
+      }
+    catch (Exception e)
+      {
+      }
+    throw new RuntimeException("no SSLSocketFactory implementation available");
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Creates a SSL socket wrapped around an existing socket.
+   *
+   * @param socket The socket to wrap.
+   * @param host The host the socket is connected to.
+   * @param port The port the socket is connected to.
+   * @param autoClose Whether or not the wrapped socket should be closed
+   *   automatically.
+   * @return The new SSL socket.
+   * @throws IOException If the socket could not be created.
+   */
+  public abstract Socket createSocket(Socket socket, String host,
+                                      int port, boolean autoClose)
+    throws IOException;
+
+  /**
+   * Returns the list of cipher suites that will be enabled in sockets
+   * created by this factory.
+   *
+   * @return The default cipher suites.
+   */
+  public abstract String[] getDefaultCipherSuites();
+
+  /**
+   * Returns the list of all cipher suites supported by this factory.
+   *
+   * @return The list of supported cipher suites.
+   */
+  public abstract String[] getSupportedCipherSuites();
+}
diff --git a/javax/net/ssl/TrivialHostnameVerifier.java b/javax/net/ssl/TrivialHostnameVerifier.java
new file mode 100644
index 000000000..e4e2befc0
--- /dev/null
+++ b/javax/net/ssl/TrivialHostnameVerifier.java
@@ -0,0 +1,51 @@
+/* TrivialHostnameVerifier.java -- non-verifing verifier.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * A hostname verifier that always rejects mismatched hostnames.
+ */
+class TrivialHostnameVerifier implements HostnameVerifier
+{
+
+  public boolean verify(String hostname, SSLSession session)
+  {
+    return false;
+  }
+}
diff --git a/javax/net/ssl/TrustManager.java b/javax/net/ssl/TrustManager.java
new file mode 100644
index 000000000..f90629ab4
--- /dev/null
+++ b/javax/net/ssl/TrustManager.java
@@ -0,0 +1,47 @@
+/* TrustManager.java -- marker interface for trust managers.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+/**
+ * A marker interface for classes that establish the trust of remote
+ * hosts.
+ */
+public interface TrustManager
+{
+}
diff --git a/javax/net/ssl/TrustManagerFactory.java b/javax/net/ssl/TrustManagerFactory.java
new file mode 100644
index 000000000..84059c896
--- /dev/null
+++ b/javax/net/ssl/TrustManagerFactory.java
@@ -0,0 +1,279 @@
+/* TrustManagerFactory.java -- factory for trust managers.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.AccessController;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+
+import gnu.java.security.Engine;
+
+/**
+ * A factory for creating trust manager objects.
+ */
+public class TrustManagerFactory
+{
+
+  // Constants and fields.
+  // -------------------------------------------------------------------------
+
+  /** The service name for trust manager factories. */
+  private static final String TRUST_MANAGER_FACTORY = "TrustManagerFactory";
+
+  /** The system default trust manager algorithm. */
+  private static final String DEFAULT_ALGORITHM = "JessieX509";
+
+  /** The underlying engine class. */
+  private final TrustManagerFactorySpi tmfSpi;
+
+  /** The provider of the engine class. */
+  private final Provider provider;
+
+  /** The name of this trust manager algorithm. */
+  private final String algorithm;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Creates a new trust manager factory.
+   *
+   * @param tmfSpi The underlying engine class.
+   * @param provider The provider of the engine class.
+   * @param algorithm The trust manager algorithm name.
+   */
+  protected TrustManagerFactory(TrustManagerFactorySpi tmfSpi,
+                                Provider provider, String algorithm)
+  {
+    this.tmfSpi = tmfSpi;
+    this.provider = provider;
+    this.algorithm = algorithm;
+  }
+
+  // Class methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns an instance of a trust manager factory for the given algorithm
+   * from the first provider that implements it.
+   *
+   * @param algorithm The name of the algorithm to get.
+   * @return The instance of the trust manager factory.
+   * @throws NoSuchAlgorithmException If no provider implements the given
+   *   algorithm.
+   */
+  public static final TrustManagerFactory getInstance(String algorithm)
+    throws NoSuchAlgorithmException
+  {
+    Provider[] provs = Security.getProviders();
+    for (int i = 0; i < provs.length; i++)
+      {
+        try
+          {
+            return getInstance(algorithm, provs[i]);
+          }
+        catch (NoSuchAlgorithmException ignore)
+          {
+          }
+      }
+    throw new NoSuchAlgorithmException(algorithm);
+  }
+
+  /**
+   * Returns an instance of a trust manager factory for the given algorithm
+   * from the named provider.
+   *
+   * @param algorithm The name of the algorithm to get.
+   * @param provider The name of the provider to get the instance from.
+   * @return The instance of the trust manager factory.
+   * @throws NoSuchAlgorithmException If the provider does not implement the
+   *   given algorithm.
+   * @throws NoSuchProviderException If there is no such named provider.
+   * @throws IllegalArgumentException If the provider argument is null.
+   */
+  public static final TrustManagerFactory getInstance(String algorithm,
+                                                      String provider)
+    throws NoSuchAlgorithmException, NoSuchProviderException
+  {
+    if (provider == null)
+      {
+        throw new IllegalArgumentException();
+      }
+    Provider p = Security.getProvider(provider);
+    if (p == null)
+      {
+        throw new NoSuchProviderException(provider);
+      }
+    return getInstance(algorithm, p);
+  }
+
+  /**
+   * Returns an instance of a trust manager factory for the given algorithm
+   * from the specified provider.
+   *
+   * @param algorithm The name of the algorithm to get.
+   * @param provider The provider to get the instance from.
+   * @return The instance of the trust manager factory.
+   * @throws NoSuchAlgorithmException If the provider does not implement the
+   *   given algorithm.
+   * @throws IllegalArgumentException If the provider argument is null.
+   */
+  public static final TrustManagerFactory getInstance(String algorithm,
+                                                      Provider provider)
+    throws NoSuchAlgorithmException
+  {
+    if (provider == null)
+      {
+        throw new IllegalArgumentException();
+      }
+    try
+      {
+        return new TrustManagerFactory((TrustManagerFactorySpi)
+          Engine.getInstance(TRUST_MANAGER_FACTORY, algorithm, provider),
+          provider, algorithm);
+      }
+    catch (InvocationTargetException ite)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+    catch (ClassCastException cce)
+      {
+        throw new NoSuchAlgorithmException(algorithm);
+      }
+  }
+
+  /**
+   * Returns the default algorithm for trust manager factories. The value
+   * returned is either the value of the security property
+   * "ssl.TrustManagerFactory.algorithm" if it is set, or the value "JessieX509"
+   * if not.
+   *
+   * @return The default algorithm name.
+   * @see Security.getProperty(java.lang.String)
+   */
+  public static final String getDefaultAlgorithm()
+  {
+    String alg = null;
+    try
+      {
+        alg = (String) AccessController.doPrivileged(
+          new PrivilegedAction()
+          {
+            public Object run()
+            {
+              return Security.getProperty("ssl.TrustManagerFactory.algorithm");
+            }
+          }
+        );
+      }
+    catch (SecurityException se)
+      {
+      }
+    if (alg == null)
+      alg = DEFAULT_ALGORITHM;
+    return alg;
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns the name of this trust manager algorithm.
+   *
+   * @return The algorithm name.
+   */
+  public final String getAlgorithm()
+  {
+    return algorithm;
+  }
+
+  /**
+   * Returns the provider of the underlying implementation.
+   *
+   * @return The provider.
+   */
+  public final Provider getProvider()
+  {
+    return provider;
+  }
+
+  /**
+   * Returns the trust managers created by this factory.
+   *
+   * @return The trust managers.
+   */
+  public final TrustManager[] getTrustManagers()
+  {
+    return tmfSpi.engineGetTrustManagers();
+  }
+
+  /**
+   * Initialize this instance with some algorithm-specific parameters.
+   *
+   * @param params The parameters.
+   * @throws InvalidAlgorithmParameterException If the supplied parameters
+   *   are inappropriate for this instance.
+   */
+  public final void init(ManagerFactoryParameters params)
+    throws InvalidAlgorithmParameterException
+  {
+    tmfSpi.engineInit(params);
+  }
+
+  /**
+   * Initialize this instance with a key store. The key store may be null,
+   * in which case a default will be used.
+   *
+   * @param store The key store.
+   * @throws KeyStoreException If there is a problem reading from the
+   *   key store.
+   */
+  public final void init(KeyStore store) throws KeyStoreException
+  {
+    tmfSpi.engineInit(store);
+  }
+}
diff --git a/javax/net/ssl/TrustManagerFactorySpi.java b/javax/net/ssl/TrustManagerFactorySpi.java
new file mode 100644
index 000000000..389e02325
--- /dev/null
+++ b/javax/net/ssl/TrustManagerFactorySpi.java
@@ -0,0 +1,88 @@
+/* TrustManagerFactorySpi.java -- SPI for trust manager factories.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+
+/**
+ * The <i>service provider interface</i> (<b>SPI</b>) for trust managers.
+ */
+public abstract class TrustManagerFactorySpi
+{
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  public TrustManagerFactorySpi()
+  {
+    super();
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Engine method that returns the trust managers created by this factory.
+   *
+   * @return The trust managers.
+   */
+  protected abstract TrustManager[] engineGetTrustManagers();
+
+  /**
+   * Engine method that initializes this factory with some algorithm-specific
+   * parameters.
+   *
+   * @param params The parameters.
+   * @throws InvalidAlgorithmParameterException If the given parameters are
+   *   inappropriate.
+   */
+  protected abstract void engineInit(ManagerFactoryParameters params)
+    throws InvalidAlgorithmParameterException;
+
+  /**
+   * Engine method that initializes this factory with a key store. The key
+   * store parameter may be null, in which case some default should be used.
+   *
+   * @param store The key store.
+   * @throws KeyStoreException If a problem occurs reading from the key store.
+   */
+  protected abstract void engineInit(KeyStore store) throws KeyStoreException;
+}
diff --git a/javax/net/ssl/X509KeyManager.java b/javax/net/ssl/X509KeyManager.java
new file mode 100644
index 000000000..d5c00b62c
--- /dev/null
+++ b/javax/net/ssl/X509KeyManager.java
@@ -0,0 +1,108 @@
+/* X509KeyManager.java -- X.509 key manager interface.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.net.Socket;
+
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * A key manager for X.509 certificates and their associated private keys.
+ */
+public interface X509KeyManager extends KeyManager
+{
+
+  /**
+   * Choose an alias for client-side authentication.
+   *
+   * @param keyTypes A list of acceptable key types.
+   * @param issuers A list of acceptable certificate issuers.
+   * @param socket The connecting socket.
+   * @return The chosen alias.
+   */
+  String chooseClientAlias(String[] keyTypes, Principal[] issuers,
+                           Socket socket);
+
+  /**
+   * Choose an alias for server-side authentication.
+   *
+   * @param keyType The desired certificate type.
+   * @param issuers A list of acceptable certificate issuers.
+   * @param socket The connecting socket.
+   * @return The chosen alias.
+   */
+  String chooseServerAlias(String keyType, Principal[] issuers,
+                           Socket socket);
+
+  /**
+   * Gets the X.509 certificate chain associated with the given alias.
+   *
+   * @param alias The alias.
+   * @return The certificate chain.
+   */
+  X509Certificate[] getCertificateChain(String alias);
+
+  /**
+   * Returns all client aliases that support the given key type.
+   *
+   * @param keyType The desired key type.
+   * @param issuers A list of acceptable certificate issuers.
+   * @return The (possibly empty) list of aliases.
+   */
+  String[] getClientAliases(String keyType, Principal[] issuers);
+
+  /**
+   * Gets the private key associated with the given alias.
+   *
+   * @param alias The alias.
+   * @return The private key.
+   */
+  PrivateKey getPrivateKey(String alias);
+
+  /**
+   * Returns all server aliases that support the given key type.
+   *
+   * @param keyType The desired key type.
+   * @param issuers A list of acceptable certificate issuers.
+   * @return The (possibly empty) list of aliases.
+   */
+  String[] getServerAliases(String keyType, Principal[] issuers);
+}
diff --git a/javax/net/ssl/X509TrustManager.java b/javax/net/ssl/X509TrustManager.java
new file mode 100644
index 000000000..b63e0a830
--- /dev/null
+++ b/javax/net/ssl/X509TrustManager.java
@@ -0,0 +1,76 @@
+/* X509TrustManager.java -- X.509 trust manager interface.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.net.ssl;
+
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+
+/**
+ * A trust manager for dealing with X.509 certificates.
+ */
+public interface X509TrustManager extends TrustManager
+{
+
+  /**
+   * Checks if a certificate chain sent by the client is trusted.
+   *
+   * @param chain The certificate chain to check.
+   * @param authType The authentication type.
+   * @throws CertificateException If the client's certificates are not trusted.
+   */
+  void checkClientTrusted(X509Certificate[] chain, String authType)
+    throws CertificateException;
+
+  /**
+   * Checks if a certificate chain sent by the server is trusted.
+   *
+   * @param chain The certificate chain to check.
+   * @param authType The authentication type.
+   * @throws CertificateException If the server's certificates are not trusted.
+   */
+  void checkServerTrusted(X509Certificate[] chain, String authType)
+    throws CertificateException;
+
+  /**
+   * Returns the list of trusted issuer certificates currently in use.
+   *
+   * @return The list of trusted issuer certificates.
+   */
+  X509Certificate[] getAcceptedIssuers();
+}
diff --git a/javax/security/auth/AuthPermission.java b/javax/security/auth/AuthPermission.java
new file mode 100644
index 000000000..b4ffa15a9
--- /dev/null
+++ b/javax/security/auth/AuthPermission.java
@@ -0,0 +1,146 @@
+/* AuthPermission.java -- permissions related to authentication.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+import java.security.BasicPermission;
+
+/**
+ * <p>A permission controlling access to authentication service. The
+ * <i>actions</i> field of auth permission objects is ignored; the whole
+ * of the permission is defined by the <i>target</i>.</p>
+ *
+ * <p>The authentication permission targets recognized are:</p>
+ *
+ * <dl>
+ * <dt><code>doAs</code></dt>
+ *
+ * <dd><p>Allows access to the {@link
+ * Subject#doAs(javax.security.auth.Subject  java.security.PrivilegedAction)}
+ * methods.</p></dd>
+ *
+ * <dt><code>doAsPrivileged</code></dt>
+ *
+ * <dd><p>Allows access to the {@link
+ * Subject#doAsPrivileged(javax.security.auth.Subject,
+ * java.security.PrivilegedAction, java.security.AccessControlContext)}
+ * methods.</p></dd>
+ *
+ * <dt><code>getSubject</code></dt>
+ *
+ * <dd><p>Allows access to the {@link Subject} associated with a
+ * thread.</p></dd>
+ *
+ * <dt><code>getSubjectFromDomainCombiner</code></dt>
+ *
+ * <dd><p>Allows access to the {@link Subject} associated with a
+ * {@link SubjectDomainCombiner}.</p></dd>
+ *
+ * <dt><code>setReadOnly</code></dt>
+ *
+ * <dd><p>Allows a {@link Subject} to be marked as read-only.</p></dd>
+ *
+ * <dt><code>modifyPrincipals</code></dt>
+ *
+ * <dd><p>Allows the set of principals of a subject to be modified.</p></dd>
+ *
+ * <dt><code>modifyPublicCredentials</code></dt>
+ *
+ * <dd><p>Allows the set of public credentials of a subject to be
+ * modified.</p></dd>
+ *
+ * <dt><code>modifyPrivateCredentials</code></dt>
+ *
+ * <dd><p>Allows the set of private credentials of a subject to be
+ * modified.</p></dd>
+ *
+ * <dt><code>refreshCredential</code></dt>
+ *
+ * <dd><p>Allows a {@link Refreshable} credential to be refreshed.</p></dd>
+ *
+ * <dt><code>destroyCredential</code></dt>
+ *
+ * <dd><p>Allows a {@link Destroyable} credential to be destroyed.</p></dd>
+ *
+ * <dt><code>createLoginContext.<i>name</i></code></dt>
+ *
+ * <dd><p>Allows a {@link javax.security.auth.login.LoginContext} for the
+ * given <i>name</i>. <i>name</i> can also be a wildcard (<code>'*'</code>),
+ * which allows the creation of a context with any name.</p></dd>
+ *
+ * <dt><code>getLoginConfiguration</code></dt>
+ *
+ * <dd><p>Allows the system-wide login {@link
+ * javax.security.auth.login.Configuration} to be retrieved.</p></dd>
+ *
+ * <dt><code>setLoginConfiguration</code></dt>
+ *
+ * <dd><p>Allows the system-wide login {@link
+ * javax.security.auth.login.Configuration} to be set.</p></dd>
+ *
+ * <dt><code>refreshLoginConfiguration</code></dt>
+ *
+ * <dd><p>Allows the system-wide login {@link
+ * javax.security.auth.login.Configuration} to be refreshed.</p></dd>
+ * </dl>
+ */
+public final class AuthPermission extends BasicPermission
+{
+
+  /**
+   * Creates a new authentication permission for the given target name.
+   *
+   * @param name The target name.
+   */
+  public AuthPermission (String name)
+  {
+    super (name);
+  }
+
+  /**
+   * Creates a new authentication permission for the given target name.
+   * The actions list is not used by this class.
+   *
+   * @param name The target name.
+   * @param actions The action list.
+   */
+  public AuthPermission (String name, String actions)
+  {
+    super (name, actions);
+  }
+}
diff --git a/javax/security/auth/DestroyFailedException.java b/javax/security/auth/DestroyFailedException.java
new file mode 100644
index 000000000..00bbd8966
--- /dev/null
+++ b/javax/security/auth/DestroyFailedException.java
@@ -0,0 +1,67 @@
+/* DestroyFailedException.java -- signals an object could not be destroyed.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+/**
+ * An exception thrown when the {@link Destroyable#destroy()} method
+ * fails for a credential.
+ *
+ * @see Destroyable
+ */
+public class DestroyFailedException extends Exception
+{
+
+  /**
+   * Creates a new DestroyFailedException with no detail message.
+   */
+  public DestroyFailedException()
+  {
+    super();
+  }
+
+  /**
+   * Creates a new DestroyFailedException with a detail message.
+   *
+   * @param message The detail message.
+   */
+  public DestroyFailedException (String message)
+  {
+    super (message);
+  }
+}
diff --git a/javax/security/auth/Destroyable.java b/javax/security/auth/Destroyable.java
new file mode 100644
index 000000000..484bece8d
--- /dev/null
+++ b/javax/security/auth/Destroyable.java
@@ -0,0 +1,64 @@
+/* Destroyable.java -- an immutable object that may be destroyed.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+/**
+ * An interface for objects that are immutable but whose sensitive
+ * data may be wiped out.
+ */
+public interface Destroyable
+{
+
+  /**
+   * Destroy this object, clearing all sensitive fields appropriately.
+   *
+   * @throws DestroyFailedException If this object could not be
+   *   destroyed.
+   * @throws SecurityException If the caller does not have permission
+   *   to destroy this object.
+   */
+  void destroy() throws DestroyFailedException;
+
+  /**
+   * Tells whether or not this object has been destroyed.
+   *
+   * @return True if this object has been destroyed.
+   */
+  boolean isDestroyed();
+}
diff --git a/javax/security/auth/Policy.java b/javax/security/auth/Policy.java
new file mode 100644
index 000000000..2234d8573
--- /dev/null
+++ b/javax/security/auth/Policy.java
@@ -0,0 +1,79 @@
+/* Policy.java -- deprecated precursor to java.security.Policy.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+import java.security.CodeSource;
+import java.security.PermissionCollection;
+
+/**
+ * @deprecated The classes java.security.Policy and
+ * java.security.ProtectionDomain provide the functionality of this class.
+ */
+public abstract class Policy
+{
+
+  private static Policy policy;
+
+  protected Policy()
+  {
+  }
+
+  public static synchronized Policy getPolicy()
+  {
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("getPolicy"));
+      }
+    return policy;
+  }
+
+  public static synchronized void setPolicy (Policy p)
+  {
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("setPolicy"));
+      }
+    policy = p;
+  }
+
+  public abstract PermissionCollection getPermissions (Subject subject, CodeSource source);
+  public abstract void refresh();
+}
diff --git a/javax/security/auth/PrivateCredentialPermission.java b/javax/security/auth/PrivateCredentialPermission.java
new file mode 100644
index 000000000..db9fed793
--- /dev/null
+++ b/javax/security/auth/PrivateCredentialPermission.java
@@ -0,0 +1,322 @@
+/* PrivateCredentialPermission.java -- permissions governing private credentials.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+import java.io.Serializable;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Set;
+import java.util.StringTokenizer;
+
+/**
+ * A permission governing access to a private credential. The action of this
+ * permission is always "read" -- meaning that the private credential
+ * information can be read from an object.
+ *
+ * <p>The target of this permission is formatted as follows:</p>
+ *
+ * <p><code>CredentialClassName ( PrinicpalClassName PrincipalName )*</code></p>
+ *
+ * <p><i>CredentialClassName</i> is either the name of a private credential
+ * class name, or a wildcard character (<code>'*'</code>).
+ * <i>PrinicpalClassName</i> is the class name of a principal object, and
+ * <i>PrincipalName</i> is a string representing the principal, or the
+ * wildcard character.</p>
+ */
+public class PrivateCredentialPermission extends Permission
+  implements Serializable
+{
+
+  // Fields.
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial The credential class name.
+   */
+  private final String credentialClass;
+
+  /**
+   * @serial The principals, a set of CredOwner objects (an undocumented
+   *  inner class of this class).
+   */
+  private final Set principals;
+
+  /**
+   * @serial Who knows?
+   */
+  private final boolean testing;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Create a new private credential permission.
+   *
+   * @param name The permission target name.
+   * @param actions The list of actions, which, for this class, must be
+   *  <code>"read"</code>.
+   */
+  public PrivateCredentialPermission (final String name, String actions)
+  {
+    super(name);
+    actions = actions.trim().toLowerCase();
+    if (!"read".equals (actions))
+      {
+        throw new IllegalArgumentException("actions must be \"read\"");
+      }
+    StringTokenizer st = new StringTokenizer (name, " \"'");
+    principals = new HashSet();
+    if (st.countTokens() < 3 || (st.countTokens() & 1) == 0)
+      {
+        throw new IllegalArgumentException ("badly formed credential name");
+      }
+    credentialClass = st.nextToken();
+    while (st.hasMoreTokens())
+      {
+        principals.add (new CredOwner (st.nextToken(), st.nextToken()));
+      }
+    testing = false; // WTF ever.
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  public boolean equals (Object o)
+  {
+    if (! (o instanceof PrivateCredentialPermission))
+      {
+        return false;
+      }
+    PrivateCredentialPermission that = (PrivateCredentialPermission) o;
+    if (!that.getActions().equals (getActions()))
+      {
+        return false;
+      }
+    if (!that.getCredentialClass().equals (getCredentialClass()))
+      {
+        return false;
+      }
+
+    final String[][] principals = getPrincipals();
+    final String[][] that_principals = that.getPrincipals();
+    if (that_principals == null)
+      {
+        return false;
+      }
+    if (that_principals.length != principals.length)
+      {
+        return false;
+      }
+    for (int i = 0; i < principals.length; i++)
+      {
+        if (!principals[i][0].equals (that_principals[i][0]) ||
+            !principals[i][1].equals (that_principals[i][1]))
+          {
+            return false;
+          }
+      }
+    return true;
+  }
+
+  /**
+   * Returns the actions this permission encompasses. For private credential
+   * permissions, this is always the string <code>"read"</code>.
+   *
+   * @return The list of actions.
+   */
+  public String getActions()
+  {
+    return "read";
+  }
+
+  /**
+   * Returns the credential class name that was embedded in this permission's
+   * target name.
+   *
+   * @return The credential class name.
+   */
+  public String getCredentialClass()
+  {
+    return credentialClass;
+  }
+
+  /**
+   * Returns the principal list that was embedded in this permission's target
+   * name.
+   *
+   * <p>Each element of the returned array is a pair; the first element is the
+   * principal class name, and the second is the principal name.
+   *
+   * @return The principal list.
+   */
+  public String[][] getPrincipals()
+  {
+    String[][] ret = new String[principals.size()][];
+    Iterator it = principals.iterator();
+    for (int i = 0; i < principals.size() && it.hasNext(); i++)
+      {
+        CredOwner co = (CredOwner) it.next();
+        ret[i] = new String[] { co.getPrincipalClass(), co.getPrincipalName() };
+      }
+    return ret;
+  }
+
+  public int hashCode()
+  {
+    return credentialClass.hashCode() + principals.hashCode();
+  }
+
+  /**
+   * Test if this permission implies another. This method returns true if:
+   *
+   * <ol>
+   * <li><i>p</i> is an instance of PrivateCredentialPermission</li>.
+   * <li>The credential class name of this instance matches that of <i>p</i>,
+   * and one of the principals of <i>p</i> is contained in the principals of
+   * this class. Thus,
+   *   <ul>
+   *   <li><code>[ * P "foo" ]  implies [ C P "foo" ]</code></li>
+   *   <li><code>[ C P1 "foo" ] implies [ C P1 "foo" P2 "bar" ]</code></li>
+   *   <li><code>[ C P1 "*" ]   implies [ C P1 "foo" ]</code></li>
+   *   </ul>
+   * </ol>
+   *
+   * @param p The permission to check.
+   * @return True if this permission implies <i>p</i>.
+   */
+  public boolean implies (Permission p)
+  {
+    if (! (p instanceof PrivateCredentialPermission))
+      {
+        return false;
+      }
+    PrivateCredentialPermission that = (PrivateCredentialPermission) p;
+    if (!credentialClass.equals ("*")
+        && !credentialClass.equals (that.getCredentialClass()))
+      {
+        return false;
+      }
+    String[][] principals = getPrincipals();
+    String[][] that_principals = that.getPrincipals();
+    if (that_principals == null)
+      {
+        return false;
+      }
+    for (int i = 0; i < principals.length; i++)
+      {
+        for (int j = 0; j < that_principals.length; j++)
+          {
+            if (principals[i][0].equals (that_principals[j][0]) &&
+                (principals[i][1].equals ("*") ||
+                 principals[i][1].equals (that_principals[j][1])))
+              {
+                return true;
+              }
+          }
+      }
+    return false;
+  }
+
+  /**
+   * This method is not necessary for this class, thus it always returns null.
+   *
+   * @return null.
+   */
+  public PermissionCollection newPermissionCollection()
+  {
+    return null;
+  }
+
+  // Inner class.
+  // -------------------------------------------------------------------------
+
+  /**
+   * An undocumented inner class present for serialization compatibility.
+   */
+  private static class CredOwner implements Serializable
+  {
+
+    // Fields.
+    // -----------------------------------------------------------------------
+
+    private final String principalClass;
+    private final String principalName;
+
+    // Constructor.
+    // -----------------------------------------------------------------------
+
+    CredOwner (final String principalClass, final String principalName)
+    {
+      this.principalClass = principalClass;
+      this.principalName = principalName;
+    }
+
+    // Instance methods.
+    // -----------------------------------------------------------------------
+
+    public boolean equals (Object o)
+    {
+      if (!(o instanceof CredOwner))
+        {
+          return false;
+        }
+      return principalClass.equals (((CredOwner) o).getPrincipalClass()) &&
+        principalName.equals (((CredOwner) o).getPrincipalName());
+    }
+
+    public int hashCode()
+    {
+      return principalClass.hashCode() + principalName.hashCode();
+    }
+
+    public String getPrincipalClass()
+    {
+      return principalClass;
+    }
+
+    public String getPrincipalName()
+    {
+      return principalName;
+    }
+  }
+}
diff --git a/javax/security/auth/RefreshFailedException.java b/javax/security/auth/RefreshFailedException.java
new file mode 100644
index 000000000..5be9ab75e
--- /dev/null
+++ b/javax/security/auth/RefreshFailedException.java
@@ -0,0 +1,63 @@
+/* RefreshFailedException.java -- signals a failed refresh.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+/**
+ * A signal that a call to {@link Refreshable#refresh()} failed.
+ */
+public class RefreshFailedException extends Exception
+{
+
+  /**
+   * Create a new RefreshFailedException with no detail message.
+   */
+  public RefreshFailedException()
+  {
+  }
+
+  /**
+   * Create a new RefreshFailedException with a detail message.
+   *
+   * @param message The detail message.
+   */
+  public RefreshFailedException (String message)
+  {
+    super (message);
+  }
+}
diff --git a/javax/security/auth/Refreshable.java b/javax/security/auth/Refreshable.java
new file mode 100644
index 000000000..b3ceded41
--- /dev/null
+++ b/javax/security/auth/Refreshable.java
@@ -0,0 +1,65 @@
+/* Refreshable.java -- an object whose state may be refreshed.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+/**
+ * An object whose internal state may be <em>refreshed:</em> as in a
+ * credential object with a expiry date.
+ */
+public interface Refreshable
+{
+
+  /**
+   * Tells whether or not this object is current. Refreshable objects that
+   * are not current may need to be refreshed.
+   *
+   * @return Whether this object is current.
+   */
+  boolean isCurrent();
+
+  /**
+   * Refresh this object. The process involved in refreshing an object is
+   * per-implementation dependent.
+   *
+   * @throws RefreshFailedException If refreshing this object fails.
+   * @throws SecurityException If the caller does not have permission to
+   *  refresh, or to take the steps involved in refreshing, this object.
+   */
+  void refresh() throws RefreshFailedException;
+}
diff --git a/javax/security/auth/Subject.java b/javax/security/auth/Subject.java
new file mode 100644
index 000000000..264a41c05
--- /dev/null
+++ b/javax/security/auth/Subject.java
@@ -0,0 +1,559 @@
+/* Subject.java -- a single entity in the system.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+import java.io.IOException;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.Serializable;
+
+import java.security.AccessControlContext;
+import java.security.AccessController;
+import java.security.DomainCombiner;
+import java.security.Principal;
+import java.security.PrivilegedAction;
+import java.security.PrivilegedActionException;
+import java.security.PrivilegedExceptionAction;
+
+import java.util.AbstractSet;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.Set;
+
+/**
+ *
+ */
+public final class Subject implements Serializable
+{
+
+  // Fields.
+  // -------------------------------------------------------------------------
+
+  private static final long serialVersionUID = -8308522755600156056L;
+
+  /**
+   * @serial The set of principals. The type of this field is SecureSet, a
+   *  private inner class.
+   */
+  private final Set principals;
+
+  /**
+   * @serial The read-only flag.
+   */
+  private boolean readOnly;
+
+  private transient final SecureSet pubCred;
+  private transient final SecureSet privCred;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public Subject()
+  {
+    principals = new SecureSet (this, SecureSet.PRINCIPALS);
+    pubCred = new SecureSet (this, SecureSet.PUBLIC_CREDENTIALS);
+    privCred = new SecureSet (this, SecureSet.PRIVATE_CREDENTIALS);
+    readOnly = false;
+  }
+
+  public Subject (final boolean readOnly, final Set principals,
+                  final Set pubCred, final Set privCred)
+  {
+    if (principals == null || pubCred == null || privCred == null)
+      {
+        throw new NullPointerException();
+      }
+    this.principals = new SecureSet (this, SecureSet.PRINCIPALS, principals);
+    this.pubCred = new SecureSet (this, SecureSet.PUBLIC_CREDENTIALS, pubCred);
+    this.privCred = new SecureSet (this, SecureSet.PRIVATE_CREDENTIALS, privCred);
+    this.readOnly = readOnly;
+  }
+
+  // Class methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Returns the subject associated with the given {@link
+   * AccessControlContext}.</p>
+   *
+   * <p>All this method does is retrieve the Subject object from the supplied
+   * context's {@link DomainCombiner}, if any, and if it is an instance of
+   * a {@link SubjectDomainCombiner}.
+   *
+   * @param context The context to retrieve the subject from.
+   * @return The subject assoctiated with the context, or <code>null</code>
+   *  if there is none.
+   * @throws NullPointerException If <i>subject</i> is null.
+   * @throws SecurityException If the caller does not have permission to get
+   *  the subject (<code>"getSubject"</code> target of {@link AuthPermission}.
+   */
+  public static Subject getSubject (final AccessControlContext context)
+  {
+    final SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("getSubject"));
+      }
+    DomainCombiner dc = context.getDomainCombiner();
+    if (!(dc instanceof SubjectDomainCombiner))
+      {
+        return null;
+      }
+    return ((SubjectDomainCombiner) dc).getSubject();
+  }
+
+  /**
+   * <p>Run a method as another subject. This method will obtain the current
+   * {@link AccessControlContext} for this thread, then creates another with
+   * a {@link SubjectDomainCombiner} with the given subject. The supplied
+   * action will then be run with the modified context.</p>
+   *
+   * @param subject The subject to run as.
+   * @param action The action to run.
+   * @return The value returned by the privileged action.
+   * @throws SecurityException If the caller is not allowed to run under a
+   *  different identity (<code>"doAs"</code> target of {@link AuthPermission}.
+   */
+  public static Object doAs (final Subject subject, final PrivilegedAction action)
+  {
+    final SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("doAs"));
+      }
+    AccessControlContext context =
+      new AccessControlContext (AccessController.getContext(),
+                                new SubjectDomainCombiner (subject));
+    return AccessController.doPrivileged (action, context);
+  }
+
+  /**
+   * <p>Run a method as another subject. This method will obtain the current
+   * {@link AccessControlContext} for this thread, then creates another with
+   * a {@link SubjectDomainCombiner} with the given subject. The supplied
+   * action will then be run with the modified context.</p>
+   *
+   * @param subject The subject to run as.
+   * @param action The action to run.
+   * @return The value returned by the privileged action.
+   * @throws SecurityException If the caller is not allowed to run under a
+   *  different identity (<code>"doAs"</code> target of {@link AuthPermission}.
+   * @throws PrivilegedActionException If the action throws an exception.
+   */
+  public static Object doAs (final Subject subject,
+                             final PrivilegedExceptionAction action)
+    throws PrivilegedActionException
+  {
+    final SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("doAs"));
+      }
+    AccessControlContext context =
+      new AccessControlContext (AccessController.getContext(),
+                                new SubjectDomainCombiner(subject));
+    return AccessController.doPrivileged (action, context);
+  }
+
+  /**
+   * <p>Run a method as another subject. This method will create a new
+   * {@link AccessControlContext} derived from the given one, with a
+   * {@link SubjectDomainCombiner} with the given subject. The supplied
+   * action will then be run with the modified context.</p>
+   *
+   * @param subject The subject to run as.
+   * @param action The action to run.
+   * @param acc The context to use.
+   * @return The value returned by the privileged action.
+   * @throws SecurityException If the caller is not allowed to run under a
+   *  different identity (<code>"doAsPrivileged"</code> target of {@link
+   *  AuthPermission}.
+   */
+  public static Object doAsPrivileged (final Subject subject,
+                                       final PrivilegedAction action,
+                                       final AccessControlContext acc)
+  {
+    final SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("doAsPrivileged"));
+      }
+    AccessControlContext context =
+      new AccessControlContext (acc, new SubjectDomainCombiner (subject));
+    return AccessController.doPrivileged (action, context);
+  }
+
+  /**
+   * <p>Run a method as another subject. This method will create a new
+   * {@link AccessControlContext} derived from the given one, with a
+   * {@link SubjectDomainCombiner} with the given subject. The supplied
+   * action will then be run with the modified context.</p>
+   *
+   * @param subject The subject to run as.
+   * @param action The action to run.
+   * @param acc The context to use.
+   * @return The value returned by the privileged action.
+   * @throws SecurityException If the caller is not allowed to run under a
+   *  different identity (<code>"doAsPrivileged"</code> target of
+   *  {@link AuthPermission}.
+   * @throws PrivilegedActionException If the action throws an exception.
+   */
+  public static Object doAsPrivileged (final Subject subject,
+                                       final PrivilegedExceptionAction action,
+                                       final AccessControlContext acc)
+    throws PrivilegedActionException
+  {
+    final SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("doAsPrivileged"));
+      }
+    AccessControlContext context =
+      new AccessControlContext (acc, new SubjectDomainCombiner (subject));
+    return AccessController.doPrivileged (action, context);
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  public boolean equals (Object o)
+  {
+    if (!(o instanceof Subject))
+      {
+        return false;
+      }
+    Subject that = (Subject) o;
+    return principals.containsAll (that.getPrincipals()) &&
+      pubCred.containsAll (that.getPublicCredentials()) &&
+      privCred.containsAll (that.getPrivateCredentials());
+  }
+
+  public Set getPrincipals()
+  {
+    return principals;
+  }
+
+  public Set getPrincipals(Class clazz)
+  {
+    HashSet result = new HashSet (principals.size());
+    for (Iterator it = principals.iterator(); it.hasNext(); )
+      {
+        Object o = it.next();
+        if (o != null && clazz.isAssignableFrom (o.getClass()))
+          {
+            result.add(o);
+          }
+      }
+    return Collections.unmodifiableSet (result);
+  }
+
+  public Set getPrivateCredentials()
+  {
+    return privCred;
+  }
+
+  public Set getPrivateCredentials (Class clazz)
+  {
+    HashSet result = new HashSet (privCred.size());
+    for (Iterator it = privCred.iterator(); it.hasNext(); )
+      {
+        Object o = it.next();
+        if (o != null && clazz.isAssignableFrom (o.getClass()))
+          {
+            result.add(o);
+          }
+      }
+    return Collections.unmodifiableSet (result);
+  }
+
+  public Set getPublicCredentials()
+  {
+    return pubCred;
+  }
+
+  public Set getPublicCredentials (Class clazz)
+  {
+    HashSet result = new HashSet (pubCred.size());
+    for (Iterator it = pubCred.iterator(); it.hasNext(); )
+      {
+        Object o = it.next();
+        if (o != null && clazz.isAssignableFrom (o.getClass()))
+          {
+            result.add(o);
+          }
+      }
+    return Collections.unmodifiableSet (result);
+  }
+
+  public int hashCode()
+  {
+    return principals.hashCode() + privCred.hashCode() + pubCred.hashCode();
+  }
+
+  /**
+   * <p>Returns whether or not this subject is read-only.</p>
+   *
+   * @return True is this subject is read-only.
+   */
+  public boolean isReadOnly()
+  {
+    return readOnly;
+  }
+
+  /**
+   * <p>Marks this subject as read-only.</p>
+   *
+   * @throws SecurityException If the caller does not have permission to
+   *  set this subject as read-only (<code>"setReadOnly"</code> target of
+   *  {@link AuthPermission}.
+   */
+  public void setReadOnly()
+  {
+    final SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      {
+        sm.checkPermission (new AuthPermission ("setReadOnly"));
+      }
+    readOnly = true;
+  }
+
+  public String toString()
+  {
+    return Subject.class.getName() + " [ principals=" + principals +
+      ", private credentials=" + privCred + ", public credentials=" +
+      pubCred + ", read-only=" + readOnly + " ]";
+  }
+
+// Inner class.
+  // -------------------------------------------------------------------------
+
+  /**
+   * An undocumented inner class that is used for sets in the parent class.
+   */
+  private static class SecureSet extends AbstractSet implements Serializable
+  {
+
+    // Fields.
+    // -----------------------------------------------------------------------
+
+    private static final long serialVersionUID = 7911754171111800359L;
+
+    static final int PRINCIPALS = 0;
+    static final int PUBLIC_CREDENTIALS = 1;
+    static final int PRIVATE_CREDENTIALS = 2;
+
+    private final Subject subject;
+    private final LinkedList elements;
+    private transient final int type;
+
+    // Constructors.
+    // -----------------------------------------------------------------------
+
+    SecureSet (final Subject subject, final int type, final Collection elements)
+    {
+      this (subject, type);
+      for (Iterator it = elements.iterator(); it.hasNext(); )
+        {
+          Object o = it.next();
+          if (type == PRINCIPALS && !(o instanceof Principal))
+            {
+              throw new IllegalArgumentException(o+" is not a Principal");
+            }
+          if (!elements.contains (o))
+            {
+              elements.add (o);
+            }
+        }
+    }
+
+    SecureSet (final Subject subject, final int type)
+    {
+      this.subject = subject;
+      this.type = type;
+      this.elements = new LinkedList();
+    }
+
+    // Instance methods.
+    // -----------------------------------------------------------------------
+
+    public synchronized int size()
+    {
+      return elements.size();
+    }
+
+    public Iterator iterator()
+    {
+      return elements.iterator();
+    }
+
+    public synchronized boolean add(Object element)
+    {
+      if (subject.isReadOnly())
+        {
+          throw new IllegalStateException ("subject is read-only");
+        }
+      final SecurityManager sm = System.getSecurityManager();
+      switch (type)
+        {
+        case PRINCIPALS:
+          if (sm != null)
+            {
+              sm.checkPermission (new AuthPermission ("modifyPrincipals"));
+            }
+          if (!(element instanceof Principal))
+            {
+              throw new IllegalArgumentException ("element is not a Principal");
+            }
+          break;
+
+        case PUBLIC_CREDENTIALS:
+          if (sm != null)
+            {
+              sm.checkPermission (new AuthPermission ("modifyPublicCredentials"));
+            }
+          break;
+
+        case PRIVATE_CREDENTIALS:
+          if (sm != null)
+            {
+              sm.checkPermission (new AuthPermission ("modifyPrivateCredentials"));
+            }
+          break;
+
+        default:
+          throw new Error ("this statement should be unreachable");
+        }
+
+      if (elements.contains (element))
+        {
+          return false;
+        }
+
+      return elements.add (element);
+    }
+
+    public synchronized boolean remove (final Object element)
+    {
+      if (subject.isReadOnly())
+        {
+          throw new IllegalStateException ("subject is read-only");
+        }
+      final SecurityManager sm = System.getSecurityManager();
+      switch (type)
+        {
+        case PRINCIPALS:
+          if (sm != null)
+            {
+              sm.checkPermission (new AuthPermission ("modifyPrincipals"));
+            }
+          if (!(element instanceof Principal))
+            {
+              throw new IllegalArgumentException ("element is not a Principal");
+            }
+          break;
+
+        case PUBLIC_CREDENTIALS:
+          if (sm != null)
+            {
+              sm.checkPermission (new AuthPermission ("modifyPublicCredentials"));
+            }
+          break;
+
+        case PRIVATE_CREDENTIALS:
+          if (sm != null)
+            {
+              sm.checkPermission (new AuthPermission ("modifyPrivateCredentials"));
+            }
+          break;
+
+        default:
+          throw new Error("this statement should be unreachable");
+        }
+
+      return elements.remove(element);
+    }
+
+    public synchronized boolean contains (final Object element)
+    {
+      return elements.remove (element);
+    }
+
+    public boolean removeAll (final Collection c)
+    {
+      if (subject.isReadOnly())
+        {
+          throw new IllegalStateException ("subject is read-only");
+        }
+      return super.removeAll (c);
+    }
+
+    public boolean retainAll (final Collection c)
+    {
+      if (subject.isReadOnly())
+        {
+          throw new IllegalStateException ("subject is read-only");
+        }
+      return super.retainAll (c);
+    }
+
+    public void clear()
+    {
+      if (subject.isReadOnly())
+        {
+          throw new IllegalStateException ("subject is read-only");
+        }
+      elements.clear();
+    }
+
+    private synchronized void writeObject (ObjectOutputStream out)
+      throws IOException
+    {
+      throw new UnsupportedOperationException ("FIXME: determine serialization");
+    }
+
+    private void readObject (ObjectInputStream in)
+      throws ClassNotFoundException, IOException
+    {
+      throw new UnsupportedOperationException ("FIXME: determine serialization");
+    }
+  }
+}
diff --git a/javax/security/auth/SubjectDomainCombiner.java b/javax/security/auth/SubjectDomainCombiner.java
new file mode 100644
index 000000000..194e1130a
--- /dev/null
+++ b/javax/security/auth/SubjectDomainCombiner.java
@@ -0,0 +1,96 @@
+/* SubjectDomainCombiner.java -- domain combiner for Subjects.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth;
+
+import java.security.DomainCombiner;
+import java.security.Principal;
+import java.security.ProtectionDomain;
+
+import java.util.LinkedList;
+
+public class SubjectDomainCombiner implements DomainCombiner
+{
+
+  // Field.
+  // -------------------------------------------------------------------------
+
+  private final Subject subject;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  public SubjectDomainCombiner (final Subject subject)
+  {
+    this.subject = subject;
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  public ProtectionDomain[] combine (final ProtectionDomain[] current,
+                                     final ProtectionDomain[] assigned)
+  {
+    LinkedList domains = new LinkedList();
+    Principal[] principals =
+      (Principal[]) subject.getPrincipals().toArray (new Principal[0]);
+    if (current != null)
+      {
+        for (int i = 0; i < current.length; i++)
+          {
+            domains.add (new ProtectionDomain (current[i].getCodeSource(),
+                                               current[i].getPermissions(),
+                                               current[i].getClassLoader(),
+                                               principals));
+          }
+      }
+    if (assigned != null)
+      {
+        for (int i = 0; i < assigned.length; i++)
+          {
+            domains.add (assigned[i]);
+          }
+      }
+    return (ProtectionDomain[]) domains.toArray (new ProtectionDomain[domains.size()]);
+  }
+
+  public Subject getSubject()
+  {
+    return subject;
+  }
+}
diff --git a/javax/security/auth/callback/Callback.java b/javax/security/auth/callback/Callback.java
new file mode 100644
index 000000000..655ad3348
--- /dev/null
+++ b/javax/security/auth/callback/Callback.java
@@ -0,0 +1,65 @@
+/* Callback.java -- marker interface for callback classes
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+/**
+ * <p>Implementations of this interface are passed to a {@link CallbackHandler},
+ * allowing underlying security services the ability to interact with a calling
+ * application to retrieve specific authentication data such as usernames and
+ * passwords, or to display certain information, such as error and warning
+ * messages.</p>
+ *
+ * <p><code>Callback</code> implementations do not retrieve or display the
+ * information requested by underlying security services. <code>Callback</code>
+ * implementations simply provide the means to pass such requests to
+ * applications, and for applications, if appropriate, to return requested
+ * information back to the underlying security services.</p>
+ *
+ * @see CallbackHandler
+ * @see ChoiceCallback
+ * @see ConfirmationCallback
+ * @see LanguageCallback
+ * @see NameCallback
+ * @see PasswordCallback
+ * @see TextInputCallback
+ * @see TextOutputCallback
+ * @version $Revision: 1.1 $
+ */
+public interface Callback {
+}
diff --git a/javax/security/auth/callback/CallbackHandler.java b/javax/security/auth/callback/CallbackHandler.java
new file mode 100644
index 000000000..289999c5e
--- /dev/null
+++ b/javax/security/auth/callback/CallbackHandler.java
@@ -0,0 +1,156 @@
+/* CallbackHandler.java -- base interface for callback handlers.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.IOException;
+
+/**
+ * <p>An application implements a <code>CallbackHandler</code> and passes it to
+ * underlying security services so that they may interact with the application
+ * to retrieve specific authentication data, such as usernames and passwords, or
+ * to display certain information, such as error and warning messages.</p>
+ *
+ * <p><code>CallbackHandler</code>s are implemented in an application-dependent
+ * fashion. For example, implementations for an application with a graphical
+ * user interface (GUI) may pop up windows to prompt for requested information
+ * or to display error messages. An implementation may also choose to obtain
+ * requested information from an alternate source without asking the end user.</p>
+ *
+ * <p>Underlying security services make requests for different types of
+ * information by passing individual Callbacks to the <code>CallbackHandler</code>.
+ * The <code>CallbackHandler</code> implementation decides how to retrieve and
+ * display information depending on the {@link Callback}s passed to it. For
+ * example, if the underlying service needs a username and password to
+ * authenticate a user, it uses a {@link NameCallback} and
+ * {@link PasswordCallback}. The <code>CallbackHandler</code> can then choose
+ * to prompt for a username and password serially, or to prompt for both in a
+ * single window.</p>
+ *
+ * <p>A default <code>CallbackHandler</code> class implementation may be
+ * specified in the <code>auth.login.defaultCallbackHandler</code> security
+ * property. The security property can be set in the Java security properties
+ * file located in the file named
+ * <code>&lt;JAVA_HOME>/lib/security/java.security</code>, where
+ * <code>&lt;JAVA_HOME></code> refers to the directory where the SDK was
+ * installed.</p>
+ *
+ * <p>If the security property is set to the fully qualified name of a
+ * <code>CallbackHandler</code> implementation class, then a
+ * <code>LoginContext</code>will load the specified <code>CallbackHandler</code>
+ * and pass it to the underlying <code>LoginModules</code>. The
+ * <code>LoginContext</code> only loads the default handler if one was not
+ * provided.</p>
+ *
+ * <p>All default handler implementations must provide a public zero-argument
+ * constructor.</p>
+ *
+ * @version $Revision: 1.1 $
+ */
+public interface CallbackHandler
+{
+
+  /**
+   * <p>Retrieve or display the information requested in the provided
+   * {@link Callback}s.</p>
+   *
+   * <p>The <code>handle()</code> method implementation checks the instance(s)
+   * of the {@link Callback} object(s) passed in to retrieve or display the
+   * requested information. The following example is provided to help
+   * demonstrate what an <code>handle()</code> method implementation might look
+   * like. This example code is for guidance only. Many details, including
+   * proper error handling, are left out for simplicity.</p>
+   *
+   * <pre>
+   *public void handle(Callback[] callbacks)
+   *throws IOException, UnsupportedCallbackException {
+   *   for (int i = 0; i < callbacks.length; i++) {
+   *      if (callbacks[i] instanceof TextOutputCallback) {
+   *         // display the message according to the specified type
+   *         TextOutputCallback toc = (TextOutputCallback)callbacks[i];
+   *         switch (toc.getMessageType()) {
+   *         case TextOutputCallback.INFORMATION:
+   *            System.out.println(toc.getMessage());
+   *            break;
+   *         case TextOutputCallback.ERROR:
+   *            System.out.println("ERROR: " + toc.getMessage());
+   *            break;
+   *         case TextOutputCallback.WARNING:
+   *            System.out.println("WARNING: " + toc.getMessage());
+   *            break;
+   *         default:
+   *            throw new IOException("Unsupported message type: "
+   *                  + toc.getMessageType());
+   *         }
+   *      } else if (callbacks[i] instanceof NameCallback) {
+   *         // prompt the user for a username
+   *         NameCallback nc = (NameCallback)callbacks[i];
+   *         // ignore the provided defaultName
+   *         System.err.print(nc.getPrompt());
+   *         System.err.flush();
+   *         nc.setName((new BufferedReader(
+   *               new InputStreamReader(System.in))).readLine());
+   *      } else if (callbacks[i] instanceof PasswordCallback) {
+   *         // prompt the user for sensitive information
+   *         PasswordCallback pc = (PasswordCallback)callbacks[i];
+   *         System.err.print(pc.getPrompt());
+   *         System.err.flush();
+   *         pc.setPassword(readPassword(System.in));
+   *      } else {
+   *         throw new UnsupportedCallbackException(
+   *               callbacks[i], "Unrecognized Callback");
+   *      }
+   *   }
+   *}
+   *
+   * // Reads user password from given input stream.
+   *private char[] readPassword(InputStream in) throws IOException {
+   *   // insert code to read a user password from the input stream
+   *}
+   * </pre>
+   *
+   * @param callbacks an array of {@link Callback} objects provided by an
+   * underlying security service which contains the information requested to
+   * be retrieved or displayed.
+   * @throws IOException if an input or output error occurs.
+   * @throws UnsupportedCallbackException if the implementation of this method
+   * does not support one or more of the Callbacks specified in the
+   * <code>callbacks</code> parameter.
+   */
+  void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException;
+}
diff --git a/javax/security/auth/callback/ChoiceCallback.java b/javax/security/auth/callback/ChoiceCallback.java
new file mode 100644
index 000000000..44b5ffcba
--- /dev/null
+++ b/javax/security/auth/callback/ChoiceCallback.java
@@ -0,0 +1,237 @@
+/* ChoiceCallback.java -- callback for a choice of values.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+
+/**
+ * Underlying security services instantiate and pass a
+ * <code>ChoiceCallback</code> to the <code>handle()</code> method of a
+ * {@link CallbackHandler} to display a list of choices and to retrieve the
+ * selected choice(s).
+ *
+ * @see CallbackHandler
+ * @version $Revision: 1.1 $
+ */
+public class ChoiceCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String prompt;
+
+  /**
+   * @serial the list of choices.
+   * @since 1.4
+   */
+  private String[] choices;
+
+  /**
+   * @serial the choice to be used as the default choice.
+   * @since 1.4
+   */
+  private int defaultChoice;
+
+  /**
+   * @serial whether multiple selections are allowed from the list of choices.
+   * @since 1.4
+   */
+  private boolean multipleSelectionsAllowed;
+
+  /**
+   * @serial the selected choices, represented as indexes into the choices list.
+   * @since 1.4
+   */
+  private int[] selections;
+
+  // Constructor(s)
+  //--------------------------------------------------------------------------
+
+  /**
+   * Construct a <code>ChoiceCallback</code> with a prompt, a list of choices,
+   * a default choice, and a boolean specifying whether or not multiple
+   * selections from the list of choices are allowed.
+   *
+   * @param prompt the prompt used to describe the list of choices.
+   * @param choices the list of choices.
+   * @param defaultChoice the choice to be used as the default choice when the
+   * list of choices are displayed. This value is represented as an index into
+   * the <code>choices</code> array.
+   * @param multipleSelectionsAllowed boolean specifying whether or not
+   * multiple selections can be made from the list of choices.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>,
+   * if <code>prompt</code> has a length of <code>0</code>, if <code>choices</code>
+   * is <code>null</code>, if <code>choices</code> has a length of <code>0</code>,
+   * if any element from <code>choices</code> is <code>null</code>, if any
+   * element from <code>choices</code> has a length of <code>0</code> or if
+   * <code>defaultChoice</code> does not fall within the array boundaries of
+   * <code>choices</code>.
+   */
+  public ChoiceCallback(String prompt, String[] choices, int defaultChoice,
+			boolean multipleSelectionsAllowed)
+  {
+    super();
+
+    setPrompt(prompt);
+    setChoices(choices);
+    if (defaultChoice < 0 || defaultChoice >= this.choices.length)
+      {
+	throw new IllegalArgumentException("default choice is out of bounds");
+      }
+    this.defaultChoice = defaultChoice;
+    this.multipleSelectionsAllowed = multipleSelectionsAllowed;
+  }
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Get the prompt.
+   *
+   * @return the prompt.
+   */
+  public String getPrompt()
+  {
+    return prompt;
+  }
+
+  /**
+   * Get the list of choices.
+   *
+   * @return the list of choices.
+   */
+  public String[] getChoices()
+  {
+    return choices;
+  }
+
+  /**
+   * Get the defaultChoice.
+   *
+   * @return the defaultChoice, represented as an index into the choices list.
+   */
+  public int getDefaultChoice()
+  {
+    return defaultChoice;
+  }
+
+  /**
+   * Get the boolean determining whether multiple selections from the choices
+   * list are allowed.
+   *
+   * @return whether multiple selections are allowed.
+   */
+  public boolean allowMultipleSelections()
+  {
+    return multipleSelectionsAllowed;
+  }
+
+  /**
+   * Set the selected choice.
+   *
+   * @param selection the selection represented as an index into the choices
+   * list.
+   * @see #getSelectedIndexes()
+   */
+  public void setSelectedIndex(int selection)
+  {
+    this.selections = new int[1];
+    this.selections[0] = selection;
+  }
+
+  /**
+   * Set the selected choices.
+   *
+   * @param selections the selections represented as indexes into the choices
+   * list.
+   * @throws UnsupportedOperationException if multiple selections are not
+   * allowed, as determined by <code>allowMultipleSelections</code>.
+   * @see #getSelectedIndexes()
+   */
+  public void setSelectedIndexes(int[] selections)
+  {
+    if (!multipleSelectionsAllowed)
+      {
+	throw new UnsupportedOperationException("not allowed");
+      }
+
+    this.selections = selections;
+  }
+
+  /**
+   * Get the selected choices.
+   *
+   * @return the selected choices, represented as indexes into the choices list.
+   * @see #setSelectedIndexes(int[])
+   */
+  public int[] getSelectedIndexes()
+  {
+    return selections;
+  }
+
+  private void setPrompt(String prompt) throws IllegalArgumentException
+  {
+    if ((prompt == null) || (prompt.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid prompt");
+      }
+    this.prompt = prompt;
+  }
+
+  private void setChoices(String[] choices) throws IllegalArgumentException
+  {
+    if (choices == null || choices.length == 0)
+      {
+	throw new IllegalArgumentException("invalid choices");
+      }
+    for (int i = 0; i < choices.length; i++)
+      {
+	if (choices[i] == null || choices[i].length() == 0)
+	  {
+	    throw new IllegalArgumentException("invalid choice at index #"+i);
+	  }
+      }
+    this.choices = choices;
+  }
+}
diff --git a/javax/security/auth/callback/ConfirmationCallback.java b/javax/security/auth/callback/ConfirmationCallback.java
new file mode 100644
index 000000000..8abd393f5
--- /dev/null
+++ b/javax/security/auth/callback/ConfirmationCallback.java
@@ -0,0 +1,506 @@
+/* ConfirmationCallback.java -- callback for confirmations.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+
+/**
+ * Underlying security services instantiate and pass a
+ * <code>ConfirmationCallback</code> to the <code>handle()</code> method of a
+ * {@link CallbackHandler} to ask for YES/NO, OK/CANCEL, YES/NO/CANCEL or other
+ * similar confirmations.
+ *
+ * @see CallbackHandler
+ * @version $Revision: 1.1 $
+ */
+public class ConfirmationCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Unspecified option type.</p>
+   *
+   * <p>The <code>getOptionType</code> method returns this value if this
+   * <code>ConfirmationCallback</code> was instantiated with <code>options</code>
+   * instead of an <code>optionType</code>.</p>
+   */
+  public static final int UNSPECIFIED_OPTION = -1;
+
+  /**
+   * <p>YES/NO confirmation option.</p>
+   *
+   * <p>An underlying security service specifies this as the <code>optionType</code>
+   * to a <code>ConfirmationCallback</code> constructor if it requires a
+   * confirmation which can be answered with either <code>YES</code> or
+   * <code>NO</code>.</p>
+   */
+  public static final int YES_NO_OPTION = 0;
+
+  /**
+   * <p>YES/NO/CANCEL confirmation confirmation option.</p>
+   *
+   * <p>An underlying security service specifies this as the <code>optionType</code>
+   * to a <code>ConfirmationCallback</code> constructor if it requires a
+   * confirmation which can be answered with either <code>YES</code>,
+   * <code>NO</code> or <code>CANCEL</code>.
+   */
+  public static final int YES_NO_CANCEL_OPTION = 1;
+
+  /**
+   * <p>OK/CANCEL confirmation confirmation option.</p>
+   *
+   * <p>An underlying security service specifies this as the <code>optionType</code>
+   * to a <code>ConfirmationCallback</code> constructor if it requires a
+   * confirmation which can be answered with either <code>OK</code> or
+   * <code>CANCEL</code>.</p>
+   */
+  public static final int OK_CANCEL_OPTION = 2;
+
+  /**
+   * <p>YES option.</p>
+   *
+   * <p>If an <code>optionType</code> was specified to this
+   * <code>ConfirmationCallback</code>, this option may be specified as a
+   * <code>defaultOption</code> or returned as the selected index.</p>
+   */
+  public static final int YES = 0;
+
+  /**
+   * <p>NO option.</p>
+   *
+   * <p>If an <code>optionType</code> was specified to this
+   * <code>ConfirmationCallback</code>, this option may be specified as a
+   * <code>defaultOption</code> or returned as the selected index.</p>
+   */
+  public static final int NO = 1;
+
+  /**
+   * <p>CANCEL option.</p>
+   *
+   * <p>If an <code>optionType</code> was specified to this
+   * <code>ConfirmationCallback</code>, this option may be specified as a
+   * <code>defaultOption</code> or returned as the selected index.</p>
+   */
+  public static final int CANCEL = 2;
+
+  /**
+   * <p>OK option.</p>
+   *
+   * <p>If an <code>optionType</code> was specified to this
+   * <code>ConfirmationCallback</code>, this option may be specified as a
+   * <code>defaultOption</code> or returned as the selected index.</p>
+   */
+  public static final int OK = 3;
+
+  /** INFORMATION message type. */
+  public static final int INFORMATION = 0;
+
+  /** WARNING message type. */
+  public static final int WARNING = 1;
+
+  /** ERROR message type. */
+  public static final int ERROR = 2;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String prompt;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private int messageType;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private int optionType;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private int defaultOption;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String[] options = null;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private int selection;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Construct a <code>ConfirmationCallback</code> with a message type, an
+   * option type and a default option.</p>
+   *
+   * <p>Underlying security services use this constructor if they require
+   * either a YES/NO, YES/NO/CANCEL or OK/CANCEL confirmation.</p>
+   *
+   * @param messageType the message type (INFORMATION, WARNING or ERROR).
+   * @param optionType the option type (YES_NO_OPTION, YES_NO_CANCEL_OPTION or
+   * OK_CANCEL_OPTION).
+   * @param defaultOption the default option from the provided optionType (YES,
+   * NO, CANCEL or OK).
+   * @throws IllegalArgumentException if <code>messageType</code> is not either
+   * <code>INFORMATION</code>, <code>WARNING</code>, or <code>ERROR</code>, if
+   * <code>optionType</code> is not either <code>YES_NO_OPTION</code>,
+   * <code>YES_NO_CANCEL_OPTION</code>, or <code>OK_CANCEL_OPTION</code>, or if
+   * <code>defaultOption</code> does not correspond to one of the options in
+   * <code>optionType</code>.
+   */
+  public ConfirmationCallback(int messageType, int optionType, int defaultOption)
+    throws IllegalArgumentException
+  {
+    super();
+
+    setMessageType(messageType);
+    setOptionType(optionType, defaultOption);
+    this.defaultOption = defaultOption;
+  }
+
+  /**
+   * <p>Construct a <code>ConfirmationCallback</code> with a message type, a
+   * list of options and a default option.</p>
+   *
+   * <p>Underlying security services use this constructor if they require a
+   * confirmation different from the available preset confirmations provided
+   * (for example, CONTINUE/ABORT or STOP/GO). The confirmation options are
+   * listed in the <code>options</code> array, and are displayed by the
+   * {@link CallbackHandler} implementation in a manner consistent with the
+   * way preset options are displayed.</p>
+   *
+   * @param messageType the message type (INFORMATION, WARNING or ERROR).
+   * @param options the list of confirmation options.
+   * @param defaultOption the default option, represented as an index into the
+   * <code>options</code> array.
+   * @throws IllegalArgumentException if <code>messageType</code> is not either
+   * <code>INFORMATION</code>, <code>WARNING</code>, or <code>ERROR</code>, if
+   * <code>options</code> is <code>null</code>, if <code>options</code> has a
+   * length of <code>0</code>, if any element from <code>options</code> is
+   * <code>null</code>, if any element from <code>options</code> has a length
+   * of <code>0</code>, or if <code>defaultOption</code> does not lie within
+   * the array boundaries of <code>options</code>.
+   */
+  public ConfirmationCallback(int messageType, String[] options, int defaultOption)
+  {
+    super();
+
+    setMessageType(messageType);
+    setOptions(options, defaultOption);
+    this.defaultOption = defaultOption;
+  }
+
+  /**
+   * <p>Construct a <code>ConfirmationCallback</code> with a prompt, message
+   * type, an option type and a default option.</p>
+   *
+   * <p>Underlying security services use this constructor if they require
+   * either a YES/NO, YES/NO/CANCEL or OK/CANCEL confirmation.</p>
+   *
+   * @param prompt the prompt used to describe the list of options.
+   * @param messageType the message type (INFORMATION, WARNING or ERROR).
+   * @param optionType the option type (YES_NO_OPTION, YES_NO_CANCEL_OPTION or
+   * OK_CANCEL_OPTION).
+   * @param defaultOption the default option from the provided optionType (YES,
+   * NO, CANCEL or OK).
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>,
+   * if <code>prompt</code> has a length of <code>0</code>, if
+   * <code>messageType</code> is not either <ode>INFORMATION</code>,
+   * <code>WARNING</code>, or <code>ERROR</code>, if <code>optionType</code> is
+   * not either <code>YES_NO_OPTION</code>, <code>YES_NO_CANCEL_OPTION</code>,
+   * or <code>OK_CANCEL_OPTION</code>, or if <code>defaultOption</code> does
+   * not correspond to one of the options in <code>optionType</code>.
+   */
+  public ConfirmationCallback(String prompt, int messageType, int optionType,
+			      int defaultOption)
+  {
+    super();
+
+    setPrompt(prompt);
+    setMessageType(messageType);
+    setOptionType(optionType, defaultOption);
+    this.defaultOption = defaultOption;
+  }
+
+  /**
+   * <p>Construct a <code>ConfirmationCallback</code> with a prompt, message
+   * type, a list of options and a default option.</p>
+   *
+   * <p>Underlying security services use this constructor if they require a
+   * confirmation different from the available preset confirmations provided
+   * (for example, CONTINUE/ABORT or STOP/GO). The confirmation options are
+   * listed in the <code>options</code> array, and are displayed by the
+   * {@link CallbackHandler} implementation in a manner consistent with the
+   * way preset options are displayed.</p>
+   *
+   * @param prompt the prompt used to describe the list of options.
+   * @param messageType the message type (INFORMATION, WARNING or ERROR).
+   * @param options the list of confirmation options.
+   * @param defaultOption the default option, represented as an index into the
+   * <code>options</code> array.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>,
+   * if <code>prompt</code> has a length of <code>0</code>, if
+   * <code>messageType</code> is not either <ode>INFORMATION</code>,
+   * <code>WARNING</code>, or <code>ERROR</code>, if <code>options</code> is
+   * <code>null</code>, if <code>options</code> has a length of <code>0</code>,
+   * if any element from <code>options</code> is <code>null</code>, if any
+   * element from <code>options</code> has a length of <code>0</code>, or if
+   * <code>defaultOption</code> does not lie within the array boundaries of
+   * <code>options</code>.
+   */
+  public ConfirmationCallback(String prompt, int messageType, String[] options,
+			      int defaultOption)
+  {
+    super();
+
+    setPrompt(prompt);
+    setMessageType(messageType);
+    setOptions(options, defaultOption);
+    this.defaultOption = defaultOption;
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Get the prompt.
+   *
+   * @return the prompt, or <code>null</code> if this
+   * <code>ConfirmationCallback</code> was instantiated without a prompt.
+   */
+  public String getPrompt()
+  {
+    return prompt;
+  }
+
+  /**
+   * Get the message type.
+   *
+   * @return the message type (INFORMATION, WARNING or ERROR).
+   */
+  public int getMessageType()
+  {
+    return messageType;
+  }
+
+  /**
+   * <p>Get the option type.</p>
+   *
+   * <p>If this method returns {@link #UNSPECIFIED_OPTION}, then this
+   * <code>ConfirmationCallback</code> was instantiated with <code>options</code>
+   * instead of an <code>optionType</code>. In this case, invoke the
+   * {@link #getOptions()} method to determine which confirmation options to
+   * display.</p>
+   *
+   * @return the option type (YES_NO_OPTION, YES_NO_CANCEL_OPTION or
+   * OK_CANCEL_OPTION), or UNSPECIFIED_OPTION if this
+   * <code>ConfirmationCallback</code> was instantiated with <code>options</code>
+   * instead of an <code>optionType</code>.
+   */
+  public int getOptionType()
+  {
+    if (options != null)
+      {
+	return UNSPECIFIED_OPTION;
+      }
+    return optionType;
+  }
+
+  /**
+   * Get the confirmation options.
+   *
+   * @return the list of confirmation options, or <code>null</code> if this
+   * <code>ConfirmationCallback</code> was instantiated with an
+   * <code>optionType</code> instead of <code>options</code>.
+   */
+  public String[] getOptions()
+  {
+    return options;
+  }
+
+  /**
+   * Get the default option.
+   *
+   * @return the default option, represented as <code>YES</code>, <code>NO</code>,
+   * <code>OK</code> or <code>CANCEL</code> if an <code>optionType</code> was
+   * specified to the constructor of this <code>ConfirmationCallback</code>.
+   * Otherwise, this method returns the default option as an index into the
+   * <code>options</code> array specified to the constructor of this
+   * <code>ConfirmationCallback</code>.
+   */
+  public int getDefaultOption()
+  {
+    return defaultOption;
+  }
+
+  /**
+   * Set the selected confirmation option.
+   *
+   * @param selection the selection represented as <code>YES</code>,
+   * <code>NO</code>, <code>OK</code> or <code>CANCEL</code> if an
+   * <code>optionType</code> was specified to the constructor of this
+   * <code>ConfirmationCallback</code>. Otherwise, the <code>selection</code>
+   * represents the index into the <code>options</code> array specified to the
+   * constructor of this <code>ConfirmationCallback</code>.
+   * @see #getSelectedIndex()
+   */
+  public void setSelectedIndex(int selection)
+  {
+    if (options != null)
+      {
+	setOptions(options, selection);
+      }
+    else
+      {
+	setOptionType(optionType, selection);
+      }
+  }
+
+  /**
+   * Get the selected confirmation option.
+   *
+   * @return the selected confirmation option represented as <code>YES</code>,
+   * <code>NO</code>, <code>OK</code> or <code>CANCEL</code> if an
+   * <code>optionType</code> was specified to the constructor of this
+   * <code>ConfirmationCallback</code>. Otherwise, this method returns the
+   * selected confirmation option as an index into the <code>options</code>
+   * array specified to the constructor of this <code>ConfirmationCallback</code>.
+   * @see #setSelectedIndex(int)
+   */
+  public int getSelectedIndex()
+  {
+    return this.selection;
+  }
+
+  private void setMessageType(int messageType) throws IllegalArgumentException
+  {
+    switch (messageType)
+      {
+      case INFORMATION:
+      case WARNING:
+      case ERROR: this.messageType = messageType; break;
+      default: throw new IllegalArgumentException("illegal message type");
+      }
+  }
+
+  private void setOptionType(int optionType, int selectedOption)
+    throws IllegalArgumentException
+  {
+    switch (optionType)
+      {
+      case YES_NO_OPTION:
+	this.optionType = optionType;
+	switch (selectedOption)
+	  {
+	  case YES:
+	  case NO: this.selection = selectedOption; break;
+	  default: throw new IllegalArgumentException("invalid option");
+	  }
+	break;
+      case YES_NO_CANCEL_OPTION:
+	this.optionType = optionType;
+	switch (selectedOption)
+	  {
+	  case YES:
+	  case NO:
+	  case CANCEL: this.selection = selectedOption; break;
+	  default: throw new IllegalArgumentException("invalid option");
+	  }
+	break;
+      case OK_CANCEL_OPTION:
+	this.optionType = optionType;
+	switch (selectedOption)
+	  {
+	  case OK:
+	  case CANCEL: this.selection = selectedOption; break;
+	  default: throw new IllegalArgumentException("invalid option");
+	  }
+	break;
+      default:
+	throw new IllegalArgumentException("illegal option type");
+      }
+  }
+
+  private void setOptions(String[] options, int selectedOption)
+    throws IllegalArgumentException
+  {
+    if ((selectedOption < 0) || (selectedOption > options.length - 1))
+      {
+	throw new IllegalArgumentException("invalid selection");
+      }
+    if ((options == null) || (options.length == 0))
+      {
+	throw new IllegalArgumentException("options is null or empty");
+      }
+    for (int i = 0; i < options.length; i++)
+      {
+	if ((options[i] == null) || (options[i].length() == 0))
+	  {
+	    throw new IllegalArgumentException("options[" + i + "] is null or empty");
+	  }
+      }
+    this.options = options;
+    this.selection = selectedOption;
+  }
+
+  private void setPrompt(String prompt) throws IllegalArgumentException
+  {
+    if ((prompt == null) || (prompt.length() == 0))
+      {
+	throw new IllegalArgumentException("prompt is null or empty");
+      }
+    this.prompt = prompt;
+  }
+}
diff --git a/javax/security/auth/callback/LanguageCallback.java b/javax/security/auth/callback/LanguageCallback.java
new file mode 100644
index 000000000..71910632b
--- /dev/null
+++ b/javax/security/auth/callback/LanguageCallback.java
@@ -0,0 +1,101 @@
+/* LanguageCallback.java -- callback for language choices.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+import java.util.Locale;
+
+/**
+ * Underlying security services instantiate and pass a <code>LanguageCallback</code>
+ * to the <code>handle()</code> method of a {@link CallbackHandler} to retrieve
+ * the {@link Locale} used for localizing text.
+ *
+ * @see CallbackHandler
+ * @version $Revision: 1.1 $
+ */
+public class LanguageCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private Locale locale;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /** Construct a <code>LanguageCallback</code>. */
+  public LanguageCallback()
+  {
+    super();
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Set the retrieved Locale.
+   *
+   * @param locale the retrieved Locale.
+   * @see #getLocale()
+   */
+  public void setLocale(Locale locale)
+  {
+    this.locale = locale;
+  }
+
+  /**
+   * Get the retrieved Locale.
+   *
+   * @return the retrieved Locale, or <code>null</code> if no Locale could be
+   * retrieved.
+   * @see #setLocale(Locale)
+   */
+  public Locale getLocale()
+  {
+    return locale;
+  }
+}
diff --git a/javax/security/auth/callback/NameCallback.java b/javax/security/auth/callback/NameCallback.java
new file mode 100644
index 000000000..c98edfdbe
--- /dev/null
+++ b/javax/security/auth/callback/NameCallback.java
@@ -0,0 +1,179 @@
+/* NameCallback.java -- callback for user names.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+
+/**
+ * Underlying security services instantiate and pass a <code>NameCallback</code>
+ * to the <code>handle()</code> method of a {@link CallbackHandler} to retrieve
+ * name information.
+ *
+ * @see CallbackHandler
+ * @version $Revision: 1.1 $
+ */
+public class NameCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String prompt;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String defaultName;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String inputName;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Construct a <code>NameCallback</code> with a prompt.
+   *
+   * @param prompt the prompt used to request the name.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or if <code>prompt</code> has a length of <code>0</code>.
+   */
+  public NameCallback(String prompt)
+  {
+    super();
+
+    setPrompt(prompt);
+  }
+
+  /**
+   * Construct a <code>NameCallback</code> with a prompt and default name.
+   *
+   * @param prompt the prompt used to request the information.
+   * @param defaultName the name to be used as the default name displayed with
+   * the prompt.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or if <code>prompt</code> has a length of <code>0</code>, if
+   * <code>defaultName</code> is <code>null</code>, or if <code>defaultName</code>
+   * has a length of <code>0</code>.
+   */
+  public NameCallback(String prompt, String defaultName)
+    throws IllegalArgumentException
+  {
+    super();
+
+    setPrompt(prompt);
+    setDefaultName(defaultName);
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Get the prompt.
+   *
+   * @return the prompt.
+   */
+  public String getPrompt()
+  {
+    return prompt;
+  }
+
+  /**
+   * Get the default name.
+   *
+   * @return the default name, or <code>null</code> if this
+   * <code>NameCallback</code> was not instantiated with a
+   * <code>defaultName</code>.
+   */
+  public String getDefaultName()
+  {
+    return defaultName;
+  }
+
+  /**
+   * Set the retrieved name.
+   *
+   * @param name the retrieved name (which may be <code>null</code>).
+   * @see #getName()
+   */
+  public void setName(String name)
+  {
+    this.inputName = name;
+  }
+
+  /**
+   * Get the retrieved name.
+   *
+   * @return the retrieved name (which may be <code>null</code>)
+   * @see #setName(String)
+   */
+  public String getName()
+  {
+    return inputName;
+  }
+
+  private void setPrompt(String prompt) throws IllegalArgumentException
+  {
+    if ((prompt == null) || (prompt.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid prompt");
+      }
+    this.prompt = prompt;
+  }
+
+  private void setDefaultName(String defaultName) throws IllegalArgumentException
+  {
+    if ((defaultName == null) || (defaultName.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid default name");
+      }
+    this.defaultName = defaultName;
+  }
+}
diff --git a/javax/security/auth/callback/PasswordCallback.java b/javax/security/auth/callback/PasswordCallback.java
new file mode 100644
index 000000000..5620bc5cd
--- /dev/null
+++ b/javax/security/auth/callback/PasswordCallback.java
@@ -0,0 +1,169 @@
+/* PasswordCallback.java -- callback for passwords.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+
+/**
+ * Underlying security services instantiate and pass a <code>PasswordCallback</code>
+ * to the <code>handle()</code> method of a {@link CallbackHandler} to retrieve
+ * password information.
+ *
+ * @see CallbackHandler,
+ * @version $Revision: 1.1 $
+ */
+public class PasswordCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String prompt;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private boolean echoOn;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private char[] inputPassword;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Construct a <code>PasswordCallback</code> with a prompt and a boolean
+   * specifying whether the password should be displayed as it is being typed.
+   *
+   * @param prompt the prompt used to request the password.
+   * @param echoOn <code>true</code> if the password should be displayed as it
+   * is being typed.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or if <code>prompt</code> has a length of <code>0</code>.
+   */
+  public PasswordCallback(String prompt, boolean echoOn)
+  {
+    super();
+
+    setPrompt(prompt);
+    this.echoOn = echoOn;
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Get the prompt.
+   *
+   * @return the prompt.
+   */
+  public String getPrompt()
+  {
+    return prompt;
+  }
+
+  /**
+   * Return whether the password should be displayed as it is being typed.
+   *
+   * @return the whether the password should be displayed as it is being typed.
+   */
+  public boolean isEchoOn()
+  {
+    return echoOn;
+  }
+
+  /**
+   * <p>Set the retrieved password.</p>
+   *
+   * <p>This method makes a copy of the input password before storing it.</p>
+   *
+   * @param password the retrieved password, which may be <code>null</code>.
+   * @see #getPassword()
+   */
+  public void setPassword(char[] password)
+  {
+    inputPassword = (password == null ? null : (char[]) password.clone());
+  }
+
+  /**
+   * <p>Get the retrieved password.</p>
+   *
+   * <p>This method returns a copy of the retrieved password.</p>
+   *
+   * @return the retrieved password, which may be <code>null</code>.
+   * @see #setPassword(char[])
+   */
+  public char[] getPassword()
+  {
+    return (inputPassword == null ? null : (char[]) inputPassword.clone());
+  }
+
+  /** Clear the retrieved password. */
+  public void clearPassword()
+  {
+    if (inputPassword != null)
+      {
+	for (int i = 0; i < inputPassword.length; i++)
+	  {
+	    inputPassword[i] = '\0';
+	  }
+	inputPassword = null;
+      }
+  }
+
+  private void setPrompt(String prompt) throws IllegalArgumentException
+  {
+    if ((prompt == null) || (prompt.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid prompt");
+      }
+    this.prompt = prompt;
+  }
+}
diff --git a/javax/security/auth/callback/TextInputCallback.java b/javax/security/auth/callback/TextInputCallback.java
new file mode 100644
index 000000000..55c1aa253
--- /dev/null
+++ b/javax/security/auth/callback/TextInputCallback.java
@@ -0,0 +1,178 @@
+/* TextInputCallback.java -- callbacks for user input.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+
+/**
+ * Underlying security services instantiate and pass a <code>TextInputCallback</code>
+ * to the <code>handle()</code> method of a {@link CallbackHandler} to retrieve
+ * generic text information.
+ *
+ * @see CallbackHandler
+ * @version $Revision: 1.1 $
+ */
+public class TextInputCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String prompt;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String defaultText;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String inputText;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Construct a <code>TextInputCallback</code> with a prompt.
+   *
+   * @param prompt the prompt used to request the information.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or if <code>prompt</code> has a length of <code>0</code>.
+   */
+  public TextInputCallback(String prompt) throws IllegalArgumentException
+  {
+    super();
+
+    setPrompt(prompt);
+  }
+
+  /**
+   * Construct a <code>TextInputCallback</code> with a prompt and default
+   * input value.
+   *
+   * @param prompt the prompt used to request the information.
+   * @param defaultText the text to be used as the default text displayed with
+   * the prompt.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>,
+   * if <code>prompt</code> has a length of <code>0</code>, if
+   * <code>defaultText</code> is <code>null</code> or if <code>defaultText</code>
+   * has a length of <code>0</code>.
+   */
+  public TextInputCallback(String prompt, String defaultText)
+    throws IllegalArgumentException
+  {
+    super();
+
+    setPrompt(prompt);
+    setDefaultText(defaultText);
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Get the prompt.
+   *
+   * @return the prompt.
+   */
+  public String getPrompt()
+  {
+    return prompt;
+  }
+
+  /**
+   * Get the default text.
+   *
+   * @return the default text, or <code>null</code> if this
+   * <code>TextInputCallback</code> was not instantiated with
+   * <code>defaultText</code>.
+   */
+  public String getDefaultText()
+  {
+    return defaultText;
+  }
+
+  /**
+   * Set the retrieved text.
+   *
+   * @param text the retrieved text, which may be <code>null</code>.
+   */
+  public void setText(String text)
+  {
+    this.inputText = text;
+  }
+
+  /**
+   * Get the retrieved text.
+   *
+   * @return the retrieved text, which may be <code>null</code>.
+   */
+  public String getText()
+  {
+    return inputText;
+  }
+
+  private void setPrompt(String prompt) throws IllegalArgumentException
+  {
+    if ((prompt == null) || (prompt.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid prompt");
+      }
+    this.prompt = prompt;
+  }
+
+  private void setDefaultText(String defaultText) throws IllegalArgumentException
+  {
+    if ((defaultText == null) || (defaultText.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid default text");
+      }
+    this.defaultText = defaultText;
+  }
+}
diff --git a/javax/security/auth/callback/TextOutputCallback.java b/javax/security/auth/callback/TextOutputCallback.java
new file mode 100644
index 000000000..fac08874d
--- /dev/null
+++ b/javax/security/auth/callback/TextOutputCallback.java
@@ -0,0 +1,141 @@
+/* TextOutputCallback.java -- callback for text output.
+   Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+import java.io.Serializable;
+
+/**
+ * <p>Underlying security services instantiate and pass a
+ * <code>TextOutputCallback</code> to the <code>handle()</code> method of a
+ * {@link CallbackHandler} to display information messages, warning messages and
+ * error messages.</p>
+ *
+ * @see CallbackHandler
+ * @version $Revision: 1.1 $
+ */
+public class TextOutputCallback implements Callback, Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /** Information message */
+  public static final int INFORMATION = 0;
+
+  /** Warning message */
+  public static final int WARNING = 1;
+
+  /** Error message */
+  public static final int ERROR = 2;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private int messageType;
+
+  /**
+   * @serial
+   * @since 1.4
+   */
+  private String message;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Construct a <code>TextOutputCallback</code> with a message type and
+   * message to be displayed.</p>
+   *
+   * @param messageType the message type (INFORMATION, WARNING or ERROR).
+   * @param message the message to be displayed.
+   * @throws IllegalArgumentException if <code>messageType</code> is not either
+   * <code>INFORMATION</code>, <code>WARNING</code> or <code>ERROR</code>, if
+   * <code>message</code> is <code>null</code>, or if <code>message</code> has
+   * a length of <code>0</code>.
+   */
+  public TextOutputCallback(int messageType, String message)
+    throws IllegalArgumentException
+  {
+    switch (messageType)
+      {
+      case INFORMATION:
+      case WARNING:
+      case ERROR: this.messageType = messageType; break;
+      default: throw new IllegalArgumentException("invalid message type");
+      }
+
+    setMessage(message);
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Returns the message's <code>messageType</code>.</p>
+   *
+   * @return the message type (INFORMATION, WARNING or ERROR).
+   */
+  public int getMessageType()
+  {
+    return messageType;
+  }
+
+  /**
+   * <p>Returns the <code>message</code> to be displayed.</p>
+   *
+   * @return the message to be displayed.
+   */
+  public String getMessage()
+  {
+    return message;
+  }
+
+  private void setMessage(String message) throws IllegalArgumentException
+  {
+    if ((message == null) || (message.length() == 0))
+      {
+	throw new IllegalArgumentException("invalid message");
+      }
+    this.message = message;
+  }
+}
diff --git a/javax/security/auth/callback/UnsupportedCallbackException.java b/javax/security/auth/callback/UnsupportedCallbackException.java
new file mode 100644
index 000000000..215942c40
--- /dev/null
+++ b/javax/security/auth/callback/UnsupportedCallbackException.java
@@ -0,0 +1,102 @@
+/* UnsupportedCallbackException.java -- signals an unsupported callback type.
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.callback;
+
+/**
+ * Signals that a {@link CallbackHandler} does not recognize a particular
+ * {@link Callback}.
+ *
+ * @version $Revision: 1.1 $
+ */
+public class UnsupportedCallbackException extends Exception
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /** @serial */
+  private Callback callback;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Constructs an <code>UnsupportedCallbackException</code> with no detail
+   * message.
+   *
+   * @param callback the unrecognized {@link Callback}.
+   */
+  public UnsupportedCallbackException(Callback callback)
+  {
+    super();
+
+    this.callback = callback;
+  }
+
+  /**
+   * Constructs an <code>UnsupportedCallbackException</code> with the specified
+   * detail message. A detail message is a {@link String} that describes this
+   * particular exception.
+   *
+   * @param callback the unrecognized {@link Callback}.
+   * @param msg the detail message.
+   */
+  public UnsupportedCallbackException(Callback callback, String msg)
+  {
+    super(msg);
+
+    this.callback = callback;
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Get the unrecognized {@link Callback}.
+   *
+   * @return the unrecognized {@link Callback}.
+   */
+  public Callback getCallback()
+  {
+    return this.callback;
+  }
+}
diff --git a/javax/security/auth/login/AccountExpiredException.java b/javax/security/auth/login/AccountExpiredException.java
new file mode 100644
index 000000000..e8e331347
--- /dev/null
+++ b/javax/security/auth/login/AccountExpiredException.java
@@ -0,0 +1,64 @@
+/* AccountExpiredException.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+/**
+ * An exception that signals that an attempt was made to login to an account
+ * that has expired.
+ */
+public class AccountExpiredException extends LoginException
+{
+
+  // Constant.
+  // -------------------------------------------------------------------------
+
+  private static final long serialVersionUID = -6064064890162661560L;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public AccountExpiredException()
+  {
+  }
+
+  public AccountExpiredException (String message)
+  {
+    super (message);
+  }
+}
diff --git a/javax/security/auth/login/AppConfigurationEntry.java b/javax/security/auth/login/AppConfigurationEntry.java
new file mode 100644
index 000000000..1879a68c1
--- /dev/null
+++ b/javax/security/auth/login/AppConfigurationEntry.java
@@ -0,0 +1,135 @@
+/* AppConfigurationEntry.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+public class AppConfigurationEntry
+{
+
+  // Fields.
+  // -------------------------------------------------------------------------
+
+  private final String loginModuleName;
+  private final LoginModuleControlFlag controlFlag;
+  private final Map options;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  public AppConfigurationEntry (final String loginModuleName,
+                                final LoginModuleControlFlag controlFlag,
+                                final Map options)
+  {
+    if (loginModuleName == null || loginModuleName.length() == 0)
+      throw new IllegalArgumentException ("module name cannot be null nor empty");
+    if (LoginModuleControlFlag.OPTIONAL != controlFlag &&
+        LoginModuleControlFlag.REQUIRED != controlFlag &&
+        LoginModuleControlFlag.REQUISITE != controlFlag &&
+        LoginModuleControlFlag.SUFFICIENT != controlFlag)
+      throw new IllegalArgumentException ("invalid controlFlag");
+    if (options == null)
+      throw new IllegalArgumentException ("options cannot be null");
+    this.loginModuleName = loginModuleName;
+    this.controlFlag = controlFlag;
+    this.options = Collections.unmodifiableMap (new HashMap (options));
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  public LoginModuleControlFlag getControlFlag()
+  {
+    return controlFlag;
+  }
+
+  public String getLoginModuleName()
+  {
+    return loginModuleName;
+  }
+
+  public Map getOptions()
+  {
+    return options;
+  }
+
+// Inner class.
+  // -------------------------------------------------------------------------
+
+  public static class LoginModuleControlFlag
+  {
+
+    // Constants.
+    // -----------------------------------------------------------------------
+
+    public static final LoginModuleControlFlag OPTIONAL = new LoginModuleControlFlag();
+    public static final LoginModuleControlFlag REQUIRED = new LoginModuleControlFlag();
+    public static final LoginModuleControlFlag REQUISITE = new LoginModuleControlFlag();
+    public static final LoginModuleControlFlag SUFFICIENT = new LoginModuleControlFlag();
+
+    // Constructor.
+    // -----------------------------------------------------------------------
+
+    private LoginModuleControlFlag()
+    {
+    }
+
+    // Instance methods.
+    // -----------------------------------------------------------------------
+
+    public String toString()
+    {
+      StringBuffer buf = new StringBuffer (LoginModuleControlFlag.class.getName());
+      buf.append ('.');
+      if (this == OPTIONAL)
+        buf.append ("OPTIONAL");
+      else if (this == REQUIRED)
+        buf.append ("REQUIRED");
+      else if (this == REQUISITE)
+        buf.append ("REQUISITE");
+      else if (this == SUFFICIENT)
+        buf.append ("SUFFICIENT");
+      else
+        buf.append ("HARVEY_THE_RABBIT");
+      return buf.toString();
+    }
+  }
+}
diff --git a/javax/security/auth/login/Configuration.java b/javax/security/auth/login/Configuration.java
new file mode 100644
index 000000000..4a55013ca
--- /dev/null
+++ b/javax/security/auth/login/Configuration.java
@@ -0,0 +1,109 @@
+/* Configuration.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.Security;
+
+import javax.security.auth.AuthPermission;
+
+public abstract class Configuration
+{
+
+  // Fields.
+  // -------------------------------------------------------------------------
+
+  private static Configuration config;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  protected Configuration()
+  {
+  }
+
+  // Class methods.
+  // -------------------------------------------------------------------------
+
+  public static synchronized Configuration getConfiguration()
+  {
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      sm.checkPermission (new AuthPermission ("getLoginConfiguration"));
+    if (config == null)
+      {
+        String conf = (String) AccessController.doPrivileged
+          (new PrivilegedAction()
+            {
+              public Object run()
+              {
+                return Security.getProperty ("login.configuration.provider");
+              }
+            });
+        try
+          {
+            if (conf != null)
+              config = (Configuration) Class.forName (conf).newInstance();
+            else
+              config = new NullConfiguration();
+          }
+        catch (Exception x)
+          {
+            config = new NullConfiguration();
+          }
+      }
+    return config;
+  }
+
+  public static synchronized void setConfiguration (Configuration config)
+  {
+    SecurityManager sm = System.getSecurityManager();
+    if (sm != null)
+      sm.checkPermission (new AuthPermission ("setLoginConfiguration"));
+    Configuration.config = config;
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  public abstract AppConfigurationEntry[] getAppConfigurationEntry (String applicationName);
+
+  public abstract void refresh();
+}
diff --git a/javax/security/auth/login/CredentialExpiredException.java b/javax/security/auth/login/CredentialExpiredException.java
new file mode 100644
index 000000000..df643ba69
--- /dev/null
+++ b/javax/security/auth/login/CredentialExpiredException.java
@@ -0,0 +1,64 @@
+/* CredentialExpiredException.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+/**
+ * An exception that signals an attempt to login with a credential that
+ * has expired.
+ */
+public class CredentialExpiredException extends LoginException
+{
+
+  // Constant.
+  // -------------------------------------------------------------------------
+
+  private static final long serialVersionUID = -5344739593859737937L;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public CredentialExpiredException()
+  {
+  }
+
+  public CredentialExpiredException (String message)
+  {
+    super (message);
+  }
+}
diff --git a/javax/security/auth/login/FailedLoginException.java b/javax/security/auth/login/FailedLoginException.java
new file mode 100644
index 000000000..384ade084
--- /dev/null
+++ b/javax/security/auth/login/FailedLoginException.java
@@ -0,0 +1,63 @@
+/* FailedLoginException.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+/**
+ * An exception that signals that an attempt to login was unsuccessful.
+ */
+public class FailedLoginException extends LoginException
+{
+
+  // Constant.
+  // -------------------------------------------------------------------------
+
+  private static final long serialVersionUID = 802556922354616286L;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public FailedLoginException()
+  {
+  }
+
+  public FailedLoginException (String message)
+  {
+    super (message);
+  }
+}
diff --git a/javax/security/auth/login/LoginContext.java b/javax/security/auth/login/LoginContext.java
new file mode 100644
index 000000000..da88e8412
--- /dev/null
+++ b/javax/security/auth/login/LoginContext.java
@@ -0,0 +1,44 @@
+/* LoginContext.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+public class LoginContext
+{
+
+}
diff --git a/javax/security/auth/login/LoginException.java b/javax/security/auth/login/LoginException.java
new file mode 100644
index 000000000..878120381
--- /dev/null
+++ b/javax/security/auth/login/LoginException.java
@@ -0,0 +1,65 @@
+/* LoginException.java
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * A general exception during authentication and authorization.
+ */
+public class LoginException extends GeneralSecurityException
+{
+
+  // Constant.
+  // -------------------------------------------------------------------------
+
+  private static final long serialVersionUID = -4679091624035232488L;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public LoginException()
+  {
+  }
+
+  public LoginException (String message)
+  {
+    super (message);
+  }
+}
diff --git a/javax/security/auth/login/NullConfiguration.java b/javax/security/auth/login/NullConfiguration.java
new file mode 100644
index 000000000..e1c99037f
--- /dev/null
+++ b/javax/security/auth/login/NullConfiguration.java
@@ -0,0 +1,64 @@
+/* NullConfiguration.java -- no-op default login configuration.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.login;
+
+import javax.security.auth.AuthPermission;
+
+final class NullConfiguration extends Configuration
+{
+
+  // Contructor.
+  // -------------------------------------------------------------------------
+
+  NullConfiguration()
+  {
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  public AppConfigurationEntry[] getAppConfigurationEntry (String applicationName)
+  {
+    return null;
+  }
+
+  public void refresh()
+  {
+  }
+}
diff --git a/javax/security/auth/x500/X500Principal.java b/javax/security/auth/x500/X500Principal.java
index 6c7e79ee7..201a195cb 100644
--- a/javax/security/auth/x500/X500Principal.java
+++ b/javax/security/auth/x500/X500Principal.java
@@ -7,7 +7,7 @@ GNU Classpath is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation; either version 2, or (at your option)
 any later version.
- 
+
 GNU Classpath is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
@@ -38,16 +38,38 @@ exception statement from your version. */
 
 package javax.security.auth.x500;
 
-import gnu.java.security.x509.X500DistinguishedName;
+import gnu.java.security.OID;
+import gnu.java.security.der.BitString;
+import gnu.java.security.der.DER;
+import gnu.java.security.der.DEREncodingException;
+import gnu.java.security.der.DERReader;
+import gnu.java.security.der.DERValue;
 
+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.EOFException;
 import java.io.NotActiveException;
 import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
+import java.io.Reader;
 import java.io.Serializable;
+import java.io.StringReader;
+
 import java.security.Principal;
 
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.Map;
+import java.util.Set;
+import java.util.TreeMap;
+
 public final class X500Principal implements Principal, Serializable
 {
   private static final long serialVersionUID = -500463348111345721L;
@@ -56,44 +78,66 @@ public final class X500Principal implements Principal, Serializable
   // ------------------------------------------------------------------------
 
   public static final String CANONICAL = "CANONICAL";
-
   public static final String RFC1779 = "RFC1779";
-
   public static final String RFC2253 = "RFC2253";
 
-  private transient X500DistinguishedName name;
+  private static final OID CN         = new OID("2.5.4.3");
+  private static final OID C          = new OID("2.5.4.6");
+  private static final OID L          = new OID("2.5.4.7");
+  private static final OID ST         = new OID("2.5.4.8");
+  private static final OID STREET     = new OID("2.5.4.9");
+  private static final OID O          = new OID("2.5.4.10");
+  private static final OID OU         = new OID("2.5.4.11");
+  private static final OID DC         = new OID("0.9.2342.19200300.100.1.25");
+  private static final OID UID        = new OID("0.9.2342.19200300.100.1.1");
+
+  private transient List components;
+  private transient Map currentRdn;
+  private transient boolean fixed;
+  private transient byte[] encoded;
 
   // Constructors.
   // ------------------------------------------------------------------------
 
-  public X500Principal(String name)
+  private X500Principal()
   {
-    if (name == null)
-      throw new NullPointerException();
-    this.name = new X500DistinguishedName(name);
+    components = new LinkedList();
+    currentRdn = new LinkedHashMap();
+    components.add (currentRdn);
   }
 
-  public X500Principal(byte[] encoded)
+  public X500Principal (String name)
   {
+    this();
+    if (name == null)
+      throw new NullPointerException();
     try
       {
-        name = new X500DistinguishedName(encoded);
+        parseString (name);
       }
     catch (IOException ioe)
       {
-        throw new IllegalArgumentException(ioe.toString());
+        IllegalArgumentException iae = new IllegalArgumentException("malformed name");
+        iae.initCause (ioe);
+        throw iae;
       }
   }
 
-  public X500Principal(InputStream encoded)
+  public X500Principal (byte[] encoded)
   {
+    this(new ByteArrayInputStream (encoded));
+  }
+
+  public X500Principal (InputStream encoded)
+  {
+    this();
     try
       {
-        name = new X500DistinguishedName(encoded);
+        parseDer (encoded);
       }
     catch (IOException ioe)
       {
-        throw new IllegalArgumentException(ioe.toString());
+        throw new IllegalArgumentException (ioe.toString());
       }
   }
 
@@ -102,42 +146,389 @@ public final class X500Principal implements Principal, Serializable
 
   public boolean equals(Object o)
   {
-    return ((X500Principal) o).name.equals(name);
+    if (!(o instanceof X500Principal))
+      return false;
+    if (size() != ((X500Principal) o).size())
+      return false;
+    for (int i = 0; i < size(); i++)
+      {
+        Map m = (Map) components.get (i);
+        for (Iterator it2 = m.entrySet().iterator(); it2.hasNext(); )
+          {
+            Map.Entry e = (Map.Entry) it2.next();
+            OID oid = (OID) e.getKey();
+            String v1 = (String) e.getValue();
+            String v2 = ((X500Principal) o).getComponent (oid, i);
+            if (v2 == null)
+              return false;
+            if (!compressWS (v1).equalsIgnoreCase (compressWS (v2)))
+              return false;
+          }
+      }
+    return true;
   }
 
   public byte[] getEncoded()
   {
-    return name.getEncoded();
+    if (encoded == null)
+      encodeDer();
+    return (byte[]) encoded.clone();
   }
 
   public String getName()
   {
-    return getName(RFC2253);
+    return getName (RFC2253);
+  }
+
+  public String getName (final String format)
+  {
+    boolean rfc2253 = RFC2253.equalsIgnoreCase (format) ||
+      CANONICAL.equalsIgnoreCase (format);
+    boolean rfc1779 = RFC1779.equalsIgnoreCase (format);
+    boolean canon   = CANONICAL.equalsIgnoreCase (format);
+    if (! (rfc2253 || rfc1779 || canon))
+      throw new IllegalArgumentException ("unsupported format " + format);
+    StringBuffer str = new StringBuffer();
+    for (Iterator it = components.iterator(); it.hasNext(); )
+      {
+        Map m = (Map) it.next();
+        for (Iterator it2 = m.entrySet().iterator(); it2.hasNext(); )
+          {
+            Map.Entry entry = (Map.Entry) it2.next();
+            OID oid = (OID) entry.getKey();
+            String value = (String) entry.getValue();
+            if (oid.equals (CN))
+              str.append ("CN");
+            else if (oid.equals (C))
+              str.append ("C");
+            else if (oid.equals (L))
+              str.append ("L");
+            else if (oid.equals (ST))
+              str.append ("ST");
+            else if (oid.equals (STREET))
+              str.append ("STREET");
+            else if (oid.equals (O))
+              str.append ("O");
+            else if (oid.equals (OU))
+              str.append ("OU");
+            else if (oid.equals (DC) && rfc2253)
+              str.append ("DC");
+            else if (oid.equals ("UID") && rfc2253)
+              str.append ("UID");
+            else
+              str.append (oid.toString());
+            str.append('=');
+            str.append(value);
+            if (it2.hasNext())
+              str.append('+');
+          }
+        if (it.hasNext())
+          str.append(',');
+      }
+    if (canon)
+      return str.toString().toUpperCase (Locale.US).toLowerCase (Locale.US);
+    return str.toString();
   }
 
-  public String getName(String format)
+  public String toString()
   {
-    if (format.equalsIgnoreCase(RFC2253))
-      return name.toRFC2253();
-    else if (format.equalsIgnoreCase(RFC1779))
-      return name.toRFC1779();
-    else if (format.equalsIgnoreCase(CANONICAL))
-      return name.toCanonical();
-    throw new IllegalArgumentException("unsupported format " + format);
+    return getName (RFC2253);
   }
 
   // Serialization methods.
   // ------------------------------------------------------------------------
 
-  private void writeObject(ObjectOutputStream out) throws IOException
+  private void writeObject (ObjectOutputStream out) throws IOException
   {
-    out.writeObject(name.getEncoded());
+    if (encoded != null)
+      encodeDer();
+    out.writeObject (encoded);
   }
 
-  private void readObject(ObjectInputStream in)
+  private void readObject (ObjectInputStream in)
     throws IOException, NotActiveException, ClassNotFoundException
   {
     byte[] buf = (byte[]) in.readObject();
-    name = new X500DistinguishedName(buf);
+    parseDer (new ByteArrayInputStream (buf));
+  }
+
+  // Own methods.
+  // -------------------------------------------------------------------------
+
+  private int size()
+  {
+    return components.size();
+  }
+
+  private String getComponent(OID oid, int rdn)
+  {
+    if (rdn >= size())
+      return null;
+    return (String) ((Map) components.get (rdn)).get (oid);
+  }
+
+  private void encodeDer()
+  {
+    ArrayList name = new ArrayList(components.size());
+    for (Iterator it = components.iterator(); it.hasNext(); )
+      {
+        Map m = (Map) it.next();
+        if (m.isEmpty())
+          continue;
+        Set rdn = new HashSet();
+        for (Iterator it2 = m.entrySet().iterator(); it2.hasNext(); )
+          {
+            Map.Entry e = (Map.Entry) it.next();
+            ArrayList atav = new ArrayList(2);
+            atav.add(new DERValue(DER.OBJECT_IDENTIFIER, e.getKey()));
+            atav.add(new DERValue(DER.UTF8_STRING, e.getValue()));
+            rdn.add(new DERValue(DER.SEQUENCE|DER.CONSTRUCTED, atav));
+          }
+        name.add(new DERValue(DER.SET|DER.CONSTRUCTED, rdn));
+      }
+    DERValue val = new DERValue(DER.SEQUENCE|DER.CONSTRUCTED, name);
+    encoded = val.getEncoded();
+  }
+
+  private int sep;
+
+  private void parseString(String str) throws IOException
+  {
+    Reader in = new StringReader(str);
+    while (true)
+      {
+        String key = readAttributeType(in);
+        if (key == null)
+          break;
+        String value = readAttributeValue(in);
+        putComponent(key, value);
+        if (sep == ',')
+          newRelativeDistinguishedName();
+      }
+  }
+
+  private String readAttributeType(Reader in) throws IOException
+  {
+    StringBuffer buf = new StringBuffer();
+    int ch;
+    while ((ch = in.read()) != '=')
+      {
+        if (ch == -1)
+          {
+            if (buf.length() > 0)
+              throw new EOFException();
+            return null;
+          }
+        if (ch > 127)
+          throw new IOException("Invalid char: " + (char) ch);
+        if (Character.isLetterOrDigit((char) ch) || ch == '-' || ch == '.')
+          buf.append((char) ch);
+        else
+          throw new IOException("Invalid char: " + (char) ch);
+      }
+    return buf.toString();
+  }
+
+  private String readAttributeValue(Reader in) throws IOException
+  {
+    StringBuffer buf = new StringBuffer();
+    int ch = in.read();
+    if (ch == '#')
+      {
+        while (true)
+          {
+            ch = in.read();
+            if (('a' <= ch && ch <= 'f') || ('A' <= ch && ch <= 'F')
+                || Character.isDigit((char) ch))
+              buf.append((char) ch);
+            else if (ch == '+' || ch == ',')
+              {
+                sep = ch;
+                String hex = buf.toString();
+                return new String(toByteArray(hex));
+              }
+            else
+              throw new IOException("illegal character: " + (char) ch);
+          }
+      }
+    else if (ch == '"')
+      {
+        while (true)
+          {
+            ch = in.read();
+            if (ch == '"')
+              break;
+            else if (ch == '\\')
+              {
+                ch = in.read();
+                if (ch == -1)
+                  throw new EOFException();
+                if (('a' <= ch && ch <= 'f') || ('A' <= ch && ch <= 'F')
+                    || Character.isDigit((char) ch))
+                  {
+                    int i = Character.digit((char) ch, 16) << 4;
+                    ch = in.read();
+                    if (!(('a' <= ch && ch <= 'f') || ('A' <= ch && ch <= 'F')
+                          || Character.isDigit((char) ch)))
+                      throw new IOException("illegal hex char");
+                    i |= Character.digit((char) ch, 16);
+                    buf.append((char) i);
+                  }
+                else
+                  buf.append((char) ch);
+              }
+            else
+              buf.append((char) ch);
+          }
+        sep = in.read();
+        if (sep != '+' || sep != ',')
+          throw new IOException("illegal character: " + (char) ch);
+        return buf.toString();
+      }
+    else
+      {
+        while (true)
+          {
+            switch (ch)
+              {
+              case '+':
+              case ',':
+                sep = ch;
+                return buf.toString();
+              case '\\':
+                ch = in.read();
+                if (ch == -1)
+                  throw new EOFException();
+                if (('a' <= ch && ch <= 'f') || ('A' <= ch && ch <= 'F')
+                    || Character.isDigit((char) ch))
+                  {
+                    int i = Character.digit((char) ch, 16) << 4;
+                    ch = in.read();
+                    if (!(('a' <= ch && ch <= 'f') || ('A' <= ch && ch <= 'F')
+                          || Character.isDigit((char) ch)))
+                      throw new IOException("illegal hex char");
+                    i |= Character.digit((char) ch, 16);
+                    buf.append((char) i);
+                  }
+                else
+                  buf.append((char) ch);
+                break;
+              case '=':
+              case '<':
+              case '>':
+              case '#':
+              case ';':
+                throw new IOException("illegal character: " + (char) ch);
+              case -1:
+                throw new EOFException();
+              default:
+                buf.append((char) ch);
+              }
+          }
+      }
+  }
+
+  private void parseDer (InputStream encoded) throws IOException
+  {
+    DERReader der = new DERReader (encoded);
+    DERValue name = der.read();
+    if (!name.isConstructed())
+      throw new IOException ("malformed Name");
+    this.encoded = name.getEncoded();
+    int len = 0;
+    while (len < name.getLength())
+      {
+        DERValue rdn = der.read();
+        if (!rdn.isConstructed())
+          throw new IOException ("badly formed RDNSequence");
+        int len2 = 0;
+        while (len2 < rdn.getLength())
+          {
+            DERValue atav = der.read();
+            if (!atav.isConstructed())
+              throw new IOException ("badly formed AttributeTypeAndValue");
+            DERValue val = der.read();
+            if (val.getTag() != DER.OBJECT_IDENTIFIER)
+              throw new IOException ("badly formed AttributeTypeAndValue");
+            OID oid = (OID) val.getValue();
+            val = der.read();
+            if (!(val.getValue() instanceof String))
+              throw new IOException ("badly formed AttributeTypeAndValue");
+            String value = (String) val.getValue();
+            putComponent(oid, value);
+            len2 += atav.getEncodedLength();
+          }
+        len += rdn.getEncodedLength();
+        if (len < name.getLength())
+          newRelativeDistinguishedName();
+      }
+  }
+
+  private void newRelativeDistinguishedName()
+  {
+    currentRdn = new LinkedHashMap();
+    components.add(currentRdn);
+  }
+
+  private void putComponent(OID oid, String value)
+  {
+    currentRdn.put(oid, value);
+  }
+
+  private void putComponent(String name, String value)
+  {
+    name = name.trim().toLowerCase();
+    if (name.equals("cn"))
+      putComponent(CN, value);
+    else if (name.equals("c"))
+      putComponent(C, value);
+    else if (name.equals("l"))
+      putComponent(L, value);
+    else if (name.equals("street"))
+      putComponent(STREET, value);
+    else if (name.equals("st"))
+      putComponent(ST, value);
+    else if (name.equals("dc"))
+      putComponent(DC, value);
+    else if (name.equals("uid"))
+      putComponent(UID, value);
+    else
+      putComponent(new OID(name), value);
+  }
+
+  private static String compressWS(String str)
+  {
+    StringBuffer buf = new StringBuffer();
+    char lastChar = 0;
+    for (int i = 0; i < str.length(); i++)
+      {
+        char c = str.charAt(i);
+        if (Character.isWhitespace(c))
+          {
+            if (!Character.isWhitespace(lastChar))
+              buf.append(' ');
+          }
+        else
+          buf.append(c);
+        lastChar = c;
+      }
+    return buf.toString().trim();
+  }
+
+  private static byte[] toByteArray (String str)
+  {
+    int limit = str.length();
+    byte[] result = new byte[((limit + 1) / 2)];
+    int i = 0, j = 0;
+    if ((limit % 2) == 1)
+      {
+        result[j++] = (byte) Character.digit (str.charAt(i++), 16);
+      }
+    while (i < limit)
+      {
+        result[j  ]  = (byte) (Character.digit (str.charAt(i++), 16) << 4);
+        result[j++] |= (byte)  Character.digit (str.charAt(i++), 16);
+      }
+    return result;
   }
 }
diff --git a/javax/security/auth/x500/X500PrivateCredential.java b/javax/security/auth/x500/X500PrivateCredential.java
new file mode 100644
index 000000000..fb3a5ef40
--- /dev/null
+++ b/javax/security/auth/x500/X500PrivateCredential.java
@@ -0,0 +1,148 @@
+/* X500PrivateCredential.java -- certificate and private key pair.
+   Copyright (C) 2003 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.auth.x500;
+
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+import javax.security.auth.Destroyable;
+
+/**
+ * A pairing of a {@link X509Certificate} and its corresponding {@link
+ * PrivateKey}, with an optional keystore alias.
+ */
+public final class X500PrivateCredential implements Destroyable
+{
+
+  // Fields.
+  // -------------------------------------------------------------------------
+
+  private PrivateKey key;
+  private X509Certificate certificate;
+  private String alias;
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Creates a new private credential with no associated keystore alias.
+   *
+   * @param certificate The X.509 certificate.
+   * @param key The private key.
+   * @throws IllegalArgumentException If either parameter is null.
+   */
+  public X500PrivateCredential (X509Certificate certificate, PrivateKey key)
+  {
+    if (certificate == null || key == null)
+      throw new IllegalArgumentException();
+    this.certificate = certificate;
+    this.key = key;
+  }
+
+  /**
+   * Creates a new private credential with a keystore alias.
+   *
+   * @param certificate The X.509 certificate.
+   * @param key The private key.
+   * @param alias The keystore alias for this credential.
+   * @throws IllegalArgumentException If any parameter is null.
+   */
+  public X500PrivateCredential (X509Certificate certificate, PrivateKey key,
+                                String alias)
+  {
+    this (certificate, key);
+    if (alias == null)
+      throw new IllegalArgumentException();
+    this.alias = alias;
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns the certificate of this credential.
+   *
+   * @return The certificate of this credential.
+   */
+  public X509Certificate getCertificate()
+  {
+    return certificate;
+  }
+
+  /**
+   * Returns the private key of this credential.
+   *
+   * @return The private key of this credential.
+   */
+  public PrivateKey getPrivateKey()
+  {
+    return key;
+  }
+
+  /**
+   * Returns the keystore alias of this credential, or null if not present.
+   *
+   * @return The keystore alias, or null.
+   */
+  public String getAlias()
+  {
+    return alias;
+  }
+
+  /**
+   * Destroy the sensitive data of this credential, setting the certificate,
+   * private key, and keystore alias to null.
+   */
+  public void destroy()
+  {
+    certificate = null;
+    key = null;
+    alias = null;
+  }
+
+  /**
+   * Tells whether or not this credential has been destroyed, and that
+   * the certificate and private key fields are null.
+   *
+   * @return True if this object has been destroyed.
+   */
+  public boolean isDestroyed()
+  {
+    return certificate == null && key == null;
+  }
+}
diff --git a/javax/security/cert/Certificate.java b/javax/security/cert/Certificate.java
new file mode 100644
index 000000000..8090817fc
--- /dev/null
+++ b/javax/security/cert/Certificate.java
@@ -0,0 +1,176 @@
+/* Certificate.java -- base class of public-key certificates.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.SignatureException;
+
+import java.util.Arrays;
+import java.util.zip.Adler32;
+
+/**
+ * <p>The base class for public-key certificates.</p>
+ *
+ * <p><b>This class is deprecated in favor of the {@link
+ * java.security.cert.Certificate} class. It should not be used in new
+ * applications.</b></p>
+ */
+public abstract class Certificate
+{
+
+  // Constructors.
+  // -------------------------------------------------------------------------
+
+  public Certificate()
+  {
+    super();
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Tests if this certificate equals another.</p>
+   *
+   * @param other The object to test.
+   * @return True if the certificates are equal.
+   */
+  public boolean equals(Object other)
+  {
+    if (other == null || !(other instanceof Certificate))
+      {
+        return false;
+      }
+    if (other == this)
+      {
+        return true;
+      }
+    try
+      {
+        return Arrays.equals(getEncoded(), ((Certificate) other).getEncoded());
+      }
+    catch (CertificateEncodingException cee)
+      {
+        return false;
+      }
+  }
+
+  /**
+   * <p>Computes a hash code for this certificate.</p>
+   *
+   * @return The hash code.
+   */
+  public int hashCode()
+  {
+    try
+      {
+        Adler32 csum = new Adler32();
+        csum.update(getEncoded());
+        return (int) csum.getValue();
+      }
+    catch (CertificateEncodingException cee)
+      {
+        return 0;
+      }
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Return the encoded form of this certificate.</p>
+   *
+   * @return The encoded form.
+   * @throws CertificateEncodingException If the certificate could not be
+   *   encoded.
+   */
+  public abstract byte[] getEncoded() throws CertificateEncodingException;
+
+  /**
+   * <p>Verifies the signature of this certificate.</p>
+   *
+   * @param key The signer's public key.
+   * @throws CertificateException
+   * @throws NoSuchAlgorithmException If the algorithm used to sign the
+   *   certificate is not available.
+   * @throws InvalidKeyException If the supplied key is not appropriate for the
+   *   certificate's signature algorithm.
+   * @throws NoSuchProviderException
+   * @throws SignatureException If the signature could not be verified.
+   */
+  public abstract void verify(PublicKey key)
+    throws CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+           NoSuchProviderException, SignatureException;
+
+  /**
+   * <p>Verifies the signature of this certificate, using the specified security
+   * provider.</p>
+   *
+   * @param key The signer's public key.
+   * @param sigProvider The name of the signature provider.
+   * @throws CertificateException
+   * @throws NoSuchAlgorithmException If the algorithm used to sign the
+   *   certificate is not available.
+   * @throws InvalidKeyException If the supplied key is not appropriate for the
+   *   certificate's signature algorithm.
+   * @throws NoSuchProviderException If <i>sigProvider</i> is not the name of an
+   *   installed provider.
+   * @throws SignatureException If the signature could not be verified.
+   */
+  public abstract void verify(PublicKey key, String sigProvider)
+    throws CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+           NoSuchProviderException, SignatureException;
+
+  /**
+   * <p>Returns a printable representation of this certificate.</p>
+   *
+   * @return The string.
+   */
+  public abstract String toString();
+
+  /**
+   * <p>Returns this certificate's public key.</p>
+   *
+   * @return The public key.
+   */
+  public abstract PublicKey getPublicKey();
+}
diff --git a/javax/security/cert/CertificateEncodingException.java b/javax/security/cert/CertificateEncodingException.java
new file mode 100644
index 000000000..81c85dd9f
--- /dev/null
+++ b/javax/security/cert/CertificateEncodingException.java
@@ -0,0 +1,60 @@
+/* CertificateEncodingException.java -- certificate encoding exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+/**
+ * <p>Signals a problem when encoding certificates.</p>
+ *
+ * <p><b>This class is deprecated in favor of the {@link
+ * java.security.cert.CertificateEncodingException} class. It should not be used
+ * in new applications.</b></p>
+ */
+public class CertificateEncodingException extends CertificateException
+{
+
+  public CertificateEncodingException()
+  {
+    super();
+  }
+
+  public CertificateEncodingException(String msg)
+  {
+    super(msg);
+  }
+}
diff --git a/javax/security/cert/CertificateException.java b/javax/security/cert/CertificateException.java
new file mode 100644
index 000000000..4e79a3120
--- /dev/null
+++ b/javax/security/cert/CertificateException.java
@@ -0,0 +1,60 @@
+/* CertificateException.java -- certificate exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+/**
+ * <p>Signals a generic problem with certificates.</p>
+ *
+ * <p><b>This class is deprecated in favor of the {@link
+ * java.security.cert.CertificateException} class. It should not be used in new
+ * applications.</b></p>
+ */
+public class CertificateException extends Exception
+{
+
+  public CertificateException()
+  {
+    super();
+  }
+
+  public CertificateException(String msg)
+  {
+    super(msg);
+  }
+}
diff --git a/javax/security/cert/CertificateExpiredException.java b/javax/security/cert/CertificateExpiredException.java
new file mode 100644
index 000000000..53b0cc007
--- /dev/null
+++ b/javax/security/cert/CertificateExpiredException.java
@@ -0,0 +1,60 @@
+/* CertificateExpiredException.java -- certificate expired exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+/**
+ * <p>Signals that a certificate has expired.</p>
+ *
+ * <p><b>This class is deprecated in favor of the {@link
+ * java.security.cert.CertificateExpiredException} class. It should not be used
+ * in new applications.</b></p>
+ */
+public class CertificateExpiredException extends CertificateException
+{
+
+  public CertificateExpiredException()
+  {
+    super();
+  }
+
+  public CertificateExpiredException(String msg)
+  {
+    super(msg);
+  }
+}
diff --git a/javax/security/cert/CertificateNotYetValidException.java b/javax/security/cert/CertificateNotYetValidException.java
new file mode 100644
index 000000000..56c8aeb7f
--- /dev/null
+++ b/javax/security/cert/CertificateNotYetValidException.java
@@ -0,0 +1,60 @@
+/* CertificateNotYetValidException.java -- certificate not yet valid exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+/**
+ * <p>Signals that a certificate is not yet valid.</p>
+ *
+ * <p><b>This class is deprecated in favor of the {@link
+ * java.security.cert.CertificateNotYetValidException} class. It should not be
+ * used in new applications.</b></p>
+ */
+public class CertificateNotYetValidException extends CertificateException
+{
+
+  public CertificateNotYetValidException()
+  {
+    super();
+  }
+
+  public CertificateNotYetValidException(String msg)
+  {
+    super(msg);
+  }
+}
diff --git a/javax/security/cert/CertificateParsingException.java b/javax/security/cert/CertificateParsingException.java
new file mode 100644
index 000000000..17012e2f1
--- /dev/null
+++ b/javax/security/cert/CertificateParsingException.java
@@ -0,0 +1,59 @@
+/* CertificateParsingException.java -- certificate parsing exception.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+/**
+ * <p>Signals a parsing error when decoding a certificate.</p>
+ *
+ * <p><b>This class is deprecated. It should not be used in new
+ * applications.</b></p>
+ */
+public class CertificateParsingException extends CertificateException
+{
+
+  public CertificateParsingException()
+  {
+    super();
+  }
+
+  public CertificateParsingException(String msg)
+  {
+    super(msg);
+  }
+}
diff --git a/javax/security/cert/X509CertBridge.java b/javax/security/cert/X509CertBridge.java
new file mode 100644
index 000000000..1c075d6d5
--- /dev/null
+++ b/javax/security/cert/X509CertBridge.java
@@ -0,0 +1,203 @@
+/* X509CertBridge.java -- bridge between JDK and JSSE cert APIs.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+import java.math.BigInteger;
+
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PublicKey;
+import java.security.Principal;
+import java.security.SignatureException;
+
+import java.util.Date;
+
+/**
+ * <p>An implementation of the {@link X509Certificate} class that delegates
+ * calls to a {@link java.security.cert.X509Certificate}.</p>
+ */
+final class X509CertBridge extends X509Certificate
+{
+
+  // Fields.
+  // -------------------------------------------------------------------------
+
+  private java.security.cert.X509Certificate cert;
+
+  // Constructor.
+  // -------------------------------------------------------------------------
+
+  X509CertBridge(java.security.cert.X509Certificate cert)
+  {
+    this.cert = cert;
+  }
+
+  // Instance methods.
+  // -------------------------------------------------------------------------
+
+  public byte[] getEncoded() throws CertificateEncodingException
+  {
+    try
+      {
+        return cert.getEncoded();
+      }
+    catch (java.security.cert.CertificateEncodingException cee)
+      {
+        throw new CertificateEncodingException(cee.getMessage());
+      }
+  }
+
+  public void verify(PublicKey key)
+    throws CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+           NoSuchProviderException, SignatureException
+  {
+    try
+      {
+        cert.verify(key);
+      }
+    catch (java.security.cert.CertificateException ce)
+      {
+        throw new CertificateException(ce.getMessage());
+      }
+  }
+
+  public void verify(PublicKey key, String sigProvider)
+    throws CertificateException, NoSuchAlgorithmException, InvalidKeyException,
+           NoSuchProviderException, SignatureException
+  {
+    try
+      {
+        cert.verify(key, sigProvider);
+      }
+    catch (java.security.cert.CertificateException ce)
+      {
+        throw new CertificateException(ce.getMessage());
+      }
+  }
+
+  public String toString()
+  {
+    return cert.toString();
+  }
+
+  public PublicKey getPublicKey()
+  {
+    return cert.getPublicKey();
+  }
+
+  public void checkValidity()
+    throws CertificateExpiredException, CertificateNotYetValidException
+  {
+    try
+      {
+        cert.checkValidity();
+      }
+    catch (java.security.cert.CertificateExpiredException cee)
+      {
+        throw new CertificateExpiredException(cee.getMessage());
+      }
+    catch (java.security.cert.CertificateNotYetValidException cnyve)
+      {
+        throw new CertificateNotYetValidException(cnyve.getMessage());
+      }
+  }
+
+  public void checkValidity(Date date)
+    throws CertificateExpiredException, CertificateNotYetValidException
+  {
+    try
+      {
+        cert.checkValidity(date);
+      }
+    catch (java.security.cert.CertificateExpiredException cee)
+      {
+        throw new CertificateExpiredException(cee.getMessage());
+      }
+    catch (java.security.cert.CertificateNotYetValidException cnyve)
+      {
+        throw new CertificateNotYetValidException(cnyve.getMessage());
+      }
+  }
+
+  public int getVersion()
+  {
+    return cert.getVersion();
+  }
+
+  public BigInteger getSerialNumber()
+  {
+    return cert.getSerialNumber();
+  }
+
+  public Principal getIssuerDN()
+  {
+    return cert.getIssuerDN();
+  }
+
+  public Principal getSubjectDN()
+  {
+    return cert.getSubjectDN();
+  }
+
+  public Date getNotBefore()
+  {
+    return cert.getNotBefore();
+  }
+
+  public Date getNotAfter()
+  {
+    return cert.getNotAfter();
+  }
+
+  public String getSigAlgName()
+  {
+    return cert.getSigAlgName();
+  }
+
+  public String getSigAlgOID()
+  {
+    return cert.getSigAlgOID();
+  }
+
+  public byte[] getSigAlgParams()
+  {
+    return cert.getSigAlgParams();
+  }
+}
diff --git a/javax/security/cert/X509Certificate.java b/javax/security/cert/X509Certificate.java
new file mode 100644
index 000000000..2bf0b4e94
--- /dev/null
+++ b/javax/security/cert/X509Certificate.java
@@ -0,0 +1,191 @@
+/* X509Certificate.java -- base class of X.509 certificates.
+   Copyright (C) 2004 Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+02111-1307 USA.
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version. */
+
+
+package javax.security.cert;
+
+import java.io.ByteArrayInputStream;
+import java.io.InputStream;
+import java.io.IOException;
+
+import java.math.BigInteger;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.Principal;
+import java.security.cert.CertificateFactory;
+
+import java.util.Date;
+
+/**
+ * <p>The base class of all X.509 certificates.</p>
+ *
+ * <p><b>This class is deprecated in favor of the {@link
+ * java.security.cert.X509Certificate} class. It should not be used in new
+ * applications.</b></p>
+ */
+public abstract class X509Certificate extends Certificate
+{
+
+  // Class methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Get an instance of X509Certificate for the given encoded bytes.</p>
+   *
+   * @param encoded The encoded certificate.
+   * @return An instance of X509Certificate.
+   * @throws CertificateException If the encoded certificate cannot be parsed.
+   */
+  public static X509Certificate getInstance(byte[] encoded)
+    throws CertificateException
+  {
+    return getInstance(new ByteArrayInputStream(encoded));
+  }
+
+  /**
+   * <p>Get an instance of X509Certificate for the given encoded stream.</p>
+   *
+   * @param encoded The encoded certificate stream..
+   * @return An instance of X509Certificate.
+   * @throws CertificateException If the encoded certificate cannot be parsed.
+   */
+  public static X509Certificate getInstance(InputStream encoded)
+    throws CertificateException
+  {
+    try
+      {
+        CertificateFactory cf = CertificateFactory.getInstance("X.509");
+        return new X509CertBridge((java.security.cert.X509Certificate)
+                                  cf.generateCertificate(encoded));
+      }
+    catch (java.security.cert.CertificateException ce)
+      {
+        throw new CertificateException(ce.getMessage());
+      }
+  }
+
+  // Abstract methods.
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Check if this certificate is valid now.</p>
+   *
+   * @throws CertificateExpiredException If the certificate has expired.
+   * @throws CertificateNotYetValidException If the certificate is not yet valid.
+   * @see #checkValidity(java.util.Date)
+   */
+  public abstract void checkValidity()
+    throws CertificateExpiredException, CertificateNotYetValidException;
+
+  /**
+   * <p>Check if this certificate is valid for the given date.</p>
+   *
+   * @param date The date to check.
+   * @throws CertificateExpiredException If the certificate has expired.
+   * @throws CertificateNotYetValidException If the certificate is not yet valid.
+   */
+  public abstract void checkValidity(Date date)
+    throws CertificateExpiredException, CertificateNotYetValidException;
+
+  /**
+   * <p>Returns the X.509 version number.</p>
+   *
+   * @return The version number.
+   */
+  public abstract int getVersion();
+
+  /**
+   * <p>Returns this certificate's serial number.</p>
+   *
+   * @return The serial number.
+   */
+  public abstract BigInteger getSerialNumber();
+
+  /**
+   * <p>Returns the distinguished name of this certificate's issuer.</p>
+   *
+   * @return The issuer's distinguished name.
+   */
+  public abstract Principal getIssuerDN();
+
+  /**
+   * <p>Returns the distinguished name of this certificate's subject.</p>
+   *
+   * @return The subject's distinguished name.
+   */
+  public abstract Principal getSubjectDN();
+
+  /**
+   * <p>Returns the <i>not before</i> portion of this certificate's validity
+   * period.</p>
+   *
+   * @return The not before date.
+   */
+  public abstract Date getNotBefore();
+
+  /**
+   * <p>Returns the <i>not after</i> portion of this certificate's validity
+   * period.</p>
+   *
+   * @return The not after date.
+   */
+  public abstract Date getNotAfter();
+
+  /**
+   * <p>Returns the name of this certificate's signature algorithm.</p>
+   *
+   * @return The name of the signature algorithm.
+   */
+  public abstract String getSigAlgName();
+
+  /**
+   * <p>Returns the object identifier (OID) of this certificate's signature
+   * algorithm. The returned string is a sequence of integers separated by
+   * periods.</p>
+   *
+   * @return The signature OID.
+   */
+  public abstract String getSigAlgOID();
+
+  /**
+   * <p>Returns the signature parameters. The returned byte array contains the
+   * raw DER-encoded parameters.</p>
+   *
+   * @return The signature parameters.
+   */
+  public abstract byte[] getSigAlgParams();
+}
diff --git a/javax/security/sasl/AuthenticationException.java b/javax/security/sasl/AuthenticationException.java
new file mode 100644
index 000000000..1af2eb30a
--- /dev/null
+++ b/javax/security/sasl/AuthenticationException.java
@@ -0,0 +1,105 @@
+/* AuthenticationException.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpathis free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpathis distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+/**
+ * <p>This exception is thrown by a SASL mechanism implementation to indicate
+ * that the SASL exchange has failed due to reasons related to authentication,
+ * such as an invalid identity, passphrase, or key.</p>
+ *
+ * <p>Note that the lack of an <code>AuthenticationException</code> does not
+ * mean that the failure was not due to an authentication error. A SASL
+ * mechanism implementation might throw the more general {@link SaslException}
+ * instead of <code>AuthenticationException</code> if it is unable to determine
+ * the nature of the failure, or if does not want to disclose the nature of the
+ * failure, for example, due to security reasons.</p>
+ */
+public class AuthenticationException extends SaslException
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Constructs a new instance of <code>AuthenticationException</code>. The
+   * root exception and the detailed message are <code>null</code>.
+   */
+  public AuthenticationException()
+  {
+    super();
+  }
+
+  /**
+   * Constructs a new instance of <code>AuthenticationException</code> with a
+   * detailed message. The root exception is <code>null</code>.
+   *
+   * @param detail a possibly <code>null</code> string containing details of
+   * the exception.
+   * @see Throwable#getMessage()
+   */
+  public AuthenticationException(String detail)
+  {
+    super(detail);
+  }
+
+  /**
+   * Constructs a new instance of <code>AuthenticationException</code> with a
+   * detailed message and a root exception.
+   *
+   * @param detail a possibly <code>null</code> string containing details of
+   * the exception.
+   * @param ex a possibly <code>null</code> root exception that caused this
+   * exception.
+   * @see Throwable#getMessage()
+   * @see SaslException#getCause()
+   */
+  public AuthenticationException(String detail, Throwable ex)
+  {
+    super(detail, ex);
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+}
diff --git a/javax/security/sasl/AuthorizeCallback.java b/javax/security/sasl/AuthorizeCallback.java
new file mode 100644
index 000000000..77fe78698
--- /dev/null
+++ b/javax/security/sasl/AuthorizeCallback.java
@@ -0,0 +1,171 @@
+/* AuthorizeCallback.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpathis free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpathis distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import javax.security.auth.callback.Callback;
+
+/**
+ * This callback is used by {@link SaslServer} to determine whether one entity
+ * (identified by an authenticated authentication ID) can act on behalf of
+ * another entity (identified by an authorization ID).
+ */
+public class AuthorizeCallback implements Callback
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /** @serial The (authenticated) authentication id to check. */
+  private String authenticationID = null;
+
+  /** @serial The authorization id to check. */
+  private String authorizationID  = null;
+
+  /**
+   * @serial The id of the authorized entity. If null, the id of the authorized
+   * entity is authorizationID.
+   */
+  private String authorizedID  = null;
+
+  /**
+   * @serial A flag indicating whether the authentication id is allowed to act
+   * on behalf of the authorization id.
+   */
+  private boolean authorized = false;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Constructs an instance of <code>AuthorizeCallback</code>.
+   *
+   * @param authnID the (authenticated) authentication ID.
+   * @param authzID the authorization ID.
+   */
+  public AuthorizeCallback(String authnID, String authzID)
+  {
+    super();
+
+    this.authenticationID = authnID;
+    this.authorizationID  = authzID;
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns the authentication ID to check.
+   *
+   * @return the authentication ID to check
+   */
+  public String getAuthenticationID()
+  {
+    return authenticationID;
+  }
+
+  /**
+   * Returns the authorization ID to check.
+   *
+   * @return the authorization ID to check.
+   */
+  public String getAuthorizationID()
+  {
+    return authorizationID;
+  }
+
+  /**
+   * Determines if the identity represented by authentication ID is allowed to
+   * act on behalf of the authorization ID.
+   *
+   * @return <code>true</code> if authorization is allowed; <code>false</code>
+   * otherwise.
+   * @see #setAuthorized(boolean)
+   * @see #getAuthorizedID()
+   */
+  public boolean isAuthorized()
+  {
+    return authorized;
+  }
+
+  /**
+   * Sets if authorization is allowed or not.
+   *
+   * @param authorized <code>true</code> if authorization is allowed;
+   * <code>false</code> otherwise.
+   * @see #isAuthorized()
+   * @see #setAuthorizedID(String)
+   */
+  public void setAuthorized(boolean authorized)
+  {
+    this.authorized = authorized;
+  }
+
+  /**
+   * Returns the ID of the authorized user.
+   *
+   * @return the ID of the authorized user. <code>null</code> means the
+   * authorization failed.
+   * @see #setAuthorized(boolean)
+   * @see #setAuthorizedID(String)
+   */
+  public String getAuthorizedID()
+  {
+    if (!authorized)
+      {
+        return null;
+      }
+    return (authorizedID != null ? authorizedID : authorizationID);
+  }
+
+  /**
+   * Sets the ID of the authorized entity. Called by handler only when the ID
+   * is different from {@link #getAuthorizationID()}. For example, the ID might
+   * need to be canonicalized for the environment in which it will be used.
+   *
+   * @see #setAuthorized(boolean)
+   * @see #getAuthorizedID()
+   */
+  public void setAuthorizedID(String id)
+  {
+    this.authorizedID = id;
+  }
+}
diff --git a/javax/security/sasl/RealmCallback.java b/javax/security/sasl/RealmCallback.java
new file mode 100644
index 000000000..49bc08ae2
--- /dev/null
+++ b/javax/security/sasl/RealmCallback.java
@@ -0,0 +1,75 @@
+/* RealmCallback.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import javax.security.auth.callback.TextInputCallback;
+
+/**
+ * This callback is used by {@link SaslClient} and {@link SaslServer} to
+ * retrieve realm information.
+ */
+public class RealmCallback extends TextInputCallback
+{
+
+  /**
+   * Constructs a <code>RealmCallback</code> with a prompt.
+   *
+   * @param prompt the non-null prompt to use to request the realm information.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or empty.
+   */
+  public RealmCallback(String prompt)
+  {
+    super(prompt);
+  }
+
+  /**
+   * Constructs a <code>RealmCallback</code> with a prompt and default realm
+   * information.
+   *
+   * @param prompt the non-null prompt to use to request the realm information.
+   * @param defaultRealmInfo the non-null default realm information to use.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or empty, or if <code>defaultRealm</code> is empty or <code>null</code>.
+   */
+  public RealmCallback(String prompt, String defaultRealmInfo)
+  {
+    super(prompt, defaultRealmInfo);
+  }
+}
diff --git a/javax/security/sasl/RealmChoiceCallback.java b/javax/security/sasl/RealmChoiceCallback.java
new file mode 100644
index 000000000..2e0040761
--- /dev/null
+++ b/javax/security/sasl/RealmChoiceCallback.java
@@ -0,0 +1,71 @@
+/* RealmChoiceCallback.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import javax.security.auth.callback.ChoiceCallback;
+
+/**
+ * This callback is used by {@link SaslClient} and {@link SaslServer} to obtain
+ * a realm given a list of realm choices.
+ */
+public class RealmChoiceCallback extends ChoiceCallback
+{
+
+  /**
+   * Constructs a <code>RealmChoiceCallback</code> with a prompt, a list of
+   * choices and a default choice.
+   *
+   * @param prompt the non-null prompt to use to request the realm.
+   * @param choices the non-null list of realms to choose from.
+   * @param defaultChoice the choice to be used as the default when the list of
+   * choices is displayed. It is an index into the <code>choices</code> array.
+   * @param multiple <code>true</code> if multiple choices allowed;
+   * <code>false</code> otherwise.
+   * @throws IllegalArgumentException if <code>prompt</code> is <code>null</code>
+   * or empty, if <code>choices</code> has a length of <code>0</code>, if any
+   * element from <code>choices</code> is <code>null</code> or empty, or if
+   * <code>defaultChoice</code> does not fall within the array boundary of
+   * <code>choices</code>.
+   */
+  public RealmChoiceCallback(String prompt, String[] choices, int defaultChoice,
+                             boolean multiple)
+  {
+    super(prompt, choices, defaultChoice, multiple);
+  }
+}
diff --git a/javax/security/sasl/Sasl.java b/javax/security/sasl/Sasl.java
new file mode 100644
index 000000000..2174692f4
--- /dev/null
+++ b/javax/security/sasl/Sasl.java
@@ -0,0 +1,691 @@
+/* Sasl.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.Map;
+import java.util.Vector;
+import java.security.Security;
+import java.security.Provider;
+
+import javax.security.auth.callback.CallbackHandler;
+
+/**
+ * <p>A static class for creating SASL clients and servers.</p>
+ *
+ * <p>This class defines the policy of how to locate, load, and instantiate SASL
+ * clients and servers.</p>
+ *
+ * <p>For example, an application or library gets a SASL client instance by
+ * doing something like:</p>
+ *
+ * <pre>
+ *SaslClient sc =
+ *      Sasl.createSaslClient(mechanisms, authorizationID, protocol,
+ *                            serverName, props, callbackHandler);
+ * </pre>
+ *
+ * <p>It can then proceed to use the instance to create an authenticated
+ * connection.</p>
+ *
+ * <p>Similarly, a server gets a SASL server instance by using code that looks
+ * as follows:</p>
+ *
+ * <pre>
+ *SaslServer ss =
+ *      Sasl.createSaslServer(mechanism, protocol, serverName, props,
+ *                            callbackHandler);
+ * </pre>
+ */
+public class Sasl
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>The name of a property that specifies the quality-of-protection to use.
+   * The property contains a comma-separated, ordered list of quality-of-
+   * protection values that the client or server is willing to support. A qop
+   * value is one of:</p>
+   *
+   * <ul>
+   *    <li><code>"auth"</code> - authentication only,</li>
+   *    <li><code>"auth-int"</code> - authentication plus integrity
+   *    protection,</li>
+   *    <li><code>"auth-conf"</code> - authentication plus integrity and
+   *    confidentiality protection.</li>
+   * </ul>
+   *
+   * <p>The order of the list specifies the preference order of the client or
+   * server.</p>
+   *
+   * <p>If this property is absent, the default qop is <code>"auth"</code>.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.qop"</code>.</p>
+   */
+  public static final String QOP = "javax.security.sasl.qop";
+
+  /**
+   * <p>The name of a property that specifies the cipher strength to use. The
+   * property contains a comma-separated, ordered list of cipher strength
+   * values that the client or server is willing to support. A strength value
+   * is one of:</p>
+   *
+   * <ul>
+   *    <li><code>"low"</code>,</li>
+   *    <li><code>"medium"</code>,</li>
+   *    <li><code>"high"</code>.</li>
+   * </ul>
+   *
+   * <p>The order of the list specifies the preference order of the client or
+   * server. An implementation should allow configuration of the meaning of
+   * these values. An application may use the Java Cryptography Extension (JCE)
+   * with JCE-aware mechanisms to control the selection of cipher suites that
+   * match the strength values.</p>
+   *
+   * <p>If this property is absent, the default strength is
+   * <code>"high,medium,low"</code>.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.strength"</code>.
+   * </p>
+   */
+  public static final String STRENGTH = "javax.security.sasl.strength";
+
+  /**
+   * <p>The name of a property that specifies whether the server must authenticate
+   * to the client. The property contains <code>"true"</code> if the server
+   * must authenticate the to client; <code>"false"</code> otherwise. The
+   * default is <code>"false"</code>.</p>
+   *
+   * <p>The value of this constant is
+   * <code>"javax.security.sasl.server.authentication"</code>.</p>
+   */
+  public static final String SERVER_AUTH = "javax.security.sasl.server.authentication";
+
+  /**
+   * <p>The name of a property that specifies the maximum size of the receive
+   * buffer in bytes of {@link SaslClient}/{@link SaslServer}. The property
+   * contains the string representation of an integer.</p>
+   *
+   * <p>If this property is absent, the default size is defined by the
+   * mechanism.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.maxbuffer"</code>.
+   * </p>
+   */
+  public static final String MAX_BUFFER = "javax.security.sasl.maxbuffer";
+
+  /**
+   * <p>The name of a property that specifies the maximum size of the raw send
+   * buffer in bytes of {@link SaslClient}/{@link SaslServer}. The property
+   * contains the string representation of an integer. The value of this
+   * property is negotiated between the client and server during the
+   * authentication exchange.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.rawsendsize"</code>.
+   * </p>
+   */
+  public static final String RAW_SEND_SIZE = "javax.security.sasl.rawsendsize";
+
+  /**
+   * <p>The name of a property that specifies whether mechanisms susceptible
+   * to simple plain passive attacks (e.g., "PLAIN") are not permitted. The
+   * property contains <code>"true"</code> if such mechanisms are not
+   * permitted; <code>"false"</code> if such mechanisms are permitted. The
+   * default is <code>"false"</code>.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.policy.noplaintext"</code>.
+   * </p>
+   */
+  public static final String POLICY_NOPLAINTEXT = "javax.security.sasl.policy.noplaintext";
+
+  /**
+   * <p>The name of a property that specifies whether mechanisms susceptible to
+   * active (non-dictionary) attacks are not permitted. The property contains
+   * <code>"true"</code> if mechanisms susceptible to active attacks are not
+   * permitted; <code>"false"</code> if such mechanisms are permitted. The
+   * default is <code>"false"</code>.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.policy.noactive"</code>.
+   * </p>
+   */
+  public static final String POLICY_NOACTIVE = "javax.security.sasl.policy.noactive";
+
+  /**
+   * <p>The name of a property that specifies whether mechanisms susceptible to
+   * passive dictionary attacks are not permitted. The property contains
+   * <code>"true"</code> if mechanisms susceptible to dictionary attacks are
+   * not permitted; <code>"false"</code> if such mechanisms are permitted. The
+   * default is <code>"false"</code>.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.policy.nodictionary"</code>.
+   * </p>
+   */
+  public static final String POLICY_NODICTIONARY = "javax.security.sasl.policy.nodictionary";
+
+  /**
+   * <p>The name of a property that specifies whether mechanisms that accept
+   * anonymous login are not permitted. The property contains <code>"true"</code>
+   * if mechanisms that accept anonymous login are not permitted; <code>"false"
+   * </code> if such mechanisms are permitted. The default is <code>"false"</code>.
+   * </p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.policy.noanonymous"</code>.
+   * </p>
+   */
+  public static final String POLICY_NOANONYMOUS = "javax.security.sasl.policy.noanonymous";
+
+  /**
+   * The name of a property that specifies whether mechanisms that implement
+   * forward secrecy between sessions are required. Forward secrecy means that
+   * breaking into one session will not automatically provide information for
+   * breaking into future sessions. The property contains <code>"true"</code>
+   * if mechanisms that implement forward secrecy between sessions are
+   * required; <code>"false"</code> if such mechanisms are not required. The
+   * default is <code>"false"</code>.</p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.policy.forward"</code>.
+   * </p>
+   */
+  public static final String POLICY_FORWARD_SECRECY = "javax.security.sasl.policy.forward";
+
+  /**
+   * The name of a property that specifies whether mechanisms that pass client
+   * credentials are required. The property contains <code>"true"</code> if
+   * mechanisms that pass client credentials are required; <code>"false"</code>
+   * if such mechanisms are not required. The default is <code>"false"</code>.
+   * </p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.policy.credentials"</code>.
+   * </p>
+   */
+  public static final String POLICY_PASS_CREDENTIALS = "javax.security.sasl.policy.credentials";
+
+  /**
+   * <p>The name of a property that specifies whether to reuse previously
+   * authenticated session information. The property contains <code>"true"</code>
+   * if the mechanism implementation may attempt to reuse previously
+   * authenticated session information; it contains <code>"false"</code> if the
+   * implementation must not reuse previously authenticated session information.
+   * A setting of <code>"true"</code> serves only as a hint; it does not
+   * necessarily entail actual reuse because reuse might not be possible due to
+   * a number of reasons, including, but not limited to, lack of mechanism
+   * support for reuse, expiration of reusable information, and the peer's
+   * refusal to support reuse. The property's default value is <code>"false"</code>.
+   * </p>
+   *
+   * <p>The value of this constant is <code>"javax.security.sasl.reuse"</code>.
+   * Note that all other parameters and properties required to create a SASL
+   * client/server instance must be provided regardless of whether this
+   * property has been supplied. That is, you cannot supply any less
+   * information in anticipation of reuse. Mechanism implementations that
+   * support reuse might allow customization of its implementation for factors
+   * such as cache size, timeouts, and criteria for reuseability. Such
+   * customizations are implementation-dependent.</p>
+   */
+  public static final String REUSE = "javax.security.sasl.reuse";
+
+  private static final String CLIENT_FACTORY_SVC = "SaslClientFactory.";
+  private static final String SERVER_FACTORY_SVC = "SaslServerFactory.";
+  private static final String ALIAS = "Alg.Alias.";
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  private Sasl()
+  {
+    super();
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * <p>Creates a {@link SaslClient} for the specified mechanism.</p>
+   *
+   * <p>This method uses the JCA Security Provider Framework, described in the
+   * "Java Cryptography Architecture API Specification &amp; Reference", for
+   * locating and selecting a {@link SaslClient} implementation.</p>
+   *
+   * <p>First, it obtains an ordered list of {@link SaslClientFactory}
+   * instances from the registered security providers for the
+   * <code>"SaslClientFactory"</code> service and the specified mechanism. It
+   * then invokes <code>createSaslClient()</code> on each factory instance on
+   * the list until one produces a non-null {@link SaslClient} instance. It
+   * returns the non-null {@link SaslClient} instance, or <code>null</code> if
+   * the search fails to produce a non-null {@link SaslClient} instance.</p>
+   *
+   * <p>A security provider for <code>SaslClientFactory</code> registers with
+   * the JCA Security Provider Framework keys of the form:</p>
+   *
+   * <pre>
+   *    SaslClientFactory.mechanism_name
+   * </pre>
+   *
+   * <p>and values that are class names of implementations of {@link
+   * SaslClientFactory}.</p>
+   *
+   * <p>For example, a provider that contains a factory class,
+   * <code>com.wiz.sasl.digest.ClientFactory</code>, that supports the
+   * <code>"DIGEST-MD5"</code> mechanism would register the following entry
+   * with the JCA:</p>
+   *
+   * <pre>
+   *    SaslClientFactory.DIGEST-MD5     com.wiz.sasl.digest.ClientFactory
+   * </pre>
+   *
+   * <p>See the "Java Cryptography Architecture API Specification &amp;
+   * Reference" for information about how to install and configure security
+   * service providers.</p>
+   *
+   * @param mechanisms the non-null list of mechanism names to try. Each is the
+   * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
+   * @param authorizationID the possibly <code>null</code> protocol-dependent
+   * identification to be used for authorization. If <code>null</code> or
+   * empty, the server derives an authorization ID from the client's
+   * authentication credentials. When the SASL authentication completes
+   * successfully, the specified entity is granted access.
+   * @param protocol the non-null string name of the protocol for which the
+   * authentication is being performed (e.g. "ldap").
+   * @param serverName the non-null fully-qualified host name of the server to
+   * authenticate to.
+   * @param props the possibly null set of properties used to select the SASL
+   * mechanism and to configure the authentication exchange of the selected
+   * mechanism. For example, if props contains the {@link Sasl#POLICY_NOPLAINTEXT}
+   * property with the value <code>"true"</code>, then the selected SASL
+   * mechanism must not be susceptible to simple plain passive attacks. In
+   * addition to the standard properties declared in this class, other,
+   * possibly mechanism-specific, properties can be included. Properties not
+   * relevant to the selected mechanism are ignored.
+   * @param cbh the possibly <code>null</code> callback handler to used by the
+   * SASL mechanisms to get further information from the application/library to
+   * complete the authentication. For example, a SASL mechanism might require
+   * the authentication ID, password and realm from the caller. The
+   * authentication ID is requested by using a
+   * {@link javax.security.auth.callback.NameCallback}. The password is
+   * requested by using a {@link javax.security.auth.callback.PasswordCallback}.
+   * The realm is requested by using a {@link RealmChoiceCallback} if there is
+   * a list of realms to choose from, and by using a {@link RealmCallback} if
+   * the realm must be entered.
+   * @return a possibly <code>null</code> {@link SaslClient} created using the
+   * parameters supplied. If <code>null</code>, the method could not find a
+   * {@link SaslClientFactory} that will produce one.
+   * @throws SaslException if a {@link SaslClient} cannot be created because
+   * of an error.
+   */
+  public static SaslClient createSaslClient(String[] mechanisms,
+                                            String authorizationID,
+                                            String protocol,
+                                            String serverName, Map props,
+                                            CallbackHandler cbh)
+    throws SaslException
+  {
+    if (mechanisms == null)
+      {
+        return null;
+      }
+    Provider[] providers = Security.getProviders();
+    if (providers == null || providers.length == 0)
+      {
+        return null;
+      }
+
+    SaslClient result = null;
+    SaslClientFactory factory = null;
+    String m, clazz = null, upper, alias;
+    int j;
+    Provider p;
+    for (int i = 0; i < mechanisms.length; i++)
+      {
+        m = mechanisms[i];
+        if (m == null)
+          continue;
+        for (j = 0; j < providers.length; j++)
+          {
+            p = providers[j];
+            if (p != null)
+              {
+                // try the name as is
+                clazz = p.getProperty(CLIENT_FACTORY_SVC + m);
+                if (clazz == null) // try all uppercase
+                  {
+                    upper = m.toUpperCase();
+                    clazz = p.getProperty(CLIENT_FACTORY_SVC + upper);
+                    if (clazz == null) // try if it's an alias
+                      {
+                        alias = p.getProperty(ALIAS + CLIENT_FACTORY_SVC + m);
+                        if (alias == null) // try all-uppercase alias name
+                          {
+                            alias = p.getProperty(ALIAS + CLIENT_FACTORY_SVC + upper);
+                            if (alias == null) // spit the dummy
+                              continue;
+                          }
+                        clazz = p.getProperty(CLIENT_FACTORY_SVC + alias);
+                      }
+                  }
+                if (clazz == null)
+                  continue;
+                else
+                  clazz = clazz.trim();
+              }
+
+            try
+              {
+                result = null;
+                factory = (SaslClientFactory) Class.forName(clazz).newInstance();
+                result = factory.createSaslClient(mechanisms, authorizationID,
+                                                  protocol, serverName, props, cbh);
+              }
+            catch (ClassCastException ignored) // ignore instantiation exceptions
+              {
+              }
+            catch (ClassNotFoundException ignored)
+              {
+              }
+            catch (InstantiationException ignored)
+              {
+              }
+            catch (IllegalAccessException ignored)
+              {
+              }
+            if (result != null)
+              return result;
+          }
+      }
+    return null;
+  }
+
+  /**
+   * Gets an enumeration of known factories for producing a {@link SaslClient}
+   * instance. This method uses the same sources for locating factories as
+   * <code>createSaslClient()</code>.
+   *
+   * @return a non-null {@link Enumeration} of known factories for producing a
+   * {@link SaslClient} instance.
+   * @see #createSaslClient(String[],String,String,String,Map,CallbackHandler)
+   */
+  public static Enumeration getSaslClientFactories()
+  {
+    Vector result = new Vector();
+    HashSet names = new HashSet();
+    Provider[] providers = Security.getProviders();
+    Iterator it;
+    if (providers == null)
+      {
+        Provider p;
+        String key;
+        for (int i = 0; i < providers.length; i++)
+          {
+            p = providers[i];
+            for (it = p.keySet().iterator(); it.hasNext(); )
+              {
+                key = (String) it.next();
+                // add key's binding (a) it is a class of a client factory,
+                // and (b) the key does not include blanks
+                if (key.startsWith(CLIENT_FACTORY_SVC) && key.indexOf(" ") == -1)
+                  {
+                    names.add(p.getProperty(key));
+                    break;
+                  }
+              }
+          }
+      }
+    // we have the factory class names in names; instantiate and enumerate
+    String c;
+    for (it = names.iterator(); it.hasNext(); )
+      {
+        c = (String) it.next();
+        try
+          {
+            SaslClientFactory f = (SaslClientFactory) Class.forName(c).newInstance();
+            if (f != null)
+              result.add(f);
+          } catch (ClassCastException ignored) { // ignore instantiation exceptions
+          } catch (ClassNotFoundException ignored) {
+          } catch (InstantiationException ignored) {
+          } catch (IllegalAccessException ignored) {
+          }
+      }
+
+    return result.elements();
+  }
+
+  /**
+   * <p>Creates a {@link SaslServer} for the specified mechanism.</p>
+   *
+   * <p>This method uses the JCA Security Provider Framework, described in the
+   * "Java Cryptography Architecture API Specification &amp; Reference", for
+   * locating and selecting a SaslServer implementation.</p>
+   *
+   * <p>First, it obtains an ordered list of {@link SaslServerFactory}
+   * instances from the registered security providers for the
+   * <code>"SaslServerFactory"</code> service and the specified mechanism. It
+   * then invokes <code>createSaslServer()</code> on each factory instance on
+   * the list until one produces a non-null {@link SaslServer} instance. It
+   * returns the non-null {@link SaslServer} instance, or <code>null</code> if
+   * the search fails to produce a non-null {@link SaslServer} instance.</p>
+   *
+   * <p>A security provider for {@link SaslServerFactory} registers with the
+   * JCA Security Provider Framework keys of the form:</p>
+   *
+   * <pre>
+   *    SaslServerFactory.mechanism_name
+   * </pre>
+   *
+   * <p>and values that are class names of implementations of {@link
+   * SaslServerFactory}.</p>
+   *
+   * <p>For example, a provider that contains a factory class,
+   * <code>com.wiz.sasl.digest.ServerFactory</code>, that supports the
+   * <code>"DIGEST-MD5"</code> mechanism would register the following entry
+   * with the JCA:</p>
+   *
+   * <pre>
+   *    SaslServerFactory.DIGEST-MD5     com.wiz.sasl.digest.ServerFactory
+   * </pre></p>
+   *
+   * <p>See the "Java Cryptography Architecture API Specification &amp;
+   * Reference" for information about how to install and configure security
+   * service providers.</p>
+   *
+   * @param mechanism the non-null mechanism name. It must be an
+   * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5").
+   * @param protocol the non-null string name of the protocol for which the
+   * authentication is being performed (e.g. "ldap").
+   * @param serverName the non-null fully qualified host name of the server.
+   * @param props the possibly <code>null</code> set of properties used to
+   * select the SASL mechanism and to configure the authentication exchange of
+   * the selected mechanism. For example, if props contains the {@link
+   * Sasl#POLICY_NOPLAINTEXT} property with the value <code>"true"</code>, then
+   * the selected SASL mechanism must not be susceptible to simple plain
+   * passive attacks. In addition to the standard properties declared in this
+   * class, other, possibly mechanism-specific, properties can be included.
+   * Properties not relevant to the selected mechanism are ignored.
+   * @param cbh the possibly <code>null</code> callback handler to used by the
+   * SASL mechanisms to get further information from the application/library to
+   * complete the authentication. For example, a SASL mechanism might require
+   * the authentication ID, password and realm from the caller. The
+   * authentication ID is requested by using a
+   * {@link javax.security.auth.callback.NameCallback}. The password is
+   * requested by using a {@link javax.security.auth.callback.PasswordCallback}.
+   * The realm is requested by using a {@link RealmChoiceCallback} if there is
+   * a list of realms to choose from, and by using a {@link RealmCallback} if
+   * the realm must be entered.
+   * @return a possibly <code>null</code> {@link SaslServer} created using the
+   * parameters supplied. If <code>null</code>, the method cannot find a
+   * {@link SaslServerFactory} instance that will produce one.
+   * @throws SaslException if a {@link SaslServer} instance cannot be created
+   * because of an error.
+   */
+  public static SaslServer createSaslServer(String mechanism, String protocol,
+                                            String serverName,
+                                            Map props, CallbackHandler cbh)
+    throws SaslException
+  {
+    if (mechanism == null)
+      return null;
+    Provider[] providers = Security.getProviders();
+    if (providers == null || providers.length == 0)
+      return null;
+
+    SaslServer result = null;
+    SaslServerFactory factory = null;
+    String clazz = null, upper, alias = null;
+    int j;
+    Provider p;
+    for (j = 0; j < providers.length; j++)
+      {
+        p = providers[j];
+        if (p != null)
+          {
+            // try the name as is
+            clazz = p.getProperty(SERVER_FACTORY_SVC + mechanism);
+            if (clazz == null) // try all uppercase
+              {
+                upper = mechanism.toUpperCase();
+                clazz = p.getProperty(SERVER_FACTORY_SVC + upper);
+                if (clazz == null) // try if it's an alias
+                  {
+                    alias = p.getProperty(ALIAS + SERVER_FACTORY_SVC + mechanism);
+                    if (alias == null) // try all-uppercase alias name
+                      {
+                        alias = p.getProperty(ALIAS + SERVER_FACTORY_SVC + upper);
+                        if (alias == null) // spit the dummy
+                          continue;
+                      }
+                  }
+                clazz = p.getProperty(SERVER_FACTORY_SVC + alias);
+              }
+          }
+        if (clazz == null)
+          continue;
+        else
+          clazz = clazz.trim();
+
+        try
+          {
+            result = null;
+            factory = (SaslServerFactory) Class.forName(clazz).newInstance();
+            result =
+              factory.createSaslServer(mechanism, protocol, serverName, props, cbh);
+          }
+        catch (ClassCastException ignored) // ignore instantiation exceptions
+          {
+          }
+        catch (ClassNotFoundException ignored)
+          {
+          }
+        catch (InstantiationException ignored)
+          {
+          }
+        catch (IllegalAccessException ignored)
+          {
+          }
+        if (result != null)
+          return result;
+      }
+    return null;
+  }
+
+  /**
+   * Gets an enumeration of known factories for producing a {@link SaslServer}
+   * instance. This method uses the same sources for locating factories as
+   * <code>createSaslServer()</code>.
+   *
+   * @return a non-null {@link Enumeration} of known factories for producing a
+   * {@link SaslServer} instance.
+   * @see #createSaslServer(String,String,String,Map,CallbackHandler)
+   */
+  public static Enumeration getSaslServerFactories()
+  {
+    Vector result = new Vector();
+    HashSet names = new HashSet();
+    Provider[] providers = Security.getProviders();
+    Iterator it;
+    if (providers == null)
+      {
+        Provider p;
+        String key;
+        for (int i = 0; i < providers.length; i++)
+          {
+            p = providers[i];
+            for (it = p.keySet().iterator(); it.hasNext(); )
+              {
+                key = (String) it.next();
+                // add key's binding (a) it is a class of a server factory,
+                // and (b) the key does not include blanks
+                if (key.startsWith(SERVER_FACTORY_SVC) && key.indexOf(" ") == -1)
+                  {
+                    names.add(p.getProperty(key));
+                    break;
+                  }
+              }
+          }
+      }
+    // we have the factory class names in names; instantiate and enumerate
+    String c;
+    for (it = names.iterator(); it.hasNext(); )
+      {
+        c = (String) it.next();
+        try
+          {
+            SaslServerFactory f = (SaslServerFactory) Class.forName(c).newInstance();
+            if (f != null)
+              result.add(f);
+          }
+        catch (ClassCastException ignored) // ignore instantiation exceptions
+          {
+          }
+        catch (ClassNotFoundException ignored)
+          {
+          }
+        catch (InstantiationException ignored)
+          {
+          }
+        catch (IllegalAccessException ignored)
+          {
+          }
+      }
+
+    return result.elements();
+  }
+}
diff --git a/javax/security/sasl/SaslClient.java b/javax/security/sasl/SaslClient.java
new file mode 100644
index 000000000..ca95ced25
--- /dev/null
+++ b/javax/security/sasl/SaslClient.java
@@ -0,0 +1,231 @@
+/* SaslClient.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpathis free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpathis distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+/**
+ * <p>Performs SASL authentication as a client.</p>
+ *
+ * <p>A protocol library such as one for LDAP gets an instance of this class in
+ * order to perform authentication defined by a specific SASL mechanism.
+ * Invoking methods on the <code>SaslClient</code> instance process challenges
+ * and create responses according to the SASL mechanism implemented by the
+ * <code>SaslClient</code>. As the authentication proceeds, the instance
+ * encapsulates the state of a SASL client's authentication exchange.</p>
+ *
+ * <p>Here's an example of how an LDAP library might use a <code>SaslClient</code>.
+ * It first gets an instance of a SaslClient:</p>
+ * <pre>
+ *SaslClient sc =
+ *      Sasl.createSaslClient(mechanisms, authorizationID, protocol,
+ *                            serverName, props, callbackHandler);
+ * </pre>
+ *
+ * <p>It can then proceed to use the client for authentication. For example, an
+ * LDAP library might use the client as follows:</p>
+ * <pre>
+ * // Get initial response and send to server
+ *byte[] response = sc.hasInitialResponse()
+ *      ? sc.evaluateChallenge(new byte[0]) : null;
+ *LdapResult res = ldap.sendBindRequest(dn, sc.getName(), response);
+ *while (!sc.isComplete()
+ *       && ((res.status == SASL_BIND_IN_PROGRESS) || (res.status == SUCCESS))) {
+ *   response = sc.evaluateChallenge( res.getBytes() );
+ *   if (res.status == SUCCESS) {
+ *      // we're done; don't expect to send another BIND
+ *      if ( response != null ) {
+ *         throw new SaslException(
+ *               "Protocol error: attempting to send response after completion");
+ *      }
+ *      break;
+ *   }
+ *   res = ldap.sendBindRequest(dn, sc.getName(), response);
+ *}
+ *if (sc.isComplete() && (res.status == SUCCESS) ) {
+ *   String qop = (String)sc.getNegotiatedProperty(Sasl.QOP);
+ *   if ((qop != null)
+ *         && (qop.equalsIgnoreCase("auth-int")
+ *            || qop.equalsIgnoreCase("auth-conf"))) {
+ *      // Use SaslClient.wrap() and SaslClient.unwrap() for future
+ *      // communication with server
+ *      ldap.in = new SecureInputStream(sc, ldap.in);
+ *      ldap.out = new SecureOutputStream(sc, ldap.out);
+ *   }
+ *}
+ * </pre>
+ *
+ * <p>If the mechanism has an initial response, the library invokes
+ * {@link #evaluateChallenge(byte[])} with an empty challenge to get the initial
+ * response. Protocols such as IMAP4, which do not include an initial response
+ * with their first authentication command to the server, initiate the
+ * authentication without first calling {@link #hasInitialResponse()} or
+ * {@link #evaluateChallenge(byte[])}. When the server responds to the command,
+ * it sends an initial challenge. For a SASL mechanism in which the client sends
+ * data first, the server should have issued a challenge with no data. This will
+ * then result in a call (on the client) to {@link #evaluateChallenge(byte[])}
+ * with an empty challenge.</p>
+ *
+ * @see Sasl
+ * @see SaslClientFactory
+ * @version $Revision: 1.1 $
+ */
+public interface SaslClient
+{
+
+  /**
+   * Returns the IANA-registered mechanism name of this SASL client. (e.g.
+   * "CRAM-MD5", "GSSAPI").
+   *
+   * @return a non-null string representing the IANA-registered mechanism name.
+   */
+  String getMechanismName();
+
+  /**
+   * Determines if this mechanism has an optional initial response. If
+   * <code>true</code>, caller should call {@link #evaluateChallenge(byte[])}
+   * with an empty array to get the initial response.
+   *
+   * @return <code>true</code> if this mechanism has an initial response.
+   */
+  boolean hasInitialResponse();
+
+  /**
+   * Evaluates the challenge data and generates a response. If a challenge is
+   * received from the server during the authentication process, this method is
+   * called to prepare an appropriate next response to submit to the server.
+   *
+   * @param challenge the non-null challenge sent from the server. The
+   * challenge array may have zero length.
+   * @return the possibly <code>null</code> reponse to send to the server. It
+   * is <code>null</code> if the challenge accompanied a "SUCCESS" status and
+   * the challenge only contains data for the client to update its state and no
+   * response needs to be sent to the server. The response is a zero-length
+   * byte array if the client is to send a response with no data.
+   * @throws SaslException if an error occurred while processing the challenge
+   * or generating a response.
+   */
+  byte[] evaluateChallenge(byte[] challenge) throws SaslException;
+
+  /**
+   * Determines if the authentication exchange has completed. This method may
+   * be called at any time, but typically, it will not be called until the
+   * caller has received indication from the server (in a protocol-specific
+   * manner) that the exchange has completed.
+   *
+   * @return <code>true</code> if the authentication exchange has completed;
+   * <code>false</code> otherwise.
+   */
+  boolean isComplete();
+
+  /**
+   * <p>Unwraps a byte array received from the server. This method can be
+   * called only after the authentication exchange has completed (i.e., when
+   * {@link #isComplete()} returns <code>true</code>) and only if the
+   * authentication exchange has negotiated integrity and/or privacy as the
+   * quality of protection; otherwise, an {@link IllegalStateException} is
+   * thrown.</p>
+   *
+   * <p><code>incoming</code> is the contents of the SASL buffer as defined in
+   * RFC 2222 without the leading four octet field that represents the length.
+   * <code>offset</code> and <code>len</code> specify the portion of incoming
+   * to use.</p>
+   *
+   * @param incoming a non-null byte array containing the encoded bytes from
+   * the server.
+   * @param offset the starting position at <code>incoming</code> of the bytes
+   * to use.
+   * @param len the number of bytes from <code>incoming</code> to use.
+   * @return a non-null byte array containing the decoded bytes.
+   * @throws SaslException if <code>incoming</code> cannot be successfully
+   * unwrapped.
+   * @throws IllegalStateException if the authentication exchange has not
+   * completed, or if the negotiated quality of protection has neither
+   * integrity nor privacy.
+   */
+  byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException;
+
+  /**
+   * <p>Wraps a byte array to be sent to the server. This method can be called
+   * only after the authentication exchange has completed (i.e., when
+   * {@link #isComplete()} returns <code>true</code>) and only if the
+   * authentication exchange has negotiated integrity and/or privacy as the
+   * quality of protection; otherwise, an {@link IllegalStateException} is
+   * thrown.</p>
+   *
+   * <p>The result of this method will make up the contents of the SASL buffer
+   * as defined in RFC 2222 without the leading four octet field that
+   * represents the length. <code>offset</code> and <code>len</code> specify
+   * the portion of <code>outgoing</code> to use.</p>
+   *
+   * @param outgoing a non-null byte array containing the bytes to encode.
+   * @param offset the starting position at <code>outgoing</code> of the bytes
+   * to use.
+   * @param len the number of bytes from <code>outgoing</code> to use.
+   * @return a non-null byte array containing the encoded bytes.
+   * @throws SaslException if <code>outgoing</code> cannot be successfully
+   * wrapped.
+   * @throws IllegalStateException if the authentication exchange has not
+   * completed, or if the negotiated quality of protection has neither
+   * integrity nor privacy.
+   */
+  byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException;
+
+  /**
+   * Retrieves the negotiated property. This method can be called only after
+   * the authentication exchange has completed (i.e., when {@link #isComplete()}
+   * returns <code>true</code>); otherwise, an {@link IllegalStateException} is
+   * thrown.
+   *
+   * @param propName the non-null property name.
+   * @return the value of the negotiated property. If <code>null</code>, the
+   * property was not negotiated or is not applicable to this mechanism.
+   * @throws IllegalStateException if this authentication exchange has not
+   * completed.
+   */
+  Object getNegotiatedProperty(String propName) throws SaslException;
+
+  /**
+   * Disposes of any system resources or security-sensitive information the
+   * <code>SaslClient</code> might be using. Invoking this method invalidates
+   * the <code>SaslClient</code> instance. This method is idempotent.
+   *
+   * @throws SaslException if a problem was encountered while disposing of the
+   * resources.
+   */
+  void dispose() throws SaslException;
+}
diff --git a/javax/security/sasl/SaslClientFactory.java b/javax/security/sasl/SaslClientFactory.java
new file mode 100644
index 000000000..b67c7a324
--- /dev/null
+++ b/javax/security/sasl/SaslClientFactory.java
@@ -0,0 +1,117 @@
+/* SaslClientFactory.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import java.util.Map;
+
+import javax.security.auth.callback.CallbackHandler;
+
+/**
+ * <p>An interface for creating instances of {@link SaslClient}. A class that
+ * implements this interface must be thread-safe and handle multiple
+ * simultaneous requests. It must also have a public constructor that accepts
+ * no arguments.</p>
+ *
+ * <p>This interface is not normally accessed directly by a client, which will
+ * use the {@link Sasl} static methods to create a client instance instead.
+ * However, a particular environment may provide and install a new or different
+ * <code>SaslClientFactory</code>.</p>
+ *
+ * @see SaslClient
+ * @see Sasl
+ * @version $Revision: 1.1 $
+ */
+public interface SaslClientFactory
+{
+
+  /**
+   * Creates a {@link SaslClient} using the parameters supplied.
+   *
+   * @param mechanisms the non-null list of mechanism names to try. Each is the
+   * IANA-registered name of a SASL mechanism (e.g. "GSSAPI", "CRAM-MD5").
+   * @param authorizationID the possibly null protocol-dependent identification
+   * to be used for authorization. If <code>null</code> or empty, the server
+   * derives an authorization ID from the client's authentication credentials.
+   * When the SASL authentication completes successfully, the specified entity
+   * is granted access.
+   * @param protocol the non-null string name of the protocol for which the
+   * authentication is being performed (e.g. "ldap").
+   * @param serverName the non-null fully qualified host name of the server to
+   * authenticate to.
+   * @param props the possibly <code>null</code> set of properties used to
+   * select the SASL mechanism and to configure the authentication exchange of
+   * the selected mechanism. See the {@link Sasl} class for a list of standard
+   * properties. Other, possibly mechanism-specific, properties can be included.
+   * Properties not relevant to the selected mechanism are ignored.
+   * @param cbh the possibly <code>null</code> callback handler to used by the
+   * SASL mechanisms to get further information from the application/library to
+   * complete the authentication. For example, a SASL mechanism might require
+   * the authentication ID, password and realm from the caller. The
+   * authentication ID is requested by using a
+   * {@link javax.security.auth.callback.NameCallback}. The password is
+   * requested by using a {@link javax.security.auth.callback.PasswordCallback}.
+   * The realm is requested by using a {@link RealmChoiceCallback} if there is
+   * a list of realms to choose from, and by using a {@link RealmCallback} if
+   * the realm must be entered.
+   * @return a possibly <code>null</code> {@link SaslClient} created using the
+   * parameters supplied. If <code>null</code>, this factory cannot produce a
+   * {@link SaslClient} using the parameters supplied.
+   * @throws SaslException if a {@link SaslClient} instance cannot be created
+   * because of an error.
+   */
+  SaslClient createSaslClient(String[] mechanisms, String authorizationID,
+                              String protocol, String serverName, Map props,
+                              CallbackHandler cbh)
+    throws SaslException;
+
+  /**
+   * Returns an array of names of mechanisms that match the specified mechanism
+   * selection policies.
+   *
+   * @param props the possibly <code>null</code> set of properties used to
+   * specify the security policy of the SASL mechanisms. For example, if props
+   * contains the {@link Sasl#POLICY_NOPLAINTEXT} property with the value
+   * <code>"true"</code>, then the factory must not return any SASL mechanisms
+   * that are susceptible to simple plain passive attacks. See the {@link Sasl}
+   * class for a complete list of policy properties. Non-policy related
+   * properties, if present in props, are ignored.
+   * @return a non-null array containing IANA-registered SASL mechanism names.
+   */
+  String[] getMechanismNames(Map props);
+}
diff --git a/javax/security/sasl/SaslException.java b/javax/security/sasl/SaslException.java
new file mode 100644
index 000000000..9ff091d63
--- /dev/null
+++ b/javax/security/sasl/SaslException.java
@@ -0,0 +1,185 @@
+/* SaslException.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import java.io.IOException;
+import java.io.PrintStream;
+import java.io.PrintWriter;
+import java.io.Serializable;
+
+/**
+ * This class represents an error that has occurred when using SASL.
+ *
+ * @version $Revision: 1.1 $
+ */
+public class SaslException extends IOException implements Serializable
+{
+
+  // Constants and variables
+  // -------------------------------------------------------------------------
+
+  /**
+   * @serial The possibly null root cause exception.
+   */
+  private Throwable _exception = null;
+
+  // Constructor(s)
+  // -------------------------------------------------------------------------
+
+  /**
+   * Constructs a new instance of <code>SaslException</code>. The root
+   * exception and the detailed message are null.
+   */
+  public SaslException()
+  {
+    super();
+  }
+
+  /**
+   * Constructs a new instance of <code>SaslException</code> with a detailed
+   * message. The <code>root</code> exception is <code>null</code>.
+   *
+   * @param detail a possibly null string containing details of the exception.
+   * @see Throwable#getMessage()
+   */
+  public SaslException(String detail)
+  {
+    super(detail);
+  }
+
+  /**
+   * Constructs a new instance of <code>SaslException</code> with a detailed
+   * message and a root exception. For example, a <code>SaslException</code>
+   * might result from a problem with the callback handler, which might throw a
+   * {@link javax.security.auth.callback.UnsupportedCallbackException} if it
+   * does not support the requested callback, or throw an {@link IOException}
+   * if it had problems obtaining data for the callback. The
+   * <code>SaslException</code>'s root exception would be then be the exception
+   * thrown by the callback handler.
+   *
+   * @param detail a possibly <code>null</code> string containing details of
+   * the exception.
+   * @param ex a possibly <code>null</code> root exception that caused this
+   * exception.
+   * @see Throwable#getMessage()
+   * @see #getCause()
+   */
+  public SaslException(String detail, Throwable ex)
+  {
+    super(detail);
+    _exception = ex;
+  }
+
+  // Class methods
+  // -------------------------------------------------------------------------
+
+  // Instance methods
+  // -------------------------------------------------------------------------
+
+  /**
+   * Returns the cause of this throwable or <code>null</code> if the cause is
+   * nonexistent or unknown. The cause is the throwable that caused this
+   * exception to be thrown.
+   *
+   * @return the possibly <code>null</code> exception that caused this exception.
+   */
+  public Throwable getCause()
+  {
+    return _exception;
+  }
+
+  /**
+   * Prints this exception's stack trace to <code>System.err</code>. If this
+   * exception has a root exception; the stack trace of the root exception is
+   * also printed to <code>System.err</code>.
+   */
+  public void printStackTrace()
+  {
+    super.printStackTrace();
+    if (_exception != null)
+      _exception.printStackTrace();
+  }
+
+  /**
+   * Prints this exception's stack trace to a print stream. If this exception
+   * has a root exception; the stack trace of the root exception is also
+   * printed to the print stream.
+   *
+   * @param ps the non-null print stream to which to print.
+   */
+  public void printStackTrace(PrintStream ps)
+  {
+    super.printStackTrace(ps);
+    if (_exception != null)
+      _exception.printStackTrace(ps);
+  }
+
+  /**
+   * Prints this exception's stack trace to a print writer. If this exception
+   * has a root exception; the stack trace of the root exception is also
+   * printed to the print writer.
+   *
+   * @param pw the non-null print writer to use for output.
+   */
+  public void printStackTrace(PrintWriter pw)
+  {
+    super.printStackTrace(pw);
+    if (_exception != null)
+      _exception.printStackTrace(pw);
+  }
+
+  /**
+   * Returns the string representation of this exception. The string
+   * representation contains this exception's class name, its detailed
+   * messsage, and if it has a root exception, the string representation of the
+   * root exception. This string representation is meant for debugging and not
+   * meant to be interpreted programmatically.
+   *
+   * @return the non-null string representation of this exception.
+   * @see Throwable#getMessage()
+   */
+  public String toString()
+  {
+    StringBuffer sb = new StringBuffer(this.getClass().getName())
+      .append(": ").append(super.toString());
+    if (_exception != null)
+      sb.append("; caused by: ").append(_exception.toString());
+    return sb.toString();
+  }
+}
diff --git a/javax/security/sasl/SaslServer.java b/javax/security/sasl/SaslServer.java
new file mode 100644
index 000000000..3f0d79d44
--- /dev/null
+++ b/javax/security/sasl/SaslServer.java
@@ -0,0 +1,226 @@
+/* SasServer.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+/**
+ * <p>Performs SASL authentication as a server.</p>
+ *
+ * <p>A server such as an LDAP server gets an instance of this class in order to
+ * perform authentication defined by a specific SASL mechanism. Invoking methods
+ * on the <code>SaslServer</code> instance generates challenges corresponding to
+ * the SASL mechanism implemented by the <code>SaslServer</code> instance. As
+ * the authentication proceeds, the instance encapsulates the state of a SASL
+ * server's authentication exchange.</p>
+ *
+ * <p>Here's an example of how an LDAP server might use a <code>SaslServer</code>
+ * instance. It first gets an instance of a <code>SaslServer</code> for the SASL
+ * mechanism requested by the client:</p>
+ *
+ * <pre>
+ *SaslServer ss =
+ *      Sasl.createSaslServer(mechanism, "ldap", myFQDN, props, callbackHandler);
+ * </pre>
+ *
+ * <p>It can then proceed to use the server for authentication. For example,
+ * suppose the LDAP server received an LDAP BIND request containing the name of
+ * the SASL mechanism and an (optional) initial response. It then might use the
+ * server as follows:</p>
+ *
+ * <pre>
+ *while (!ss.isComplete()) {
+ *   try {
+ *      byte[] challenge = ss.evaluateResponse(response);
+ *      if (ss.isComplete()) {
+ *         status = ldap.sendBindResponse(mechanism, challenge, SUCCESS);
+ *      } else {
+ *         status = ldap.sendBindResponse(mechanism, challenge, SASL_BIND_IN_PROGRESS);
+ *         response = ldap.readBindRequest();
+ *      }
+ *   } catch (SaslException x) {
+ *      status = ldap.sendErrorResponse(x);
+ *      break;
+ *   }
+ *}
+ *if (ss.isComplete() && (status == SUCCESS)) {
+ *   String qop = (String) sc.getNegotiatedProperty(Sasl.QOP);
+ *   if (qop != null
+ *         && (qop.equalsIgnoreCase("auth-int")
+ *            || qop.equalsIgnoreCase("auth-conf"))) {
+ *      // Use SaslServer.wrap() and SaslServer.unwrap() for future
+ *      // communication with client
+ *      ldap.in = new SecureInputStream(ss, ldap.in);
+ *      ldap.out = new SecureOutputStream(ss, ldap.out);
+ *   }
+ *}
+ * </pre>
+ *
+ * @see Sasl
+ * @see SaslServerFactory
+ * @version $Revision: 1.1 $
+ */
+public interface SaslServer
+{
+
+  /**
+   * Returns the IANA-registered mechanism name of this SASL server (e.g.
+   * "CRAM-MD5", "GSSAPI").
+   *
+   * @return a non-null string representing the IANA-registered mechanism name.
+   */
+  String getMechanismName();
+
+  /**
+   * Evaluates the response data and generates a challenge. If a response is
+   * received from the client during the authentication process, this method is
+   * called to prepare an appropriate next challenge to submit to the client.
+   * The challenge is <code>null</code> if the authentication has succeeded and
+   * no more challenge data is to be sent to the client. It is non-null if the
+   * authentication must be continued by sending a challenge to the client, or
+   * if the authentication has succeeded but challenge data needs to be
+   * processed by the client. {@link #isComplete()} should be called after each
+   * call to <code>evaluateResponse()</code>,to determine if any further
+   * response is needed from the client.
+   *
+   * @param response the non-null (but possibly empty) response sent by the
+   * client.
+   * @return the possibly <code>null</code> challenge to send to the client.
+   * It is <code>null</code> if the authentication has succeeded and there is
+   * no more challenge data to be sent to the client.
+   * @throws SaslException if an error occurred while processing the response
+   * or generating a challenge.
+   */
+  byte[] evaluateResponse(byte[] response) throws SaslException;
+
+  /**
+   * Determines if the authentication exchange has completed. This method is
+   * typically called after each invocation of {@link #evaluateResponse(byte[])}
+   * to determine whether the authentication has completed successfully or
+   * should be continued.
+   *
+   * @return <code>true</code> if the authentication exchange has completed;
+   * <code>false</code> otherwise.
+   */
+  boolean isComplete();
+
+  /**
+   * Reports the authorization ID in effect for the client of this session This
+   * method can only be called if {@link #isComplete()} returns <code>true</code>.
+   *
+   * @return the authorization ID of the client.
+   * @throws IllegalStateException if this authentication session has not
+   * completed.
+   */
+  String getAuthorizationID();
+
+  /**
+   * <p>Unwraps a byte array received from the client. This method can be called
+   * only after the authentication exchange has completed (i.e., when
+   * {@link #isComplete()} returns <code>true</code>) and only if the
+   * authentication exchange has negotiated integrity and/or privacy as the
+   * quality of protection; otherwise, an {@link IllegalStateException} is
+   * thrown.</p>
+   *
+   * <p><code>incoming</code> is the contents of the SASL buffer as defined in
+   * RFC 2222 without the leading four octet field that represents the length.
+   * <code>offset</code> and <code>len</code> specify the portion of incoming
+   * to use.</p>
+   *
+   * @param incoming a non-null byte array containing the encoded bytes from
+   * the client.
+   * @param offset the starting position at <code>incoming</code> of the bytes
+   * to use.
+   * @param len the number of bytes from <code>incoming</code> to use.
+   * @return a non-null byte array containing the decoded bytes.
+   * @throws SaslException if <code>incoming</code> cannot be successfully
+   * unwrapped.
+   * @throws IllegalStateException if the authentication exchange has not
+   * completed, or if the negotiated quality of protection has neither
+   * integrity nor privacy.
+   */
+  byte[] unwrap(byte[] incoming, int offset, int len) throws SaslException;
+
+  /**
+   * <p>Wraps a byte array to be sent to the client. This method can be called
+   * only after the authentication exchange has completed (i.e., when
+   * {@link #isComplete()} returns <code>true</code>) and only if the
+   * authentication exchange has negotiated integrity and/or privacy as the
+   * quality of protection; otherwise, an {@link IllegalStateException} is
+   * thrown.</p>
+   *
+   * <p>The result of this method will make up the contents of the SASL buffer
+   * as defined in RFC 2222 without the leading four octet field that
+   * represents the length. <code>offset</code> and <code>len</code> specify
+   * the portion of <code>outgoing</code> to use.
+   *
+   * @param outgoing a non-null byte array containing the bytes to encode.
+   * @param offset the starting position at <code>outgoing</code> of the bytes
+   * to use.
+   * @param len the number of bytes from <code>outgoing</code> to use.
+   * @return a non-null byte array containing the encoded bytes.
+   * @throws SaslException if <code>outgoing</code> cannot be successfully
+   * wrapped.
+   * @throws IllegalStateException if the authentication exchange has not
+   * completed, or if the negotiated quality of protection has neither
+   * integrity nor privacy.
+   */
+  byte[] wrap(byte[] outgoing, int offset, int len) throws SaslException;
+
+  /**
+   * Retrieves the negotiated property. This method can be called only after
+   * the authentication exchange has completed (i.e., when
+   * {@link #isComplete()} returns <code>true</code>); otherwise, an
+   * {@link IllegalStateException} is thrown.
+   *
+   * @return the value of the negotiated property. If <code>null</code>, the
+   * property was not negotiated or is not applicable to this mechanism.
+   * @throws IllegalStateException if this authentication exchange has not
+   * completed.
+   */
+  Object getNegotiatedProperty(String propName) throws SaslException;
+
+  /**
+   * Disposes of any system resources or security-sensitive information the
+   * <code>SaslServer</code> might be using. Invoking this method invalidates
+   * the <code>SaslServer</code> instance. This method is idempotent.
+   *
+   * @throws SaslException if a problem was encountered while disposing of the
+   * resources.
+   */
+  void dispose() throws SaslException;
+}
diff --git a/javax/security/sasl/SaslServerFactory.java b/javax/security/sasl/SaslServerFactory.java
new file mode 100644
index 000000000..b9387bbee
--- /dev/null
+++ b/javax/security/sasl/SaslServerFactory.java
@@ -0,0 +1,114 @@
+/* SaslServerFactory.java
+   Copyright (C) 2003, Free Software Foundation, Inc.
+
+This file is part of GNU Classpath.
+
+GNU Classpath is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2, or (at your option)
+any later version.
+
+GNU Classpath is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with GNU Classpath; see the file COPYING.  If not, write to the
+Free Software Foundation Inc., 59 Temple Place - Suite 330, Boston, MA
+02111-1307 USA
+
+Linking this library statically or dynamically with other modules is
+making a combined work based on this library.  Thus, the terms and
+conditions of the GNU General Public License cover the whole
+combination.
+
+As a special exception, the copyright holders of this library give you
+permission to link this library with independent modules to produce an
+executable, regardless of the license terms of these independent
+modules, and to copy and distribute the resulting executable under
+terms of your choice, provided that you also meet, for each linked
+independent module, the terms and conditions of the license of that
+module.  An independent module is a module which is not derived from
+or based on this library.  If you modify this library, you may extend
+this exception to your version of the library, but you are not
+obligated to do so.  If you do not wish to do so, delete this
+exception statement from your version.  */
+
+
+package javax.security.sasl;
+
+import java.util.Map;
+
+import javax.security.auth.callback.CallbackHandler;
+
+/**
+ * <p>An interface for creating instances of {@link SaslServer}. A class that
+ * implements this interface must be thread-safe and handle multiple
+ * simultaneous requests. It must also have a public constructor that accepts
+ * no arguments.</p>
+ *
+ * This interface is not normally accessed directly by a server, which will use
+ * the {@link Sasl} static methods to create a {@link SaslServer} instance
+ * instead. However, a particular environment may provide and install a new or
+ * different <code>SaslServerFactory</code>.</p>
+ *
+ * @see SaslServer
+ * @see Sasl
+ * @version $Revision: 1.1 $
+ */
+public interface SaslServerFactory
+{
+
+  /**
+   * Creates a {@link SaslServer} instance using the parameters supplied. It
+   * returns <code>null</code> if no {@link SaslServer} instance can be created
+   * using the parameters supplied. Throws {@link SaslException} if it cannot
+   * create a {@link SaslServer} because of an error.
+   *
+   * @param mechanism the non-null IANA-registered name of a SASL mechanism
+   * (e.g. "GSSAPI", "CRAM-MD5").
+   * @param protocol the non-null string name of the protocol for which the
+   * authentication is being performed (e.g. "ldap").
+   * @param serverName the non-null fully qualified host name of the server to
+   * authenticate to.
+   * @param props the possibly null set of properties used to select the SASL
+   * mechanism and to configure the authentication exchange of the selected
+   * mechanism. See the {@link Sasl} class for a list of standard properties.
+   * Other, possibly mechanism-specific, properties can be included. Properties
+   * not relevant to the selected mechanism are ignored.
+   * @param cbh the possibly null callback handler to used by the SASL
+   * mechanisms to get further information from the application/library to
+   * complete the authentication. For example, a SASL mechanism might require
+   * the authentication ID, password and realm from the caller. The
+   * authentication ID is requested by using a
+   * {@link javax.security.auth.callback.NameCallback}. The password is
+   * requested by using a {@link javax.security.auth.callback.PasswordCallback}.
+   * The realm is requested by using a {@link RealmChoiceCallback} if there is
+   * a list of realms to choose from, and by using a {@link RealmCallback} if
+   * the realm must be entered.
+   * @return a possibly null {@link SaslServer} created using the parameters
+   * supplied. If <code>null</code> is returned, it means that this factory
+   * cannot produce a {@link SaslServer} using the parameters supplied.
+   * @throws SaslException if a SaslServer instance cannot be created because
+   * of an error.
+   */
+  SaslServer createSaslServer(String mechanism, String protocol,
+                              String serverName, Map props, CallbackHandler cbh)
+    throws SaslException;
+
+  /**
+   * Returns an array of names of mechanisms that match the specified mechanism
+   * selection policies.
+   *
+   * @param props the possibly <code>null</code> set of properties used to
+   * specify the security policy of the SASL mechanisms. For example, if props
+   * contains the {@link Sasl#POLICY_NOPLAINTEXT} property with the value
+   * <code>"true"</code>, then the factory must not return any SASL mechanisms
+   * that are susceptible to simple plain passive attacks. See the {@link Sasl}
+   * class for a complete list of policy properties. Non-policy related
+   * properties, if present in props, are ignored.
+   * @return a non-null array containing IANA-registered SASL mechanism names.
+   */
+  String[] getMechanismNames(Map props);
+}