diff --git a/fine-bouncycastle/readme.md b/fine-bouncycastle/readme.md index 7e179b705..ee3d0f005 100644 --- a/fine-bouncycastle/readme.md +++ b/fine-bouncycastle/readme.md @@ -1,2 +1,2 @@ -版本:1.67
+版本:1.68
源码:https://www.bouncycastle.org/latest_releases.html
\ No newline at end of file diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java index 80f1fd5e4..1b76350fd 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/LICENSE.java @@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.util.Strings; /** * The Bouncy Castle License * - * Copyright (c) 2000-2019 The Legion Of The Bouncy Castle Inc. (http://www.bouncycastle.org) + * Copyright (c) 2000-2021 The Legion Of The Bouncy Castle Inc. (https://www.bouncycastle.org) *

* Permission is hereby granted, free of charge, to any person obtaining a copy of this software * and associated documentation files (the "Software"), to deal in the Software without restriction, @@ -26,7 +26,7 @@ import com.fr.third.org.bouncycastle.util.Strings; public class LICENSE { public static final String licenseText = - "Copyright (c) 2000-2019 The Legion of the Bouncy Castle Inc. (http://www.bouncycastle.org) " + "Copyright (c) 2000-2021 The Legion of the Bouncy Castle Inc. (https://www.bouncycastle.org) " + Strings.lineSeparator() + Strings.lineSeparator() + "Permission is hereby granted, free of charge, to any person obtaining a copy of this software " diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java index 41d0e5bb6..57aec4ca6 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/BERGenerator.java @@ -7,8 +7,7 @@ import java.io.OutputStream; * Base class for generators for indefinite-length structures. */ public class BERGenerator - extends - ASN1Generator + extends ASN1Generator { private boolean _tagged = false; private boolean _isExplicit; diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java index 970c3d091..192d99387 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSequence.java @@ -1,7 +1,6 @@ package com.fr.third.org.bouncycastle.asn1; import java.io.IOException; -import java.io.OutputStream; /** * Definite length SEQUENCE, encoding tells explicit number of bytes diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java index 9149201be..a90f8d532 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/DERSet.java @@ -1,7 +1,6 @@ package com.fr.third.org.bouncycastle.asn1; import java.io.IOException; -import java.io.OutputStream; /** * A DER encoded SET object diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java index 736d60a3a..a0ee76456 100644 --- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java +++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attribute.java @@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1Set; import com.fr.third.org.bouncycastle.asn1.DERSequence; /** - * RFC 5652: + * RFC 5652: * Attribute is a pair of OID (as type identifier) + set of values. *

* 

diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java
index 4161404d7..5722a3af9 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Attributes.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DLSet;
 
 /**
- * RFC 5652 defines
+ * RFC 5652 defines
  * 5 "SET OF Attribute" entities with 5 different names.
  * This is common implementation for them all:
  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java
index 796bcd4a2..0277c7a3d 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthEnvelopedData.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5083:
+ * RFC 5083:
  *
  * CMS AuthEnveloped Data object.
  * 

diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java
index d4847fe5e..eb12b0850 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/AuthenticatedData.java
@@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652 section 9.1:
+ * RFC 5652 section 9.1:
  * The AuthenticatedData carries AuthAttributes and other data
  * which define what really is being signed.
  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java
index affeb25a6..e6d4e80e8 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CCMParameters.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
- * RFC 5084: CCMParameters object.
+ * RFC 5084: CCMParameters object.
  * 

  * 
  CCMParameters ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java
index b48563f67..6861bf728 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CMSAttributes.java
@@ -5,8 +5,8 @@ import com.fr.third.org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
 
 
 /**
- * RFC 5652 CMS attribute OID constants.
- * and RFC 6211 Algorithm Identifier Protection Attribute.
+ * RFC 5652 CMS attribute OID constants.
+ * and RFC 6211 Algorithm Identifier Protection Attribute.
  * 
  * contentType      ::= 1.2.840.113549.1.9.3
  * messageDigest    ::= 1.2.840.113549.1.9.4
@@ -28,7 +28,7 @@ public interface CMSAttributes
     ASN1ObjectIdentifier  signingTime = PKCSObjectIdentifiers.pkcs_9_at_signingTime;
     /** PKCS#9: 1.2.840.113549.1.9.6 */
     ASN1ObjectIdentifier  counterSignature = PKCSObjectIdentifiers.pkcs_9_at_counterSignature;
-    /** PKCS#9: 1.2.840.113549.1.9.16.6.2.4 - See RFC 2634 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.6.2.4 - See RFC 2634 */
     ASN1ObjectIdentifier  contentHint = PKCSObjectIdentifiers.id_aa_contentHint;
 
     ASN1ObjectIdentifier  cmsAlgorithmProtect = PKCSObjectIdentifiers.id_aa_cmsAlgorithmProtect;
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java
index 9d916c352..53b09a9df 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedData.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /** 
- * RFC 3274: CMS Compressed Data.
+ * RFC 3274: CMS Compressed Data.
  * 
  * 
  * CompressedData ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java
index 8845236d3..9674ff835 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/CompressedDataParser.java
@@ -7,7 +7,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1SequenceParser;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * Parser of RFC 3274 {@link CompressedData} object.
+ * Parser of RFC 3274 {@link CompressedData} object.
  * 

  * 
  * CompressedData ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java
index 65c5fbd4e..fc3d94492 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfo.java
@@ -11,8 +11,8 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence;
 import com.fr.third.org.bouncycastle.asn1.BERTaggedObject;
 
 /**
- * RFC 5652 ContentInfo, and 
- * RFC 5652 EncapsulatedContentInfo objects.
+ * RFC 5652 ContentInfo, and
+ * RFC 5652 EncapsulatedContentInfo objects.
  *
  * 
  * ContentInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java
index 6912b2216..dbe0fd641 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ContentInfoParser.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1SequenceParser;
 import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser;
 
 /**
- * RFC 5652 {@link ContentInfo} object parser.
+ * RFC 5652 {@link ContentInfo} object parser.
  *
  * 
  * ContentInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java
index 1c328c4ec..e06250022 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/DigestedData.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.DEROctetString;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /** 
- * RFC 5652 DigestedData object.
+ * RFC 5652 DigestedData object.
  * 
  * DigestedData ::= SEQUENCE {
  *       version CMSVersion,
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java
index 0e2361af9..897bdbac9 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfo.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.BERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652 EncryptedContentInfo object.
+ * RFC 5652 EncryptedContentInfo object.
  *
  * 
  * EncryptedContentInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java
index 44193af02..842c75b4e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedContentInfoParser.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * Parser for RFC 5652 EncryptedContentInfo object.
+ * Parser for RFC 5652 EncryptedContentInfo object.
  * 

  * 
  * EncryptedContentInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java
index c06081002..6fc3f63c6 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EncryptedData.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence;
 import com.fr.third.org.bouncycastle.asn1.BERTaggedObject;
 
 /**
- * RFC 5652 EncryptedData object.
+ * RFC 5652 EncryptedData object.
  * 

  * 
  * EncryptedData ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java
index a5e2c955e..ac92880ca 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedData.java
@@ -13,7 +13,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652 EnvelopedData object.
+ * RFC 5652 EnvelopedData object.
  * 
  * EnvelopedData ::= SEQUENCE {
  *     version CMSVersion,
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java
index ff12c1a4b..90304a818 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/EnvelopedDataParser.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser;
 import com.fr.third.org.bouncycastle.asn1.BERTags;
 
 /** 
- * Parser of RFC 5652 {@link EnvelopedData} object.
+ * Parser of RFC 5652 {@link EnvelopedData} object.
  * 

  * 
  * EnvelopedData ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java
index 7238506ad..558c82c2a 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Evidence.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.tsp.EvidenceRecord;
 
 /**
- * RFC 5544:
+ * RFC 5544:
  * Binding Documents with Time-Stamps; Evidence object.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java
index 0bcd25c6a..3ca6d47bd 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/GCMParameters.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
- * RFC 5084: GCMParameters object.
+ * RFC 5084: GCMParameters object.
  * 

  * 
  GCMParameters ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java
index 6f08e319d..d77862a54 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/IssuerAndSerialNumber.java
@@ -14,7 +14,7 @@ import com.fr.third.org.bouncycastle.asn1.x509.X509CertificateStructure;
 import com.fr.third.org.bouncycastle.asn1.x509.X509Name;
 
 /**
- * RFC 5652: IssuerAndSerialNumber object.
+ * RFC 5652: IssuerAndSerialNumber object.
  * 

  * 
  * IssuerAndSerialNumber ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java
index 94c8fecaf..415761c6e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKIdentifier.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DEROctetString;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java
index 551c6c658..4bfd14cc2 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KEKRecipientInfo.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java
index ea07a8400..a81bbf51b 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientIdentifier.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java
index 8912d0878..7da53fd84 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyAgreeRecipientInfo.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java
index cc9daa790..4f0a0d3b5 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/KeyTransRecipientInfo.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 
  * KeyTransRecipientInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java
index dc29a4e20..e126f6650 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/MetaData.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.DERUTF8String;
 
 /**
- * RFC 5544:
+ * RFC 5544:
  * Binding Documents with Time-Stamps; MetaData object.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java
index 55aa47727..dc5c13c99 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorIdentifierOrKey.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.x509.SubjectKeyIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 
  * OriginatorIdentifierOrKey ::= CHOICE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java
index 6cfdfe95f..a2b4b752d 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorInfo.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652: OriginatorInfo object.
+ * RFC 5652: OriginatorInfo object.
  * 
  * RFC 3369:
  *
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java
index 6714f6bd6..887c31f59 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OriginatorPublicKey.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java
index 67d0ebb7c..b254ff498 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherKeyAttribute.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1Sequence;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5652: OtherKeyAttribute object.
+ * RFC 5652: OtherKeyAttribute object.
  * 

  * 
  * OtherKeyAttribute ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java
index bc857aecf..7fc989b71 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRecipientInfo.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 
  * OtherRecipientInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java
index 4a039ebd2..f87e56a32 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/OtherRevocationInfoFormat.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5652: OtherRevocationInfoFormat object.
+ * RFC 5652: OtherRevocationInfoFormat object.
  * 

  * 
  * OtherRevocationInfoFormat ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java
index d72d25876..4210c4774 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/PasswordRecipientInfo.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 
  * PasswordRecipientInfo ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java
index 92dae9c1a..157e3a3c8 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientEncryptedKey.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 
  * RecipientEncryptedKey ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java
index 753c675c3..035a6a80f 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientIdentifier.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 
  * RecipientIdentifier ::= CHOICE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java
index 4733eb342..9b10695e0 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientInfo.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java
index 8304b5341..9543fcc6a 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/RecipientKeyIdentifier.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DEROctetString;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Content encryption key delivery mechanisms.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java
index ec33d531d..c1db368c5 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SCVPReqRes.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5940:
+ * RFC 5940:
  * Additional Cryptographic Message Syntax (CMS) Revocation Information Choices.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java
index 3276aad7b..937f48f56 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedData.java
@@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.asn1.BERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * 

  * A signed data object containing multitude of {@link SignerInfo}s.
  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java
index 1c13937d1..b4829fc68 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignedDataParser.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObjectParser;
 import com.fr.third.org.bouncycastle.asn1.BERTags;
 
 /**
- * Parser for RFC 5652: {@link SignedData} object.
+ * Parser for RFC 5652: {@link SignedData} object.
  * 

  * 
  * SignedData ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java
index 976ef020b..57cd187c4 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerIdentifier.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Identify who signed the containing {@link SignerInfo} object.
  * 

  * The certificates referred to by this are at containing {@link SignedData} structure.
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java
index 48363186f..d2b5fe499 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/SignerInfo.java
@@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Signature container per Signer, see {@link SignerIdentifier}.
  * 
  * PKCS#7:
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java
index 4cab5fa02..9f3ce7317 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/Time.java
@@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.asn1.DERGeneralizedTime;
 import com.fr.third.org.bouncycastle.asn1.DERUTCTime;
 
 /**
- * RFC 5652:
+ * RFC 5652:
  * Dual-mode timestamp format producing either UTCTIme or GeneralizedTime.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java
index 60fd27a4e..7132fb145 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampAndCRL.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
 import com.fr.third.org.bouncycastle.asn1.x509.CertificateList;
 
 /**
- * RFC 5544
+ * RFC 5544
  * Binding Documents with Time-Stamps; TimeStampAndCRL object.
  * 
  * TimeStampAndCRL ::= SEQUENCE {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java
index 9bb70b8fb..7887c3dc5 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampTokenEvidence.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1TaggedObject;
 import com.fr.third.org.bouncycastle.asn1.DERSequence;
 
 /**
- * RFC 5544
+ * RFC 5544
  * Binding Documents with Time-Stamps; TimeStampTokenEvidence object.
  * 
  * TimeStampTokenEvidence ::=
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java
index 0cd3cb5d7..24a22e5c1 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedData.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.BERSequence;
 import com.fr.third.org.bouncycastle.asn1.DERIA5String;
 
 /**
- * RFC 5544:
+ * RFC 5544:
  * Binding Documents with Time-Stamps; TimeStampedData object.
  * 

  * 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java
index 742b186a3..b15fda126 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/TimeStampedDataParser.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1SequenceParser;
 import com.fr.third.org.bouncycastle.asn1.DERIA5String;
 
 /**
- * Parser for RFC 5544:
+ * Parser for RFC 5544:
  * {@link TimeStampedData} object.
  * 

  * 
@@ -71,6 +71,11 @@ public class TimeStampedDataParser
         return null;
     }
 
+    public int getVersion()
+    {
+        return version.getValue().intValue();
+    }
+    
     public DERIA5String getDataUri()
     {
         return dataUri;
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java
index 70d0ed3f4..e848906e8 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/cms/ecc/MQVuserKeyingMaterial.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.asn1.DERTaggedObject;
 import com.fr.third.org.bouncycastle.asn1.cms.OriginatorPublicKey;
 
 /**
- * RFC 5753/3278: MQVuserKeyingMaterial object.
+ * RFC 5753/3278: MQVuserKeyingMaterial object.
  * 
  * MQVuserKeyingMaterial ::= SEQUENCE {
  *   ephemeralPublicKey OriginatorPublicKey,
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java
index 08a205070..31792d182 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/dvcs/DVCSObjectIdentifiers.java
@@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.asn1.dvcs;
 import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
 /**
- * OIDs for RFC 3029
+ * OIDs for RFC 3029
  * Data Validation and Certification Server Protocols
  */
 public interface DVCSObjectIdentifiers
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java
index 7cf8c5da3..f83cbc1b0 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/eac/EACObjectIdentifiers.java
@@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier;
 /**
  * German Federal Office for Information Security
  * (Bundesamt für Sicherheit in der Informationstechnik)
- * http://www.bsi.bund.de/
+ * https://www.bsi.bund.de/
  * 

  * BSI TR-03110
  * Technical Guideline Advanced Security Mechanisms for Machine Readable Travel Documents
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java
index 37d9e04d5..f469ef666 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/isismtt/x509/AdmissionSyntax.java
@@ -67,8 +67,8 @@ import com.fr.third.org.bouncycastle.asn1.x509.GeneralName;
  * component namingAuthorityId are grouped under the OID-branch
  * id-isis-at-namingAuthorities and must be applied for.
  * 
  • See
- * http://www.teletrust.de/anwend.asp?Id=30200&Sprache=E_&HomePG=0 for
- * an application form and http://www.teletrust.de/links.asp?id=30220,11
+ * https://www.teletrust.de/anwend.asp?Id=30200&Sprache=E_&HomePG=0 for
+ * an application form and https://www.teletrust.de/links.asp?id=30220,11
  * for an overview of registered naming authorities.
  * 
  •  By means of the data type ProfessionInfo certain professions,
  * specializations, disciplines, fields of activity, etc. are identified. A
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/kisa/KISAObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/kisa/KISAObjectIdentifiers.java
index d41634892..4b8a9bab4 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/kisa/KISAObjectIdentifiers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/kisa/KISAObjectIdentifiers.java
@@ -6,10 +6,10 @@ import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier;
  * Korea Information Security Agency (KISA)
  * ({iso(1) member-body(2) kr(410) kisa(200004)})
  * 
    
- * See RFC 4010
+ * See RFC 4010
  * Use of the SEED Encryption Algorithm
  * in Cryptographic Message Syntax (CMS),
- * and RFC 4269
+ * and RFC 4269
  * The SEED Encryption Algorithm
  */
 public interface KISAObjectIdentifiers
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java
index b72f3eac0..ea1590cb8 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ntt/NTTObjectIdentifiers.java
@@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.asn1.ntt;
 import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
 /**
- * From RFC 3657
+ * From RFC 3657
  * Use of the Camellia Encryption Algorithm
  * in Cryptographic Message Syntax (CMS)
  */
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java
index 115e632e8..b165c1475 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/ocsp/OCSPObjectIdentifiers.java
@@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.asn1.ocsp;
 import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier;
 
 /**
- * OIDs for RFC 2560 and RFC 6960
+ * OIDs for RFC 2560 and RFC 6960
  * Online Certificate Status Protocol - OCSP.
  */
 public interface OCSPObjectIdentifiers
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java
index bb32dfc4e..f6a6371e6 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/pkcs/PKCSObjectIdentifiers.java
@@ -327,7 +327,7 @@ public interface PKCSObjectIdentifiers
     /** PKCS#9: 1.2.840.113549.1.9.16.2.1 -- smime attribute receiptRequest */
     ASN1ObjectIdentifier id_aa_receiptRequest = id_aa.branch("1");
     
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.4 - See RFC 2634 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.4 - See RFC 2634 */
     ASN1ObjectIdentifier id_aa_contentHint      = id_aa.branch("4"); // See RFC 2634
     /** PKCS#9: 1.2.840.113549.1.9.16.2.5 */
     ASN1ObjectIdentifier id_aa_msgSigDigest     = id_aa.branch("5");
@@ -344,40 +344,40 @@ public interface PKCSObjectIdentifiers
     /** PKCS#9: 1.2.840.113549.1.9.16.2.47 */
     ASN1ObjectIdentifier id_aa_signingCertificateV2 = id_aa.branch("47");
 
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.7 - See RFC 2634 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.7 - See RFC 2634 */
     ASN1ObjectIdentifier id_aa_contentIdentifier = id_aa.branch("7"); // See RFC 2634
 
     /*
      * RFC 3126
      */
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.14 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.14 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_signatureTimeStampToken = id_aa.branch("14");
     
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.15 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.15 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_sigPolicyId = id_aa.branch("15");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.16 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.16 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_commitmentType = id_aa.branch("16");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.17 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.17 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_signerLocation = id_aa.branch("17");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.18 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.18 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_signerAttr = id_aa.branch("18");
-    /** PKCS#9: 1.2.840.113549.1.9.16.6.2.19 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.6.2.19 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_otherSigCert = id_aa.branch("19");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.20 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.20 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_contentTimestamp = id_aa.branch("20");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.21 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.21 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_certificateRefs = id_aa.branch("21");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.22 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.22 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_revocationRefs = id_aa.branch("22");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.23 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.23 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_certValues = id_aa.branch("23");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.24 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.24 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_revocationValues = id_aa.branch("24");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.25 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.25 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_escTimeStamp = id_aa.branch("25");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.26 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.26 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_certCRLTimestamp = id_aa.branch("26");
-    /** PKCS#9: 1.2.840.113549.1.9.16.2.27 - RFC 3126 */
+    /** PKCS#9: 1.2.840.113549.1.9.16.2.27 - RFC 3126 */
     ASN1ObjectIdentifier id_aa_ets_archiveTimestamp = id_aa.branch("27");
 
     /** PKCS#9: 1.2.840.113549.1.9.16.2.37 - RFC 4108 */
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java
index 109bb95cf..a21938c2e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/teletrust/TeleTrusTNamedCurves.java
@@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.util.encoders.Hex;
 
 /**
  * Elliptic curves defined in "ECC Brainpool Standard Curves and Curve Generation"
- * http://www.ecc-brainpool.org/download/draft_pkix_additional_ecc_dp.txt
+ * https://www.ecc-brainpool.org/download/draft_pkix_additional_ecc_dp.txt
  */
 public class TeleTrusTNamedCurves
 {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java
index 9fafde65f..7d14644c9 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/tsp/ArchiveTimeStamp.java
@@ -33,10 +33,10 @@ import com.fr.third.org.bouncycastle.asn1.x509.AlgorithmIdentifier;
 public class ArchiveTimeStamp
     extends ASN1Object
 {
-    private AlgorithmIdentifier digestAlgorithm;
-    private Attributes attributes;
-    private ASN1Sequence reducedHashTree;
-    private ContentInfo timeStamp;
+    private final AlgorithmIdentifier digestAlgorithm;
+    private final Attributes attributes;
+    private final ASN1Sequence reducedHashTree;
+    private final ContentInfo timeStamp;
 
     /**
      * Return an ArchiveTimestamp from the given object.
@@ -64,26 +64,31 @@ public class ArchiveTimeStamp
         PartialHashtree[] reducedHashTree,
         ContentInfo timeStamp)
     {
-        this.digestAlgorithm = digestAlgorithm;
-        this.reducedHashTree = new DERSequence(reducedHashTree);
-        this.timeStamp = timeStamp;
+        this(digestAlgorithm, null, reducedHashTree, timeStamp);
     }
 
     public ArchiveTimeStamp(
-        AlgorithmIdentifier digestAlgorithm,
-        Attributes attributes,
-        PartialHashtree[] reducedHashTree,
         ContentInfo timeStamp)
     {
-        this.digestAlgorithm = digestAlgorithm;
-        this.attributes = attributes;
-        this.reducedHashTree = new DERSequence(reducedHashTree);
-        this.timeStamp = timeStamp;
+        this(null, null, null, timeStamp);
     }
 
     public ArchiveTimeStamp(
+        AlgorithmIdentifier digestAlgorithm,
+        Attributes attributes,
+        PartialHashtree[] reducedHashTree,
         ContentInfo timeStamp)
     {
+        this.digestAlgorithm = digestAlgorithm;
+        this.attributes = attributes;
+        if (reducedHashTree != null)
+        {
+            this.reducedHashTree = new DERSequence(reducedHashTree);
+        }
+        else
+        {
+            this.reducedHashTree = null;
+        }
         this.timeStamp = timeStamp;
     }
 
@@ -94,6 +99,9 @@ public class ArchiveTimeStamp
             throw new IllegalArgumentException("wrong sequence size in constructor: " + sequence.size());
         }
 
+        AlgorithmIdentifier digAlg = null;
+        Attributes attrs = null;
+        ASN1Sequence rHashTree = null;
         for (int i = 0; i < sequence.size() - 1; i++)
         {
             Object obj = sequence.getObjectAt(i);
@@ -105,13 +113,13 @@ public class ArchiveTimeStamp
                 switch (taggedObject.getTagNo())
                 {
                 case 0:
-                    digestAlgorithm = AlgorithmIdentifier.getInstance(taggedObject, false);
+                    digAlg = AlgorithmIdentifier.getInstance(taggedObject, false);
                     break;
                 case 1:
-                    attributes = Attributes.getInstance(taggedObject, false);
+                    attrs = Attributes.getInstance(taggedObject, false);
                     break;
                 case 2:
-                    reducedHashTree = ASN1Sequence.getInstance(taggedObject, false);
+                    rHashTree = ASN1Sequence.getInstance(taggedObject, false);
                     break;
                 default:
                     throw new IllegalArgumentException("invalid tag no in constructor: "
@@ -120,6 +128,9 @@ public class ArchiveTimeStamp
             }
         }
 
+        digestAlgorithm = digAlg;
+        attributes = attrs;
+        reducedHashTree = rHashTree;
         timeStamp = ContentInfo.getInstance(sequence.getObjectAt(sequence.size() - 1));
     }
 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java
index f4537a22b..f4ef1cc63 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x500/style/BCStyle.java
@@ -76,6 +76,8 @@ public class BCStyle
     public static final ASN1ObjectIdentifier GENERATION = new ASN1ObjectIdentifier("2.5.4.44").intern();
     public static final ASN1ObjectIdentifier UNIQUE_IDENTIFIER = new ASN1ObjectIdentifier("2.5.4.45").intern();
 
+    public static final ASN1ObjectIdentifier DESCRIPTION = new ASN1ObjectIdentifier("2.5.4.13").intern();
+
     /**
      * businessCategory - DirectoryString(SIZE(1..128)
      */
@@ -96,6 +98,7 @@ public class BCStyle
      */
     public static final ASN1ObjectIdentifier PSEUDONYM = new ASN1ObjectIdentifier("2.5.4.65").intern();
 
+    public static final ASN1ObjectIdentifier ROLE = new ASN1ObjectIdentifier("2.5.4.72").intern();
 
     /**
      * RFC 3039 DateOfBirth - GeneralizedTime - YYYYMMDD000000Z
@@ -213,6 +216,8 @@ public class BCStyle
         DefaultSymbols.put(GIVENNAME, "GIVENNAME");
         DefaultSymbols.put(INITIALS, "INITIALS");
         DefaultSymbols.put(GENERATION, "GENERATION");
+        DefaultSymbols.put(DESCRIPTION, "DESCRIPTION");
+        DefaultSymbols.put(ROLE, "ROLE");
         DefaultSymbols.put(UnstructuredAddress, "unstructuredAddress");
         DefaultSymbols.put(UnstructuredName, "unstructuredName");
         DefaultSymbols.put(UNIQUE_IDENTIFIER, "UniqueIdentifier");
@@ -249,6 +254,8 @@ public class BCStyle
         DefaultLookUp.put("givenname", GIVENNAME);
         DefaultLookUp.put("initials", INITIALS);
         DefaultLookUp.put("generation", GENERATION);
+        DefaultLookUp.put("description", DESCRIPTION);
+        DefaultLookUp.put("role", ROLE);
         DefaultLookUp.put("unstructuredaddress", UnstructuredAddress);
         DefaultLookUp.put("unstructuredname", UnstructuredName);
         DefaultLookUp.put("uniqueidentifier", UNIQUE_IDENTIFIER);
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java
index 1e0c64fe4..083c7585b 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/KeyPurposeId.java
@@ -123,12 +123,12 @@ public class KeyPurposeId
 
 
     /**
-     * Microsoft Server Gated Crypto (msSGC) see http://www.alvestrand.no/objectid/1.3.6.1.4.1.311.10.3.3.html
+     * Microsoft Server Gated Crypto (msSGC) see https://www.alvestrand.no/objectid/1.3.6.1.4.1.311.10.3.3.html
      */
     public static final KeyPurposeId id_kp_msSGC = new KeyPurposeId(new ASN1ObjectIdentifier("1.3.6.1.4.1.311.10.3.3"));
 
     /**
-     * Netscape Server Gated Crypto (nsSGC) see http://www.alvestrand.no/objectid/2.16.840.1.113730.4.1.html
+     * Netscape Server Gated Crypto (nsSGC) see https://www.alvestrand.no/objectid/2.16.840.1.113730.4.1.html
      */
     public static final KeyPurposeId id_kp_nsSGC = new KeyPurposeId(new ASN1ObjectIdentifier("2.16.840.1.113730.4.1"));
 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java
index b3170be73..8bbf6ad70 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/asn1/x509/PolicyMappings.java
@@ -18,7 +18,7 @@ import com.fr.third.org.bouncycastle.asn1.DERSequence;
  *      subjectDomainPolicy     CertPolicyId }
  * 
    • 
  *
- * @see RFC 3280, section 4.2.1.6
+ * @see RFC 3280, section 4.2.1.6
  */
 public class PolicyMappings
     extends ASN1Object
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java
index bab8a60d0..02124493b 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEParticipant.java
@@ -49,7 +49,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
  * These are the trivial techniques to optimize the communication.
  * 
    
  * The key confirmation process is implemented as specified in
- * NIST SP 800-56A Revision 1,
+ * NIST SP 800-56A Revision 1,
  * Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.
  * 
    
  * This class is stateful and NOT threadsafe.
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java
index 381dbc124..57a880f8b 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroup.java
@@ -10,7 +10,7 @@ import java.math.BigInteger;
  * 
    
  * See {@link JPAKEPrimeOrderGroups} for convenient standard groups.
  * 
    
- * NIST publishes
+ * NIST publishes
  * many groups that can be used for the desired level of security.
  */
 public class JPAKEPrimeOrderGroup
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java
index 8f5eb905d..afa2e0926 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEPrimeOrderGroups.java
@@ -11,7 +11,7 @@ import java.math.BigInteger;
  * 
    
  * The prime order groups below are taken from Sun's JDK JavaDoc (docs/guide/security/CryptoSpec.html#AppB),
  * and from the prime order groups
- * published by NIST.
+ * published by NIST.
  */
 public class JPAKEPrimeOrderGroups
 {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java
index 66570e03e..c84a09efb 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/agreement/jpake/JPAKEUtil.java
@@ -317,7 +317,7 @@ public class JPAKEUtil
 
     /**
      * Calculates the MacTag (to be used for key confirmation), as defined by
-     * NIST SP 800-56A Revision 1,
+     * NIST SP 800-56A Revision 1,
      * Section 8.2 Unilateral Key Confirmation for Key Agreement Schemes.
      * 
          * MacTag = HMAC(MacKey, MacLen, MacData)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java
index 7eb48d29f..62be72edf 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/RIPEMD160Digest.java
@@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.util.Memoable;
 
 /**
  * implementation of RIPEMD see,
- * http://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
+ * https://www.esat.kuleuven.ac.be/~bosselae/ripemd160.html
  */
 public class RIPEMD160Digest
     extends GeneralDigest
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java
index b004d6f1d..b3a6efc6e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/SM3Digest.java
@@ -5,7 +5,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
 
 /**
  * Implementation of Chinese SM3 digest as described at
- * http://tools.ietf.org/html/draft-shen-sm3-hash-01
+ * https://tools.ietf.org/html/draft-shen-sm3-hash-01
  * and at .... ( Chinese PDF )
  * 
    
  * The specification says "process a bit stream",
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java
index 90969003d..cf4fd7d24 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/digests/TigerDigest.java
@@ -5,8 +5,8 @@ import com.fr.third.org.bouncycastle.util.Memoable;
 
 /**
  * implementation of Tiger based on:
- * 
- *  http://www.cs.technion.ac.il/~biham/Reports/Tiger
+ * 
+ *  https://www.cs.technion.ac.il/~biham/Reports/Tiger
  */
 public class TigerDigest
     implements ExtendedDigest, Memoable
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java
index 6f7c9ddef..755b472b7 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/encodings/OAEPEncoding.java
@@ -297,6 +297,7 @@ public class OAEPEncoding
         byte[]  output = new byte[block.length - start];
 
         System.arraycopy(block, start, output, 0, output.length);
+        Arrays.fill(block, (byte)0);
 
         return output;
     }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java
index 40ca573a6..816027fda 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESEngine.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
 /**
  * an implementation of the AES (Rijndael), from FIPS-197.
  * 
    
- * For further details see: http://csrc.nist.gov/encryption/aes/.
+ * For further details see: https://csrc.nist.gov/encryption/aes/.
  *
  * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at
  * http://fp.gladman.plus.com/cryptography_technology/rijndael/
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java
index b6508626b..6d3072860 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESFastEngine.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
 /**
  * an implementation of the AES (Rijndael), from FIPS-197.
  * 
    
- * For further details see: http://csrc.nist.gov/encryption/aes/.
+ * For further details see: https://csrc.nist.gov/encryption/aes/.
  *
  * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at
  * http://fp.gladman.plus.com/cryptography_technology/rijndael/
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java
index 9e0f42d3e..dde33eee3 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESLightEngine.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
 /**
  * an implementation of the AES (Rijndael), from FIPS-197.
  * 
    
- * For further details see: http://csrc.nist.gov/encryption/aes/.
+ * For further details see: https://csrc.nist.gov/encryption/aes/.
  *
  * This implementation is based on optimizations from Dr. Brian Gladman's paper and C code at
  * http://fp.gladman.plus.com/cryptography_technology/rijndael/
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java
index 39690f8ed..4f4061c58 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/AESWrapEngine.java
@@ -4,7 +4,7 @@ package com.fr.third.org.bouncycastle.crypto.engines;
  * an implementation of the AES Key Wrapper from the NIST Key Wrap
  * Specification.
  * 
    
- * For further details see: http://csrc.nist.gov/encryption/kms/key-wrap.pdf.
+ * For further details see: https://csrc.nist.gov/encryption/kms/key-wrap.pdf.
  */
 public class AESWrapEngine
     extends RFC3394WrapEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java
index 567e2fa9f..44a7e190f 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ARIAWrapEngine.java
@@ -4,7 +4,7 @@ package com.fr.third.org.bouncycastle.crypto.engines;
  * an implementation of the ARIA Key Wrapper from the NIST Key Wrap
  * Specification.
  * 
    
- * For further details see: http://csrc.nist.gov/encryption/kms/key-wrap.pdf.
+ * For further details see: https://csrc.nist.gov/encryption/kms/key-wrap.pdf.
  */
 public class ARIAWrapEngine
     extends RFC3394WrapEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java
index 754481e9a..acea7fcbe 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/CamelliaWrapEngine.java
@@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.crypto.engines;
 /**
  * An implementation of the Camellia key wrapper based on RFC 3657/RFC 3394.
  * 
    
- * For further details see: http://www.ietf.org/rfc/rfc3657.txt.
+ * For further details see: https://www.ietf.org/rfc/rfc3657.txt.
  */
 public class CamelliaWrapEngine
     extends RFC3394WrapEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java
index 2b546aa0f..05d05c4d6 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/DESedeWrapEngine.java
@@ -305,7 +305,7 @@ public class DESedeWrapEngine
      * - Compute the 20 octet SHA-1 hash on the key being wrapped.
      * - Use the first 8 octets of this hash as the checksum value.
      *
-     * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum.
+     * For details see https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum.
      *
      * @param key the key to check,
      * @return the CMS checksum.
@@ -325,7 +325,7 @@ public class DESedeWrapEngine
     }
 
     /**
-     * For details see http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
+     * For details see https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
      *
      * @param key key to be validated.
      * @param checksum the checksum.
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java
index c06bbed71..fddbca2a4 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC128Engine.java
@@ -12,12 +12,12 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV;
  * generates keystream from a 128-bit secret key and a 128-bit initialization
  * vector.
  * 
    
- * http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf
+ * https://www.ecrypt.eu.org/stream/p3ciphers/hc/hc128_p3.pdf
  * 
    
  * It is a third phase candidate in the eStream contest, and is patent-free.
  * No attacks are known as of today (April 2007). See
  *
- * http://www.ecrypt.eu.org/stream/hcp3.html
+ * https://www.ecrypt.eu.org/stream/hcp3.html
  * 
    
  */
 public class HC128Engine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java
index 48d3a80bf..9abcf27f2 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/HC256Engine.java
@@ -12,13 +12,13 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV;
  * generates keystream from a 256-bit secret key and a 256-bit initialization 
  * vector.
  * 
    
- * http://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf
+ * https://www.ecrypt.eu.org/stream/p3ciphers/hc/hc256_p3.pdf
  * 
    
  * Its brother, HC-128, is a third phase candidate in the eStream contest.
  * The algorithm is patent-free. No attacks are known as of today (April 2007). 
  * See
  * 
- * http://www.ecrypt.eu.org/stream/hcp3.html
+ * https://www.ecrypt.eu.org/stream/hcp3.html
  * 
    
  */
 public class HC256Engine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java
index 9c196f07b..bae6b941f 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/ISAACEngine.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
 
 /**
  * Implementation of Bob Jenkin's ISAAC (Indirection Shift Accumulate Add and Count).
- * see: http://www.burtleburtle.net/bob/rand/isaacafa.html
+ * see: https://www.burtleburtle.net/bob/rand/isaacafa.html
 */
 public class ISAACEngine
     implements StreamCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java
index 660b08a77..3fbc05ad4 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/NaccacheSternEngine.java
@@ -2,7 +2,6 @@ package com.fr.third.org.bouncycastle.crypto.engines;
 
 import java.math.BigInteger;
 import java.util.Vector;
-import com.fr.third.org.bouncycastle.util.Arrays;
 
 import com.fr.third.org.bouncycastle.crypto.AsymmetricBlockCipher;
 import com.fr.third.org.bouncycastle.crypto.CipherParameters;
@@ -11,10 +10,11 @@ import com.fr.third.org.bouncycastle.crypto.InvalidCipherTextException;
 import com.fr.third.org.bouncycastle.crypto.params.NaccacheSternKeyParameters;
 import com.fr.third.org.bouncycastle.crypto.params.NaccacheSternPrivateKeyParameters;
 import com.fr.third.org.bouncycastle.crypto.params.ParametersWithRandom;
+import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
  * NaccacheStern Engine. For details on this cipher, please see
- * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
+ * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
  */
 public class NaccacheSternEngine
     implements AsymmetricBlockCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java
index 25fb2e9c3..2d056109a 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC2WrapEngine.java
@@ -351,7 +351,7 @@ public class RC2WrapEngine
      * - Compute the 20 octet SHA-1 hash on the key being wrapped.
      * - Use the first 8 octets of this hash as the checksum value.
      *
-     * For details see  http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
+     * For details see  https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
      */
     private byte[] calculateCMSKeyChecksum(
         byte[] key)
@@ -367,7 +367,7 @@ public class RC2WrapEngine
     }
 
     /*
-     * For details see  http://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
+     * For details see  https://www.w3.org/TR/xmlenc-core/#sec-CMSKeyChecksum
      */
     private boolean checkCMSKeyChecksum(
         byte[] key,
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java
index 8aa5cb1cd..7dd8f39b2 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC532Engine.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.crypto.params.RC5Parameters;
 /**
  * The specification for RC5 came from the RC5 Encryption Algorithm
  * publication in RSA CryptoBytes, Spring of 1995. 
- * http://www.rsasecurity.com/rsalabs/cryptobytes.
+ * https://www.rsasecurity.com/rsalabs/cryptobytes.
  * 
    
  * This implementation has a word size of 32 bits.
  * 
    
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java
index bdaa35f70..4acf712dd 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RC564Engine.java
@@ -7,7 +7,7 @@ import com.fr.third.org.bouncycastle.crypto.params.RC5Parameters;
 /**
  * The specification for RC5 came from the RC5 Encryption Algorithm
  * publication in RSA CryptoBytes, Spring of 1995. 
- * http://www.rsasecurity.com/rsalabs/cryptobytes.
+ * https://www.rsasecurity.com/rsalabs/cryptobytes.
  * 
    
  * This implementation is set to work with a 64 bit word size.
  * 
    
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java
index 724c41d29..63da5eeda 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/RFC3394WrapEngine.java
@@ -14,8 +14,8 @@ import com.fr.third.org.bouncycastle.util.Arrays;
  * an implementation of the AES Key Wrapper from the NIST Key Wrap
  * Specification as described in RFC 3394.
  * 
    
- * For further details see: http://www.ietf.org/rfc/rfc3394.txt
- * and  http://csrc.nist.gov/encryption/kms/key-wrap.pdf.
+ * For further details see: https://www.ietf.org/rfc/rfc3394.txt
+ * and  https://csrc.nist.gov/encryption/kms/key-wrap.pdf.
  */
 public class RFC3394WrapEngine
     implements Wrapper
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java
index 5f3de689d..69ddc9b9e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SEEDWrapEngine.java
@@ -3,7 +3,7 @@ package com.fr.third.org.bouncycastle.crypto.engines;
 /**
  * An implementation of the SEED key wrapper based on RFC 4010/RFC 3394.
  * 
    
- * For further details see: http://www.ietf.org/rfc/rfc4010.txt.
+ * For further details see: https://www.ietf.org/rfc/rfc4010.txt.
  */
 public class SEEDWrapEngine
     extends RFC3394WrapEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java
index e4431e340..1a0f88f40 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/SerpentEngine.java
@@ -10,7 +10,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
  * Serpent was designed by Ross Anderson, Eli Biham and Lars Knudsen as a
  * candidate algorithm for the NIST AES Quest.
  * 
    
- * For full details see The Serpent home page
+ * For full details see The Serpent home page
  */
 public final class SerpentEngine
     extends SerpentEngineBase
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java
index 1472b9135..96a5b6b5b 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/TnepresEngine.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.util.Pack;
  * with test vectors in the AES submission and the resulting confusion lead to the Tnepres cipher
  * as well, which is a byte swapped version of Serpent.
  * 
    
- * For full details see The Serpent home page
+ * For full details see The Serpent home page
  */
 public final class TnepresEngine
     extends SerpentEngineBase
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java
index a59b4b1ce..145f2635c 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc128Engine.java
@@ -4,7 +4,7 @@ import com.fr.third.org.bouncycastle.util.Memoable;
 
 /**
  * Zuc256 implementation.
- * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
+ * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
  */
 public final class Zuc128Engine
     extends Zuc128CoreEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java
index 21c932b87..e586ee17b 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256CoreEngine.java
@@ -4,7 +4,7 @@ import com.fr.third.org.bouncycastle.util.Memoable;
 
 /**
  * Zuc256 implementation.
- * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
+ * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
  */
 public class Zuc256CoreEngine
     extends Zuc128CoreEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java
index c48c4e7f8..3fb55031c 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/engines/Zuc256Engine.java
@@ -4,7 +4,7 @@ import com.fr.third.org.bouncycastle.util.Memoable;
 
 /**
  * Zuc256 implementation.
- * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
+ * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
  */
 public final class Zuc256Engine
     extends Zuc256CoreEngine
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java
index b41b61770..7f95d14e3 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/NaccacheSternKeyPairGenerator.java
@@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.util.BigIntegers;
 /**
  * Key generation parameters for NaccacheStern cipher. For details on this cipher, please see
  * 
- * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
+ * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
  */
 public class NaccacheSternKeyPairGenerator 
     implements AsymmetricCipherKeyPairGenerator 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java
index c2fd4afb8..6bd47f6ed 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS12ParametersGenerator.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV;
  * Generator for PBE derived keys and ivs as defined by PKCS 12 V1.0.
  * 
    
  * The document this implementation is based on can be found at
- * 
+ * 
  * RSA's PKCS12 Page
  */
 public class PKCS12ParametersGenerator
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java
index bedd0800e..5e326a589 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S1ParametersGenerator.java
@@ -12,7 +12,7 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV;
  * digest used to drive it.
  * 
    
  * The document this implementation is based on can be found at
- * 
+ * 
  * RSA's PKCS5 Page
  */
 public class PKCS5S1ParametersGenerator
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java
index fce1aec3d..1696d39ec 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/generators/PKCS5S2ParametersGenerator.java
@@ -14,7 +14,7 @@ import com.fr.third.org.bouncycastle.crypto.util.DigestFactory;
  * This generator uses a SHA-1 HMac as the calculation function.
  * 
    
  * The document this implementation is based on can be found at
- * 
+ * 
  * RSA's PKCS5 Page
  */
 public class PKCS5S2ParametersGenerator
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java
index df1698749..331590fe5 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc128Mac.java
@@ -6,7 +6,7 @@ import com.fr.third.org.bouncycastle.crypto.engines.Zuc128CoreEngine;
 
 /**
  * Zuc128 Mac implementation.
- * Based on http://www.qtc.jp/3GPP/Specs/eea3eia3specificationv16.pdf
+ * Based on https://www.qtc.jp/3GPP/Specs/eea3eia3specificationv16.pdf
  */
 public final class Zuc128Mac
     implements Mac
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java
index 114c8433d..f9f8e477a 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/macs/Zuc256Mac.java
@@ -6,7 +6,7 @@ import com.fr.third.org.bouncycastle.crypto.engines.Zuc256CoreEngine;
 
 /**
  * Zuc256 Mac implementation.
- * Based on http://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
+ * Based on https://www.is.cas.cn/ztzl2016/zouchongzhi/201801/W020180126529970733243.pdf
  */
 public final class Zuc256Mac
     implements Mac
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java
index d68bbcca3..6d817b9ec 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/EAXBlockCipher.java
@@ -15,7 +15,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
  * A Two-Pass Authenticated-Encryption Scheme Optimized for Simplicity and
  * Efficiency - by M. Bellare, P. Rogaway, D. Wagner.
  *
- * http://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf
+ * https://www.cs.ucdavis.edu/~rogaway/papers/eax.pdf
  *
  * EAX is an AEAD scheme based on CTR and OMAC1/CMAC, that uses a single block
  * cipher to encrypt and authenticate data. It's on-line (the length of a
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java
index df2201571..bd81ed00e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CBCBlockCipher.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
  * An implementation of the CBC mode for GOST 3412 2015 cipher.
- * See  GOST R 3413 2015
+ * See  GOST R 3413 2015
  */
 public class G3413CBCBlockCipher
     implements BlockCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java
index 0ce7bfbae..54c3e5364 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413CFBBlockCipher.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
  * An implementation of the CFB mode for GOST 3412 2015 cipher.
- * See  GOST R 3413 2015
+ * See  GOST R 3413 2015
  */
 public class G3413CFBBlockCipher
     extends StreamBlockCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java
index dabd6d21e..8323f5c9c 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/G3413OFBBlockCipher.java
@@ -9,7 +9,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
  * An implementation of the OFB mode for GOST 3412 2015 cipher.
- * See  GOST R 3413 2015
+ * See  GOST R 3413 2015
  */
 public class G3413OFBBlockCipher
     extends StreamBlockCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java
index fe09827d6..491ee3983 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OCBBlockCipher.java
@@ -13,10 +13,10 @@ import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV;
 import com.fr.third.org.bouncycastle.util.Arrays;
 
 /**
- * An implementation of RFC 7253 on The OCB
+ * An implementation of RFC 7253 on The OCB
  * Authenticated-Encryption Algorithm, licensed per:
  * 
    
- * 
     License for
+ * 
     License for
  * Open-Source Software Implementations of OCB (Jan 9, 2013) — “License 1” 
    
  * Under this license, you are authorized to make, use, and distribute open-source software
  * implementations of OCB. This license terminates for you if you sue someone over their open-source
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java
index 1d0c72d6e..bfad6dd44 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/OpenPGPCFBBlockCipher.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.crypto.OutputLengthException;
  * to the data stream already, and just accomodates the reset after
  * (blockSize + 2) bytes have been read.
  * 
    
- * For further info see RFC 2440.
+ * For further info see RFC 2440.
  */
 public class OpenPGPCFBBlockCipher
     implements BlockCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java
index 226113c7e..12d49e4f7 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/modes/PGPCFBBlockCipher.java
@@ -7,7 +7,7 @@ import com.fr.third.org.bouncycastle.crypto.OutputLengthException;
 import com.fr.third.org.bouncycastle.crypto.params.ParametersWithIV;
 
 /**
- * Implements OpenPGP's rather strange version of Cipher-FeedBack (CFB) mode on top of a simple cipher. For further info see RFC 2440.
+ * Implements OpenPGP's rather strange version of Cipher-FeedBack (CFB) mode on top of a simple cipher. For further info see RFC 2440.
  */
 public class PGPCFBBlockCipher
     implements BlockCipher
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java
index 7de7f6c28..288e09941 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/DESParameters.java
@@ -52,7 +52,7 @@ public class DESParameters
      * if the given DES key material is weak or semi-weak.
      * Key material that is too short is regarded as weak.
      * 
    
-     * See "Applied
+     * See "Applied
      * Cryptography" by Bruce Schneier for more information.
      *
      * @return true if the given DES key material is weak or semi-weak,
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java
index 5a03eadff..8d12d1951 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyGenerationParameters.java
@@ -8,7 +8,7 @@ import com.fr.third.org.bouncycastle.crypto.KeyGenerationParameters;
  * Parameters for NaccacheStern public private key generation. For details on
  * this cipher, please see
  * 
- * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
+ * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
  */
 public class NaccacheSternKeyGenerationParameters extends KeyGenerationParameters
 {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java
index a7baf3bf7..26d89e3cb 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternKeyParameters.java
@@ -6,7 +6,7 @@ import java.math.BigInteger;
  * Public key parameters for NaccacheStern cipher. For details on this cipher,
  * please see
  * 
- * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
+ * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
  */
 public class NaccacheSternKeyParameters extends AsymmetricKeyParameter
 {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java
index bd818bb72..ace41d97e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/crypto/params/NaccacheSternPrivateKeyParameters.java
@@ -7,7 +7,7 @@ import java.util.Vector;
  * Private key parameters for NaccacheStern cipher. For details on this cipher,
  * please see
  * 
- * http://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
+ * https://www.gemplus.com/smart/rd/publications/pdf/NS98pkcs.pdf
  */
 public class NaccacheSternPrivateKeyParameters extends NaccacheSternKeyParameters 
 {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java
index f40e0c6ca..fc8b186ba 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXCertRevocationChecker.java
@@ -7,7 +7,8 @@ public interface PKIXCertRevocationChecker
 {
     void setParameter(String name, Object value);
 
-    void initialize(PKIXCertRevocationCheckerParameters params);
+    void initialize(PKIXCertRevocationCheckerParameters params)
+        throws CertPathValidatorException;
 
     void check(Certificate cert)
         throws CertPathValidatorException;
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java
index a5c930f28..fc0ee6ff1 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/PKIXExtendedParameters.java
@@ -22,26 +22,22 @@ public class PKIXExtendedParameters
     implements CertPathParameters
 {
     /**
-     * This is the default PKIX validity model. Actually there are two variants
-     * of this: The PKIX model and the modified PKIX model. The PKIX model
-     * verifies that all involved certificates must have been valid at the
-     * current time. The modified PKIX model verifies that all involved
-     * certificates were valid at the signing time. Both are indirectly choosen
-     * with the {@link PKIXParameters#setDate(Date)} method, so this
-     * methods sets the Date when all certificates must have been
-     * valid.
+     * This is the default PKIX validity model. Actually there are two variants of this: The PKIX
+     * model and the modified PKIX model. The PKIX model verifies that all involved certificates
+     * must have been valid at the current time. The modified PKIX model verifies that all involved
+     * certificates were valid at the signing time. Both are indirectly chosen with the
+     * {@link PKIXParameters#setDate(Date)} method, so this methods sets the Date when all
+     * certificates must have been valid.
      */
     public static final int PKIX_VALIDITY_MODEL = 0;
 
     /**
-     * This model uses the following validity model. Each certificate must have
-     * been valid at the moment where is was used. That means the end
-     * certificate must have been valid at the time the signature was done. The
-     * CA certificate which signed the end certificate must have been valid,
-     * when the end certificate was signed. The CA (or Root CA) certificate must
-     * have been valid, when the CA certificate was signed and so on. So the
-     * {@link PKIXParameters#setDate(Date)} method sets the time, when
-     * the end certificate must have been valid. It is used e.g.
+     * This model uses the following validity model. Each certificate must have been valid at the
+     * moment when it was used. That means the end certificate must have been valid at the time the
+     * signature was done. The CA certificate which signed the end certificate must have been valid,
+     * when the end certificate was signed. The CA (or Root CA) certificate must have been valid
+     * when the CA certificate was signed, and so on. So the {@link PKIXParameters#setDate(Date)}
+     * method sets the time, when the end certificate must have been valid. It is used e.g.
      * in the German signature law.
      */
     public static final int CHAIN_VALIDITY_MODEL = 1;
@@ -52,6 +48,7 @@ public class PKIXExtendedParameters
     public static class Builder
     {
         private final PKIXParameters baseParameters;
+        private final Date validityDate;
         private final Date date;
 
         private PKIXCertStoreSelector targetConstraints;
@@ -72,8 +69,8 @@ public class PKIXExtendedParameters
             {
                 this.targetConstraints = new PKIXCertStoreSelector.Builder(constraints).build();
             }
-            Date checkDate = baseParameters.getDate();
-            this.date = (checkDate == null) ? new Date() : checkDate;
+            this.validityDate = baseParameters.getDate();
+            this.date = (validityDate == null) ? new Date() : validityDate;
             this.revocationEnabled = baseParameters.isRevocationEnabled();
             this.trustAnchors = baseParameters.getTrustAnchors();
         }
@@ -81,6 +78,7 @@ public class PKIXExtendedParameters
         public Builder(PKIXExtendedParameters baseParameters)
         {
             this.baseParameters = baseParameters.baseParameters;
+            this.validityDate = baseParameters.validityDate;
             this.date = baseParameters.date;
             this.targetConstraints = baseParameters.targetConstraints;
             this.extraCertStores = new ArrayList(baseParameters.extraCertStores);
@@ -196,6 +194,7 @@ public class PKIXExtendedParameters
 
     private final PKIXParameters baseParameters;
     private final PKIXCertStoreSelector targetConstraints;
+    private final Date validityDate;
     private final Date date;
     private final List extraCertStores;
     private final Map namedCertificateStoreMap;
@@ -209,6 +208,7 @@ public class PKIXExtendedParameters
     private PKIXExtendedParameters(Builder builder)
     {
         this.baseParameters = builder.baseParameters;
+        this.validityDate = builder.validityDate;
         this.date = builder.date;
         this.extraCertStores = Collections.unmodifiableList(builder.extraCertStores);
         this.namedCertificateStoreMap = Collections.unmodifiableMap(new HashMap(builder.namedCertificateStoreMap));
@@ -242,14 +242,25 @@ public class PKIXExtendedParameters
         return namedCRLStoreMap;
     }
 
+    /**
+     * Returns the time at which to check the validity of the certification path. If {@code null},
+     * the current time is used.
+     *
+     * @return the {@code Date}, or {@code null} if not set
+     */
+    public Date getValidityDate()
+    {
+        return null == validityDate ? null : new Date(validityDate.getTime());
+    }
+
+    /**
+     * @deprecated Use 'getValidityDate' instead (which can return null).
+     */
     public Date getDate()
     {
         return new Date(date.getTime());
     }
 
-
-
-
     /**
      * Defaults to false.
      *
@@ -260,8 +271,6 @@ public class PKIXExtendedParameters
         return useDeltas;
     }
 
-
-
     /**
      * @return Returns the validity model.
      * @see #CHAIN_VALIDITY_MODEL
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java
index 2d280c561..c07dae048 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/RSA.java
@@ -263,6 +263,9 @@ public class RSA
             provider.addAlgorithm("Alg.Alias.Signature." + digest + "WithRSA/PSS", digest + "WITHRSAANDMGF1");
             provider.addAlgorithm("Alg.Alias.Signature." + digest + "withRSAandMGF1", digest + "WITHRSAANDMGF1");
             provider.addAlgorithm("Alg.Alias.Signature." + digest + "WithRSAAndMGF1", digest + "WITHRSAANDMGF1");
+            provider.addAlgorithm("Alg.Alias.Signature." + digest + "withRSASSA-PSS", digest + "WITHRSAANDMGF1");
+            provider.addAlgorithm("Alg.Alias.Signature." + digest + "WithRSASSA-PSS", digest + "WITHRSAANDMGF1");
+            provider.addAlgorithm("Alg.Alias.Signature." + digest + "WITHRSASSA-PSS", digest + "WITHRSAANDMGF1");
             provider.addAlgorithm("Signature." + digest + "WITHRSAANDMGF1", className);
         }
 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java
index 2165280fe..910f92948 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/dsa/BCDSAPublicKey.java
@@ -51,7 +51,7 @@ public class BCDSAPublicKey
         DSAPublicKeyParameters params)
     {
         this.y = params.getY();
-        if (params != null)
+        if (params.getParameters() != null)
         {
             this.dsaSpec = new DSAParameterSpec(params.getParameters().getP(), params.getParameters().getQ(), params.getParameters().getG());
         }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java
index 6a9e58768..c27d30a6f 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jcajce/provider/asymmetric/x509/X509CRLImpl.java
@@ -48,6 +48,7 @@ import com.fr.third.org.bouncycastle.asn1.x509.Extensions;
 import com.fr.third.org.bouncycastle.asn1.x509.GeneralNames;
 import com.fr.third.org.bouncycastle.asn1.x509.IssuingDistributionPoint;
 import com.fr.third.org.bouncycastle.asn1.x509.TBSCertList;
+import com.fr.third.org.bouncycastle.asn1.x509.Time;
 import com.fr.third.org.bouncycastle.jcajce.CompositePublicKey;
 import com.fr.third.org.bouncycastle.jcajce.io.OutputStreamFactory;
 import com.fr.third.org.bouncycastle.jcajce.util.JcaJceHelper;
@@ -424,12 +425,9 @@ abstract class X509CRLImpl
 
     public Date getNextUpdate()
     {
-        if (c.getNextUpdate() != null)
-        {
-            return c.getNextUpdate().getDate();
-        }
+        Time nextUpdate = c.getNextUpdate();
 
-        return null;
+        return null == nextUpdate ? null : nextUpdate.getDate();
     }
 
     private Set loadCRLEntries()
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java
index f5ce5652c..db4b232d5 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BouncyCastleProvider.java
@@ -58,7 +58,7 @@ import com.fr.third.org.bouncycastle.pqc.jcajce.provider.xmss.XMSSMTKeyFactorySp
 public final class BouncyCastleProvider extends Provider
     implements ConfigurableProvider
 {
-    private static String info = "BouncyCastle Security Provider v1.67";
+    private static String info = "BouncyCastle Security Provider v1.68";
 
     public static final String PROVIDER_NAME = "BC";
 
@@ -144,7 +144,7 @@ public final class BouncyCastleProvider extends Provider
      */
     public BouncyCastleProvider()
     {
-        super(PROVIDER_NAME, 1.67, info);
+        super(PROVIDER_NAME, 1.68, info);
 
         AccessController.doPrivileged(new PrivilegedAction()
         {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java
index fdea094bb..46d9eada2 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/BrokenPBE.java
@@ -24,7 +24,7 @@ import com.fr.third.org.bouncycastle.jcajce.provider.symmetric.util.BCPBEKey;
  * use it (it won't be staying around).
  * 
    
  * The document this implementation is based on can be found at
- * 
+ * 
  * RSA's PKCS12 Page
  */
 class OldPKCS12ParametersGenerator
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java
index 051313a51..d84c660ef 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/CertPathValidatorUtilities.java
@@ -44,7 +44,6 @@ import javax.security.auth.x500.X500Principal;
 import com.fr.third.org.bouncycastle.asn1.ASN1Encodable;
 import com.fr.third.org.bouncycastle.asn1.ASN1Enumerated;
 import com.fr.third.org.bouncycastle.asn1.ASN1GeneralizedTime;
-import com.fr.third.org.bouncycastle.asn1.ASN1InputStream;
 import com.fr.third.org.bouncycastle.asn1.ASN1Integer;
 import com.fr.third.org.bouncycastle.asn1.ASN1ObjectIdentifier;
 import com.fr.third.org.bouncycastle.asn1.ASN1OctetString;
@@ -86,8 +85,6 @@ import com.fr.third.org.bouncycastle.x509.X509AttributeCertificate;
 
 class CertPathValidatorUtilities
 {
-    protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();
-
     protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId();
     protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId();
     protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId();
@@ -125,38 +122,34 @@ class CertPathValidatorUtilities
         "privilegeWithdrawn",
         "aACompromise"};
 
-    static Collection findTargets(PKIXExtendedBuilderParameters paramsPKIX)
-        throws CertPathBuilderException
+    static Collection findTargets(PKIXExtendedBuilderParameters paramsPKIX) throws CertPathBuilderException
     {
-        Collection targets;
-        PKIXCertStoreSelector certSelect = paramsPKIX.getBaseParameters().getTargetConstraints();
+        PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
+        PKIXCertStoreSelector certSelect = baseParams.getTargetConstraints();
+        LinkedHashSet targets = new LinkedHashSet();
 
         try
         {
-            targets = CertPathValidatorUtilities.findCertificates(certSelect, paramsPKIX.getBaseParameters().getCertificateStores());
-            targets.addAll(CertPathValidatorUtilities.findCertificates(certSelect, paramsPKIX.getBaseParameters().getCertStores()));
+            CertPathValidatorUtilities.findCertificates(targets, certSelect, baseParams.getCertificateStores());
+            CertPathValidatorUtilities.findCertificates(targets, certSelect, baseParams.getCertStores());
         }
         catch (AnnotatedException e)
         {
-            throw new ExtCertPathBuilderException(
-                "Error finding target certificate.", e);
+            throw new ExtCertPathBuilderException("Error finding target certificate.", e);
         }
 
-        if (targets.isEmpty())
+        if (!targets.isEmpty())
         {
-            Certificate target = certSelect.getCertificate();
+            return targets;
+        }
 
-            if (target != null)
-            {
-                targets = Collections.singleton(target);
-            }
-            else
-            {
-                throw new CertPathBuilderException(
-                    "No certificate found matching targetConstraints.");
-            }
+        Certificate target = certSelect.getCertificate();
+        if (null == target)
+        {
+            throw new CertPathBuilderException("No certificate found matching targetConstraints.");
         }
-        return targets;
+
+        return Collections.singleton(target);
     }
 
     /**
@@ -303,43 +296,35 @@ class CertPathValidatorUtilities
     {
         // if in the IssuerAltName extension an URI
         // is given, add an additional X.509 store
-        if (issuerAlternativeName != null)
+        if (issuerAlternativeName == null)
         {
-            GeneralNames issuerAltName = GeneralNames.getInstance(ASN1OctetString.getInstance(issuerAlternativeName).getOctets());
+            return Collections.EMPTY_LIST;
+        }
 
-            GeneralName[] names = issuerAltName.getNames();
-            List  stores = new ArrayList();
+        GeneralNames issuerAltName = GeneralNames.getInstance(ASN1OctetString.getInstance(issuerAlternativeName).getOctets());
 
-            for (int i = 0; i != names.length; i++)
-            {
-                GeneralName altName = names[i];
+        GeneralName[] names = issuerAltName.getNames();
+        List  stores = new ArrayList();
 
-                PKIXCertStore altStore = altNameCertStoreMap.get(altName);
+        for (int i = 0; i != names.length; i++)
+        {
+            GeneralName altName = names[i];
 
-                if (altStore != null)
-                {
-                    stores.add(altStore);
-                }
+            PKIXCertStore altStore = altNameCertStoreMap.get(altName);
+            if (altStore != null)
+            {
+                stores.add(altStore);
             }
-
-            return stores;
-        }
-        else
-        {
-            return Collections.EMPTY_LIST;
         }
+
+        return stores;
     }
 
-    protected static Date getValidDate(PKIXExtendedParameters paramsPKIX)
+    protected static Date getValidityDate(PKIXExtendedParameters paramsPKIX, Date currentDate)
     {
-        Date validDate = paramsPKIX.getDate();
-
-        if (validDate == null)
-        {
-            validDate = new Date();
-        }
+        Date validityDate = paramsPKIX.getValidityDate();
 
-        return validDate;
+        return null == validityDate ? currentDate : validityDate;
     }
 
     protected static boolean isSelfIssued(X509Certificate cert)
@@ -347,7 +332,6 @@ class CertPathValidatorUtilities
         return cert.getSubjectDN().equals(cert.getIssuerDN());
     }
 
-
     /**
      * Extract the value of the given extension, if it exists.
      *
@@ -355,29 +339,19 @@ class CertPathValidatorUtilities
      * @param oid The object identifier to obtain.
      * @throws AnnotatedException if the extension cannot be read.
      */
-    protected static ASN1Primitive getExtensionValue(
-        java.security.cert.X509Extension ext,
-        String oid)
+    protected static ASN1Primitive getExtensionValue(java.security.cert.X509Extension ext, String oid)
         throws AnnotatedException
     {
         byte[] bytes = ext.getExtensionValue(oid);
-        if (bytes == null)
-        {
-            return null;
-        }
 
-        return getObject(oid, bytes);
+        return null == bytes ? null : getObject(oid, bytes);
     }
 
-    private static ASN1Primitive getObject(
-        String oid,
-        byte[] ext)
-        throws AnnotatedException
+    private static ASN1Primitive getObject(String oid, byte[] ext) throws AnnotatedException
     {
         try
         {
-            ASN1InputStream aIn = new ASN1InputStream(ext);
-            ASN1OctetString octs = ASN1OctetString.getInstance(aIn.readObject());
+            ASN1OctetString octs = ASN1OctetString.getInstance(ext);
 
             return ASN1Primitive.fromByteArray(octs.getOctets());
         }
@@ -387,17 +361,11 @@ class CertPathValidatorUtilities
         }
     }
 
-    protected static AlgorithmIdentifier getAlgorithmIdentifier(
-        PublicKey key)
-        throws CertPathValidatorException
+    protected static AlgorithmIdentifier getAlgorithmIdentifier(PublicKey key) throws CertPathValidatorException
     {
         try
         {
-            ASN1InputStream aIn = new ASN1InputStream(key.getEncoded());
-
-            SubjectPublicKeyInfo info = SubjectPublicKeyInfo.getInstance(aIn.readObject());
-
-            return info.getAlgorithm();
+            return SubjectPublicKeyInfo.getInstance(key.getEncoded()).getAlgorithm();
         }
         catch (Exception e)
         {
@@ -691,27 +659,26 @@ class CertPathValidatorUtilities
     }
 
     /**
-     * Return a Collection of all certificates or attribute certificates found
-     * in the X509Store's that are matching the certSelect criteriums.
+     * Return a Collection of all certificates or attribute certificates found in the X509Store's
+     * that are matching the certSelect criteriums.
      *
-     * @param certSelect a {@link Selector} object that will be used to select
-     *                   the certificates
-     * @param certStores a List containing only {@link Store} objects. These
-     *                   are used to search for certificates.
-     * @return a Collection of all found {@link X509Certificate}
-     *         May be empty but never null.
+     * @param certs
+     *            a {@link LinkedHashSet} to which the certificates will be added.
+     * @param certSelect
+     *            a {@link Selector} object that will be used to select the certificates
+     * @param certStores
+     *            a List containing only {@link Store} objects. These are used to search for
+     *            certificates.
+     * @return a Collection of all found {@link X509Certificate} May be empty but never
+     *         null.
      */
-    protected static Collection findCertificates(PKIXCertStoreSelector certSelect,
-                                                 List certStores)
+    protected static void findCertificates(LinkedHashSet certs, PKIXCertStoreSelector certSelect, List certStores)
         throws AnnotatedException
     {
-        Set certs = new LinkedHashSet();
         Iterator iter = certStores.iterator();
-
         while (iter.hasNext())
         {
             Object obj = iter.next();
-
             if (obj instanceof Store)
             {
                 Store certStore = (Store)obj;
@@ -721,123 +688,111 @@ class CertPathValidatorUtilities
                 }
                 catch (StoreException e)
                 {
-                    throw new AnnotatedException(
-                            "Problem while picking certificates from X.509 store.", e);
+                    throw new AnnotatedException("Problem while picking certificates from X.509 store.", e);
                 }
             }
             else
             {
                 CertStore certStore = (CertStore)obj;
-
                 try
                 {
                     certs.addAll(PKIXCertStoreSelector.getCertificates(certSelect, certStore));
                 }
                 catch (CertStoreException e)
                 {
-                    throw new AnnotatedException(
-                        "Problem while picking certificates from certificate store.",
-                        e);
+                    throw new AnnotatedException("Problem while picking certificates from certificate store.", e);
                 }
             }
         }
-        return certs;
     }
 
     static List getAdditionalStoresFromCRLDistributionPoint(
         CRLDistPoint crldp, Map namedCRLStoreMap, Date validDate, JcaJceHelper helper)
         throws AnnotatedException
     {
-        if (crldp != null)
+        if (null == crldp)
         {
-            DistributionPoint dps[] = null;
+            return Collections.EMPTY_LIST;
+        }
+
+        DistributionPoint dps[];
+        try
+        {
+            dps = crldp.getDistributionPoints();
+        }
+        catch (Exception e)
+        {
+            throw new AnnotatedException("Distribution points could not be read.", e);
+        }
+
+        List stores = new ArrayList();
+
+        for (int i = 0; i < dps.length; i++)
+        {
+            DistributionPointName dpn = dps[i].getDistributionPoint();
+            // look for URIs in fullName
+            if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME)
+            {
+                GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
+
+                for (int j = 0; j < genNames.length; j++)
+                {
+                    PKIXCRLStore store = namedCRLStoreMap.get(genNames[j]);
+                    if (store != null)
+                    {
+                        stores.add(store);
+                    }
+                }
+            }
+        }
+
+        // if the named CRL store is empty, and we're told to check with CRLDP
+        if (stores.isEmpty() && Properties.isOverrideSet("com.fr.third.org.bouncycastle.x509.enableCRLDP"))
+        {
+            CertificateFactory certFact;
             try
             {
-                dps = crldp.getDistributionPoints();
+                certFact = helper.createCertificateFactory("X.509");
             }
             catch (Exception e)
             {
-                throw new AnnotatedException(
-                    "Distribution points could not be read.", e);
+                throw new AnnotatedException("cannot create certificate factory: " + e.getMessage(), e);
             }
-            List stores = new ArrayList();
 
             for (int i = 0; i < dps.length; i++)
             {
                 DistributionPointName dpn = dps[i].getDistributionPoint();
                 // look for URIs in fullName
-                if (dpn != null)
+                if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME)
                 {
-                    if (dpn.getType() == DistributionPointName.FULL_NAME)
-                    {
-                        GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
+                    GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
 
-                        for (int j = 0; j < genNames.length; j++)
-                        {
-                            PKIXCRLStore store = namedCRLStoreMap.get(genNames[j]);
-                            if (store != null)
-                            {
-                                stores.add(store);
-                            }
-                        }
-                    }
-                }
-            }
-    
-            // if the named CRL store is empty, and we're told to check with CRLDP
-            if (stores.isEmpty() && Properties.isOverrideSet("com.fr.third.org.bouncycastle.x509.enableCRLDP"))
-            {
-                CertificateFactory certFact = null;
-                try
-                {
-                    certFact = helper.createCertificateFactory("X.509");
-                }
-                catch (Exception e)
-                {
-                    throw new AnnotatedException("cannot create certificate factory: " + e.getMessage(), e);
-                }
-
-                for (int i = 0; i < dps.length; i++)
-                {
-                    DistributionPointName dpn = dps[i].getDistributionPoint();
-                    // look for URIs in fullName
-                    if (dpn != null)
+                    for (int j = 0; j < genNames.length; j++)
                     {
-                        if (dpn.getType() == DistributionPointName.FULL_NAME)
+                        GeneralName name = genNames[i];
+                        if (name.getTagNo() == GeneralName.uniformResourceIdentifier)
                         {
-                            GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
-
-                            for (int j = 0; j < genNames.length; j++)
+                            try
                             {
-                                GeneralName name = genNames[i];
-                                if (name.getTagNo() == GeneralName.uniformResourceIdentifier)
+                                URI distributionPoint = new URI(((ASN1String)name.getName()).getString());
+                                PKIXCRLStore store = CrlCache.getCrl(certFact, validDate, distributionPoint);
+                                if (store != null)
                                 {
-                                    try
-                                    {
-                                        PKIXCRLStore store = CrlCache.getCrl(certFact, validDate, new URI(((ASN1String)name.getName()).getString()));
-                                        if (store != null)
-                                        {
-                                            stores.add(store);
-                                        }
-                                        break;
-                                    }
-                                    catch (Exception e)
-                                    {
-                                        // ignore...  TODO: maybe log
-                                    }
+                                    stores.add(store);
                                 }
+                                break;
+                            }
+                            catch (Exception e)
+                            {
+                                // ignore...  TODO: maybe log
                             }
                         }
                     }
                 }
             }
-
-            return stores;
-        }
-        else
-        {
-            return Collections.EMPTY_LIST;
         }
+
+        return stores;
     }
 
     /**
@@ -874,14 +829,12 @@ class CertPathValidatorUtilities
                 {
                     try
                     {
-                        issuers.add(X500Name.getInstance(genNames[j].getName()
-                            .toASN1Primitive().getEncoded()));
+                        issuers.add(X500Name.getInstance(genNames[j].getName().toASN1Primitive().getEncoded()));
                     }
                     catch (IOException e)
                     {
                         throw new AnnotatedException(
-                            "CRL issuer information from distribution point cannot be decoded.",
-                            e);
+                            "CRL issuer information from distribution point cannot be decoded.", e);
                     }
                 }
             }
@@ -962,8 +915,7 @@ class CertPathValidatorUtilities
         }
     }
 
-    private static BigInteger getSerialNumber(
-        Object cert)
+    private static BigInteger getSerialNumber(Object cert)
     {
         return ((X509Certificate)cert).getSerialNumber();
     }
@@ -975,8 +927,6 @@ class CertPathValidatorUtilities
         CertStatus certStatus)
         throws AnnotatedException
     {
-        X509CRLEntry crl_entry = null;
-
         boolean isIndirect;
         try
         {
@@ -987,6 +937,7 @@ class CertPathValidatorUtilities
             throw new AnnotatedException("Failed check for indirect CRL.", exception);
         }
 
+        X509CRLEntry crl_entry;
         if (isIndirect)
         {
             crl_entry = crl.getRevokedCertificate(getSerialNumber(cert));
@@ -1032,22 +983,17 @@ class CertPathValidatorUtilities
         {
             if (crl_entry.hasUnsupportedCriticalExtension())
             {
-                throw new AnnotatedException(
-                      "CRL entry has unsupported critical extensions.");
+                throw new AnnotatedException("CRL entry has unsupported critical extensions.");
             }
 
             try
             {
                 reasonCode = ASN1Enumerated
-                    .getInstance(CertPathValidatorUtilities
-                        .getExtensionValue(crl_entry,
-                            Extension.reasonCode.getId()));
+                    .getInstance(CertPathValidatorUtilities.getExtensionValue(crl_entry, Extension.reasonCode.getId()));
             }
             catch (Exception e)
             {
-                throw new AnnotatedException(
-                    "Reason code CRL entry extension could not be decoded.",
-                    e);
+                throw new AnnotatedException("Reason code CRL entry extension could not be decoded.", e);
             }
         }
 
@@ -1111,16 +1057,14 @@ class CertPathValidatorUtilities
         }
 
         // 5.2.4 (b)
-        byte[] idp = null;
+        byte[] idp;
         try
         {
             idp = completeCRL.getExtensionValue(ISSUING_DISTRIBUTION_POINT);
         }
         catch (Exception e)
         {
-            throw new AnnotatedException(
-                "Issuing distribution point extension value could not be read.",
-                e);
+            throw new AnnotatedException("Issuing distribution point extension value could not be read.", e);
         }
 
         // 5.2.4 (d)
@@ -1138,12 +1082,12 @@ class CertPathValidatorUtilities
         PKIXCRLStoreSelector deltaSelect = selBuilder.build();
 
         // find delta CRLs
-        Set temp = CRL_UTIL.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores);
+        Set temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, certStores, pkixCrlStores);
 
         // if the named CRL store is empty, and we're told to check with CRLDP
         if (temp.isEmpty() && Properties.isOverrideSet("com.fr.third.org.bouncycastle.x509.enableCRLDP"))
         {
-            CertificateFactory certFact = null;
+            CertificateFactory certFact;
             try
             {
                 certFact = helper.createCertificateFactory("X.509");
@@ -1159,30 +1103,29 @@ class CertPathValidatorUtilities
             {
                 DistributionPointName dpn = dps[i].getDistributionPoint();
                 // look for URIs in fullName
-                if (dpn != null)
+                if (dpn != null && dpn.getType() == DistributionPointName.FULL_NAME)
                 {
-                    if (dpn.getType() == DistributionPointName.FULL_NAME)
-                    {
-                        GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
+                    GeneralName[] genNames = GeneralNames.getInstance(dpn.getName()).getNames();
 
-                        for (int j = 0; j < genNames.length; j++)
+                    for (int j = 0; j < genNames.length; j++)
+                    {
+                        GeneralName name = genNames[i];
+                        if (name.getTagNo() == GeneralName.uniformResourceIdentifier)
                         {
-                            GeneralName name = genNames[i];
-                            if (name.getTagNo() == GeneralName.uniformResourceIdentifier)
+                            try
                             {
-                                try
-                                {
-                                    PKIXCRLStore store = CrlCache.getCrl(certFact, validityDate, new URI(((ASN1String)name.getName()).getString()));
-                                    if (store != null)
-                                    {
-                                        temp = CRL_UTIL.findCRLs(deltaSelect, validityDate, Collections.emptyList(), Collections.singletonList(store));
-                                    }
-                                    break;
-                                }
-                                catch (Exception e)
+                                PKIXCRLStore store = CrlCache.getCrl(certFact, validityDate,
+                                    new URI(((ASN1String)name.getName()).getString()));
+                                if (store != null)
                                 {
-                                    // ignore...  TODO: maybe log
+                                    temp = PKIXCRLUtil.findCRLs(deltaSelect, validityDate, Collections.EMPTY_LIST,
+                                        Collections.singletonList(store));
                                 }
+                                break;
+                            }
+                            catch (Exception e)
+                            {
+                                // ignore...  TODO: maybe log
                             }
                         }
                     }
@@ -1231,7 +1174,7 @@ class CertPathValidatorUtilities
      * or no CRLs are found.
      */
     protected static Set getCompleteCRLs(PKIXCertRevocationCheckerParameters params, DistributionPoint dp, Object cert,
-                                         Date currentDate, PKIXExtendedParameters paramsPKIX)
+        PKIXExtendedParameters paramsPKIX, Date validityDate)
         throws AnnotatedException, RecoverableCertPathValidatorException
     {
         X509CRLSelector baseCrlSelect = new X509CRLSelector();
@@ -1239,15 +1182,13 @@ class CertPathValidatorUtilities
         try
         {
             Set issuers = new HashSet();
-
             issuers.add(PrincipalUtils.getEncodedIssuerPrincipal(cert));
 
             CertPathValidatorUtilities.getCRLIssuersFromDistributionPoint(dp, issuers, baseCrlSelect);
         }
         catch (AnnotatedException e)
         {
-            throw new AnnotatedException(
-                "Could not get issuer information from distribution point.", e);
+            throw new AnnotatedException("Could not get issuer information from distribution point.", e);
         }
 
         if (cert instanceof X509Certificate)
@@ -1255,84 +1196,62 @@ class CertPathValidatorUtilities
             baseCrlSelect.setCertificateChecking((X509Certificate)cert);
         }
 
-        PKIXCRLStoreSelector crlSelect = new PKIXCRLStoreSelector.Builder(baseCrlSelect).setCompleteCRLEnabled(true).build();
+        PKIXCRLStoreSelector crlSelect = new PKIXCRLStoreSelector.Builder(baseCrlSelect).setCompleteCRLEnabled(true)
+            .build();
 
-        Date validityDate = currentDate;
-
-        if (paramsPKIX.getDate() != null)
-        {
-            validityDate = paramsPKIX.getDate();
-        }
-
-        Set crls = CRL_UTIL.findCRLs(crlSelect, validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores());
+        Set crls = PKIXCRLUtil.findCRLs(crlSelect, validityDate, paramsPKIX.getCertStores(), paramsPKIX.getCRLStores());
 
         checkCRLsNotEmpty(params, crls, cert);
 
         return crls;
     }
 
-    protected static Date getValidCertDateFromValidityModel(
-        PKIXExtendedParameters paramsPKIX, CertPath certPath, int index)
-        throws AnnotatedException
+    protected static Date getValidCertDateFromValidityModel(Date validityDate, int validityModel, CertPath certPath,
+        int index) throws AnnotatedException
     {
-        if (paramsPKIX.getValidityModel() == PKIXExtendedParameters.CHAIN_VALIDITY_MODEL)
+        if (PKIXExtendedParameters.CHAIN_VALIDITY_MODEL != validityModel || index <= 0)
         {
-            // if end cert use given signing/encryption/... time
-            if (index <= 0)
+            // use given signing/encryption/... time (or current date)
+            return validityDate;
+        }
+
+        X509Certificate issuedCert = (X509Certificate)certPath.getCertificates().get(index - 1);
+
+        if (index - 1 == 0)
+        {
+            // use time when cert was issued, if available
+            ASN1GeneralizedTime dateOfCertgen = null;
+            try
+            {
+                byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1))
+                    .getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
+                if (extBytes != null)
+                {
+                    dateOfCertgen = ASN1GeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes));
+                }
+            }
+            catch (IOException e)
             {
-                return CertPathValidatorUtilities.getValidDate(paramsPKIX);
-                // else use time when previous cert was created
+                throw new AnnotatedException("Date of cert gen extension could not be read.");
             }
-            else
+            catch (IllegalArgumentException e)
+            {
+                throw new AnnotatedException("Date of cert gen extension could not be read.");
+            }
+            if (dateOfCertgen != null)
             {
-                if (index - 1 == 0)
+                try
                 {
-                    ASN1GeneralizedTime dateOfCertgen = null;
-                    try
-                    {
-                        byte[] extBytes = ((X509Certificate)certPath.getCertificates().get(index - 1)).getExtensionValue(ISISMTTObjectIdentifiers.id_isismtt_at_dateOfCertGen.getId());
-                        if (extBytes != null)
-                        {
-                            dateOfCertgen = ASN1GeneralizedTime.getInstance(ASN1Primitive.fromByteArray(extBytes));
-                        }
-                    }
-                    catch (IOException e)
-                    {
-                        throw new AnnotatedException(
-                            "Date of cert gen extension could not be read.");
-                    }
-                    catch (IllegalArgumentException e)
-                    {
-                        throw new AnnotatedException(
-                            "Date of cert gen extension could not be read.");
-                    }
-                    if (dateOfCertgen != null)
-                    {
-                        try
-                        {
-                            return dateOfCertgen.getDate();
-                        }
-                        catch (ParseException e)
-                        {
-                            throw new AnnotatedException(
-                                "Date from date of cert gen extension could not be parsed.",
-                                e);
-                        }
-                    }
-                    return ((X509Certificate)certPath.getCertificates().get(
-                        index - 1)).getNotBefore();
+                    return dateOfCertgen.getDate();
                 }
-                else
+                catch (ParseException e)
                 {
-                    return ((X509Certificate)certPath.getCertificates().get(
-                        index - 1)).getNotBefore();
+                    throw new AnnotatedException("Date from date of cert gen extension could not be parsed.", e);
                 }
             }
         }
-        else
-        {
-            return getValidDate(paramsPKIX);
-        }
+
+        return issuedCert.getNotBefore();
     }
 
     /**
@@ -1445,37 +1364,24 @@ class CertPathValidatorUtilities
         }
 
         PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
-        Set certs = new LinkedHashSet();
-
-        Iterator iter;
+        LinkedHashSet certs = new LinkedHashSet();
 
         try
         {
-            List matches = new ArrayList();
-
-            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, certStores));
-            matches.addAll(CertPathValidatorUtilities.findCertificates(certSelect, pkixCertStores));
-
-            iter = matches.iterator();
+            CertPathValidatorUtilities.findCertificates(certs, certSelect, certStores);
+            CertPathValidatorUtilities.findCertificates(certs, certSelect, pkixCertStores);
         }
         catch (AnnotatedException e)
         {
             throw new AnnotatedException("Issuer certificate cannot be searched.", e);
         }
 
-        X509Certificate issuer = null;
-        while (iter.hasNext())
-        {
-            issuer = (X509Certificate)iter.next();
-            // issuer cannot be verified because possible DSA inheritance
-            // parameters are missing
-            certs.add(issuer);
-        }
+        // issuers cannot be verified because possible DSA inheritance parameters are missing
+
         return certs;
     }
 
-    protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey,
-                                                String sigProvider)
+    protected static void verifyX509Certificate(X509Certificate cert, PublicKey publicKey, String sigProvider)
         throws GeneralSecurityException
     {
         if (sigProvider == null)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
index 8a55189c7..7c7100cba 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathBuilderSpi.java
@@ -1,6 +1,5 @@
 package com.fr.third.org.bouncycastle.jce.provider;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.Principal;
@@ -10,10 +9,6 @@ import java.security.cert.CertPathBuilderResult;
 import java.security.cert.CertPathBuilderSpi;
 import java.security.cert.CertPathParameters;
 import java.security.cert.CertPathValidator;
-import java.security.cert.CertStore;
-import java.security.cert.CertStoreException;
-import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.CertificateParsingException;
 import java.security.cert.PKIXBuilderParameters;
@@ -24,6 +19,7 @@ import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
 
@@ -32,8 +28,8 @@ import javax.security.auth.x500.X500Principal;
 import com.fr.third.org.bouncycastle.asn1.x509.Extension;
 import com.fr.third.org.bouncycastle.jcajce.PKIXCertStoreSelector;
 import com.fr.third.org.bouncycastle.jcajce.PKIXExtendedBuilderParameters;
+import com.fr.third.org.bouncycastle.jcajce.PKIXExtendedParameters;
 import com.fr.third.org.bouncycastle.jce.exception.ExtCertPathBuilderException;
-import com.fr.third.org.bouncycastle.util.Encodable;
 import com.fr.third.org.bouncycastle.util.Selector;
 import com.fr.third.org.bouncycastle.util.Store;
 import com.fr.third.org.bouncycastle.util.StoreException;
@@ -42,7 +38,6 @@ import com.fr.third.org.bouncycastle.x509.ExtendedPKIXParameters;
 import com.fr.third.org.bouncycastle.x509.X509AttributeCertStoreSelector;
 import com.fr.third.org.bouncycastle.x509.X509AttributeCertificate;
 import com.fr.third.org.bouncycastle.x509.X509CertStoreSelector;
-import com.fr.third.org.bouncycastle.x509.X509Store;
 
 public class PKIXAttrCertPathBuilderSpi
     extends CertPathBuilderSpi
@@ -98,7 +93,8 @@ public class PKIXAttrCertPathBuilderSpi
 
         // search target certificates
 
-        Selector certSelect = paramsPKIX.getBaseParameters().getTargetConstraints();
+        PKIXExtendedParameters baseParams = paramsPKIX.getBaseParameters();
+        Selector certSelect = baseParams.getTargetConstraints();
         if (!(certSelect instanceof X509AttributeCertStoreSelector))
         {
             throw new CertPathBuilderException(
@@ -133,7 +129,7 @@ public class PKIXAttrCertPathBuilderSpi
             
             X509CertStoreSelector selector = new X509CertStoreSelector();
             Principal[] principals = cert.getIssuer().getPrincipals();
-            Set issuers = new HashSet();
+            LinkedHashSet issuers = new LinkedHashSet();
             for (int i = 0; i < principals.length; i++)
             {
                 try
@@ -143,8 +139,8 @@ public class PKIXAttrCertPathBuilderSpi
                         selector.setSubject(((X500Principal)principals[i]).getEncoded());
                     }
                     PKIXCertStoreSelector certStoreSelector = new PKIXCertStoreSelector.Builder(selector).build();
-                    issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertStores()));
-                    issuers.addAll(CertPathValidatorUtilities.findCertificates(certStoreSelector, paramsPKIX.getBaseParameters().getCertificateStores()));
+                    CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertStores());
+                    CertPathValidatorUtilities.findCertificates(issuers, certStoreSelector, baseParams.getCertificateStores());
                 }
                 catch (AnnotatedException e)
                 {
@@ -236,82 +232,78 @@ public class PKIXAttrCertPathBuilderSpi
         try
         {
             // check whether the issuer of  is a TrustAnchor
-            if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, pkixParams.getBaseParameters().getTrustAnchors(),
-                pkixParams.getBaseParameters().getSigProvider()))
+            PKIXExtendedParameters baseParams = pkixParams.getBaseParameters();
+            if (CertPathValidatorUtilities.isIssuerTrustAnchor(tbvCert, baseParams.getTrustAnchors(),
+                baseParams.getSigProvider()))
             {
                 CertPath certPath;
-                PKIXCertPathValidatorResult result;
                 try
                 {
                     certPath = cFact.generateCertPath(tbvPath);
                 }
                 catch (Exception e)
                 {
-                    throw new AnnotatedException(
-                                            "Certification path could not be constructed from certificate list.",
-                                            e);
+                    throw new AnnotatedException("Certification path could not be constructed from certificate list.",
+                        e);
                 }
 
+                PKIXCertPathValidatorResult result;
                 try
                 {
-                    result = (PKIXCertPathValidatorResult) validator.validate(
-                            certPath, pkixParams);
+                    result = (PKIXCertPathValidatorResult)validator.validate(certPath, pkixParams);
                 }
                 catch (Exception e)
                 {
-                    throw new AnnotatedException(
-                                            "Certification path could not be validated.",
-                                            e);
+                    throw new AnnotatedException("Certification path could not be validated.", e);
                 }
 
-                return new PKIXCertPathBuilderResult(certPath, result
-                        .getTrustAnchor(), result.getPolicyTree(), result
-                        .getPublicKey());
+                return new PKIXCertPathBuilderResult(certPath, result.getTrustAnchor(), result.getPolicyTree(),
+                    result.getPublicKey());
 
             }
             else
             {
                 List stores = new ArrayList();
+                stores.addAll(baseParams.getCertificateStores());
 
-                stores.addAll(pkixParams.getBaseParameters().getCertificateStores());
                 // add additional X.509 stores from locations in certificate
                 try
                 {
-                    stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()), pkixParams.getBaseParameters().getNamedCertificateStoreMap()));
+                    stores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromAltNames(
+                        tbvCert.getExtensionValue(Extension.issuerAlternativeName.getId()),
+                        baseParams.getNamedCertificateStoreMap()));
                 }
                 catch (CertificateParsingException e)
                 {
-                    throw new AnnotatedException(
-                                            "No additional X.509 stores can be added from certificate locations.",
-                                            e);
+                    throw new AnnotatedException("No additional X.509 stores can be added from certificate locations.",
+                        e);
                 }
+
                 Collection issuers = new HashSet();
                 // try to get the issuer certificate from one
                 // of the stores
                 try
                 {
-                    issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, pkixParams.getBaseParameters().getCertStores(), stores));
+                    issuers.addAll(CertPathValidatorUtilities.findIssuerCerts(tbvCert, baseParams.getCertStores(), stores));
                 }
                 catch (AnnotatedException e)
                 {
                     throw new AnnotatedException(
-                                            "Cannot find issuer certificate for certificate in certification path.",
-                                            e);
+                        "Cannot find issuer certificate for certificate in certification path.", e);
                 }
                 if (issuers.isEmpty())
                 {
                     throw new AnnotatedException(
                             "No issuer certificate for certificate in certification path found.");
                 }
-                Iterator it = issuers.iterator();
 
+                Iterator it = issuers.iterator();
                 while (it.hasNext() && builderResult == null)
                 {
                     X509Certificate issuer = (X509Certificate) it.next();
                     // TODO Use CertPathValidatorUtilities.isSelfIssued(issuer)?
                     // if untrusted self signed certificate continue
-                    if (issuer.getIssuerX500Principal().equals(
-                            issuer.getSubjectX500Principal()))
+                    if (issuer.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                     {
                         continue;
                     }
@@ -321,8 +313,7 @@ public class PKIXAttrCertPathBuilderSpi
         }
         catch (AnnotatedException e)
         {
-            certPathException = new AnnotatedException(
-                            "No valid certification path could be build.", e);
+            certPathException = new AnnotatedException("No valid certification path could be build.", e);
         }
         if (builderResult == null)
         {
@@ -331,17 +322,15 @@ public class PKIXAttrCertPathBuilderSpi
         return builderResult;
     }
 
-    protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect,
-                                                     List certStores)
+    protected static Collection findCertificates(X509AttributeCertStoreSelector certSelect, List certStores)
         throws AnnotatedException
     {
         Set certs = new HashSet();
-        Iterator iter = certStores.iterator();
 
+        Iterator iter = certStores.iterator();
         while (iter.hasNext())
         {
             Object obj = iter.next();
-
             if (obj instanceof Store)
             {
                 Store certStore = (Store)obj;
@@ -351,11 +340,11 @@ public class PKIXAttrCertPathBuilderSpi
                 }
                 catch (StoreException e)
                 {
-                    throw new AnnotatedException(
-                            "Problem while picking certificates from X.509 store.", e);
+                    throw new AnnotatedException("Problem while picking certificates from X.509 store.", e);
                 }
             }
         }
+
         return certs;
     }
 }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java
index 57dda533e..bc067eb78 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXAttrCertPathValidatorSpi.java
@@ -97,6 +97,9 @@ public class PKIXAttrCertPathValidatorSpi
             paramsPKIX = (PKIXExtendedParameters)params;
         }
 
+        final Date currentDate = new Date();
+        final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
+
         Selector certSelect = paramsPKIX.getTargetConstraints();
         if (!(certSelect instanceof X509AttributeCertStoreSelector))
         {
@@ -115,21 +118,13 @@ public class PKIXAttrCertPathValidatorSpi
             .getCertificates().get(0);
         RFC3281CertPathUtilities.processAttrCert3(issuerCert, paramsPKIX);
         RFC3281CertPathUtilities.processAttrCert4(issuerCert, trustedACIssuers);
-        RFC3281CertPathUtilities.processAttrCert5(attrCert, paramsPKIX);
+        RFC3281CertPathUtilities.processAttrCert5(attrCert, validityDate);
         // 6 already done in X509AttributeCertStoreSelector
         RFC3281CertPathUtilities.processAttrCert7(attrCert, certPath, holderCertPath, paramsPKIX, attrCertCheckers);
         RFC3281CertPathUtilities.additionalChecks(attrCert, prohibitedACAttrbiutes, necessaryACAttributes);
-        Date date = null;
-        try
-        {
-            date = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, null, -1);
-        }
-        catch (AnnotatedException e)
-        {
-            throw new ExtCertPathValidatorException(
-                "Could not get validity date from attribute certificate.", e);
-        }
-        RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, issuerCert, date, certPath.getCertificates(), helper);
+
+        RFC3281CertPathUtilities.checkCRLs(attrCert, paramsPKIX, currentDate, validityDate, issuerCert,
+            certPath.getCertificates(), helper);
         return result;
     }
 }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java
index a49fd9c70..90c1df868 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCRLUtil.java
@@ -16,18 +16,18 @@ import com.fr.third.org.bouncycastle.jcajce.PKIXCRLStoreSelector;
 import com.fr.third.org.bouncycastle.util.Store;
 import com.fr.third.org.bouncycastle.util.StoreException;
 
-class PKIXCRLUtil
+abstract class PKIXCRLUtil
 {
-    public Set findCRLs(PKIXCRLStoreSelector crlselect, Date validityDate, List certStores, List pkixCrlStores)
+    static Set findCRLs(PKIXCRLStoreSelector crlselect, Date validityDate, List certStores, List pkixCrlStores)
         throws AnnotatedException
     {
-        Set initialSet = new HashSet();
+        HashSet initialSet = new HashSet();
 
         // get complete CRL(s)
         try
         {
-            initialSet.addAll(findCRLs(crlselect, pkixCrlStores));
-            initialSet.addAll(findCRLs(crlselect, certStores));
+            findCRLs(initialSet, crlselect, pkixCrlStores);
+            findCRLs(initialSet, crlselect, certStores);
         }
         catch (AnnotatedException e)
         {
@@ -45,14 +45,7 @@ class PKIXCRLUtil
             {
                 X509Certificate cert = crlselect.getCertificateChecking();
 
-                if (cert != null)
-                {
-                    if (crl.getThisUpdate().before(cert.getNotAfter()))
-                    {
-                        finalSet.add(crl);
-                    }
-                }
-                else
+                if (null == cert || crl.getThisUpdate().before(cert.getNotAfter()))
                 {
                     finalSet.add(crl);
                 }
@@ -63,31 +56,26 @@ class PKIXCRLUtil
     }
 
     /**
-     * Return a Collection of all CRLs found in the X509Store's that are
-     * matching the crlSelect criteriums.
-     *
-     * @param crlSelect a {@link com.fr.third.org.bouncycastle.jcajce.PKIXCRLStoreSelector} object that will be used
-     *            to select the CRLs
-     * @param crlStores a List containing only
-     *            {@link Store} objects.
-     *            These are used to search for CRLs
+     * Add to a HashSet any and all CRLs found in the X509Store's that are matching the crlSelect
+     * critera.
      *
-     * @return a Collection of all found {@link java.security.cert.X509CRL X509CRL} objects. May be
-     *         empty but never null.
+     * @param crls
+     *            the {@link HashSet} to add the CRLs to.
+     * @param crlSelect
+     *            a {@link com.fr.third.org.bouncycastle.jcajce.PKIXCRLStoreSelector} object that will be used to
+     *            select the CRLs
+     * @param crlStores
+     *            a List containing only {@link Store} objects. These are used to search for CRLs
      */
-    private final Collection findCRLs(PKIXCRLStoreSelector crlSelect,
-        List crlStores) throws AnnotatedException
+    private static void findCRLs(HashSet crls, PKIXCRLStoreSelector crlSelect, List crlStores) throws AnnotatedException
     {
-        Set crls = new HashSet();
-        Iterator iter = crlStores.iterator();
-
         AnnotatedException lastException = null;
         boolean foundValidStore = false;
 
+        Iterator iter = crlStores.iterator();
         while (iter.hasNext())
         {
             Object obj = iter.next();
-
             if (obj instanceof Store)
             {
                 Store store = (Store)obj;
@@ -99,8 +87,7 @@ class PKIXCRLUtil
                 }
                 catch (StoreException e)
                 {
-                    lastException = new AnnotatedException(
-                        "Exception searching in X.509 CRL store.", e);
+                    lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e);
                 }
             }
             else
@@ -114,16 +101,14 @@ class PKIXCRLUtil
                 }
                 catch (CertStoreException e)
                 {
-                    lastException = new AnnotatedException(
-                        "Exception searching in X.509 CRL store.", e);
+                    lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e);
                 }
             }
         }
+
         if (!foundValidStore && lastException != null)
         {
             throw lastException;
         }
-        return crls;
     }
-
 }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
index 528ee55db..ca0086aee 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
@@ -14,6 +14,7 @@ import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -111,7 +112,8 @@ public class PKIXCertPathValidatorSpi
         //
         // (b)
         //
-        // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX);
+        final Date currentDate = new Date();
+        final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
 
         //
         // (c)
@@ -330,8 +332,8 @@ public class PKIXCertPathValidatorSpi
             // 6.1.3
             //
 
-            RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, revocationChecker, index, workingPublicKey,
-                verificationAlreadyPerformed, workingIssuerName, sign);
+            RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, validityDate, revocationChecker, index,
+                workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign);
 
             RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator, isForCRLCheck);
 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java
index cc131978e..1345d0ecc 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi_8.java
@@ -15,6 +15,7 @@ import java.security.cert.PKIXRevocationChecker;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
+import java.util.Date;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -118,7 +119,8 @@ public class PKIXCertPathValidatorSpi_8
         //
         // (b)
         //
-        // Date validDate = CertPathValidatorUtilities.getValidDate(paramsPKIX);
+        final Date currentDate = new Date();
+        final Date validityDate = CertPathValidatorUtilities.getValidityDate(paramsPKIX, currentDate);
 
         //
         // (c)
@@ -348,8 +350,8 @@ public class PKIXCertPathValidatorSpi_8
             // 6.1.3
             //
 
-            RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, revocationChecker, index, workingPublicKey,
-                verificationAlreadyPerformed, workingIssuerName, sign);
+            RFC3280CertPathUtilities.processCertA(certPath, paramsPKIX, validityDate, revocationChecker, index,
+                workingPublicKey, verificationAlreadyPerformed, workingIssuerName, sign);
 
             RFC3280CertPathUtilities.processCertBC(certPath, index, nameConstraintValidator, isForCRLCheck);
 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java
index bb4660cd2..69e867796 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvCrlRevocationChecker.java
@@ -3,6 +3,7 @@ package com.fr.third.org.bouncycastle.jce.provider;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.Date;
 
 import com.fr.third.org.bouncycastle.jcajce.PKIXCertRevocationChecker;
 import com.fr.third.org.bouncycastle.jcajce.PKIXCertRevocationCheckerParameters;
@@ -12,7 +13,9 @@ class ProvCrlRevocationChecker
     implements PKIXCertRevocationChecker
 {
     private final JcaJceHelper helper;
+
     private PKIXCertRevocationCheckerParameters params;
+    private Date currentDate = null;
 
     public ProvCrlRevocationChecker(JcaJceHelper helper)
     {
@@ -27,6 +30,7 @@ class ProvCrlRevocationChecker
     public void initialize(PKIXCertRevocationCheckerParameters params)
     {
         this.params = params;
+        this.currentDate = new Date();
     }
 
     public void init(boolean forForward)
@@ -36,6 +40,9 @@ class ProvCrlRevocationChecker
         {
             throw new CertPathValidatorException("forward checking not supported");
         }
+
+        this.params = null;
+        this.currentDate = new Date();
     }
 
     public void check(Certificate certificate)
@@ -43,8 +50,9 @@ class ProvCrlRevocationChecker
     {
         try
         {
-            RFC3280CertPathUtilities.checkCRLs(params,
-                params.getParamsPKIX(), (X509Certificate)certificate, params.getValidDate(), params.getSigningCert(), params.getWorkingPublicKey(), params.getCertPath().getCertificates(), helper);
+            RFC3280CertPathUtilities.checkCRLs(params, params.getParamsPKIX(), currentDate, params.getValidDate(),
+                (X509Certificate)certificate, params.getSigningCert(), params.getWorkingPublicKey(),
+                params.getCertPath().getCertificates(), helper);
         }
         catch (AnnotatedException e)
         {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java
index 9d50f412b..bdbd31226 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvOcspRevocationChecker.java
@@ -139,7 +139,6 @@ class ProvOcspRevocationChecker
     public void initialize(PKIXCertRevocationCheckerParameters parameters)
     {
         this.parameters = parameters;
-
         this.isEnabledOCSP = Properties.isOverrideSet("ocsp.enable");
         this.ocspURL = Properties.getPropertyValue("ocsp.responderURL");
     }
@@ -156,6 +155,10 @@ class ProvOcspRevocationChecker
         {
             throw new CertPathValidatorException("forward checking not supported");
         }
+
+        this.parameters = null;
+        this.isEnabledOCSP = Properties.isOverrideSet("ocsp.enable");
+        this.ocspURL = Properties.getPropertyValue("ocsp.responderURL");
     }
 
     public boolean isForwardCheckingSupported()
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java
index 635ab3bec..716b7e860 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/ProvRevocationChecker.java
@@ -108,7 +108,9 @@ class ProvRevocationChecker
     public void init(boolean forForward)
         throws CertPathValidatorException
     {
+        this.parameters = null;
          crlChecker.init(forForward);
+         ocspChecker.init(forForward);
     }
 
     public boolean isForwardCheckingSupported()
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java
index 1dd033896..c274113fa 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3280CertPathUtilities.java
@@ -17,12 +17,12 @@ import java.security.cert.X509Certificate;
 import java.security.cert.X509Extension;
 import java.text.SimpleDateFormat;
 import java.util.ArrayList;
-import java.util.Collection;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -65,8 +65,6 @@ import com.fr.third.org.bouncycastle.util.Arrays;
 
 class RFC3280CertPathUtilities
 {
-    private static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();
-
     private static final Class revChkClass = ClassUtil.loadClass(RFC3280CertPathUtilities.class, "java.security.cert.PKIXRevocationChecker");
 
     /**
@@ -472,11 +470,11 @@ class RFC3280CertPathUtilities
         PKIXCertStoreSelector selector = new PKIXCertStoreSelector.Builder(certSelector).build();
 
         // get CRL signing certs
-        Collection coll;
+        LinkedHashSet coll = new LinkedHashSet();
         try
         {
-            coll = CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertificateStores());
-            coll.addAll(CertPathValidatorUtilities.findCertificates(selector, paramsPKIX.getCertStores()));
+            CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertificateStores());
+            CertPathValidatorUtilities.findCertificates(coll, selector, paramsPKIX.getCertStores());
         }
         catch (AnnotatedException e)
         {
@@ -1381,6 +1379,7 @@ class RFC3280CertPathUtilities
     protected static void processCertA(
         CertPath certPath,
         PKIXExtendedParameters paramsPKIX,
+        Date validityDate,
         PKIXCertRevocationChecker revocationChecker,
         int index,
         PublicKey workingPublicKey,
@@ -1409,12 +1408,22 @@ class RFC3280CertPathUtilities
             }
         }
 
+        final Date validCertDate;
         try
         {
-            // (a) (2)
-            //
-            cert.checkValidity(CertPathValidatorUtilities
-                .getValidCertDateFromValidityModel(paramsPKIX, certPath, index));
+            validCertDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(validityDate,
+                paramsPKIX.getValidityModel(), certPath, index);
+        }
+        catch (AnnotatedException e)
+        {
+            throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
+        }
+
+        // (a) (2)
+        //
+        try
+        {
+            cert.checkValidity(validCertDate);
         }
         catch (CertificateExpiredException e)
         {
@@ -1424,35 +1433,16 @@ class RFC3280CertPathUtilities
         {
             throw new ExtCertPathValidatorException("Could not validate certificate: " + e.getMessage(), e, certPath, index);
         }
-        catch (AnnotatedException e)
-        {
-            throw new ExtCertPathValidatorException("Could not validate time of certificate.", e, certPath, index);
-        }
 
         //
         // (a) (3)
         //
         if (revocationChecker != null)
         {
+            revocationChecker.initialize(new PKIXCertRevocationCheckerParameters(paramsPKIX, validCertDate, certPath,
+                index, sign, workingPublicKey));
 
-            try
-            {
-                Date validDate = CertPathValidatorUtilities.getValidCertDateFromValidityModel(paramsPKIX, certPath, index);
-
-                revocationChecker.initialize(
-                        new PKIXCertRevocationCheckerParameters(paramsPKIX, validDate, certPath, index, sign, workingPublicKey));
-
-                revocationChecker.check(cert);
-            }
-            catch (AnnotatedException e)
-            {
-                Throwable cause = e;
-                if (null != e.getCause())
-                {
-                    cause = e.getCause();
-                }
-                throw new ExtCertPathValidatorException(e.getMessage(), cause, certPath, index);
-            }
+            revocationChecker.check(cert);
         }
 
         //
@@ -1641,29 +1631,39 @@ class RFC3280CertPathUtilities
     }
 
     /**
-     * Checks a distribution point for revocation information for the
-     * certificate cert.
+     * Checks a distribution point for revocation information for the certificate cert.
      *
-     * @param dp                 The distribution point to consider.
-     * @param paramsPKIX         PKIX parameters.
-     * @param cert               Certificate to check if it is revoked.
-     * @param validDate          The date when the certificate revocation status should be
-     *                           checked.
-     * @param defaultCRLSignCert The issuer certificate of the certificate cert.
-     * @param defaultCRLSignKey  The public key of the issuer certificate
-     *                           defaultCRLSignCert.
-     * @param certStatus         The current certificate revocation status.
-     * @param reasonMask         The reasons mask which is already checked.
-     * @param certPathCerts      The certificates of the certification path.
-     * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
-     *                            or some error occurs.
+     * @param dp
+     *            The distribution point to consider.
+     * @param paramsPKIX
+     *            PKIX parameters.
+     * @param currentDate
+     *            The date at which this check is being run.
+     * @param validityDate
+     *            The date when the certificate revocation status should be checked.
+     * @param cert
+     *            Certificate to check if it is revoked.
+     * @param defaultCRLSignCert
+     *            The issuer certificate of the certificate cert.
+     * @param defaultCRLSignKey
+     *            The public key of the issuer certificate defaultCRLSignCert.
+     * @param certStatus
+     *            The current certificate revocation status.
+     * @param reasonMask
+     *            The reasons mask which is already checked.
+     * @param certPathCerts
+     *            The certificates of the certification path.
+     * @throws AnnotatedException
+     *             if the certificate is revoked or the status cannot be checked or some error
+     *             occurs.
      */
     private static void checkCRL(
         PKIXCertRevocationCheckerParameters params,
         DistributionPoint dp,
         PKIXExtendedParameters paramsPKIX,
+        Date currentDate,
+        Date validityDate,
         X509Certificate cert,
-        Date validDate,
         X509Certificate defaultCRLSignCert,
         PublicKey defaultCRLSignKey,
         CertStatus certStatus,
@@ -1672,8 +1672,11 @@ class RFC3280CertPathUtilities
         JcaJceHelper helper)
         throws AnnotatedException, RecoverableCertPathValidatorException
     {
-        Date currentDate = new Date(System.currentTimeMillis());
-        if (validDate.getTime() > currentDate.getTime())
+        if (currentDate == null)
+        {
+            boolean debug = true;
+        }
+        if (validityDate.getTime() > currentDate.getTime())
         {
             throw new AnnotatedException("Validation time is in future.");
         }
@@ -1686,7 +1689,7 @@ class RFC3280CertPathUtilities
          * getAdditionalStore()
          */
 
-        Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, cert, currentDate, paramsPKIX);
+        Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, cert, paramsPKIX, validityDate);
         boolean validCrlFound = false;
         AnnotatedException lastException = null;
         Iterator crl_iter = crls.iterator();
@@ -1719,13 +1722,6 @@ class RFC3280CertPathUtilities
 
                 X509CRL deltaCRL = null;
 
-                Date validityDate = currentDate;
-
-                if (paramsPKIX.getDate() != null)
-                {
-                    validityDate = paramsPKIX.getDate();
-                }
-
                 if (paramsPKIX.isUseDeltasEnabled())
                 {
                     // get delta CRLs
@@ -1770,10 +1766,10 @@ class RFC3280CertPathUtilities
                 RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
 
                 // (i)
-                RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL, cert, certStatus, paramsPKIX);
+                RFC3280CertPathUtilities.processCRLI(validityDate, deltaCRL, cert, certStatus, paramsPKIX);
 
                 // (j)
-                RFC3280CertPathUtilities.processCRLJ(validDate, crl, cert, certStatus);
+                RFC3280CertPathUtilities.processCRLJ(validityDate, crl, cert, certStatus);
 
                 // (k)
                 if (certStatus.getCertStatus() == CRLReason.removeFromCRL)
@@ -1828,21 +1824,30 @@ class RFC3280CertPathUtilities
     /**
      * Checks a certificate if it is revoked.
      *
-     * @param paramsPKIX       PKIX parameters.
-     * @param cert             Certificate to check if it is revoked.
-     * @param validDate        The date when the certificate revocation status should be
-     *                         checked.
-     * @param sign             The issuer certificate of the certificate cert.
-     * @param workingPublicKey The public key of the issuer certificate sign.
-     * @param certPathCerts    The certificates of the certification path.
-     * @throws AnnotatedException if the certificate is revoked or the status cannot be checked
-     *                            or some error occurs.
+     * @param paramsPKIX
+     *            PKIX parameters.
+     * @param currentDate
+     *            The date at which this check is being run.
+     * @param validityDate
+     *            The date when the certificate revocation status should be checked.
+     * @param cert
+     *            Certificate to check if it is revoked.
+     * @param sign
+     *            The issuer certificate of the certificate cert.
+     * @param workingPublicKey
+     *            The public key of the issuer certificate sign.
+     * @param certPathCerts
+     *            The certificates of the certification path.
+     * @throws AnnotatedException
+     *             if the certificate is revoked or the status cannot be checked or some error
+     *             occurs.
      */
     protected static void checkCRLs(
         PKIXCertRevocationCheckerParameters params,
         PKIXExtendedParameters paramsPKIX,
+        Date currentDate,
+        Date validityDate,
         X509Certificate cert,
-        Date validDate,
         X509Certificate sign,
         PublicKey workingPublicKey,
         List certPathCerts,
@@ -1864,7 +1869,8 @@ class RFC3280CertPathUtilities
         PKIXExtendedParameters.Builder paramsBldr = new PKIXExtendedParameters.Builder(paramsPKIX);
         try
         {
-            List extras = CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validDate, helper);
+            List extras = CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp,
+                paramsPKIX.getNamedCRLStoreMap(), validityDate, helper);
             for (Iterator it = extras.iterator(); it.hasNext();)
             {
                 paramsBldr.addCRLStore((PKIXCRLStore)it.next());
@@ -1898,7 +1904,8 @@ class RFC3280CertPathUtilities
                 {
                     try
                     {
-                        checkCRL(params, dps[i], finalParams, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask, certPathCerts, helper);
+                        checkCRL(params, dps[i], finalParams, currentDate, validityDate, cert, sign, workingPublicKey,
+                            certStatus, reasonsMask, certPathCerts, helper);
                         validCrlFound = true;
                     }
                     catch (AnnotatedException e)
@@ -1936,8 +1943,8 @@ class RFC3280CertPathUtilities
                 DistributionPoint dp = new DistributionPoint(new DistributionPointName(0, new GeneralNames(
                     new GeneralName(GeneralName.directoryName, issuer))), null, null);
                 PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters)paramsPKIX.clone();
-                checkCRL(params, dp, paramsPKIXClone, cert, validDate, sign, workingPublicKey, certStatus, reasonsMask,
-                    certPathCerts, helper);
+                checkCRL(params, dp, paramsPKIXClone, currentDate, validityDate, cert, sign, workingPublicKey,
+                    certStatus, reasonsMask, certPathCerts, helper);
                 validCrlFound = true;
             }
             catch (AnnotatedException e)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java
index 696dd0cdd..9a7dba30e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/RFC3281CertPathUtilities.java
@@ -21,8 +21,8 @@ import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
 import java.util.Date;
-import java.util.HashSet;
 import java.util.Iterator;
+import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
 
@@ -113,22 +113,24 @@ class RFC3281CertPathUtilities
     /**
      * Checks if an attribute certificate is revoked.
      * 
-     * @param attrCert Attribute certificate to check if it is revoked.
-     * @param paramsPKIX PKIX parameters.
-     * @param issuerCert The issuer certificate of the attribute certificate
-     *            attrCert.
-     * @param validDate The date when the certificate revocation status should
-     *            be checked.
-     * @param certPathCerts The certificates of the certification path to be
-     *            checked.
+     * @param attrCert
+     *            Attribute certificate to check if it is revoked.
+     * @param paramsPKIX
+     *            PKIX parameters.
+     * @param validityDate
+     *            The date when the certificate revocation status should be checked.
+     * @param issuerCert
+     *            The issuer certificate of the attribute certificate attrCert.
+     * @param certPathCerts
+     *            The certificates of the certification path to be checked.
      * 
-     * @throws CertPathValidatorException if the certificate is revoked or the
-     *             status cannot be checked or some error occurs.
+     * @throws CertPathValidatorException
+     *             if the certificate is revoked or the status cannot be checked or some error
+     *             occurs.
      */
-    protected static void checkCRLs(
-        X509AttributeCertificate attrCert,
-        PKIXExtendedParameters paramsPKIX, X509Certificate issuerCert,
-        Date validDate, List certPathCerts, JcaJceHelper helper) throws CertPathValidatorException
+    protected static void checkCRLs(X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX,
+        Date currentDate, Date validityDate, X509Certificate issuerCert, List certPathCerts, JcaJceHelper helper)
+        throws CertPathValidatorException
     {
         if (paramsPKIX.isRevocationEnabled())
         {
@@ -152,7 +154,8 @@ class RFC3281CertPathUtilities
 
                 try
                 {
-                    crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp, paramsPKIX.getNamedCRLStoreMap(), validDate, helper));
+                    crlStores.addAll(CertPathValidatorUtilities.getAdditionalStoresFromCRLDistributionPoint(crldp,
+                        paramsPKIX.getNamedCRLStoreMap(), validityDate, helper));
                 }
                 catch (AnnotatedException e)
                 {
@@ -197,10 +200,8 @@ class RFC3281CertPathUtilities
                             PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters)paramsPKIX
                                     .clone();
 
-                            checkCRL(
-                                dps[i], attrCert, paramsPKIXClone,
-                                validDate, issuerCert, certStatus, reasonsMask,
-                                certPathCerts, helper);
+                            checkCRL(dps[i], attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert,
+                                certStatus, reasonsMask, certPathCerts, helper);
                             validCrlFound = true;
                         }
                     }
@@ -245,8 +246,8 @@ class RFC3281CertPathUtilities
                         PKIXExtendedParameters paramsPKIXClone = (PKIXExtendedParameters) paramsPKIX
                             .clone();
  
-                        checkCRL(dp, attrCert, paramsPKIXClone, validDate,
-                            issuerCert, certStatus, reasonsMask, certPathCerts, helper);
+                        checkCRL(dp, attrCert, paramsPKIXClone, currentDate, validityDate, issuerCert, certStatus,
+                            reasonsMask, certPathCerts, helper);
                         validCrlFound = true;
                     }
                     catch (AnnotatedException e)
@@ -322,13 +323,12 @@ class RFC3281CertPathUtilities
         }
     }
 
-    protected static void processAttrCert5(X509AttributeCertificate attrCert,
-        PKIXExtendedParameters pkixParams) throws CertPathValidatorException
+    protected static void processAttrCert5(X509AttributeCertificate attrCert, Date validityDate)
+        throws CertPathValidatorException
     {
         try
         {
-            attrCert.checkValidity(CertPathValidatorUtilities
-                .getValidDate(pkixParams));
+            attrCert.checkValidity(validityDate);
         }
         catch (CertificateExpiredException e)
         {
@@ -439,7 +439,7 @@ class RFC3281CertPathUtilities
     {
         CertPathBuilderResult result = null;
         // find holder PKCs
-        Set holderPKCs = new HashSet();
+        LinkedHashSet holderPKCs = new LinkedHashSet();
         if (attrCert.getHolder().getIssuer() != null)
         {
             X509CertSelector selector = new X509CertSelector();
@@ -454,8 +454,8 @@ class RFC3281CertPathUtilities
                         selector.setIssuer(((X500Principal)principals[i])
                             .getEncoded());
                     }
-                    holderPKCs.addAll(CertPathValidatorUtilities
-                        .findCertificates(new PKIXCertStoreSelector.Builder(selector).build(), pkixParams.getCertStores()));
+                    PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
+                    CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
                 }
                 catch (AnnotatedException e)
                 {
@@ -488,8 +488,8 @@ class RFC3281CertPathUtilities
                         selector.setIssuer(((X500Principal) principals[i])
                             .getEncoded());
                     }
-                    holderPKCs.addAll(CertPathValidatorUtilities
-                        .findCertificates(new PKIXCertStoreSelector.Builder(selector).build(), pkixParams.getCertStores()));
+                    PKIXCertStoreSelector certSelect = new PKIXCertStoreSelector.Builder(selector).build();
+                    CertPathValidatorUtilities.findCertificates(holderPKCs, certSelect, pkixParams.getCertStores());
                 }
                 catch (AnnotatedException e)
                 {
@@ -557,29 +557,32 @@ class RFC3281CertPathUtilities
     }
 
     /**
+     * Checks a distribution point for revocation information for the certificate
+     * attrCert.
      * 
-     * Checks a distribution point for revocation information for the
-     * certificate attrCert.
-     * 
-     * @param dp The distribution point to consider.
-     * @param attrCert The attribute certificate which should be checked.
-     * @param paramsPKIX PKIX parameters.
-     * @param validDate The date when the certificate revocation status should
-     *            be checked.
-     * @param issuerCert Certificate to check if it is revoked.
-     * @param reasonMask The reasons mask which is already checked.
-     * @param certPathCerts The certificates of the certification path to be
-     *            checked.
-     * @throws AnnotatedException if the certificate is revoked or the status
-     *             cannot be checked or some error occurs.
+     * @param dp
+     *            The distribution point to consider.
+     * @param attrCert
+     *            The attribute certificate which should be checked.
+     * @param paramsPKIX
+     *            PKIX parameters.
+     * @param validDate
+     *            The date when the certificate revocation status should be checked.
+     * @param issuerCert
+     *            Certificate to check if it is revoked.
+     * @param reasonMask
+     *            The reasons mask which is already checked.
+     * @param certPathCerts
+     *            The certificates of the certification path to be checked.
+     * @throws AnnotatedException
+     *             if the certificate is revoked or the status cannot be checked or some error
+     *             occurs.
      */
-    private static void checkCRL(DistributionPoint dp,
-                                 X509AttributeCertificate attrCert, PKIXExtendedParameters paramsPKIX,
-                                 Date validDate, X509Certificate issuerCert, CertStatus certStatus,
-                                 ReasonsMask reasonMask, List certPathCerts, JcaJceHelper helper)
+    private static void checkCRL(DistributionPoint dp, X509AttributeCertificate attrCert,
+        PKIXExtendedParameters paramsPKIX, Date currentDate, Date validityDate, X509Certificate issuerCert, CertStatus certStatus,
+        ReasonsMask reasonMask, List certPathCerts, JcaJceHelper helper)
         throws AnnotatedException, RecoverableCertPathValidatorException
     {
-
         /*
          * 4.3.6 No Revocation Available
          * 
@@ -591,8 +594,8 @@ class RFC3281CertPathUtilities
         {
             return;
         }
-        Date currentDate = new Date(System.currentTimeMillis());
-        if (validDate.getTime() > currentDate.getTime())
+
+        if (validityDate.getTime() > currentDate.getTime())
         {
             throw new AnnotatedException("Validation time is in future.");
         }
@@ -605,9 +608,9 @@ class RFC3281CertPathUtilities
          * getAdditionalStore()
          */
 
-        PKIXCertRevocationCheckerParameters params = new PKIXCertRevocationCheckerParameters(paramsPKIX, validDate, null, -1, issuerCert, null);
-        Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, attrCert,
-            currentDate, paramsPKIX);
+        PKIXCertRevocationCheckerParameters params = new PKIXCertRevocationCheckerParameters(paramsPKIX, validityDate,
+            null, -1, issuerCert, null);
+        Set crls = CertPathValidatorUtilities.getCompleteCRLs(params, dp, attrCert, paramsPKIX, validityDate);
         boolean validCrlFound = false;
         AnnotatedException lastException = null;
         Iterator crl_iter = crls.iterator();
@@ -689,12 +692,10 @@ class RFC3281CertPathUtilities
                 RFC3280CertPathUtilities.processCRLC(deltaCRL, crl, paramsPKIX);
 
                 // (i)
-                RFC3280CertPathUtilities.processCRLI(validDate, deltaCRL,
-                    attrCert, certStatus, paramsPKIX);
+                RFC3280CertPathUtilities.processCRLI(validityDate, deltaCRL, attrCert, certStatus, paramsPKIX);
 
                 // (j)
-                RFC3280CertPathUtilities.processCRLJ(validDate, crl, attrCert,
-                    certStatus);
+                RFC3280CertPathUtilities.processCRLJ(validityDate, crl, attrCert, certStatus);
 
                 // (k)
                 if (certStatus.getCertStatus() == CRLReason.removeFromCRL)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java
index 8ad1197c5..287cecb1e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/jce/provider/WrappedRevocationChecker.java
@@ -23,8 +23,9 @@ class WrappedRevocationChecker
     }
 
     public void initialize(PKIXCertRevocationCheckerParameters params)
+        throws CertPathValidatorException
     {
-         // ignore.
+        checker.init(false);
     }
 
     public void check(Certificate cert)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java
index f7048b022..2efe9030d 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/math/raw/Mod.java
@@ -69,7 +69,6 @@ public abstract class Mod
 
         int bits = (len32 << 5) - Integers.numberOfLeadingZeros(m[len32 - 1]);
         int len30 = (bits + 29) / 30;
-        int m0Inv30x4 = -inverse32(m[0]) << 2;
 
         int[] t = new int[4];
         int[] D = new int[len30];
@@ -84,28 +83,25 @@ public abstract class Mod
         System.arraycopy(M, 0, F, 0, len30);
 
         int eta = -1;
+        int m0Inv32 = inverse32(M[0]);
         int maxDivsteps = getMaximumDivsteps(bits);
 
         for (int divSteps = 0; divSteps < maxDivsteps; divSteps += 30)
         {
             eta = divsteps30(eta, F[0], G[0], t);
-            updateDE30(len30, D, E, t, m0Inv30x4, M);
+            updateDE30(len30, D, E, t, m0Inv32, M);
             updateFG30(len30, F, G, t);
         }
 
         int signF = F[len30 - 1] >> 31;
-//        assert -1 == signF | 0 == signF;
-
         cnegate30(len30, signF, F);
 
-        int signD = cnegate30(len30, signF, D);
-//        assert -1 == signD | 0 == signD;
-
-        // TODO 'D' should already be in [P, -P), but absent a proof we support [-2P, 2P)  
-        signD = csub30(len30, ~signD, D, M);
-        signD = cadd30(len30,  signD, D, M);
-        signD = cadd30(len30,  signD, D, M);
-//        assert 0 == signD;
+        /*
+         * D is in the range (-2.M, M). First, conditionally add M if D is negative, to bring it
+         * into the range (-M, M). Then normalize by conditionally negating (according to signF)
+         * and/or then adding M, to bring it into the range [0, M).
+         */
+        cnormalize30(len30, signF, D, M);
 
         decode30(bits, D, 0, z, 0);
 //        assert 0 != Nat.lessThan(len32, z, m);
@@ -122,7 +118,6 @@ public abstract class Mod
 
         int bits = (len32 << 5) - Integers.numberOfLeadingZeros(m[len32 - 1]);
         int len30 = (bits + 29) / 30;
-        int m0Inv30x4 = -inverse32(m[0]) << 2;
 
         int[] t = new int[4];
         int[] D = new int[len30];
@@ -139,6 +134,7 @@ public abstract class Mod
         int clzG = Integers.numberOfLeadingZeros(G[len30 - 1] | 1) - (len30 * 30 + 2 - bits);
         int eta = -1 - clzG;
         int lenDE = len30, lenFG = len30;
+        int m0Inv32 = inverse32(M[0]);
         int maxDivsteps = getMaximumDivsteps(bits);
 
         int divsteps = 0;
@@ -152,7 +148,7 @@ public abstract class Mod
             divsteps += 30;
 
             eta = divsteps30Var(eta, F[0], G[0], t);
-            updateDE30(lenDE, D, E, t, m0Inv30x4, M);
+            updateDE30(lenDE, D, E, t, m0Inv32, M);
             updateFG30(lenFG, F, G, t);
 
             int fn = F[lenFG - 1];
@@ -171,34 +167,32 @@ public abstract class Mod
         }
 
         int signF = F[lenFG - 1] >> 31;
-//        assert -1 == signF || 0 == signF;
 
-        if (0 != signF)
+        /*
+         * D is in the range (-2.M, M). First, conditionally add M if D is negative, to bring it
+         * into the range (-M, M). Then normalize by conditionally negating (according to signF)
+         * and/or then adding M, to bring it into the range [0, M).
+         */
+        int signD = D[lenDE - 1] >> 31;
+        if (signD < 0)
+        {
+            signD = add30(lenDE, D, M);
+        }
+        if (signF < 0)
         {
-            negate30(lenFG, F);
-            negate30(lenDE, D);
+            signD = negate30(lenDE, D);
+            signF = negate30(lenFG, F);
         }
+//        assert 0 == signF;
 
         if (!Nat.isOne(lenFG, F))
         {
             return false;
         }
 
-        int signD = D[lenDE - 1] >> 31;
-//        assert -1 == signD || 0 == signD;
-
-        // TODO 'D' should already be in [P, -P), but absent a proof we support [-2P, 2P)  
-        if (signD < 0)
-        {
-            signD = add30(len30, D, M);
-        }
-        else
-        {
-            signD = sub30(len30, D, M);
-        }
         if (signD < 0)
         {
-            signD = add30(len30, D, M);
+            signD = add30(lenDE, D, M);
         }
 //        assert 0 == signD;
 
@@ -262,24 +256,7 @@ public abstract class Mod
         return c;
     }
 
-    private static int cadd30(int len30, int cond, int[] D, int[] M)
-    {
-//        assert len30 > 0;
-//        assert D.length >= len30;
-//        assert M.length >= len30;
-
-        int c = 0, last = len30 - 1;
-        for (int i = 0; i < last; ++i)
-        {
-            c += D[i] + (M[i] & cond);
-            D[i] = c & M30; c >>= 30;
-        }
-        c += D[last] + (M[last] & cond);
-        D[last] = c; c >>= 30;
-        return c;
-    }
-
-    private static int cnegate30(int len30, int cond, int[] D)
+    private static void cnegate30(int len30, int cond, int[] D)
     {
 //        assert len30 > 0;
 //        assert D.length >= len30;
@@ -291,25 +268,45 @@ public abstract class Mod
             D[i] = c & M30; c >>= 30;
         }
         c += (D[last] ^ cond) - cond;
-        D[last] = c; c >>= 30;
-        return c;
+        D[last] = c;
     }
 
-    private static int csub30(int len30, int cond, int[] D, int[] M)
+    private static void cnormalize30(int len30, int condNegate, int[] D, int[] M)
     {
 //        assert len30 > 0;
 //        assert D.length >= len30;
 //        assert M.length >= len30;
 
-        int c = 0, last = len30 - 1;
-        for (int i = 0; i < last; ++i)
+        int last = len30 - 1;
+
         {
-            c += D[i] - (M[i] & cond);
-            D[i] = c & M30; c >>= 30;
+            int c = 0, condAdd = D[last] >> 31;
+            for (int i = 0; i < last; ++i)
+            {
+                int di = D[i] + (M[i] & condAdd);
+                di = (di ^ condNegate) - condNegate;
+                c += di; D[i] = c & M30; c >>= 30;
+            }
+            {
+                int di = D[last] + (M[last] & condAdd);
+                di = (di ^ condNegate) - condNegate;
+                c += di; D[last] = c;
+            }
+        }
+
+        {
+            int c = 0, condAdd = D[last] >> 31;
+            for (int i = 0; i < last; ++i)
+            {
+                int di = D[i] + (M[i] & condAdd);
+                c += di; D[i] = c & M30; c >>= 30;
+            }
+            {
+                int di = D[last] + (M[last] & condAdd);
+                c += di; D[last] = c;
+            }
+//            assert c >> 30 == 0;
         }
-        c += D[last] - (M[last] & cond);
-        D[last] = c; c >>= 30;
-        return c;
     }
 
     private static void decode30(int bits, int[] x, int xOff, int[] z, int zOff)
@@ -484,46 +481,46 @@ public abstract class Mod
         return c;
     }
 
-    private static int sub30(int len30, int[] D, int[] M)
-    {
-//        assert len30 > 0;
-//        assert D.length >= len30;
-//        assert M.length >= len30;
-
-        int c = 0, last = len30 - 1;
-        for (int i = 0; i < last; ++i)
-        {
-            c += D[i] - M[i];
-            D[i] = c & M30; c >>= 30;
-        }
-        c += D[last] - M[last];
-        D[last] = c; c >>= 30;
-        return c;
-    }
-
-    private static void updateDE30(int len30, int[] D, int[] E, int[] t, int m0Inv30x4, int[] M)
+    private static void updateDE30(int len30, int[] D, int[] E, int[] t, int m0Inv32, int[] M)
     {
 //        assert len30 > 0;
 //        assert D.length >= len30;
 //        assert E.length >= len30;
 //        assert M.length >= len30;
-//        assert m0Inv30x4 * M[0] == -1 << 2;
+//        assert m0Inv32 * M[0] == 1;
 
         final int u = t[0], v = t[1], q = t[2], r = t[3];
-        int di, ei, i, md, me;
+        int di, ei, i, md, me, mi, sd, se;
         long cd, ce;
 
+        /*
+         * We accept D (E) in the range (-2.M, M) and conceptually add the modulus to the input
+         * value if it is initially negative. Instead of adding it explicitly, we add u and/or v (q
+         * and/or r) to md (me).
+         */
+        sd = D[len30 - 1] >> 31;
+        se = E[len30 - 1] >> 31;
+
+        md = (u & sd) + (v & se);
+        me = (q & sd) + (r & se);
+
+        mi = M[0];
         di = D[0];
         ei = E[0];
 
         cd = (long)u * di + (long)v * ei;
         ce = (long)q * di + (long)r * ei;
 
-        md = (m0Inv30x4 * (int)cd) >> 2;
-        me = (m0Inv30x4 * (int)ce) >> 2;
+        /*
+         * Subtract from md/me an extra term in the range [0, 2^30) such that the low 30 bits of the
+         * intermediate D/E values will be 0, allowing clean division by 2^30. The final D/E are
+         * thus in the range (-2.M, M), consistent with the input constraint.
+         */
+        md -= (m0Inv32 * (int)cd + md) & M30;
+        me -= (m0Inv32 * (int)ce + me) & M30;
 
-        cd += (long)M[0] * md;
-        ce += (long)M[0] * me;
+        cd += (long)mi * md;
+        ce += (long)mi * me;
 
 //        assert ((int)cd & M30) == 0;
 //        assert ((int)ce & M30) == 0;
@@ -533,14 +530,12 @@ public abstract class Mod
 
         for (i = 1; i < len30; ++i)
         {
+            mi = M[i];
             di = D[i];
             ei = E[i];
 
-            cd += (long)u * di + (long)v * ei;
-            ce += (long)q * di + (long)r * ei;
-
-            cd += (long)M[i] * md;
-            ce += (long)M[i] * me;
+            cd += (long)u * di + (long)v * ei + (long)mi * md;
+            ce += (long)q * di + (long)r * ei + (long)mi * me;
 
             D[i - 1] = (int)cd & M30; cd >>= 30;
             E[i - 1] = (int)ce & M30; ce >>= 30;
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java
index 5e76ce2ff..7748fa76e 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/ntru/NTRUSigner.java
@@ -10,8 +10,8 @@ import com.fr.third.org.bouncycastle.pqc.math.ntru.polynomial.Polynomial;
 /**
 * Signs, verifies data and generates key pairs.
 * @deprecated the NTRUSigner algorithm was broken in 2012 by Ducas and Nguyen. See
-* 
-* http://www.di.ens.fr/~ducas/NTRUSign_Cryptanalysis/DucasNguyen_Learning.pdf
+* 
+* https://www.di.ens.fr/~ducas/NTRUSign_Cryptanalysis/DucasNguyen_Learning.pdf
 * for details.
 */
 public class NTRUSigner
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java
index bdf5cc636..0cf450a57 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/Layer.java
@@ -20,7 +20,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
  * 
    
  * More information about the layer can be found in the paper of Jintai Ding,
  * Dieter Schmidt: Rainbow, a New Multivariable Polynomial Signature Scheme.
- * ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12)
+ * ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12)
  */
 public class Layer
 {
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java
index de79fdce8..ab89b7694 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowKeyPairGenerator.java
@@ -16,7 +16,7 @@ import com.fr.third.org.bouncycastle.pqc.crypto.rainbow.util.GF2Field;
  * 
    
  * Detailed information about the key generation is to be found in the paper of
  * Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial
- * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12)
+ * Signature Scheme. ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12)
  */
 public class RainbowKeyPairGenerator
     implements AsymmetricCipherKeyPairGenerator
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java
index 37447d1e2..0842f368d 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/crypto/rainbow/RainbowSigner.java
@@ -17,7 +17,7 @@ import com.fr.third.org.bouncycastle.pqc.crypto.rainbow.util.GF2Field;
  * Detailed information about the signature and the verify-method is to be found
  * in the paper of Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable
  * Polynomial Signature Scheme. ACNS 2005: 164-175
- * (http://dx.doi.org/10.1007/11496137_12)
+ * (https://dx.doi.org/10.1007/11496137_12)
  */
 public class RainbowSigner
     implements MessageSigner
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java
index 37c952f77..41a459d57 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/mceliece/McEliecePKCSCipherSpi.java
@@ -66,7 +66,7 @@ public class McEliecePKCSCipherSpi
         }
         catch (Exception e)
         {
-            e.printStackTrace();
+            throw new IllegalBlockSizeException(e.getMessage());
         }
         return output;
     }
@@ -81,7 +81,7 @@ public class McEliecePKCSCipherSpi
         }
         catch (Exception e)
         {
-            e.printStackTrace();
+            throw new IllegalBlockSizeException(e.getMessage());
         }
         return output;
     }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java
index c6aacb97d..d022be569 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPrivateKey.java
@@ -25,7 +25,7 @@ import com.fr.third.org.bouncycastle.pqc.jcajce.spec.RainbowPrivateKeySpec;
  * 
    
  * More detailed information about the private key is to be found in the paper
  * of Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial
- * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12)
+ * Signature Scheme. ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12)
  * 
    
  */
 public class BCRainbowPrivateKey
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java
index 5fdedb111..2a6904fdf 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/provider/rainbow/BCRainbowPublicKey.java
@@ -27,7 +27,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
  * 
    
  * More detailed information on the public key is to be found in the paper of
  * Jintai Ding, Dieter Schmidt: Rainbow, a New Multivariable Polynomial
- * Signature Scheme. ACNS 2005: 164-175 (http://dx.doi.org/10.1007/11496137_12)
+ * Signature Scheme. ACNS 2005: 164-175 (https://dx.doi.org/10.1007/11496137_12)
  * 
    
  */
 public class BCRainbowPublicKey
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java
index d62852292..55196e2b3 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/jcajce/spec/RainbowParameterSpec.java
@@ -11,7 +11,7 @@ import com.fr.third.org.bouncycastle.util.Arrays;
  * More detailed information about the needed parameters for the Rainbow
  * Signature Scheme is to be found in the paper of Jintai Ding, Dieter Schmidt:
  * Rainbow, a New Multivariable Polynomial Signature Scheme. ACNS 2005: 164-175
- * (http://dx.doi.org/10.1007/11496137_12)
+ * (https://dx.doi.org/10.1007/11496137_12)
  * 
    
  */
 public class RainbowParameterSpec
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java
index ac8e47230..cf3fd44a6 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/GF2nPolynomialElement.java
@@ -9,7 +9,7 @@ import java.util.Random;
  * This class implements elements of finite binary fields GF(2n)
  * using polynomial representation. For more information on the arithmetic see
  * for example IEEE Standard 1363 or  Certicom online-tutorial.
+ * href=https://www.certicom.com/research/online.html> Certicom online-tutorial.
  *
  * @see "GF2nField"
  * @see GF2nPolynomialField
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java
index 9656b0953..49271be60 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/pqc/math/linearalgebra/IntegerFunctions.java
@@ -1355,8 +1355,6 @@ public final class IntegerFunctions
         {
             if (a[i - 1] >= a[i])
             {
-                System.out.println("a[" + (i - 1) + "] = " + a[i - 1] + " >= "
-                    + a[i] + " = a[" + i + "]");
                 return false;
             }
         }
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java
index c43cbcbf6..2935d44eb 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Arrays.java
@@ -876,6 +876,25 @@ public final class Arrays
         return r;
     }
 
+    public static short[] concatenate(short[] a, short[] b)
+    {
+        if (null == a)
+        {
+            // b might also be null
+            return clone(b);
+        }
+        if (null == b)
+        {
+            // a might also be null
+            return clone(a);
+        }
+
+        short[] r = new short[a.length + b.length];
+        System.arraycopy(a, 0, r, 0, a.length);
+        System.arraycopy(b, 0, r, a.length, b.length);
+        return r;
+    }
+
     public static byte[] concatenate(byte[] a, byte[] b, byte[] c)
     {
         if (null == a)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java
index 2838255d3..ee6399ef7 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/BigIntegers.java
@@ -13,8 +13,8 @@ public final class BigIntegers
 {
     public static final BigInteger ZERO = BigInteger.valueOf(0);
     public static final BigInteger ONE = BigInteger.valueOf(1);
+    public static final BigInteger TWO = BigInteger.valueOf(2);
 
-    private static final BigInteger TWO = BigInteger.valueOf(2);
     private static final BigInteger THREE = BigInteger.valueOf(3);
 
     private static final int MAX_ITERATIONS = 1000;
@@ -30,7 +30,7 @@ public final class BigIntegers
     {
         byte[] bytes = value.toByteArray();
         
-        if (bytes[0] == 0)
+        if (bytes[0] == 0 && bytes.length != 1)
         {
             byte[] tmp = new byte[bytes.length - 1];
             
@@ -60,7 +60,7 @@ public final class BigIntegers
             return bytes;
         }
 
-        int start = bytes[0] == 0 ? 1 : 0;
+        int start = (bytes[0] == 0 && bytes.length != 1) ? 1 : 0;
         int count = bytes.length - start;
 
         if (count > length)
@@ -95,7 +95,7 @@ public final class BigIntegers
             return;
         }
 
-        int start = bytes[0] == 0 ? 1 : 0;
+        int start = (bytes[0] == 0 && bytes.length != 1) ? 1 : 0;
         int count = bytes.length - start;
 
         if (count > len)
@@ -252,6 +252,11 @@ public final class BigIntegers
 
     public static int getUnsignedByteLength(BigInteger n)
     {
+        if (n.equals(ZERO))
+        {
+            return 1;
+        }
+
         return (n.bitLength() + 7) / 8;
     }
 
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Doubles.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Doubles.java
new file mode 100644
index 000000000..2ba867aff
--- /dev/null
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/util/Doubles.java
@@ -0,0 +1,9 @@
+package com.fr.third.org.bouncycastle.util;
+
+public class Doubles
+{
+    public static Double valueOf(double value)
+    {
+        return Double.valueOf(value);
+    }
+}
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java
index 4d1187367..8ae05ec80 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/CertPathValidatorUtilities.java
@@ -61,8 +61,6 @@ import com.fr.third.org.bouncycastle.util.StoreException;
 
 class CertPathValidatorUtilities
 {
-    protected static final PKIXCRLUtil CRL_UTIL = new PKIXCRLUtil();
-
     protected static final String CERTIFICATE_POLICIES = Extension.certificatePolicies.getId();
     protected static final String BASIC_CONSTRAINTS = Extension.basicConstraints.getId();
     protected static final String POLICY_MAPPINGS = Extension.policyMappings.getId();
@@ -73,14 +71,13 @@ class CertPathValidatorUtilities
     protected static final String ISSUING_DISTRIBUTION_POINT = Extension.issuingDistributionPoint.getId();
     protected static final String DELTA_CRL_INDICATOR = Extension.deltaCRLIndicator.getId();
     protected static final String POLICY_CONSTRAINTS = Extension.policyConstraints.getId();
-    protected static final String FRESHEST_CRL = Extension.freshestCRL.getId();
-    protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId();
-    protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId();
+//    protected static final String FRESHEST_CRL = Extension.freshestCRL.getId();
+//    protected static final String CRL_DISTRIBUTION_POINTS = Extension.cRLDistributionPoints.getId();
+//    protected static final String AUTHORITY_KEY_IDENTIFIER = Extension.authorityKeyIdentifier.getId();
+    protected static final String CRL_NUMBER = Extension.cRLNumber.getId();
 
     protected static final String ANY_POLICY = "2.5.29.32.0";
 
-    protected static final String CRL_NUMBER = Extension.cRLNumber.getId();
-
     /*
     * key usage bits
     */
@@ -100,9 +97,6 @@ class CertPathValidatorUtilities
         "privilegeWithdrawn",
         "aACompromise"};
 
-
-
-
     /**
      * Returns the issuer of an attribute certificate or certificate.
      *
@@ -122,16 +116,11 @@ class CertPathValidatorUtilities
         }
     }
 
-    protected static Date getValidDate(PKIXParameters paramsPKIX)
+    protected static Date getValidityDate(PKIXParameters paramsPKIX, Date currentDate)
     {
-        Date validDate = paramsPKIX.getDate();
-
-        if (validDate == null)
-        {
-            validDate = new Date();
-        }
+        Date validityDate = paramsPKIX.getDate();
 
-        return validDate;
+        return null == validityDate ? currentDate : validityDate;
     }
 
     protected static X500Principal getSubjectPrincipal(X509Certificate cert)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java
index 9feb763bf..3839d2578 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCRLUtil.java
@@ -3,10 +3,6 @@ package com.fr.third.org.bouncycastle.x509;
 import java.security.cert.CertStore;
 import java.security.cert.CertStoreException;
 import java.security.cert.PKIXParameters;
-import java.security.cert.X509CRL;
-import java.security.cert.X509Certificate;
-import java.util.Collection;
-import java.util.Date;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
@@ -15,68 +11,17 @@ import java.util.Set;
 import com.fr.third.org.bouncycastle.jce.provider.AnnotatedException;
 import com.fr.third.org.bouncycastle.util.StoreException;
 
-class PKIXCRLUtil
+abstract class PKIXCRLUtil
 {
-    public Set findCRLs(X509CRLStoreSelector crlselect, ExtendedPKIXParameters paramsPKIX, Date currentDate)
+    static Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX)
         throws AnnotatedException
     {
-        Set initialSet = new HashSet();
+        HashSet completeSet = new HashSet();
 
         // get complete CRL(s)
         try
         {
-            initialSet.addAll(findCRLs(crlselect, paramsPKIX.getAdditionalStores()));
-            initialSet.addAll(findCRLs(crlselect, paramsPKIX.getStores()));
-            initialSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores()));
-        }
-        catch (AnnotatedException e)
-        {
-            throw new AnnotatedException("Exception obtaining complete CRLs.", e);
-        }
-
-        Set finalSet = new HashSet();
-        Date validityDate = currentDate;
-
-        if (paramsPKIX.getDate() != null)
-        {
-            validityDate = paramsPKIX.getDate();
-        }
-
-        // based on RFC 5280 6.3.3
-        for (Iterator it = initialSet.iterator(); it.hasNext();)
-        {
-            X509CRL crl = (X509CRL)it.next();
-
-            if (crl.getNextUpdate().after(validityDate))
-            {
-                X509Certificate cert = crlselect.getCertificateChecking();
-
-                if (cert != null)
-                {
-                    if (crl.getThisUpdate().before(cert.getNotAfter()))
-                    {
-                        finalSet.add(crl);
-                    }
-                }
-                else
-                {
-                    finalSet.add(crl);
-                }
-            }
-        }
-
-        return finalSet;
-    }
-
-    public Set findCRLs(X509CRLStoreSelector crlselect, PKIXParameters paramsPKIX)
-        throws AnnotatedException
-    {
-        Set completeSet = new HashSet();
-
-        // get complete CRL(s)
-        try
-        {
-            completeSet.addAll(findCRLs(crlselect, paramsPKIX.getCertStores()));
+            findCRLs(completeSet, crlselect, paramsPKIX.getCertStores());
         }
         catch (AnnotatedException e)
         {
@@ -86,36 +31,30 @@ class PKIXCRLUtil
         return completeSet;
     }
 
-/**
-     * Return a Collection of all CRLs found in the X509Store's that are
-     * matching the crlSelect criteriums.
+    /**
+     * Add to a HashSet any and all CRLs found in the X509Store's that are matching the crlSelect
+     * criteria.
      *
-     * @param crlSelect a {@link X509CRLStoreSelector} object that will be used
-     *            to select the CRLs
-     * @param crlStores a List containing only
-     *            {@link com.fr.third.org.bouncycastle.x509.X509Store  X509Store} objects.
+     * @param crls
+     *            the {@link HashSet} to add the CRLs to.
+     * @param crlSelect
+     *            a {@link X509CRLStoreSelector} object that will be used to select the CRLs
+     * @param crlStores
+     *            a List containing only {@link com.fr.third.org.bouncycastle.x509.X509Store X509Store} objects.
      *            These are used to search for CRLs
-     *
-     * @return a Collection of all found {@link java.security.cert.X509CRL X509CRL} objects. May be
-     *         empty but never null.
      */
-    private final Collection findCRLs(X509CRLStoreSelector crlSelect,
-        List crlStores) throws AnnotatedException
+    private static void findCRLs(HashSet crls, X509CRLStoreSelector crlSelect, List crlStores) throws AnnotatedException
     {
-        Set crls = new HashSet();
-        Iterator iter = crlStores.iterator();
-
         AnnotatedException lastException = null;
         boolean foundValidStore = false;
 
+        Iterator iter = crlStores.iterator();
         while (iter.hasNext())
         {
             Object obj = iter.next();
-
             if (obj instanceof X509Store)
             {
                 X509Store store = (X509Store)obj;
-
                 try
                 {
                     crls.addAll(store.getMatches(crlSelect));
@@ -123,14 +62,12 @@ class PKIXCRLUtil
                 }
                 catch (StoreException e)
                 {
-                    lastException = new AnnotatedException(
-                        "Exception searching in X.509 CRL store.", e);
+                    lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e);
                 }
             }
             else
             {
                 CertStore store = (CertStore)obj;
-
                 try
                 {
                     crls.addAll(store.getCRLs(crlSelect));
@@ -138,8 +75,7 @@ class PKIXCRLUtil
                 }
                 catch (CertStoreException e)
                 {
-                    lastException = new AnnotatedException(
-                        "Exception searching in X.509 CRL store.", e);
+                    lastException = new AnnotatedException("Exception searching in X.509 CRL store.", e);
                 }
             }
         }
@@ -147,7 +83,5 @@ class PKIXCRLUtil
         {
             throw lastException;
         }
-        return crls;
     }
-
-}
\ No newline at end of file
+}
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java
index 5d891968d..38a83a50c 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/PKIXCertPathReviewer.java
@@ -75,6 +75,7 @@ import com.fr.third.org.bouncycastle.jce.provider.PKIXNameConstraintValidator;
 import com.fr.third.org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException;
 import com.fr.third.org.bouncycastle.jce.provider.PKIXPolicyNode;
 import com.fr.third.org.bouncycastle.util.Integers;
+import com.fr.third.org.bouncycastle.util.Objects;
 
 /**
  * PKIXCertPathReviewer
    
@@ -95,6 +96,7 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
 
     protected PKIXParameters pkixParams;
 
+    protected Date currentDate;
     protected Date validDate;
 
     // state variables
@@ -152,7 +154,8 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
 
         // b)
 
-        validDate = getValidDate(pkixParams);
+        currentDate = new Date();
+        validDate = getValidityDate(pkixParams, currentDate);
 
         // c) part of pkixParams
 
@@ -699,7 +702,7 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
         // validation date
         {
             ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.certPathValidDate",
-                    new Object[] {new TrustedInput(validDate), new TrustedInput(new Date())});
+                    new Object[] {new TrustedInput(validDate), new TrustedInput(currentDate)});
             addNotification(msg);
         }
         
@@ -2044,13 +2047,13 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
         Iterator crl_iter;
         try 
         {
-            Collection crl_coll = CRL_UTIL.findCRLs(crlselect, paramsPKIX);
+            Collection crl_coll = PKIXCRLUtil.findCRLs(crlselect, paramsPKIX);
             crl_iter = crl_coll.iterator();
             
             if (crl_coll.isEmpty())
             {
-                // notifcation - no local crls found
-                crl_coll = CRL_UTIL.findCRLs(new X509CRLStoreSelector(),paramsPKIX);
+                // notification - no local crls found
+                crl_coll = PKIXCRLUtil.findCRLs(new X509CRLStoreSelector(),paramsPKIX);
                 Iterator it = crl_coll.iterator();
                 List nonMatchingCrlNames = new ArrayList();
                 while (it.hasNext())
@@ -2065,7 +2068,6 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
                             Integers.valueOf(numbOfCrls)});
                 addNotification(msg,index);
             }
-
         }
         catch (AnnotatedException ae)
         {
@@ -2074,35 +2076,35 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
             addError(msg,index);
             crl_iter = new ArrayList().iterator();
         }
+
         boolean validCrlFound = false;
         X509CRL crl = null;
         while (crl_iter.hasNext())
         {
             crl = (X509CRL)crl_iter.next();
-            
-            if (crl.getNextUpdate() == null
-                || paramsPKIX.getDate().before(crl.getNextUpdate()))
+
+            Date thisUpdate = crl.getThisUpdate();
+            Date nextUpdate = crl.getNextUpdate();
+            Object[] arguments = new Object[]{ new TrustedInput(thisUpdate), new TrustedInput(nextUpdate) };
+
+            if (nextUpdate == null || validDate.before(crl.getNextUpdate()))
             {
                 validCrlFound = true;
-                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
-                        "CertPathReviewer.localValidCRL",
-                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
+                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localValidCRL", arguments);
                 addNotification(msg,index);
                 break;
             }
-            else
-            {
-                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
-                        "CertPathReviewer.localInvalidCRL",
-                        new Object[] {new TrustedInput(crl.getThisUpdate()), new TrustedInput(crl.getNextUpdate())});
-                addNotification(msg,index);
-            }
+
+            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.localInvalidCRL", arguments);
+            addNotification(msg,index);
         }
-        
+
         // if no valid crl was found in the CertStores try to get one from a
         // crl distribution point
         if (!validCrlFound)
         {
+            X500Principal certIssuer = cert.getIssuerX500Principal();
+
             X509CRL onlineCRL = null;
             Iterator urlIt = crlDistPointUrls.iterator();
             while (urlIt.hasNext())
@@ -2113,40 +2115,36 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
                     onlineCRL = getCRL(location);
                     if (onlineCRL != null)
                     {
+                        X500Principal crlIssuer = onlineCRL.getIssuerX500Principal();
+
                         // check if crl issuer is correct
-                        if (!cert.getIssuerX500Principal().equals(onlineCRL.getIssuerX500Principal()))
+                        if (!certIssuer.equals(crlIssuer))
                         {
-                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
-                                        "CertPathReviewer.onlineCRLWrongCA",
-                                        new Object[] {new UntrustedInput(onlineCRL.getIssuerX500Principal().getName()),
-                                                      new UntrustedInput(cert.getIssuerX500Principal().getName()),
-                                                      new UntrustedUrlInput(location)});
+                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineCRLWrongCA",
+                                new Object[]{ new UntrustedInput(crlIssuer.getName()), new UntrustedInput(certIssuer.getName()),
+                                    new UntrustedUrlInput(location) });
                             addNotification(msg,index);
                             continue;
                         }
-                        
-                        if (onlineCRL.getNextUpdate() == null
-                            || pkixParams.getDate().before(onlineCRL.getNextUpdate()))
+
+                        Date thisUpdate = onlineCRL.getThisUpdate();
+                        Date nextUpdate = onlineCRL.getNextUpdate();
+                        Object[] arguments = new Object[]{ new TrustedInput(thisUpdate), new TrustedInput(nextUpdate),
+                            new UntrustedUrlInput(location) };
+
+                        if (nextUpdate == null || validDate.before(nextUpdate))
                         {
                             validCrlFound = true;
-                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
-                                    "CertPathReviewer.onlineValidCRL",
-                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
-                                                  new TrustedInput(onlineCRL.getNextUpdate()),
-                                                  new UntrustedUrlInput(location)});
-                            addNotification(msg,index);
+                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineValidCRL",
+                                arguments);
+                            addNotification(msg, index);
                             crl = onlineCRL;
                             break;
                         }
-                        else
-                        {
-                            ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,
-                                    "CertPathReviewer.onlineInvalidCRL",
-                                    new Object[] {new TrustedInput(onlineCRL.getThisUpdate()),
-                                                  new TrustedInput(onlineCRL.getNextUpdate()),
-                                                  new UntrustedUrlInput(location)});
-                            addNotification(msg,index);
-                        }
+
+                        ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.onlineInvalidCRL",
+                            arguments);
+                        addNotification(msg, index);
                     }
                 }
                 catch (CertPathReviewerException cpre)
@@ -2242,11 +2240,12 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
             //
             // warn if a new crl is available
             //
-            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(pkixParams.getDate()))
+            Date nextUpdate = crl.getNextUpdate();
+            if (!(nextUpdate == null || validDate.before(nextUpdate)))
             {
-                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.crlUpdateAvailable",
-                        new Object[] {new TrustedInput(crl.getNextUpdate())});
-                addNotification(msg,index);
+                ErrorBundle msg = new ErrorBundle(RESOURCE_NAME, "CertPathReviewer.crlUpdateAvailable",
+                    new Object[]{ new TrustedInput(nextUpdate) });
+                addNotification(msg, index);
             }
             
             //
@@ -2302,7 +2301,7 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
                 Iterator it;
                 try 
                 {
-                    it  = CRL_UTIL.findCRLs(baseSelect, paramsPKIX).iterator();
+                    it  = PKIXCRLUtil.findCRLs(baseSelect, paramsPKIX).iterator();
                 }
                 catch (AnnotatedException ae)
                 {
@@ -2323,25 +2322,14 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
                         ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.distrPtExtError");
                         throw new CertPathReviewerException(msg,ae);
                     }
-                    
-                    if (idp == null)
-                    {
-                        if (baseIdp == null)
-                        {
-                            foundBase = true;
-                            break;
-                        }
-                    }
-                    else
+
+                    if (Objects.areEqual(idp, baseIdp))
                     {
-                        if (idp.equals(baseIdp))
-                        {
-                            foundBase = true;
-                            break;
-                        }
+                        foundBase = true;
+                        break;
                     }
                 }
-                
+
                 if (!foundBase)
                 {
                     ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noBaseCRL");
@@ -2388,7 +2376,6 @@ public class PKIXCertPathReviewer extends CertPathValidatorUtilities
             ErrorBundle msg = new ErrorBundle(RESOURCE_NAME,"CertPathReviewer.noValidCrlFound");
             throw new CertPathReviewerException(msg);
         }
-    
     }
     
     protected Vector getCRLDistUrls(CRLDistPoint crlDistPoints)
diff --git a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java
index 6074a4b7b..b7ef10c4a 100644
--- a/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java
+++ b/fine-bouncycastle/src/main/java/com/fr/third/org/bouncycastle/x509/util/LDAPStoreHelper.java
@@ -56,7 +56,7 @@ import com.fr.third.org.bouncycastle.x509.X509CertificatePair;
  * 
    
  * For the used schemes see:
  *