Please take a review at http://cr.openjdk.java.net/~weijun/8170732/webrev.00/
According to https://tools.ietf.org/html/rfc4752#section-3.1: The client then constructs data, with the first octet containing the bit-mask specifying the selected security layer, the second through fourth octets containing in network byte order the maximum size output_message the client is able to receive (which MUST be 0 if the client does not support any security layer), A test is modified to check this case. Please note that when there is no security layer, you cannot call wrap/unwrap anymore. Thanks Max