diff --git a/WORKSPACE b/WORKSPACE
index 4cf5e7283d6aeec35b2c700e4b1478e4d298f44f..1834866b9c168a715b568209f7a04ed84bb021a7 100644
--- a/WORKSPACE
+++ b/WORKSPACE
@@ -510,8 +510,8 @@ java_import_external(
 
 http_archive(
     name = "build_bazel_rules_apple",
-    strip_prefix = "rules_apple-master",
-    url = "https://github.com/bazelbuild/rules_apple/archive/master.zip",
+    strip_prefix = "rules_apple-a2b620070d373e4f265194b69f65e9e5c17fbcb8",
+    url = "https://github.com/bazelbuild/rules_apple/archive/a2b620070d373e4f265194b69f65e9e5c17fbcb8.zip",
 )
 
 load("@io_bazel_rules_go//go:def.bzl", "go_rules_dependencies", "go_register_toolchains")
diff --git a/apps/rewardedads/java/BUILD b/apps/rewardedads/java/BUILD
index 9f71a1739f582cab867a0c760844d1be23bc1163..2c181819f4657a0dd2c368dc92500a22112037a6 100644
--- a/apps/rewardedads/java/BUILD
+++ b/apps/rewardedads/java/BUILD
@@ -12,7 +12,7 @@ java_library(
     javacopts = JAVACOPTS,
     deps = [
         "//java",
-        "@com_google_http_client//:com_google_http_client",
+        "@com_google_http_client",
         "@org_json//jar",
     ],
 )
@@ -28,7 +28,7 @@ java_library(
     deps = [
         ":java",
         "//java:testonly",
-        "@com_google_http_client//:com_google_http_client",
+        "@com_google_http_client",
         "@junit",
         "@org_json//jar",
     ],
diff --git a/go/tink/BUILD b/go/tink/BUILD
index 02f5bced1414142b395e42e42cd1e3e652c75a95..8fa6c659b681327818a5aaa4c71e9cd38e67d11b 100644
--- a/go/tink/BUILD
+++ b/go/tink/BUILD
@@ -76,9 +76,6 @@ go_test(
     srcs = TINK_INTERNAL_TEST_SRCS,
     importpath = "github.com/google/tink/go/tink/tink_test",
     library = ":tink",
-    deps = [
-        "//go/signature",
-    ],
 )
 
 # primitives only
diff --git a/go/tink/keyset_handle_test.go b/go/tink/keyset_handle_test.go
index 83386f5aa55b843b9dc41334020aaccd5b66e47e..71645aadd43d434dadc6f144bb696e14183aea8a 100644
--- a/go/tink/keyset_handle_test.go
+++ b/go/tink/keyset_handle_test.go
@@ -17,7 +17,6 @@
 package tink
 
 import (
-	"github.com/google/tink/go/signature/signature"
 	"github.com/google/tink/go/util/util"
 	tinkpb "github.com/google/tink/proto/tink_go_proto"
 	"testing"
@@ -60,47 +59,3 @@ func TestNewKeysetHandleWithInvalidInput(t *testing.T) {
 		t.Errorf("unexpected error: %s", err)
 	}
 }
-
-func TestGetPublicKeysetHandleBasic(t *testing.T) {
-	Registry().RegisterKeyManager(signature.NewEcdsaSignKeyManager())
-	Registry().RegisterKeyManager(signature.NewEcdsaVerifyKeyManager())
-
-	template := signature.EcdsaP256KeyTemplate()
-	privHandle, err := CleartextKeysetHandle().GenerateNew(template)
-	if err != nil {
-		t.Errorf("unexpected error: %s", err)
-	}
-	privKeyset := privHandle.keyset
-	pubHandle, err := privHandle.GetPublicKeysetHandle()
-	if err != nil {
-		t.Errorf("getting public keyset handle failed: %s", err)
-	}
-	pubKeyset := pubHandle.keyset
-	// check Keyset's params
-	if len(pubKeyset.Key) != 1 {
-		t.Errorf("incorrect number of keys in the keyset handle: %s", len(pubHandle.keyset.Key))
-	}
-	if pubKeyset.PrimaryKeyId != privKeyset.PrimaryKeyId {
-		t.Errorf("incorrect primary key id")
-	}
-	// check Keyset_Key's params
-	pubKey := pubKeyset.Key[0]
-	privKey := privKeyset.Key[0]
-	if pubKey.OutputPrefixType != privKey.OutputPrefixType {
-		t.Errorf("incorrect output prefix type")
-	}
-	if pubKey.Status != privKey.Status {
-		t.Errorf("incorrect key status")
-	}
-	if pubKey.KeyId != privKey.KeyId {
-		t.Errorf("incorrect key id")
-	}
-	// check KeyData's params
-	pubKeyData := pubKey.KeyData
-	if pubKeyData.TypeUrl != signature.ECDSA_VERIFY_TYPE_URL {
-		t.Errorf("incorrect typeurl")
-	}
-	if pubKeyData.KeyMaterialType != tinkpb.KeyData_ASYMMETRIC_PUBLIC {
-		t.Errorf("incorrect key material type")
-	}
-}
diff --git a/java/src/test/java/com/google/crypto/tink/hybrid/RegistryEciesAeadHkdfDemHelperTest.java b/java/src/test/java/com/google/crypto/tink/hybrid/RegistryEciesAeadHkdfDemHelperTest.java
index d1314e1a34641541c16b728d3b51f9591ac1048a..244399b9acf3d2a69162552e790d8f80f0454938 100644
--- a/java/src/test/java/com/google/crypto/tink/hybrid/RegistryEciesAeadHkdfDemHelperTest.java
+++ b/java/src/test/java/com/google/crypto/tink/hybrid/RegistryEciesAeadHkdfDemHelperTest.java
@@ -30,36 +30,70 @@ import com.google.crypto.tink.signature.SignatureKeyTemplates;
 import com.google.crypto.tink.subtle.Random;
 import java.nio.charset.Charset;
 import java.security.GeneralSecurityException;
+import javax.crypto.Cipher;
 import org.junit.Before;
 import org.junit.Test;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
 
-/**
- * Tests for RegistryEciesAeadHkdfDemHelper.
- */
+/** Tests for RegistryEciesAeadHkdfDemHelper. */
 @RunWith(JUnit4.class)
 public class RegistryEciesAeadHkdfDemHelperTest {
   private static final Charset UTF_8 = Charset.forName("UTF-8");
 
+  private KeyTemplate[] keyTemplates;
+
   @Before
   public void setUp() throws Exception {
     Config.register(AeadConfig.TINK_1_0_0);
+
+    if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
+      System.out.println(
+          "Unlimited Strength Jurisdiction Policy Files are required"
+              + " but not installed. Skip tests with keys larger than 128 bits.");
+      keyTemplates =
+          new KeyTemplate[] {AeadKeyTemplates.AES128_GCM, AeadKeyTemplates.AES128_CTR_HMAC_SHA256};
+    } else {
+      keyTemplates =
+          new KeyTemplate[] {
+            AeadKeyTemplates.AES128_GCM,
+            AeadKeyTemplates.AES256_GCM,
+            AeadKeyTemplates.AES128_CTR_HMAC_SHA256,
+            AeadKeyTemplates.AES256_CTR_HMAC_SHA256
+          };
+    }
   }
 
   @Test
-  public void testConstructor() throws Exception {
+  public void testConstructorWith128BitCiphers() throws Exception {
     RegistryEciesAeadHkdfDemHelper helper;
 
     // Supported templates.
     helper = new RegistryEciesAeadHkdfDemHelper(AeadKeyTemplates.AES128_GCM);
     assertEquals(16, helper.getSymmetricKeySizeInBytes());
-    helper = new RegistryEciesAeadHkdfDemHelper(AeadKeyTemplates.AES256_GCM);
-    assertEquals(32, helper.getSymmetricKeySizeInBytes());
     helper = new RegistryEciesAeadHkdfDemHelper(AeadKeyTemplates.AES128_CTR_HMAC_SHA256);
     assertEquals(48, helper.getSymmetricKeySizeInBytes());
+  }
+
+  @Test
+  public void testConstructorWith256BitCiphers() throws Exception {
+    if (Cipher.getMaxAllowedKeyLength("AES") < 256) {
+      System.out.println(
+          "Unlimited Strength Jurisdiction Policy Files are required"
+              + " but not installed. Skip tests with keys larger than 128 bits.");
+      return;
+    }
+    // Supported templates.
+    RegistryEciesAeadHkdfDemHelper helper =
+        new RegistryEciesAeadHkdfDemHelper(AeadKeyTemplates.AES256_GCM);
+    assertEquals(32, helper.getSymmetricKeySizeInBytes());
     helper = new RegistryEciesAeadHkdfDemHelper(AeadKeyTemplates.AES256_CTR_HMAC_SHA256);
     assertEquals(64, helper.getSymmetricKeySizeInBytes());
+  }
+
+  @Test
+  public void testConstructorWithUnsupportedTemplates() throws Exception {
+    RegistryEciesAeadHkdfDemHelper helper;
 
     // Unsupported templates.
     int templateCount = 4;
@@ -83,10 +117,11 @@ public class RegistryEciesAeadHkdfDemHelperTest {
     assertEquals(templateCount, count);
 
     // An inconsistent template.
-    KeyTemplate template = KeyTemplate.newBuilder()
-        .setTypeUrl(AeadKeyTemplates.AES128_CTR_HMAC_SHA256.getTypeUrl())
-        .setValue(SignatureKeyTemplates.ECDSA_P256.getValue())
-        .build();
+    KeyTemplate template =
+        KeyTemplate.newBuilder()
+            .setTypeUrl(AeadKeyTemplates.AES128_CTR_HMAC_SHA256.getTypeUrl())
+            .setValue(SignatureKeyTemplates.ECDSA_P256.getValue())
+            .build();
     try {
       helper = new RegistryEciesAeadHkdfDemHelper(template);
       fail("Inconsistent template, should have thrown exception:\n" + template.toString());
@@ -97,17 +132,10 @@ public class RegistryEciesAeadHkdfDemHelperTest {
 
   @Test
   public void testGetAead() throws Exception {
-    int templateCount = 4;
-    KeyTemplate[] templates = new KeyTemplate[templateCount];
-    templates[0] = AeadKeyTemplates.AES128_GCM;
-    templates[1] = AeadKeyTemplates.AES256_GCM;
-    templates[2] = AeadKeyTemplates.AES128_CTR_HMAC_SHA256;
-    templates[3] = AeadKeyTemplates.AES256_CTR_HMAC_SHA256;
-
     byte[] plaintext = "some plaintext string".getBytes(UTF_8);
     byte[] associatedData = "some associated data".getBytes(UTF_8);
     int count = 0;
-    for (KeyTemplate template : templates) {
+    for (KeyTemplate template : keyTemplates) {
       RegistryEciesAeadHkdfDemHelper helper = new RegistryEciesAeadHkdfDemHelper(template);
       byte[] symmetricKey = Random.randBytes(helper.getSymmetricKeySizeInBytes());
       Aead aead = helper.getAead(symmetricKey);
@@ -136,6 +164,6 @@ public class RegistryEciesAeadHkdfDemHelperTest {
       }
       count++;
     }
-    assertEquals(templateCount, count);
+    assertEquals(keyTemplates.length, count);
   }
 }
diff --git a/java/src/test/java/com/google/crypto/tink/subtle/DaeadThreadSafetyTest.java b/java/src/test/java/com/google/crypto/tink/subtle/DaeadThreadSafetyTest.java
index 92b0393933ba6628a3ebb114e7e36ebb2fbe0f8a..90b492c1982873f0900648a67723848ff0bff3a0 100644
--- a/java/src/test/java/com/google/crypto/tink/subtle/DaeadThreadSafetyTest.java
+++ b/java/src/test/java/com/google/crypto/tink/subtle/DaeadThreadSafetyTest.java
@@ -140,7 +140,13 @@ public class DaeadThreadSafetyTest {
   @Test
   public void testAesSiv256() throws Exception {
     byte[] key = Random.randBytes(64);
-    AesSiv siv = new AesSiv(key);
+    AesSiv siv;
+    try {
+      siv = new AesSiv(key);
+    } catch (GeneralSecurityException ex) {
+      System.out.println("Skipping test: AES-SIV with 256 bit AES keys is not supported.");
+      return;
+    }
     testEncryptionDecryption(siv, 5, 128, 20);
   }
 }
diff --git a/kokoro/run_tests.sh b/kokoro/run_tests.sh
index 786001f1ba874602f11177c99f6b360635de2638..fc8c655b9bd5088c525ab83f0823e04219b78996 100755
--- a/kokoro/run_tests.sh
+++ b/kokoro/run_tests.sh
@@ -26,10 +26,7 @@ rm -f ~/.bazelrc
 
 PLATFORM=`uname | tr '[:upper:]' '[:lower:]'`
 
-# Using Bazel at commit 88157011af4ddac21e404e9deea0d78668a71a99.
-# In this version, {java,cc}_proto_library now look for dependencies in
-# @com_google_protobuf, instead of in @com_google_protobuf_$LANG.
-# See https://github.com/cgrushko/proto_library/issues/4.
+# Using Bazel 0.9.0.
 BAZEL_BIN="${KOKORO_GFILE_DIR}/bazel-${PLATFORM}-x86_64"
 
 DISABLE_SANDBOX="--strategy=GenRule=standalone --strategy=Turbine=standalone \
@@ -45,6 +42,9 @@ ${BAZEL_BIN} version
 echo "using java binary: " `which java`
 java -version
 
+echo "using go: " `which go`
+go version
+
 run_linux_tests() {
   time ${BAZEL_BIN} fetch ...
 
diff --git a/tools/testing/cross_language/aead_test.sh b/tools/testing/cross_language/aead_test.sh
index 3473c057218e0b21145b1b9656d8f4cec1372f3e..2fb09a99ce7bcf0939efa00a29b26208a4ff1830 100755
--- a/tools/testing/cross_language/aead_test.sh
+++ b/tools/testing/cross_language/aead_test.sh
@@ -5,7 +5,7 @@ CC_AEAD_CLI="$ROOT_DIR/tools/testing/cc/aead_cli_cc"
 JAVA_AEAD_CLI="$ROOT_DIR/tools/testing/aead_cli_java"
 TEST_UTIL="$ROOT_DIR/tools/testing/cross_language/test_util.sh"
 
-KEY_TEMPLATES=(AES128_GCM.ascii AES256_GCM.ascii AES128_CTR_HMAC_SHA256.ascii AES256_CTR_HMAC_SHA256.ascii)
+KEY_TEMPLATES=(AES128_GCM.ascii AES128_CTR_HMAC_SHA256.ascii)
 
 source $TEST_UTIL || exit 1