In the Devoxx presentation "Prepare for JDK9", the strategy for encapsulating "sun.* " packages is discussed.

The class sun.security.SunPkcs11 is not listed on slide 16 ("Uses of JDK-internal APIs"), but as the rest of sun.security.* is listed as "Non-critical, no replacement planned", will this also be case for SunPKCS11?

As far as I know there is no alternative security Provider for integrating with PKCS11 aside from rolling your own jni code or using vendor-specific apis.

We rely on SunPKCS for interfacing with an HSM and belgian e-id smartcard. And even though we are aware that touching sun.* is frowned upon, first search hit on "java pkcs11" gives following page: https://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html . With such elaborate documentation, you can't really blame devs to actually use this functionality :) .

Is there an alternative to SunPKCS11 or am I overlooking something?

Thanks for your response,

Glen Vermeylen