JEP260 -- Impact on SunPKCS11?

Vincent Ryan vincent.x.ryan at oracle.com
Mon Nov 16 15:30:00 UTC 2015


Hello Glen,

JCE providers are always accessed via the Java SE public APIs and not directly via sun.* implementation classes.
In JDK 9, the SunPKCS11 provider continues to be accessible via those APIs. Its implementation classes are present
in the jdk.crypto.pkcs11 module.

Thanks.


> On 16 Nov 2015, at 15:21, Chris Hegarty <chris.hegarty at oracle.com> wrote:
> 
> Including the security-dev mailing list.
> 
> -Chris.
> 
> On 16/11/15 12:13, glen.vermeylen at telenet.be wrote:
>> In the Devoxx presentation "Prepare for JDK9", the strategy for
>> encapsulating "sun.* " packages is discussed.
>> The class sun.security.SunPkcs11 is not listed on slide 16 ("Uses of
>> JDK-internal APIs"), but as the rest of sun.security.* is listed as
>> "Non-critical, no replacement planned", will this also be the case for
>> SunPKCS11?
>> As far as I know there is no alternative security Provider for
>> integrating with PKCS11 aside from rolling your own JNI code or using
>> vendor-specific APIs.
>> 
>> We rely on SunPKCS for interfacing with an HSM and Belgian e-id
>> smartcard. And even though we are aware that touching sun.* is frowned
>> upon, first search hit on "java pkcs11" gives following page:
>> https://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html
>> . With such elaborate documentation, you can't really blame devs for
>> actually using this functionality :) .
>> 
>> Is there an alternative to SunPKCS11 or am I overlooking something?
>> 
>> Thanks for your response,
>> Glen Vermeylen
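
Added example, not part of the original thread: reaching SunPKCS11 through the public java.security API on JDK 9 or later, with no import of sun.security.pkcs11.*. The class name and the configuration file passed as the first argument are assumptions; that file must point at your token vendor's PKCS#11 library.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;

// Hypothetical class name. The argument is a SunPKCS11 configuration file, e.g.
//   name = Token
//   library = /path/to/vendor-pkcs11.so    (placeholder path)
public class Pkcs11ViaPublicApi {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java Pkcs11ViaPublicApi <pkcs11-config-file>");
            System.exit(2);
        }
        // Look the provider up by name instead of instantiating the sun.* class.
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) {
            System.err.println("SunPKCS11 is not available in this runtime");
            System.exit(1);
        }
        // Provider.configure(String) (Java 9+) returns an instance bound to the config.
        Provider p11 = base.configure(args[0]);
        Security.addProvider(p11);

        Console console = System.console();
        if (console == null) {
            System.err.println("no console available to read the token PIN");
            System.exit(1);
        }
        char[] pin = console.readPassword("Token PIN: ");
        try {
            // The token is exposed as a KeyStore of type "PKCS11"; keys stay on the device.
            KeyStore ks = KeyStore.getInstance("PKCS11", p11);
            ks.load(null, pin);
            for (String alias : Collections.list(ks.aliases())) {
                String kind = ks.isKeyEntry(alias) ? "key" : "certificate";
                System.out.println(alias + " -> " + kind);
            }
        } finally {
            Arrays.fill(pin, '\0'); // do not leave the PIN in memory longer than needed
        }
    }
}
```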



