Building sunpkcs11.jar

Valerie (Yu-Ching) Peng valerie.peng at
Fri May 25 23:50:14 UTC 2012

There is no such flag; otherwise it'd be an easy way to circumvent 
existing checks for enforcing export/import control.
Cryptographic vendors who develop JCE providers can apply for JCE code 
signing certificates through a process documented in the JCE guide.

The easiest route may be just to test against your OpenJDK build since 
the JCE framework in the OpenJDK can accept unsigned providers.

On 05/25/12 15:13, Deneau, Tom wrote:
> Valerie --
> I don't believe we have a JCE code signing keypair (where would we have gotten one?)
> Is there any test flag that tells the Oracle 7u4 jre to not require a signed crypto provider
> -- Tom
> -----Original Message-----
> From: Valerie (Yu-Ching) Peng [mailto:valerie.peng at]
> Sent: Friday, May 25, 2012 12:11 PM
> To: Deneau, Tom
> Cc: build-dev at
> Subject: Re: Building sunpkcs11.jar
> The provider built from OpenJDK workspace is unsigned.
> It can't be used with Oracle 7u4 JRE which require crypto provider to be
> signed for export/import conformance.
> If Your company has a JCE code signing keypair, you can sign the
> provider built using OpenJDK with that keypair and then use it w/ Oracle
> 7u4 JRE.
> Thanks,
> Valerie
> On 05/23/12 08:54, Deneau, Tom wrote:
>> I want to be able to modify and rebuild lib/ext/sunpkcs11.jar.
>> When I do a "make all; make images" everything completes successfully.
>> With javap, I can see my modified class in the build/linux-amd64/j2sdk-image/jre/lib/ext
>> When I use this built ext directory as a replacement of the Oracle 7U4 JRE, and run some code that does
>> 	  KeyGenerator gen = KeyGenerator.getInstance("AES");
>> I get
>>         Test1, AES KeyGenerator not available
>> 	at javax.crypto.KeyGenerator.<init>(
>> 	at javax.crypto.KeyGenerator.getInstance(
>> This code runs successfully with the regular Oracle 7U4 JRE.
>> Am I missing something in the build process?
>> -- Tom Deneau

More information about the build-dev mailing list