authorstevel@tonic-gate <none@none>2005-06-14 00:00:00 -0700
committerstevel@tonic-gate <none@none>2005-06-14 00:00:00 -0700
commit7c478bd95313f5f23a4c958a745db2134aa03244 (patch)
treec871e58545497667cbb4b0a4f2daf204743e1fe7 /usr/src/lib/libcryptoutil
OpenSolaris Launch
Diffstat (limited to 'usr/src/lib/libcryptoutil')
-rw-r--r--usr/src/lib/libcryptoutil/Makefile54
-rw-r--r--usr/src/lib/libcryptoutil/Makefile.com57
-rw-r--r--usr/src/lib/libcryptoutil/README232
-rw-r--r--usr/src/lib/libcryptoutil/amd64/Makefile34
-rw-r--r--usr/src/lib/libcryptoutil/common/config_parsing.c379
-rw-r--r--usr/src/lib/libcryptoutil/common/cryptoutil.h134
-rw-r--r--usr/src/lib/libcryptoutil/common/debug.c149
-rw-r--r--usr/src/lib/libcryptoutil/common/llib-lcryptoutil32
-rw-r--r--usr/src/lib/libcryptoutil/common/mechkeytype.c291
-rw-r--r--usr/src/lib/libcryptoutil/common/mechstr.c307
-rw-r--r--usr/src/lib/libcryptoutil/common/pkcserror.c309
-rw-r--r--usr/src/lib/libcryptoutil/common/tohexstr.c54
-rw-r--r--usr/src/lib/libcryptoutil/i386/Makefile31
-rw-r--r--usr/src/lib/libcryptoutil/sparc/Makefile31
-rw-r--r--usr/src/lib/libcryptoutil/sparcv9/Makefile34
-rw-r--r--usr/src/lib/libcryptoutil/spec/Makefile28
-rw-r--r--usr/src/lib/libcryptoutil/spec/Makefile.targ31
-rw-r--r--usr/src/lib/libcryptoutil/spec/amd64/Makefile43
-rw-r--r--usr/src/lib/libcryptoutil/spec/cryptoutil.spec104
-rw-r--r--usr/src/lib/libcryptoutil/spec/i386/Makefile42
-rw-r--r--usr/src/lib/libcryptoutil/spec/sparc/Makefile42
-rw-r--r--usr/src/lib/libcryptoutil/spec/sparcv9/Makefile43
-rw-r--r--usr/src/lib/libcryptoutil/spec/versions38
23 files changed, 2499 insertions, 0 deletions
diff --git a/usr/src/lib/libcryptoutil/Makefile b/usr/src/lib/libcryptoutil/Makefile
new file mode 100644
index 0000000000..687e767a20
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/Makefile
@@ -0,0 +1,54 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+
+include $(SRC)/lib/Makefile.lib
+
+HDRS= cryptoutil.h
+HDRDIR= common
+SUBDIRS= $(MACH)
+$(BUILD64)SUBDIRS += $(MACH64)
+
+all := TARGET= all
+clean := TARGET= clean
+clobber := TARGET= clobber
+install := TARGET= install
+lint := TARGET= lint
+
+.KEEP_STATE:
+
+all clean clobber install lint: spec .WAIT $(SUBDIRS)
+
+install_h: $(ROOTHDRS)
+
+check: $(CHECKHDRS)
+
+spec $(SUBDIRS): FRC
+ @cd $@; pwd; $(MAKE) $(TARGET)
+
+FRC:
+
+include $(SRC)/lib/Makefile.targ
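Review bot: The recursion recipe for `spec $(SUBDIRS)` chains its commands with `;`, so a failed `cd $@` does not stop the line and `$(MAKE) $(TARGET)` then runs in the current directory, re-entering this same Makefile. Chaining with `&&` makes a missing or unreadable subdirectory fail the build at once: `@cd $@ && pwd && $(MAKE) $(TARGET)`. A one-line comment above the rule saying that the empty `FRC` target forces the descent on every run would also help readers new to this idiom.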
diff --git a/usr/src/lib/libcryptoutil/Makefile.com b/usr/src/lib/libcryptoutil/Makefile.com
new file mode 100644
index 0000000000..716bd94b1e
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/Makefile.com
@@ -0,0 +1,57 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+
+LIBRARY= libcryptoutil.a
+VERS= .1
+
+OBJECTS= \
+ debug.o \
+ mechstr.o \
+ config_parsing.o \
+ tohexstr.o \
+ mechkeytype.o\
+ pkcserror.o
+
+include $(SRC)/lib/Makefile.lib
+
+SRCDIR= ../common
+
+LIBS = $(DYNLIB) $(LINTLIB)
+SRCS= $(OBJECTS:%.o=../common/%.c)
+$(LINTLIB) := SRCS = $(SRCDIR)/$(LINTSRC)
+LDLIBS += -lc
+
+CFLAGS += $(CCVERBOSE)
+CPPFLAGS += -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -I$(SRCDIR)
+LINTFLAGS64 += -errchk=longptr64
+
+all: $(LIBS)
+
+lint: lintcheck
+
+include $(SRC)/lib/Makefile.targ
diff --git a/usr/src/lib/libcryptoutil/README b/usr/src/lib/libcryptoutil/README
new file mode 100644
index 0000000000..271fc6407e
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/README
@@ -0,0 +1,232 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+
+This is an internal library for use only by:
+ usr/src/cmd/cmd-crypto
+ usr/src/lib/pkcs11
+
+The library and the header file are installed into the proto area but
+are not included in any pacakges.
+
+
+ libcryptoutil Design
+
+1. Introduction
+
+There are a number of common code components and general utility functions
+needed that are shared by various userland parts of the crypto framework.
+
+The originally approved ARC materials (PSARC/2001/488 & PSARC/2001/553)
+didn't have a library that was included by all user land libraries,
+plugins and commands.
+
+The solution to this is to follow what other project teams have done in the
+past and create a project private util library.
+
+2. Contents
+
+Any code that is generic enough to be shared by multiple parts of the
+user crypto framework is eligible.
+
+The current contents are:
+
+2.1 Error & Debug Functions
+
+ cryptodebug_init(),
+ cryptodebug()
+ cryptoerror()
+
+These functions log debug or error information to stderr and/or
+syslog or a file. Debug is off by default but the code is always
+compiled in.
+
+The cryptodebug_init() routine allows the caller to set a message
+prefix for error and debug output.
+
+The environment variable SUNW_CRYPTO_DEBUG determines wither or not
+debug output is generated at run time, valid values are "syslog" or "stderr"
+
+For example elfsign(1) could do:
+
+ cryptodebug_init("elfsign");
+
+and later:
+ cryptoerror(LOG_STDERR, gettext("invalid number of arguments"));
+
+This would cause an error message on stderr thus:
+
+ "elfsign: invalid number of arguments"
+
+The first argument to cryptoerror is either LOG_STDERR or a syslog(3c)
+priority. All messages include the PID and are logged at LOG_USER.
+
+for debug output:
+
+ cryptodebug("scmd=request opts=%s", opts);
+
+This would go to the location defined by $SUNW_CRYPTO_DEBUG, ie
+syslog, stderr or not be generated at all.
+
+2.2 PKCS#11 Mechanism Type to and from Strings
+
+ pkcs11_mech2str() and pkcs11_str2mech()
+
+These functions use a table built at compile time from the contents of
+the pkcs11t.h file to map mechanism numbers to the corresponding string
+value.
+
+pkcs11_mech2str() returns a pointer to a string that should be free(3c)'d
+by the caller.
+
+Consumers:
+
+ digest(1), mac(1), encrypt(1), decrypt(1) for translating
+ command line args to mech numbers. They will need to
+ add the "CKM_" prefix before calling pkc11_str2mech()
+
+ cryptoadm(1m) for output to user, and for storing in pkcs11.conf
+ file.
+
+ Debug code.
+
+2.3 The "pkcs11.conf" configuration file Parsing code.
+
+The "pkcs11.conf" configuration file parsing code and data structures are
+shared between:
+ cryptoadm(1m), libpkcs11(3crypto).
+
+2.3.1 Data Structures:
+
+ #define MECH_ID_HEX_LEN 11 /* length of mechanism id in hex form */
+
+ typedef char libname_t[MAXPATHLEN];
+ typedef char midstr_t[MECH_ID_HEX_LEN];
+
+ /* The policy list for an entry in the config file */
+ typedef struct umechlist {
+ midstr_t name;
+ struct umechlist *next;
+ } umechlist_t;
+
+ /* An entry in the pkcs11.conf file */
+ typedef struct uentry {
+ libname_t name;
+ boolean_t flag_enabledlist; /* TRUE if an enabledlist */
+ umechlist_t *policylist; /* disabledlist or enabledlist */
+ int count;
+ } uentry_t;
+
+ /* The entry list for the entire pkcs11.conf file */
+ typedef struct uentrylist {
+ uentry_t *pent;
+ struct uentrylist *next;
+ } uentrylist_t;
+
+
+2.3.2 Functions:
+
+extern int get_pkcs11conf_info(uentrylist_t **ppliblist);
+$
+ Retrieve the user-level provider info from the pkcs11.conf file.
+ If successful, the result is returned from the ppliblist argument.
+ This function returns SUCCESS if successfully done; otherwise it returns
+ FAILURE. The caller should use free_uentrylist() to free the space
+ allocated for "ppliblist".
+
+extern umechlist_t *create_umech(char *mechname);
+
+ Create one item of type umechlist_t with the mechanism name in hex form.
+ A NULL is returned when the input name is NULL or the heap memory is
+ insufficient. The Caller should use free_umechlist() to free the space
+ allocated for the returning data.
+
+extern void free_uentrylist(uentrylist_t *ptr);
+
+ Free space allocated for an pointer to the struct "uentrylist_t".
+
+extern void free_uentry(uentry_t *ptr);
+
+ Free space allocated for an pointer to the struct "uentry_t".
+
+extern void free_umechlist(umechlist_t *ptr);
+
+ Free space allocated for an pointer to the struct "umechlist_t".
+
+2.4 PKCS#11 Mechanism Type to key type
+
+ pkcs11_mech2keytype()
+
+This function is used to get the key type for a mechanism.
+
+Consumers:
+
+ encrypt(1), decrypt(1), and libpkcs11(3crypto) for getting
+ the key type when creating an object for use with a
+ specific mechanism.
+
+2.5 PKCS#11 return code to string
+
+ pkcs11_strerror()
+
+This function returnes a string representation of any given PKCS11 return
+code.
+
+Consumer:
+
+ encrypt(1) and decrypt(1) uses this function for reporting errors.
+
+3. Non-Contents
+
+Code for cryptographic algorithms does not belong in here. That
+comes from usr/src/common/<algorithm> since it is shared between user and
+kernel.
+
+PKCS#11 header files although they are common to various parts of the
+user land framework come from usr/src/pkcs11/include
+
+4. Interface Taxonomy
+
+Everything in this library is Project Private or Internal. The
+exported symbols will all be marked as SUNWprivate_1.0 in the library
+spec file.
+
+5. Static vs Dynamic
+
+The initial design was to only use a static archive library to avoid
+exposing a new interface (even though it is all private). However while
+this is fine for initial delivery it creates difficulties later with
+patching. As such a Dynamic version will be build.
+
+Libraries for lint and header files will not be shipped in any Sun packages
+since this is all Project Private. Similarly the abi_ file will not be
+shipped even though a spec file will be used in the source gate.
+
+6. Library location
+
+At present all of the consumers of the library are in /usr/ so the
+library is /usr/lib/{sparcv9}/libcryptoutil.so.1. If kcfd ever moves
+to /lib/crypto/kcf as a result of PSARC/2002/117 allowing it, then
+libcryptoutil needs to move as well.
diff --git a/usr/src/lib/libcryptoutil/amd64/Makefile b/usr/src/lib/libcryptoutil/amd64/Makefile
new file mode 100644
index 0000000000..4720148af4
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/amd64/Makefile
@@ -0,0 +1,34 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+#
+
+include ../Makefile.com
+include ../../Makefile.lib.64
+
+.KEEP_STATE:
+
+install: all $(ROOTLIBS64) $(ROOTLINKS64) $(ROOTLINT64)
diff --git a/usr/src/lib/libcryptoutil/common/config_parsing.c b/usr/src/lib/libcryptoutil/common/config_parsing.c
new file mode 100644
index 0000000000..09f9073b7c
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/config_parsing.c
@@ -0,0 +1,379 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <stdio.h>
+#include <errno.h>
+#include <strings.h>
+#include <locale.h>
+#include <stdlib.h>
+#include "cryptoutil.h"
+
+static int uef_interpret(char *, uentry_t **);
+static int parse_policylist(char *, uentry_t *);
+
+/*
+ * Retrieve the user-level provider info from the pkcs11.conf file.
+ * If successful, the result is returned from the ppliblist argument.
+ * This function returns SUCCESS if successfully done; otherwise it returns
+ * FAILURE.
+ */
+int
+get_pkcs11conf_info(uentrylist_t **ppliblist)
+{
+ FILE *pfile;
+ char buffer[BUFSIZ];
+ size_t len;
+ uentry_t *pent;
+ uentrylist_t *pentlist;
+ uentrylist_t *pcur;
+ int rc = SUCCESS;
+
+ *ppliblist = NULL;
+ if ((pfile = fopen(_PATH_PKCS11_CONF, "r")) == NULL) {
+ cryptoerror(LOG_ERR, "failed to open %s.\n", _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+
+ while (fgets(buffer, BUFSIZ, pfile) != NULL) {
+ if (buffer[0] == '#' || buffer[0] == ' ' ||
+ buffer[0] == '\n'|| buffer[0] == '\t') {
+ continue; /* ignore comment lines */
+ }
+
+ len = strlen(buffer);
+ if (buffer[len-1] == '\n') { /* get rid of trailing '\n' */
+ len--;
+ }
+ buffer[len] = '\0';
+
+ if ((rc = uef_interpret(buffer, &pent)) != SUCCESS) {
+ break;
+ }
+
+ /* append pent into ppliblist */
+ pentlist = malloc(sizeof (uentrylist_t));
+ if (pentlist == NULL) {
+ cryptoerror(LOG_ERR, "parsing %s, out of memory.\n",
+ _PATH_PKCS11_CONF);
+ free_uentry(pent);
+ rc = FAILURE;
+ break;
+ }
+ pentlist->puent = pent;
+ pentlist->next = NULL;
+
+ if (*ppliblist == NULL) {
+ *ppliblist = pcur = pentlist;
+ } else {
+ pcur->next = pentlist;
+ pcur = pcur->next;
+ }
+ }
+
+ (void) fclose(pfile);
+
+ if (rc != SUCCESS) {
+ free_uentrylist(*ppliblist);
+ *ppliblist = NULL;
+ }
+
+ return (rc);
+}
+
+
+/*
+ * This routine converts a char string into a uentry_t structure
+ * The input string "buf" should be one of the following:
+ * library_name
+ * library_name:NO_RANDOM
+ * library_name:disabledlist=m1,m2,...,mk
+ * library_name:disabledlist=m1,m2,...,mk;NO_RANDOM
+ * library_name:enabledlist=
+ * library_name:enabledlist=;NO_RANDOM
+ * library_name:enabledlist=m1,m2,...,mk
+ * library_name:enabledlist=m1,m2,...,mk;NO_RANDOM
+ * metaslot:status=enabled;enabledlist=m1,m2,....;slot=<slot-description>;\
+ * token=<token-label>
+ *
+ * Note:
+ * The mechanisms m1,..mk are in hex form. For example, "0x00000210"
+ * for CKM_MD5.
+ *
+ * For the metaslot entry, "enabledlist", "slot", "auto_key_migrate"
+ * or "token" is optional
+ */
+static int
+uef_interpret(char *buf, uentry_t **ppent)
+{
+ uentry_t *pent;
+ char *token1;
+ char *token2;
+ char *lasts;
+ int rc;
+
+ *ppent = NULL;
+ if ((token1 = strtok_r(buf, SEP_COLON, &lasts)) == NULL) {
+ /* buf is NULL */
+ return (FAILURE);
+ };
+
+ pent = calloc(sizeof (uentry_t), 1);
+ if (pent == NULL) {
+ cryptoerror(LOG_ERR, "parsing %s, out of memory.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ (void) strlcpy(pent->name, token1, sizeof (pent->name));
+ /*
+ * in case metaslot_auto_key_migrate is not specified, it should
+ * be default to true
+ */
+ pent->flag_metaslot_auto_key_migrate = B_TRUE;
+
+ while ((token2 = strtok_r(NULL, SEP_SEMICOLON, &lasts)) != NULL) {
+ if ((rc = parse_policylist(token2, pent)) != SUCCESS) {
+ free_uentry(pent);
+ return (rc);
+ }
+ }
+
+ *ppent = pent;
+ return (SUCCESS);
+}
+
+
+/*
+ * This routine parses the policy list and stored the result in the argument
+ * pent.
+ *
+ * Arg buf: input only, its format should be one of the following:
+ * enabledlist=
+ * enabledlist=m1,m2,...,mk
+ * disabledlist=m1,m2,...,mk
+ * NO_RANDOM
+ * metaslot_status=enabled|disabled
+ * metaslot_token=<token-label>
+ * metaslot_slot=<slot-description.
+ *
+ * Arg pent: input/output
+ *
+ * return: SUCCESS or FAILURE
+ */
+static int
+parse_policylist(char *buf, uentry_t *pent)
+{
+ umechlist_t *phead = NULL;
+ umechlist_t *pcur = NULL;
+ umechlist_t *pmech;
+ char *next_token;
+ char *value;
+ char *lasts;
+ int count = 0;
+ int rc = SUCCESS;
+
+ if (pent == NULL) {
+ return (FAILURE);
+ }
+
+ if (strncmp(buf, EF_DISABLED, sizeof (EF_DISABLED) - 1) == 0) {
+ pent->flag_enabledlist = B_FALSE;
+ } else if (strncmp(buf, EF_ENABLED, sizeof (EF_ENABLED) - 1) == 0) {
+ pent->flag_enabledlist = B_TRUE;
+ } else if (strncmp(buf, EF_NORANDOM, sizeof (EF_NORANDOM) - 1) == 0) {
+ pent->flag_norandom = B_TRUE;
+ return (rc);
+ } else if (strncmp(buf, METASLOT_TOKEN,
+ sizeof (METASLOT_TOKEN) - 1) == 0) {
+ if (value = strpbrk(buf, SEP_EQUAL)) {
+ value++; /* get rid of = */
+ (void) strlcpy((char *)pent->metaslot_ks_token, value,
+ TOKEN_LABEL_SIZE);
+ return (SUCCESS);
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ } else if (strncmp(buf, METASLOT_SLOT,
+ sizeof (METASLOT_SLOT) - 1) == 0) {
+ if (value = strpbrk(buf, SEP_EQUAL)) {
+ value++; /* get rid of = */
+ (void) strlcpy((char *)pent->metaslot_ks_slot, value,
+ SLOT_DESCRIPTION_SIZE);
+ return (SUCCESS);
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ } else if (strncmp(buf, METASLOT_STATUS,
+ sizeof (METASLOT_STATUS) - 1) == 0) {
+ if (value = strpbrk(buf, SEP_EQUAL)) {
+ value++; /* get rid of = */
+ if (strcmp(value, METASLOT_DISABLED) == 0) {
+ pent->flag_metaslot_enabled = B_FALSE;
+ } else if (strcmp(value, METASLOT_ENABLED) == 0) {
+ pent->flag_metaslot_enabled = B_TRUE;
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ return (SUCCESS);
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ } else if (strncmp(buf, METASLOT_AUTO_KEY_MIGRATE,
+ sizeof (METASLOT_AUTO_KEY_MIGRATE) - 1) == 0) {
+ if (value = strpbrk(buf, SEP_EQUAL)) {
+ value++; /* get rid of = */
+ if (strcmp(value, METASLOT_DISABLED) == 0) {
+ pent->flag_metaslot_auto_key_migrate = B_FALSE;
+ } else if (strcmp(value, METASLOT_ENABLED) == 0) {
+ pent->flag_metaslot_auto_key_migrate = B_TRUE;
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ return (SUCCESS);
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+
+ if (value = strpbrk(buf, SEP_EQUAL)) {
+ value++; /* get rid of = */
+ }
+
+ if ((next_token = strtok_r(value, SEP_COMMA, &lasts)) == NULL) {
+ if (pent->flag_enabledlist) {
+ return (SUCCESS);
+ } else {
+ cryptoerror(LOG_ERR, "failed to parse %s.\n",
+ _PATH_PKCS11_CONF);
+ return (FAILURE);
+ }
+ }
+
+ while (next_token) {
+ if ((pmech = create_umech(next_token)) == NULL) {
+ cryptoerror(LOG_ERR, "parsing %s, out of memory.\n",
+ _PATH_PKCS11_CONF);
+ rc = FAILURE;
+ break;
+ }
+
+ if (phead == NULL) {
+ phead = pcur = pmech;
+ } else {
+ pcur->next = pmech;
+ pcur = pcur->next;
+ }
+ count++;
+ next_token = strtok_r(NULL, SEP_COMMA, &lasts);
+ }
+
+ if (rc == SUCCESS) {
+ pent->policylist = phead;
+ pent->count = count;
+ } else {
+ free_umechlist(phead);
+ }
+
+ return (rc);
+}
+
+
+/*
+ * Create one item of type umechlist_t with the mechanism name. A NULL is
+ * returned when the input name is NULL or the heap memory is insufficient.
+ */
+umechlist_t *
+create_umech(char *name)
+{
+ umechlist_t *pmech = NULL;
+
+ if (name == NULL) {
+ return (NULL);
+ }
+
+ if ((pmech = malloc(sizeof (umechlist_t))) != NULL) {
+ (void) strlcpy(pmech->name, name, sizeof (pmech->name));
+ pmech->next = NULL;
+ }
+
+ return (pmech);
+}
+
+
+void
+free_umechlist(umechlist_t *plist)
+{
+ umechlist_t *pnext;
+
+ while (plist != NULL) {
+ pnext = plist->next;
+ free(plist);
+ plist = pnext;
+ }
+}
+
+
+void
+free_uentry(uentry_t *pent)
+{
+ if (pent == NULL) {
+ return;
+ } else {
+ free_umechlist(pent->policylist);
+ free(pent);
+ }
+}
+
+
+void
+free_uentrylist(uentrylist_t *entrylist)
+{
+ uentrylist_t *pnext;
+
+ while (entrylist != NULL) {
+ pnext = entrylist->next;
+ free_uentry(entrylist->puent);
+ free(entrylist);
+ entrylist = pnext;
+ }
+}
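Review bot: In get_pkcs11conf_info() the newline strip reads `buffer[len-1]` without checking that `len` is non-zero. A line whose first byte is NUL passes the comment/blank filter (it is none of `#`, space, newline or tab) and gives `strlen(buffer) == 0`, so the index wraps and the test reads, and may then write, one byte before `buffer`; guarding it as `if (len > 0 && buffer[len-1] == '\n')` closes that. Separately, a line longer than BUFSIZ-1 bytes is returned by fgets() in pieces and the tail is parsed as a new entry, so it would be safer to treat a read with no trailing newline before EOF as a parse failure. Truncation by strlcpy() in uef_interpret(), parse_policylist() and create_umech() is also unchecked, so an over-long library path or mechanism id is silently shortened rather than rejected.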
diff --git a/usr/src/lib/libcryptoutil/common/cryptoutil.h b/usr/src/lib/libcryptoutil/common/cryptoutil.h
new file mode 100644
index 0000000000..18a82bcdc0
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/cryptoutil.h
@@ -0,0 +1,134 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _CRYPTOUTIL_H
+#define _CRYPTOUTIL_H
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include <sys/types.h>
+#include <syslog.h>
+#include <security/cryptoki.h>
+#include <sys/param.h>
+
+#define LOG_STDERR -1
+#define SUCCESS 0
+#define FAILURE 1
+#define MECH_ID_HEX_LEN 11 /* length of mechanism id in hex form */
+
+#define _PATH_PKCS11_CONF "/etc/crypto/pkcs11.conf"
+#define _PATH_KCFD_LOCK "/var/run/kcfd.lock"
+
+/* $ISA substitution for parsing pkcs11.conf data */
+#define PKCS11_ISA "/$ISA/"
+#if defined(_LP64)
+#define PKCS11_ISA_DIR "/64/"
+#else /* !_LP64 */
+#define PKCS11_ISA_DIR "/"
+#endif
+
+/* keywords and delimiters for parsing configuration files */
+#define SEP_COLON ":"
+#define SEP_SEMICOLON ";"
+#define SEP_EQUAL "="
+#define SEP_COMMA ","
+#define METASLOT_KEYWORD "metaslot"
+#define EF_DISABLED "disabledlist="
+#define EF_ENABLED "enabledlist="
+#define EF_NORANDOM "NO_RANDOM"
+#define METASLOT_TOKEN "metaslot_token="
+#define METASLOT_SLOT "metaslot_slot="
+#define METASLOT_STATUS "metaslot_status="
+#define METASLOT_AUTO_KEY_MIGRATE "metaslot_auto_key_migrate="
+#define METASLOT_ENABLED "enabled"
+#define METASLOT_DISABLED "disabled"
+#define SLOT_DESCRIPTION_SIZE 64
+#define TOKEN_LABEL_SIZE 32
+
+/*
+ * Define the following softtoken values that are used by softtoken
+ * library, cryptoadm and pktool command.
+ */
+#define SOFT_SLOT_DESCRIPTION \
+ "Sun Crypto Softtoken " \
+ " "
+#define SOFT_TOKEN_LABEL "Sun Software PKCS#11 softtoken "
+#define SOFT_TOKEN_SERIAL " "
+#define SOFT_MANUFACTURER_ID "Sun Microsystems, Inc. "
+#define SOFT_DEFAULT_PIN "changeme"
+
+typedef char libname_t[MAXPATHLEN];
+typedef char midstr_t[MECH_ID_HEX_LEN];
+
+typedef struct umechlist {
+ midstr_t name; /* mechanism name in hex form */
+ struct umechlist *next;
+} umechlist_t;
+
+typedef struct uentry {
+ libname_t name;
+ boolean_t flag_norandom; /* TRUE if random is disabled */
+ boolean_t flag_enabledlist; /* TRUE if an enabledlist */
+ umechlist_t *policylist; /* disabledlist or enabledlist */
+ boolean_t flag_metaslot_enabled; /* TRUE if metaslot's enabled */
+ boolean_t flag_metaslot_auto_key_migrate;
+ CK_UTF8CHAR metaslot_ks_slot[SLOT_DESCRIPTION_SIZE + 1];
+ CK_UTF8CHAR metaslot_ks_token[TOKEN_LABEL_SIZE + 1];
+ int count;
+} uentry_t;
+
+typedef struct uentrylist {
+ uentry_t *puent;
+ struct uentrylist *next;
+} uentrylist_t;
+
+extern void cryptodebug(const char *fmt, ...);
+extern void cryptoerror(int priority, const char *fmt, ...);
+extern void cryptodebug_init(const char *prefix);
+
+extern char *pkcs11_mech2str(CK_MECHANISM_TYPE mech);
+extern CK_RV pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech);
+
+extern int get_pkcs11conf_info(uentrylist_t **);
+extern umechlist_t *create_umech(char *);
+extern void free_umechlist(umechlist_t *);
+extern void free_uentrylist(uentrylist_t *);
+extern void free_uentry(uentry_t *);
+
+extern void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen);
+extern CK_RV pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type,
+ CK_KEY_TYPE *ktype);
+extern char *pkcs11_strerror(CK_RV rv);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _CRYPTOUTIL_H */
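Review bot: `SOFT_DEFAULT_PIN` publishes a fixed, well-known initial PIN (`"changeme"`) with no comment describing how consumers must treat it. The header only says these softtoken values are shared by the softtoken library, cryptoadm and pktool; whether any of them refuses to use a token whose PIN is still the default is not visible here. I would add a comment on the define such as `/* initial PIN only; consumers must require it to be changed before the token is used */`, or whatever the actual contract is, so callers do not treat it as a usable credential. The struct fields `metaslot_ks_slot`, `metaslot_ks_token` and `count` could likewise use one-line comments, as the neighbouring fields have.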
diff --git a/usr/src/lib/libcryptoutil/common/debug.c b/usr/src/lib/libcryptoutil/common/debug.c
new file mode 100644
index 0000000000..9dcfe19a87
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/debug.c
@@ -0,0 +1,149 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <string.h>
+#include <cryptoutil.h>
+
+#define CRYPTO_DEBUG_ENV "SUNW_CRYPTO_DEBUG"
+
+static char *_cryptodebug_prefix = NULL;
+static int _cryptodebug_enabled = -1; /* -1 unknown, 0 disabled, 1 enabled */
+static boolean_t _cryptodebug_syslog = B_TRUE;
+
+/*PRINTFLIKE1*/
+void
+cryptodebug(const char *fmt, ...)
+{
+ va_list args;
+ char fmtbuf[BUFSIZ];
+ char msgbuf[BUFSIZ];
+
+ if (fmt == NULL || _cryptodebug_enabled != 1)
+ return;
+
+ va_start(args, fmt);
+ if (_cryptodebug_prefix == NULL) {
+ (void) vsnprintf(msgbuf, sizeof (msgbuf), fmt, args);
+ } else {
+ (void) snprintf(fmtbuf, sizeof (fmtbuf), "%s: %s",
+ _cryptodebug_prefix, fmt);
+ (void) vsnprintf(msgbuf, sizeof (msgbuf), fmtbuf, args);
+ }
+
+ if (_cryptodebug_syslog) {
+ syslog(LOG_DEBUG, msgbuf);
+ } else {
+ (void) fprintf(stderr, "%s\n", msgbuf);
+ }
+ va_end(args);
+}
+
+/*
+ * cryptoerror
+ *
+ * This is intended to be used both by interactive commands like cryptoadm(1m)
+ * digest(1) etc, and by libraries libpkcs11, libelfsign etc.
+ *
+ * A library probably wants most (all?) of its errors going to syslog but
+ * commands are usually happy for them to go to stderr.
+ *
+ * If a syslog priority is passed we log on that priority. Otherwise we
+ * use LOG_STDERR to mean use stderr instead. LOG_STDERR is defined in
+ * cryptoutil.h
+ */
+
+/*PRINTFLIKE2*/
+void
+cryptoerror(int priority, const char *fmt, ...)
+{
+ char fmtbuf[BUFSIZ];
+ char msgbuf[BUFSIZ];
+ va_list args;
+
+ if (fmt == NULL)
+ return;
+
+ va_start(args, fmt);
+ if (_cryptodebug_prefix == NULL) {
+ (void) vsnprintf(msgbuf, sizeof (msgbuf), fmt, args);
+ } else {
+ (void) snprintf(fmtbuf, sizeof (fmtbuf), "%s: %s",
+ _cryptodebug_prefix, fmt);
+ (void) vsnprintf(msgbuf, sizeof (msgbuf), fmtbuf, args);
+ }
+
+ if ((priority == LOG_STDERR) || (priority < 0)) {
+ (void) fprintf(stderr, "%s\n", msgbuf);
+ } else {
+ syslog(priority, msgbuf);
+ }
+ va_end(args);
+}
+
+void
+cryptodebug_init(const char *prefix)
+{
+ char *envval = NULL;
+
+ if (prefix != NULL) {
+ _cryptodebug_prefix = strdup(prefix);
+ }
+
+ if (_cryptodebug_enabled == -1) {
+ envval = getenv(CRYPTO_DEBUG_ENV);
+ /*
+ * If unset or it isn't one of syslog or stderr
+ * disable debug.
+ */
+ if (envval == NULL || (strcmp(envval, "") == 0)) {
+ _cryptodebug_enabled = 0;
+ return;
+ } else if (strcmp(envval, "stderr") == 0) {
+ _cryptodebug_syslog = B_FALSE;
+ _cryptodebug_enabled = 1;
+ } else if (strcmp(envval, "syslog") == 0) {
+ _cryptodebug_syslog = B_TRUE;
+ _cryptodebug_enabled = 1;
+ }
+ }
+
+ openlog(_cryptodebug_prefix, LOG_PID, LOG_USER);
+}
+
+#pragma fini(_cryptodebug_fini)
+
+static void
+_cryptodebug_fini(void)
+{
+ if (_cryptodebug_prefix != NULL)
+ free(_cryptodebug_prefix);
+}
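Review bot: Both cryptodebug() and cryptoerror() pass the already formatted `msgbuf` to syslog() as the format string, so any `%` that arrived through an argument (for example the `opts` string in the README's cryptodebug example) is interpreted a second time. The calls should be `syslog(LOG_DEBUG, "%s", msgbuf);` and `syslog(priority, "%s", msgbuf);`, matching what the stderr branches already do with fprintf(). The prefix is spliced into `fmtbuf` and then used as a format as well, so a prefix containing `%` has the same problem; printing the prefix and the message separately avoids that. In cryptodebug_init(), a SUNW_CRYPTO_DEBUG value other than "stderr" or "syslog" leaves `_cryptodebug_enabled` at -1 rather than 0 as the comment says, and a second call overwrites the strdup()'d prefix without freeing it.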
diff --git a/usr/src/lib/libcryptoutil/common/llib-lcryptoutil b/usr/src/lib/libcryptoutil/common/llib-lcryptoutil
new file mode 100644
index 0000000000..6f2f6bf5db
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/llib-lcryptoutil
@@ -0,0 +1,32 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/* LINTLIBRARY */
+/* PROTOLIB1 */
+
+#include <cryptoutil.h>
diff --git a/usr/src/lib/libcryptoutil/common/mechkeytype.c b/usr/src/lib/libcryptoutil/common/mechkeytype.c
new file mode 100644
index 0000000000..ab26d9567c
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/mechkeytype.c
@@ -0,0 +1,291 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <cryptoutil.h>
+
+/*
+ * Get the key type for the given mechanism
+ *
+ * All mechanisms in PKCS #11 v2.11 are listed here.
+ */
+CK_RV
+pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type, CK_KEY_TYPE *ktype)
+{
+
+ CK_RV rv = CKR_OK;
+
+ switch (mech_type) {
+
+ case CKM_RSA_PKCS_KEY_PAIR_GEN:
+ case CKM_RSA_PKCS:
+ case CKM_RSA_9796:
+ case CKM_RSA_X_509:
+ case CKM_MD2_RSA_PKCS:
+ case CKM_MD5_RSA_PKCS:
+ case CKM_SHA1_RSA_PKCS:
+ case CKM_RIPEMD128_RSA_PKCS:
+ case CKM_RIPEMD160_RSA_PKCS:
+ case CKM_RSA_PKCS_OAEP:
+ case CKM_RSA_X9_31_KEY_PAIR_GEN:
+ case CKM_RSA_X9_31:
+ case CKM_SHA1_RSA_X9_31:
+ case CKM_RSA_PKCS_PSS:
+ case CKM_SHA1_RSA_PKCS_PSS:
+ case CKM_DH_PKCS_PARAMETER_GEN:
+ *ktype = CKK_RSA;
+ break;
+
+ case CKM_DSA_KEY_PAIR_GEN:
+ case CKM_DSA:
+ case CKM_DSA_SHA1:
+ case CKM_DSA_PARAMETER_GEN:
+ case CKM_FORTEZZA_TIMESTAMP:
+ *ktype = CKK_DSA;
+ break;
+
+ case CKM_DH_PKCS_KEY_PAIR_GEN:
+ case CKM_DH_PKCS_DERIVE:
+ *ktype = CKK_DH;
+ break;
+
+ case CKM_ECDSA:
+ case CKM_ECDSA_SHA1:
+ case CKM_EC_KEY_PAIR_GEN:
+ case CKM_ECDH1_DERIVE:
+ case CKM_ECDH1_COFACTOR_DERIVE:
+ case CKM_ECMQV_DERIVE:
+ *ktype = CKK_EC;
+ break;
+
+ case CKM_X9_42_DH_KEY_PAIR_GEN:
+ case CKM_X9_42_DH_DERIVE:
+ case CKM_X9_42_DH_HYBRID_DERIVE:
+ case CKM_X9_42_MQV_DERIVE:
+ case CKM_X9_42_DH_PARAMETER_GEN:
+ *ktype = CKK_X9_42_DH;
+ break;
+
+ case CKM_KEA_KEY_PAIR_GEN:
+ case CKM_KEA_KEY_DERIVE:
+ *ktype = CKK_KEA;
+ break;
+
+ case CKM_MD2:
+ case CKM_MD2_HMAC:
+ case CKM_MD2_HMAC_GENERAL:
+ case CKM_MD5:
+ case CKM_MD5_HMAC:
+ case CKM_MD5_HMAC_GENERAL:
+ case CKM_SHA_1:
+ case CKM_SHA_1_HMAC:
+ case CKM_SHA_1_HMAC_GENERAL:
+ case CKM_GENERIC_SECRET_KEY_GEN:
+ case CKM_FASTHASH:
+ case CKM_PKCS5_PBKD2:
+ case CKM_PBA_SHA1_WITH_SHA1_HMAC:
+ case CKM_SSL3_MD5_MAC:
+ case CKM_SSL3_SHA1_MAC:
+ case CKM_SSL3_PRE_MASTER_KEY_GEN:
+ case CKM_SSL3_MASTER_KEY_DERIVE:
+ case CKM_SSL3_KEY_AND_MAC_DERIVE:
+ case CKM_SSL3_MASTER_KEY_DERIVE_DH:
+ case CKM_TLS_PRE_MASTER_KEY_GEN:
+ case CKM_TLS_MASTER_KEY_DERIVE:
+ case CKM_TLS_KEY_AND_MAC_DERIVE:
+ case CKM_TLS_MASTER_KEY_DERIVE_DH:
+ case CKM_CONCATENATE_BASE_AND_KEY:
+ case CKM_CONCATENATE_BASE_AND_DATA:
+ case CKM_CONCATENATE_DATA_AND_BASE:
+ case CKM_XOR_BASE_AND_DATA:
+ case CKM_EXTRACT_KEY_FROM_KEY:
+ case CKM_RIPEMD128:
+ case CKM_RIPEMD128_HMAC:
+ case CKM_RIPEMD128_HMAC_GENERAL:
+ case CKM_RIPEMD160:
+ case CKM_RIPEMD160_HMAC:
+ case CKM_RIPEMD160_HMAC_GENERAL:
+ case CKM_SHA1_KEY_DERIVATION:
+ case CKM_MD5_KEY_DERIVATION:
+ case CKM_MD2_KEY_DERIVATION:
+ /* not sure the following 2 should be CKK_DES or not */
+ case CKM_KEY_WRAP_LYNKS: /* wrap/unwrap secret key w/ DES key */
+ case CKM_KEY_WRAP_SET_OAEP: /* wrap/unwarp DES key w/ RSA key */
+ *ktype = CKK_GENERIC_SECRET;
+ break;
+
+ case CKM_RC2_KEY_GEN:
+ case CKM_RC2_ECB:
+ case CKM_RC2_CBC:
+ case CKM_RC2_MAC:
+ case CKM_RC2_MAC_GENERAL:
+ case CKM_RC2_CBC_PAD:
+ case CKM_PBE_SHA1_RC2_128_CBC:
+ case CKM_PBE_SHA1_RC2_40_CBC:
+ *ktype = CKK_RC2;
+ break;
+
+ case CKM_RC4_KEY_GEN:
+ case CKM_RC4:
+ case CKM_PBE_SHA1_RC4_128:
+ case CKM_PBE_SHA1_RC4_40:
+ *ktype = CKK_RC4;
+ break;
+
+ case CKM_DES_KEY_GEN:
+ case CKM_DES_ECB:
+ case CKM_DES_CBC:
+ case CKM_DES_MAC:
+ case CKM_DES_MAC_GENERAL:
+ case CKM_DES_CBC_PAD:
+ case CKM_PBE_MD2_DES_CBC:
+ case CKM_PBE_MD5_DES_CBC:
+ *ktype = CKK_DES;
+ break;
+
+ case CKM_DES2_KEY_GEN:
+ case CKM_PBE_SHA1_DES2_EDE_CBC:
+ *ktype = CKK_DES2;
+ break;
+
+ case CKM_DES3_KEY_GEN:
+ case CKM_DES3_ECB:
+ case CKM_DES3_CBC:
+ case CKM_DES3_MAC:
+ case CKM_DES3_MAC_GENERAL:
+ case CKM_DES3_CBC_PAD:
+ case CKM_PBE_SHA1_DES3_EDE_CBC:
+ *ktype = CKK_DES3;
+ break;
+
+ case CKM_CAST_KEY_GEN:
+ case CKM_CAST_ECB:
+ case CKM_CAST_CBC:
+ case CKM_CAST_MAC:
+ case CKM_CAST_MAC_GENERAL:
+ case CKM_CAST_CBC_PAD:
+ case CKM_PBE_MD5_CAST_CBC:
+ *ktype = CKK_CAST;
+ break;
+
+ case CKM_CAST3_KEY_GEN:
+ case CKM_CAST3_ECB:
+ case CKM_CAST3_CBC:
+ case CKM_CAST3_MAC:
+ case CKM_CAST3_MAC_GENERAL:
+ case CKM_CAST3_CBC_PAD:
+ case CKM_PBE_MD5_CAST3_CBC:
+ *ktype = CKK_CAST3;
+ break;
+
+ case CKM_CAST128_KEY_GEN:
+ case CKM_CAST128_ECB:
+ case CKM_CAST128_CBC:
+ case CKM_CAST128_MAC:
+ case CKM_CAST128_MAC_GENERAL:
+ case CKM_CAST128_CBC_PAD:
+ case CKM_PBE_MD5_CAST128_CBC:
+ case CKM_PBE_SHA1_CAST128_CBC:
+ *ktype = CKK_CAST128;
+ break;
+
+ case CKM_RC5_KEY_GEN:
+ case CKM_RC5_ECB:
+ case CKM_RC5_CBC:
+ case CKM_RC5_MAC:
+ case CKM_RC5_MAC_GENERAL:
+ case CKM_RC5_CBC_PAD:
+ *ktype = CKK_RC5;
+ break;
+
+ case CKM_IDEA_KEY_GEN:
+ case CKM_IDEA_ECB:
+ case CKM_IDEA_CBC:
+ case CKM_IDEA_MAC:
+ case CKM_IDEA_MAC_GENERAL:
+ case CKM_IDEA_CBC_PAD:
+ *ktype = CKK_IDEA;
+ break;
+
+ case CKM_SKIPJACK_KEY_GEN:
+ case CKM_SKIPJACK_ECB64:
+ case CKM_SKIPJACK_CBC64:
+ case CKM_SKIPJACK_OFB64:
+ case CKM_SKIPJACK_CFB64:
+ case CKM_SKIPJACK_CFB32:
+ case CKM_SKIPJACK_CFB16:
+ case CKM_SKIPJACK_CFB8:
+ case CKM_SKIPJACK_WRAP:
+ case CKM_SKIPJACK_PRIVATE_WRAP:
+ case CKM_SKIPJACK_RELAYX:
+ *ktype = CKK_SKIPJACK;
+ break;
+
+ case CKM_BATON_KEY_GEN:
+ case CKM_BATON_ECB128:
+ case CKM_BATON_ECB96:
+ case CKM_BATON_CBC128:
+ case CKM_BATON_COUNTER:
+ case CKM_BATON_SHUFFLE:
+ case CKM_BATON_WRAP:
+ *ktype = CKK_BATON;
+ break;
+
+ case CKM_JUNIPER_KEY_GEN:
+ case CKM_JUNIPER_ECB128:
+ case CKM_JUNIPER_CBC128:
+ case CKM_JUNIPER_COUNTER:
+ case CKM_JUNIPER_SHUFFLE:
+ case CKM_JUNIPER_WRAP:
+ *ktype = CKK_JUNIPER;
+ break;
+
+ case CKM_CDMF_KEY_GEN:
+ case CKM_CDMF_ECB:
+ case CKM_CDMF_CBC:
+ case CKM_CDMF_MAC:
+ case CKM_CDMF_MAC_GENERAL:
+ case CKM_CDMF_CBC_PAD:
+ *ktype = CKK_CDMF;
+ break;
+
+ case CKM_AES_KEY_GEN:
+ case CKM_AES_ECB:
+ case CKM_AES_CBC:
+ case CKM_AES_MAC:
+ case CKM_AES_MAC_GENERAL:
+ case CKM_AES_CBC_PAD:
+ *ktype = CKK_AES;
+ break;
+
+ default:
+ rv = CKR_MECHANISM_INVALID;
+ break;
+ }
+
+ return (rv);
+}
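Review bot: `case CKM_DH_PKCS_PARAMETER_GEN:` sits at the end of the RSA group and so yields `CKK_RSA`, while the other two parameter-generation mechanisms in this switch map to their own families (`CKM_DSA_PARAMETER_GEN` to `CKK_DSA`, `CKM_X9_42_DH_PARAMETER_GEN` to `CKK_X9_42_DH`). This looks like a misplaced label; moving it beside `case CKM_DH_PKCS_DERIVE:` would make it return `CKK_DH`. A caller that builds a key template from this result would otherwise request the wrong key type. Separately, `ktype` is dereferenced without a NULL check and is left unwritten on the `default` path, so the header comment should say `* On CKR_MECHANISM_INVALID *ktype is not modified.`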
diff --git a/usr/src/lib/libcryptoutil/common/mechstr.c b/usr/src/lib/libcryptoutil/common/mechstr.c
new file mode 100644
index 0000000000..fc3ab9c16f
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/mechstr.c
@@ -0,0 +1,307 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * Convert Algorithm names as strings to PKCS#11 Mech numbers and vice versa.
+ */
+
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <security/cryptoki.h>
+#include <security/pkcs11t.h>
+
+#include <cryptoutil.h>
+
+/*
+ * The table below is dynamically generated by parsing pkcs11t.h
+ * from the Makefile.
+ */
+static const struct {
+ const char *str;
+ CK_MECHANISM_TYPE mech;
+} mapping[] = {
+ { "CKM_RSA_PKCS_KEY_PAIR_GEN", CKM_RSA_PKCS_KEY_PAIR_GEN },
+ { "CKM_RSA_PKCS", CKM_RSA_PKCS },
+ { "CKM_RSA_9796", CKM_RSA_9796 },
+ { "CKM_RSA_X_509", CKM_RSA_X_509 },
+ { "CKM_MD2_RSA_PKCS", CKM_MD2_RSA_PKCS },
+ { "CKM_MD5_RSA_PKCS", CKM_MD5_RSA_PKCS },
+ { "CKM_SHA1_RSA_PKCS", CKM_SHA1_RSA_PKCS },
+ { "CKM_RIPEMD128_RSA_PKCS", CKM_RIPEMD128_RSA_PKCS },
+ { "CKM_RIPEMD160_RSA_PKCS", CKM_RIPEMD160_RSA_PKCS },
+ { "CKM_RSA_PKCS_OAEP", CKM_RSA_PKCS_OAEP },
+ { "CKM_RSA_X9_31_KEY_PAIR_GEN", CKM_RSA_X9_31_KEY_PAIR_GEN },
+ { "CKM_RSA_X9_31", CKM_RSA_X9_31 },
+ { "CKM_SHA1_RSA_X9_31", CKM_SHA1_RSA_X9_31 },
+ { "CKM_RSA_PKCS_PSS", CKM_RSA_PKCS_PSS },
+ { "CKM_SHA1_RSA_PKCS_PSS", CKM_SHA1_RSA_PKCS_PSS },
+ { "CKM_DSA_KEY_PAIR_GEN", CKM_DSA_KEY_PAIR_GEN },
+ { "CKM_DSA", CKM_DSA },
+ { "CKM_DSA_SHA1", CKM_DSA_SHA1 },
+ { "CKM_DH_PKCS_KEY_PAIR_GEN", CKM_DH_PKCS_KEY_PAIR_GEN },
+ { "CKM_DH_PKCS_DERIVE", CKM_DH_PKCS_DERIVE },
+ { "CKM_X9_42_DH_KEY_PAIR_GEN", CKM_X9_42_DH_KEY_PAIR_GEN },
+ { "CKM_X9_42_DH_DERIVE", CKM_X9_42_DH_DERIVE },
+ { "CKM_X9_42_DH_HYBRID_DERIVE", CKM_X9_42_DH_HYBRID_DERIVE },
+ { "CKM_X9_42_MQV_DERIVE", CKM_X9_42_MQV_DERIVE },
+ { "CKM_RC2_KEY_GEN", CKM_RC2_KEY_GEN },
+ { "CKM_RC2_ECB", CKM_RC2_ECB },
+ { "CKM_RC2_CBC", CKM_RC2_CBC },
+ { "CKM_RC2_MAC", CKM_RC2_MAC },
+ { "CKM_RC2_MAC_GENERAL", CKM_RC2_MAC_GENERAL },
+ { "CKM_RC2_CBC_PAD", CKM_RC2_CBC_PAD },
+ { "CKM_RC4_KEY_GEN", CKM_RC4_KEY_GEN },
+ { "CKM_RC4", CKM_RC4 },
+ { "CKM_DES_KEY_GEN", CKM_DES_KEY_GEN },
+ { "CKM_DES_ECB", CKM_DES_ECB },
+ { "CKM_DES_CBC", CKM_DES_CBC },
+ { "CKM_DES_MAC", CKM_DES_MAC },
+ { "CKM_DES_MAC_GENERAL", CKM_DES_MAC_GENERAL },
+ { "CKM_DES_CBC_PAD", CKM_DES_CBC_PAD },
+ { "CKM_DES2_KEY_GEN", CKM_DES2_KEY_GEN },
+ { "CKM_DES3_KEY_GEN", CKM_DES3_KEY_GEN },
+ { "CKM_DES3_ECB", CKM_DES3_ECB },
+ { "CKM_DES3_CBC", CKM_DES3_CBC },
+ { "CKM_DES3_MAC", CKM_DES3_MAC },
+ { "CKM_DES3_MAC_GENERAL", CKM_DES3_MAC_GENERAL },
+ { "CKM_DES3_CBC_PAD", CKM_DES3_CBC_PAD },
+ { "CKM_CDMF_KEY_GEN", CKM_CDMF_KEY_GEN },
+ { "CKM_CDMF_ECB", CKM_CDMF_ECB },
+ { "CKM_CDMF_CBC", CKM_CDMF_CBC },
+ { "CKM_CDMF_MAC", CKM_CDMF_MAC },
+ { "CKM_CDMF_MAC_GENERAL", CKM_CDMF_MAC_GENERAL },
+ { "CKM_CDMF_CBC_PAD", CKM_CDMF_CBC_PAD },
+ { "CKM_MD2", CKM_MD2 },
+ { "CKM_MD2_HMAC", CKM_MD2_HMAC },
+ { "CKM_MD2_HMAC_GENERAL", CKM_MD2_HMAC_GENERAL },
+ { "CKM_MD5", CKM_MD5 },
+ { "CKM_MD5_HMAC", CKM_MD5_HMAC },
+ { "CKM_MD5_HMAC_GENERAL", CKM_MD5_HMAC_GENERAL },
+ { "CKM_SHA_1", CKM_SHA_1 },
+ { "CKM_SHA_1_HMAC", CKM_SHA_1_HMAC },
+ { "CKM_SHA_1_HMAC_GENERAL", CKM_SHA_1_HMAC_GENERAL },
+ { "CKM_RIPEMD128", CKM_RIPEMD128 },
+ { "CKM_RIPEMD128_HMAC", CKM_RIPEMD128_HMAC },
+ { "CKM_RIPEMD128_HMAC_GENERAL", CKM_RIPEMD128_HMAC_GENERAL },
+ { "CKM_RIPEMD160", CKM_RIPEMD160 },
+ { "CKM_RIPEMD160_HMAC", CKM_RIPEMD160_HMAC },
+ { "CKM_RIPEMD160_HMAC_GENERAL", CKM_RIPEMD160_HMAC_GENERAL },
+ { "CKM_CAST_KEY_GEN", CKM_CAST_KEY_GEN },
+ { "CKM_CAST_ECB", CKM_CAST_ECB },
+ { "CKM_CAST_CBC", CKM_CAST_CBC },
+ { "CKM_CAST_MAC", CKM_CAST_MAC },
+ { "CKM_CAST_MAC_GENERAL", CKM_CAST_MAC_GENERAL },
+ { "CKM_CAST_CBC_PAD", CKM_CAST_CBC_PAD },
+ { "CKM_CAST3_KEY_GEN", CKM_CAST3_KEY_GEN },
+ { "CKM_CAST3_ECB", CKM_CAST3_ECB },
+ { "CKM_CAST3_CBC", CKM_CAST3_CBC },
+ { "CKM_CAST3_MAC", CKM_CAST3_MAC },
+ { "CKM_CAST3_MAC_GENERAL", CKM_CAST3_MAC_GENERAL },
+ { "CKM_CAST3_CBC_PAD", CKM_CAST3_CBC_PAD },
+ { "CKM_CAST5_KEY_GEN", CKM_CAST5_KEY_GEN },
+ { "CKM_CAST128_KEY_GEN", CKM_CAST128_KEY_GEN },
+ { "CKM_CAST5_ECB", CKM_CAST5_ECB },
+ { "CKM_CAST128_ECB", CKM_CAST128_ECB },
+ { "CKM_CAST5_CBC", CKM_CAST5_CBC },
+ { "CKM_CAST128_CBC", CKM_CAST128_CBC },
+ { "CKM_CAST5_MAC", CKM_CAST5_MAC },
+ { "CKM_CAST128_MAC", CKM_CAST128_MAC },
+ { "CKM_CAST5_MAC_GENERAL", CKM_CAST5_MAC_GENERAL },
+ { "CKM_CAST128_MAC_GENERAL", CKM_CAST128_MAC_GENERAL },
+ { "CKM_CAST5_CBC_PAD", CKM_CAST5_CBC_PAD },
+ { "CKM_CAST128_CBC_PAD", CKM_CAST128_CBC_PAD },
+ { "CKM_RC5_KEY_GEN", CKM_RC5_KEY_GEN },
+ { "CKM_RC5_ECB", CKM_RC5_ECB },
+ { "CKM_RC5_CBC", CKM_RC5_CBC },
+ { "CKM_RC5_MAC", CKM_RC5_MAC },
+ { "CKM_RC5_MAC_GENERAL", CKM_RC5_MAC_GENERAL },
+ { "CKM_RC5_CBC_PAD", CKM_RC5_CBC_PAD },
+ { "CKM_IDEA_KEY_GEN", CKM_IDEA_KEY_GEN },
+ { "CKM_IDEA_ECB", CKM_IDEA_ECB },
+ { "CKM_IDEA_CBC", CKM_IDEA_CBC },
+ { "CKM_IDEA_MAC", CKM_IDEA_MAC },
+ { "CKM_IDEA_MAC_GENERAL", CKM_IDEA_MAC_GENERAL },
+ { "CKM_IDEA_CBC_PAD", CKM_IDEA_CBC_PAD },
+ { "CKM_GENERIC_SECRET_KEY_GEN", CKM_GENERIC_SECRET_KEY_GEN },
+ { "CKM_CONCATENATE_BASE_AND_KEY", CKM_CONCATENATE_BASE_AND_KEY },
+ { "CKM_CONCATENATE_BASE_AND_DATA", CKM_CONCATENATE_BASE_AND_DATA },
+ { "CKM_CONCATENATE_DATA_AND_BASE", CKM_CONCATENATE_DATA_AND_BASE },
+ { "CKM_XOR_BASE_AND_DATA", CKM_XOR_BASE_AND_DATA },
+ { "CKM_EXTRACT_KEY_FROM_KEY", CKM_EXTRACT_KEY_FROM_KEY },
+ { "CKM_SSL3_PRE_MASTER_KEY_GEN", CKM_SSL3_PRE_MASTER_KEY_GEN },
+ { "CKM_SSL3_MASTER_KEY_DERIVE", CKM_SSL3_MASTER_KEY_DERIVE },
+ { "CKM_SSL3_KEY_AND_MAC_DERIVE", CKM_SSL3_KEY_AND_MAC_DERIVE },
+ { "CKM_SSL3_MASTER_KEY_DERIVE_DH", CKM_SSL3_MASTER_KEY_DERIVE_DH },
+ { "CKM_TLS_PRE_MASTER_KEY_GEN", CKM_TLS_PRE_MASTER_KEY_GEN },
+ { "CKM_TLS_MASTER_KEY_DERIVE", CKM_TLS_MASTER_KEY_DERIVE },
+ { "CKM_TLS_KEY_AND_MAC_DERIVE", CKM_TLS_KEY_AND_MAC_DERIVE },
+ { "CKM_TLS_MASTER_KEY_DERIVE_DH", CKM_TLS_MASTER_KEY_DERIVE_DH },
+ { "CKM_SSL3_MD5_MAC", CKM_SSL3_MD5_MAC },
+ { "CKM_SSL3_SHA1_MAC", CKM_SSL3_SHA1_MAC },
+ { "CKM_MD5_KEY_DERIVATION", CKM_MD5_KEY_DERIVATION },
+ { "CKM_MD2_KEY_DERIVATION", CKM_MD2_KEY_DERIVATION },
+ { "CKM_SHA1_KEY_DERIVATION", CKM_SHA1_KEY_DERIVATION },
+ { "CKM_PBE_MD2_DES_CBC", CKM_PBE_MD2_DES_CBC },
+ { "CKM_PBE_MD5_DES_CBC", CKM_PBE_MD5_DES_CBC },
+ { "CKM_PBE_MD5_CAST_CBC", CKM_PBE_MD5_CAST_CBC },
+ { "CKM_PBE_MD5_CAST3_CBC", CKM_PBE_MD5_CAST3_CBC },
+ { "CKM_PBE_MD5_CAST5_CBC", CKM_PBE_MD5_CAST5_CBC },
+ { "CKM_PBE_MD5_CAST128_CBC", CKM_PBE_MD5_CAST128_CBC },
+ { "CKM_PBE_SHA1_CAST5_CBC", CKM_PBE_SHA1_CAST5_CBC },
+ { "CKM_PBE_SHA1_CAST128_CBC", CKM_PBE_SHA1_CAST128_CBC },
+ { "CKM_PBE_SHA1_RC4_128", CKM_PBE_SHA1_RC4_128 },
+ { "CKM_PBE_SHA1_RC4_40", CKM_PBE_SHA1_RC4_40 },
+ { "CKM_PBE_SHA1_DES3_EDE_CBC", CKM_PBE_SHA1_DES3_EDE_CBC },
+ { "CKM_PBE_SHA1_DES2_EDE_CBC", CKM_PBE_SHA1_DES2_EDE_CBC },
+ { "CKM_PBE_SHA1_RC2_128_CBC", CKM_PBE_SHA1_RC2_128_CBC },
+ { "CKM_PBE_SHA1_RC2_40_CBC", CKM_PBE_SHA1_RC2_40_CBC },
+ { "CKM_PKCS5_PBKD2", CKM_PKCS5_PBKD2 },
+ { "CKM_PBA_SHA1_WITH_SHA1_HMAC", CKM_PBA_SHA1_WITH_SHA1_HMAC },
+ { "CKM_KEY_WRAP_LYNKS", CKM_KEY_WRAP_LYNKS },
+ { "CKM_KEY_WRAP_SET_OAEP", CKM_KEY_WRAP_SET_OAEP },
+ { "CKM_SKIPJACK_KEY_GEN", CKM_SKIPJACK_KEY_GEN },
+ { "CKM_SKIPJACK_ECB64", CKM_SKIPJACK_ECB64 },
+ { "CKM_SKIPJACK_CBC64", CKM_SKIPJACK_CBC64 },
+ { "CKM_SKIPJACK_OFB64", CKM_SKIPJACK_OFB64 },
+ { "CKM_SKIPJACK_CFB64", CKM_SKIPJACK_CFB64 },
+ { "CKM_SKIPJACK_CFB32", CKM_SKIPJACK_CFB32 },
+ { "CKM_SKIPJACK_CFB16", CKM_SKIPJACK_CFB16 },
+ { "CKM_SKIPJACK_CFB8", CKM_SKIPJACK_CFB8 },
+ { "CKM_SKIPJACK_WRAP", CKM_SKIPJACK_WRAP },
+ { "CKM_SKIPJACK_PRIVATE_WRAP", CKM_SKIPJACK_PRIVATE_WRAP },
+ { "CKM_SKIPJACK_RELAYX", CKM_SKIPJACK_RELAYX },
+ { "CKM_KEA_KEY_PAIR_GEN", CKM_KEA_KEY_PAIR_GEN },
+ { "CKM_KEA_KEY_DERIVE", CKM_KEA_KEY_DERIVE },
+ { "CKM_FORTEZZA_TIMESTAMP", CKM_FORTEZZA_TIMESTAMP },
+ { "CKM_BATON_KEY_GEN", CKM_BATON_KEY_GEN },
+ { "CKM_BATON_ECB128", CKM_BATON_ECB128 },
+ { "CKM_BATON_ECB96", CKM_BATON_ECB96 },
+ { "CKM_BATON_CBC128", CKM_BATON_CBC128 },
+ { "CKM_BATON_COUNTER", CKM_BATON_COUNTER },
+ { "CKM_BATON_SHUFFLE", CKM_BATON_SHUFFLE },
+ { "CKM_BATON_WRAP", CKM_BATON_WRAP },
+ { "CKM_ECDSA_KEY_PAIR_GEN", CKM_ECDSA_KEY_PAIR_GEN },
+ { "CKM_EC_KEY_PAIR_GEN", CKM_EC_KEY_PAIR_GEN },
+ { "CKM_ECDSA", CKM_ECDSA },
+ { "CKM_ECDSA_SHA1", CKM_ECDSA_SHA1 },
+ { "CKM_ECDH1_DERIVE", CKM_ECDH1_DERIVE },
+ { "CKM_ECDH1_COFACTOR_DERIVE", CKM_ECDH1_COFACTOR_DERIVE },
+ { "CKM_ECMQV_DERIVE", CKM_ECMQV_DERIVE },
+ { "CKM_JUNIPER_KEY_GEN", CKM_JUNIPER_KEY_GEN },
+ { "CKM_JUNIPER_ECB128", CKM_JUNIPER_ECB128 },
+ { "CKM_JUNIPER_CBC128", CKM_JUNIPER_CBC128 },
+ { "CKM_JUNIPER_COUNTER", CKM_JUNIPER_COUNTER },
+ { "CKM_JUNIPER_SHUFFLE", CKM_JUNIPER_SHUFFLE },
+ { "CKM_JUNIPER_WRAP", CKM_JUNIPER_WRAP },
+ { "CKM_FASTHASH", CKM_FASTHASH },
+ { "CKM_AES_KEY_GEN", CKM_AES_KEY_GEN },
+ { "CKM_AES_ECB", CKM_AES_ECB },
+ { "CKM_AES_CBC", CKM_AES_CBC },
+ { "CKM_AES_MAC", CKM_AES_MAC },
+ { "CKM_AES_MAC_GENERAL", CKM_AES_MAC_GENERAL },
+ { "CKM_AES_CBC_PAD", CKM_AES_CBC_PAD },
+ { "CKM_DSA_PARAMETER_GEN", CKM_DSA_PARAMETER_GEN },
+ { "CKM_DH_PKCS_PARAMETER_GEN", CKM_DH_PKCS_PARAMETER_GEN },
+ { "CKM_X9_42_DH_PARAMETER_GEN", CKM_X9_42_DH_PARAMETER_GEN },
+ { "CKM_VENDOR_DEFINED", CKM_VENDOR_DEFINED },
+ { NULL, 0 }
+};
+
+/*
+ * pkcs11_mech2str - convert PKCS#11 mech to a string
+ *
+ * Anything below CKM_VENDOR_DEFINED that wasn't in the mapping table
+ * at build time causes NULL to be returned. Anything above it also
+ * returns NULL since we have no way to know what its real name is.
+ */
+char
+*pkcs11_mech2str(CK_MECHANISM_TYPE mech)
+{
+ int i;
+ char buf[11]; /* Num chars for representing ulong in ASCII */
+
+ if (mech > CKM_VENDOR_DEFINED) {
+ (void) snprintf(buf, sizeof (buf), "%#lx", mech);
+ return (strdup(buf));
+ }
+
+ for (i = 0; mapping[i].str; i++) {
+ if (mapping[i].mech == mech)
+ return (strdup(mapping[i].str));
+ }
+
+ return (NULL);
+}
+
+/*
+ * pkcs11_str2mech - convert a string into a PKCS#11 mech number.
+ *
+ * Since there isn't reserved value for an invalid mech we return
+ * CKR_MECHANISM_INVALID for anything we don't recognise.
+ * The value in mech isn't meaningful in these cases.
+ */
+CK_RV
+pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech)
+{
+ int i;
+ char *tmech_str;
+
+ if (mech_str == NULL)
+ return (CKR_MECHANISM_INVALID);
+
+ if (strncasecmp(mech_str, "0x8", 3) == 0) {
+ cryptodebug("pkcs11_str2mech: hex string passed in: %s",
+ mech_str);
+ *mech = strtoll(mech_str, NULL, 16);
+ return (CKR_OK);
+ }
+
+ if (strncasecmp(mech_str, "CKM_", 4) != 0) {
+ size_t tmech_strlen = strlen(mech_str) + 4 + 1;
+ cryptodebug("pkcs11_str2mech: no CKM_ prefix: %s", mech_str);
+ tmech_str = malloc(tmech_strlen * sizeof (char));
+ (void) snprintf(tmech_str, tmech_strlen, "CKM_%s", mech_str);
+ cryptodebug("pkcs11_str2mech: with prefix: %s", tmech_str);
+ } else {
+ tmech_str = mech_str;
+ }
+
+ for (i = 0; mapping[i].str; i++) {
+ if (strcasecmp(mapping[i].str, tmech_str) == 0) {
+ *mech = mapping[i].mech;
+ if (tmech_str != mech_str)
+ free(tmech_str);
+ return (CKR_OK);
+ }
+ }
+ if (tmech_str != mech_str)
+ free(tmech_str);
+
+ return (CKR_MECHANISM_INVALID);
+}
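Review bot: In pkcs11_str2mech the result of `malloc(tmech_strlen * sizeof (char))` goes straight into snprintf() with no NULL check, so an allocation failure becomes a NULL-pointer write while handling a caller-supplied mechanism name. Add `if (tmech_str == NULL) return (CKR_HOST_MEMORY);` right after the allocation. The `0x8` branch calls strtoll() with a NULL end pointer, so trailing non-hex text is accepted silently, and `mech` is dereferenced without a check. In pkcs11_mech2str, `buf[11]` only fits a 32-bit value in `%#lx` form, so where `unsigned long` is 64 bits snprintf() would truncate a larger vendor value. Its header comment also says NULL is returned above CKM_VENDOR_DEFINED, whereas the code returns a strdup'd hex string.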
diff --git a/usr/src/lib/libcryptoutil/common/pkcserror.c b/usr/src/lib/libcryptoutil/common/pkcserror.c
new file mode 100644
index 0000000000..e829a2db1b
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/pkcserror.c
@@ -0,0 +1,309 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+/*
+ * Block comment which describes the contents of this file.
+ */
+
+#include <stdio.h>
+#include <security/cryptoki.h>
+
+/*
+ * pkcs11_strerror: returns a string representation of the given return code.
+ * The string returned is static pointer. It doesn't need to be free'd
+ * by the caller.
+ */
+char *
+pkcs11_strerror(CK_RV rv)
+{
+ static char errstr[128];
+
+ switch (rv) {
+ case CKR_OK:
+ return ("CKR_OK");
+ break;
+ case CKR_CANCEL:
+ return ("CKR_CANCEL");
+ break;
+ case CKR_HOST_MEMORY:
+ return ("CKR_HOST_MEMORY");
+ break;
+ case CKR_SLOT_ID_INVALID:
+ return ("CKR_SLOT_ID_INVALID");
+ break;
+ case CKR_GENERAL_ERROR:
+ return ("CKR_GENERAL_ERROR");
+ break;
+ case CKR_FUNCTION_FAILED:
+ return ("CKR_FUNCTION_FAILED");
+ break;
+ case CKR_ARGUMENTS_BAD:
+ return ("CKR_ARGUMENTS_BAD");
+ break;
+ case CKR_NO_EVENT:
+ return ("CKR_NO_EVENT");
+ break;
+ case CKR_NEED_TO_CREATE_THREADS:
+ return ("CKR_NEED_TO_CREATE_THREADS");
+ break;
+ case CKR_CANT_LOCK:
+ return ("CKR_CANT_LOCK");
+ break;
+ case CKR_ATTRIBUTE_READ_ONLY:
+ return ("CKR_ATTRIBUTE_READ_ONLY");
+ break;
+ case CKR_ATTRIBUTE_SENSITIVE:
+ return ("CKR_ATTRIBUTE_SENSITIVE");
+ break;
+ case CKR_ATTRIBUTE_TYPE_INVALID:
+ return ("CKR_ATTRIBUTE_TYPE_INVALID");
+ break;
+ case CKR_ATTRIBUTE_VALUE_INVALID:
+ return ("CKR_ATTRIBUTE_VALUE_INVALID");
+ break;
+ case CKR_DATA_INVALID:
+ return ("CKR_DATA_INVALID");
+ break;
+ case CKR_DATA_LEN_RANGE:
+ return ("CKR_DATA_LEN_RANGE");
+ break;
+ case CKR_DEVICE_ERROR:
+ return ("CKR_DEVICE_ERROR");
+ break;
+ case CKR_DEVICE_MEMORY:
+ return ("CKR_DEVICE_MEMORY");
+ break;
+ case CKR_DEVICE_REMOVED:
+ return ("CKR_DEVICE_REMOVED");
+ break;
+ case CKR_ENCRYPTED_DATA_INVALID:
+ return ("CKR_ENCRYPTED_DATA_INVALID");
+ break;
+ case CKR_ENCRYPTED_DATA_LEN_RANGE:
+ return ("CKR_ENCRYPTED_DATA_LEN_RANGE");
+ break;
+ case CKR_FUNCTION_CANCELED:
+ return ("CKR_FUNCTION_CANCELED");
+ break;
+ case CKR_FUNCTION_NOT_PARALLEL:
+ return ("CKR_FUNCTION_NOT_PARALLEL");
+ break;
+ case CKR_FUNCTION_NOT_SUPPORTED:
+ return ("CKR_FUNCTION_NOT_SUPPORTED");
+ break;
+ case CKR_KEY_HANDLE_INVALID:
+ return ("CKR_KEY_HANDLE_INVALID");
+ break;
+ case CKR_KEY_SIZE_RANGE:
+ return ("CKR_KEY_SIZE_RANGE");
+ break;
+ case CKR_KEY_TYPE_INCONSISTENT:
+ return ("CKR_KEY_TYPE_INCONSISTENT");
+ break;
+ case CKR_KEY_NOT_NEEDED:
+ return ("CKR_KEY_NOT_NEEDED");
+ break;
+ case CKR_KEY_CHANGED:
+ return ("CKR_KEY_CHANGED");
+ break;
+ case CKR_KEY_NEEDED:
+ return ("CKR_KEY_NEEDED");
+ break;
+ case CKR_KEY_INDIGESTIBLE:
+ return ("CKR_KEY_INDIGESTIBLE");
+ break;
+ case CKR_KEY_FUNCTION_NOT_PERMITTED:
+ return ("CKR_KEY_FUNCTION_NOT_PERMITTED");
+ break;
+ case CKR_KEY_NOT_WRAPPABLE:
+ return ("CKR_KEY_NOT_WRAPPABLE");
+ break;
+ case CKR_KEY_UNEXTRACTABLE:
+ return ("CKR_KEY_UNEXTRACTABLE");
+ break;
+ case CKR_MECHANISM_INVALID:
+ return ("CKR_MECHANISM_INVALID");
+ break;
+ case CKR_MECHANISM_PARAM_INVALID:
+ return ("CKR_MECHANISM_PARAM_INVALID");
+ break;
+ case CKR_OBJECT_HANDLE_INVALID:
+ return ("CKR_OBJECT_HANDLE_INVALID");
+ break;
+ case CKR_OPERATION_ACTIVE:
+ return ("CKR_OPERATION_ACTIVE");
+ break;
+ case CKR_OPERATION_NOT_INITIALIZED:
+ return ("CKR_OPERATION_NOT_INITIALIZED");
+ break;
+ case CKR_PIN_INCORRECT:
+ return ("CKR_PIN_INCORRECT");
+ break;
+ case CKR_PIN_INVALID:
+ return ("CKR_PIN_INVALID");
+ break;
+ case CKR_PIN_LEN_RANGE:
+ return ("CKR_PIN_LEN_RANGE");
+ break;
+ case CKR_PIN_EXPIRED:
+ return ("CKR_PIN_EXPIRED");
+ break;
+ case CKR_PIN_LOCKED:
+ return ("CKR_PIN_LOCKED");
+ break;
+ case CKR_SESSION_CLOSED:
+ return ("CKR_SESSION_CLOSED");
+ break;
+ case CKR_SESSION_COUNT:
+ return ("CKR_SESSION_COUNT");
+ break;
+ case CKR_SESSION_HANDLE_INVALID:
+ return ("CKR_SESSION_HANDLE_INVALID");
+ break;
+ case CKR_SESSION_PARALLEL_NOT_SUPPORTED:
+ return ("CKR_SESSION_PARALLEL_NOT_SUPPORTED");
+ break;
+ case CKR_SESSION_READ_ONLY:
+ return ("CKR_SESSION_READ_ONLY");
+ break;
+ case CKR_SESSION_EXISTS:
+ return ("CKR_SESSION_EXISTS");
+ break;
+ case CKR_SESSION_READ_ONLY_EXISTS:
+ return ("CKR_SESSION_READ_ONLY_EXISTS");
+ break;
+ case CKR_SESSION_READ_WRITE_SO_EXISTS:
+ return ("CKR_SESSION_READ_WRITE_SO_EXISTS");
+ break;
+ case CKR_SIGNATURE_INVALID:
+ return ("CKR_SIGNATURE_INVALID");
+ break;
+ case CKR_SIGNATURE_LEN_RANGE:
+ return ("CKR_SIGNATURE_LEN_RANGE");
+ break;
+ case CKR_TEMPLATE_INCOMPLETE:
+ return ("CKR_TEMPLATE_INCOMPLETE");
+ break;
+ case CKR_TEMPLATE_INCONSISTENT:
+ return ("CKR_TEMPLATE_INCONSISTENT");
+ break;
+ case CKR_TOKEN_NOT_PRESENT:
+ return ("CKR_TOKEN_NOT_PRESENT");
+ break;
+ case CKR_TOKEN_NOT_RECOGNIZED:
+ return ("CKR_TOKEN_NOT_RECOGNIZED");
+ break;
+ case CKR_TOKEN_WRITE_PROTECTED:
+ return ("CKR_TOKEN_WRITE_PROTECTED");
+ break;
+ case CKR_UNWRAPPING_KEY_HANDLE_INVALID:
+ return ("CKR_UNWRAPPING_KEY_HANDLE_INVALID");
+ break;
+ case CKR_UNWRAPPING_KEY_SIZE_RANGE:
+ return ("CKR_UNWRAPPING_KEY_SIZE_RANGE");
+ break;
+ case CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT:
+ return ("CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT");
+ break;
+ case CKR_USER_ALREADY_LOGGED_IN:
+ return ("CKR_USER_ALREADY_LOGGED_IN");
+ break;
+ case CKR_USER_NOT_LOGGED_IN:
+ return ("CKR_USER_NOT_LOGGED_IN");
+ break;
+ case CKR_USER_PIN_NOT_INITIALIZED:
+ return ("CKR_USER_PIN_NOT_INITIALIZED");
+ break;
+ case CKR_USER_TYPE_INVALID:
+ return ("CKR_USER_TYPE_INVALID");
+ break;
+ case CKR_USER_ANOTHER_ALREADY_LOGGED_IN:
+ return ("CKR_USER_ANOTHER_ALREADY_LOGGED_IN");
+ break;
+ case CKR_USER_TOO_MANY_TYPES:
+ return ("CKR_USER_TOO_MANY_TYPES");
+ break;
+ case CKR_WRAPPED_KEY_INVALID:
+ return ("CKR_WRAPPED_KEY_INVALID");
+ break;
+ case CKR_WRAPPED_KEY_LEN_RANGE:
+ return ("CKR_WRAPPED_KEY_LEN_RANGE");
+ break;
+ case CKR_WRAPPING_KEY_HANDLE_INVALID:
+ return ("CKR_WRAPPING_KEY_HANDLE_INVALID");
+ break;
+ case CKR_WRAPPING_KEY_SIZE_RANGE:
+ return ("CKR_WRAPPING_KEY_SIZE_RANGE");
+ break;
+ case CKR_WRAPPING_KEY_TYPE_INCONSISTENT:
+ return ("CKR_WRAPPING_KEY_TYPE_INCONSISTENT");
+ break;
+ case CKR_RANDOM_SEED_NOT_SUPPORTED:
+ return ("CKR_RANDOM_SEED_NOT_SUPPORTED");
+ break;
+ case CKR_RANDOM_NO_RNG:
+ return ("CKR_RANDOM_NO_RNG");
+ break;
+ case CKR_DOMAIN_PARAMS_INVALID:
+ return ("CKR_DOMAIN_PARAMS_INVALID");
+ break;
+ case CKR_BUFFER_TOO_SMALL:
+ return ("CKR_BUFFER_TOO_SMALL");
+ break;
+ case CKR_SAVED_STATE_INVALID:
+ return ("CKR_SAVED_STATE_INVALID");
+ break;
+ case CKR_INFORMATION_SENSITIVE:
+ return ("CKR_INFORMATION_SENSITIVE");
+ break;
+ case CKR_STATE_UNSAVEABLE:
+ return ("CKR_STATE_UNSAVEABLE");
+ break;
+ case CKR_CRYPTOKI_NOT_INITIALIZED:
+ return ("CKR_CRYPTOKI_NOT_INITIALIZED");
+ break;
+ case CKR_CRYPTOKI_ALREADY_INITIALIZED:
+ return ("CKR_CRYPTOKI_ALREADY_INITIALIZED");
+ break;
+ case CKR_MUTEX_BAD:
+ return ("CKR_MUTEX_BAD");
+ break;
+ case CKR_MUTEX_NOT_LOCKED:
+ return ("CKR_MUTEX_NOT_LOCKED");
+ break;
+ case CKR_VENDOR_DEFINED:
+ return ("CKR_VENDOR_DEFINED");
+ break;
+ default:
+ /* rv not found */
+ (void) snprintf(errstr, sizeof (errstr),
+ "Unknown return code: 0x%lx", rv);
+ return (errstr);
+ break;
+ }
+}
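Review bot: The `default` branch of pkcs11_strerror formats into the function-static `errstr`, so two threads that both pass an unrecognised return code share one buffer, and a caller can read the message while it is being rewritten. The header comment says only that the result need not be freed. For library code that should be stated, for example `* Not MT-safe for unknown codes: the default case reuses one static buffer.` The file's opening comment is still the template text `Block comment which describes the contents of this file.` and should describe what the file provides. The `break` after every `return` is unreachable and can be dropped.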
diff --git a/usr/src/lib/libcryptoutil/common/tohexstr.c b/usr/src/lib/libcryptoutil/common/tohexstr.c
new file mode 100644
index 0000000000..062b4f4d3e
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/common/tohexstr.c
@@ -0,0 +1,54 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License, Version 1.0 only
+ * (the "License"). You may not use this file except in compliance
+ * with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/*
+ * Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+#include <sys/types.h>
+
+#include <cryptoutil.h>
+
+/*
+ * tohexstr
+ * IN bytes
+ * blen
+ * hexlen should be 2 * blen + 1
+ * OUT
+ * hexstr
+ */
+void
+tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen)
+{
+ size_t i;
+ char hexlist[] = "0123456789abcdef";
+
+ for (i = 0; i < blen; i++) {
+ if (hexlen < (2 * i + 1))
+ break;
+ hexstr[2 * i] = hexlist[(bytes[i] >> 4) & 0xf];
+ hexstr[2 * i + 1] = hexlist[bytes[i] & 0xf];
+ }
+ hexstr[2 * blen] = '\0';
+}
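Review bot: The bounds check in tohexstr is too weak for the writes that follow it: `if (hexlen < (2 * i + 1))` still lets `hexstr[2 * i + 1]` land one byte past a buffer of exactly `2 * i + 1` bytes. The final `hexstr[2 * blen] = '\0';` is also unconditional, so any `hexlen` smaller than `2 * blen + 1` gives an out-of-bounds store, and after an early `break` the terminator is placed beyond the bytes actually converted. Reserve room for both digits and the terminator with `if (hexlen < 2 * i + 3) break;`, then terminate at the point reached with `if (hexlen > 0) hexstr[2 * i] = '\0';`. The header comment should then say that output is truncated, not overrun, when `hexlen` is below `2 * blen + 1`.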
diff --git a/usr/src/lib/libcryptoutil/i386/Makefile b/usr/src/lib/libcryptoutil/i386/Makefile
new file mode 100644
index 0000000000..3921305654
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/i386/Makefile
@@ -0,0 +1,31 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+
+include ../Makefile.com
+
+install: all $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT)
diff --git a/usr/src/lib/libcryptoutil/sparc/Makefile b/usr/src/lib/libcryptoutil/sparc/Makefile
new file mode 100644
index 0000000000..3921305654
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/sparc/Makefile
@@ -0,0 +1,31 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+
+include ../Makefile.com
+
+install: all $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT)
diff --git a/usr/src/lib/libcryptoutil/sparcv9/Makefile b/usr/src/lib/libcryptoutil/sparcv9/Makefile
new file mode 100644
index 0000000000..5b07b54edf
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/sparcv9/Makefile
@@ -0,0 +1,34 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2002-2003 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+#ident "%Z%%M% %I% %E% SMI"
+#
+
+include ../Makefile.com
+include ../../Makefile.lib.64
+
+.KEEP_STATE:
+
+install: all $(ROOTLIBS64) $(ROOTLINKS64) $(ROOTLINT64)
diff --git a/usr/src/lib/libcryptoutil/spec/Makefile b/usr/src/lib/libcryptoutil/spec/Makefile
new file mode 100644
index 0000000000..7fc3c15e34
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/Makefile
@@ -0,0 +1,28 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"U
+
+include $(SRC)/lib/Makefile.spec.arch
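Review bot: The ident comment in this file ends with a stray `U` after the closing quote (`# ident "%Z%%M% %I% %E% SMI"U`), which looks like an editor keystroke that leaked into the line. The same defect appears in spec/Makefile.targ (trailing `U`) and in spec/amd64/Makefile and spec/i386/Makefile (trailing `I`), while spec/sparc/Makefile and spec/sparcv9/Makefile carry the clean form. The line is a comment, so the build is unaffected, but tooling that reads the keyword string may not expect the extra character. All four lines should read `# ident "%Z%%M% %I% %E% SMI"`.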
diff --git a/usr/src/lib/libcryptoutil/spec/Makefile.targ b/usr/src/lib/libcryptoutil/spec/Makefile.targ
new file mode 100644
index 0000000000..fb1d5ef898
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/Makefile.targ
@@ -0,0 +1,31 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"U
+
+LIBRARY = libcryptoutil.a
+VERS = .1
+
+OBJECTS = cryptoutil.o
diff --git a/usr/src/lib/libcryptoutil/spec/amd64/Makefile b/usr/src/lib/libcryptoutil/spec/amd64/Makefile
new file mode 100644
index 0000000000..40a72c892d
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/amd64/Makefile
@@ -0,0 +1,43 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"I
+
+.KEEP_STATE:
+
+include ../Makefile.targ
+
+# Add arch specific objects here
+OBJECTS +=
+
+include $(SRC)/lib/Makefile.lib
+include $(SRC)/lib/Makefile.lib.64
+
+# Uncomment the following if the linker complains
+#amd64 = -K PIC
+
+include $(SRC)/lib/Makefile.spec
+
+install: $(ROOTABILIB64)
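Review bot: The commented-out PIC hint here is `#amd64 = -K PIC`, while the sibling spec Makefiles in this commit use `#i386_C_PICFLAGS`, `#sparc_C_PICFLAGS` and `#sparcv9_C_PICFLAGS`. Uncommenting the line as written would set a variable named `amd64`, which is presumably not what the included makefiles read. The included makefiles are not on this page, so this is unverified, but if the per-architecture naming holds the hint should be `#amd64_C_PICFLAGS = -K PIC`.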
diff --git a/usr/src/lib/libcryptoutil/spec/cryptoutil.spec b/usr/src/lib/libcryptoutil/spec/cryptoutil.spec
new file mode 100644
index 0000000000..947cce551a
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/cryptoutil.spec
@@ -0,0 +1,104 @@
+#
+# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#pragma ident "%Z%%M% %I% %E% SMI"
+#
+# lib/libcryptoutil/spec/cryptoutil.spec
+
+function cryptodebug
+include <cryptoutil.h>
+declaration void cryptodebug(const char *fmt, ...)
+version SUNWprivate_1.1
+end
+
+function cryptoerror
+include <cryptoutil.h>
+declaration void cryptoerror(int priority, const char *fmt, ...)
+version SUNWprivate_1.1
+end
+
+function cryptodebug_init
+include <cryptoutil.h>
+declaration void cryptodebug_init(const char *prefix)
+version SUNWprivate_1.1
+end
+
+function pkcs11_mech2str
+include <cryptoutil.h>
+declaration char *pkcs11_mech2str(CK_MECHANISM_TYPE mech)
+version SUNWprivate_1.1
+end
+
+function pkcs11_str2mech
+include <cryptoutil.h>
+declaration CK_RV pkcs11_str2mech(char *mech_str, CK_MECHANISM_TYPE_PTR mech)
+version SUNWprivate_1.1
+end
+
+function pkcs11_mech2keytype
+include <cryptoutil.h>
+declaration CK_RV pkcs11_mech2keytype(CK_MECHANISM_TYPE mech_type, CK_KEY_TYPE *ktype)
+version SUNWprivate_1.1
+end
+
+function pkcs11_strerror
+include <cryptoutil.h>
+declaration char *pkcs11_strerror(CK_RV rv)
+version SUNWprivate_1.1
+end
+function get_pkcs11conf_info
+include <cryptoutil.h>
+declaration int get_pkcs11conf_info(uentrylist_t **)
+version SUNWprivate_1.1
+end
+
+function tohexstr
+include <cryptoutil.h>
+declaration void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen)
+version SUNWprivate_1.1
+end
+
+function create_umech
+include <cryptoutil.h>
+declaration umechlist_t *create_umech(char *)
+version SUNWprivate_1.1
+end
+
+function free_umechlist
+include <cryptoutil.h>
+declaration void free_umechlist(umechlist_t *)
+version SUNWprivate_1.1
+end
+
+function free_uentrylist
+include <cryptoutil.h>
+declaration void free_uentrylist(uentrylist_t *)
+version SUNWprivate_1.1
+end
+
+function free_uentry
+include <cryptoutil.h>
+declaration void free_uentry(uentry_t *)
+version SUNWprivate_1.1
+end
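Review bot: The `tohexstr` entry exports `void tohexstr(uchar_t *bytes, size_t blen, char *hexstr, size_t hexlen)` with no way to report a too-small buffer, and the implementation added in common/tohexstr.c in this commit does not fully enforce `hexlen`: the guard `hexlen < (2 * i + 1)` still lets `hexstr[2 * i + 1]` be written when `hexlen` equals `2 * i + 1`, and `hexstr[2 * blen] = '\0'` runs regardless of `hexlen`. A caller that passes a buffer shorter than `2 * blen + 1` therefore gets an out-of-bounds write rather than a truncated string. Before the symbol is exported under SUNWprivate_1.1, either state the contract next to the entry, e.g. `# hexstr must hold at least 2 * blen + 1 bytes; hexlen is not checked for the terminator`, or bound every write in the function by `hexlen` and declare `bytes` as `const uchar_t *`. Separately, a blank line is missing between the `end` of `pkcs11_strerror` and `function get_pkcs11conf_info`.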
diff --git a/usr/src/lib/libcryptoutil/spec/i386/Makefile b/usr/src/lib/libcryptoutil/spec/i386/Makefile
new file mode 100644
index 0000000000..bb5123e331
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/i386/Makefile
@@ -0,0 +1,42 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"I
+
+.KEEP_STATE:
+
+include ../Makefile.targ
+
+# Add arch specific objects here
+OBJECTS +=
+
+include $(SRC)/lib/Makefile.lib
+
+# Uncomment the following if the linker complains
+#i386_C_PICFLAGS = -K PIC
+
+include $(SRC)/lib/Makefile.spec
+
+install: $(ROOTABILIB)
diff --git a/usr/src/lib/libcryptoutil/spec/sparc/Makefile b/usr/src/lib/libcryptoutil/spec/sparc/Makefile
new file mode 100644
index 0000000000..76d47aab26
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/sparc/Makefile
@@ -0,0 +1,42 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+
+.KEEP_STATE:
+
+include ../Makefile.targ
+
+# Add arch specific objects here
+OBJECTS +=
+
+include $(SRC)/lib/Makefile.lib
+
+# Uncomment the following if the linker complains
+#sparc_C_PICFLAGS = -K PIC
+
+include $(SRC)/lib/Makefile.spec
+
+install: $(ROOTABILIB)
diff --git a/usr/src/lib/libcryptoutil/spec/sparcv9/Makefile b/usr/src/lib/libcryptoutil/spec/sparcv9/Makefile
new file mode 100644
index 0000000000..1cfa32dc3c
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/sparcv9/Makefile
@@ -0,0 +1,43 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# ident "%Z%%M% %I% %E% SMI"
+
+.KEEP_STATE:
+
+include ../Makefile.targ
+
+# Add arch specific objects here
+OBJECTS +=
+
+include $(SRC)/lib/Makefile.lib
+include $(SRC)/lib/Makefile.lib.64
+
+# Uncomment the following if the linker complains
+#sparcv9_C_PICFLAGS = -K PIC
+
+include $(SRC)/lib/Makefile.spec
+
+install: $(ROOTABILIB64)
diff --git a/usr/src/lib/libcryptoutil/spec/versions b/usr/src/lib/libcryptoutil/spec/versions
new file mode 100644
index 0000000000..a990772196
--- /dev/null
+++ b/usr/src/lib/libcryptoutil/spec/versions
@@ -0,0 +1,38 @@
+#
+# Copyright 2005 Sun Microsystems, Inc. All rights reserved.
+# Use is subject to license terms.
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License, Version 1.0 only
+# (the "License"). You may not use this file except in compliance
+# with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#pragma ident "%Z%%M% %I% %E% SMI"
+
+sparc {
+ SUNWprivate_1.1;
+}
+sparcv9 {
+ SUNWprivate_1.1;
+}
+i386 {
+ SUNWprivate_1.1;
+}
+amd64 {
+ SUNWprivate_1.1;
+}