6592898 open elfsign, libelfsign

10 files changed, 2769 insertions, 0 deletions

diff --git a/usr/src/lib/libelfsign/Makefile b/usr/src/lib/libelfsign/Makefile
new file mode 100644
index 0000000000..1d663e73d1
--- /dev/null
+++ b/usr/src/lib/libelfsign/Makefile
@@ -0,0 +1,70 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# lib/libelfsign/Makefile
+#
+#ident	"%Z%%M%	%I%	%E% SMI"
+
+include $(SRC)/lib/Makefile.lib
+
+SUBDIRS=	$(MACH)
+
+POFILE=		libelfsign.po
+MSGFILES=	common/elfsignlib.c common/elfcertlib.c
+XGETFLAGS=	-a
+
+HDRS=		libelfsign.h
+ROOTHDRDIR=	$(ROOT)/usr/include
+HDRDIR=		common
+
+all:=		TARGET= all
+clean:=		TARGET= clean
+clobber:=	TARGET= clobber
+install:=	TARGET= install
+lint:=		TARGET= lint
+
+.KEEP_STATE:
+
+all clean clobber install: .WAIT $(SUBDIRS)
+
+install_h:	$(ROOTHDRS)
+
+check:		$(CHECKHDRS)
+
+lint:	$(SUBDIRS)
+
+$(SUBDIRS):	FRC
+	@cd $@; pwd; $(MAKE) $(TARGET)
+
+$(POFILE): $(MSGFILES)
+	$(BUILDPO.msgfiles)
+
+_msg: $(MSGDOMAINPOFILE)
+
+include $(SRC)/Makefile.msg.targ
+
+FRC:
+
+include $(SRC)/lib/Makefile.targ
diff --git a/usr/src/lib/libelfsign/Makefile.com b/usr/src/lib/libelfsign/Makefile.com
new file mode 100644
index 0000000000..c5faa4ea7e
--- /dev/null
+++ b/usr/src/lib/libelfsign/Makefile.com
@@ -0,0 +1,63 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+
+LIBRARY = libelfsign.a
+VERS = .1
+
+OBJECTS = \
+	elfcertlib.o \
+	elfsignlib.o
+
+include $(SRC)/lib/Makefile.lib
+
+SRCDIR =	../common
+
+LIBS =		$(DYNLIB) $(LINTLIB)
+$(LINTLIB):=	SRCS = $(SRCDIR)/$(LINTSRC)
+
+LDLIBS +=	-lmd -lelf -lkmf -lcryptoutil -lc
+
+MAPFILE =	mapfile
+MAPFILES =	$(MAPFILE)
+
+CFLAGS +=	$(CCMT) $(CCVERBOSE)
+CPPFLAGS +=	-D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS
+
+.KEEP_STATE:
+
+all:		$(LIBS)
+
+lint:		lintcheck
+
+$(MAPFILE):	$(SRCDIR)/$(MAPFILE).map
+		$(RM) $@
+		$(CPP) $(SRCDIR)/$(MAPFILE).map > $@
+
+CLEANFILES +=	$(MAPFILE)
+
+include $(SRC)/lib/Makefile.targ
diff --git a/usr/src/lib/libelfsign/README b/usr/src/lib/libelfsign/README
new file mode 100644
index 0000000000..059b4c7869
--- /dev/null
+++ b/usr/src/lib/libelfsign/README
@@ -0,0 +1,38 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+#ident	"%Z%%M%	%I%	%E% SMI"
+
+
+Note that this library does not have a spec file.
+
+There are no interfaces in this library that are public so an abi_
+library for appcert and friends doesn't make any sense.  If the APIs
+here are ever elevated to a public taxonomy then a spec file needs to
+be introduced.
+
+A 64 bit version of this library does not exist.
+That isn't an issue since kcfd(1m) and elfsign(1) are 32 bit
+applications and are the only consumers.
diff --git a/usr/src/lib/libelfsign/common/elfcertlib.c b/usr/src/lib/libelfsign/common/elfcertlib.c
new file mode 100644
index 0000000000..ddf24e6659
--- /dev/null
+++ b/usr/src/lib/libelfsign/common/elfcertlib.c
@@ -0,0 +1,644 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+#include <limits.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <dirent.h>
+#include <strings.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <md5.h>
+#include <pthread.h>
+
+#include <cryptoutil.h>
+
+#include <kmfapi.h>
+#include <sys/crypto/elfsign.h>
+#include <libelfsign.h>
+
+#include <synch.h>
+
+const char _PATH_ELFSIGN_CRYPTO_CERTS[] = CRYPTO_CERTS_DIR;
+const char _PATH_ELFSIGN_ETC_CERTS[] = ETC_CERTS_DIR;
+
+/*
+ * The CACERT and OBJCACERT are the Cryptographic Trust Anchors
+ * for the Solaris Cryptographic Framework.
+ */
+static const char _PATH_CRYPTO_CACERT[] = CRYPTO_CERTS_DIR "/CA";
+static const char _PATH_CRYPTO_OBJCACERT[] = CRYPTO_CERTS_DIR "/SUNWObjectCA";
+static ELFCert_t CACERT = NULL;
+static ELFCert_t OBJCACERT = NULL;
+static pthread_mutex_t ca_mutex = PTHREAD_MUTEX_INITIALIZER;
+
+static void elfcertlib_freecert(ELFsign_t, ELFCert_t);
+static ELFCert_t elfcertlib_allocatecert(void);
+
+/*
+ * elfcertlib_verifycert - Verify the Cert with a Trust Anchor
+ *
+ * IN	ess		- elfsign context structure
+ *	cert
+ * OUT	NONE
+ * RETURN	TRUE/FALSE
+ *
+ * We first setup the Trust Anchor (CA and SUNWObjectCA) certs
+ * if it hasn't been done already.  We verify that the files on disk
+ * are those we expected.
+ *
+ * We then verify the given cert using the publickey of a TA.
+ * If the passed in cert is a TA or it has been verified already we
+ * short cut and return TRUE without futher validation.
+ */
+/*ARGSUSED*/
+boolean_t
+elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert)
+{
+	KMF_RETURN rv;
+	if ((cert->c_verified == E_OK) || (cert->c_verified == E_IS_TA)) {
+		return (B_TRUE);
+	}
+
+	(void) pthread_mutex_lock(&ca_mutex);
+	if (CACERT == NULL) {
+		(void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_CACERT,
+		    NULL, &CACERT, ES_GET);
+	}
+	if (OBJCACERT == NULL) {
+		(void) elfcertlib_getcert(ess, (char *)_PATH_CRYPTO_OBJCACERT,
+		    NULL, &OBJCACERT, ES_GET);
+	}
+	(void) pthread_mutex_unlock(&ca_mutex);
+
+	if (CACERT != NULL) {
+		rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
+		    (const KMF_DATA *)&cert->c_cert,
+		    (const KMF_DATA *)&CACERT->c_cert.certificate);
+		if (rv == KMF_OK) {
+			if (ess->es_certCAcallback != NULL)
+				(ess->es_certvercallback)(ess->es_callbackctx,
+				    cert, CACERT);
+			cert->c_verified = E_OK;
+			return (B_TRUE);
+		}
+	}
+
+	if (OBJCACERT != NULL) {
+		rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
+		    (const KMF_DATA *)&cert->c_cert,
+		    (const KMF_DATA *)&OBJCACERT->c_cert.certificate);
+		if (rv == KMF_OK) {
+			if (ess->es_certCAcallback != NULL)
+				(ess->es_certvercallback)(ess->es_callbackctx,
+				    cert, OBJCACERT);
+			cert->c_verified = E_OK;
+			return (B_TRUE);
+		}
+	}
+
+	return (B_FALSE);
+}
+
+/*
+ * elfcertlib_getcert - Get the certificate for signer_DN
+ *
+ * IN	ess		- elfsign context structure
+ *	cert_pathname	- path to cert (May be NULL)
+ *	signer_DN	- The DN we are looking for (May be NULL)
+ *      action		- indicates crypto verification call
+ * OUT  certp		- allocated/loaded ELFCert_t
+ *
+ * If the cert_pathname is passed use it and don't search.
+ * Otherwise, go looking in certificate directories
+ */
+boolean_t
+elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
+    char *signer_DN, ELFCert_t *certp, enum ES_ACTION action)
+{
+	KMF_RETURN rv;
+	ELFCert_t	cert = NULL;
+	KMF_FINDCERT_PARAMS fcparams;
+	KMF_X509_DER_CERT certbuf[2];
+	uint32_t ncerts;
+	boolean_t ret = B_FALSE;
+	char	*pathlist[3], **plp;
+
+	cryptodebug("elfcertlib_getcert: path=%s, DN=%s",
+	    cert_pathname ? cert_pathname : "-none-",
+	    signer_DN ? signer_DN : "-none-");
+	*certp = NULL;
+	if (cert_pathname == NULL && signer_DN == NULL) {
+		cryptodebug("elfcertlib_getcert: lack of specificity");
+		return (ret);
+	}
+
+	plp = pathlist;
+	if (cert_pathname != NULL) {
+		/* look in the specified object */
+		*plp++ = cert_pathname;
+	} else {
+		/* look in the certificate directories */
+		*plp++ = (char *)_PATH_ELFSIGN_CRYPTO_CERTS;
+		/*
+		 * crypto verifications don't search beyond
+		 * _PATH_ELFSIGN_CRYPTO_CERTS
+		 */
+		if (action != ES_GET_CRYPTO)
+			*plp++ = (char *)_PATH_ELFSIGN_ETC_CERTS;
+	}
+	*plp = NULL;
+
+	if ((cert = elfcertlib_allocatecert()) == NULL) {
+		return (ret);
+	}
+
+	for (plp = pathlist; *plp; plp++) {
+		(void) memset(&fcparams, 0, sizeof (fcparams));
+		fcparams.kstype = KMF_KEYSTORE_OPENSSL;
+		fcparams.sslparms.certfile = *plp;
+		fcparams.subject = signer_DN;
+		ncerts = 2;
+
+		rv = KMF_FindCert(ess->es_kmfhandle, &fcparams, certbuf,
+		    &ncerts);
+		if (rv != KMF_OK)
+			continue;
+		if (ncerts > 1 && signer_DN == NULL) {
+			/* There can be only one */
+			cryptodebug("elfcertlib_getcert: "
+			    "too many certificates found in %s",
+			    cert_pathname);
+			goto cleanup;
+		}
+		/* found it, cache subject and issuer */
+		cert->c_cert = certbuf[0];
+		rv = KMF_GetCertSubjectNameString(ess->es_kmfhandle,
+		    &cert->c_cert.certificate, &cert->c_subject);
+		if (rv != KMF_OK)
+			goto cleanup;
+
+		rv = KMF_GetCertIssuerNameString(ess->es_kmfhandle,
+		    &cert->c_cert.certificate, &cert->c_issuer);
+		if (rv != KMF_OK)
+			goto cleanup;
+		break;
+	}
+	if (*plp == NULL) {
+		cryptodebug("elfcertlib_getcert: no certificate found");
+		goto cleanup;
+	}
+
+	cert->c_verified = E_UNCHECKED;
+
+	/*
+	 * If the cert we are loading it the trust anchor (ie the CA) then
+	 * we mark it as such in cert.  This is so that we don't attempt
+	 * to verify it later.  The CA is always implicitly verified.
+	 */
+	if (cert_pathname != NULL && (
+	    strcmp(cert_pathname, _PATH_CRYPTO_CACERT) == 0 ||
+	    strcmp(cert_pathname, _PATH_CRYPTO_OBJCACERT) == 0)) {
+		if (ess->es_certCAcallback != NULL)
+			(ess->es_certCAcallback)(ess->es_callbackctx, cert,
+			    cert_pathname);
+		cert->c_verified = E_IS_TA;
+	}
+
+	ret = B_TRUE;
+
+cleanup:
+	if (ret) {
+		*certp = cert;
+	} else {
+		if (cert != NULL)
+			elfcertlib_freecert(ess, cert);
+		if (signer_DN != NULL)
+			cryptoerror(LOG_ERR, "unable to find a certificate "
+			    "for DN: %s", signer_DN);
+		else
+			cryptoerror(LOG_ERR, "unable to load certificate "
+			    "from %s", cert_pathname);
+	}
+	return (ret);
+}
+
+/*
+ * elfcertlib_loadprivatekey - Load the private key from path
+ *
+ * IN	ess		- elfsign context structure
+ *	cert
+ *	pathname
+ * OUT	cert
+ * RETURNS	TRUE/FALSE
+ */
+boolean_t
+elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert, const char *pathname)
+{
+	KMF_RETURN rv = KMF_OK;
+	uint32_t nkeys = 2;
+	KMF_FINDKEY_PARAMS fkparams;
+	KMF_KEY_HANDLE	keybuf[2];
+
+	(void) memset(&fkparams, 0, sizeof (fkparams));
+	fkparams.keyclass = KMF_ASYM_PRI;
+	fkparams.kstype = KMF_KEYSTORE_OPENSSL;
+	fkparams.sslparms.keyfile = (char *)pathname;
+
+	rv = KMF_FindKey(ess->es_kmfhandle, &fkparams, keybuf, &nkeys);
+	if (rv != KMF_OK)
+		return (B_FALSE);
+	if (nkeys != 1) {
+		/* lack of specificity */
+		cryptodebug("found %d keys at %s", nkeys, pathname);
+		return (B_FALSE);
+	}
+	cert->c_privatekey = keybuf[0];
+	cryptodebug("key %s loaded", pathname);
+	return (B_TRUE);
+}
+
+/*
+ * elfcertlib_loadtokenkey - Load the private key from token
+ *
+ * IN	ess		- elfsign context structure
+ *	cert
+ *	token_label
+ *	pin
+ * OUT	cert
+ * RETURNS	TRUE/FALSE
+ */
+boolean_t
+elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
+    const char *token_label, const char *pin)
+{
+	KMF_RETURN rv = KMF_OK;
+	KMF_FINDKEY_PARAMS fkparams;
+	KMF_CONFIG_PARAMS cfgparams;
+	uint32_t nkeys = 1;
+	char *idstr = NULL;
+	char *err = NULL;
+
+	(void) memset(&fkparams, 0, sizeof (fkparams));
+	(void) memset(&cfgparams, 0, sizeof (cfgparams));
+
+	cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
+	cfgparams.pkcs11config.label = (char *)token_label;
+	cfgparams.pkcs11config.readonly = B_TRUE;
+	rv = KMF_ConfigureKeystore(ess->es_kmfhandle, &cfgparams);
+	if (rv != KMF_OK) {
+		if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
+			cryptodebug("Error configuring token access:"
+			    " %s\n", err);
+			free(err);
+		}
+		return (B_FALSE);
+	}
+
+	fkparams.idstr = idstr;
+	fkparams.kstype = KMF_KEYSTORE_PK11TOKEN;
+	fkparams.keyclass = KMF_ASYM_PRI;
+	fkparams.cred.cred = (char *)pin;
+	fkparams.cred.credlen = (pin != NULL ? strlen(pin) : 0);
+	fkparams.pkcs11parms.private = B_TRUE;
+
+	/*
+	 * We will search for the key based on the ID attribute
+	 * which was added when the key was created.  ID is
+	 * a SHA-1 hash of the public modulus shared by the
+	 * key and the certificate.
+	 */
+	rv = KMF_GetCertIDString(&cert->c_cert.certificate, &idstr);
+	if (rv != KMF_OK) {
+		if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
+			cryptodebug("Error getting ID from cert: %s\n", err);
+			free(err);
+		}
+		return (B_FALSE);
+	}
+	fkparams.idstr = idstr;
+
+	rv = KMF_FindKey(ess->es_kmfhandle, &fkparams,
+	    &cert->c_privatekey, &nkeys);
+	if (rv != KMF_OK || nkeys != 1) {
+		if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
+			cryptodebug("Error finding private key: %s\n", err);
+			free(err);
+		}
+		free(idstr);
+		return (B_FALSE);
+	}
+	cryptodebug("key found in %s", token_label);
+	cryptodebug("elfcertlib_loadprivatekey = 0x%.8X",
+	    &cert->c_privatekey);
+
+	free(idstr);
+	return (B_TRUE);
+}
+
+static const CK_BYTE MD5_DER_PREFIX[] = {0x30, 0x20, 0x30, 0x0c, 0x06, 0x08,
+	0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x02, 0x05, 0x05, 0x00, 0x04, 0x10};
+
+/*
+ * elfcertlib_sign - sign the given DATA using the privatekey in cert
+ *
+ * IN	ess		- elfsign context structure
+ *	cert
+ *	data
+ *	data_len
+ * OUT	sig	- must be big enough to hold the signature of data
+ *		  Caller must allocate
+ *	sig_len	- actual length used; 0 on failure.
+ * RETURNS	TRUE/FALSE
+ */
+/*ARGSUSED*/
+boolean_t
+elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
+	const uchar_t *data, size_t data_len,
+	uchar_t *sig, size_t *sig_len)
+{
+	KMF_RETURN ret = KMF_OK;
+	KMF_DATA tobesigned;
+	KMF_DATA signature;
+	uchar_t	 der_data[sizeof (MD5_DER_PREFIX) + MD5_DIGEST_LENGTH];
+
+	if (ess->es_version <= FILESIG_VERSION2) {
+		/* compatibility: take MD5 hash of SHA1 hash */
+		size_t	derlen = MD5_DIGEST_LENGTH;
+		MD5_CTX ctx;
+
+		/*
+		 * first: digest using software-based methods, don't
+		 * rely on the token for hashing.
+		 */
+		MD5Init(&ctx);
+		MD5Update(&ctx, data, data_len);
+		MD5Final(&der_data[sizeof (MD5_DER_PREFIX)], &ctx);
+
+		/*
+		 * second: insert prefix
+		 */
+		(void) memcpy(der_data, MD5_DER_PREFIX,
+		    sizeof (MD5_DER_PREFIX));
+		/*
+		 * prepare to sign the local buffer
+		 */
+		tobesigned.Data = (uchar_t *)der_data;
+		tobesigned.Length = sizeof (MD5_DER_PREFIX) + derlen;
+	} else {
+		tobesigned.Data = (uchar_t *)data;
+		tobesigned.Length = data_len;
+	}
+
+	signature.Data = (uchar_t *)sig;
+	signature.Length = *sig_len;
+
+	ret = KMF_SignDataWithKey(ess->es_kmfhandle,
+	    &cert->c_privatekey, (KMF_OID *)&KMFOID_RSA,
+	    &tobesigned, &signature);
+
+	if (ret != KMF_OK) {
+		char *err;
+		if (KMF_GetKMFErrorString(ret, &err) == KMF_OK &&
+		    err != NULL) {
+			cryptodebug("Error signing data: %s\n", err);
+			free(err);
+		}
+		*sig_len = 0;
+		return (B_FALSE);
+	}
+	*sig_len = signature.Length;
+	return (B_TRUE);
+}
+
+/*
+ * elfcertlib_verifysig - verify the given DATA using the public key in cert
+ *
+ * IN	ess		- elfsign context structure
+ *	cert
+ *	signature
+ *	sig_len
+ *	data
+ *	data_len
+ * OUT	N/A
+ * RETURNS	TRUE/FALSE
+ */
+boolean_t
+elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
+	const uchar_t *signature, size_t sig_len,
+	const uchar_t *data, size_t data_len)
+{
+	KMF_RETURN	rv;
+	KMF_DATA	indata;
+	KMF_DATA	insig;
+	KMF_ALGORITHM_INDEX algid;
+
+	indata.Data = (uchar_t *)data;
+	indata.Length = data_len;
+	insig.Data = (uchar_t *)signature;
+	insig.Length = sig_len;
+
+	if (ess->es_version <= FILESIG_VERSION2)
+		algid = KMF_ALGID_MD5WithRSA;
+	else
+		algid = KMF_ALGID_RSA;
+
+	/*
+	 * We tell KMF to use the OpenSSL verification
+	 * APIs here to avoid a circular dependency with
+	 * kcfd and libpkcs11.
+	 */
+	rv = KMF_VerifyDataWithCert(ess->es_kmfhandle,
+	    KMF_KEYSTORE_OPENSSL, algid,
+	    &indata, &insig, &cert->c_cert.certificate);
+
+	return ((rv == KMF_OK));
+}
+
+/*
+ * elfcertlib_getdn
+ *
+ * IN	cert
+ * OUT	NONE
+ * RETURN 	dn or NULL
+ */
+char *
+elfcertlib_getdn(ELFCert_t cert)
+{
+	cryptodebug("elfcertlib_getdn");
+
+	return (cert->c_subject);
+}
+
+/*
+ * elfcertlib_getissuer
+ *
+ * IN	cert
+ * OUT	NONE
+ * RETURN 	dn or NULL
+ */
+char *
+elfcertlib_getissuer(ELFCert_t cert)
+{
+	cryptodebug("elfcertlib_issuer");
+
+	return (cert->c_issuer);
+}
+
+boolean_t
+elfcertlib_init(ELFsign_t ess)
+{
+	boolean_t rc = B_TRUE;
+	KMF_RETURN rv;
+	if (ess->es_kmfhandle == NULL) {
+		rv = KMF_Initialize(&ess->es_kmfhandle, NULL, NULL);
+		if (rv != KMF_OK) {
+			cryptoerror(LOG_ERR,
+			    "unable to initialize KMF library");
+			rc = B_FALSE;
+		}
+	}
+	return (rc);
+}
+
+void
+elfcertlib_fini(ELFsign_t ess)
+{
+	(void) KMF_Finalize(ess->es_kmfhandle);
+}
+
+/*
+ * set the token device
+ */
+boolean_t
+elfcertlib_settoken(ELFsign_t ess, char *token)
+{
+	boolean_t rc = B_TRUE;
+	KMF_RETURN rv;
+	KMF_CONFIG_PARAMS cfgparams;
+
+	(void) memset(&cfgparams, 0, sizeof (cfgparams));
+	cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
+	cfgparams.pkcs11config.label = token;
+	cfgparams.pkcs11config.readonly = B_TRUE;
+	rv = KMF_ConfigureKeystore(ess->es_kmfhandle, &cfgparams);
+	if (rv != KMF_OK) {
+		cryptoerror(LOG_ERR, "unable to select token\n");
+		rc = B_FALSE;
+	}
+
+	return (rc);
+}
+
+/*
+ * set the certificate CA identification callback
+ */
+void
+elfcertlib_setcertCAcallback(ELFsign_t ess,
+    void (*cb)(void *, ELFCert_t, char *))
+{
+	ess->es_certCAcallback = cb;
+}
+
+/*
+ * set the certificate verification callback
+ */
+void
+elfcertlib_setcertvercallback(ELFsign_t ess,
+    void (*cb)(void *, ELFCert_t, ELFCert_t))
+{
+	ess->es_certvercallback = cb;
+}
+
+
+/*
+ * elfcertlib_releasecert - release a cert
+ *
+ * IN cert
+ * OUT cert
+ * RETURN	N/A
+ *
+ */
+void
+elfcertlib_releasecert(ELFsign_t ess, ELFCert_t cert)
+{
+	elfcertlib_freecert(ess, cert);
+}
+
+/*
+ * elfcertlib_allocatecert - create a new ELFCert_t
+ *
+ * IN N/A
+ * OUT	N/A
+ * RETURN 	ELFCert_t, NULL on failure.
+ */
+static ELFCert_t
+elfcertlib_allocatecert(void)
+{
+	ELFCert_t cert = NULL;
+
+	cert = malloc(sizeof (struct ELFCert_s));
+	if (cert == NULL) {
+		cryptoerror(LOG_ERR,
+		    "elfcertlib_allocatecert: malloc failed %s",
+		    strerror(errno));
+		return (NULL);
+	}
+	(void) memset(cert, 0, sizeof (struct ELFCert_s));
+	cert->c_verified = E_UNCHECKED;
+	cert->c_subject = NULL;
+	cert->c_issuer = NULL;
+	return (cert);
+}
+
+/*
+ * elfcertlib_freecert - freeup the memory of a cert
+ *
+ * IN cert
+ * OUT cert
+ * RETURN	N/A
+ *
+ */
+static void
+elfcertlib_freecert(ELFsign_t ess, ELFCert_t cert)
+{
+	if (cert == NULL)
+		return;
+
+	free(cert->c_subject);
+	free(cert->c_issuer);
+
+	KMF_FreeKMFCert(ess->es_kmfhandle, &cert->c_cert);
+	KMF_FreeKMFKey(ess->es_kmfhandle, &cert->c_privatekey);
+
+	free(cert);
+}
diff --git a/usr/src/lib/libelfsign/common/elfsignlib.c b/usr/src/lib/libelfsign/common/elfsignlib.c
new file mode 100644
index 0000000000..00f71a125d
--- /dev/null
+++ b/usr/src/lib/libelfsign/common/elfsignlib.c
@@ -0,0 +1,1598 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+#define	ELF_TARGET_ALL	/* get definitions of all section flags */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <strings.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <libintl.h>
+#include <dirent.h>
+#include <errno.h>
+#include <libelf.h>
+#include <gelf.h>
+#include <sys/mman.h>
+#include <cryptoutil.h>
+#include <sha1.h>
+#include <sys/crypto/elfsign.h>
+#include <libelfsign.h>
+
+#ifndef SHA1_DIGEST_LENGTH
+#define	SHA1_DIGEST_LENGTH 20
+#endif /* SHA1_DIGEST_LENGTH */
+
+const char SUNW_ELF_SIGNATURE_ID[] =	ELF_SIGNATURE_SECTION;
+const char OID_sha1WithRSAEncryption[] = "1.2.840.113549.1.1.5";
+
+static ELFsign_status_t elfsign_adjustoffsets(ELFsign_t ess,
+    Elf_Scn *scn, uint64_t new_size);
+static ELFsign_status_t elfsign_verify_esa(ELFsign_t ess,
+    uchar_t *sig, size_t sig_len);
+static uint32_t elfsign_switch_uint32(uint32_t i);
+static ELFsign_status_t elfsign_switch(ELFsign_t ess,
+    struct filesignatures *fssp, enum ES_ACTION action);
+
+struct filesig_extraction {
+	filesig_vers_t	fsx_version;
+	char	*fsx_format;
+	char	fsx_signer_DN[ELFCERT_MAX_DN_LEN];
+	size_t	fsx_signer_DN_len;
+	uchar_t	fsx_signature[SIG_MAX_LENGTH];
+	size_t	fsx_sig_len;
+	char	fsx_sig_oid[100];
+	size_t	fsx_sig_oid_len;
+	time_t	fsx_time;
+};
+
+static char *
+version_to_str(filesig_vers_t v)
+{
+	char	*ret;
+
+	switch (v) {
+	case FILESIG_VERSION1:
+		ret = "VERSION1";
+		break;
+	case FILESIG_VERSION2:
+		ret = "VERSION2";
+		break;
+	case FILESIG_VERSION3:
+		ret = "VERSION3";
+		break;
+	case FILESIG_VERSION4:
+		ret = "VERSION4";
+		break;
+	default:
+		ret = "UNKNOWN";
+		break;
+	}
+	return (ret);
+}
+
+/*
+ * Update filesignatures to include the v1/v2 filesig,
+ *	composed of signer DN, signature, and OID.
+ */
+static struct filesignatures *
+filesig_insert_dso(struct filesignatures *fssp,
+    filesig_vers_t	version,
+    const char		*dn,
+    int			dn_len,
+    const uchar_t	*sig,
+    int			sig_len,
+    const char		*oid,
+    int			oid_len)
+{
+	struct filesig	*fsgp;
+	char		*fsdatap;
+
+	if (oid == NULL) {
+		/*
+		 * This OID is used for the rsa_md5_sha1 format signature also.
+		 * This use is historical, and is hence continued,
+		 * despite its lack of technical accuracy.
+		 */
+		oid = OID_sha1WithRSAEncryption;
+		oid_len = strlen(oid);
+	}
+
+	/*
+	 * for now, always insert a single-signature signature block
+	 */
+	if (fssp != NULL)
+		free(fssp);
+	fssp  = (struct filesignatures *)
+	    malloc(filesig_ALIGN(sizeof (struct filesignatures) +
+	    dn_len + sig_len + oid_len));
+	if (fssp == NULL)
+		return (fssp);
+
+	fssp->filesig_cnt = 1;
+	fssp->filesig_pad = 0;	/* reserve for future use */
+
+	fsgp = &fssp->filesig_sig;
+	fsgp->filesig_size = sizeof (struct filesig) +
+	    dn_len + sig_len + oid_len;
+	fsgp->filesig_version = version;
+	switch (version) {
+	case FILESIG_VERSION1:
+	case FILESIG_VERSION2:
+		fsgp->filesig_size -= sizeof (struct filesig) -
+		    offsetof(struct filesig, filesig_v1_data[0]);
+		fsgp->filesig_v1_dnsize = dn_len;
+		fsgp->filesig_v1_sigsize = sig_len;
+		fsgp->filesig_v1_oidsize = oid_len;
+		fsdatap = &fsgp->filesig_v1_data[0];
+		break;
+	case FILESIG_VERSION3:
+	case FILESIG_VERSION4:
+		fsgp->filesig_size -= sizeof (struct filesig) -
+		    offsetof(struct filesig, filesig_v3_data[0]);
+		fsgp->filesig_v3_time = time(NULL);
+		fsgp->filesig_v3_dnsize = dn_len;
+		fsgp->filesig_v3_sigsize = sig_len;
+		fsgp->filesig_v3_oidsize = oid_len;
+		fsdatap = &fsgp->filesig_v3_data[0];
+		break;
+	default:
+		cryptodebug("filesig_insert_dso: unknown version: %d",
+		    version);
+		free(fssp);
+		return (NULL);
+	}
+	(void) memcpy(fsdatap, dn, dn_len);
+	fsdatap += dn_len;
+	(void) memcpy(fsdatap, (char *)sig, sig_len);
+	fsdatap += sig_len;
+	(void) memcpy(fsdatap, oid, oid_len);
+	fsdatap += oid_len;
+	fsgp = filesig_next(fsgp);
+	(void) memset(fsdatap, 0, (char *)(fsgp) - fsdatap);
+
+	return (fssp);
+}
+
+/*
+ * filesig_extract - extract filesig structure to internal form
+ */
+static filesig_vers_t
+filesig_extract(struct filesig *fsgp, struct filesig_extraction *fsxp)
+{
+	char	*fsdp;
+
+#define	filesig_extract_common(cp, field, data_var, len_var, len_limit)  { \
+	len_var = len_limit; \
+	if (len_var > fsgp->field) \
+		len_var = fsgp->field; \
+	(void) memcpy(data_var, cp, len_var); \
+	cp += fsgp->field; }
+#define	filesig_extract_str(cp, field, data_var, len_var) \
+	filesig_extract_common(cp, field, data_var, len_var, \
+	    sizeof (data_var) - 1); \
+	data_var[len_var] = '\0';
+#define	filesig_extract_opaque(cp, field, data_var, len_var) \
+	filesig_extract_common(cp, field, data_var, len_var, sizeof (data_var))
+
+	fsxp->fsx_version = fsgp->filesig_version;
+	cryptodebug("filesig_extract: version=%s",
+	    version_to_str(fsxp->fsx_version));
+	switch (fsxp->fsx_version) {
+	case FILESIG_VERSION1:
+	case FILESIG_VERSION2:
+		/*
+		 * extract VERSION1 DN, signature, and OID
+		 */
+		fsdp = fsgp->filesig_v1_data;
+		fsxp->fsx_format = ES_FMT_RSA_MD5_SHA1;
+		fsxp->fsx_time = 0;
+		filesig_extract_str(fsdp, filesig_v1_dnsize,
+		    fsxp->fsx_signer_DN, fsxp->fsx_signer_DN_len);
+		filesig_extract_opaque(fsdp, filesig_v1_sigsize,
+		    fsxp->fsx_signature, fsxp->fsx_sig_len);
+		filesig_extract_str(fsdp, filesig_v1_oidsize,
+		    fsxp->fsx_sig_oid, fsxp->fsx_sig_oid_len);
+		break;
+	case FILESIG_VERSION3:
+	case FILESIG_VERSION4:
+		fsdp = fsgp->filesig_v3_data;
+		fsxp->fsx_format = ES_FMT_RSA_SHA1;
+		fsxp->fsx_time = fsgp->filesig_v3_time;
+		filesig_extract_str(fsdp, filesig_v3_dnsize,
+		    fsxp->fsx_signer_DN, fsxp->fsx_signer_DN_len);
+		filesig_extract_opaque(fsdp, filesig_v3_sigsize,
+		    fsxp->fsx_signature, fsxp->fsx_sig_len);
+		filesig_extract_str(fsdp, filesig_v3_oidsize,
+		    fsxp->fsx_sig_oid, fsxp->fsx_sig_oid_len);
+		break;
+	default:
+		break;
+	}
+
+	return (fsxp->fsx_version);
+}
+
+ELFsign_status_t
+elfsign_begin(const char *filename, enum ES_ACTION action, ELFsign_t *essp)
+{
+	Elf_Cmd		elfcmd;
+	int		oflags = 0;
+	short		l_type;
+	ELFsign_t	ess;
+	struct stat	stb;
+	union {
+		char	c[2];
+		short	s;
+	}	uorder;
+	GElf_Ehdr	elfehdr;
+	char		*ident;
+
+	switch (action) {
+	case ES_GET:
+	case ES_GET_CRYPTO:
+		cryptodebug("elfsign_begin for get");
+		elfcmd = ELF_C_READ;
+		oflags = O_RDONLY | O_NOCTTY | O_NDELAY;
+		l_type = F_RDLCK;
+		break;
+	case ES_UPDATE_RSA_MD5_SHA1:
+	case ES_UPDATE_RSA_SHA1:
+		cryptodebug("elfsign_begin for update");
+		elfcmd = ELF_C_RDWR;
+		oflags = O_RDWR | O_NOCTTY | O_NDELAY;
+		l_type = F_WRLCK;
+		break;
+	default:
+		return (ELFSIGN_UNKNOWN);
+	}
+
+	if ((ess = malloc(sizeof (struct ELFsign_s))) == NULL) {
+		return (ELFSIGN_UNKNOWN);
+	}
+	(void) memset((void *)ess, 0, sizeof (struct ELFsign_s));
+
+	if (!elfcertlib_init(ess)) {
+		cryptodebug("elfsign_begin: failed initialization");
+		return (ELFSIGN_UNKNOWN);
+	}
+
+	ess->es_elf = NULL;
+	ess->es_action = action;
+	ess->es_version = FILESIG_UNKNOWN;
+	ess->es_pathname = NULL;
+	ess->es_certpath = NULL;
+
+	if (filename == NULL) {
+		*essp = ess;
+		return (ELFSIGN_SUCCESS);
+	}
+
+	if ((ess->es_fd = open(filename, oflags)) == -1) {
+		elfsign_end(ess);
+		return (ELFSIGN_INVALID_ELFOBJ);
+	}
+	if ((fstat(ess->es_fd, &stb) == -1) || !S_ISREG(stb.st_mode)) {
+		elfsign_end(ess);
+		return (ELFSIGN_INVALID_ELFOBJ);
+	}
+	if ((ess->es_pathname = strdup(filename)) == NULL) {
+		elfsign_end(ess);
+		return (ELFSIGN_UNKNOWN);
+	}
+	/*
+	 * The following lock is released in elfsign_end() when we close(2)
+	 * the es_fd. This ensures that we aren't trying verify a file
+	 * we are currently updating.
+	 */
+	ess->es_flock.l_type = l_type;
+	ess->es_flock.l_whence = SEEK_CUR;
+	ess->es_flock.l_start = 0;
+	ess->es_flock.l_len = 0;
+	if (fcntl(ess->es_fd, F_SETLK, &ess->es_flock) == -1) {
+		cryptodebug("fcntl(F_SETLK) of %s failed with: %s",
+		    ess->es_pathname, strerror(errno));
+		elfsign_end(ess);
+		return (ELFSIGN_UNKNOWN);
+	}
+
+	if (elf_version(EV_CURRENT) == EV_NONE) {
+		elfsign_end(ess);
+		return (ELFSIGN_UNKNOWN);
+	}
+
+	if ((ess->es_elf = elf_begin(ess->es_fd, elfcmd,
+	    (Elf *)NULL)) == NULL) {
+		cryptodebug("elf_begin() failed: %s", elf_errmsg(-1));
+		elfsign_end(ess);
+		return (ELFSIGN_INVALID_ELFOBJ);
+	}
+
+	if (gelf_getehdr(ess->es_elf, &elfehdr) == NULL) {
+		cryptodebug("elf_getehdr() failed: %s", elf_errmsg(-1));
+		elfsign_end(ess);
+		return (ELFSIGN_INVALID_ELFOBJ);
+	}
+	ess->es_has_phdr = (elfehdr.e_phnum != 0);
+
+	uorder.s = ELFDATA2MSB << 8 | ELFDATA2LSB;
+	ident = elf_getident(ess->es_elf, NULL);
+	if (ident == NULL) {
+		cryptodebug("elf_getident() failed: %s", elf_errmsg(-1));
+		elfsign_end(ess);
+		return (ELFSIGN_INVALID_ELFOBJ);
+	}
+	ess->es_same_endian = (ident[EI_DATA] == uorder.c[0]);
+	ess->es_ei_class = ident[EI_CLASS];
+
+	/*
+	 * Call elf_getshstrndx to be sure we have a real ELF object
+	 * this is required because elf_begin doesn't check that.
+	 */
+	if (elf_getshstrndx(ess->es_elf, &ess->es_shstrndx) == 0) {
+		elfsign_end(ess);
+		cryptodebug("elfsign_begin: elf_getshstrndx failed");
+		return (ELFSIGN_INVALID_ELFOBJ);
+	}
+
+	/*
+	 * Make sure libelf doesn't rearrange section ordering / offsets.
+	 */
+	(void) elf_flagelf(ess->es_elf, ELF_C_SET, ELF_F_LAYOUT);
+
+	*essp = ess;
+
+	return (ELFSIGN_SUCCESS);
+}
+
+/*
+ * elfsign_end - cleanup the ELFsign_t
+ *
+ * IN/OUT:	ess
+ */
+void
+elfsign_end(ELFsign_t ess)
+{
+	if (ess == NULL)
+		return;
+
+	if (ess->es_elf != NULL && ES_ACTISUPDATE(ess->es_action)) {
+		if (elf_update(ess->es_elf, ELF_C_WRITE) == -1) {
+			cryptodebug("elf_update() failed: %s",
+			    elf_errmsg(-1));
+			return;
+		}
+	}
+
+	if (ess->es_fd != -1) {
+		(void) close(ess->es_fd);
+		ess->es_fd = -1;
+	}
+
+	if (ess->es_pathname != NULL) {
+		free(ess->es_pathname);
+		ess->es_pathname = NULL;
+	}
+	if (ess->es_certpath != NULL) {
+		free(ess->es_certpath);
+		ess->es_certpath = NULL;
+	}
+
+	if (ess->es_elf != NULL) {
+		(void) elf_end(ess->es_elf);
+		ess->es_elf = NULL;
+	}
+
+	elfcertlib_fini(ess);
+
+	free(ess);
+}
+
+/*
+ * set the certificate path
+ */
+ELFsign_status_t
+elfsign_setcertpath(ELFsign_t ess, const char *certpath)
+{
+	/*
+	 * Normally use of access(2) is insecure, here we are only
+	 * doing it to help provide early failure and better error
+	 * checking, so there is no race condition.
+	 */
+	if (access(certpath, R_OK) != 0) {
+		elfsign_end(ess);
+		return (ELFSIGN_INVALID_CERTPATH);
+	}
+	ess->es_certpath = strdup(certpath);
+
+	if (ES_ACTISUPDATE(ess->es_action)) {
+		ELFCert_t	cert = NULL;
+		char		*subject;
+
+		/* set the version based on the certificate */
+		if (elfcertlib_getcert(ess, ess->es_certpath, NULL,
+		    &cert, ess->es_action)) {
+			if ((subject = elfcertlib_getdn(cert)) != NULL) {
+				if (strstr(subject, ELFSIGN_CRYPTO))
+					ess->es_version = (ess->es_action ==
+					    ES_UPDATE_RSA_MD5_SHA1) ?
+					    FILESIG_VERSION1 : FILESIG_VERSION3;
+				else
+					ess->es_version = (ess->es_action ==
+					    ES_UPDATE_RSA_MD5_SHA1) ?
+					    FILESIG_VERSION2 : FILESIG_VERSION4;
+			}
+			elfcertlib_releasecert(ess, cert);
+		}
+		if (ess->es_version == FILESIG_UNKNOWN)
+			return (ELFSIGN_FAILED);
+	}
+	return (ELFSIGN_SUCCESS);
+}
+
+/*
+ * set the callback context
+ */
+void
+elfsign_setcallbackctx(ELFsign_t ess, void *ctx)
+{
+	ess->es_callbackctx = ctx;
+}
+
+/*
+ * set the signature extraction callback
+ */
+void
+elfsign_setsigvercallback(ELFsign_t ess,
+    void (*cb)(void *, void *, size_t, ELFCert_t))
+{
+	ess->es_sigvercallback = cb;
+}
+
+/*
+ * elfsign_signatures
+ *
+ * IN: 	ess, fsspp, action
+ * OUT:	fsspp
+ */
+ELFsign_status_t
+elfsign_signatures(ELFsign_t ess,
+    struct filesignatures **fsspp,
+    size_t *fslen,
+    enum ES_ACTION action)
+{
+	Elf_Scn		*scn = NULL, *sig_scn = NULL;
+	GElf_Shdr	shdr;
+	Elf_Data	*data = NULL;
+	const char	*elf_section = SUNW_ELF_SIGNATURE_ID;
+	int		fscnt, fssize;
+	struct filesig	*fsgp, *fsgpnext;
+	uint64_t	sig_offset = 0;
+
+	cryptodebug("elfsign_signature");
+	if ((ess == NULL) || (fsspp == NULL)) {
+		cryptodebug("invalid arguments");
+		return (ELFSIGN_UNKNOWN);
+	}
+
+	cryptodebug("elfsign_signature %s for %s",
+	    ES_ACTISUPDATE(action) ? "ES_UPDATE" : "ES_GET", elf_section);
+
+	(void) elf_errno();
+	while ((scn = elf_nextscn(ess->es_elf, scn)) != NULL) {
+		const char	*sh_name;
+		/*
+		 * Do a string compare to examine each section header
+		 * to see if this is the section that needs to be updated.
+		 */
+		if (gelf_getshdr(scn, &shdr) == NULL) {
+			cryptodebug("gelf_getshdr() failed: %s",
+			    elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		sh_name = elf_strptr(ess->es_elf, ess->es_shstrndx,
+		    (size_t)shdr.sh_name);
+		if (strcmp(sh_name, elf_section) == 0) {
+			cryptodebug("elfsign_signature: found %s", elf_section);
+			sig_scn = scn;
+			break;
+		}
+		if (shdr.sh_type != SHT_NOBITS &&
+		    sig_offset < shdr.sh_offset + shdr.sh_size) {
+			sig_offset = shdr.sh_offset + shdr.sh_size;
+		}
+	}
+	if (elf_errmsg(0) != NULL) {
+		cryptodebug("unexpected error: %s", elf_section,
+		    elf_errmsg(-1));
+		return (ELFSIGN_FAILED);
+	}
+
+	if (ES_ACTISUPDATE(action) && (sig_scn == NULL))  {
+		size_t	old_size, new_size;
+		char	*new_d_buf;
+
+		cryptodebug("elfsign_signature: %s not found - creating",
+		    elf_section);
+
+		/*
+		 * insert section name in .shstrtab
+		 */
+		if ((scn = elf_getscn(ess->es_elf, ess->es_shstrndx)) == 0) {
+			cryptodebug("elf_getscn() failed: %s",
+			    elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		if (gelf_getshdr(scn, &shdr) == NULL) {
+			cryptodebug("gelf_getshdr() failed: %s",
+			    elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		if ((data = elf_getdata(scn, data)) == NULL) {
+			cryptodebug("elf_getdata() failed: %s",
+			    elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		old_size = data->d_size;
+		if (old_size != shdr.sh_size) {
+			cryptodebug("mismatch between data size %d "
+			    "and section size %lld", old_size, shdr.sh_size);
+			return (ELFSIGN_FAILED);
+		}
+		new_size = old_size + strlen(elf_section) + 1;
+		if ((new_d_buf = malloc(new_size)) == NULL)
+			return (ELFSIGN_FAILED);
+
+		(void) memcpy(new_d_buf, data->d_buf, old_size);
+		(void) strlcpy(new_d_buf + old_size, elf_section,
+		    new_size - old_size);
+		data->d_buf = new_d_buf;
+		data->d_size = new_size;
+		data->d_align = 1;
+		/*
+		 * Add the section name passed in to the end of the file.
+		 * Initialize the fields in the Section Header that
+		 * libelf will not fill in.
+		 */
+		if ((sig_scn = elf_newscn(ess->es_elf)) == 0) {
+			cryptodebug("elf_newscn() failed: %s",
+			    elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		if (gelf_getshdr(sig_scn, &shdr) == 0) {
+			cryptodebug("gelf_getshdr() failed: %s",
+			    elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		shdr.sh_name = old_size;
+		shdr.sh_type = SHT_SUNW_SIGNATURE;
+		shdr.sh_flags = SHF_EXCLUDE;
+		shdr.sh_addr = 0;
+		shdr.sh_link = 0;
+		shdr.sh_info = 0;
+		shdr.sh_size = 0;
+		shdr.sh_offset = sig_offset;
+		shdr.sh_addralign = 1;
+
+		/*
+		 * Flush the changes to the underlying elf32 or elf64
+		 * section header.
+		 */
+		if (gelf_update_shdr(sig_scn, &shdr) == 0) {
+			cryptodebug("gelf_update_shdr failed");
+			return (ELFSIGN_FAILED);
+		}
+
+		if ((data = elf_newdata(sig_scn)) == NULL) {
+			cryptodebug("can't add elf data area for %s: %s",
+			    elf_section, elf_errmsg(-1));
+			return (ELFSIGN_FAILED);
+		}
+		if (elfsign_adjustoffsets(ess, scn,
+		    old_size + strlen(elf_section) + 1) != ELFSIGN_SUCCESS) {
+			cryptodebug("can't adjust for new section name %s",
+			    elf_section);
+			return (ELFSIGN_FAILED);
+		}
+	} else {
+		if (sig_scn == NULL) {
+			cryptodebug("can't find signature section");
+			*fsspp = NULL;
+			return (ELFSIGN_NOTSIGNED);
+		}
+		if ((data = elf_getdata(sig_scn, NULL)) == 0) {
+			cryptodebug("can't get section data for %s",
+			    elf_section);
+			return (ELFSIGN_FAILED);
+		}
+	}
+
+	if (ES_ACTISUPDATE(action))  {
+		fssize = offsetof(struct filesignatures, _u1);
+		if (*fsspp != NULL) {
+			fsgp = &(*fsspp)->filesig_sig;
+			for (fscnt = 0; fscnt < (*fsspp)->filesig_cnt;
+			    fscnt++) {
+				fsgpnext = filesig_next(fsgp);
+				fssize += (char *)(fsgpnext) - (char *)(fsgp);
+				fsgp = fsgpnext;
+			}
+		}
+		if (shdr.sh_addr != 0) {
+			cryptodebug("section %s is part of a loadable segment, "
+			    "it cannot be changed.\n", elf_section);
+			return (ELFSIGN_FAILED);
+		}
+		if ((data->d_buf = malloc(fssize)) == NULL)
+			return (ELFSIGN_FAILED);
+		if (*fsspp != NULL) {
+			(void) memcpy(data->d_buf, *fsspp, fssize);
+			(void) elfsign_switch(ess,
+			    (struct filesignatures *)data->d_buf, action);
+		}
+		data->d_size = fssize;
+		data->d_align = 1;
+		data->d_type = ELF_T_BYTE;
+		cryptodebug("elfsign_signature: data->d_size = %d",
+		    data->d_size);
+		if (elfsign_adjustoffsets(ess, sig_scn, fssize) !=
+		    ELFSIGN_SUCCESS) {
+			cryptodebug("can't adjust for revised signature "
+			    "section contents");
+			return (ELFSIGN_FAILED);
+		}
+	} else {
+		*fsspp = malloc(data->d_size);
+		if (*fsspp == NULL)
+			return (ELFSIGN_FAILED);
+		(void) memcpy(*fsspp, data->d_buf, data->d_size);
+		if (elfsign_switch(ess, *fsspp, ES_GET) != ELFSIGN_SUCCESS) {
+			free(*fsspp);
+			*fsspp = NULL;
+			return (ELFSIGN_FAILED);
+		}
+		*fslen = data->d_size;
+	}
+
+	return (ELFSIGN_SUCCESS);
+}
+
+static ELFsign_status_t
+elfsign_adjustoffsets(ELFsign_t ess, Elf_Scn *scn, uint64_t new_size)
+{
+	GElf_Ehdr	elfehdr;
+	GElf_Shdr	shdr;
+	uint64_t	prev_end, scn_offset;
+	char		*name;
+	Elf_Scn		*scnp;
+	Elf_Data	*data;
+	ELFsign_status_t	retval = ELFSIGN_FAILED;
+	struct scninfo {
+		struct scninfo	*scni_next;
+		Elf_Scn		*scni_scn;
+		uint64_t	scni_offset;
+	}		*scnip = NULL, *tmpscnip, **scnipp;
+
+	/* get the size of the current section */
+	if (gelf_getshdr(scn, &shdr) == NULL)
+		return (ELFSIGN_FAILED);
+	if (shdr.sh_size == new_size)
+		return (ELFSIGN_SUCCESS);
+	scn_offset = shdr.sh_offset;
+	name = elf_strptr(ess->es_elf, ess->es_shstrndx,
+	    (size_t)shdr.sh_name);
+	if (shdr.sh_flags & SHF_ALLOC && ess->es_has_phdr) {
+		cryptodebug("elfsign_adjustoffsets: "
+		    "can't move allocated section %s", name ? name : "NULL");
+		return (ELFSIGN_FAILED);
+	}
+
+	/* resize the desired section */
+	cryptodebug("elfsign_adjustoffsets: "
+	    "resizing %s at 0x%llx from 0x%llx to 0x%llx",
+	    name ? name : "NULL", shdr.sh_offset, shdr.sh_size, new_size);
+	shdr.sh_size = new_size;
+	if (gelf_update_shdr(scn, &shdr) == 0) {
+		cryptodebug("gelf_update_shdr failed");
+		goto bad;
+	}
+	prev_end = shdr.sh_offset + shdr.sh_size;
+
+	/*
+	 * find sections whose data follows the changed section
+	 *	must scan all sections since section data may not
+	 *	be in same order as section headers
+	 */
+	scnp = elf_getscn(ess->es_elf, 0);	/* "seek" to start */
+	while ((scnp = elf_nextscn(ess->es_elf, scnp)) != NULL) {
+		if (gelf_getshdr(scnp, &shdr) == NULL)
+			goto bad;
+		if (shdr.sh_offset <= scn_offset)
+			continue;
+		name = elf_strptr(ess->es_elf, ess->es_shstrndx,
+		    (size_t)shdr.sh_name);
+		if (shdr.sh_flags & SHF_ALLOC && ess->es_has_phdr) {
+			if (shdr.sh_type == SHT_NOBITS) {
+				/* .bss can occasionally overlap .shrtab */
+				continue;
+			}
+			cryptodebug("elfsign_adjustoffsets: "
+			    "can't move allocated section %s",
+			    name ? name : "NULL");
+			goto bad;
+		}
+		/*
+		 * force reading of data to memory image
+		 */
+		data = NULL;
+		while ((data = elf_rawdata(scnp, data)) != NULL)
+			;
+		/*
+		 * capture section information
+		 * insert into list in order of sh_offset
+		 */
+		cryptodebug("elfsign_adjustoffsets: "
+		    "may have to adjust section %s, offset 0x%llx",
+		    name ? name : "NULL", shdr.sh_offset);
+		tmpscnip = (struct scninfo *)malloc(sizeof (struct scninfo));
+		if (tmpscnip == NULL) {
+			cryptodebug("elfsign_adjustoffsets: "
+			    "memory allocation failure");
+			goto bad;
+		}
+		tmpscnip->scni_scn = scnp;
+		tmpscnip->scni_offset = shdr.sh_offset;
+		for (scnipp = &scnip; *scnipp != NULL;
+		    scnipp = &(*scnipp)->scni_next) {
+			if ((*scnipp)->scni_offset > tmpscnip->scni_offset)
+				break;
+		}
+		tmpscnip->scni_next = *scnipp;
+		*scnipp = tmpscnip;
+	}
+
+	/* move following sections as necessary */
+	for (tmpscnip = scnip; tmpscnip != NULL;
+	    tmpscnip = tmpscnip->scni_next) {
+		scnp = tmpscnip->scni_scn;
+		if (gelf_getshdr(scnp, &shdr) == NULL) {
+			cryptodebug("elfsign_adjustoffsets: "
+			    "elf_getshdr for section %d failed",
+			    elf_ndxscn(scnp));
+			goto bad;
+		}
+		if (shdr.sh_offset >= prev_end)
+			break;
+		prev_end = (prev_end + shdr.sh_addralign - 1) &
+		    (-shdr.sh_addralign);
+		name = elf_strptr(ess->es_elf, ess->es_shstrndx,
+		    (size_t)shdr.sh_name);
+		cryptodebug("elfsign_adjustoffsets: "
+		    "moving %s size 0x%llx from 0x%llx to 0x%llx",
+		    name ? name : "NULL", shdr.sh_size,
+		    shdr.sh_offset, prev_end);
+		shdr.sh_offset = prev_end;
+		if (gelf_update_shdr(scnp, &shdr) == 0) {
+			cryptodebug("gelf_update_shdr failed");
+			goto bad;
+		}
+		prev_end = shdr.sh_offset + shdr.sh_size;
+	}
+
+	/*
+	 * adjust section header offset in elf header
+	 */
+	if (gelf_getehdr(ess->es_elf, &elfehdr) == NULL) {
+		cryptodebug("elf_getehdr() failed: %s", elf_errmsg(-1));
+		goto bad;
+	}
+	if (elfehdr.e_shoff < prev_end) {
+		if (ess->es_ei_class == ELFCLASS32)
+			prev_end = (prev_end + ELF32_FSZ_OFF - 1) &
+			    (-ELF32_FSZ_OFF);
+		else if (ess->es_ei_class == ELFCLASS64)
+			prev_end = (prev_end + ELF64_FSZ_OFF - 1) &
+			    (-ELF64_FSZ_OFF);
+		cryptodebug("elfsign_adjustoffsets: "
+		    "move sh_off from 0x%llx to 0x%llx",
+		    elfehdr.e_shoff, prev_end);
+		elfehdr.e_shoff = prev_end;
+		if (gelf_update_ehdr(ess->es_elf, &elfehdr) == 0) {
+			cryptodebug("elf_update_ehdr() failed: %s",
+			    elf_errmsg(-1));
+			goto bad;
+		}
+	}
+
+	retval = ELFSIGN_SUCCESS;
+
+bad:
+	while (scnip != NULL) {
+		tmpscnip = scnip->scni_next;
+		free(scnip);
+		scnip = tmpscnip;
+	}
+	return (retval);
+}
+
+struct filesignatures *
+elfsign_insert_dso(ELFsign_t ess,
+    struct filesignatures *fssp,
+    const char		*dn,
+    int			dn_len,
+    const uchar_t	*sig,
+    int			sig_len,
+    const char		*oid,
+    int			oid_len)
+{
+	return (filesig_insert_dso(fssp, ess->es_version, dn, dn_len,
+	    sig, sig_len, oid, oid_len));
+}
+
+/*ARGSUSED*/
+filesig_vers_t
+elfsign_extract_sig(ELFsign_t ess,
+    struct filesignatures *fssp,
+    uchar_t		*sig,
+    size_t		*sig_len)
+{
+	struct filesig_extraction	fsx;
+	filesig_vers_t	version;
+
+	if (fssp == NULL)
+		return (FILESIG_UNKNOWN);
+	if (fssp->filesig_cnt != 1)
+		return (FILESIG_UNKNOWN);
+	version = filesig_extract(&fssp->filesig_sig, &fsx);
+	switch (version) {
+	case FILESIG_VERSION1:
+	case FILESIG_VERSION2:
+	case FILESIG_VERSION3:
+	case FILESIG_VERSION4:
+		if (*sig_len >= fsx.fsx_sig_len) {
+			(void) memcpy((char *)sig, (char *)fsx.fsx_signature,
+			    *sig_len);
+			*sig_len = fsx.fsx_sig_len;
+		} else
+			version = FILESIG_UNKNOWN;
+		break;
+	default:
+		version = FILESIG_UNKNOWN;
+		break;
+	}
+
+	if (ess->es_version == FILESIG_UNKNOWN) {
+		ess->es_version = version;
+	}
+
+	return (version);
+}
+
+static ELFsign_status_t
+elfsign_hash_common(ELFsign_t ess, uchar_t *hash, size_t *hash_len,
+    boolean_t hash_mem_resident)
+{
+	Elf_Scn		*scn = NULL;
+	ELFsign_status_t elfstat;
+	GElf_Shdr	shdr;
+	SHA1_CTX	ctx;
+
+	/* The buffer must be large enough to hold the hash */
+	if (*hash_len < SHA1_DIGEST_LENGTH)
+		return (ELFSIGN_FAILED);
+
+	bzero(hash, *hash_len);
+
+	/* Initialize the digest session */
+	SHA1Init(&ctx);
+
+	scn = elf_getscn(ess->es_elf, 0);	/* "seek" to start */
+	(void) elf_errno();
+	while ((scn = elf_nextscn(ess->es_elf, scn)) != 0) {
+		char *name = NULL;
+		Elf_Data *data = NULL;
+
+		if (gelf_getshdr(scn, &shdr) == NULL) {
+			elfstat = ELFSIGN_FAILED;
+			goto done;
+		}
+
+		name = elf_strptr(ess->es_elf, ess->es_shstrndx,
+		    (size_t)shdr.sh_name);
+		if (name == NULL)
+			name = "NULL";
+
+		if (!hash_mem_resident &&
+		    (ess->es_version == FILESIG_VERSION1 ||
+		    ess->es_version == FILESIG_VERSION3)) {
+			/*
+			 * skip the signature section only
+			 */
+			if (shdr.sh_type == SHT_SUNW_SIGNATURE) {
+				cryptodebug("elfsign_hash: skipping %s", name);
+				continue;
+			}
+		} else if (!(shdr.sh_flags & SHF_ALLOC)) {
+			/*
+			 * select only memory resident sections
+			 */
+			cryptodebug("elfsign_hash: skipping %s", name);
+			continue;
+		}
+
+		/*
+		 * throw this section into the hash
+		 *   use elf_rawdata for endian-independence
+		 *   use elf_getdata to get update of .shstrtab
+		 */
+		while ((data = (shdr.sh_type == SHT_STRTAB ?
+		    elf_getdata(scn, data) : elf_rawdata(scn, data))) != NULL) {
+			if (data->d_buf == NULL) {
+				cryptodebug("elfsign_hash: %s has NULL data",
+				    name);
+				continue;
+			}
+			cryptodebug("elfsign_hash: updating hash "
+			    "with %s data size=%d", name, data->d_size);
+			SHA1Update(&ctx, data->d_buf, data->d_size);
+		}
+	}
+	if (elf_errmsg(0) != NULL) {
+		cryptodebug("elfsign_hash: %s", elf_errmsg(-1));
+		elfstat = ELFSIGN_FAILED;
+		goto done;
+	}
+
+	SHA1Final(hash, &ctx);
+	*hash_len = SHA1_DIGEST_LENGTH;
+	{ /* DEBUG START */
+		const int hashstr_len = (*hash_len) * 2 + 1;
+		char *hashstr = malloc(hashstr_len);
+
+		if (hashstr != NULL) {
+			tohexstr(hash, *hash_len, hashstr, hashstr_len);
+			cryptodebug("hash value is: %s", hashstr);
+			free(hashstr);
+		}
+	} /* DEBUG END */
+	elfstat = ELFSIGN_SUCCESS;
+done:
+	return (elfstat);
+}
+
+/*
+ * elfsign_hash - return the hash of the ELF sections affecting execution.
+ *
+ * IN:		ess, hash_len
+ * OUT:		hash, hash_len
+ */
+ELFsign_status_t
+elfsign_hash(ELFsign_t ess, uchar_t *hash, size_t *hash_len)
+{
+	return (elfsign_hash_common(ess, hash, hash_len, B_FALSE));
+}
+
+/*
+ * elfsign_hash_mem_resident - return the hash of the ELF sections
+ * with only memory resident sections.
+ *
+ * IN:		ess, hash_len
+ * OUT:		hash, hash_len
+ */
+ELFsign_status_t
+elfsign_hash_mem_resident(ELFsign_t ess, uchar_t *hash, size_t *hash_len)
+{
+	return (elfsign_hash_common(ess, hash, hash_len, B_TRUE));
+}
+
+/*
+ * elfsign_hash_esa = return the hash of the esa_buffer
+ *
+ * IN:          ess, esa_buf, esa_buf_len, hash_len
+ * OUT:         hash, hash_len
+ */
+ELFsign_status_t
+elfsign_hash_esa(ELFsign_t ess, uchar_t *esa_buf, size_t esa_buf_len,
+    uchar_t **hash, size_t *hash_len)
+{
+	SHA1_CTX ctx;
+
+	cryptodebug("esa_hash version is: %s",
+	    version_to_str(ess->es_version));
+	if (ess->es_version <= FILESIG_VERSION2) {
+		/*
+		 * old rsa_md5_sha1 format
+		 * signed with MD5 digest, just pass full esa_buf
+		 */
+		*hash = esa_buf;
+		*hash_len = esa_buf_len;
+		return (ELFSIGN_SUCCESS);
+	}
+
+	if (*hash_len < SHA1_DIGEST_LENGTH)
+		return (ELFSIGN_FAILED);
+
+	bzero(*hash, *hash_len);
+	SHA1Init(&ctx);
+	SHA1Update(&ctx, esa_buf, esa_buf_len);
+	SHA1Final(*hash, &ctx);
+	*hash_len = SHA1_DIGEST_LENGTH;
+
+	{ /* DEBUG START */
+		const int hashstr_len = (*hash_len) * 2 + 1;
+		char *hashstr = malloc(hashstr_len);
+
+		if (hashstr != NULL) {
+			tohexstr(*hash, *hash_len, hashstr, hashstr_len);
+			cryptodebug("esa_hash value is: %s", hashstr);
+			free(hashstr);
+		}
+	} /* DEBUG END */
+
+	return (ELFSIGN_SUCCESS);
+}
+
+/*
+ * elfsign_verify_signature - Verify the signature of the ELF object.
+ *
+ * IN:		ess
+ * OUT:		esipp
+ * RETURNS:
+ *	ELFsign_status_t
+ */
+ELFsign_status_t
+elfsign_verify_signature(ELFsign_t ess, struct ELFsign_sig_info **esipp)
+{
+	ELFsign_status_t	ret = ELFSIGN_FAILED;
+	struct	filesignatures *fssp;
+	struct	filesig *fsgp;
+	size_t	fslen;
+	struct filesig_extraction	fsx;
+	uchar_t	hash[SIG_MAX_LENGTH];
+	size_t	hash_len;
+	ELFCert_t	cert = NULL;
+	int	sigcnt;
+	int	nocert = 0;
+	struct ELFsign_sig_info	*esip = NULL;
+
+	if (esipp != NULL) {
+		esip = (struct ELFsign_sig_info *)
+		    calloc(1, sizeof (struct ELFsign_sig_info));
+		*esipp = esip;
+	}
+
+	/*
+	 * Find out which cert we need, based on who signed the ELF object
+	 */
+	if (elfsign_signatures(ess, &fssp, &fslen, ES_GET) != ELFSIGN_SUCCESS) {
+		return (ELFSIGN_NOTSIGNED);
+	}
+
+	if (fssp->filesig_cnt < 1) {
+		ret = ELFSIGN_FAILED;
+		goto cleanup;
+	}
+
+	fsgp = &fssp->filesig_sig;
+
+	/*
+	 * Scan the signature block, looking for a verifiable signature
+	 */
+	for (sigcnt = 0; sigcnt < fssp->filesig_cnt;
+	    sigcnt++, fsgp = filesig_next(fsgp)) {
+		ess->es_version = filesig_extract(fsgp, &fsx);
+		cryptodebug("elfsign_verify_signature: version=%s",
+		    version_to_str(ess->es_version));
+		switch (ess->es_version) {
+		case FILESIG_VERSION1:
+		case FILESIG_VERSION2:
+		case FILESIG_VERSION3:
+		case FILESIG_VERSION4:
+			break;
+		default:
+			ret = ELFSIGN_FAILED;
+			goto cleanup;
+		}
+
+		cryptodebug("elfsign_verify_signature: signer_DN=\"%s\"",
+		    fsx.fsx_signer_DN);
+		cryptodebug("elfsign_verify_signature: algorithmOID=\"%s\"",
+		    fsx.fsx_sig_oid);
+		/* return signer DN if requested */
+		if (esipp != NULL) {
+			esip->esi_format = fsx.fsx_format;
+			if (esip->esi_signer != NULL)
+				free(esip->esi_signer);
+			esip->esi_signer = strdup(fsx.fsx_signer_DN);
+			esip->esi_time = fsx.fsx_time;
+		}
+
+		/*
+		 * look for certificate
+		 */
+		if (cert != NULL)
+			elfcertlib_releasecert(ess, cert);
+
+		/*
+		 * skip unfound certificates
+		 */
+		if (!elfcertlib_getcert(ess, ess->es_certpath,
+		    fsx.fsx_signer_DN, &cert, ess->es_action)) {
+			cryptodebug("unable to find certificate "
+			    "with DN=\"%s\" for %s",
+			    fsx.fsx_signer_DN, ess->es_pathname);
+			nocert++;
+			continue;
+		}
+
+		/*
+		 * skip unverified certificates
+		 *	force verification of crypto certs
+		 */
+		if ((ess->es_action == ES_GET_CRYPTO ||
+		    strstr(fsx.fsx_signer_DN, ELFSIGN_CRYPTO)) &&
+		    !elfcertlib_verifycert(ess, cert)) {
+			cryptodebug("elfsign_verify_signature: invalid cert");
+			nocert++;
+			continue;
+		}
+
+		/*
+		 * At this time the only sha1WithRSAEncryption is supported,
+		 * so check that is what we have and skip with anything else.
+		 */
+		if (strcmp(fsx.fsx_sig_oid, OID_sha1WithRSAEncryption) != 0) {
+			continue;
+		}
+
+		nocert = 0;
+		/*
+		 * compute file hash
+		 */
+		hash_len = sizeof (hash);
+		if (elfsign_hash(ess, hash, &hash_len) != ELFSIGN_SUCCESS) {
+			cryptodebug("elfsign_verify_signature:"
+			    " elfsign_hash failed");
+			ret = ELFSIGN_FAILED;
+			break;
+		}
+
+		{ /* DEBUG START */
+			const int sigstr_len = fsx.fsx_sig_len * 2 + 1;
+			char *sigstr = malloc(sigstr_len);
+
+			if (sigstr != NULL) {
+				tohexstr(fsx.fsx_signature, fsx.fsx_sig_len,
+				    sigstr, sigstr_len);
+				cryptodebug("signature value is: %s", sigstr);
+				free(sigstr);
+			}
+		} /* DEBUG END */
+
+		if (elfcertlib_verifysig(ess, cert,
+		    fsx.fsx_signature, fsx.fsx_sig_len, hash, hash_len)) {
+			if (ess->es_sigvercallback)
+				(ess->es_sigvercallback)
+				    (ess->es_callbackctx, fssp, fslen, cert);
+			/*
+			 * The signature is verified!
+			 * Check if this is a restricted provider
+			 */
+			if (strstr(fsx.fsx_signer_DN, USAGELIMITED) == NULL)
+				ret = ELFSIGN_SUCCESS;
+			else {
+				cryptodebug("DN is tagged for usagelimited");
+				ret = elfsign_verify_esa(ess,
+				    fsx.fsx_signature, fsx.fsx_sig_len);
+			}
+			break;
+		}
+
+		cryptodebug("elfsign_verify_signature: invalid signature");
+	}
+
+cleanup:
+	if (cert != NULL)
+		elfcertlib_releasecert(ess, cert);
+
+	free(fssp);
+	if (ret == ELFSIGN_FAILED && nocert)
+		ret = ELFSIGN_INVALID_CERTPATH;
+	return (ret);
+}
+
+/*
+ * Verify the contents of the .esa file, as per Jumbo export control
+ * document.  Logic in this function should remain unchanged, unless
+ * a misinterpretation of the jumbo case was found or if there are
+ * changes in export regulations necessitating a change.
+ *
+ * If the .esa file exists, but is somehow corrupted, we just return
+ * that this is restricted.  This is consistent with the Jumbo export
+ * case covering this library and other compenents of ON.  Do not change
+ * this logic without consulting export control.
+ *
+ * Please see do_gen_esa() for a description of the esa file format.
+ *
+ */
+static ELFsign_status_t
+elfsign_verify_esa(ELFsign_t ess, uchar_t *orig_sig, size_t orig_sig_len)
+{
+	ELFsign_status_t ret = ELFSIGN_RESTRICTED;
+	char	*elfobj_esa = NULL;
+	size_t	elfobj_esa_len;
+	int	esa_fd = -1;
+	size_t	esa_buf_len = 0;
+	uchar_t *main_sig;
+	size_t	main_sig_len = 0;
+	uchar_t hash[SIG_MAX_LENGTH], *hash_ptr = hash;
+	size_t  hash_len = SIG_MAX_LENGTH;
+	char 	*esa_dn = NULL;
+	size_t	esa_dn_len = 0;
+	uchar_t	*esa_sig;
+	size_t	esa_sig_len = 0;
+	uchar_t *esa_file_buffer = NULL, *esa_file_ptr;
+	struct stat statbuf;
+	ELFCert_t cert = NULL;
+
+	cryptodebug("elfsign_verify_esa");
+
+	/* does the activation file exist? */
+	elfobj_esa_len = strlen(ess->es_pathname) + ESA_LEN + 1;
+	elfobj_esa = malloc(elfobj_esa_len);
+	if (elfobj_esa == NULL) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Unable to allocate buffer for esa filename."));
+		goto cleanup;
+	}
+
+	(void) strlcpy(elfobj_esa, ess->es_pathname, elfobj_esa_len);
+	(void) strlcat(elfobj_esa, ESA, elfobj_esa_len);
+
+	if ((esa_fd = open(elfobj_esa, O_RDONLY|O_NONBLOCK)) == -1) {
+		cryptodebug("No .esa file was found, or it was unreadable");
+		goto cleanup;
+	}
+
+	cryptodebug("Reading contents of esa file %s", elfobj_esa);
+
+	if (fstat(esa_fd, &statbuf) == -1) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Can't stat %s"), elfobj_esa);
+		goto cleanup;
+	}
+
+	/*
+	 * mmap the buffer to save on syscalls
+	 */
+	esa_file_buffer = (uchar_t *)mmap(NULL, statbuf.st_size, PROT_READ,
+	    MAP_PRIVATE, esa_fd, 0);
+
+	if (esa_file_buffer == MAP_FAILED) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Unable to mmap file to a buffer for %s."),
+		    elfobj_esa);
+		goto cleanup;
+	}
+
+	esa_file_ptr = esa_file_buffer;
+	elfsign_buffer_len(ess, &main_sig_len, esa_file_ptr, ES_GET);
+	esa_file_ptr += sizeof (uint32_t);
+	cryptodebug("Contents of esa file: main_sig_len=%d", main_sig_len);
+	main_sig = esa_file_ptr;
+
+	esa_file_ptr += main_sig_len;
+
+	/* verify .esa main signature versus original signature */
+	if (main_sig_len != orig_sig_len ||
+	    memcmp(main_sig, orig_sig, orig_sig_len) != 0) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Unable to match original signature from %s."),
+		    elfobj_esa);
+		goto cleanup;
+	}
+
+	elfsign_buffer_len(ess, &esa_dn_len, esa_file_ptr, ES_GET);
+	esa_file_ptr += sizeof (uint32_t);
+	cryptodebug("Contents of esa file: esa_dn_len=%d", esa_dn_len);
+
+	esa_dn = malloc(esa_dn_len + 1);
+	if (esa_dn == NULL) {
+		cryptoerror(LOG_ERR,
+		    gettext("Unable to allocate memory for dn buffer."));
+		goto cleanup;
+	}
+	(void) memcpy(esa_dn, esa_file_ptr, esa_dn_len);
+	esa_dn[esa_dn_len] = '\0';
+	esa_file_ptr += esa_dn_len;
+	cryptodebug("Contents of esa file: esa_dn=%s", esa_dn);
+
+	elfsign_buffer_len(ess, &esa_sig_len, esa_file_ptr, ES_GET);
+	esa_file_ptr += sizeof (uint32_t);
+	cryptodebug("Contents of esa file: esa_sig_len=%d", esa_sig_len);
+
+	esa_sig = esa_file_ptr;
+
+	cryptodebug("Read esa contents, now verifying");
+
+	/*
+	 * dn used in .esa file should not be limited.
+	 */
+	if (strstr(esa_dn, USAGELIMITED) != NULL) {
+		cryptoerror(LOG_ERR,
+		    gettext("DN for .esa file is tagged as limited for %s.\n"
+		    "Activation files should only be tagged as unlimited.\n"
+		    "Please contact vendor for this provider"),
+		    ess->es_pathname);
+		goto cleanup;
+	}
+
+	if (!elfcertlib_getcert(ess, ess->es_certpath, esa_dn, &cert,
+	    ess->es_action)) {
+		cryptodebug(gettext("unable to find certificate "
+		    "with DN=\"%s\" for %s"),
+		    esa_dn, ess->es_pathname);
+		goto cleanup;
+	}
+
+	/*
+	 * Since we've already matched the original signature
+	 * and the main file signature, we can just verify the esa signature
+	 * against the main file signature.
+	 */
+	esa_buf_len = sizeof (uint32_t) + main_sig_len;
+
+	if (elfsign_hash_esa(ess, esa_file_buffer, esa_buf_len,
+	    &hash_ptr, &hash_len) != ELFSIGN_SUCCESS) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Unable to hash activation contents."));
+		goto cleanup;
+	}
+
+
+	if (!elfcertlib_verifysig(ess, cert, esa_sig, esa_sig_len,
+	    hash_ptr, hash_len)) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Unable to verify .esa contents for %s"),
+		    ess->es_pathname);
+		goto cleanup;
+	}
+
+	cryptodebug("Verified esa contents");
+	if (ess->es_sigvercallback)
+		(ess->es_sigvercallback) (ess->es_callbackctx,
+		    esa_file_buffer, statbuf.st_size, cert);
+
+	/*
+	 * validate the certificate used to sign the activation file
+	 */
+	if (!elfcertlib_verifycert(ess, cert)) {
+		cryptoerror(LOG_STDERR,
+		    gettext("Unable to verify .esa certificate %s for %s"),
+		    esa_dn, ess->es_pathname);
+		goto cleanup;
+	}
+
+	cryptodebug("Verified esa certificate");
+	ret = ELFSIGN_SUCCESS;
+
+cleanup:
+	if (elfobj_esa != NULL)
+		free(elfobj_esa);
+
+	if (esa_fd != -1)
+		(void) close(esa_fd);
+
+	if (esa_file_buffer != NULL)
+		(void) munmap((caddr_t)esa_file_buffer, statbuf.st_size);
+
+	if (esa_dn != NULL)
+		free(esa_dn);
+
+	if (cert != NULL)
+		elfcertlib_releasecert(ess, cert);
+
+	return (ret);
+}
+
+static uint32_t
+elfsign_switch_uint32(uint32_t i)
+{
+	return (((i & 0xff) << 24) | ((i & 0xff00) << 8) |
+	    ((i >> 8) & 0xff00) | ((i >> 24) & 0xff));
+}
+
+static uint64_t
+elfsign_switch_uint64(uint64_t i)
+{
+	return (((uint64_t)elfsign_switch_uint32(i) << 32) |
+	    (elfsign_switch_uint32(i >> 32)));
+}
+
+/*
+ * If appropriate, switch the endianness of the filesignatures structure
+ *	Examine the structure only when it is in native endianness
+ */
+static ELFsign_status_t
+elfsign_switch(ELFsign_t ess, struct filesignatures *fssp,
+    enum ES_ACTION action)
+{
+	int		fscnt;
+	filesig_vers_t	version;
+	struct filesig	*fsgp, *fsgpnext;
+
+	if (ess->es_same_endian)
+		return (ELFSIGN_SUCCESS);
+
+	if (ES_ACTISUPDATE(action))
+		fscnt = fssp->filesig_cnt;
+	fssp->filesig_cnt = elfsign_switch_uint32(fssp->filesig_cnt);
+	if (!ES_ACTISUPDATE(action))
+		fscnt = fssp->filesig_cnt;
+
+	fsgp = &(fssp)->filesig_sig;
+	for (; fscnt > 0; fscnt--, fsgp = fsgpnext) {
+		if (ES_ACTISUPDATE(action)) {
+			version = fsgp->filesig_version;
+			fsgpnext = filesig_next(fsgp);
+		}
+		fsgp->filesig_size =
+		    elfsign_switch_uint32(fsgp->filesig_size);
+		fsgp->filesig_version =
+		    elfsign_switch_uint32(fsgp->filesig_version);
+		if (!ES_ACTISUPDATE(action)) {
+			version = fsgp->filesig_version;
+			fsgpnext = filesig_next(fsgp);
+		}
+		switch (version) {
+		case FILESIG_VERSION1:
+		case FILESIG_VERSION2:
+			fsgp->filesig_v1_dnsize =
+			    elfsign_switch_uint32(fsgp->filesig_v1_dnsize);
+			fsgp->filesig_v1_sigsize =
+			    elfsign_switch_uint32(fsgp->filesig_v1_sigsize);
+			fsgp->filesig_v1_oidsize =
+			    elfsign_switch_uint32(fsgp->filesig_v1_oidsize);
+			break;
+		case FILESIG_VERSION3:
+		case FILESIG_VERSION4:
+			fsgp->filesig_v3_time =
+			    elfsign_switch_uint64(fsgp->filesig_v3_time);
+			fsgp->filesig_v3_dnsize =
+			    elfsign_switch_uint32(fsgp->filesig_v3_dnsize);
+			fsgp->filesig_v3_sigsize =
+			    elfsign_switch_uint32(fsgp->filesig_v3_sigsize);
+			fsgp->filesig_v3_oidsize =
+			    elfsign_switch_uint32(fsgp->filesig_v3_oidsize);
+			break;
+		default:
+			cryptodebug("elfsign_switch: failed");
+			return (ELFSIGN_FAILED);
+		}
+	}
+	return (ELFSIGN_SUCCESS);
+}
+
+/*
+ * get/put an integer value from/to a buffer, possibly of opposite endianness
+ */
+void
+elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
+    enum ES_ACTION action)
+{
+	uint32_t tmp;
+
+	if (!ES_ACTISUPDATE(action)) {
+		/* fetch integer from buffer */
+		(void) memcpy(&tmp, cp, sizeof (tmp));
+		if (!ess->es_same_endian) {
+			tmp = elfsign_switch_uint32(tmp);
+		}
+		*ip = tmp;
+	} else {
+		/* put integer into buffer */
+		tmp = *ip;
+		if (!ess->es_same_endian) {
+			tmp = elfsign_switch_uint32(tmp);
+		}
+		(void) memcpy(cp, &tmp, sizeof (tmp));
+	}
+}
+
+char const *
+elfsign_strerror(ELFsign_status_t elferror)
+{
+	char const *msg = NULL;
+
+	switch (elferror) {
+		case ELFSIGN_SUCCESS:
+			msg = gettext("sign or verify of ELF object succeeded");
+			break;
+		case ELFSIGN_FAILED:
+			msg = gettext("sign or verify of ELF object failed");
+			break;
+		case ELFSIGN_NOTSIGNED:
+			msg = gettext("ELF object not signed");
+			break;
+		case ELFSIGN_INVALID_CERTPATH:
+			msg = gettext("cannot access certificate");
+			break;
+		case ELFSIGN_INVALID_ELFOBJ:
+			msg = gettext("unable to open as an ELF object");
+			break;
+		case ELFSIGN_RESTRICTED:
+			msg = gettext("ELF object is restricted");
+			break;
+		case ELFSIGN_UNKNOWN:
+		default:
+			msg = gettext("Unknown error");
+			break;
+	}
+
+	return (msg);
+}
+
+boolean_t
+elfsign_sig_info(struct filesignatures *fssp, struct ELFsign_sig_info **esipp)
+{
+	struct filesig_extraction	fsx;
+	struct ELFsign_sig_info	*esip;
+
+	esip = (struct ELFsign_sig_info *)
+	    calloc(1, sizeof (struct ELFsign_sig_info));
+	*esipp = esip;
+	if (esip == NULL)
+		return (B_FALSE);
+
+	switch (filesig_extract(&fssp->filesig_sig, &fsx)) {
+	case FILESIG_VERSION1:
+	case FILESIG_VERSION2:
+	case FILESIG_VERSION3:
+	case FILESIG_VERSION4:
+		esip->esi_format = fsx.fsx_format;
+		esip->esi_signer = strdup(fsx.fsx_signer_DN);
+		esip->esi_time = fsx.fsx_time;
+		break;
+	default:
+		free(esip);
+		*esipp = NULL;
+	}
+
+	return (*esipp != NULL);
+}
+
+void
+elfsign_sig_info_free(struct ELFsign_sig_info *esip)
+{
+	if (esip != NULL) {
+		free(esip->esi_signer);
+		free(esip);
+	}
+}
diff --git a/usr/src/lib/libelfsign/common/libelfsign.h b/usr/src/lib/libelfsign/common/libelfsign.h
new file mode 100644
index 0000000000..8637fc4c6d
--- /dev/null
+++ b/usr/src/lib/libelfsign/common/libelfsign.h
@@ -0,0 +1,194 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#ifndef _LIBELFSIGN_H
+#define	_LIBELFSIGN_H
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * libelfsign Private Interfaces
+ * This Header file should not be shipped as part of Solaris binary or
+ * source products.
+ */
+
+#include <sys/crypto/elfsign.h>
+#include <libelf.h>
+#include <fcntl.h>
+#include <md5.h>
+#include <sha1.h>
+#include <kmfapi.h>
+
+/*
+ * Certificate-related definitions
+ */
+#define	ELFSIGN_CRYPTO		"Solaris Cryptographic Framework"
+#define	USAGELIMITED		"OU=UsageLimited"
+#define	ESA			".esa"
+#define	ESA_LEN			sizeof (".esa")
+
+typedef enum ELFCert_VStatus_e {
+	E_UNCHECKED,
+	E_OK,
+	E_IS_TA,
+	E_FAILED
+} ELFCert_VStatus_t;
+
+typedef struct ELFCert_s {
+	ELFCert_VStatus_t	c_verified;
+	char			*c_subject;
+	char			*c_issuer;
+	KMF_X509_DER_CERT	c_cert;
+	KMF_KEY_HANDLE		c_privatekey;
+}	*ELFCert_t;
+
+#define	CRYPTO_CERTS_DIR	"/etc/crypto/certs"
+#define	ETC_CERTS_DIR		"/etc/certs"
+
+/*
+ * libelfsign actions
+ */
+enum ES_ACTION {
+	ES_GET,
+	ES_GET_CRYPTO,
+	ES_UPDATE,
+	ES_UPDATE_RSA_MD5_SHA1,
+	ES_UPDATE_RSA_SHA1
+};
+#define	ES_ACTISUPDATE(a)	((a) >= ES_UPDATE)
+
+/*
+ * Context for elfsign operation
+ */
+struct ELFsign_s {
+	Elf	*es_elf;
+	char	*es_pathname;
+	char	*es_certpath;
+	int	es_fd;
+	size_t	es_shstrndx;
+	enum ES_ACTION	es_action;
+	KMF_KEY_HANDLE		es_privatekey;
+	filesig_vers_t	es_version;
+	boolean_t	es_same_endian;
+	boolean_t	es_has_phdr;
+	char		es_ei_class;
+	struct flock	es_flock;
+	KMF_HANDLE_T	es_kmfhandle;
+	void		*es_callbackctx;
+	void		(*es_sigvercallback)(void *, void *, size_t, ELFCert_t);
+	void		(*es_certCAcallback)(void *, ELFCert_t, char *);
+	void		(*es_certvercallback)(void *, ELFCert_t, ELFCert_t);
+};
+
+#define	ES_FMT_RSA_MD5_SHA1	"rsa_md5_sha1"
+#define	ES_FMT_RSA_SHA1		"rsa_sha1"
+
+/*
+ * ELF signature handling
+ */
+typedef struct ELFsign_s *ELFsign_t;
+struct ELFsign_sig_info {
+	char	*esi_format;
+	char	*esi_signer;
+	time_t	esi_time;
+};
+
+extern struct filesignatures *elfsign_insert_dso(ELFsign_t ess,
+    struct filesignatures *fsp, const char *dn, int dn_len,
+    const uchar_t *sig, int sig_len, const char *oid, int oid_len);
+extern filesig_vers_t elfsign_extract_sig(ELFsign_t ess,
+    struct filesignatures *fsp, uchar_t *sig, size_t *sig_len);
+extern ELFsign_status_t elfsign_begin(const char *,
+    enum ES_ACTION, ELFsign_t *);
+extern void elfsign_end(ELFsign_t ess);
+extern ELFsign_status_t elfsign_setcertpath(ELFsign_t ess, const char *path);
+extern ELFsign_status_t elfsign_verify_signature(ELFsign_t ess,
+    struct ELFsign_sig_info **esipp);
+extern ELFsign_status_t elfsign_hash(ELFsign_t ess, uchar_t *hash,
+    size_t *hash_len);
+extern ELFsign_status_t elfsign_hash_mem_resident(ELFsign_t ess,
+    uchar_t *hash, size_t *hash_len);
+extern ELFsign_status_t elfsign_hash_esa(ELFsign_t ess,
+    uchar_t *esa_buf, size_t esa_buf_len, uchar_t **hash, size_t *hash_len);
+extern void elfsign_buffer_len(ELFsign_t ess, size_t *ip, uchar_t *cp,
+    enum ES_ACTION action);
+
+extern void elfsign_setcallbackctx(ELFsign_t ess, void *ctx);
+extern void elfsign_setsigvercallback(ELFsign_t ess,
+    void (*cb)(void *, void *, size_t, ELFCert_t));
+extern ELFsign_status_t elfsign_signatures(ELFsign_t ess,
+    struct filesignatures **fspp, size_t *fs_len, enum ES_ACTION action);
+
+extern char const *elfsign_strerror(ELFsign_status_t);
+extern boolean_t elfsign_sig_info(struct filesignatures *fssp,
+    struct ELFsign_sig_info **esipp);
+extern void elfsign_sig_info_free(struct ELFsign_sig_info *);
+
+/*
+ * ELF "Certificate Library"
+ */
+
+extern const char _PATH_ELFSIGN_CERTS[];
+
+#define	ELFCERT_MAX_DN_LEN	255
+
+extern boolean_t elfcertlib_init(ELFsign_t);
+extern void elfcertlib_fini(ELFsign_t);
+extern boolean_t elfcertlib_settoken(ELFsign_t, char *);
+extern void elfcertlib_setcertCAcallback(ELFsign_t ess,
+    void (*cb)(void *, ELFCert_t, char *));
+extern void elfcertlib_setcertvercallback(ELFsign_t ess,
+    void (*cb)(void *, ELFCert_t, ELFCert_t));
+
+extern boolean_t elfcertlib_getcert(ELFsign_t ess, char *cert_pathname,
+	char *signer_DN, ELFCert_t *certp, enum ES_ACTION action);
+extern void elfcertlib_releasecert(ELFsign_t, ELFCert_t);
+extern char *elfcertlib_getdn(ELFCert_t cert);
+extern char *elfcertlib_getissuer(ELFCert_t cert);
+
+extern boolean_t elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert,
+	const char *path);
+extern boolean_t elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
+	const char *token_id, const char *pin);
+
+extern boolean_t elfcertlib_sign(ELFsign_t ess, ELFCert_t cert,
+	const uchar_t *data, size_t data_len, uchar_t *sig,
+	size_t *sig_len);
+
+extern boolean_t elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert);
+extern boolean_t elfcertlib_verifysig(ELFsign_t ess, ELFCert_t cert,
+	const uchar_t *sig, size_t sig_len,
+	const uchar_t *data, size_t data_len);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* _LIBELFSIGN_H */
diff --git a/usr/src/lib/libelfsign/common/llib-lelfsign b/usr/src/lib/libelfsign/common/llib-lelfsign
new file mode 100644
index 0000000000..5ed60d4a75
--- /dev/null
+++ b/usr/src/lib/libelfsign/common/llib-lelfsign
@@ -0,0 +1,32 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+/* LINTLIBRARY */
+/* PROTOLIB1 */
+
+#include <sys/crypto/elfsign.h>
+#include <libelfsign.h>
diff --git a/usr/src/lib/libelfsign/common/mapfile.map b/usr/src/lib/libelfsign/common/mapfile.map
new file mode 100644
index 0000000000..b79ca2d3a9
--- /dev/null
+++ b/usr/src/lib/libelfsign/common/mapfile.map
@@ -0,0 +1,62 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+
+/*
+ * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Use is subject to license terms.
+ */
+
+#pragma ident	"%Z%%M%	%I%	%E% SMI"
+
+SUNW_1.1 {
+    global:
+	elfsign_begin;
+	elfsign_buffer_len;
+	elfsign_end;
+	elfsign_extract_sig;
+	elfsign_hash;
+	elfsign_hash_esa;
+	elfsign_hash_mem_resident;
+	elfsign_insert_dso;
+	elfsign_setcallbackctx;
+	elfsign_setsigvercallback;
+	elfsign_setcertpath;
+	elfsign_sig_info;
+	elfsign_sig_info_free;
+	elfsign_signatures;
+	elfsign_strerror;
+	elfsign_verify_signature;
+	elfcertlib_getcert;
+	elfcertlib_getdn;
+	elfcertlib_getissuer;
+	elfcertlib_init;
+	elfcertlib_loadprivatekey;
+	elfcertlib_loadtokenkey;
+	elfcertlib_releasecert;
+	elfcertlib_setcertCAcallback;
+	elfcertlib_setcertvercallback;
+	elfcertlib_settoken;
+	elfcertlib_sign;
+	elfcertlib_verifycert;
+	elfcertlib_verifysig;
+    local:
+	*;
+};
diff --git a/usr/src/lib/libelfsign/i386/Makefile b/usr/src/lib/libelfsign/i386/Makefile
new file mode 100644
index 0000000000..a31def5dc7
--- /dev/null
+++ b/usr/src/lib/libelfsign/i386/Makefile
@@ -0,0 +1,35 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+#ident	"%Z%%M%	%I%	%E% SMI"
+#
+# lib/libelfsign/i386/Makefile
+#
+
+include ../Makefile.com
+
+.KEEP_STATE:
+
+install: all $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT)
diff --git a/usr/src/lib/libelfsign/sparc/Makefile b/usr/src/lib/libelfsign/sparc/Makefile
new file mode 100644
index 0000000000..7c783f69c9
--- /dev/null
+++ b/usr/src/lib/libelfsign/sparc/Makefile
@@ -0,0 +1,33 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+
+include ../Makefile.com
+
+.KEEP_STATE:
+
+install: all $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT)