--- a/usr/src/pkgdefs/SUNWcakr.u/prototype_com	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/pkgdefs/SUNWcakr.u/prototype_com	Thu Mar 15 09:36:39 2007 -0700
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -486,7 +486,7 @@
 d none platform/sun4u/kernel/misc/sparcv9 755 root sys
 f none platform/sun4u/kernel/misc/sparcv9/kmdbmod 755 root sys
 f none platform/sun4u/kernel/misc/sparcv9/bootdev 755 root sys
-l none platform/sun4u/kernel/misc/sparcv9/des=../../../kernel/crypto/sparcv9/des
+s none platform/sun4u/kernel/misc/sparcv9/des=../../../kernel/crypto/sparcv9/des
 f none platform/sun4u/kernel/misc/sparcv9/forthdebug 755 root sys
 f none platform/sun4u/kernel/misc/sparcv9/i2c_svc 755 root sys
 l none platform/sun4u/kernel/misc/sparcv9/md5=../../../kernel/crypto/sparcv9/md5

--- a/usr/src/pkgdefs/SUNWckr/prototype_i386	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/pkgdefs/SUNWckr/prototype_i386	Thu Mar 15 09:36:39 2007 -0700
@@ -170,7 +170,7 @@
 f none kernel/misc/cmlb 755 root sys
 f none kernel/misc/consconfig 755 root sys
 f none kernel/misc/ctf 755 root sys
-l none kernel/misc/des=../../kernel/crypto/des
+s none kernel/misc/des=../../kernel/crypto/des
 f none kernel/misc/dls 755 root sys
 f none kernel/misc/fssnap_if 755 root sys
 f none kernel/misc/gld 755 root sys
@@ -356,7 +356,7 @@
 f none kernel/misc/amd64/cmlb 755 root sys
 f none kernel/misc/amd64/consconfig 755 root sys
 f none kernel/misc/amd64/ctf 755 root sys
-l none kernel/misc/amd64/des=../../../kernel/crypto/amd64/des
+s none kernel/misc/amd64/des=../../../kernel/crypto/amd64/des
 f none kernel/misc/amd64/dls 755 root sys
 f none kernel/misc/amd64/fssnap_if 755 root sys
 f none kernel/misc/amd64/gld 755 root sys

--- a/usr/src/pkgdefs/SUNWckr/prototype_sparc	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/pkgdefs/SUNWckr/prototype_sparc	Thu Mar 15 09:36:39 2007 -0700
@@ -166,7 +166,7 @@
 f none kernel/misc/sparcv9/consconfig 755 root sys
 f none kernel/misc/sparcv9/ctf 755 root sys
 f none kernel/misc/sparcv9/dada 755 root sys
-l none kernel/misc/sparcv9/des=../../../kernel/crypto/sparcv9/des
+s none kernel/misc/sparcv9/des=../../../kernel/crypto/sparcv9/des
 f none kernel/misc/sparcv9/dls 755 root sys
 f none kernel/misc/sparcv9/fssnap_if 755 root sys
 f none kernel/misc/sparcv9/gld 755 root sys

--- a/usr/src/pkgdefs/SUNWcryptoint/prototype_i386	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/pkgdefs/SUNWcryptoint/prototype_i386	Thu Mar 15 09:36:39 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -49,9 +48,9 @@
 #
 # SUNWcryptoint
 #
-l none kernel/crypto/dprov=../../kernel/drv/dprov
+s none kernel/crypto/dprov=../../kernel/drv/dprov
 f none kernel/drv/dprov 755 root sys
 d none kernel/crypto/amd64 755 root sys
-l none kernel/crypto/amd64/dprov=../../../kernel/drv/amd64/dprov
+s none kernel/crypto/amd64/dprov=../../../kernel/drv/amd64/dprov
 d none kernel/drv/amd64 755 root sys
 f none kernel/drv/amd64/dprov 755 root sys

--- a/usr/src/pkgdefs/SUNWcryptoint/prototype_sparc	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/pkgdefs/SUNWcryptoint/prototype_sparc	Thu Mar 15 09:36:39 2007 -0700
@@ -2,9 +2,8 @@
 # CDDL HEADER START
 #
 # The contents of this file are subject to the terms of the
-# Common Development and Distribution License, Version 1.0 only
-# (the "License").  You may not use this file except in compliance
-# with the License.
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
 #
 # You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
 # or http://www.opensolaris.org/os/licensing.
@@ -20,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2003 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -50,6 +49,6 @@
 # SUNWcryptoint
 #
 d none kernel/crypto/sparcv9 755 root sys
-l none kernel/crypto/sparcv9/dprov=../../../kernel/drv/sparcv9/dprov
+s none kernel/crypto/sparcv9/dprov=../../../kernel/drv/sparcv9/dprov
 d none kernel/drv/sparcv9 755 root sys
 f none kernel/drv/sparcv9/dprov 755 root sys

--- a/usr/src/tools/Makefile	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/tools/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -36,6 +36,7 @@
 	abi \
 	bfuld \
 	codereview \
+	codesign \
 	cscope-fast \
 	ctf \
 	depcheck \

--- a/usr/src/tools/README.tools	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/tools/README.tools	Thu Mar 15 09:36:39 2007 -0700
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -84,12 +84,10 @@
 	to rebuild (because of different -I or -L paths).
 
 build_cscope
-
 	builds cscope databases in the uts, the platform subdirectories
 	of uts, and in usr/src. Uses cscope-fast.
 
 check_rtime
-
 	checks ELF attributes used by ELF dynamic objects in the proto area.
 	Used by 'nightly's -r option, to check a number of ELF runtime
 	attributes for consistency with common build rules.  nightly uses
@@ -99,16 +97,24 @@
 	sure objects don't have any strange runpaths like /opt/SUNWspro/lib.
 
 checkproto
-
 	Runs protocmp and protolist on a workspace (or uses the environment
 	variable CODEMGR_WS to determine the workspace). Checks the proto area
 	against the packages.
 
 codereview
-
 	Given two filenames, creates a postscript file with the file 
 	differences highlighted.
 
+codesign
+	Tools for signing cryptographic modules using the official
+	Sun release keys stored on a remote signing server. This
+	directory contains signit, a client program for signing
+	files with the signing server; signproto, a shell script
+	that finds crypto modules in $ROOT and signs them using
+	signit; and codesign_server.pl, the code that runs on the
+	server. The codesign_server code is not used on an ON
+	build machine but is kept here for source control purposes.
+
 cscope-fast
 	The fast version of cscope that we use internally. Seems to work,
 	but may need more testing before it's placed in the gate. The source

--- a/usr/src/tools/SUNWonbld/prototype_com	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/tools/SUNWonbld/prototype_com	Thu Mar 15 09:36:39 2007 -0700
@@ -20,7 +20,7 @@
 #
 
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 # ident	"%Z%%M%	%I%	%E% SMI"
@@ -87,6 +87,8 @@
 f none opt/onbld/bin/sccshist 555 root bin
 f none opt/onbld/bin/sccsmv 555 root bin
 f none opt/onbld/bin/sccsrm 555 root bin
+f none opt/onbld/bin/signit 555 root bin
+f none opt/onbld/bin/signproto 555 root bin
 f none opt/onbld/bin/validate_flg 555 root bin
 f none opt/onbld/bin/validate_paths 555 root bin
 f none opt/onbld/bin/wdiff 555 root bin

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/codesign/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -0,0 +1,51 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+
+SHFILES= \
+	signproto
+
+PERLFILES= \
+	signit
+
+CLEANFILES = $(SHFILES) $(PERLFILES)
+
+include ../Makefile.tools
+
+OWNER=		root
+GROUP=		bin
+
+.KEEP_STATE:
+
+all:	$(SHFILES) $(PERLFILES)
+
+install: all .WAIT $(ROOTONBLDSHFILES) $(ROOTONBLDPERLFILES)
+
+clean:
+	$(RM) $(CLEANFILES)
+
+include ../Makefile.targ
+

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/codesign/codesign_server.pl	Thu Mar 15 09:36:39 2007 -0700
@@ -0,0 +1,240 @@
+#!/usr/perl5/bin/perl
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+# Server program for code signing server
+#
+# This program implements an ssh-based service to add digital
+# signatures to files. The sshd_config file on the server
+# contains an entry like the following to invoke this program:
+#
+#	Subsystem codesign /opt/signing/bin/server
+#
+# The client program sends a ZIP archive of the file to be
+# signed along with the name of a signing credential stored
+# on the server. Each credential is a directory containing
+# a public-key certificate, private key, and a script to
+# perform the appropriate signing operation.
+#
+# This program unpacks the input ZIP archive, invokes the
+# signing script for the specified credential, and sends
+# back an output ZIP archive, which typically contains the
+# (modified) input file but may also contain additional
+# files created by the signing script.
+
+use strict;
+use File::Temp 'tempdir';
+use File::Path;
+
+my $Base = "/opt/signing";
+my $Tmpdir = tempdir(CLEANUP => 1);	# Temporary directory
+my $Session = $$;
+
+#
+# Main program
+#
+
+# Set up
+open(AUDIT, ">>$Base/audit/log");
+$| = 1;	# Flush output on every write
+
+# Record user and client system
+my $user = `/usr/ucb/whoami`;
+chomp($user);
+my ($client) = split(/\s/, $ENV{SSH_CLIENT});
+audit("START User=$user Client=$client");
+
+# Process signing requests
+while (<STDIN>) {
+	if (/^SIGN (\d+) (\S+) (\S+)/) {
+		sign($1, $2, $3);
+	} else {
+		abnormal("WARNING Unknown command");
+	}
+}
+exit(0);
+
+#
+# get_credential(name)
+#
+# Verify that the user is allowed to use the named credential and
+# return the path to the credential directory. If the user is not
+# authorized to use the credential, return undef.
+#
+sub get_credential {
+	my $name = shift;
+	my $dir;
+
+	$dir = "$Base/cred/$2";
+	if (!open(F, "<$dir/private")) {
+		abnormal("WARNING Credential $name not available");
+		$dir = undef;
+	}
+	close(F);
+	return $dir;
+}
+
+#
+# sign(size, cred, path)
+#
+# Sign an individual file.
+#
+sub sign {
+	my ($size, $cred, $path) = @_;
+	my ($cred_dir, $msg);
+
+	# Read input file
+	recvfile("$Tmpdir/in.zip", $size) || return;
+
+	# Check path for use of .. or absolute pathname
+	my @comp = split(m:/:, $path);
+	foreach my $elem (@comp) {
+		if ($elem eq "" || $elem eq "..") {
+			abnormal("WARNING Invalid path $path");
+			return;
+		}
+	}
+
+	# Get credential directory
+	$cred_dir = get_credential($cred) || return;
+
+	# Create work area
+	rmtree("$Tmpdir/reloc");
+	mkdir("$Tmpdir/reloc");
+	chdir("$Tmpdir/reloc");
+
+	# Read and unpack input ZIP archive
+	system("/usr/bin/unzip -qo ../in.zip $path");
+
+	# Sign input file using credential-specific script
+	$msg = `cd $cred_dir; ./sign $Tmpdir/reloc/$path`;
+	if ($? != 0) {
+		chomp($msg);
+		abnormal("WARNING $msg");
+		return;
+	}
+
+	# Pack output file(s) in ZIP archive and return
+	unlink("../out.zip");
+	system("/usr/bin/zip -qr ../out.zip .");
+	chdir($Tmpdir);
+	my $hash = `digest -a md5 $Tmpdir/reloc/$path`;
+	sendfile("$Tmpdir/out.zip", $path) || return;
+
+	# Audit successful signing
+	chomp($hash);
+	audit("SIGN $path $cred $hash");
+}
+
+#
+# sendfile(file, path)
+#
+# Send a ZIP archive to the client. This involves sending
+# an OK SIGN response that includes the file size, followed by
+# the contents of the archive itself.
+#
+sub sendfile {
+	my ($file, $path) = @_;
+	my ($size, $bytes);
+
+	$size = -s $file;
+	if (!open(F, "<$file")) {
+		abnormal("ERROR Internal read error");
+		return (0);
+	}
+	read(F, $bytes, $size);
+	close(F);
+	print "OK SIGN $size $path\n";
+	syswrite(STDOUT, $bytes, $size);
+	return (1);
+}
+
+#
+# recvfile(file, size)
+#
+# Receive a ZIP archive from the client. The caller
+# provides the size argument previously obtained from the 
+# client request.
+#
+sub recvfile {
+	my ($file, $size) = @_;
+	my $bytes;
+	
+	if (!read(STDIN, $bytes, $size)) {
+		abnormal("ERROR No input data");
+		return (0);
+	}
+	if (!open(F, ">$file")) {
+		abnormal("ERROR Internal write error");
+		return (0);
+	}
+	syswrite(F, $bytes, $size);
+	close(F);
+	return (1);
+}
+
+#
+# audit(msg)
+#
+# Create an audit record. All records have this format:
+#	[date] [time] [session] [keyword] [other parameters]
+# The keywords START and END mark the boundaries of a session.
+#
+sub audit {
+	my ($msg) = @_;
+	my ($sec, $min, $hr, $day, $mon, $yr) = localtime(time);
+	my $timestamp = sprintf("%04d-%02d-%02d %02d:%02d:%02d",
+		$yr+1900, $mon+1, $day, $hr, $min, $sec);
+
+	print AUDIT "$timestamp $Session $msg\n";
+}
+
+#
+# abnormal(msg)
+#
+# Respond to an abnormal condition, which may be fatal (ERROR) or
+# non-fatal (WARNING). Send the message to the audit error log
+# and to the client program. Exit in case of fatal errors.
+#
+sub abnormal {
+	my $msg = shift;
+
+	audit($msg);
+	print("$msg\n");
+	exit(1) if ($msg =~ /^ERROR/);
+}
+
+#
+# END()
+#
+# Clean up prior to normal or abnormal exit.
+#
+sub END {
+	audit("END");
+	close(AUDIT);
+	chdir("");	# so $Tmpdir can be removed
+}

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/codesign/creds	Thu Mar 15 09:36:39 2007 -0700
@@ -0,0 +1,37 @@
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+# The following is a list of regular expressions that are matched against
+# the (temporary) signature on a crypto module created during the build
+# process. The first regular expression that matches is used to select the
+# signing credential to use for the file.
+#
+# Order is important: Files marked UsageLimited will also match the
+# "Solaris Cryptographic Framework" entry.
+#
+# Credential name	Regular expression
+# ---------------	------------------
+CryptoLimited_v2        UsageLimited
+Crypto_v2               Solaris Cryptographic Framework

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/codesign/signit.pl	Thu Mar 15 09:36:39 2007 -0700
@@ -0,0 +1,233 @@
+#!/usr/perl5/bin/perl
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+# signit [-q] [-i dir][-o dir] [-l user]
+#
+# Client program for use with code signing server.
+# Reads a list of signing credential names and file pathnames
+# from standard input. Each file is read from the input directory,
+# sent to the signing server, signed with the specified credential, 
+# and written to the output directory.
+#
+# Options:
+#	-q	quiet operation: avoid printing files successfully signed
+#	-i dir	input directory (defaults to current dir)
+#	-o dir	output directory (defautls to input dir)
+#	-l user	user account on signing server (defaults to current user)
+#
+# The CODESIGN_SERVER environment variable can be used to
+# specify the hostname or IP address of the signing server
+# (defaults to quill.sfbay).
+
+use strict;
+use Cwd;
+use File::Temp 'tempdir';
+use Getopt::Std;
+use IPC::Open2;
+
+#
+# Global variables
+#
+my ($Indir, $Outdir);	# Input and output directories (may be the same)
+my $Server;		# Signing server hostname
+my $Quiet;		# Suppress printing each file successfully signed
+my ($pid);		# Process id for ssh client
+my @cred_rules;		# Array of path prefixes and credentials to use
+my $Tmpdir = tempdir(CLEANUP => 1);	# Temporary directory
+my $Warnings = 0;	# Count of warnings returned
+
+
+#
+# Main program
+#
+
+$Server = $ENV{CODESIGN_SERVER} || "quill.sfbay";
+
+# Get command-line arguments
+our($opt_c, $opt_i, $opt_o, $opt_l, $opt_q);
+if (!getopts("i:o:c:l:q")) {
+	die "Usage: $0 [-i dir] [-o dir] [-l user]\n";
+}
+$Quiet = $opt_q;
+
+# Get input/output directories
+$Indir = $opt_i || getcwd();	# default to current dir
+$Outdir = $opt_o || $Indir;	# default to input dir
+$Indir = getcwd() . "/$Indir" if (substr($Indir, 0, 1) ne "/");
+$Outdir = getcwd() . "/$Outdir" if (substr($Outdir, 0, 1) ne "/");
+
+# Create ssh connection to server
+my(@args);
+if (defined($opt_l)) {
+	push @args, "-l", $opt_l;
+}
+push @args, "-s", $Server, "codesign";
+$pid = open2(*SRV_OUT, *SRV_IN, "/usr/bin/ssh", @args) or 
+	die "Can't start server\n";
+select(SRV_IN); $| = 1; select(STDOUT);	# unbuffered writes
+
+# Sign each file with the specified credential
+chdir($Indir);
+while (<>) {
+	my ($cred, $path) = split;
+
+	sign_file($cred, $path);
+}
+exit($Warnings > 0);
+
+#
+# END()
+#
+# Clean up after normal or abnormal exit.
+#
+sub END {
+	close(SRV_IN);
+	close(SRV_OUT);
+	waitpid($pid, 0) if ($pid);
+}
+
+#
+# debug(msg)
+#
+# Print debug message to standard error.
+#
+sub debug {
+	print STDERR "### @_";
+}
+
+#
+# check_response(str)
+#
+# Validate response from server. Print messages for warnings or errors,
+# and exit in the case of an error. If the response indicates a successful
+# signing operation, return the size of the output data.
+#
+sub check_response {
+	my ($str) = @_;
+
+	if ($str =~ /^OK SIGN (\d+)/) {
+		return ($1);
+	}
+	elsif ($str =~ /^OK/) {
+		return (0);
+	}
+	elsif ($str =~ /^WARNING/) {
+		print STDERR $str;
+		$Warnings++;
+		return (-1);
+	}
+	elsif ($str =~ /^ERROR/) {
+		print STDERR $str;
+		exit(1);
+	}
+	else {
+		print STDERR "Unrecognized response\n";
+		exit(1);
+	}
+}
+
+#
+# sign_file(credential, filename)
+#
+# Send the file to the server for signing. Package the file into a
+# ZIP archive, send to the server, and extract the ZIP archive that
+# is returned. The input ZIP archive always contains a single file,
+# but the returned archive may contain one or more files.
+#
+sub sign_file {
+	my ($cred, $path) = @_;
+	my ($res, $size);
+
+	$path =~ s:^\./::g; # remove leading "./"
+	unlink("$Tmpdir/in.zip");
+	system("cd $Indir; /usr/bin/zip -q $Tmpdir/in.zip $path");
+
+	sendfile("$Tmpdir/in.zip", "$cred $path") || return;
+
+	$res = <SRV_OUT>;
+	$size = check_response($res);
+	if ($size > 0) {
+		recvfile("$Tmpdir/out.zip", $size) || return;
+		
+		if (system("cd $Outdir; /usr/bin/unzip -qo $Tmpdir/out.zip")) {
+			$Warnings++;
+		} else {
+			print "$cred\t$path\n" unless $Quiet;
+		}
+	}
+}
+
+#
+# sendfile(file, args)
+#
+# Send a ZIP archive file to the signing server. This involves
+# sending a SIGN command with the given arguments, followed by
+# the contents of the archive itself.
+#
+sub sendfile {
+	my ($file, $args) = @_;
+	my ($size, $bytes);
+
+	$size = -s $file;
+	print SRV_IN "SIGN $size $args\n";
+	if (!open(F, "<$file")) {
+		print STDERR "$file: $!\n";
+		return (0);
+	}
+	read(F, $bytes, $size);
+	close(F);
+	if (!syswrite(SRV_IN, $bytes, $size)) {
+		print STDERR "Can't send to server: $!\n";
+		return (0);
+	}
+	return (1);
+}
+
+#
+# recvfile(file, size)
+#
+# Receive a ZIP archive from the signing server. The caller
+# provides the size argument previously obtained from the 
+# server response.
+#
+sub recvfile {
+	my ($file, $size) = @_;
+	my $bytes;
+	
+	if (!read(SRV_OUT, $bytes, $size)) {
+		print STDERR "Can't read from server: $!\n";
+		return (0);
+	}
+	if (!open(F, ">$file")) {
+		print STDERR "$file: $!\n";
+		return (0);
+	}
+	syswrite(F, $bytes, $size);
+	close(F);
+	return (1);
+}

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/tools/codesign/signproto.sh	Thu Mar 15 09:36:39 2007 -0700
@@ -0,0 +1,73 @@
+#!/bin/ksh
+#
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+#
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# ident	"%Z%%M%	%I%	%E% SMI"
+
+# signproto cred_file
+#
+# Utility to find cryptographic modules in the proto area and
+# sign them using signit. Since the binaries have already been
+# signed (using development keys) during the build process,
+# we determine the correct signing credential to use based on
+# the existing signature. The cred_file argument contains a
+# list of signing server credentials and the corresponding
+# regular expressions to match against the file signatures.
+
+# Directories in proto area that may contain crypto objects
+DIRS="platform kernel usr/lib/security"
+
+# Get absolute path of current directory; used later to invoke signit
+cd .
+dir=`dirname $0`
+dir=`[[ $dir = /* ]] && print $dir || print $PWD/$dir`
+
+# Read list of credentials and regular expressions
+n=0
+grep -v "^#" $1 | while read c r
+do
+	cred[$n]=$c
+	regex[$n]=$r
+	(( n = n + 1 ))
+done
+
+# Search proto area for crypto modules
+cd $ROOT
+find $DIRS -type f -print | while read f; do
+	s=`elfsign list -f signer -e $f 2>/dev/null`
+	if [[ $? != 0 ]]; then 
+		continue
+	fi
+	# Determine credential based on signature
+	i=0
+	while [[ i -lt n ]]
+	do
+		if expr "$s" : ".*${regex[i]}" >/dev/null; then
+			echo "${cred[i]} $f"
+			break
+		fi
+		(( i = i + 1 ))
+	done
+done | $dir/signit -i $ROOT -l ${CODESIGN_USER:-${LOGNAME}}

--- a/usr/src/tools/scripts/nightly.sh	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/tools/scripts/nightly.sh	Thu Mar 15 09:36:39 2007 -0700
@@ -433,6 +433,24 @@
 	fi
 
 	#
+	#	Re-sign selected binaries using signing server
+	#	(gatekeeper builds only)
+	#
+	if [ -n "$CODESIGN_USER" ]; then
+		echo "\n==== Signing proto area at `date` ====\n" >> $LOGFILE
+		signing_file="${TMPDIR}/signing"
+		rm -f ${signing_file}
+		export CODESIGN_USER
+		signproto $SRC/tools/codesign/creds 2>&1 | \
+			tee -a ${signing_file} >> $LOGFILE
+		echo "\n==== Finished signing proto area at `date` ====\n" \
+		    >> $LOGFILE
+		echo "\n==== Crypto module signing errors ($LABEL) ====\n" \
+		    >> $mail_msg_file
+		egrep 'WARNING|ERROR' ${signing_file} >> $mail_msg_file
+	fi
+
+	#
 	#	Create cpio archives for preintegration testing (PIT)
 	#
 	if [ "$a_FLAG" = "y" -a "$this_build_ok" = "y" ]; then
@@ -1655,7 +1673,7 @@
 
 # nightly (will fail in year 2100 due to SCCS flaw)
 echo "$0 $@" | tee -a $mail_msg_file >> $LOGFILE
-echo "%M% version %I% 20%E%\n" | tee -a $mail_msg_file >> $LOGFILE
+echo "nightly.sh version 1.110 2007/03/09\n" | tee -a $mail_msg_file >> $LOGFILE
 
 # make
 whence $MAKE | tee -a $mail_msg_file >> $LOGFILE

--- a/usr/src/uts/intel/des/Makefile	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/uts/intel/des/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -21,7 +21,7 @@
 #
 # uts/intel/des/Makefile
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -45,6 +45,9 @@
 LINTS		= $(DES_OBJS:%.o=$(LINTS_DIR)/%.ln)
 ROOTMODULE	= $(ROOT_CRYPTO_DIR)/$(MODULE)
 ROOTLINK	= $(ROOT_MISC_DIR)/$(MODULE)
+TARGET_32	= ../../kernel/crypto/$(MODULE)
+TARGET_64	= ../../../kernel/crypto/$(SUBDIR64)/$(MODULE)
+LINK_TARGET	= $(TARGET_$(CLASS))
 
 #
 #	Include common rules.
@@ -95,7 +98,7 @@
 install:	$(INSTALL_DEPS)
 
 $(ROOTLINK):	$(ROOT_MISC_DIR) $(ROOTMODULE)
-	-$(RM) $@; ln $(ROOTMODULE) $@
+	-$(RM) $@; ln -s $(LINK_TARGET) $@
 
 #
 #	Include common targets.

--- a/usr/src/uts/intel/dprov/Makefile	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/uts/intel/dprov/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -43,6 +43,9 @@
 LINTS		= $(DPROV_OBJS:%.o=$(LINTS_DIR)/%.ln)
 ROOTMODULE	= $(ROOT_DRV_DIR)/$(MODULE)
 ROOTLINK	= $(ROOT_CRYPTO_DIR)/$(MODULE)
+TARGET_32	= ../../kernel/drv/$(MODULE)
+TARGET_64	= ../../../kernel/drv/$(SUBDIR64)/$(MODULE)
+LINK_TARGET	= $(TARGET_$(CLASS))
 CONF_SRCDIR	= $(UTSBASE)/common/crypto/io
 
 #
@@ -103,7 +106,7 @@
 install:	$(INSTALL_DEPS)
 
 $(ROOTLINK):	$(ROOT_CRYPTO_DIR) $(ROOTMODULE)
-	-$(RM) $@; ln $(ROOTMODULE) $@
+	-$(RM) $@; ln -s $(LINK_TARGET) $@
 
 #
 #	Include common targets.

--- a/usr/src/uts/sparc/des/Makefile	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/uts/sparc/des/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -21,7 +21,7 @@
 #
 # uts/sparc/des/Makefile
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -45,6 +45,9 @@
 LINTS		= $(DES_OBJS:%.o=$(LINTS_DIR)/%.ln)
 ROOTMODULE	= $(ROOT_CRYPTO_DIR)/$(MODULE)
 ROOTLINK	= $(ROOT_MISC_DIR)/$(MODULE)
+TARGET_32	= ../../kernel/crypto/$(MODULE)
+TARGET_64	= ../../../kernel/crypto/$(SUBDIR64)/$(MODULE)
+LINK_TARGET	= $(TARGET_$(CLASS))
 
 #
 #	Include common rules.
@@ -105,7 +108,7 @@
 install:	$(INSTALL_DEPS)
 
 $(ROOTLINK):	$(ROOT_MISC_DIR) $(ROOTMODULE)
-	-$(RM) $@; ln $(ROOTMODULE) $@
+	-$(RM) $@; ln -s $(LINK_TARGET) $@
 #
 #	Include common targets.
 #

--- a/usr/src/uts/sparc/dprov/Makefile	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/uts/sparc/dprov/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -19,7 +19,7 @@
 # CDDL HEADER END
 #
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -43,6 +43,9 @@
 LINTS		= $(DPROV_OBJS:%.o=$(LINTS_DIR)/%.ln)
 ROOTMODULE	= $(ROOT_DRV_DIR)/$(MODULE)
 ROOTLINK	= $(ROOT_CRYPTO_DIR)/$(MODULE)
+TARGET_32	= ../../kernel/drv/$(MODULE)
+TARGET_64	= ../../../kernel/drv/$(SUBDIR64)/$(MODULE)
+LINK_TARGET	= $(TARGET_$(CLASS))
 CONF_SRCDIR	= $(UTSBASE)/common/crypto/io
 
 #
@@ -105,7 +108,7 @@
 install:	$(INSTALL_DEPS)
 
 $(ROOTLINK):	$(ROOT_CRYPTO_DIR) $(ROOTMODULE)
-	-$(RM) $@; ln $(ROOTMODULE) $@
+	-$(RM) $@; ln -s $(LINK_TARGET) $@
 
 #
 #	Include common targets.

--- a/usr/src/uts/sun4u/des/Makefile	Thu Mar 15 09:21:03 2007 -0700
+++ b/usr/src/uts/sun4u/des/Makefile	Thu Mar 15 09:36:39 2007 -0700
@@ -21,7 +21,7 @@
 #
 # uts/sun4u/des/Makefile
 #
-# Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 #ident	"%Z%%M%	%I%	%E% SMI"
@@ -45,6 +45,9 @@
 LINTS		= $(DES_OBJS:%.o=$(LINTS_DIR)/%.ln)
 ROOTMODULE	= $(ROOT_PSM_CRYPTO_DIR)/$(MODULE)
 ROOTLINK	= $(ROOT_PSM_MISC_DIR)/$(MODULE)
+TARGET_32	= ../../kernel/crypto/$(MODULE)
+TARGET_64	= ../../../kernel/crypto/$(SUBDIR64)/$(MODULE)
+LINK_TARGET	= $(TARGET_$(CLASS))
 
 #
 #	Include common rules.
@@ -104,7 +107,7 @@
 install:	$(INSTALL_DEPS)
 
 $(ROOTLINK):	$(ROOT_PSM_MISC_DIR) $(ROOTMODULE)
-	-$(RM) $@; ln $(ROOTMODULE) $@
+	-$(RM) $@; ln -s $(LINK_TARGET) $@
 
 #
 #	Include common targets.