changeset 10123:d9be114e78c4

6852240 libelfsign should use pkcs11_softtoken instead of OpenSSL for FIPS-140 integrity checking 6851814 tools elfsign is unnecessarily linked against pkcs11_softtoken
author Valerie Bubb Fenwick <Valerie.Fenwick@Sun.COM>
date Fri, 17 Jul 2009 19:53:22 -0700
parents 96eda55bfd54
children 5b9859ecb395
files usr/src/lib/libelfsign/common/elfcertlib.c usr/src/lib/libkmf/libkmf/common/certop.c usr/src/lib/libkmf/libkmf/common/generalop.c usr/src/lib/pkcs11/Makefile usr/src/lib/pkcs11/libkcfd/Makefile usr/src/lib/pkcs11/libkcfd/Makefile.com usr/src/lib/pkcs11/libkcfd/README usr/src/lib/pkcs11/libkcfd/common/llib-lkcfd usr/src/lib/pkcs11/libkcfd/common/mapfile-vers usr/src/lib/pkcs11/libkcfd/i386/Makefile usr/src/lib/pkcs11/libkcfd/sparc/Makefile usr/src/pkgdefs/SUNWcslr/prototype_com usr/src/pkgdefs/etc/exception_list_i386 usr/src/pkgdefs/etc/exception_list_sparc usr/src/tools/elfsign/Makefile usr/src/tools/scripts/check_rtime.pl
diffstat 16 files changed, 380 insertions(+), 46 deletions(-) [+]
--- a/usr/src/lib/libelfsign/common/elfcertlib.c	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/lib/libelfsign/common/elfcertlib.c	Fri Jul 17 19:53:22 2009 -0700
@@ -20,12 +20,10 @@
  */
 
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <limits.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -221,7 +219,7 @@
 	cert->c_verified = E_UNCHECKED;
 
 	/*
-	 * If the cert we are loading it the trust anchor (ie the CA) then
+	 * If the cert we are loading is the trust anchor (ie the CA) then
 	 * we mark it as such in cert.  This is so that we don't attempt
 	 * to verify it later.  The CA is always implicitly verified.
 	 */
@@ -473,12 +471,13 @@
 		algid = KMF_ALGID_RSA;
 
 	/*
-	 * We tell KMF to use the OpenSSL verification
-	 * APIs here to avoid a circular dependency with
-	 * kcfd and libpkcs11.
+	 * We tell KMF to use the PKCS11 verification APIs
+	 * here to prevent the use of OpenSSL and to keep
+	 * all validation within the FIPS-140 boundary for
+	 * the Cryptographic Framework.
 	 */
 	rv = KMF_VerifyDataWithCert(ess->es_kmfhandle,
-	    KMF_KEYSTORE_OPENSSL, algid,
+	    KMF_KEYSTORE_PK11TOKEN, algid,
 	    &indata, &insig, &cert->c_cert.certificate);
 
 	return ((rv == KMF_OK));
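Review bot: The new comment above the `KMF_VerifyDataWithCert()` call says that selecting `KMF_KEYSTORE_PK11TOKEN` keeps validation inside the FIPS-140 boundary, but nothing in this function guarantees that. According to the libkcfd README added in this commit, the calls are bound to pkcs11_softtoken.so.1 only when the caller is kcfd and libkcfd.so.1 interposes; for other libelfsign consumers the PKCS#11 calls presumably go through libpkcs11.so.1 and whatever providers are configured there. I would append to the comment: `Only kcfd, via the libkcfd.so.1 interposer, is guaranteed to bind these calls to pkcs11_softtoken.so.1.` The same caveat applies to the comment on the `plugin_verify_data_with_cert()` call in verify_cert_with_cert() in certop.c; both enclosing functions start outside their hunks.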
--- a/usr/src/lib/libkmf/libkmf/common/certop.c	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/lib/libkmf/libkmf/common/certop.c	Fri Jul 17 19:53:22 2009 -0700
@@ -19,12 +19,10 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <stdio.h>
 #include <link.h>
 #include <fcntl.h>
@@ -955,12 +953,14 @@
  * where we want to force this operation to happen in
  * a specific keystore.
  * For example:
- *    libelfsign verifies signatures on crypto libraries.
- *    We cannot use libpkcs11 functions to verify the pkcs11
- *    libraries because it results in a circular dependency.
- *    So, when libelfsign is verifying library sigs, it
- *    always forces the operation to happen in OpenSSL
- *    to avoid the circular dependency.
+ *    libelfsign.so.1 verifies signatures on crypto libraries.
+ *    We must use pkcs11 functions to verify the pkcs11
+ *    plugins in order to keep the validation within the
+ *    Cryptographic Framework's FIPS-140 boundary. To avoid
+ *    a circular dependency, pksc11_softtoken.so.1 is
+ *    interposed by libkcfd.so.1 via kcfd, which prevents
+ *    libpkcs11.so.1's interfaces from being used when libkmf.so.1
+ *    is called from kcfd.
  */
 static KMF_RETURN
 plugin_verify_data_with_cert(KMF_HANDLE_T handle,
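Review bot: The rewritten example in the block comment misspells the library as `pksc11_softtoken.so.1`, so a search for the real name `pkcs11_softtoken.so.1` will not find this explanation. The sentence also reads as if softtoken were the thing being interposed on, whereas the libkcfd mapfile in this commit shows libkcfd.so.1 exporting the `C_*` names and filtering them to softtoken. I would reword it to `To avoid a circular dependency, kcfd links libkcfd.so.1, an interposer that redirects the PKCS#11 C_* interfaces to pkcs11_softtoken.so.1 so that libpkcs11.so.1's interfaces are not used when libkmf.so.1 is called from kcfd.`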
@@ -976,8 +976,6 @@
 	/*
 	 * If NSS, use PKCS#11, we are not accessing the database(s),
 	 * we just prefer the "verify" operation from the crypto framework.
-	 * The OpenSSL version is unique in order to avoid a dependency loop
-	 * with the kcfd(1M) process.
 	 */
 	if (kstype == KMF_KEYSTORE_NSS)
 		kstype = KMF_KEYSTORE_PK11TOKEN;
@@ -3109,9 +3107,8 @@
 
 /*
  * Use a signer cert to verify another certificate's signature.
- * This code forces the use of the OPENSSL mechanism
- * for the verify operation to avoid a circular dependency
- * with libelfsign when it attempts to verify the PKCS#11 libraries.
+ * This code forces the use of the PKCS11 mechanism for the verify
+ * operation for the Cryptographic Framework's FIPS-140 boundary.
  */
 static KMF_RETURN
 verify_cert_with_cert(KMF_HANDLE_T handle,
@@ -3172,11 +3169,10 @@
 	}
 
 	/*
-	 * To avoid recursion with kcfd consumer and libpkcs11,
-	 * do the certificate verification using the OpenSSL
-	 * plugin algorithms instead of the crypto framework.
+	 * Force use of PKCS11 API for kcfd/libelfsign.  This is
+	 * required for the Cryptographic Framework's FIPS-140 boundary.
 	 */
-	ret = plugin_verify_data_with_cert(handle, KMF_KEYSTORE_OPENSSL,
+	ret = plugin_verify_data_with_cert(handle, KMF_KEYSTORE_PK11TOKEN,
 	    algid, &data_to_verify, &signature,	SignerCertData);
 
 cleanup:
--- a/usr/src/lib/libkmf/libkmf/common/generalop.c	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/lib/libkmf/libkmf/common/generalop.c	Fri Jul 17 19:53:22 2009 -0700
@@ -19,13 +19,11 @@
  * CDDL HEADER END
  */
 /*
- * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  *
  */
 
-#pragma ident	"%Z%%M%	%I%	%E% SMI"
-
 #include <stdio.h>
 #include <dlfcn.h>
 #include <link.h>
@@ -325,7 +323,13 @@
 		free(p);
 		return (KMF_ERR_MEMORY);
 	}
-	p->dldesc = dlopen(path, RTLD_LAZY | RTLD_GROUP | RTLD_PARENT);
+	/*
+	 * Do not use RTLD_GROUP here, or this will cause a circular
+	 * dependency when kmf_pkcs11.so.1 gets its PKCS#11 functions
+	 * from libpkcs11.so.1 when kmf is used via libelfsign.so.1
+	 * called from kcfd.
+	 */
+	p->dldesc = dlopen(path, RTLD_LAZY | RTLD_PARENT);
 	if (p->dldesc == NULL) {
 		free(p->path);
 		free(p);
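Review bot: Dropping `RTLD_GROUP` from the `dlopen()` call changes symbol binding for every KMF plugin loaded through this path, not only kmf_pkcs11.so.1 under kcfd, and the new comment does not say so. Without the group restriction the plugin's references resolve through the process's normal search scope, which is what lets the libkcfd interposer take effect. It also means that in any libkmf consumer, an object loaded ahead of the plugin that exports the same names will now be bound first. I would add to the comment: `This is deliberate: plugin symbols must bind through the caller's scope so that the libkcfd.so.1 interposer is honoured; it applies to all plugins and all callers.` Where `path` comes from lies outside the hunk, so it cannot be confirmed here that it is always an absolute, trusted location.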
--- a/usr/src/lib/pkcs11/Makefile	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/lib/pkcs11/Makefile	Fri Jul 17 19:53:22 2009 -0700
@@ -35,7 +35,8 @@
 
 SUBDIRS = \
 	libpkcs11	\
-	libsoftcrypto
+	libsoftcrypto   \
+	libkcfd
 
 #
 # The PKCS11 TPM provider is only available for x86.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/Makefile	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,47 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# lib/pkcs11/libkcfd/Makefile
+#
+
+include $(SRC)/lib/Makefile.lib
+
+SUBDIRS=	$(MACH)
+
+all	:=	TARGET= all
+clean	:=	TARGET= clean
+clobber	:=	TARGET= clobber
+install	:=	TARGET= install
+
+.KEEP_STATE:
+
+all clean clobber install: $(SUBDIRS)
+
+check lint install_h:
+
+$(SUBDIRS):	FRC
+	@cd $@; pwd; $(MAKE) $(TARGET)
+
+FRC:
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/Makefile.com	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,40 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# lib/pkcs11/libkcfd/Makefile.com
+#
+
+LIBRARY = libkcfd.a
+VERS = .1
+
+include $(SRC)/lib/Makefile.rootfs
+
+LIBS +=		$(LINTLIB)
+
+#
+# Identify that this library is an interposer. This identification
+# ensures that runtime symbol lookup resolves to this library
+# (before libpkcs11.so.1) regardless of dependency link order.
+# This library should only be linked to by kcfd.
+#
+DYNFLAGS	+= $(ZINTERPOSE) -R/usr/lib/security
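Review bot: The comment block above `DYNFLAGS` explains `$(ZINTERPOSE)` but not the `-R/usr/lib/security` runpath on the same line. That runpath appears to be how the runtime linker locates the filtee pkcs11_softtoken.so.1 named in mapfile-vers, so the integrity of the interposition depends on that directory. I would add `# The runpath locates the filtee, pkcs11_softtoken.so.1, named in mapfile-vers.` The statement that only kcfd should link this library is a convention that nothing in this Makefile enforces, which is worth saying in the comment as well.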
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/README	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,37 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+This is a filter library that's used exclusively by kcfd;
+it's 32-bit-only because kcfd is 32-bit-only.
+
+libkcfd forces interposition of pkcs11_softtoken.so.1 into libkmf
+when used by kcfd as part of the Cryptographic Framework's FIPS-140
+project, to ensure that only pkcs11_softtoken.so.1 is used for
+validation of the FIPS-140 boundary.
+
+libelfsign could not be the interposer, because it would prevent
+the elfsign(1) command from accessing actual PKCS#11 tokens when using
+the -T option.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/common/llib-lkcfd	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,34 @@
+/*
+ * CDDL HEADER START
+ *
+ * The contents of this file are subject to the terms of the
+ * Common Development and Distribution License (the "License").
+ * You may not use this file except in compliance with the License.
+ *
+ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+ * or http://www.opensolaris.org/os/licensing.
+ * See the License for the specific language governing permissions
+ * and limitations under the License.
+ *
+ * When distributing Covered Code, include this CDDL HEADER in each
+ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+ * If applicable, add the following below this CDDL HEADER, with the
+ * fields enclosed by brackets "[]" replaced with your own identifying
+ * information: Portions Copyright [yyyy] [name of copyright owner]
+ *
+ * CDDL HEADER END
+ */
+/* LINTLIBRARY */
+/* PROTOLIB1 */
+
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved. 
+ * Use is subject to license terms.
+ */
+
+/*
+ * usr/src/lib/pkcs11/libkcfd
+ * EMPTY library
+ */
+
+#include <security/cryptoki.h>
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/common/mapfile-vers	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,112 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+
+#
+# MAPFILE HEADER START
+#
+# WARNING:  STOP NOW.  DO NOT MODIFY THIS FILE.
+# Object versioning must comply with the rules detailed in
+#
+#	usr/src/lib/README.mapfiles
+#
+# You should not be making modifications here until you've read the most current
+# copy of that file. If you need help, contact a gatekeeper for guidance.
+#
+# MAPFILE HEADER END
+#
+
+SUNW_1.1 {
+    global:
+	C_CancelFunction = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_CloseAllSessions = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_CloseSession = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_CopyObject = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_CreateObject = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Decrypt = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DecryptDigestUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DecryptFinal = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DecryptInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DecryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DecryptVerifyUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DeriveKey = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DestroyObject = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Digest = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DigestEncryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DigestFinal = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DigestInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DigestKey = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_DigestUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Encrypt = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_EncryptFinal = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_EncryptInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_EncryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Finalize = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_FindObjects = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_FindObjectsFinal = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_FindObjectsInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GenerateKey = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GenerateKeyPair = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GenerateRandom = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetAttributeValue = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetFunctionList = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetFunctionStatus = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetInfo = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetMechanismInfo = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetMechanismList = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetObjectSize = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetOperationState = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetSessionInfo = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetSlotInfo = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetSlotList = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_GetTokenInfo = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Initialize = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_InitPIN = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_InitToken = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Login = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Logout = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_OpenSession = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SeedRandom = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SetAttributeValue = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SetOperationState = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SetPIN = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Sign = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SignEncryptUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SignFinal = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SignInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SignRecover = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_SignRecoverInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_UnwrapKey = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_Verify = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_VerifyFinal = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_VerifyInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+    	C_VerifyRecover = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_VerifyRecoverInit = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_VerifyUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_WaitForSlotEvent = FUNCTION FILTER pkcs11_softtoken.so.1;
+	C_WrapKey = FUNCTION FILTER pkcs11_softtoken.so.1;
+    local:
+	*;
+};
+
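Review bot: `C_SignUpdate` is missing from the `SUNW_1.1` global list: the other multi-part update calls (`C_DigestUpdate`, `C_EncryptUpdate`, `C_DecryptUpdate`, `C_VerifyUpdate`) are all filtered, and the list has 67 entries against the 68 functions of the standard PKCS#11 API. In a process that links libkcfd, that one symbol would not be interposed and would presumably bind to libpkcs11.so.1, so a multi-part sign would mix two implementations and fall outside the softtoken-only guarantee the README describes. I would add `C_SignUpdate = FUNCTION FILTER pkcs11_softtoken.so.1;` after the `C_SignRecoverInit` entry. Separately, the `C_VerifyRecover` line is indented with spaces plus a tab where its neighbours use a single tab.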
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/i386/Makefile	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,34 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# lib/pkcs11/libkcfd/i386/Makefile
+#
+
+include $(SRC)/lib/Makefile.filter.com
+include ../Makefile.com
+
+install: all $(ROOTLIBDIR) .WAIT $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT)
+
+include $(SRC)/lib/Makefile.filter.targ
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/usr/src/lib/pkcs11/libkcfd/sparc/Makefile	Fri Jul 17 19:53:22 2009 -0700
@@ -0,0 +1,34 @@
+#
+# CDDL HEADER START
+#
+# The contents of this file are subject to the terms of the
+# Common Development and Distribution License (the "License").
+# You may not use this file except in compliance with the License.
+#
+# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
+# or http://www.opensolaris.org/os/licensing.
+# See the License for the specific language governing permissions
+# and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL HEADER in each
+# file and include the License file at usr/src/OPENSOLARIS.LICENSE.
+# If applicable, add the following below this CDDL HEADER, with the
+# fields enclosed by brackets "[]" replaced with your own identifying
+# information: Portions Copyright [yyyy] [name of copyright owner]
+#
+# CDDL HEADER END
+#
+
+#
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
+# Use is subject to license terms.
+#
+# lib/pkcs11/libkcfd/sparc/Makefile
+#
+
+include $(SRC)/lib/Makefile.filter.com
+include ../Makefile.com
+
+install: all $(ROOTLIBDIR) .WAIT $(ROOTLIBS) $(ROOTLINKS) $(ROOTLINT)
+
+include	$(SRC)/lib/Makefile.filter.targ
--- a/usr/src/pkgdefs/SUNWcslr/prototype_com	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/pkgdefs/SUNWcslr/prototype_com	Fri Jul 17 19:53:22 2009 -0700
@@ -97,6 +97,7 @@
 f none lib/libintl.so.1 755 root bin
 s none lib/libipmp.so=./libipmp.so.1
 f none lib/libipmp.so.1 755 root bin
+f none lib/libkcfd.so.1 755 root bin
 s none lib/libkmf.so=libkmf.so.1
 f none lib/libkmf.so.1 755 root bin
 s none lib/libkmfberder.so=libkmfberder.so.1
--- a/usr/src/pkgdefs/etc/exception_list_i386	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/pkgdefs/etc/exception_list_i386	Fri Jul 17 19:53:22 2009 -0700
@@ -67,6 +67,9 @@
 usr/lib/llib-lsoftcrypto		i386
 usr/lib/llib-lsoftcrypto.ln		i386
 usr/lib/amd64/llib-lsoftcrypto.ln	i386
+lib/llib-lkcfd				i386
+lib/llib-lkcfd.ln			i386
+lib/libkcfd.so				i386
 #
 # The following files are used by the DHCP service, the
 # standalone's DHCP implementation, and the kernel (nfs_dlboot).
--- a/usr/src/pkgdefs/etc/exception_list_sparc	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/pkgdefs/etc/exception_list_sparc	Fri Jul 17 19:53:22 2009 -0700
@@ -56,6 +56,9 @@
 usr/lib/llib-lsoftcrypto		sparc
 usr/lib/llib-lsoftcrypto.ln		sparc
 usr/lib/sparcv9/llib-lsoftcrypto.ln	sparc
+lib/llib-lkcfd.ln			sparc
+lib/llib-lkcfd				sparc
+lib/libkcfd.so				sparc
 #
 # The following files are used by libdhcpsvc, the
 # standalone's DHCP implementation, and the kernel (nfs_dlboot).
--- a/usr/src/tools/elfsign/Makefile	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/tools/elfsign/Makefile	Fri Jul 17 19:53:22 2009 -0700
@@ -20,9 +20,7 @@
 #
 
 #
-#ident	"%Z%%M%	%I%	%E% SMI"
-#
-# Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+# Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
 
@@ -53,17 +51,6 @@
 CPPFLAGS +=	-I$(SRC)/lib/libcryptoutil/common
 LDFLAGS +=	-lmd -lelf -lkmf -lcryptoutil -lc
 
-#
-# While the gate builds a libelfsign.so linked staticly against
-# pksc11_softtoken, the tools version of libelfsign is dynamically linked
-# against the build machines pkcs11_softtoken.so.
-#
-SOFTTOKENDIR =	/usr/lib/security
-SOFTTOKENLIB =	pkcs11_softtoken.so
-LDFLAGS +=	-R $(SOFTTOKENDIR) $(SOFTTOKENDIR)/$(SOFTTOKENLIB)
-
-MKDIR=	mkdir
-
 .KEEP_STATE:
 
 all:	$(PROG) $(SHFILES)
--- a/usr/src/tools/scripts/check_rtime.pl	Fri Jul 17 17:54:42 2009 -0700
+++ b/usr/src/tools/scripts/check_rtime.pl	Fri Jul 17 19:53:22 2009 -0700
@@ -209,7 +209,9 @@
 	/lib.*\ of\ .*libxml2\.so\.2 |				# non-OSNET
 	/lib.*\ of\ .*libxslt\.so\.1 |				# non-OSNET
 	/lib.*\ of\ .*libpq\.so\.4 |				# non-OSNET
-	/lib.*\ of\ .*libpython2\.4\.so\.1\.0 			# non-OSNET
+	/lib.*\ of\ .*libpython2\.4\.so\.1\.0 |			# non-OSNET
+	/lib.*\ of\ .*kcfd |					# interposer
+	/libpkcs11\.so\.1;\.*\ of\ .*libkmf\.so\.1		# interposed
 }x;
 
 # Define any files that should only have unused (ldd -u) processing.
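Review bot: In the second added alternative, `;\.*\ of` matches a semicolon followed only by literal periods, which looks like a slip for `;.*\ of`. If the checked output has any text between the `;` and ` of `, the exception never fires; this is inferred from the pattern alone, since the input format is not visible here. The first added alternative, `/lib.*\ of\ .*kcfd`, is unanchored and suppresses the warning for any object whose path merely contains `kcfd`. I would anchor it to kcfd's full installed path so the exception covers only the intended interposer relationship. The enclosing regex assignment starts outside the hunk.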