changeset 10:a38fd32682e4

Backport: 6606040 elfsign should use new KMF APIs
author Andrew Stormont <andyjstormont@gmail.com>
date Wed, 29 Feb 2012 07:07:12 +0000
parents 2027089f4c3a
children f427da4b677f
files usr/src/cmd/cmd-crypto/elfsign/elfsign.c usr/src/lib/libelfsign/common/elfcertlib.c
diffstat 2 files changed, 317 insertions(+), 155 deletions(-) [+]
line wrap: on
line diff
--- a/usr/src/cmd/cmd-crypto/elfsign/elfsign.c	Wed Feb 29 06:38:16 2012 +0000
+++ b/usr/src/cmd/cmd-crypto/elfsign/elfsign.c	Wed Feb 29 07:07:12 2012 +0000
@@ -212,7 +212,7 @@
 	 *	  because getopt does that for us.
 	 */
 	while (!errflag && (c = getopt(argc - 1, argv + 1, opts)) != EOF) {
-		if (strchr("ceFihkPr", c) != NULL)
+		if (strchr("ceFihkPTr", c) != NULL)
 			cryptodebug("c=%c, '%s'", c, optarg);
 		else
 			cryptodebug("c=%c", c);
@@ -737,6 +737,17 @@
 		return (ret);
 	ret = EXIT_SIGN_FAILED;
 
+	if (cmd_info.token_label &&
+	    !elfcertlib_settoken(cmd_info.ess, cmd_info.token_label)) {
+		es_error(gettext("Unable to access token: %s"),
+		    cmd_info.token_label);
+		ret = EXIT_SIGN_FAILED;
+		goto clean_esa;
+	}
+
+	if ((ret = setcertpath()) != EXIT_OKAY)
+		goto clean_esa;
+
 	/*
 	 * Find the certificate we need to sign the activation file with.
 	 */
@@ -1016,7 +1027,7 @@
 	kmfrv = f; \
 	if (kmfrv != KMF_OK) { \
 		char *e = NULL; \
-		(void) KMF_GetKMFErrorString(kmfrv, &e); \
+		(void) kmf_get_kmf_error_str(kmfrv, &e); \
 		cryptoerror(LOG_STDERR, \
 			gettext("Failed to %s: %s\n"), \
 			s, (e ? e : "unknown error")); \
@@ -1029,17 +1040,23 @@
 {
 	KMF_RETURN kmfrv = KMF_OK;
 	KMF_HANDLE_T kmfhandle = NULL;
-	KMF_CREATEKEYPAIR_PARAMS kp_params;
 	KMF_KEY_HANDLE pubk, prik;
 	KMF_X509_NAME csrSubject;
 	KMF_CSR_DATA csr;
 	KMF_ALGORITHM_INDEX sigAlg = KMF_ALGID_MD5WithRSA;
 	KMF_DATA signedCsr = { NULL, 0 };
-	KMF_CONFIG_PARAMS config;
 	char *err;
+	KMF_ATTRIBUTE	attrlist[16];
+	KMF_ENCODE_FORMAT	format;
+	KMF_KEYSTORE_TYPE	kstype;
+	KMF_KEY_ALG	keytype;
+	uint32_t	keylength;
+	KMF_CREDENTIAL	cred;
+	char	*pin = NULL;
+	int	numattr;
 
-	if ((kmfrv = KMF_Initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
-		(void) KMF_GetKMFErrorString(kmfrv, &err);
+	if ((kmfrv = kmf_initialize(&kmfhandle, NULL, NULL)) != KMF_OK) {
+		(void) kmf_get_kmf_error_str(kmfrv, &err);
 		cryptoerror(LOG_STDERR,
 		    gettext("Error initializing KMF: %s\n"),
 		    (err ? err : "unknown error"));
@@ -1049,82 +1066,109 @@
 	}
 	(void) memset(&csr, 0, sizeof (csr));
 	(void) memset(&csrSubject, 0, sizeof (csrSubject));
-	(void) memset(&kp_params, 0, sizeof (kp_params));
 
 	if (cmd_info.privpath != NULL) {
-		kp_params.kstype = KMF_KEYSTORE_OPENSSL;
-		kp_params.sslparms.keyfile = cmd_info.privpath;
-		kp_params.sslparms.format = KMF_FORMAT_ASN1;
-	} else if (cmd_info.token_label != NULL) {
+		kstype = KMF_KEYSTORE_OPENSSL;
+		format = KMF_FORMAT_ASN1;
+	} else {
+		boolean_t	readonly;
+		/* args checking verified (cmd_info.token_label != NULL) */
 
 		/* Get a PIN to store the private key in the token */
-		char *pin = getpin();
+		pin = getpin();
 
 		if (pin == NULL) {
-			(void) KMF_Finalize(kmfhandle);
+			(void) kmf_finalize(kmfhandle);
 			return (KMF_ERR_AUTH_FAILED);
 		}
 
-		kp_params.kstype = KMF_KEYSTORE_PK11TOKEN;
-		kp_params.cred.cred = pin;
-		kp_params.cred.credlen = strlen(pin);
+		kstype = KMF_KEYSTORE_PK11TOKEN;
+		readonly = B_FALSE;
 
-		(void) memset(&config, 0, sizeof (config));
-		config.kstype = KMF_KEYSTORE_PK11TOKEN;
-		config.pkcs11config.label = cmd_info.token_label;
-		config.pkcs11config.readonly = FALSE;
-		kmfrv = KMF_ConfigureKeystore(kmfhandle, &config);
+		numattr = 0;
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_TOKEN_LABEL_ATTR, cmd_info.token_label,
+		    strlen(cmd_info.token_label));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_READONLY_ATTR, &readonly, sizeof (readonly));
+		kmfrv = kmf_configure_keystore(kmfhandle, numattr, attrlist);
 		if (kmfrv != KMF_OK) {
 			goto cleanup;
 		}
 	}
 
 	/* Create the RSA keypair */
-	kp_params.keytype = KMF_RSA;
-	kp_params.keylength = ES_DEFAULT_KEYSIZE;
+	keytype = KMF_RSA;
+	keylength = ES_DEFAULT_KEYSIZE;
+	(void) memset(&prik, 0, sizeof (prik));
+	(void) memset(&pubk, 0, sizeof (pubk));
 
-	kmfrv = KMF_CreateKeypair(kmfhandle, &kp_params, &prik, &pubk);
+	numattr = 0;
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_KEYALG_ATTR, &keytype, sizeof (keytype));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_KEYLENGTH_ATTR, &keylength, sizeof (keylength));
+	if (pin != NULL) {
+		cred.cred = pin;
+		cred.credlen = strlen(pin);
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_CREDENTIAL_ATTR, &cred, sizeof (KMF_CREDENTIAL));
+	}
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_PRIVKEY_HANDLE_ATTR, &prik, sizeof (KMF_KEY_HANDLE));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_PUBKEY_HANDLE_ATTR, &pubk, sizeof (KMF_KEY_HANDLE));
+	if (kstype == KMF_KEYSTORE_OPENSSL) {
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_KEY_FILENAME_ATTR, cmd_info.privpath,
+		    strlen(cmd_info.privpath));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_ENCODE_FORMAT_ATTR, &format, sizeof (format));
+	}
+
+	kmfrv = kmf_create_keypair(kmfhandle, numattr, attrlist);
 	if (kmfrv != KMF_OK) {
-		(void) KMF_GetKMFErrorString(kmfrv, &err);
-		if (err != NULL) {
-			cryptoerror(LOG_STDERR,
-			    gettext("Create RSA keypair failed: %s"), err);
-			free(err);
-		}
+		(void) kmf_get_kmf_error_str(kmfrv, &err);
+		cryptoerror(LOG_STDERR,
+		    gettext("Create RSA keypair failed: %s"),
+		    (err ? err : "unknown error"));
+		free(err);
 		goto cleanup;
 	}
 
-	kmfrv = KMF_DNParser(dn, &csrSubject);
+	kmfrv = kmf_dn_parser(dn, &csrSubject);
 	if (kmfrv != KMF_OK) {
-		(void) KMF_GetKMFErrorString(kmfrv, &err);
-		if (err != NULL) {
-			cryptoerror(LOG_STDERR,
-			    gettext("Error parsing subject name: %s\n"), err);
-			free(err);
-		}
+		(void) kmf_get_kmf_error_str(kmfrv, &err);
+		cryptoerror(LOG_STDERR,
+		    gettext("Error parsing subject name: %s\n"),
+		    (err ? err : "unknown error"));
+		free(err);
 		goto cleanup;
 	}
 
-	SET_VALUE(KMF_SetCSRPubKey(kmfhandle, &pubk, &csr), "keypair");
+	SET_VALUE(kmf_set_csr_pubkey(kmfhandle, &pubk, &csr), "keypair");
 
-	SET_VALUE(KMF_SetCSRVersion(&csr, 2), "version number");
+	SET_VALUE(kmf_set_csr_version(&csr, 2), "version number");
 
-	SET_VALUE(KMF_SetCSRSubjectName(&csr, &csrSubject), "subject name");
+	SET_VALUE(kmf_set_csr_subject(&csr, &csrSubject), "subject name");
 
-	SET_VALUE(KMF_SetCSRSignatureAlgorithm(&csr, sigAlg),
-	    "SignatureAlgorithm");
+	SET_VALUE(kmf_set_csr_sig_alg(&csr, sigAlg), "SignatureAlgorithm");
 
-	if ((kmfrv = KMF_SignCSR(kmfhandle, &csr, &prik, &signedCsr)) ==
+	if ((kmfrv = kmf_sign_csr(kmfhandle, &csr, &prik, &signedCsr)) ==
 	    KMF_OK) {
-		kmfrv = KMF_CreateCSRFile(&signedCsr, KMF_FORMAT_PEM,
+		kmfrv = kmf_create_csr_file(&signedCsr, KMF_FORMAT_PEM,
 		    cmd_info.cert);
 	}
 
 cleanup:
-	(void) KMF_FreeKMFKey(kmfhandle, &prik);
-	(void) KMF_FreeData(&signedCsr);
-	(void) KMF_FreeSignedCSR(&csr);
-	(void) KMF_Finalize(kmfhandle);
+	(void) kmf_free_kmf_key(kmfhandle, &prik);
+	(void) kmf_free_data(&signedCsr);
+	(void) kmf_free_signed_csr(&csr);
+	(void) kmf_finalize(kmfhandle);
 
 	return (kmfrv);
 }
--- a/usr/src/lib/libelfsign/common/elfcertlib.c	Wed Feb 29 06:38:16 2012 +0000
+++ b/usr/src/lib/libelfsign/common/elfcertlib.c	Wed Feb 29 07:07:12 2012 +0000
@@ -20,7 +20,7 @@
  */
 
 /*
- * Copyright 2007 Sun Microsystems, Inc.  All rights reserved.
+ * Copyright 2009 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  */
 
@@ -84,6 +84,9 @@
 boolean_t
 elfcertlib_verifycert(ELFsign_t ess, ELFCert_t cert)
 {
+	KMF_ATTRIBUTE	attrlist[8];
+	int		numattr;
+
 	KMF_RETURN rv;
 	if ((cert->c_verified == E_OK) || (cert->c_verified == E_IS_TA)) {
 		return (B_TRUE);
@@ -101,9 +104,15 @@
 	(void) pthread_mutex_unlock(&ca_mutex);
 
 	if (CACERT != NULL) {
-		rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
-		    (const KMF_DATA *)&cert->c_cert,
-		    (const KMF_DATA *)&CACERT->c_cert.certificate);
+		numattr = 0;
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_CERT_DATA_ATTR, &cert->c_cert.certificate,
+		    sizeof (KMF_DATA));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_SIGNER_CERT_DATA_ATTR, &CACERT->c_cert.certificate,
+		    sizeof (KMF_DATA));
+
+		rv = kmf_verify_cert(ess->es_kmfhandle, numattr, attrlist);
 		if (rv == KMF_OK) {
 			if (ess->es_certCAcallback != NULL)
 				(ess->es_certvercallback)(ess->es_callbackctx,
@@ -114,9 +123,15 @@
 	}
 
 	if (OBJCACERT != NULL) {
-		rv = KMF_VerifyCertWithCert(ess->es_kmfhandle,
-		    (const KMF_DATA *)&cert->c_cert,
-		    (const KMF_DATA *)&OBJCACERT->c_cert.certificate);
+		numattr = 0;
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_CERT_DATA_ATTR, &cert->c_cert.certificate,
+		    sizeof (KMF_DATA));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_SIGNER_CERT_DATA_ATTR, &OBJCACERT->c_cert.certificate,
+		    sizeof (KMF_DATA));
+
+		rv = kmf_verify_cert(ess->es_kmfhandle, numattr, attrlist);
 		if (rv == KMF_OK) {
 			if (ess->es_certCAcallback != NULL)
 				(ess->es_certvercallback)(ess->es_callbackctx,
@@ -147,7 +162,6 @@
 {
 	KMF_RETURN rv;
 	ELFCert_t	cert = NULL;
-	KMF_FINDCERT_PARAMS fcparams;
 	KMF_X509_DER_CERT certbuf[2];
 	uint32_t ncerts;
 	boolean_t ret = B_FALSE;
@@ -183,31 +197,58 @@
 	}
 
 	for (plp = pathlist; *plp; plp++) {
-		(void) memset(&fcparams, 0, sizeof (fcparams));
-		fcparams.kstype = KMF_KEYSTORE_OPENSSL;
-		fcparams.sslparms.certfile = *plp;
-		fcparams.subject = signer_DN;
+		KMF_ATTRIBUTE	attrlist[8];
+		KMF_KEYSTORE_TYPE	kstype;
+		KMF_CERT_VALIDITY	certvalidity;
+		int		numattr;
+
+		kstype = KMF_KEYSTORE_OPENSSL;
+		certvalidity = KMF_ALL_CERTS;
 		ncerts = 2;
 
-		rv = KMF_FindCert(ess->es_kmfhandle, &fcparams, certbuf,
-		    &ncerts);
+		numattr = 0;
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_X509_DER_CERT_ATTR, certbuf,
+		    sizeof (KMF_X509_DER_CERT));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_COUNT_ATTR, &ncerts, sizeof (uint32_t));
+		if (signer_DN != NULL) {
+			kmf_set_attr_at_index(attrlist, numattr++,
+			    KMF_SUBJECT_NAME_ATTR, signer_DN,
+			    strlen(signer_DN));
+		}
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_CERT_VALIDITY_ATTR, &certvalidity,
+		    sizeof (KMF_CERT_VALIDITY));
+		kmf_set_attr_at_index(attrlist, numattr++,
+		    KMF_CERT_FILENAME_ATTR, *plp, strlen (*plp));
+
+		rv = kmf_find_cert(ess->es_kmfhandle, numattr, attrlist);
+
 		if (rv != KMF_OK)
 			continue;
-		if (ncerts > 1 && signer_DN == NULL) {
-			/* There can be only one */
-			cryptodebug("elfcertlib_getcert: "
-			    "too many certificates found in %s",
-			    cert_pathname);
-			goto cleanup;
+		/* found one */
+		cert->c_cert = certbuf[0];
+		if (ncerts > 1) {
+			/* release any extras */
+			kmf_free_kmf_cert(ess->es_kmfhandle, &certbuf[1]);
+			if (signer_DN == NULL) {
+				/* There can be only one */
+				cryptodebug("elfcertlib_getcert: "
+				    "too many certificates found in %s",
+				    cert_pathname);
+				goto cleanup;
+			}
 		}
-		/* found it, cache subject and issuer */
-		cert->c_cert = certbuf[0];
-		rv = KMF_GetCertSubjectNameString(ess->es_kmfhandle,
+		/* cache subject and issuer */
+		rv = kmf_get_cert_subject_str(ess->es_kmfhandle,
 		    &cert->c_cert.certificate, &cert->c_subject);
 		if (rv != KMF_OK)
 			goto cleanup;
 
-		rv = KMF_GetCertIssuerNameString(ess->es_kmfhandle,
+		rv = kmf_get_cert_issuer_str(ess->es_kmfhandle,
 		    &cert->c_cert.certificate, &cert->c_issuer);
 		if (rv != KMF_OK)
 			goto cleanup;
@@ -264,17 +305,39 @@
 boolean_t
 elfcertlib_loadprivatekey(ELFsign_t ess, ELFCert_t cert, const char *pathname)
 {
-	KMF_RETURN rv = KMF_OK;
-	uint32_t nkeys = 2;
-	KMF_FINDKEY_PARAMS fkparams;
+	KMF_RETURN	rv = KMF_OK;
 	KMF_KEY_HANDLE	keybuf[2];
+	KMF_ATTRIBUTE	attrlist[16];
+	uint32_t	nkeys;
+	KMF_KEYSTORE_TYPE	kstype;
+	KMF_KEY_ALG	keytype;
+	KMF_KEY_CLASS	keyclass;
+	KMF_ENCODE_FORMAT	format;
+	int		numattr;
+
+	kstype = KMF_KEYSTORE_OPENSSL;
+	nkeys = 2;
+	keytype = KMF_KEYALG_NONE;
+	keyclass = KMF_ASYM_PRI;
+	format = KMF_FORMAT_UNDEF;
 
-	(void) memset(&fkparams, 0, sizeof (fkparams));
-	fkparams.keyclass = KMF_ASYM_PRI;
-	fkparams.kstype = KMF_KEYSTORE_OPENSSL;
-	fkparams.sslparms.keyfile = (char *)pathname;
+	numattr = 0;
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
+	    &kstype, sizeof (kstype));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_HANDLE_ATTR,
+	    keybuf, sizeof (KMF_KEY_HANDLE));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_COUNT_ATTR,
+	    &nkeys, sizeof (uint32_t));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYALG_ATTR,
+	    &keytype, sizeof (keytype));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYCLASS_ATTR,
+	    &keyclass, sizeof (keyclass));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_ENCODE_FORMAT_ATTR,
+	    &format, sizeof (format));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_FILENAME_ATTR,
+	    (char *)pathname, strlen(pathname));
 
-	rv = KMF_FindKey(ess->es_kmfhandle, &fkparams, keybuf, &nkeys);
+	rv = kmf_find_key(ess->es_kmfhandle, numattr, attrlist);
 	if (rv != KMF_OK)
 		return (B_FALSE);
 	if (nkeys != 1) {
@@ -301,35 +364,18 @@
 elfcertlib_loadtokenkey(ELFsign_t ess, ELFCert_t cert,
     const char *token_label, const char *pin)
 {
-	KMF_RETURN rv = KMF_OK;
-	KMF_FINDKEY_PARAMS fkparams;
-	KMF_CONFIG_PARAMS cfgparams;
-	uint32_t nkeys = 1;
-	char *idstr = NULL;
-	char *err = NULL;
-
-	(void) memset(&fkparams, 0, sizeof (fkparams));
-	(void) memset(&cfgparams, 0, sizeof (cfgparams));
-
-	cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
-	cfgparams.pkcs11config.label = (char *)token_label;
-	cfgparams.pkcs11config.readonly = B_TRUE;
-	rv = KMF_ConfigureKeystore(ess->es_kmfhandle, &cfgparams);
-	if (rv != KMF_OK) {
-		if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
-			cryptodebug("Error configuring token access:"
-			    " %s\n", err);
-			free(err);
-		}
-		return (B_FALSE);
-	}
-
-	fkparams.idstr = idstr;
-	fkparams.kstype = KMF_KEYSTORE_PK11TOKEN;
-	fkparams.keyclass = KMF_ASYM_PRI;
-	fkparams.cred.cred = (char *)pin;
-	fkparams.cred.credlen = (pin != NULL ? strlen(pin) : 0);
-	fkparams.pkcs11parms.private = B_TRUE;
+	KMF_RETURN	rv;
+	char		*idstr = NULL;
+	char		*kmferr;
+	KMF_ATTRIBUTE	attrlist[16];
+	uint32_t	nkeys;
+	KMF_KEYSTORE_TYPE	kstype;
+	KMF_KEY_ALG	keytype;
+	KMF_KEY_CLASS	keyclass;
+	KMF_ENCODE_FORMAT	format;
+	KMF_CREDENTIAL	pincred;
+	boolean_t	tokenbool, privatebool;
+	int		numattr;
 
 	/*
 	 * We will search for the key based on the ID attribute
@@ -337,31 +383,64 @@
 	 * a SHA-1 hash of the public modulus shared by the
 	 * key and the certificate.
 	 */
-	rv = KMF_GetCertIDString(&cert->c_cert.certificate, &idstr);
+	rv = kmf_get_cert_id_str(&cert->c_cert.certificate, &idstr);
 	if (rv != KMF_OK) {
-		if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
-			cryptodebug("Error getting ID from cert: %s\n", err);
-			free(err);
-		}
+		(void) kmf_get_kmf_error_str(rv, &kmferr);
+		cryptodebug("Error getting ID from cert: %s\n",
+		    (kmferr ? kmferr : "Unrecognized KMF error"));
+		free(kmferr);
 		return (B_FALSE);
 	}
-	fkparams.idstr = idstr;
+
+	kstype = KMF_KEYSTORE_PK11TOKEN;
+	nkeys = 1;
+	keytype = KMF_KEYALG_NONE;
+	keyclass = KMF_ASYM_PRI;
+	format = KMF_FORMAT_UNDEF;
+	pincred.cred = (char *)pin;
+	pincred.credlen = strlen(pin);
+	tokenbool = B_FALSE;
+	privatebool = B_TRUE;
 
-	rv = KMF_FindKey(ess->es_kmfhandle, &fkparams,
-	    &cert->c_privatekey, &nkeys);
-	if (rv != KMF_OK || nkeys != 1) {
-		if (KMF_GetKMFErrorString(rv, &err) == KMF_OK) {
-			cryptodebug("Error finding private key: %s\n", err);
-			free(err);
-		}
-		free(idstr);
+	numattr = 0;
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
+	    &kstype, sizeof (kstype));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEY_HANDLE_ATTR,
+	    &cert->c_privatekey, sizeof (KMF_KEY_HANDLE));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_COUNT_ATTR,
+	    &nkeys, sizeof (uint32_t));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYALG_ATTR,
+	    &keytype, sizeof (keytype));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYCLASS_ATTR,
+	    &keyclass, sizeof (keyclass));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_ENCODE_FORMAT_ATTR,
+	    &format, sizeof (format));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_IDSTR_ATTR,
+	    idstr, strlen(idstr));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_CREDENTIAL_ATTR,
+	    &pincred, sizeof (KMF_CREDENTIAL));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_TOKEN_BOOL_ATTR,
+	    &tokenbool, sizeof (tokenbool));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_PRIVATE_BOOL_ATTR,
+	    &privatebool, sizeof (privatebool));
+
+	rv = kmf_find_key(ess->es_kmfhandle, numattr, attrlist);
+	free(idstr);
+	if (rv != KMF_OK) {
+		(void) kmf_get_kmf_error_str(rv, &kmferr);
+		cryptodebug("Error finding private key: %s\n",
+		    (kmferr ? kmferr : "Unrecognized KMF error"));
+		free(kmferr);
+		return (B_FALSE);
+	}
+	if (nkeys != 1) {
+		cryptodebug("Error finding private key: No key found\n");
 		return (B_FALSE);
 	}
 	cryptodebug("key found in %s", token_label);
 	cryptodebug("elfcertlib_loadprivatekey = 0x%.8X",
 	    &cert->c_privatekey);
 
-	free(idstr);
 	return (B_TRUE);
 }
 
@@ -386,10 +465,12 @@
 	const uchar_t *data, size_t data_len,
 	uchar_t *sig, size_t *sig_len)
 {
-	KMF_RETURN ret = KMF_OK;
-	KMF_DATA tobesigned;
-	KMF_DATA signature;
-	uchar_t	 der_data[sizeof (MD5_DER_PREFIX) + MD5_DIGEST_LENGTH];
+	KMF_RETURN	ret;
+	KMF_DATA	tobesigned;
+	KMF_DATA	signature;
+	uchar_t		der_data[sizeof (MD5_DER_PREFIX) + MD5_DIGEST_LENGTH];
+	KMF_ATTRIBUTE	attrlist[8];
+	int		numattr;
 
 	if (ess->es_version <= FILESIG_VERSION2) {
 		/* compatibility: take MD5 hash of SHA1 hash */
@@ -422,17 +503,28 @@
 	signature.Data = (uchar_t *)sig;
 	signature.Length = *sig_len;
 
-	ret = KMF_SignDataWithKey(ess->es_kmfhandle,
-	    &cert->c_privatekey, (KMF_OID *)&KMFOID_RSA,
-	    &tobesigned, &signature);
+	numattr = 0;
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_KEYSTORE_TYPE_ATTR, &(cert->c_privatekey.kstype),
+	    sizeof (KMF_KEYSTORE_TYPE));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_KEY_HANDLE_ATTR, &cert->c_privatekey, sizeof (KMF_KEY_HANDLE));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_OID_ATTR, (KMF_OID *)&KMFOID_RSA, sizeof (KMF_OID));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_DATA_ATTR, &tobesigned, sizeof (KMF_DATA));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_OUT_DATA_ATTR, &signature, sizeof (KMF_DATA));
+
+	ret = kmf_sign_data(ess->es_kmfhandle, numattr, attrlist);
 
 	if (ret != KMF_OK) {
-		char *err;
-		if (KMF_GetKMFErrorString(ret, &err) == KMF_OK &&
-		    err != NULL) {
-			cryptodebug("Error signing data: %s\n", err);
-			free(err);
-		}
+		char	*kmferr;
+
+		(void) kmf_get_kmf_error_str(ret, &kmferr);
+		cryptodebug("Error signing data: %s\n",
+		    (kmferr ? kmferr : "Unrecognized KMF error"));
+		free(kmferr);
 		*sig_len = 0;
 		return (B_FALSE);
 	}
@@ -461,6 +553,9 @@
 	KMF_DATA	indata;
 	KMF_DATA	insig;
 	KMF_ALGORITHM_INDEX algid;
+	KMF_ATTRIBUTE	attrlist[8];
+	KMF_KEYSTORE_TYPE	kstype;
+	int		numattr;
 
 	indata.Data = (uchar_t *)data;
 	indata.Length = data_len;
@@ -473,13 +568,26 @@
 		algid = KMF_ALGID_RSA;
 
 	/*
-	 * We tell KMF to use the OpenSSL verification
-	 * APIs here to avoid a circular dependency with
-	 * kcfd and libpkcs11.
+	 * We tell KMF to use the PKCS11 verification APIs
+	 * here to prevent the use of OpenSSL and to keep
+	 * all validation within the FIPS-140 boundary for
+	 * the Cryptographic Framework.
 	 */
-	rv = KMF_VerifyDataWithCert(ess->es_kmfhandle,
-	    KMF_KEYSTORE_OPENSSL, algid,
-	    &indata, &insig, &cert->c_cert.certificate);
+	kstype = KMF_KEYSTORE_PK11TOKEN;
+
+	numattr = 0;
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_KEYSTORE_TYPE_ATTR,
+	    &kstype,  sizeof (kstype));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_DATA_ATTR,
+	    &indata, sizeof (KMF_DATA));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_IN_SIGN_ATTR,
+	    &insig, sizeof (KMF_DATA));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_SIGNER_CERT_DATA_ATTR,
+	    (KMF_DATA *)(&cert->c_cert.certificate), sizeof (KMF_DATA));
+	kmf_set_attr_at_index(attrlist, numattr++, KMF_ALGORITHM_INDEX_ATTR,
+	    &algid, sizeof (algid));
+
+	rv = kmf_verify_data(ess->es_kmfhandle, numattr, attrlist);
 
 	return ((rv == KMF_OK));
 }
@@ -520,7 +628,7 @@
 	boolean_t rc = B_TRUE;
 	KMF_RETURN rv;
 	if (ess->es_kmfhandle == NULL) {
-		rv = KMF_Initialize(&ess->es_kmfhandle, NULL, NULL);
+		rv = kmf_initialize(&ess->es_kmfhandle, NULL, NULL);
 		if (rv != KMF_OK) {
 			cryptoerror(LOG_ERR,
 			    "unable to initialize KMF library");
@@ -533,7 +641,7 @@
 void
 elfcertlib_fini(ELFsign_t ess)
 {
-	(void) KMF_Finalize(ess->es_kmfhandle);
+	(void) kmf_finalize(ess->es_kmfhandle);
 }
 
 /*
@@ -542,15 +650,25 @@
 boolean_t
 elfcertlib_settoken(ELFsign_t ess, char *token)
 {
-	boolean_t rc = B_TRUE;
-	KMF_RETURN rv;
-	KMF_CONFIG_PARAMS cfgparams;
+	boolean_t	rc = B_TRUE;
+	KMF_RETURN	rv;
+	KMF_ATTRIBUTE	attrlist[8];
+	KMF_KEYSTORE_TYPE	kstype;
+	boolean_t	readonly;
+	int	numattr;
+
+	kstype = KMF_KEYSTORE_PK11TOKEN;
+	readonly = B_TRUE;
 
-	(void) memset(&cfgparams, 0, sizeof (cfgparams));
-	cfgparams.kstype = KMF_KEYSTORE_PK11TOKEN;
-	cfgparams.pkcs11config.label = token;
-	cfgparams.pkcs11config.readonly = B_TRUE;
-	rv = KMF_ConfigureKeystore(ess->es_kmfhandle, &cfgparams);
+	numattr = 0;
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_KEYSTORE_TYPE_ATTR, &kstype, sizeof (kstype));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_TOKEN_LABEL_ATTR, token, strlen(token));
+	kmf_set_attr_at_index(attrlist, numattr++,
+	    KMF_READONLY_ATTR, &readonly, sizeof (readonly));
+
+	rv = kmf_configure_keystore(ess->es_kmfhandle, numattr, attrlist);
 	if (rv != KMF_OK) {
 		cryptoerror(LOG_ERR, "unable to select token\n");
 		rc = B_FALSE;
@@ -637,8 +755,8 @@
 	free(cert->c_subject);
 	free(cert->c_issuer);
 
-	KMF_FreeKMFCert(ess->es_kmfhandle, &cert->c_cert);
-	KMF_FreeKMFKey(ess->es_kmfhandle, &cert->c_privatekey);
+	kmf_free_kmf_cert(ess->es_kmfhandle, &cert->c_cert);
+	kmf_free_kmf_key(ess->es_kmfhandle, &cert->c_privatekey);
 
 	free(cert);
 }