3 files changed, 73 insertions, 13 deletions

diff --git a/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java b/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
index 985b4ef8b..06a6398c5 100644
--- a/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
+++ b/base/common/src/com/netscape/cms/selftests/tks/TKSKnownSessionKey.java
@@ -276,12 +276,46 @@ public class TKSKnownSessionKey
      */
     public void runSelfTest(ILogEventListener logger)
             throws ESelfTestException {
-        String logMessage = null;
+        IConfigStore cs = CMS.getConfigStore();
+        String sharedSecretName;
+        try {
+            boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
+            if (useNewNames) {
+                String tpsList = cs.getString("tps.list", "");
+                if (tpsList.isEmpty()) {
+                    CMS.debug("TKSKnownSessionKey: no shared secrets configured, exiting");
+                    return;
+                }
+
+                for (String tpsID : tpsList.split(",")) {
+                    sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
+                    if (!sharedSecretName.isEmpty()) {
+                        CMS.debug("TKSKnownSessionKey: testing with key " + sharedSecretName);
+                        generateSessionKey(logger, sharedSecretName);
+                    }
+                }
+            } else {
+                // legacy systems
+                sharedSecretName = cs.getString("tks.tksSharedSymKeyName", "sharedSecret");
+                generateSessionKey(logger, sharedSecretName);
+            }
+        } catch (EBaseException e) {
+            e.printStackTrace();
+            CMS.debug("TKSKnownSessionKey: failed to read config file to set up test");
+            String logMessage = CMS.getLogMessage("SELFTESTS_TKS_FAILED", getSelfTestName(), getSelfTestName());
+            mSelfTestSubsystem.log(logger, logMessage);
+            throw new ESelfTestException(logMessage);
+        }
+        return;
+    }
+
+    private void generateSessionKey(ILogEventListener logger, String sharedSecretName) throws ESelfTestException {
+        String logMessage;
         String keySet = "defKeySet";
 
-        byte[] sessionKey = SessionKey.ComputeSessionKey(mToken, mKeyName,
-                                                          mCardChallenge, mHostChallenge,
-                                                          mKeyInfo, mCUID, mMacKey, mUseSoftToken, keySet, null);
+        byte[] sessionKey = SessionKey.ComputeSessionKey(
+                mToken, mKeyName, mCardChallenge, mHostChallenge, mKeyInfo,
+                mCUID, mMacKey, mUseSoftToken, keySet, sharedSecretName);
 
         // Now we just see if we can successfully generate a session key.
         // For FIPS compliance, the routine now returns a wrapped key, which can't be extracted and compared.
@@ -296,7 +330,5 @@ public class TKSKnownSessionKey
             mSelfTestSubsystem.log(logger, logMessage);
             CMS.debug("TKSKnownSessionKey self test SUCCEEDED");
         }
-
-        return;
     }
 }
diff --git a/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java b/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
index ee6913acc..766975651 100644
--- a/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
+++ b/base/common/src/com/netscape/cms/servlet/tks/TokenServlet.java
@@ -284,10 +284,7 @@ public class TokenServlet extends CMSServlet {
         } catch (EBaseException eee) {
         }
 
-        try {
-            transportKeyName = sconfig.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
-        } catch (EBaseException e) {
-        }
+        transportKeyName = getSharedSecretName(sconfig);
 
         CMS.debug("TokenServlet: ComputeSessionKey(): tksSharedSymKeyName: " + transportKeyName);
 
@@ -447,7 +444,7 @@ public class TokenServlet extends CMSServlet {
                             desKey = kg.generate();*/
 
                         /*
-                         * XXX GenerateSymkey firt generates a 16 byte DES2 key.
+                         * GenerateSymkey firt generates a 16 byte DES2 key.
                          * It then pads it into a 24 byte key with last
                          * 8 bytes copied from the 1st 8 bytes.  Effectively
                          * making it a 24 byte DES2 key.  We need this for
@@ -471,7 +468,7 @@ public class TokenServlet extends CMSServlet {
                         }
 
                         /*
-                         * XXX ECBencrypt actually takes the 24 byte DES2 key
+                         * ECBencrypt actually takes the 24 byte DES2 key
                          * and discard the last 8 bytes before it encrypts.
                          * This is done so that the applet can digest it
                          */
@@ -496,7 +493,7 @@ public class TokenServlet extends CMSServlet {
                         keycheck_s =
                                 com.netscape.cmsutil.util.Utils.SpecialEncode(keycheck);
 
-                        //XXX use DRM transport cert to wrap desKey
+                        //use DRM transport cert to wrap desKey
                         String drmTransNickname = CMS.getConfigStore().getString("tks.drm_transport_cert_nickname", "");
 
                         if ((drmTransNickname == null) || (drmTransNickname == "")) {
@@ -737,6 +734,36 @@ public class TokenServlet extends CMSServlet {
         audit(auditMessage);
     }
 
+    // This method will return the shared secret name.  In new 10.1 subsystems, this
+    // name will be stored in tps.X.nickname.
+    //
+    // Until multiple TKS/TPS connections is fully supported, this method will just
+    // return the first shared secret nickname found, on the assumption that only
+    // one nickname will be configured.  This will have to be changed to return the correct
+    // key based on some parameter in the request in future.
+    //
+    // On legacy systems, this method just returns what was previously returned.
+    private String getSharedSecretName(IConfigStore cs) throws EBaseException {
+        boolean useNewNames = cs.getBoolean("tks.useNewSharedSecretNames", false);
+
+        if (useNewNames) {
+            String tpsList = cs.getString("tps.list", "");
+            if (!tpsList.isEmpty()) {
+                for (String tpsID : tpsList.split(",")) {
+                    String sharedSecretName = cs.getString("tps." + tpsID + ".nickname", "");
+                    if (!sharedSecretName.isEmpty()) {
+                        return sharedSecretName;
+                    }
+                }
+            }
+            CMS.debug("getSharedSecretName: no shared secret has been configured");
+            throw new EBaseException("No shared secret has been configured");
+        }
+
+        // legacy system - return as before
+        return cs.getString("tks.tksSharedSymKeyName", TRANSPORT_KEY_NAME);
+    }
+
     private void processDiversifyKey(HttpServletRequest req,
             HttpServletResponse resp) throws EBaseException {
         byte[] KeySetData, CUID, xCUID;
diff --git a/base/tks/shared/conf/CS.cfg.in b/base/tks/shared/conf/CS.cfg.in
index c0ee3fa0c..9a7ed7f05 100644
--- a/base/tks/shared/conf/CS.cfg.in
+++ b/base/tks/shared/conf/CS.cfg.in
@@ -323,6 +323,7 @@ tks.defaultSlot=Internal Key Storage Token
 tks.drm_transport_cert_nickname=
 tks.master_key_prefix=
 tks.tksSharedSymKeyName=sharedSecret
+tks.useNewSharedSecretNames=true
 tks.useDefaultSlot=true
 usrgrp._000=##
 usrgrp._001=## User/Group