/********************************************************************************/
/*										*/
/*			 Object Templates					*/
/*			     Written by Ken Goldman				*/
/*		       IBM Thomas J. Watson Research Center			*/
/*										*/
/* (c) Copyright IBM Corporation 2016 - 2019.					*/
/*										*/
/* All rights reserved.								*/
/* 										*/
/* Redistribution and use in source and binary forms, with or without		*/
/* modification, are permitted provided that the following conditions are	*/
/* met:										*/
/* 										*/
/* Redistributions of source code must retain the above copyright notice,	*/
/* this list of conditions and the following disclaimer.			*/
/* 										*/
/* Redistributions in binary form must reproduce the above copyright		*/
/* notice, this list of conditions and the following disclaimer in the		*/
/* documentation and/or other materials provided with the distribution.		*/
/* 										*/
/* Neither the names of the IBM Corporation nor the names of its		*/
/* contributors may be used to endorse or promote products derived from		*/
/* this software without specific prior written permission.			*/
/* 										*/
/* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS		*/
/* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT		*/
/* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR	*/
/* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT		*/
/* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,	*/
/* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT		*/
/* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,	*/
/* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	*/
/* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT		*/
/* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	*/
/* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.		*/
/********************************************************************************/

/* These are templates suitable for creating typical objects.  The functions are shared by create
   and createprimary

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#include <ibmtss/tss.h>
#include <ibmtss/tssutils.h>
#include <ibmtss/tssresponsecode.h>
#include <ibmtss/tssmarshal.h>

#include "objecttemplates.h"

/* asymPublicTemplate() is a template for an ECC or RSA key.

   It can create these types:

   TYPE_ST:   storage key (decrypt, restricted, RSA NULL scheme, EC NULL scheme)
   TYPE_DEN:  decryption key (not storage key, RSA NULL scheme, EC NULL scheme)
   TYPE_DEO:  decryption key (not storage key, RSA OAEP scheme, EC NULL scheme)
   TYPE_DEE:  decryption key (not storage key, RSA ES scheme, EC NULL scheme)
   TYPE_SI:   signing key (unrestricted, RSA NULL schemem EC NULL scheme)
   TYPE_SIR:  signing key (restricted, RSA RSASSA scheme, EC ECDSA scheme)
   TYPE_GP:   general purpose key
   TYPE_DAA:  signing key (unrestricted, ECDAA)
   TYPE_DAAR: signing key (restricted, ECDAA)
*/

TPM_RC asymPublicTemplate(TPMT_PUBLIC *publicArea,	/* output */
			  TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
								   here */
			  TPMA_OBJECT deleteObjectAttributes,
			  int keyType,			/* see above */
			  TPMI_ALG_PUBLIC algPublic,	/* RSA or ECC */
			  TPMI_RSA_KEY_BITS keyBits,	/* RSA modulus */
			  TPMI_ECC_CURVE curveID,	/* for ECC */
			  TPMI_ALG_HASH nalg,		/* Name algorithm */
			  TPMI_ALG_HASH halg,		/* hash algorithm */
			  const char *policyFilename)	/* binary policy, NULL means empty */
{
    TPM_RC			rc = 0;

    if (rc == 0) {
	publicArea->objectAttributes = addObjectAttributes;
	/* Table 185 - TPM2B_PUBLIC inPublic */
	/* Table 184 - TPMT_PUBLIC publicArea */
	publicArea->type = algPublic;		/* RSA or ECC */
	publicArea->nameAlg = nalg;

	/* Table 32 - TPMA_OBJECT objectAttributes */
	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;

	switch (keyType) {
	  case TYPE_DEN:
	  case TYPE_DEO:
	  case TYPE_DEE:
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
	    publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	    break;
	  case TYPE_ST:
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
	    publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
	    publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
	    break;
	  case TYPE_SI:
	  case TYPE_DAA:
	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	    break;
	  case TYPE_SIR:
	  case TYPE_DAAR:
	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
	    publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
	    break;
	  case TYPE_GP:
	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
	    publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	    break;
	}
	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
    }
    if (rc == 0) {
	/* Table 72 -  TPM2B_DIGEST authPolicy */
	/* policy set separately */

	/* Table 182 - Definition of TPMU_PUBLIC_PARMS parameters */
	if (algPublic == TPM_ALG_RSA) {
	    /* Table 180 - Definition of {RSA} TPMS_RSA_PARMS rsaDetail */
	    /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure symmetric */
	    switch (keyType) {
	      case TYPE_DEN:
	      case TYPE_DEO:
	      case TYPE_DEE:
	      case TYPE_SI:
	      case TYPE_SIR:
	      case TYPE_GP:
		/* Non-storage keys must have TPM_ALG_NULL for the symmetric algorithm */
		publicArea->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
		break;
	      case TYPE_ST:
		publicArea->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
		/* Table 125 - TPMU_SYM_KEY_BITS keyBits */
		publicArea->parameters.rsaDetail.symmetric.keyBits.aes = 128;
		/* Table 126 - TPMU_SYM_MODE mode */
		publicArea->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
		break;
	    }

	    /* Table 155 - Definition of {RSA} TPMT_RSA_SCHEME scheme */
	    switch (keyType) {
	      case TYPE_DEN:
	      case TYPE_GP:
	      case TYPE_ST:
	      case TYPE_SI:
		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
		break;
	      case TYPE_DEO:
		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_OAEP;
		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
		/* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
		/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
		/* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
		publicArea->parameters.rsaDetail.scheme.details.oaep.hashAlg = halg;
		break;
	      case TYPE_DEE:
		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_RSAES;
		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
		/* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
		/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
		/* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
		publicArea->parameters.rsaDetail.scheme.details.oaep.hashAlg = halg;
		break;
	      case TYPE_SIR:
		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_RSASSA;
		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
		/* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
		/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
		/* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
		publicArea->parameters.rsaDetail.scheme.details.rsassa.hashAlg = halg;
		break;
	    }
	
	    /* Table 159 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type keyBits */
	    publicArea->parameters.rsaDetail.keyBits = keyBits;
	    publicArea->parameters.rsaDetail.exponent = 0;
	    /* Table 177 - TPMU_PUBLIC_ID unique */
	    /* Table 177 - Definition of TPMU_PUBLIC_ID */
	    publicArea->unique.rsa.t.size = 0;
	}
	else {	/* algPublic == TPM_ALG_ECC */
	    /* Table 181 - Definition of {ECC} TPMS_ECC_PARMS Structure eccDetail */
	    /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure symmetric */
	    switch (keyType) {
	      case TYPE_DEN:
	      case TYPE_DEO:
	      case TYPE_DEE:
	      case TYPE_SI:
	      case TYPE_SIR:
	      case TYPE_DAA:
	      case TYPE_DAAR:
	      case TYPE_GP:
		/* Non-storage keys must have TPM_ALG_NULL for the symmetric algorithm */
		publicArea->parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
		break;
	      case TYPE_ST:
		publicArea->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
		/* Table 125 - TPMU_SYM_KEY_BITS keyBits */
		publicArea->parameters.eccDetail.symmetric.keyBits.aes = 128;
		/* Table 126 - TPMU_SYM_MODE mode */
		publicArea->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
		break;
	    }
	    /* Table 166 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure scheme */
	    /* Table 164 - Definition of (TPM_ALG_ID) {ECC} TPMI_ALG_ECC_SCHEME Type scheme */
	    switch (keyType) {
	      case TYPE_GP:
	      case TYPE_SI:
	      case TYPE_DEN:
	      case TYPE_DEO:
	      case TYPE_DEE:
		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
		/* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
		/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants curveID */
		publicArea->parameters.eccDetail.curveID = curveID;
		/* Table 150 - Definition of TPMT_KDF_SCHEME Structure kdf */
		/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
		break;
	      case TYPE_SIR:
		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_ECDSA;
		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
		/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
		publicArea->parameters.eccDetail.scheme.details.ecdsa.hashAlg = halg;
		/* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
		/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants curveID */
		publicArea->parameters.eccDetail.curveID = curveID;
		/* Table 150 - Definition of TPMT_KDF_SCHEME Structure kdf */
		/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
		/* Table 149 - Definition of TPMU_KDF_SCHEME Union <IN/OUT, S> */
		/* Table 148 - Definition of Types for KDF Schemes, hash-based key-
		   or mask-generation functions */
		/* Table 135 - Definition of TPMS_SCHEME_HASH Structure hashAlg */
		publicArea->parameters.eccDetail.kdf.details.mgf1.hashAlg = halg;
		break;
	      case TYPE_DAA:
	      case TYPE_DAAR:
		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_ECDAA;
		publicArea->parameters.eccDetail.scheme.details.ecdaa.hashAlg = halg;
		publicArea->parameters.eccDetail.scheme.details.ecdaa.count = 1;
		publicArea->parameters.eccDetail.curveID = curveID;
		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
		publicArea->unique.ecc.y.t.size = 0;
		publicArea->unique.ecc.x.t.size = 0;
		break;
	      case TYPE_ST:
		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
		publicArea->parameters.eccDetail.scheme.details.anySig.hashAlg = 0;
		publicArea->parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
		publicArea->parameters.eccDetail.kdf.details.mgf1.hashAlg = 0;
		break;
	    }
	    /* Table 177 - TPMU_PUBLIC_ID unique */
	    /* Table 177 - Definition of TPMU_PUBLIC_ID */
	    publicArea->unique.ecc.x.t.size = 0;
	    publicArea->unique.ecc.y.t.size = 0;
	}
    }
    if (rc == 0) {
	rc = getPolicy(publicArea, policyFilename);
    }
    return rc;
}

/* symmetricCipherTemplate() is a template for an AES 128 CFB key

 */

TPM_RC symmetricCipherTemplate(TPMT_PUBLIC *publicArea,		/* output */
			       TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
								   here */
			       TPMA_OBJECT deleteObjectAttributes,
			       TPMI_ALG_HASH nalg,		/* Name algorithm */
			       int rev116,		/* TPM rev 116 compatibility, sets SIGN */
			       const char *policyFilename)	/* binary policy, NULL means empty */
{
    TPM_RC rc = 0;
    
    if (rc == 0) {
	publicArea->objectAttributes = addObjectAttributes;

	/* Table 185 - TPM2B_PUBLIC inPublic */
	/* Table 184 - TPMT_PUBLIC publicArea */
	publicArea->type = TPM_ALG_SYMCIPHER;
	publicArea->nameAlg = nalg;
	/* Table 32 - TPMA_OBJECT objectAttributes */
	/* rev 116 used DECRYPT for both decrypt and encrypt.  After 116, encrypt required SIGN */
	if (!rev116) {
	    /* actually encrypt */
	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
	}
	publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
	/* Table 72 -  TPM2B_DIGEST authPolicy */
	/* policy set separately */
	/* Table 182 - Definition of TPMU_PUBLIC_PARMS parameters */
	{
	    /* Table 131 - Definition of TPMS_SYMCIPHER_PARMS symDetail */
	    {
		/* Table 129 - Definition of TPMT_SYM_DEF_OBJECT sym */
		/* Table 62 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_OBJECT Type */
		publicArea->parameters.symDetail.sym.algorithm = TPM_ALG_AES;
		/* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
		publicArea->parameters.symDetail.sym.keyBits.aes = 128;
		/* Table 126 - Definition of TPMU_SYM_MODE Union */
		publicArea->parameters.symDetail.sym.mode.aes = TPM_ALG_CFB;
	    }
	}
	/* Table 177 - TPMU_PUBLIC_ID unique */
	/* Table 72 - Definition of TPM2B_DIGEST Structure */
	publicArea->unique.sym.t.size = 0; 
    }
    if (rc == 0) {
	rc = getPolicy(publicArea, policyFilename);
    }
    return rc;
}

/* keyedHashPublicTemplate() is a template for an HMAC key

   It can create these types:

   TYPE_KH:	HMAC key, unrestricted
   TYPE_KHR:	HMAC key, restricted
*/

TPM_RC keyedHashPublicTemplate(TPMT_PUBLIC *publicArea,		/* output */
			       TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
								   here */
			       TPMA_OBJECT deleteObjectAttributes,
			       int keyType,			/* see above */
			       TPMI_ALG_HASH nalg,		/* Name algorithm */
			       TPMI_ALG_HASH halg,		/* hash algorithm */
			       const char *policyFilename)	/* binary policy, NULL means empty */
{
    TPM_RC			rc = 0;

    if (rc == 0) {
	publicArea->objectAttributes = addObjectAttributes;

	/* Table 185 - TPM2B_PUBLIC inPublic */
	/* Table 184 - TPMT_PUBLIC publicArea */
	/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
	publicArea->type = TPM_ALG_KEYEDHASH;
	/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type  */
	publicArea->nameAlg = nalg;
	/* Table 32 - TPMA_OBJECT objectAttributes */
	publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
	switch (keyType) {
	  case TYPE_KH:
	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	    break;
	  case TYPE_KHR:
	    publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
	    break;
	}
	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
	/* Table 72 -  TPM2B_DIGEST authPolicy */
	/* policy set separately */
	{
	    /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
	    /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
	    /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
	    /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
	    publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_HMAC;
	    /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
	    /* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
	    /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
	    publicArea->parameters.keyedHashDetail.scheme.details.hmac.hashAlg = halg;
	}
	/* Table 177 - TPMU_PUBLIC_ID unique */
	/* Table 72 - Definition of TPM2B_DIGEST Structure */
	publicArea->unique.sym.t.size = 0; 
    }
    if (rc == 0) {
	rc = getPolicy(publicArea, policyFilename);
    }
    return rc;
}

/* derivationParentPublicTemplate() is a template for a derivation parent

   The key is not restricted
*/

TPM_RC derivationParentPublicTemplate(TPMT_PUBLIC *publicArea,		/* output */
				      TPMA_OBJECT addObjectAttributes,	/* add default, can be
									   overridden here */
				      TPMA_OBJECT deleteObjectAttributes,
				      TPMI_ALG_HASH nalg,		/* Name algorithm */
				      TPMI_ALG_HASH halg,		/* hash algorithm */
				      const char *policyFilename)	/* binary policy, NULL means
									   empty */
{
    TPM_RC			rc = 0;

    if (rc == 0) {
	publicArea->objectAttributes = addObjectAttributes;

	/* Table 185 - TPM2B_PUBLIC inPublic */
	/* Table 184 - TPMT_PUBLIC publicArea */
	/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
	publicArea->type = TPM_ALG_KEYEDHASH;
	/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type  */
	publicArea->nameAlg = nalg;
	/* Table 32 - TPMA_OBJECT objectAttributes */
	publicArea->objectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
	publicArea->objectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
	publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
	publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
	publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
	/* Table 72 -  TPM2B_DIGEST authPolicy */
	/* policy set separately */
	{
	    /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
	    /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
	    /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
	    /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
	    publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_XOR;
	    /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
	    /* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
	    /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
	    publicArea->parameters.keyedHashDetail.scheme.details.xorr.kdf = TPM_ALG_KDF1_SP800_108;
	    publicArea->parameters.keyedHashDetail.scheme.details.xorr.hashAlg = halg;
	}
	/* Table 177 - TPMU_PUBLIC_ID unique */
	/* Table 72 - Definition of TPM2B_DIGEST Structure */
	publicArea->unique.sym.t.size = 0; 
    }
    if (rc == 0) {
	rc = getPolicy(publicArea, policyFilename);
    }
    return rc;
}

/* blPublicTemplate() is a template for a sealed data blob.

*/

TPM_RC blPublicTemplate(TPMT_PUBLIC *publicArea,	/* output */
			TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
								   here */
			TPMA_OBJECT deleteObjectAttributes,
			TPMI_ALG_HASH nalg,		/* Name algorithm */
			const char *policyFilename)	/* binary policy, NULL means empty */
{
    TPM_RC			rc = 0;

    if (rc == 0) {
	publicArea->objectAttributes = addObjectAttributes;

	/* Table 185 - TPM2B_PUBLIC inPublic */
	/* Table 184 - TPMT_PUBLIC publicArea */
	/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
	publicArea->type = TPM_ALG_KEYEDHASH;
	/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type  */
	publicArea->nameAlg = nalg;
	/* Table 32 - TPMA_OBJECT objectAttributes */
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
	/* Table 72 -  TPM2B_DIGEST authPolicy */
	/* policy set separately */
	{
	    /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
	    /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
	    /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
	    /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
	    publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_NULL;
	    /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
	}
	/* Table 177 - TPMU_PUBLIC_ID unique */
	/* Table 72 - Definition of TPM2B_DIGEST Structure */
	publicArea->unique.sym.t.size = 0; 
    }
    if (rc == 0) {
	rc = getPolicy(publicArea, policyFilename);
    }
    return rc;
}

TPM_RC getPolicy(TPMT_PUBLIC *publicArea,
		 const char *policyFilename)
{
    TPM_RC rc = 0;

    if (rc == 0) {
	if (policyFilename != NULL) {
	    rc = TSS_File_Read2B(&publicArea->authPolicy.b,
				 sizeof(publicArea->authPolicy.t.buffer),
				 policyFilename);
	}
	else {
	    publicArea->authPolicy.t.size = 0;	/* default empty policy */
	}
    }
    return rc;
}

void printUsageTemplate(void)
{
    printf("\t[Asymmetric Key Algorithm]\n");
    printf("\n");
    printf("\t-rsa keybits (default)\n");
    printf("\t\t(2048 default)\n");
    printf("\t-ecc curve\n");
    printf("\t\tbnp256\n");
    printf("\t\tnistp256\n");
    printf("\t\tnistp384\n");
    printf("\n");
    printf("\tKey attributes\n");
    printf("\n");
    printf("\t\t-bl\tdata blob for unseal (create only)\n");
    printf("\t\t\trequires -if\n");
    printf("\t\t-den\tdecryption, (unrestricted, RSA and EC NULL scheme)\n");
    printf("\t\t-deo\tdecryption, (unrestricted, RSA OAEP, EC NULL scheme)\n");
    printf("\t\t-dee\tdecryption, (unrestricted, RSA ES, EC NULL scheme)\n");
    printf("\t\t-des\tencryption/decryption, AES symmetric\n");
    printf("\t\t\t[-116 for TPM rev 116 compatibility]\n");
    printf("\t\t-st\tstorage (restricted)\n");
    printf("\t\t\t[default for primary keys]\n");
    printf("\t\t-si\tunrestricted signing (RSA and EC NULL scheme)\n");
    printf("\t\t-sir\trestricted signing (RSA RSASSA, EC ECDSA scheme)\n");
    printf("\t\t-dau\tunrestricted ECDAA signing key pair\n");
    printf("\t\t-dar\trestricted ECDAA signing key pair\n");
    printf("\t\t-kh\tkeyed hash (unrestricted, hmac)\n");
    printf("\t\t-khr\tkeyed hash (restricted, hmac)\n");
    printf("\t\t-dp\tderivation parent\n");
    printf("\t\t-gp\tgeneral purpose, not storage\n");
    printf("\n");
    printf("\t\t[-kt\t(can be specified more than once)]\n"
	   "\t\t\tf\tfixedTPM (default for primary keys and derivation parents)\n"
	   "\t\t\tp\tfixedParent (default for primary keys and derivation parents)\n"
	   "\t\t\tnf\tno fixedTPM (default for non-primary keys)\n"
	   "\t\t\tnp\tno fixedParent (default for non-primary keys)\n"
	   "\t\t\ted\tencrypted duplication (default not set)\n");
    printf("\t[-da\tobject subject to DA protection (default no)]\n");
    printf("\t[-pol\tpolicy file (default empty)]\n");
    printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
    printf("\t[-if\tdata (inSensitive) file name]\n");
    printf("\n");
    printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
    printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
    return;	
}