libstb/tss2/ibmtpm20tss/utils/objecttemplates.c - skiboot - Git at Google

 /********************************************************************************/
 /*										*/
 /*			 Object Templates					*/
 /*			     Written by Ken Goldman				*/
 /*		       IBM Thomas J. Watson Research Center			*/
 /*										*/
 /* (c) Copyright IBM Corporation 2016 - 2019.					*/
 /*										*/
 /* All rights reserved.								*/
 /* 										*/
 /* Redistribution and use in source and binary forms, with or without		*/
 /* modification, are permitted provided that the following conditions are	*/
 /* met:										*/
 /* 										*/
 /* Redistributions of source code must retain the above copyright notice,	*/
 /* this list of conditions and the following disclaimer.			*/
 /* 										*/
 /* Redistributions in binary form must reproduce the above copyright		*/
 /* notice, this list of conditions and the following disclaimer in the		*/
 /* documentation and/or other materials provided with the distribution.		*/
 /* 										*/
 /* Neither the names of the IBM Corporation nor the names of its		*/
 /* contributors may be used to endorse or promote products derived from		*/
 /* this software without specific prior written permission.			*/
 /* 										*/
 /* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS		*/
 /* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT		*/
 /* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR	*/
 /* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT		*/
 /* HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,	*/
 /* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT		*/
 /* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,	*/
 /* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY	*/
 /* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT		*/
 /* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE	*/
 /* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.		*/
 /********************************************************************************/

 /* These are templates suitable for creating typical objects.  The functions are shared by create
    and createprimary

 */

 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <stdint.h>

 #include <ibmtss/tss.h>
 #include <ibmtss/tssutils.h>
 #include <ibmtss/tssresponsecode.h>
 #include <ibmtss/tssmarshal.h>

 #include "objecttemplates.h"

 /* asymPublicTemplate() is a template for an ECC or RSA key.

    It can create these types:

    TYPE_ST:   storage key (decrypt, restricted, RSA NULL scheme, EC NULL scheme)
    TYPE_DEN:  decryption key (not storage key, RSA NULL scheme, EC NULL scheme)
    TYPE_DEO:  decryption key (not storage key, RSA OAEP scheme, EC NULL scheme)
    TYPE_DEE:  decryption key (not storage key, RSA ES scheme, EC NULL scheme)
    TYPE_SI:   signing key (unrestricted, RSA NULL schemem EC NULL scheme)
    TYPE_SIR:  signing key (restricted, RSA RSASSA scheme, EC ECDSA scheme)
    TYPE_GP:   general purpose key
    TYPE_DAA:  signing key (unrestricted, ECDAA)
    TYPE_DAAR: signing key (restricted, ECDAA)
 */

 TPM_RC asymPublicTemplate(TPMT_PUBLIC *publicArea,	/* output */
 			  TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
 								   here */
 			  TPMA_OBJECT deleteObjectAttributes,
 			  int keyType,			/* see above */
 			  TPMI_ALG_PUBLIC algPublic,	/* RSA or ECC */
 			  TPMI_RSA_KEY_BITS keyBits,	/* RSA modulus */
 			  TPMI_ECC_CURVE curveID,	/* for ECC */
 			  TPMI_ALG_HASH nalg,		/* Name algorithm */
 			  TPMI_ALG_HASH halg,		/* hash algorithm */
 			  const char *policyFilename)	/* binary policy, NULL means empty */
 {
     TPM_RC			rc = 0;

     if (rc == 0) {
 	publicArea->objectAttributes = addObjectAttributes;
 	/* Table 185 - TPM2B_PUBLIC inPublic */
 	/* Table 184 - TPMT_PUBLIC publicArea */
 	publicArea->type = algPublic;		/* RSA or ECC */
 	publicArea->nameAlg = nalg;

 	/* Table 32 - TPMA_OBJECT objectAttributes */
 	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;

 	switch (keyType) {
 	  case TYPE_DEN:
 	  case TYPE_DEO:
 	  case TYPE_DEE:
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	    break;
 	  case TYPE_ST:
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
 	    break;
 	  case TYPE_SI:
 	  case TYPE_DAA:
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	    break;
 	  case TYPE_SIR:
 	  case TYPE_DAAR:
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
 	    break;
 	  case TYPE_GP:
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	    break;
 	}
 	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
     }
     if (rc == 0) {
 	/* Table 72 -  TPM2B_DIGEST authPolicy */
 	/* policy set separately */

 	/* Table 182 - Definition of TPMU_PUBLIC_PARMS parameters */
 	if (algPublic == TPM_ALG_RSA) {
 	    /* Table 180 - Definition of {RSA} TPMS_RSA_PARMS rsaDetail */
 	    /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure symmetric */
 	    switch (keyType) {
 	      case TYPE_DEN:
 	      case TYPE_DEO:
 	      case TYPE_DEE:
 	      case TYPE_SI:
 	      case TYPE_SIR:
 	      case TYPE_GP:
 		/* Non-storage keys must have TPM_ALG_NULL for the symmetric algorithm */
 		publicArea->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_NULL;
 		break;
 	      case TYPE_ST:
 		publicArea->parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
 		/* Table 125 - TPMU_SYM_KEY_BITS keyBits */
 		publicArea->parameters.rsaDetail.symmetric.keyBits.aes = 128;
 		/* Table 126 - TPMU_SYM_MODE mode */
 		publicArea->parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
 		break;
 	    }

 	    /* Table 155 - Definition of {RSA} TPMT_RSA_SCHEME scheme */
 	    switch (keyType) {
 	      case TYPE_DEN:
 	      case TYPE_GP:
 	      case TYPE_ST:
 	      case TYPE_SI:
 		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
 		break;
 	      case TYPE_DEO:
 		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_OAEP;
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
 		/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
 		/* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
 		publicArea->parameters.rsaDetail.scheme.details.oaep.hashAlg = halg;
 		break;
 	      case TYPE_DEE:
 		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_RSAES;
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
 		/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
 		/* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
 		publicArea->parameters.rsaDetail.scheme.details.oaep.hashAlg = halg;
 		break;
 	      case TYPE_SIR:
 		publicArea->parameters.rsaDetail.scheme.scheme = TPM_ALG_RSASSA;
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME rsassa */
 		/* Table 142 - Definition of {RSA} Types for RSA Signature Schemes */
 		/* Table 135 - Definition of TPMS_SCHEME_HASH hashAlg */
 		publicArea->parameters.rsaDetail.scheme.details.rsassa.hashAlg = halg;
 		break;
 	    }

 	    /* Table 159 - Definition of {RSA} (TPM_KEY_BITS) TPMI_RSA_KEY_BITS Type keyBits */
 	    publicArea->parameters.rsaDetail.keyBits = keyBits;
 	    publicArea->parameters.rsaDetail.exponent = 0;
 	    /* Table 177 - TPMU_PUBLIC_ID unique */
 	    /* Table 177 - Definition of TPMU_PUBLIC_ID */
 	    publicArea->unique.rsa.t.size = 0;
 	}
 	else {	/* algPublic == TPM_ALG_ECC */
 	    /* Table 181 - Definition of {ECC} TPMS_ECC_PARMS Structure eccDetail */
 	    /* Table 129 - Definition of TPMT_SYM_DEF_OBJECT Structure symmetric */
 	    switch (keyType) {
 	      case TYPE_DEN:
 	      case TYPE_DEO:
 	      case TYPE_DEE:
 	      case TYPE_SI:
 	      case TYPE_SIR:
 	      case TYPE_DAA:
 	      case TYPE_DAAR:
 	      case TYPE_GP:
 		/* Non-storage keys must have TPM_ALG_NULL for the symmetric algorithm */
 		publicArea->parameters.eccDetail.symmetric.algorithm = TPM_ALG_NULL;
 		break;
 	      case TYPE_ST:
 		publicArea->parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
 		/* Table 125 - TPMU_SYM_KEY_BITS keyBits */
 		publicArea->parameters.eccDetail.symmetric.keyBits.aes = 128;
 		/* Table 126 - TPMU_SYM_MODE mode */
 		publicArea->parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
 		break;
 	    }
 	    /* Table 166 - Definition of (TPMT_SIG_SCHEME) {ECC} TPMT_ECC_SCHEME Structure scheme */
 	    /* Table 164 - Definition of (TPM_ALG_ID) {ECC} TPMI_ALG_ECC_SCHEME Type scheme */
 	    switch (keyType) {
 	      case TYPE_GP:
 	      case TYPE_SI:
 	      case TYPE_DEN:
 	      case TYPE_DEO:
 	      case TYPE_DEE:
 		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
 		/* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
 		/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants curveID */
 		publicArea->parameters.eccDetail.curveID = curveID;
 		/* Table 150 - Definition of TPMT_KDF_SCHEME Structure kdf */
 		/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
 		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 		break;
 	      case TYPE_SIR:
 		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_ECDSA;
 		/* Table 152 - Definition of TPMU_ASYM_SCHEME details */
 		/* Table 143 - Definition of {ECC} Types for ECC Signature Schemes */
 		publicArea->parameters.eccDetail.scheme.details.ecdsa.hashAlg = halg;
 		/* Table 165 - Definition of {ECC} (TPM_ECC_CURVE) TPMI_ECC_CURVE Type */
 		/* Table 10 - Definition of (UINT16) {ECC} TPM_ECC_CURVE Constants curveID */
 		publicArea->parameters.eccDetail.curveID = curveID;
 		/* Table 150 - Definition of TPMT_KDF_SCHEME Structure kdf */
 		/* Table 64 - Definition of (TPM_ALG_ID) TPMI_ALG_KDF Type */
 		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 		/* Table 149 - Definition of TPMU_KDF_SCHEME Union <IN/OUT, S> */
 		/* Table 148 - Definition of Types for KDF Schemes, hash-based key-
 		   or mask-generation functions */
 		/* Table 135 - Definition of TPMS_SCHEME_HASH Structure hashAlg */
 		publicArea->parameters.eccDetail.kdf.details.mgf1.hashAlg = halg;
 		break;
 	      case TYPE_DAA:
 	      case TYPE_DAAR:
 		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_ECDAA;
 		publicArea->parameters.eccDetail.scheme.details.ecdaa.hashAlg = halg;
 		publicArea->parameters.eccDetail.scheme.details.ecdaa.count = 1;
 		publicArea->parameters.eccDetail.curveID = curveID;
 		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 		publicArea->unique.ecc.y.t.size = 0;
 		publicArea->unique.ecc.x.t.size = 0;
 		break;
 	      case TYPE_ST:
 		publicArea->parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
 		publicArea->parameters.eccDetail.scheme.details.anySig.hashAlg = 0;
 		publicArea->parameters.eccDetail.curveID = TPM_ECC_NIST_P256;
 		publicArea->parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
 		publicArea->parameters.eccDetail.kdf.details.mgf1.hashAlg = 0;
 		break;
 	    }
 	    /* Table 177 - TPMU_PUBLIC_ID unique */
 	    /* Table 177 - Definition of TPMU_PUBLIC_ID */
 	    publicArea->unique.ecc.x.t.size = 0;
 	    publicArea->unique.ecc.y.t.size = 0;
 	}
     }
     if (rc == 0) {
 	rc = getPolicy(publicArea, policyFilename);
     }
     return rc;
 }

 /* symmetricCipherTemplate() is a template for an AES 128 CFB key

  */

 TPM_RC symmetricCipherTemplate(TPMT_PUBLIC *publicArea,		/* output */
 			       TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
 								   here */
 			       TPMA_OBJECT deleteObjectAttributes,
 			       TPMI_ALG_HASH nalg,		/* Name algorithm */
 			       int rev116,		/* TPM rev 116 compatibility, sets SIGN */
 			       const char *policyFilename)	/* binary policy, NULL means empty */
 {
     TPM_RC rc = 0;

     if (rc == 0) {
 	publicArea->objectAttributes = addObjectAttributes;

 	/* Table 185 - TPM2B_PUBLIC inPublic */
 	/* Table 184 - TPMT_PUBLIC publicArea */
 	publicArea->type = TPM_ALG_SYMCIPHER;
 	publicArea->nameAlg = nalg;
 	/* Table 32 - TPMA_OBJECT objectAttributes */
 	/* rev 116 used DECRYPT for both decrypt and encrypt.  After 116, encrypt required SIGN */
 	if (!rev116) {
 	    /* actually encrypt */
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
 	}
 	publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
 	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
 	/* Table 72 -  TPM2B_DIGEST authPolicy */
 	/* policy set separately */
 	/* Table 182 - Definition of TPMU_PUBLIC_PARMS parameters */
 	{
 	    /* Table 131 - Definition of TPMS_SYMCIPHER_PARMS symDetail */
 	    {
 		/* Table 129 - Definition of TPMT_SYM_DEF_OBJECT sym */
 		/* Table 62 - Definition of (TPM_ALG_ID) TPMI_ALG_SYM_OBJECT Type */
 		publicArea->parameters.symDetail.sym.algorithm = TPM_ALG_AES;
 		/* Table 125 - Definition of TPMU_SYM_KEY_BITS Union */
 		publicArea->parameters.symDetail.sym.keyBits.aes = 128;
 		/* Table 126 - Definition of TPMU_SYM_MODE Union */
 		publicArea->parameters.symDetail.sym.mode.aes = TPM_ALG_CFB;
 	    }
 	}
 	/* Table 177 - TPMU_PUBLIC_ID unique */
 	/* Table 72 - Definition of TPM2B_DIGEST Structure */
 	publicArea->unique.sym.t.size = 0;
     }
     if (rc == 0) {
 	rc = getPolicy(publicArea, policyFilename);
     }
     return rc;
 }

 /* keyedHashPublicTemplate() is a template for an HMAC key

    It can create these types:

    TYPE_KH:	HMAC key, unrestricted
    TYPE_KHR:	HMAC key, restricted
 */

 TPM_RC keyedHashPublicTemplate(TPMT_PUBLIC *publicArea,		/* output */
 			       TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
 								   here */
 			       TPMA_OBJECT deleteObjectAttributes,
 			       int keyType,			/* see above */
 			       TPMI_ALG_HASH nalg,		/* Name algorithm */
 			       TPMI_ALG_HASH halg,		/* hash algorithm */
 			       const char *policyFilename)	/* binary policy, NULL means empty */
 {
     TPM_RC			rc = 0;

     if (rc == 0) {
 	publicArea->objectAttributes = addObjectAttributes;

 	/* Table 185 - TPM2B_PUBLIC inPublic */
 	/* Table 184 - TPMT_PUBLIC publicArea */
 	/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
 	publicArea->type = TPM_ALG_KEYEDHASH;
 	/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type  */
 	publicArea->nameAlg = nalg;
 	/* Table 32 - TPMA_OBJECT objectAttributes */
 	publicArea->objectAttributes.val |= TPMA_OBJECT_SIGN;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
 	switch (keyType) {
 	  case TYPE_KH:
 	    publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	    break;
 	  case TYPE_KHR:
 	    publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
 	    break;
 	}
 	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
 	/* Table 72 -  TPM2B_DIGEST authPolicy */
 	/* policy set separately */
 	{
 	    /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
 	    /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
 	    /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
 	    /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
 	    publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_HMAC;
 	    /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
 	    /* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
 	    /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
 	    publicArea->parameters.keyedHashDetail.scheme.details.hmac.hashAlg = halg;
 	}
 	/* Table 177 - TPMU_PUBLIC_ID unique */
 	/* Table 72 - Definition of TPM2B_DIGEST Structure */
 	publicArea->unique.sym.t.size = 0;
     }
     if (rc == 0) {
 	rc = getPolicy(publicArea, policyFilename);
     }
     return rc;
 }

 /* derivationParentPublicTemplate() is a template for a derivation parent

    The key is not restricted
 */

 TPM_RC derivationParentPublicTemplate(TPMT_PUBLIC *publicArea,		/* output */
 				      TPMA_OBJECT addObjectAttributes,	/* add default, can be
 									   overridden here */
 				      TPMA_OBJECT deleteObjectAttributes,
 				      TPMI_ALG_HASH nalg,		/* Name algorithm */
 				      TPMI_ALG_HASH halg,		/* hash algorithm */
 				      const char *policyFilename)	/* binary policy, NULL means
 									   empty */
 {
     TPM_RC			rc = 0;

     if (rc == 0) {
 	publicArea->objectAttributes = addObjectAttributes;

 	/* Table 185 - TPM2B_PUBLIC inPublic */
 	/* Table 184 - TPMT_PUBLIC publicArea */
 	/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
 	publicArea->type = TPM_ALG_KEYEDHASH;
 	/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type  */
 	publicArea->nameAlg = nalg;
 	/* Table 32 - TPMA_OBJECT objectAttributes */
 	publicArea->objectAttributes.val |= TPMA_OBJECT_FIXEDTPM;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_FIXEDPARENT;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_DECRYPT;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_SENSITIVEDATAORIGIN;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_RESTRICTED;
 	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
 	/* Table 72 -  TPM2B_DIGEST authPolicy */
 	/* policy set separately */
 	{
 	    /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
 	    /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
 	    /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
 	    /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
 	    publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_XOR;
 	    /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
 	    /* Table 138 - Definition of Types for HMAC_SIG_SCHEME */
 	    /* Table 135 - Definition of TPMS_SCHEME_HASH Structure */
 	    publicArea->parameters.keyedHashDetail.scheme.details.xorr.kdf = TPM_ALG_KDF1_SP800_108;
 	    publicArea->parameters.keyedHashDetail.scheme.details.xorr.hashAlg = halg;
 	}
 	/* Table 177 - TPMU_PUBLIC_ID unique */
 	/* Table 72 - Definition of TPM2B_DIGEST Structure */
 	publicArea->unique.sym.t.size = 0;
     }
     if (rc == 0) {
 	rc = getPolicy(publicArea, policyFilename);
     }
     return rc;
 }

 /* blPublicTemplate() is a template for a sealed data blob.

 */

 TPM_RC blPublicTemplate(TPMT_PUBLIC *publicArea,	/* output */
 			TPMA_OBJECT addObjectAttributes,	/* add default, can be overridden
 								   here */
 			TPMA_OBJECT deleteObjectAttributes,
 			TPMI_ALG_HASH nalg,		/* Name algorithm */
 			const char *policyFilename)	/* binary policy, NULL means empty */
 {
     TPM_RC			rc = 0;

     if (rc == 0) {
 	publicArea->objectAttributes = addObjectAttributes;

 	/* Table 185 - TPM2B_PUBLIC inPublic */
 	/* Table 184 - TPMT_PUBLIC publicArea */
 	/* Table 176 - Definition of (TPM_ALG_ID) TPMI_ALG_PUBLIC Type */
 	publicArea->type = TPM_ALG_KEYEDHASH;
 	/* Table 59 - Definition of (TPM_ALG_ID) TPMI_ALG_HASH Type  */
 	publicArea->nameAlg = nalg;
 	/* Table 32 - TPMA_OBJECT objectAttributes */
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_SIGN;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_DECRYPT;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_RESTRICTED;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_SENSITIVEDATAORIGIN;
 	publicArea->objectAttributes.val |= TPMA_OBJECT_USERWITHAUTH;
 	publicArea->objectAttributes.val &= ~TPMA_OBJECT_ADMINWITHPOLICY;
 	publicArea->objectAttributes.val &= ~deleteObjectAttributes.val;
 	/* Table 72 -  TPM2B_DIGEST authPolicy */
 	/* policy set separately */
 	{
 	    /* Table 182 - Definition of TPMU_PUBLIC_PARMS Union <IN/OUT, S> */
 	    /* Table 178 - Definition of TPMS_KEYEDHASH_PARMS Structure */
 	    /* Table 141 - Definition of TPMT_KEYEDHASH_SCHEME Structure */
 	    /* Table 137 - Definition of (TPM_ALG_ID) TPMI_ALG_KEYEDHASH_SCHEME Type */
 	    publicArea->parameters.keyedHashDetail.scheme.scheme = TPM_ALG_NULL;
 	    /* Table 140 - Definition of TPMU_SCHEME_KEYEDHASH Union <IN/OUT, S> */
 	}
 	/* Table 177 - TPMU_PUBLIC_ID unique */
 	/* Table 72 - Definition of TPM2B_DIGEST Structure */
 	publicArea->unique.sym.t.size = 0;
     }
     if (rc == 0) {
 	rc = getPolicy(publicArea, policyFilename);
     }
     return rc;
 }

 TPM_RC getPolicy(TPMT_PUBLIC *publicArea,
 		 const char *policyFilename)
 {
     TPM_RC rc = 0;

     if (rc == 0) {
 	if (policyFilename != NULL) {
 	    rc = TSS_File_Read2B(&publicArea->authPolicy.b,
 				 sizeof(publicArea->authPolicy.t.buffer),
 				 policyFilename);
 	}
 	else {
 	    publicArea->authPolicy.t.size = 0;	/* default empty policy */
 	}
     }
     return rc;
 }

 void printUsageTemplate(void)
 {
     printf("\t[Asymmetric Key Algorithm]\n");
     printf("\n");
     printf("\t-rsa keybits (default)\n");
     printf("\t\t(2048 default)\n");
     printf("\t-ecc curve\n");
     printf("\t\tbnp256\n");
     printf("\t\tnistp256\n");
     printf("\t\tnistp384\n");
     printf("\n");
     printf("\tKey attributes\n");
     printf("\n");
     printf("\t\t-bl\tdata blob for unseal (create only)\n");
     printf("\t\t\trequires -if\n");
     printf("\t\t-den\tdecryption, (unrestricted, RSA and EC NULL scheme)\n");
     printf("\t\t-deo\tdecryption, (unrestricted, RSA OAEP, EC NULL scheme)\n");
     printf("\t\t-dee\tdecryption, (unrestricted, RSA ES, EC NULL scheme)\n");
     printf("\t\t-des\tencryption/decryption, AES symmetric\n");
     printf("\t\t\t[-116 for TPM rev 116 compatibility]\n");
     printf("\t\t-st\tstorage (restricted)\n");
     printf("\t\t\t[default for primary keys]\n");
     printf("\t\t-si\tunrestricted signing (RSA and EC NULL scheme)\n");
     printf("\t\t-sir\trestricted signing (RSA RSASSA, EC ECDSA scheme)\n");
     printf("\t\t-dau\tunrestricted ECDAA signing key pair\n");
     printf("\t\t-dar\trestricted ECDAA signing key pair\n");
     printf("\t\t-kh\tkeyed hash (unrestricted, hmac)\n");
     printf("\t\t-khr\tkeyed hash (restricted, hmac)\n");
     printf("\t\t-dp\tderivation parent\n");
     printf("\t\t-gp\tgeneral purpose, not storage\n");
     printf("\n");
     printf("\t\t[-kt\t(can be specified more than once)]\n"
 	   "\t\t\tf\tfixedTPM (default for primary keys and derivation parents)\n"
 	   "\t\t\tp\tfixedParent (default for primary keys and derivation parents)\n"
 	   "\t\t\tnf\tno fixedTPM (default for non-primary keys)\n"
 	   "\t\t\tnp\tno fixedParent (default for non-primary keys)\n"
 	   "\t\t\ted\tencrypted duplication (default not set)\n");
     printf("\t[-da\tobject subject to DA protection (default no)]\n");
     printf("\t[-pol\tpolicy file (default empty)]\n");
     printf("\t[-uwa\tuserWithAuth attribute clear (default set)]\n");
     printf("\t[-if\tdata (inSensitive) file name]\n");
     printf("\n");
     printf("\t[-nalg\tname hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
     printf("\t[-halg\tscheme hash algorithm (sha1, sha256, sha384, sha512) (default sha256)]\n");
     return;
 }