/* SPDX-License-Identifier: BSD-2-Clause */

#ifdef HAVE_CONFIG_H
#include <config.h>
#endif

#include <stdlib.h>

#include "tss2_esys.h"

#include "esys_iutil.h"
#define LOGMODULE test
#include "util/log.h"
#include "util/aux_util.h"

/** This test is intended to test policy authentication for the ESAPI command
 *  Create.
 *
 * We start by creating a primary key with a password and policy.
 * Based in the primary a second key will be created using the prinary key's
 * policy for authorization.
 *
 * Tested ESAPI commands:
 *  - Esys_StartAuthSession() (M)
 *  - Esys_PolicyCommandCode() (M)
 *  - Esys_PolicyGetDigest() (M)
 *  - Esys_FlushContext() (M)
 *  - Esys_CreatePrimary() (M)
 *  - Esys_Create() (M)
 *
 * Used compiler defines: TEST_ECC
 *
 * @param[in,out] esys_context The ESYS_CONTEXT.
 * @retval EXIT_FAILURE
 * @retval EXIT_SUCCESS
 */

int
test_esys_create_policy_auth(ESYS_CONTEXT * esys_context)
{
    TSS2_RC r;
    ESYS_TR primaryHandle = ESYS_TR_NONE;
    ESYS_TR trialHandle = ESYS_TR_NONE;
    ESYS_TR policyHandle = ESYS_TR_NONE;

    TPM2B_DIGEST *trialDigest = NULL;
    TPM2B_PUBLIC *outPublic = NULL;
    TPM2B_PUBLIC *outPublic2 = NULL;
    TPM2B_PRIVATE *outPrivate2 = NULL;

    TPMT_SYM_DEF policyAlgo = {
        .algorithm = TPM2_ALG_AES,
        .keyBits.aes = 128,
        .mode.aes = TPM2_ALG_CFB,
    };

    r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              NULL, TPM2_SE_TRIAL, &policyAlgo,
                              TPM2_ALG_SHA256, &trialHandle);
    goto_if_error(r, "Error esys start trial session", error);

    r = Esys_PolicyCommandCode(esys_context, trialHandle, ESYS_TR_NONE,
                               ESYS_TR_NONE, ESYS_TR_NONE, TPM2_CC_Create);
    goto_if_error(r, "Error esys policy command code", error);

    r = Esys_PolicyGetDigest(esys_context, trialHandle, ESYS_TR_NONE,
                             ESYS_TR_NONE, ESYS_TR_NONE, &trialDigest);
    goto_if_error(r, "Error esys policy get digest", error);

    r = Esys_FlushContext(esys_context, trialHandle);
    goto_if_error(r, "Error esys flush context", error);

    TPM2B_AUTH authValuePrimary = {
        .size = 5,
        .buffer = {1, 2, 3, 4, 5}
    };

    TPM2B_SENSITIVE_CREATE inSensitivePrimary = {
        .size = 0,
        .sensitive = {
            .userAuth = {
                 .size = 0,
                 .buffer = {0},
             },
            .data = {
                 .size = 0,
                 .buffer = {0},
             },
        },
    };

    inSensitivePrimary.sensitive.userAuth = authValuePrimary;

#ifdef TEST_ECC
    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_ECC,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_RESTRICTED |
                                 TPMA_OBJECT_DECRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = *trialDigest,
            .parameters.eccDetail = {
                 .symmetric = {
                     .algorithm = TPM2_ALG_NULL,
                     .keyBits.aes = 128,
                     .mode.aes = TPM2_ALG_CFB,
                 },
                 .scheme = {
                      .scheme = TPM2_ALG_ECDSA,
                      .details = {
                          .ecdsa = {.hashAlg  = TPM2_ALG_SHA256}},
                  },
                 .curveID = TPM2_ECC_NIST_P256,
                 .kdf = {
                      .scheme = TPM2_ALG_NULL,
                      .details = {}}
             },
            .unique.ecc = {
                 .x = {.size = 0,.buffer = {}},
                 .y = {.size = 0,.buffer = {}},
             },
        },
    };
    LOG_INFO("\nECC key will be created.");
#else
    TPM2B_PUBLIC inPublic = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_RESTRICTED |
                                 TPMA_OBJECT_DECRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),
            .authPolicy = *trialDigest,
            .parameters.rsaDetail = {
                 .symmetric = {
                     .algorithm = TPM2_ALG_AES,
                     .keyBits.aes = 128,
                     .mode.aes = TPM2_ALG_CFB},
                 .scheme = {
                      .scheme = TPM2_ALG_NULL
                  },
                 .keyBits = 2048,
                 .exponent = 0,
             },
            .unique.rsa = {
                 .size = 0,
                 .buffer = {},
             },
        },
    };
    LOG_INFO("\nRSA key will be created.");
#endif /* TEST_ECC */

    TPM2B_DATA outsideInfo = {
        .size = 0,
        .buffer = {},
    };

    TPML_PCR_SELECTION creationPCR = {
        .count = 0,
    };

    r = Esys_CreatePrimary(esys_context, ESYS_TR_RH_OWNER, ESYS_TR_PASSWORD,
                           ESYS_TR_NONE, ESYS_TR_NONE,
                           &inSensitivePrimary, &inPublic,
                           &outsideInfo, &creationPCR, &primaryHandle,
                           &outPublic, NULL, NULL, NULL);
    goto_if_error(r, "Error esys create primary", error);

    LOG_INFO("Created Primary Key");

    r = Esys_TR_SetAuth(esys_context, primaryHandle, &authValuePrimary);
    goto_if_error(r, "Error: TR_SetAuth", error);

    r = Esys_StartAuthSession(esys_context, ESYS_TR_NONE, ESYS_TR_NONE,
                              ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
                              NULL, TPM2_SE_POLICY, &policyAlgo,
                              TPM2_ALG_SHA256, &policyHandle);
    goto_if_error(r, "Error esys start policy session", error);

    r = Esys_PolicyCommandCode(esys_context, policyHandle, ESYS_TR_NONE,
                               ESYS_TR_NONE, ESYS_TR_NONE, TPM2_CC_Create);
    goto_if_error(r, "Error esys policy command code", error);

    TPM2B_SENSITIVE_CREATE inSensitive2 = {
        .size = 0,
        .sensitive = {
            .userAuth = {
                 .size = 0,
                 .buffer = {0}
             },
            .data = {
                 .size = 0,
                 .buffer = {0}
             }
        }
    };

    TPM2B_PUBLIC inPublic2 = {
        .size = 0,
        .publicArea = {
            .type = TPM2_ALG_RSA,
            .nameAlg = TPM2_ALG_SHA256,
            .objectAttributes = (TPMA_OBJECT_USERWITHAUTH |
                                 TPMA_OBJECT_RESTRICTED |
                                 TPMA_OBJECT_DECRYPT |
                                 TPMA_OBJECT_FIXEDTPM |
                                 TPMA_OBJECT_FIXEDPARENT |
                                 TPMA_OBJECT_SENSITIVEDATAORIGIN),

            .authPolicy = {
                 .size = 0,
             },
            .parameters.rsaDetail = {
                 .symmetric = {
                     .algorithm = TPM2_ALG_AES,
                     .keyBits.aes = 128,
                     .mode.aes = TPM2_ALG_CFB
                 },
                 .scheme = {
                      .scheme =
                      TPM2_ALG_NULL,
                  },
                 .keyBits = 2048,
                 .exponent = 0
             },
            .unique.rsa = {
                 .size = 0,
                 .buffer = {}
                 ,
             }
        }
    };

    TPM2B_DATA outsideInfo2 = {
        .size = 0,
        .buffer = {}
        ,
    };

    TPML_PCR_SELECTION creationPCR2 = {
        .count = 0,
    };

    r = Esys_Create(esys_context, primaryHandle, policyHandle, ESYS_TR_NONE,
                    ESYS_TR_NONE, &inSensitive2, &inPublic2, &outsideInfo2,
                    &creationPCR2, &outPrivate2, &outPublic2, NULL, NULL, NULL);
    goto_if_error(r, "Error esys create ", error);

    LOG_INFO("\nSecond key created.");

    r = Esys_FlushContext(esys_context, policyHandle);
    policyHandle = ESYS_TR_NONE;
    goto_if_error(r, "Error during FlushContext", error);

    r = Esys_FlushContext(esys_context, primaryHandle);
    primaryHandle = ESYS_TR_NONE;
    goto_if_error(r, "Error during FlushContext", error);

    Esys_Free(trialDigest);
    Esys_Free(outPublic);
    Esys_Free(outPublic2);
    Esys_Free(outPrivate2);
    return EXIT_SUCCESS;

error:

    if (trialHandle != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, trialHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup trialHandle failed.");
        }
    }

    if (policyHandle != ESYS_TR_NONE) {
        if (Esys_FlushContext(esys_context, policyHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup policyHandle failed.");
        }
    }

    if (primaryHandle != ESYS_TR_NONE) {
         if (Esys_FlushContext(esys_context, primaryHandle) != TSS2_RC_SUCCESS) {
            LOG_ERROR("Cleanup primaryHandle failed.");
        }
    }

    Esys_Free(trialDigest);
    Esys_Free(outPublic);
    Esys_Free(outPublic2);
    Esys_Free(outPrivate2);
    return EXIT_FAILURE;
}

int
test_invoke_esapi(ESYS_CONTEXT * esys_context) {
    return test_esys_create_policy_auth(esys_context);
}