tpm2_ptool: add objpol command for object policies

Policies are expected to be specified in JSON format.  The command
allows reading, writing or deleting policy set on an object.

Signed-off-by: Sergii Dmytruk <[email protected]>

Author: SergiiDmytruk

tools/tpm2_pkcs11/commandlets_keys.py

@@ -28,6 +28,7 @@
 from .utils import dump_blobs
 from .utils import dump_tsspem
 from .utils import dump_pubpem
+from .utils import validate_policy
 
 from .tpm2 import Tpm2
 
@@ -551,6 +552,55 @@ def __call__(self, args):
 
         ObjDel.delete(path, args['id'])
 
+@commandlet("objpol")
+class ObjPol(Command):
+    '''
+    Gets/sets/removes object's policy.
+    '''
+
+    @classmethod
+    def objpol(cls, path, tid, policy):
+
+        with Db(path) as db:
+            obj = db.getobject(tid)
+            if obj is None:
+                sys.exit('Not found, object with id: {}'.format(tid))
+        s = obj['attrs']
+        obj_attrs = yaml.safe_load(s)
+
+        # print policy when --policy is not specified
+        if policy is None:
+            if CKA_TPM2_POLICY_JSON not in obj_attrs:
+                sys.exit('The object has no policy set')
+
+            print(obj_attrs[CKA_TPM2_POLICY_JSON])
+            sys.exit()
+
+        if not policy:
+            # delete policy when --policy is empty
+            obj_attrs.pop(CKA_TPM2_POLICY_JSON, None)
+        else:
+            # set policy when --policy is a well-formed JSON
+            validate_policy(policy)
+            obj_attrs[CKA_TPM2_POLICY_JSON] = policy
+
+        with Db(path) as db:
+            db.updatetertiary(obj['id'], obj_attrs)
+
+    # adhere to an interface
+    def generate_options(self, group_parser):
+
+        group_parser.add_argument(
+            '--id', help='The id of the object to use.\n', required=True)
+        group_parser.add_argument(
+            '--policy', help='New policy value as JSON (empty value removes policy).\n')
+
+    def __call__(self, args):
+
+        path = args['path']
+
+        ObjPol.objpol(path, args['id'], args['policy'])
+
 @commandlet("link")
 class LinkCommand(NewKeyCommandBase):
     '''

tools/tpm2_pkcs11/utils.py

@@ -2,6 +2,7 @@
 import binascii
 import hashlib
 import io
+import json
 import os
 import argparse
 import sys
@@ -555,3 +556,9 @@ def dump_pubpem(db, obj, pin, is_sopin, output_prefix):
     with open(output_prefix + ".pem", "wb") as f:
         f.write(pub_blob.to_pem())
 
+def validate_policy(policy):
+    try:
+        # discarding result as this is just a JSON sanity check
+        json.loads(policy)
+    except json.JSONDecodeError:
+        sys.exit('Object policy must be a valid JSON')