tpm2_ptool: add --policy to addkey/import/link

SergiiDmytruk · SergiiDmytruk · commit 824688c46203 · 2023-03-21T21:24:15.000+02:00
To specify the policy right on creation.

Signed-off-by: Sergii Dmytruk &lt;sergii.dmytruk@3mdeb.com&gt;
diff --git a/tools/tpm2_pkcs11/commandlets_keys.py b/tools/tpm2_pkcs11/commandlets_keys.py
@@ -59,6 +59,9 @@ def generate_options(self, group_parser):
             '--hierarchy-auth',
             help='The hierarchyauth, required for transient pobjects.\n',
             default='')
+        group_parser.add_argument(
+            '--policy',
+            help='Policy to apply on using the key (in JSON format).\n')
         pinopts = group_parser.add_mutually_exclusive_group()
         pinopts.add_argument('--sopin', help='The Administrator pin.\n'),
         pinopts.add_argument('--userpin', help='The User pin.\n'),
@@ -174,6 +177,7 @@ def __call__(self, args):
                 key_label = args['key_label']
                 tid = args['id']
                 hierarchyauth = args['hierarchy_auth']
+                policy = args['policy']
                 passin = args['passin'] if 'passin' in args else None
 
                 privkey = None
@@ -206,6 +210,9 @@ def __call__(self, args):
                 # handle options that can add additional attributes
                 always_auth = args['attr_always_authenticate']
                 priv_attrs = {CKA_ALWAYS_AUTHENTICATE : always_auth}
+                if policy is not None:
+                    validate_policy(policy)
+                    priv_attrs[CKA_TPM2_POLICY_JSON] = policy
 
                 override_keylen = getattr(self, '_override_keylen', None)
 
