@JuergenReppSIT
Last active June 4, 2024 12:09
Bash script to create an authorized FAPI policy (signed with a PEM key; jq, xxd and openssl have to be installed)
#!/bin/bash
: << 'COMMENT'
Example: authorize /policy/pcr with a certain policy ref:
policy_ref="f0f1f2f3f4f5f6f7f8f9"
authorize-policy.sh /policy/pcr $policy_ref key_pub.pem key.pem > authorized_policy.json
The policy for the object to be protected can be created as follows:
cat > policy_authorize.json <<EOF
{
    "description":"Policy authorized by key.pem",
    "policy":[
        {
            "type": "POLICYAUTHORIZE",
            "keyPEM": "$(cat key_pub.pem)",
            "keyPEMhashAlg": "sha256",
            "policyRef": "$policy_ref"
        }
    ]
}
EOF
COMMENT
fapi_policy=$1   # FAPI path of the policy to be authorized, e.g. /policy/pcr
policy_ref=$2    # policyRef as a hex string (may be empty)
pub_key=$3       # PEM public key that is embedded in the authorization
key=$4           # PEM private key used for signing
hash=${5-sha256} # hash algorithm; must match one of the policy's policyDigests
opt=$6           # extra openssl dgst options; use "-sigopt rsa_padding_mode:pss" for rsa
# Export the policy as JSON (-o- writes it to stdout)
policy=$(tss2_exportpolicy -p "$fapi_policy" -o-)
# Select the policy digest computed with the requested hash algorithm (-r: no surrounding quotes)
policy_digest=$(echo "$policy" | jq -r ".policyDigests|.[] | select(.hashAlg == \"$hash\" )|.digest")
# TPM2_PolicyAuthorize verifies the signature over H(approvedPolicy || policyRef):
# hex-decode both values to raw bytes, hash and sign them, and keep only the hex signature.
# $opt is intentionally unquoted so that it word-splits into several openssl arguments.
signature=$(echo -n "${policy_digest}${policy_ref}" | xxd -r -p | openssl dgst -"$hash" -sign "$key" $opt -hex | sed 's/^.* //')
authorization=$(cat <<EOF
{ "policyAuthorizations":[
    {
        "type": "pem",
        "keyPEMhashAlg": "sha256",
        "policyRef": "$policy_ref",
        "key": "$(sed -z 's/\n/\\n/g' "$pub_key")",
        "signature": "$signature"
    }
  ]
}
EOF
)
auth_list=$(echo "$authorization" | jq '.policyAuthorizations')
if ! echo "$auth_list" | grep type > /dev/null; then
    auth_list="[]"
fi
# Append the new authorization to the exported policy and print the result
echo "$policy" | jq --argjson newval "$auth_list" '.policyAuthorizations += $newval'
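An added, stand-alone Python example (not part of the gist) that checks an authorized_policy.json produced by this script: it rebuilds the exact bytes that were signed (policy digest followed by policyRef, which is what the TPM hashes for PolicyAuthorize), validates the appended entry, and, where the `cryptography` package is available, verifies the signature against the embedded PEM key. The JSON sample, key body and signature below are constructed placeholders.

```python
import hashlib

# Constructed sample in the shape this script emits: tss2_exportpolicy's JSON with one
# "pem" entry appended. Digest, key body and signature are placeholders, not real values.
SAMPLE = {
    "policyDigests": [{"hashAlg": "sha256", "digest": "ab" * 32}],
    "policyAuthorizations": [{
        "type": "pem", "keyPEMhashAlg": "sha256", "policyRef": "f0f1f2f3f4f5f6f7f8f9",
        # the script stores the PEM with literal "\n" sequences (sed -z 's/\n/\\n/g')
        "key": "-----BEGIN PUBLIC KEY-----\\nMIIB...placeholder...\\n-----END PUBLIC KEY-----\\n",
        "signature": "00" * 256,
    }],
}
DIGEST_LEN = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}

def signed_message(policy, auth, hash_alg="sha256"):
    """Raw bytes the script pipes into openssl dgst: approvedPolicy digest || policyRef."""
    digests = [d["digest"] for d in policy["policyDigests"] if d["hashAlg"] == hash_alg]
    if len(digests) != 1:
        raise ValueError(f"expected one {hash_alg} digest, found {len(digests)}")
    digest = bytes.fromhex(digests[0])
    if len(digest) != DIGEST_LEN[hash_alg]:
        raise ValueError("digest length does not match hashAlg")
    return digest + bytes.fromhex(auth["policyRef"])  # policyRef may be empty

def check_authorization(policy, auth, hash_alg="sha256"):
    """Stdlib-only checks on one policyAuthorizations entry; returns (signed hash hex, PEM)."""
    if auth.get("type") != "pem":
        raise ValueError("only 'pem' authorizations are handled here")
    pem = auth["key"].replace("\\n", "\n")  # undo the sed escaping done by the script
    if not pem.startswith("-----BEGIN PUBLIC KEY-----"):
        raise ValueError("key is not a PEM public key")
    bytes.fromhex(auth["signature"])  # a leftover "...(stdin)= " prefix would fail here
    return hashlib.new(hash_alg, signed_message(policy, auth, hash_alg)).hexdigest(), pem

def verify_signature(policy, auth, hash_alg="sha256", pss=False):
    """Cryptographic check; assumes the `cryptography` package (>= 37) is installed.
    Covers RSA PKCS#1 v1.5, RSA-PSS (script run with -sigopt rsa_padding_mode:pss) and ECDSA."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
    _, pem = check_authorization(policy, auth, hash_alg)
    pub = serialization.load_pem_public_key(pem.encode())
    msg, sig = signed_message(policy, auth, hash_alg), bytes.fromhex(auth["signature"])
    h = getattr(hashes, hash_alg.upper())()
    if isinstance(pub, rsa.RSAPublicKey):
        pad = padding.PSS(padding.MGF1(h), padding.PSS.AUTO) if pss else padding.PKCS1v15()
        pub.verify(sig, msg, pad, h)  # raises InvalidSignature on mismatch
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        pub.verify(sig, msg, ec.ECDSA(h))  # openssl -hex emits the DER-encoded ECDSA signature
    else:
        raise TypeError("unsupported key type")
    return True
```

Run `check_authorization(SAMPLE, SAMPLE["policyAuthorizations"][0])` on a real authorized_policy.json to see the hash that must verify, and `verify_signature(...)` to verify it.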