refactor(policysigned)!: expiration type change with code cleanup

- Add Duration parser and use it for expiration CLI argument
- Remove unnecessary to_vec() in qualification data parsing
- Use marshall to serialise ticket more safely

Signed-off-by: Takuma IMAMURA <209989118+hyperfinitism@users.noreply.github.com>

Author: hyperfinitism

src/cmd/policysigned.rs

@@ -1,20 +1,21 @@
 // SPDX-License-Identifier: Apache-2.0
 
 use std::path::PathBuf;
+use std::time::Duration;
 
 use anyhow::Context;
 use clap::Parser;
 use log::info;
 use tss_esapi::constants::SessionType;
 use tss_esapi::handles::{ObjectHandle, SessionHandle};
 use tss_esapi::structures::{Digest, Nonce, Signature};
-use tss_esapi::traits::UnMarshall;
+use tss_esapi::traits::{Marshall, UnMarshall};
 use tss_esapi::tss2_esys::TPMT_TK_AUTH;
 
 use crate::cli::GlobalOpts;
 use crate::context::create_context;
 use crate::handle::{ContextSource, load_object_from_source};
-use crate::parse::parse_context_source;
+use crate::parse::{parse_context_source, parse_duration};
 use crate::session::load_session_from_file;
 
 /// Authorize a policy with a signed authorization.
@@ -35,8 +36,8 @@ pub struct PolicySignedCmd {
     pub signature: PathBuf,
 
     /// Expiration time in seconds (0 = no expiration)
-    #[arg(short = 'x', long = "expiration", default_value = "0")]
-    pub expiration: i32,
+    #[arg(short = 'x', long = "expiration", value_parser = parse_duration, default_value = "0")]
+    pub expiration: Option<Duration>,
 
     /// cpHash file (optional)
     #[arg(long = "cphash-input")]
@@ -84,25 +85,19 @@ impl PolicySignedCmd {
         };
 
         let policy_ref = match &self.qualification {
-            Some(bytes) => Nonce::try_from(bytes.as_slice().to_vec())
+            Some(bytes) => Nonce::try_from(bytes.as_slice())
                 .map_err(|e| anyhow::anyhow!("qualifying data: {e}"))?,
             None => Nonce::default(),
         };
 
-        let expiration = if self.expiration == 0 {
-            None
-        } else {
-            Some(std::time::Duration::from_secs(self.expiration as u64))
-        };
-
         let (timeout, ticket) = ctx
             .policy_signed(
                 policy_session,
                 auth_object,
                 Nonce::default(), // nonce_tpm
                 cp_hash,
                 policy_ref,
-                expiration,
+                self.expiration,
                 signature,
             )
             .context("TPM2_PolicySigned failed")?;
@@ -118,12 +113,9 @@ impl PolicySignedCmd {
             let tss_ticket: TPMT_TK_AUTH = ticket
                 .try_into()
                 .map_err(|e| anyhow::anyhow!("failed to convert ticket: {e:?}"))?;
-            let bytes = unsafe {
-                std::slice::from_raw_parts(
-                    &tss_ticket as *const TPMT_TK_AUTH as *const u8,
-                    std::mem::size_of::<TPMT_TK_AUTH>(),
-                )
-            };
+            let bytes = ticket
+                .marshall()
+                .map_err(|e| anyhow::anyhow!("failed to marshall ticket: {e}"))?;
             std::fs::write(path, bytes)
                 .with_context(|| format!("writing ticket to {}", path.display()))?;
         }

src/parse.rs

@@ -46,6 +46,21 @@ pub fn parse_hex_u32(s: &str) -> Result<u32, String> {
         .map_err(|_| format!("expected a hex value (e.g. 0x01400001), got: '{s}'"))
 }
 
+// ---------------------------------------------------------------------------
+// Duration
+// ---------------------------------------------------------------------------
+
+pub fn parse_duration(s: &str) -> Result<Option<std::time::Duration>, String> {
+    let secs: u64 = s
+        .parse()
+        .map_err(|_| format!("expected a u64 value, got: '{s}'"))?;
+    let duration = match secs {
+        0 => None,
+        _ => Some(std::time::Duration::from_secs(secs)),
+    };
+    Ok(duration)
+}
+
 // ---------------------------------------------------------------------------
 // Context source
 // ---------------------------------------------------------------------------