Add universal vaulting files

payloads/Tools/CreateVault/building.txt

@@ -0,0 +1,3 @@
+RsaTool - Download OpenCorePkg Source Code, patch Utilities -> RsaTool -> build_libressl.sh - "10.6" to "10.9", add "-mmacosx-version-min=10.9" to Makefile CFLAGS and LDFLAGS, then build_libressl.sh and make.
+strings - (May require an older version of macOS to compile) Download binutils Source Code, CFLAGS="-mmacosx-version-min=10.9" LDFLAGS="-mmacosx-version-min=10.9" ./configure --diable-nls --prefix=$(pwd)/bin, make configure-host, then make LDFLAGS="-all-static".
+openssl - Download OpenSSL Source Code, ./config -no-shared -mmacosx-version-min=10.9, then make.

payloads/Tools/CreateVault/create_vault.sh

@@ -4,8 +4,10 @@
 #
 #
 #  Created by Rodion Shingarev on 13.04.19.
+#  Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
 #
 OCPath="$1"
+UtilsPath="$PWD"
 
 if [ "${OCPath}" = "" ]; then
   echo "Usage ./create_vault.sh path/to/EFI/OC"
@@ -17,54 +19,75 @@ if [ ! -d "${OCPath}" ]; then
   exit 1
 fi
 
-if [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/xxd ]; then
+if [ ! -x /usr/bin/env ] || [ ! -x /usr/bin/find ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/sed ] || [ ! -x /usr/bin/awk ] || [ ! -x /usr/bin/sort ] || [ ! -x /usr/bin/xxd ]; then
   echo "Unix environment is broken!"
   exit 1
 fi
 
-if [ ! -x /usr/libexec/PlistBuddy ]; then
-  echo "PlistBuddy is missing!"
-  exit 1
-fi
-
-if [ ! -x /usr/bin/shasum ]; then
-  echo "shasum is missing!"
-  exit 1
-fi
-
 abort() {
   /bin/rm -rf vault.plist vault.sig /tmp/vault_hash
   echo "Fatal error: ${1}!"
   exit 1
 }
 
-echo "Chose ${OCPath} for hashing..."
+# plist output functions so we don't need PlistBuddy
+write_header() {
+  cat <<EOF > "$1"
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>Files</key>
+	<dict>
+EOF
+}
+
+write_file_name_and_hash() {
+  {
+    echo -e "\t\t<key>${2}</key>"
+    echo -e "\t\t<data>"
+    echo -e -n "\t\t"
+    cat "$3"
+    echo -e "\t\t</data>"
+  } >> "$1"
+}
+
+write_footer() {
+  cat <<EOF >> "$1"
+	</dict>
+	<key>Version</key>
+	<integer>1</integer>
+</dict>
+</plist>
+EOF
+}
 
 cd "${OCPath}" || abort "Failed to reach ${OCPath}"
 /bin/rm -rf vault.plist vault.sig || abort "Failed to cleanup"
-/usr/libexec/PlistBuddy -c "Add Version integer 1" vault.plist || abort "Failed to set vault.plist version"
 
-echo "Hashing files in ${OCPath}..."
+echo "Hashing OpenCore configuration..."
+
+write_header vault.plist
 
 /usr/bin/find . -not -path '*/\.*' -type f \
   \( ! -iname ".*" \) \
   \( ! -iname "vault.*" \) \
-  \( ! -iname "OpenCore.efi" \) | while read -r fname; do
+  \( ! -iname "MemTest86.log" \) \
+  \( ! -iname "MemTest86-Report-*.html" \) \
+  \( ! -iname "OpenCore.efi" \) | env LC_COLLATE=POSIX /usr/bin/sort | while read -r fname; do
   fname="${fname#"./"}"
   wname="${fname//\//\\\\}"
-  shasum=$(/usr/bin/shasum -a 256 "${fname}") || abort "Failed to hash ${fname}"
-  sha=$(echo "$shasum" | /usr/bin/sed 's/^\([a-f0-9]\{64\}\).*/\1/') || abort "Illegit hashsum"
+  sha=$("${UtilsPath}"/openssl sha256 "${fname}" | /usr/bin/awk '{print $2}') || abort "Failed to hash ${fname}"
   if [ "${#sha}" != 64 ] || [ "$(echo "$sha"| /usr/bin/sed 's/^[a-f0-9]*$//')" ]; then
     abort "Got invalid hash: ${sha}!"
   fi
 
-  echo "${wname}: ${sha}"
-
-  echo "${sha}" | /usr/bin/xxd -r -p > /tmp/vault_hash || abort "Hashing failure"
-  /usr/libexec/PlistBuddy -c "Import Files:'${wname}' /tmp/vault_hash" vault.plist || abort "Failed to append vault.plist!"
+  echo "${sha}" | /usr/bin/xxd -r -p | "${UtilsPath}"/openssl base64 > /tmp/vault_hash || abort "Hashing failure"
+  write_file_name_and_hash vault.plist "${wname}" /tmp/vault_hash
 done
 
 /bin/rm -rf /tmp/vault_hash
 
-echo "All done!"
+write_footer vault.plist
+
 exit 0

payloads/Tools/CreateVault/sign.command

@@ -1,16 +1,18 @@
 #!/bin/sh
 
+# Modified by Jazzzny for OpenCore Legacy Patcher on 06.10.23.
+
 abort() {
   echo "Fatal error: ${1}!"
   exit 1
 }
 
+# shellcheck disable=SC2317
 cleanup() {
-  echo "Cleaning up keys"
   rm -rf "${KeyPath}"
 }
 
-if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /usr/bin/openssl ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/strings ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/cut ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
+if [ ! -x /usr/bin/dirname ] || [ ! -x /bin/chmod ] || [ ! -x /bin/mkdir ] || [ ! -x /bin/rm ] || [ ! -x /usr/bin/grep ] || [ ! -x /usr/bin/awk ] || [ ! -x /bin/dd ] || [ ! -x /usr/bin/uuidgen ] ; then
   abort "Unix environment is broken!"
 fi
 
@@ -22,10 +24,8 @@ if [ "$OCPath" = "" ]; then
   OCPath=../../EFI/OC
 fi
 
-KeyPath="/tmp/Keys-$(/usr/bin/uuidgen)"
+KeyPath="/tmp/$(/usr/bin/uuidgen)"
 OCBin="${OCPath}/OpenCore.efi"
-RootCA="${KeyPath}/ca.pem"
-PrivKey="${KeyPath}/privatekey.cer"
 PubKey="${KeyPath}/vault.pub"
 
 if [ ! -d "${OCPath}" ]; then
@@ -58,31 +58,14 @@ fi
 
 ./create_vault.sh "${OCPath}" || abort "create_vault.sh returns errors!"
 
-if [ ! -f "${RootCA}" ]; then
-  /usr/bin/openssl genrsa -out "${RootCA}" 2048 || abort "Failed to generate CA"
-  if [ -f "${PrivKey}" ]; then
-    echo "WARNING: Private key exists without CA"
-  fi
-fi
-
-/bin/rm -fP "${PrivKey}" || abort "Failed to remove ${PrivKey}"
-echo "Issuing a new private key..."
-/usr/bin/openssl req -new -x509 -key "${RootCA}" -out "${PrivKey}" -days 1825 -subj "/C=WO/L=127.0.0.1/O=Acidanthera/OU=Acidanthera OpenCore/CN=Greetings from Acidanthera and WWHC" || abort "Failed to issue private key!"
-
-/bin/rm -fP "${PubKey}" || abort "Failed to remove ${PubKey}"
-echo "Getting public key based off private key..."
-./RsaTool -cert "${PrivKey}" > "${PubKey}" || abort "Failed to get public key"
-
-echo "Signing ${OCBin}..."
+echo "Signing OpenCore..."
 ./RsaTool -sign "${OCPath}/vault.plist" "${OCPath}/vault.sig" "${PubKey}" || abort "Failed to patch ${PubKey}"
-
-echo "Bin-patching ${OCBin}..."
-off=$(($(/usr/bin/strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/cut -f1 -d' ') + 16))
+off=$(($(./strings -a -t d "${OCBin}" | /usr/bin/grep "=BEGIN OC VAULT=" | /usr/bin/awk '{print $1}') + 16))
 if [ "${off}" -le 16 ]; then
   abort "${OCBin} is borked"
 fi
 
 /bin/dd of="${OCBin}" if="${PubKey}" bs=1 seek="${off}" count=528 conv=notrunc || abort "Failed to bin-patch ${OCBin}"
 
-echo "All done!"
+echo "Signing complete"
 exit 0