From ddf295b16bfd4abadbbb85cfa7d4c6f2644c2c0e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Przemys=C5=82aw=20Czerpak?= Date: Sun, 21 Dec 2025 10:45:39 +0100 Subject: [PATCH] 2025-12-21 10:45 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl) * contrib/hbssl/hbssl.hbx * contrib/hbssl/evppkey.c + added new PRG functions: EVP_PKEY_CTX_get_RSA_PSS_saltlen( , @ ) -> EVP_PKEY_CTX_set_RSA_PSS_saltlen( , ) -> EVP_PKEY_CTX_get_signature_md( , @ ) -> EVP_PKEY_CTX_set_signature_md( , | ) -> EVP_PKEY_sign_init( ) -> EVP_PKEY_sign( , @, ) -> EVP_PKEY_verify_init( ) -> EVP_PKEY_verify( , , ) -> * contrib/hbssl/hbssl.hbx * contrib/hbssl/x509.c + added new PRG function: X509_get_serialNumber( ) -> * src/rtl/base64d.c * indenting ; question: With small modification we can add support for base64url encoding (with additional parameter passed to hb_base64encode()) and decoding (can be done automatically by hb_base64decode()). Do you think it's worth to do or it's such simple thing that we should keep the code clean and user can make necessary conversions themselves. --- ChangeLog.txt | 31 +++++++ contrib/hbssl/evppkey.c | 178 +++++++++++++++++++++++++++++++++++++--- contrib/hbssl/hbssl.hbx | 9 ++ contrib/hbssl/x509.c | 21 +++++ src/rtl/base64d.c | 2 +- 5 files changed, 230 insertions(+), 11 deletions(-) diff --git a/ChangeLog.txt b/ChangeLog.txt index 3ed92661e9..ae8b3be2bd 100644 --- a/ChangeLog.txt +++ b/ChangeLog.txt 
@@ -7,6 +7,37 @@ Entries may not always be in chronological/commit order. See license at the end of file. */ +2025-12-21 10:45 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl) + * contrib/hbssl/hbssl.hbx + * contrib/hbssl/evppkey.c + + added new PRG functions: + EVP_PKEY_CTX_get_RSA_PSS_saltlen( , @ ) + -> + EVP_PKEY_CTX_set_RSA_PSS_saltlen( , ) + -> + EVP_PKEY_CTX_get_signature_md( , @ ) + -> + EVP_PKEY_CTX_set_signature_md( , | ) + -> + EVP_PKEY_sign_init( ) -> + EVP_PKEY_sign( , @, ) -> + EVP_PKEY_verify_init( ) -> + EVP_PKEY_verify( , , ) -> + + * contrib/hbssl/hbssl.hbx + * contrib/hbssl/x509.c + + added new PRG function: + X509_get_serialNumber( ) -> + + * src/rtl/base64d.c + * indenting + ; question: With small modification we can add support for base64url + encoding (with additional parameter passed to hb_base64encode()) + and decoding (can be done automatically by hb_base64decode()). + Do you think it's worth to do or it's such simple thing that + we should keep the code clean and user can make necessary + conversions themselves. + 2025-12-15 11:10 UTC+0100 Aleksander Czajczynski (hb fki.pl) * src/vm/runner.c ! fix indentation diff --git a/contrib/hbssl/evppkey.c b/contrib/hbssl/evppkey.c index a29166aafa..1a485e4a69 100644 --- a/contrib/hbssl/evppkey.c +++ b/contrib/hbssl/evppkey.c 
@@ -360,6 +360,43 @@ HB_FUNC( EVP_PKEY_CTX_GET_RSA_PADDING )
 #endif
 }
+HB_FUNC( EVP_PKEY_CTX_SET_RSA_PSS_SALTLEN )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx && HB_ISNUM( 2 ) )
+ {
+ hb_retni( EVP_PKEY_CTX_set_rsa_pss_saltlen( ctx, hb_parni( 2 ) ) );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_CTX_GET_RSA_PSS_SALTLEN )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx )
+ {
+ int saltlen = 0, ret;
+
+ ret = EVP_PKEY_CTX_get_rsa_pss_saltlen( ctx, &saltlen );
+ if( ret <= 0 )
+ saltlen = ret;
+ hb_retni( saltlen );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
 HB_FUNC( EVP_PKEY_CTX_SET_RSA_OAEP_MD )
 {
 #if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
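Review bot: EVP_PKEY_CTX_GET_RSA_PSS_SALTLEN never writes its second parameter, yet the ChangeLog hunk of this same patch documents the function as `EVP_PKEY_CTX_get_RSA_PSS_saltlen( , @ )`, i.e. with a by-reference output argument, so a PRG caller following that signature gets an untouched variable and a return value that mixes status and data. Folding the status into the value (`if( ret <= 0 ) saltlen = ret;`) is ambiguous on its own as well, because OpenSSL's special salt-length settings are negative constants (RSA_PSS_SALTLEN_DIGEST, RSA_PSS_SALTLEN_AUTO and RSA_PSS_SALTLEN_MAX are -1, -2 and -3) and 0 is a legal explicit salt length, so a failed query cannot be told apart from a configured value. I would store the value through the reference and return the OpenSSL status unchanged: `ret = EVP_PKEY_CTX_get_rsa_pss_saltlen( ctx, &saltlen );` / `hb_storni( saltlen, 2 );` / `hb_retni( ret );`. EVP_PKEY_CTX_GET_SIGNATURE_MD in the next hunk has the same mismatch: the ChangeLog advertises `( , @ )`, but the digest id is returned instead of being stored into parameter 2.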
@@ -660,6 +697,137 @@ HB_FUNC( EVP_PKEY_DECRYPT )
 #endif
 }
+HB_FUNC( EVP_PKEY_CTX_SET_SIGNATURE_MD )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+ const EVP_MD * md = hb_EVP_MD_par( 2 );
+
+ if( ctx && md )
+ {
+ hb_retni( EVP_PKEY_CTX_set_signature_md( ctx, md ) );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_CTX_GET_SIGNATURE_MD )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx )
+ {
+ const EVP_MD * md = NULL;
+ int ret;
+
+ ret = EVP_PKEY_CTX_get_signature_md( ctx, &md );
+ if( ret > 0 )
+ ret = hb_EVP_MD_ptr_to_id( md );
+ hb_retni( ret );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+
+HB_FUNC( EVP_PKEY_SIGN_INIT )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx )
+ {
+ hb_retni( EVP_PKEY_sign_init( ctx ) );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_SIGN )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx )
+ {
+ const unsigned char * tbs = ( const unsigned char * ) hb_parcx( 3 );
+ size_t tbslen = ( size_t ) hb_parclen( 3 ), siglen = 0;
+ unsigned char * sig = NULL;
+ int ret;
+
+ ret = EVP_PKEY_sign( ctx, NULL, &siglen, tbs, tbslen );
+ if( ret > 0 )
+ {
+ sig = ( unsigned char * ) hb_xgrab( siglen + 1 );
+
+ ret = EVP_PKEY_sign( ctx, sig, &siglen, tbs, tbslen );
+ if( ret > 0 )
+ {
+ if( ! hb_storclen_buffer( ( char * ) sig, siglen, 2 ) )
+ ret = 0;
+ }
+ }
+ if( ret <= 0 )
+ {
+ if( sig )
+ hb_xfree( sig );
+ hb_storc( NULL, 2 );
+ }
+ hb_retni( ret );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_VERIFY_INIT )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx )
+ {
+ hb_retni( EVP_PKEY_verify_init( ctx ) );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_VERIFY )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+ EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+ if( ctx )
+ {
+ const unsigned char * sig = ( const unsigned char * ) hb_parcx( 2 );
+ size_t siglen = ( size_t ) hb_parclen( 2 );
+ const unsigned char * tbs = ( const unsigned char * ) hb_parcx( 3 );
+ size_t tbslen = ( size_t ) hb_parclen( 3 );
+
+ hb_retni( EVP_PKEY_verify( ctx, sig, siglen, tbs, tbslen ) );
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+ hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
 #if 0
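Review bot: EVP_PKEY_VERIFY hands OpenSSL's raw status straight to the caller, and for EVP_PKEY_verify() that status is 1 for a valid signature, 0 for an invalid one and negative when the operation itself failed (uninitialised context, unsupported operation), so PRG code that tests the result with `!= 0` would treat a library error as a verified signature. A header comment making the contract explicit, such as `/* returns 1 if the signature verified, 0 if it did not, < 0 on error: callers must compare with 1 */`, would close that gap, and EVP_PKEY_SIGN deserves the same remark for its negative return values. Separately, EVP_PKEY_CTX_SET_SIGNATURE_MD and EVP_PKEY_CTX_GET_SIGNATURE_MD are wrapped in `! defined( OPENSSL_NO_RSA )` although EVP_PKEY_CTX_set_signature_md()/EVP_PKEY_CTX_get_signature_md() are generic EVP controls that also apply to EC and DSA keys, so the guard looks stricter than the underlying API requires.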
@@ -678,16 +846,6 @@ int EVP_PKEY_decrypt( unsigned char * dec_key, const unsigned char * enc_key, in
 int EVP_PKEY_encrypt( unsigned char * enc_key, const unsigned char * key, int key_len, EVP_PKEY * pub_key );
 /* 1.0.0 */
-int EVP_PKEY_sign_init( EVP_PKEY_CTX * ctx );
-int EVP_PKEY_sign( EVP_PKEY_CTX * ctx,
- unsigned char * sig, size_t * siglen,
- const unsigned char * tbs, size_t tbslen );
-
-int EVP_PKEY_verify_init( EVP_PKEY_CTX * ctx );
-int EVP_PKEY_verify( EVP_PKEY_CTX * ctx,
- const unsigned char * sig, size_t siglen,
- const unsigned char * tbs, size_t tbslen );
-
 int EVP_PKEY_verify_recover_init( EVP_PKEY_CTX * ctx );
 int EVP_PKEY_verify_recover( EVP_PKEY_CTX * ctx,
 unsigned char * rout, size_t * routlen,
diff --git a/contrib/hbssl/hbssl.hbx b/contrib/hbssl/hbssl.hbx
index f681f47d64..71205a94c2 100644
--- a/contrib/hbssl/hbssl.hbx
+++ b/contrib/hbssl/hbssl.hbx
@@ -168,18 +168,26 @@ DYNAMIC EVP_PKEY_bits
 DYNAMIC EVP_PKEY_CTX_get_RSA_MGF1_md
 DYNAMIC EVP_PKEY_CTX_get_RSA_OAEP_md
 DYNAMIC EVP_PKEY_CTX_get_RSA_padding
+DYNAMIC EVP_PKEY_CTX_get_RSA_PSS_saltlen
+DYNAMIC EVP_PKEY_CTX_get_signature_md
 DYNAMIC EVP_PKEY_CTX_new
 DYNAMIC EVP_PKEY_CTX_set_RSA_MGF1_md
 DYNAMIC EVP_PKEY_CTX_set_RSA_OAEP_md
 DYNAMIC EVP_PKEY_CTX_set_RSA_padding
+DYNAMIC EVP_PKEY_CTX_set_RSA_PSS_saltlen
+DYNAMIC EVP_PKEY_CTX_set_signature_md
 DYNAMIC EVP_PKEY_decrypt
 DYNAMIC EVP_PKEY_decrypt_init
 DYNAMIC EVP_PKEY_encrypt
 DYNAMIC EVP_PKEY_encrypt_init
 DYNAMIC EVP_PKEY_free
 DYNAMIC EVP_PKEY_new
+DYNAMIC EVP_PKEY_sign
+DYNAMIC EVP_PKEY_sign_init
 DYNAMIC EVP_PKEY_size
 DYNAMIC EVP_PKEY_type
+DYNAMIC EVP_PKEY_verify
+DYNAMIC EVP_PKEY_verify_init
 DYNAMIC EVP_SealFinal
 DYNAMIC EVP_SealInit
 DYNAMIC EVP_SealUpdate
@@ -398,6 +406,7 @@ DYNAMIC SSL_want_x509_lookup
 DYNAMIC SSL_write
 DYNAMIC X509_get_issuer_name
 DYNAMIC X509_get_PubKey
+DYNAMIC X509_get_serialNumber
 DYNAMIC X509_get_subject_name
 DYNAMIC X509_name_oneline
diff --git a/contrib/hbssl/x509.c b/contrib/hbssl/x509.c
index 2d50482e26..3f8af5600c 100644
--- a/contrib/hbssl/x509.c
+++ b/contrib/hbssl/x509.c
@@ -153,6 +153,27 @@ HB_FUNC( X509_NAME_ONELINE )
 #endif
 }
+HB_FUNC( X509_GET_SERIALNUMBER )
+{
+ if( hb_X509_is( 1 ) )
+ {
+ X509 * x509 = hb_X509_par( 1 );
+
+ if( x509 )
+ {
+ ASN1_INTEGER * a = X509_get_serialNumber( x509 );
+ int64_t r = 0;
+
+ if( ASN1_INTEGER_get_int64( &r, a ) > 0 )
+ hb_retnint( r );
+ else
+ hb_retni( -1 );
+ }
+ }
+ else
+ hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+}
+
 HB_FUNC( X509_GET_PUBKEY )
 {
 if( hb_X509_is( 1 ) )
diff --git a/src/rtl/base64d.c b/src/rtl/base64d.c
index c2e823470e..0242a3ffa8 100644
--- a/src/rtl/base64d.c
+++ b/src/rtl/base64d.c
@@ -56,7 +56,7 @@ static signed char base64_decode_value( int value_in )
 static const signed char s_decoding[] = {
 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -2, -1,
- -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,
+ -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17,
 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51 };
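Review bot: X509_GET_SERIALNUMBER squeezes the serial into an int64 through ASN1_INTEGER_get_int64(), but X.509 serial numbers are up to 20 octets (RFC 5280) and publicly trusted CAs are required to put at least 64 bits of randomness in them, so for most real-world certificates the conversion fails and the function answers -1, which is also indistinguishable from an error and from a non-conformant negative serial. ASN1_INTEGER_get_int64() moreover exists only from OpenSSL 1.1.0, while the rest of this patch keeps `OPENSSL_VERSION_NUMBER >= 0x10000000L` guards, so this unguarded hunk would not compile against 1.0.x if that is still a supported target. I would return the serial as a hex string built with ASN1_INTEGER_to_BN() and BN_bn2hex() (both present in 1.0.x, declared in `<openssl/bn.h>`), which is also the form in which serials are normally compared and logged, and adjust the ChangeLog entry for the new return type. The hb_X509_is()/EG_ARG branches stay as they are.
```c
      if( x509 )
      {
         /* RFC 5280 serials are up to 20 octets, so hand them back as a hex
            string instead of an int64 that most real serials overflow */
         BIGNUM * bn = ASN1_INTEGER_to_BN( X509_get_serialNumber( x509 ), NULL );
         char * hex = bn ? BN_bn2hex( bn ) : NULL;

         if( hex )
         {
            hb_retc( hex );
            OPENSSL_free( hex );
         }
         else
            hb_retc_null();
         BN_free( bn );
      }
      /* … unchanged: hb_X509_is() check and EG_ARG error branch … */
```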