2025-12-21 10:45 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl)

* contrib/hbssl/hbssl.hbx
  * contrib/hbssl/evppkey.c
    + added new PRG functions:
         EVP_PKEY_CTX_get_RSA_PSS_saltlen( <pKeyCTX>, @<nSaltLen> )
               -> <nRetCode>
         EVP_PKEY_CTX_set_RSA_PSS_saltlen( <pKeyCTX>, <nSaltLen> )
               -> <nRetCode>
         EVP_PKEY_CTX_get_signature_md( <pKeyCTX>, @<nEvpHash> )
               -> <nRetCode>
         EVP_PKEY_CTX_set_signature_md( <pKeyCTX>, <nEvpHash> | <cEvpHash> )
               -> <nRetCode>
         EVP_PKEY_sign_init( <pKeyCTX> ) -> <nRetCode>
         EVP_PKEY_sign( <pKeyCTX>, @<cSignature>, <cData> ) -> <nRetCode>
         EVP_PKEY_verify_init( <pKeyCTX> ) -> <nRetCode>
         EVP_PKEY_verify( <pKeyCTX>, <cSignature>, <cData> ) -> <nRetCode>

  * contrib/hbssl/hbssl.hbx
  * contrib/hbssl/x509.c
    + added new PRG function:
         X509_get_serialNumber( <pX509> ) -> <nSerialNum>

  * src/rtl/base64d.c
    * indenting
    ; question: With small modification we can add support for base64url
                encoding (with additional parameter passed to hb_base64encode())
                and decoding (can be done automatically by hb_base64decode()).
                Do you think it's worth to do or it's such simple thing that
                we should keep the code clean and user can make necessary
                conversions themselves.

ChangeLog.txt

@@ -7,6 +7,37 @@
    Entries may not always be in chronological/commit order.
    See license at the end of file. */
 
+2025-12-21 10:45 UTC+0100 Przemyslaw Czerpak (druzus/at/poczta.onet.pl)
+  * contrib/hbssl/hbssl.hbx
+  * contrib/hbssl/evppkey.c
+    + added new PRG functions:
+         EVP_PKEY_CTX_get_RSA_PSS_saltlen( <pKeyCTX>, @<nSaltLen> )
+               -> <nRetCode>
+         EVP_PKEY_CTX_set_RSA_PSS_saltlen( <pKeyCTX>, <nSaltLen> )
+               -> <nRetCode>
+         EVP_PKEY_CTX_get_signature_md( <pKeyCTX>, @<nEvpHash> )
+               -> <nRetCode>
+         EVP_PKEY_CTX_set_signature_md( <pKeyCTX>, <nEvpHash> | <cEvpHash> )
+               -> <nRetCode>
+         EVP_PKEY_sign_init( <pKeyCTX> ) -> <nRetCode>
+         EVP_PKEY_sign( <pKeyCTX>, @<cSignature>, <cData> ) -> <nRetCode>
+         EVP_PKEY_verify_init( <pKeyCTX> ) -> <nRetCode>
+         EVP_PKEY_verify( <pKeyCTX>, <cSignature>, <cData> ) -> <nRetCode>
+
+  * contrib/hbssl/hbssl.hbx
+  * contrib/hbssl/x509.c
+    + added new PRG function:
+         X509_get_serialNumber( <pX509> ) -> <nSerialNum>
+
+  * src/rtl/base64d.c
+    * indenting
+    ; question: With small modification we can add support for base64url
+                encoding (with additional parameter passed to hb_base64encode())
+                and decoding (can be done automatically by hb_base64decode()).
+                Do you think it's worth to do or it's such simple thing that
+                we should keep the code clean and user can make necessary
+                conversions themselves.
+
 2025-12-15 11:10 UTC+0100 Aleksander Czajczynski (hb fki.pl)
   * src/vm/runner.c
     ! fix indentation

contrib/hbssl/evppkey.c

@@ -360,6 +360,43 @@ HB_FUNC( EVP_PKEY_CTX_GET_RSA_PADDING )
 #endif
 }
 
+HB_FUNC( EVP_PKEY_CTX_SET_RSA_PSS_SALTLEN )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx && HB_ISNUM( 2 ) )
+   {
+      hb_retni( EVP_PKEY_CTX_set_rsa_pss_saltlen( ctx, hb_parni( 2 ) ) );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_CTX_GET_RSA_PSS_SALTLEN )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx )
+   {
+      int saltlen = 0, ret;
+
+      ret = EVP_PKEY_CTX_get_rsa_pss_saltlen( ctx, &saltlen );
+      if( ret <= 0 )
+         saltlen = ret;
+      hb_retni( saltlen );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
 HB_FUNC( EVP_PKEY_CTX_SET_RSA_OAEP_MD )
 {
 #if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
@@ -660,6 +697,137 @@ HB_FUNC( EVP_PKEY_DECRYPT )
 #endif
 }
 
+HB_FUNC( EVP_PKEY_CTX_SET_SIGNATURE_MD )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+   const EVP_MD * md = hb_EVP_MD_par( 2 );
+
+   if( ctx && md )
+   {
+      hb_retni( EVP_PKEY_CTX_set_signature_md( ctx, md ) );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_CTX_GET_SIGNATURE_MD )
+{
+#if ! defined( OPENSSL_NO_RSA ) && OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx )
+   {
+      const EVP_MD * md = NULL;
+      int ret;
+
+      ret = EVP_PKEY_CTX_get_signature_md( ctx, &md );
+      if( ret > 0 )
+         ret = hb_EVP_MD_ptr_to_id( md );
+      hb_retni( ret );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+
+HB_FUNC( EVP_PKEY_SIGN_INIT )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx )
+   {
+      hb_retni( EVP_PKEY_sign_init( ctx ) );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_SIGN )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx )
+   {
+      const unsigned char * tbs = ( const unsigned char * ) hb_parcx( 3 );
+      size_t tbslen = ( size_t ) hb_parclen( 3 ), siglen = 0;
+      unsigned char * sig = NULL;
+      int ret;
+
+      ret = EVP_PKEY_sign( ctx, NULL, &siglen, tbs, tbslen );
+      if( ret > 0 )
+      {
+         sig = ( unsigned char * ) hb_xgrab( siglen + 1 );
+
+         ret = EVP_PKEY_sign( ctx, sig, &siglen, tbs, tbslen );
+         if( ret > 0 )
+         {
+            if( ! hb_storclen_buffer( ( char * ) sig, siglen, 2 ) )
+               ret = 0;
+         }
+      }
+      if( ret <= 0 )
+      {
+         if( sig )
+            hb_xfree( sig );
+         hb_storc( NULL, 2 );
+      }
+      hb_retni( ret );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_VERIFY_INIT )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx )
+   {
+      hb_retni( EVP_PKEY_verify_init( ctx ) );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
+
+HB_FUNC( EVP_PKEY_VERIFY )
+{
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+   EVP_PKEY_CTX * ctx = hb_EVP_PKEY_CTX_par( 1 );
+
+   if( ctx )
+   {
+      const unsigned char * sig = ( const unsigned char * ) hb_parcx( 2 );
+      size_t siglen = ( size_t ) hb_parclen( 2 );
+      const unsigned char * tbs = ( const unsigned char * ) hb_parcx( 3 );
+      size_t tbslen = ( size_t ) hb_parclen( 3 );
+
+      hb_retni( EVP_PKEY_verify( ctx, sig, siglen, tbs, tbslen ) );
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#else
+   hb_errRT_BASE( EG_NOFUNC, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+#endif
+}
 
 #if 0
 
@@ -678,16 +846,6 @@ int EVP_PKEY_decrypt( unsigned char * dec_key, const unsigned char * enc_key, in
 int EVP_PKEY_encrypt( unsigned char * enc_key, const unsigned char * key, int key_len, EVP_PKEY * pub_key     );
 
 /* 1.0.0 */
-int EVP_PKEY_sign_init( EVP_PKEY_CTX * ctx );
-int EVP_PKEY_sign( EVP_PKEY_CTX * ctx,
-                   unsigned char * sig, size_t * siglen,
-                   const unsigned char * tbs, size_t tbslen );
-
-int EVP_PKEY_verify_init( EVP_PKEY_CTX * ctx );
-int EVP_PKEY_verify( EVP_PKEY_CTX * ctx,
-                     const unsigned char * sig, size_t siglen,
-                     const unsigned char * tbs, size_t tbslen );
-
 int EVP_PKEY_verify_recover_init( EVP_PKEY_CTX * ctx );
 int EVP_PKEY_verify_recover( EVP_PKEY_CTX * ctx,
                              unsigned char * rout, size_t * routlen,

contrib/hbssl/hbssl.hbx

@@ -168,18 +168,26 @@ DYNAMIC EVP_PKEY_bits
 DYNAMIC EVP_PKEY_CTX_get_RSA_MGF1_md
 DYNAMIC EVP_PKEY_CTX_get_RSA_OAEP_md
 DYNAMIC EVP_PKEY_CTX_get_RSA_padding
+DYNAMIC EVP_PKEY_CTX_get_RSA_PSS_saltlen
+DYNAMIC EVP_PKEY_CTX_get_signature_md
 DYNAMIC EVP_PKEY_CTX_new
 DYNAMIC EVP_PKEY_CTX_set_RSA_MGF1_md
 DYNAMIC EVP_PKEY_CTX_set_RSA_OAEP_md
 DYNAMIC EVP_PKEY_CTX_set_RSA_padding
+DYNAMIC EVP_PKEY_CTX_set_RSA_PSS_saltlen
+DYNAMIC EVP_PKEY_CTX_set_signature_md
 DYNAMIC EVP_PKEY_decrypt
 DYNAMIC EVP_PKEY_decrypt_init
 DYNAMIC EVP_PKEY_encrypt
 DYNAMIC EVP_PKEY_encrypt_init
 DYNAMIC EVP_PKEY_free
 DYNAMIC EVP_PKEY_new
+DYNAMIC EVP_PKEY_sign
+DYNAMIC EVP_PKEY_sign_init
 DYNAMIC EVP_PKEY_size
 DYNAMIC EVP_PKEY_type
+DYNAMIC EVP_PKEY_verify
+DYNAMIC EVP_PKEY_verify_init
 DYNAMIC EVP_SealFinal
 DYNAMIC EVP_SealInit
 DYNAMIC EVP_SealUpdate
@@ -398,6 +406,7 @@ DYNAMIC SSL_want_x509_lookup
 DYNAMIC SSL_write
 DYNAMIC X509_get_issuer_name
 DYNAMIC X509_get_PubKey
+DYNAMIC X509_get_serialNumber
 DYNAMIC X509_get_subject_name
 DYNAMIC X509_name_oneline
 

contrib/hbssl/x509.c

@@ -153,6 +153,27 @@ HB_FUNC( X509_NAME_ONELINE )
 #endif
 }
 
+HB_FUNC( X509_GET_SERIALNUMBER )
+{
+   if( hb_X509_is( 1 ) )
+   {
+      X509 * x509 = hb_X509_par( 1 );
+
+      if( x509 )
+      {
+         ASN1_INTEGER * a = X509_get_serialNumber( x509 );
+         int64_t r = 0;
+
+         if( ASN1_INTEGER_get_int64( &r, a ) > 0 )
+            hb_retnint( r );
+         else
+            hb_retni( -1 );
+      }
+   }
+   else
+      hb_errRT_BASE( EG_ARG, 2010, NULL, HB_ERR_FUNCNAME, HB_ERR_ARGS_BASEPARAMS );
+}
+
 HB_FUNC( X509_GET_PUBKEY )
 {
    if( hb_X509_is( 1 ) )

src/rtl/base64d.c

@@ -56,7 +56,7 @@ static signed char base64_decode_value( int value_in )
    static const signed char s_decoding[] =
    {
       62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -2, -1,
-      -1, -1, 0,  1,  2,  3,  4,  5,  6,  7,  8,  9,  10, 11, 12, 13, 14, 15, 16, 17,
+      -1, -1,  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15, 16, 17,
       18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 27, 28, 29, 30, 31,
       32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51
    };