Constify return value of X509_get_X509_PUBKEY()

You really should not be mutating this. Part of #28654 Fixes: https://github.com/openssl/project/issues/1771 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/29428)
2026-01-18 17:11:31 +01:00 · 2025-09-29 15:16:33 -06:00
parent f18816261e
commit fc756e594e
10 changed files with 14 additions and 15 deletions
--- a/crypto/cms/cms_kemri.c
+++ b/crypto/cms/cms_kemri.c
@@ -83,7 +83,7 @@ int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
    CMS_OtherRecipientInfo *ori;
    CMS_KEMRecipientInfo *kemri;
    int idtype;
-    X509_PUBKEY *x_pubkey;
+    const X509_PUBKEY *x_pubkey;
    X509_ALGOR *x_alg;

    ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
--- a/crypto/ct/ct_local.h
+++ b/crypto/ct/ct_local.h
@@ -145,7 +145,7 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
 * Issuer must not be NULL.
 * Returns 1 on success, 0 on failure.
 */
-__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer);

 /*
 * Sets the public key of the issuer of the certificate that the SCT was created
@@ -153,14 +153,13 @@ __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
 * The public key must not be NULL.
 * Returns 1 on success, 0 on failure.
 */
-__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey);

 /*
 * Sets the public key of the CT log that the SCT is from.
 * Returns 1 on success, 0 on failure.
 */
 __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
-
 /*
 * Sets the time to evaluate the SCT against, in milliseconds since the Unix
 * epoch. If the SCT's timestamp is after this time, it will be interpreted as
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
@@ -197,7 +197,7 @@ err:
    return 0;
 }

-__owur static int ct_public_key_hash(SCT_CTX *sctx, X509_PUBKEY *pkey,
+__owur static int ct_public_key_hash(SCT_CTX *sctx, const X509_PUBKEY *pkey,
    unsigned char **hash, size_t *hash_len)
 {
    int ret = 0;
@@ -241,12 +241,12 @@ err:
    return ret;
 }

-int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
+int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer)
 {
    return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer));
 }

-int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
+int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey)
 {
    return ct_public_key_hash(sctx, pubkey, &sctx->ihash, &sctx->ihashlen);
 }
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -138,7 +138,7 @@ int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflags, unsigned long c
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-        X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
+        const X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
        ASN1_OBJECT *xpoid;
        X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -159,7 +159,7 @@ int X509_get_signature_type(const X509 *x)
    return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg.algorithm));
 }

-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
 {
    return x->cert_info.key;
 }
--- a/doc/man3/X509_get_pubkey.pod
+++ b/doc/man3/X509_get_pubkey.pod
@@ -14,7 +14,7 @@ X509_REQ_get_X509_PUBKEY
 EVP_PKEY *X509_get_pubkey(X509 *x);
 EVP_PKEY *X509_get0_pubkey(const X509 *x);
 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
- X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+ const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);

 EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
 EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req);
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -689,7 +689,7 @@ EVP_PKEY *X509_get0_pubkey(const X509 *x);
 * This one is only used so that a binary form can output, as in
 * i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &buf)
 */
-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
 void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
    const ASN1_BIT_STRING **psuid);
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1328,7 +1328,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
 {
    int pdata_len = 0;
    unsigned char *pdata = NULL;
-    X509_PUBKEY *xpk = NULL;
+    const X509_PUBKEY *xpk = NULL;
    unsigned long ret = 0;
    X509 *x509 = NULL;

--- a/test/algorithmid_test.c
+++ b/test/algorithmid_test.c
@@ -20,7 +20,7 @@ static const char *pubkey_filename = NULL; /* For test_spki_file() */

 #define ALGORITHMID_NAME "algorithm-id"

-static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename)
+static int test_spki_aid(const X509_PUBKEY *pubkey, const char *filename)
 {
    const ASN1_OBJECT *oid;
    X509_ALGOR *alg = NULL;
@@ -103,7 +103,7 @@ end:

 static int test_x509_spki_aid(X509 *cert, const char *filename)
 {
-    X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);
+    const X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);

    return test_spki_aid(pubkey, filename);
 }
--- a/test/keymgmt_internal_test.c
+++ b/test/keymgmt_internal_test.c
@@ -301,7 +301,7 @@ static int test_evp_pkey_export_to_provider(int n)
    OSSL_PROVIDER *prov = NULL;
    X509 *cert = NULL;
    BIO *bio = NULL;
-    X509_PUBKEY *pubkey = NULL;
+    const X509_PUBKEY *pubkey = NULL;
    EVP_KEYMGMT *keymgmt = NULL;
    EVP_PKEY *pkey = NULL;
    void *keydata = NULL;