Constify return value of X509_get_X509_PUBKEY()

You really should not be mutating this. Part of #28654 Fixes: https://github.com/openssl/project/issues/1771 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/29428)
2026-01-18 17:11:31 +01:00 · 2025-09-29 15:16:33 -06:00
parent f18816261e
commit fc756e594e
10 changed files with 14 additions and 15 deletions
--- a/crypto/cms/cms_kemri.c
+++ b/crypto/cms/cms_kemri.c
@@ -83,7 +83,7 @@ int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
    CMS_OtherRecipientInfo *ori;
    CMS_KEMRecipientInfo *kemri;
    int idtype;
-    X509_PUBKEY *x_pubkey;
+    const X509_PUBKEY *x_pubkey;
    X509_ALGOR *x_alg;

    ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
--- a/crypto/ct/ct_local.h
+++ b/crypto/ct/ct_local.h
@@ -145,7 +145,7 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
 * Issuer must not be NULL.
 * Returns 1 on success, 0 on failure.
 */
-__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer);

 /*
 * Sets the public key of the issuer of the certificate that the SCT was created
@@ -153,14 +153,13 @@ __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
 * The public key must not be NULL.
 * Returns 1 on success, 0 on failure.
 */
-__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey);

 /*
 * Sets the public key of the CT log that the SCT is from.
 * Returns 1 on success, 0 on failure.
 */
 __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
-
 /*
 * Sets the time to evaluate the SCT against, in milliseconds since the Unix
 * epoch. If the SCT's timestamp is after this time, it will be interpreted as
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
@@ -197,7 +197,7 @@ err:
    return 0;
 }

-__owur static int ct_public_key_hash(SCT_CTX *sctx, X509_PUBKEY *pkey,
+__owur static int ct_public_key_hash(SCT_CTX *sctx, const X509_PUBKEY *pkey,
    unsigned char **hash, size_t *hash_len)
 {
    int ret = 0;
@@ -241,12 +241,12 @@ err:
    return ret;
 }

-int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
+int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer)
 {
    return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer));
 }

-int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
+int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey)
 {
    return ct_public_key_hash(sctx, pubkey, &sctx->ihash, &sctx->ihashlen);
 }
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -138,7 +138,7 @@ int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflags, unsigned long c
            goto err;
    }
    if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-        X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
+        const X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
        ASN1_OBJECT *xpoid;
        X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
        if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -159,7 +159,7 @@ int X509_get_signature_type(const X509 *x)
    return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg.algorithm));
 }

-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
 {
    return x->cert_info.key;
 }