constify X509_find_by_issuer_and_serial

Constify the return value of X509_find_by_issuer_and_serial, and fix up the callers to handle it properly (affects two pkcs7 functions) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> MergeDate: Wed Feb 25 15:05:11 2026 (Merged from https://github.com/openssl/openssl/pull/30092)
2026-05-07 20:12:39 +00:00 · 2026-02-19 12:07:21 -05:00
parent 58d88a34ff
commit 07ee3d5db8
6 changed files with 13 additions and 10 deletions
@@ -979,7 +979,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
    int ret = 0, i;
    STACK_OF(X509) *untrusted;
    STACK_OF(X509_CRL) *crls;
-    X509 *signer;
+    const X509 *signer;

    if (p7 == NULL) {
        ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER);
@@ -1015,7 +1015,10 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
    }

    /* Lets verify */
-    if (!X509_STORE_CTX_init(ctx, cert_store, signer, untrusted)) {
+    /*
+     * TODO: This cast can be removed when #30076 is merged
+     */
+    if (!X509_STORE_CTX_init(ctx, cert_store, (X509 *)signer, untrusted)) {
        ERR_raise(ERR_LIB_PKCS7, ERR_R_X509_LIB);
        goto err;
    }
@@ -1032,7 +1035,7 @@ err:
 }

 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
-    X509 *signer)
+    const X509 *signer)
 {
    ASN1_OCTET_STRING *os;
    EVP_MD_CTX *mdc_tmp, *mdc;
@@ -675,7 +675,7 @@ err:
    return 0;
 }

-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
+const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 {
    if (PKCS7_type_is_signed(p7))
        return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
@@ -365,7 +365,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
    STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
    PKCS7_SIGNER_INFO *si;
    PKCS7_ISSUER_AND_SERIAL *ias;
-    X509 *signer;
+    const X509 *signer;
    int i;

    if (p7 == NULL) {
@@ -409,7 +409,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
            return 0;
        }

-        if (!sk_X509_push(signers, signer)) {
+        if (!sk_X509_push(signers, (X509 *)signer)) {
            sk_X509_free(signers);
            return NULL;
        }
@@ -345,7 +345,7 @@ end:
 #endif

 /* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
    const ASN1_INTEGER *serial)
 {
    int i;
@@ -284,7 +284,7 @@ int PKCS7_content_new(PKCS7 *p7, int nid);
 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx,
    BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
-    X509 *signer);
+    const X509 *signer);

 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
@@ -292,7 +292,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);

 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
    EVP_PKEY *pkey, const EVP_MD *dgst);
-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md);
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);

@@ -1022,7 +1022,7 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
    const unsigned char *bytes, int len);

 /* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
    const ASN1_INTEGER *serial);
 const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);