Constify X509_OBJECT_[get0|set1]_X509 and friends

cascades to constifying X509_get_pubkey() as well Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org> MergeDate: Tue Feb 24 19:16:50 2026 (Merged from https://github.com/openssl/openssl/pull/30117)
2026-05-07 20:12:39 +00:00 · 2026-02-20 12:37:41 -05:00
parent c8e34c64bc
commit 367c54ef11
5 changed files with 13 additions and 11 deletions
@@ -385,7 +385,7 @@ EVP_PKEY *X509_get0_pubkey(const X509 *x)
    return X509_PUBKEY_get0(x->cert_info.key);
 }

-EVP_PKEY *X509_get_pubkey(X509 *x)
+EVP_PKEY *X509_get_pubkey(const X509 *x)
 {
    if (x == NULL)
        return NULL;
@@ -412,7 +412,7 @@ static int obj_ht_foreach_certs(HT_VALUE *v, void *arg)
    int i, r;

    for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
-        X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
+        const X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));

        if (cert == NULL)
            continue;
@@ -613,7 +613,7 @@ int X509_OBJECT_up_ref_count(X509_OBJECT *a)
    return 1;
 }

-X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
+const X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
 {
    if (a == NULL || a->type != X509_LU_X509)
        return NULL;
@@ -658,14 +658,14 @@ static void x509_object_free_internal(X509_OBJECT *a)
    }
 }

-int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj)
+int X509_OBJECT_set1_X509(X509_OBJECT *a, const X509 *obj)
 {
-    if (a == NULL || !X509_up_ref(obj))
+    if (a == NULL || !X509_up_ref((X509 *)obj))
        return 0;

    x509_object_free_internal(a);
    a->type = X509_LU_X509;
-    a->data.x509 = obj;
+    a->data.x509 = (X509 *)obj;
    return 1;
 }

@@ -830,7 +830,7 @@ STACK_OF(X509) *X509_STORE_get1_all_certs(X509_STORE *store)
        ossl_ht_foreach_until(store->objs_ht, obj_ht_foreach_certs, &sk);
    } else {
        for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++) {
-            X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(store->objs, i));
+            const X509 *cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(store->objs, i));

            if (cert != NULL
                && !X509_add_cert(sk, cert, X509_ADD_FLAG_UP_REF))
@@ -11,7 +11,7 @@ X509_REQ_get_X509_PUBKEY

 #include <openssl/x509.h>

- EVP_PKEY *X509_get_pubkey(X509 *x);
+ EVP_PKEY *X509_get_pubkey(const X509 *x);
 EVP_PKEY *X509_get0_pubkey(const X509 *x);
 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
 const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
@@ -82,6 +82,8 @@ X509_REQ_get0_X509_PUBKEY() was constified in OpenSSL 4.0.
 X509_get_pubkey() and X509_REQ_get_pubkey()
 are deprecated but retained for backward compatibility.

+X509_get_pubkey() was converted to use a const parameter in OpenSSL 4.0.
+
 =head1 COPYRIGHT

 Copyright 2015-2025 The OpenSSL Project Authors. All Rights Reserved.
@@ -683,7 +683,7 @@ int X509_get_signature_type(const X509 *x);
 #endif

 int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
-EVP_PKEY *X509_get_pubkey(X509 *x); /* deprecated */
+EVP_PKEY *X509_get_pubkey(const X509 *x); /* deprecated */
 EVP_PKEY *X509_get0_pubkey(const X509 *x);
 /*
 * This one is only used so that a binary form can output, as in
@@ -416,8 +416,8 @@ int X509_OBJECT_up_ref_count(X509_OBJECT *a);
 X509_OBJECT *X509_OBJECT_new(void);
 void X509_OBJECT_free(X509_OBJECT *a);
 X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);
-X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
-int X509_OBJECT_set1_X509(X509_OBJECT *a, X509 *obj);
+const X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
+int X509_OBJECT_set1_X509(X509_OBJECT *a, const X509 *obj);
 X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a);
 int X509_OBJECT_set1_X509_CRL(X509_OBJECT *a, X509_CRL *obj);
 X509_STORE *X509_STORE_new(void);