Constify X509_STORE_CTX functions invoving X509 *

X509_STORE_CTX *ctx, const X509 *x); X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x); int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store, const X509 *target, STACK_OF(X509) *untrusted); const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx); const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx); const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx); void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target); For #30052 Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> MergeDate: Wed Feb 25 10:24:15 2026 (Merged from https://github.com/openssl/openssl/pull/30076)
2026-05-07 20:12:39 +00:00 · 2026-02-18 17:34:12 -07:00
parent fdc8414e2a
commit e5b563366b
13 changed files with 40 additions and 35 deletions
@@ -2583,7 +2583,7 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
 static STACK_OF(X509_CRL) *crls_http_cb(const X509_STORE_CTX *ctx,
    const X509_NAME *nm)
 {
-    X509 *x;
+    const X509 *x;
    STACK_OF(X509_CRL) *crls = NULL;
    X509_CRL *crl;
    STACK_OF(DIST_POINT) *crldp;
@@ -47,7 +47,7 @@ static const char *lookup(int val, const STRINT_PAIR *list, const char *def)

 int verify_callback(int ok, X509_STORE_CTX *ctx)
 {
-    X509 *err_cert;
+    const X509 *err_cert;
    int err, depth;

    err_cert = X509_STORE_CTX_get_current_cert(ctx);
@@ -330,7 +330,7 @@ end:
 static int cb(int ok, X509_STORE_CTX *ctx)
 {
    int cert_error = X509_STORE_CTX_get_error(ctx);
-    X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
+    const X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);

    if (!ok) {
        if (current_cert != NULL) {
@@ -1271,7 +1271,7 @@ end:
 static int callb(int ok, X509_STORE_CTX *ctx)
 {
    int err;
-    X509 *err_cert;
+    const X509 *err_cert;

    /*
     * It is ok to use a self-signed certificate. This case will catch both
@@ -374,7 +374,7 @@ int X509_aux_print(BIO *out, const X509 *x, int indent)
 * Helper functions for improving certificate verification error diagnostics
 */

-int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
+int ossl_x509_print_ex_brief(BIO *bio, const X509 *cert, unsigned long neg_cflags)
 {
    unsigned long flags = ASN1_STRFLGS_RFC2253 | ASN1_STRFLGS_ESC_QUOTE | XN_FLAG_SEP_CPLUS_SPC | XN_FLAG_FN_SN;
    X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new();
@@ -391,7 +391,8 @@ int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags)
    if (BIO_printf(bio, "    certificate\n") <= 0
        || !X509_print_ex(bio, cert, flags, ~X509_FLAG_NO_SUBJECT))
        goto err;
-    if (X509_check_issued((X509 *)cert, cert) == X509_V_OK) {
+    /* XXX casts away const - remove cast once #30067 lands */
+    if (X509_check_issued((X509 *)cert, (X509 *)cert) == X509_V_OK) {
        if (BIO_printf(bio, "        self-issued\n") <= 0)
            goto err;
    } else {
@@ -7,6 +7,7 @@
 * https://www.openssl.org/source/license.html
 */
 #include <openssl/safestack.h>
+#include <openssl/x509_vfy.h>

 #include "internal/refcount.h"
 #include "internal/hashtable.h"
@@ -152,9 +153,9 @@ struct x509_store_st {
    /* error callback */
    int (*verify_cb)(int ok, X509_STORE_CTX *ctx);
    /* get issuers cert from ctx */
-    int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+    X509_STORE_CTX_get_issuer_fn get_issuer;
    /* check issued */
-    int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+    X509_STORE_CTX_check_issued_fn check_issued;
    /* Check revocation status of chain */
    int (*check_revocation)(X509_STORE_CTX *ctx);
    /* retrieve CRL */
@@ -52,7 +52,7 @@ static int verify_rpk(X509_STORE_CTX *ctx);
 static int dane_verify(X509_STORE_CTX *ctx);
 static int dane_verify_rpk(X509_STORE_CTX *ctx);
 static int null_callback(int ok, X509_STORE_CTX *e);
-static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+static int check_issued(X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer);
 static int check_extensions(X509_STORE_CTX *ctx);
 static int check_name_constraints(X509_STORE_CTX *ctx);
 static int check_id(X509_STORE_CTX *ctx);
@@ -412,7 +412,7 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
 * Maybe not touch X509_STORE_CTX_get1_issuer(), for API backward compatibility.
 */
 static X509 *get0_best_issuer_sk(X509_STORE_CTX *ctx, int check_signing_allowed,
-    int no_dup, STACK_OF(X509) *sk, X509 *x)
+    int no_dup, STACK_OF(X509) *sk, const X509 *x)
 {
    int i;
    X509 *candidate, *issuer = NULL;
@@ -453,7 +453,7 @@ static X509 *get0_best_issuer_sk(X509_STORE_CTX *ctx, int check_signing_allowed,
 *  0 certificate not found.
 * -1 some other error.
 */
-int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x)
 {
    const X509_NAME *xn = X509_get_issuer_name(x);
    X509_OBJECT *obj = X509_OBJECT_new();
@@ -491,9 +491,10 @@ end:
 }

 /* Check that the given certificate |x| is issued by the certificate |issuer| */
-static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
+static int check_issued(ossl_unused X509_STORE_CTX *ctx, const X509 *x, const X509 *issuer)
 {
-    int err = ossl_x509_likely_issued(issuer, x);
+    /* XXX casts away const, remove cast when #30067 lands */
+    int err = ossl_x509_likely_issued((X509 *)issuer, (X509 *)x);

    if (err == X509_V_OK)
        return 1;
@@ -508,7 +509,7 @@ static int check_issued(ossl_unused X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 * Alternative get_issuer method: look up from a STACK_OF(X509) in other_ctx.
 * Returns -1 on internal error.
 */
-static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
+static int get1_best_issuer_other_sk(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x)
 {
    *issuer = get0_best_issuer_sk(ctx, 0, 1 /* no_dup */, ctx->other_ctx, x);
    if (*issuer == NULL)
@@ -2706,7 +2707,7 @@ void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth)
    ctx->error_depth = depth;
 }

-X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx)
+const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx)
 {
    return ctx->current_cert;
 }
@@ -2728,7 +2729,7 @@ STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx)
    return X509_chain_up_ref(ctx->chain);
 }

-X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx)
+const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx)
 {
    return ctx->current_issuer;
 }
@@ -2743,9 +2744,10 @@ X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx)
    return ctx->parent;
 }

-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x)
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *x)
 {
-    ctx->cert = x;
+    /* XXX casts away const - fix by making ctx->cert const */
+    ctx->cert = (X509 *)x;
 }

 void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *rpk)
@@ -3087,7 +3089,7 @@ void X509_STORE_CTX_set_current_reasons(X509_STORE_CTX *ctx,
    ctx->current_reasons = current_reasons;
 }

-X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx)
+const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx)
 {
    return ctx->cert;
 }
@@ -18,9 +18,9 @@ information
 void  X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
 int   X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
 void  X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
- X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
+ const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
 void  X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
- X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
+ const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
 X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx);

@@ -32,13 +32,13 @@ X509_STORE_CTX_purpose_inherit
 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);

 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
-                         X509 *target, STACK_OF(X509) *untrusted);
+                         const X509 *target, STACK_OF(X509) *untrusted);
 int X509_STORE_CTX_init_rpk(X509_STORE_CTX *ctx, X509_STORE *trust_store,
                             EVP_PKEY *rpk);

 void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);

- void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
+ void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
 void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target);

@@ -65,7 +65,7 @@ X509_STORE_CTX_lookup_certs_fn, X509_STORE_CTX_lookup_crls_fn
 void X509_STORE_set_verify(X509_STORE *xs, X509_STORE_CTX_verify_fn verify);
 X509_STORE_CTX_verify_fn X509_STORE_CTX_get_verify(const X509_STORE_CTX *ctx);

- int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x);
 X509_STORE_CTX_get_issuer_fn X509_STORE_get_get_issuer(const X509_STORE_CTX *ctx);
 void X509_STORE_set_get_issuer(X509_STORE *xs,
                                X509_STORE_CTX_get_issuer_fn get_issuer);
@@ -14,6 +14,7 @@
 #include "internal/refcount.h"
 #include <openssl/asn1.h>
 #include <openssl/x509.h>
+#include <openssl/x509_vfy.h>
 #include <openssl/conf.h>
 #include "crypto/types.h"

@@ -233,9 +234,9 @@ struct x509_store_ctx_st { /* X509_STORE_CTX */
    /* error callback */
    int (*verify_cb)(int ok, X509_STORE_CTX *ctx);
    /* get issuers cert from ctx */
-    int (*get_issuer)(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+    X509_STORE_CTX_get_issuer_fn get_issuer;
    /* check issued */
-    int (*check_issued)(X509_STORE_CTX *ctx, X509 *x, X509 *issuer);
+    X509_STORE_CTX_check_issued_fn check_issued;
    /* Check revocation status of chain */
    int (*check_revocation)(X509_STORE_CTX *ctx);
    /* retrieve CRL */
@@ -314,7 +315,7 @@ struct x509_object_st {

 int ossl_a2i_ipadd(unsigned char *ipout, const char *ipasc);
 int ossl_x509_set1_time(int *modified, ASN1_TIME **ptm, const ASN1_TIME *tm);
-int ossl_x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
+int ossl_x509_print_ex_brief(BIO *bio, const X509 *cert, unsigned long neg_cflags);
 int ossl_x509v3_cache_extensions(const X509 *x);
 int ossl_x509_init_sig_info(X509 *x);

@@ -158,9 +158,9 @@ typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
 int X509_STORE_CTX_print_verify_cb(int ok, X509_STORE_CTX *ctx);
 typedef int (*X509_STORE_CTX_verify_fn)(X509_STORE_CTX *);
 typedef int (*X509_STORE_CTX_get_issuer_fn)(X509 **issuer,
-    X509_STORE_CTX *ctx, X509 *x);
+    X509_STORE_CTX *ctx, const X509 *x);
 typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx,
-    X509 *x, X509 *issuer);
+    const X509 *x, const X509 *issuer);
 typedef int (*X509_STORE_CTX_check_revocation_fn)(X509_STORE_CTX *ctx);
 typedef int (*X509_STORE_CTX_get_crl_fn)(X509_STORE_CTX *ctx,
    X509_CRL **crl, X509 *x);
@@ -494,7 +494,7 @@ void *X509_STORE_get_ex_data(const X509_STORE *xs, int idx);
 X509_STORE_CTX *X509_STORE_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq);
 X509_STORE_CTX *X509_STORE_CTX_new(void);

-int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x);
+int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, const X509 *x);

 void X509_STORE_CTX_free(X509_STORE_CTX *ctx);
 int X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *trust_store,
@@ -505,7 +505,7 @@ void X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
 void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx);

 X509_STORE *X509_STORE_CTX_get0_store(const X509_STORE_CTX *ctx);
-X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
+const X509 *X509_STORE_CTX_get0_cert(const X509_STORE_CTX *ctx);
 EVP_PKEY *X509_STORE_CTX_get0_rpk(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get0_untrusted(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk);
@@ -688,14 +688,14 @@ int X509_STORE_CTX_get_error(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
 int X509_STORE_CTX_get_error_depth(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth);
-X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
+const X509 *X509_STORE_CTX_get_current_cert(const X509_STORE_CTX *ctx);
 void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x);
-X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx);
+const X509 *X509_STORE_CTX_get0_current_issuer(const X509_STORE_CTX *ctx);
 X509_CRL *X509_STORE_CTX_get0_current_crl(const X509_STORE_CTX *ctx);
 X509_STORE_CTX *X509_STORE_CTX_get0_parent_ctx(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get0_chain(const X509_STORE_CTX *ctx);
 STACK_OF(X509) *X509_STORE_CTX_get1_chain(const X509_STORE_CTX *ctx);
-void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *target);
+void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, const X509 *target);
 void X509_STORE_CTX_set0_rpk(X509_STORE_CTX *ctx, EVP_PKEY *target);
 void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *c, STACK_OF(X509) *sk);
 void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk);
@@ -2911,7 +2911,7 @@ static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)

    if (cb_arg->app_verify) {
        char *s = NULL, buf[256];
-        X509 *c = X509_STORE_CTX_get0_cert(ctx);
+        const X509 *c = X509_STORE_CTX_get0_cert(ctx);

        printf("In app_verify_callback, allowing cert. ");
        printf("Arg is: %s\n", cb_arg->string);