Constify X509_get_ext() and friends..

These all took const, but returned non const, they should return const. This then triggers constifying of a whole class of get_ext() functions. Part of #28654 and #29117 Fixes: openssl/project#1779 Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Neil Horman <nhorman@openssl.org> MergeDate: Tue Feb 24 18:53:25 2026 (Merged from https://github.com/openssl/openssl/pull/29465)
2026-05-07 20:12:39 +00:00 · 2025-09-29 16:47:44 -06:00
parent 1c4a2cc8e7
commit e75bd84ffc
27 changed files with 122 additions and 105 deletions
@@ -172,6 +172,12 @@ OpenSSL 4.0

   *Kurt Roeckx*

+ * Various function return values have been constified, particularly in X509
+   and related areas, and when functions were returning non-const objects
+   owned by a const parameter.
+
+   *Bob Beck*
+
 * The script tool `c_rehash` was removed. Use `openssl rehash` instead.

   *Norbert Pocs*
@@ -1276,8 +1276,8 @@ int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
    exts = X509_REQ_get_extensions(req);

    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-        X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
-        ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
+        const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+        const ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
        int idx = X509_get_ext_by_OBJ(x, obj, -1);

        /* Does extension exist in target? */
@@ -2414,13 +2414,12 @@ static int adapt_keyid_ext(X509 *cert, X509V3_CTX *ext_ctx,

    idx = X509v3_get_ext_by_OBJ(exts, X509_EXTENSION_get_object(new_ext), -1);
    if (idx >= 0) {
-        X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx);
-        ASN1_OCTET_STRING *encoded = X509_EXTENSION_get_data(found_ext);
+        const X509_EXTENSION *found_ext = X509v3_get_ext(exts, idx);
+        const ASN1_OCTET_STRING *encoded = X509_EXTENSION_get_data(found_ext);
        int disabled = ASN1_STRING_length(encoded) <= 2; /* indicating "none" */

        if (disabled) {
-            X509_delete_ext(cert, idx);
-            X509_EXTENSION_free(found_ext);
+            X509_EXTENSION_free(X509_delete_ext(cert, idx));
        } /* else keep existing key identifier, which might be outdated */
        rv = 1;
    } else {
@@ -274,7 +274,7 @@ static X509_REQ *x509_to_req(X509 *cert, int ext_copy, const char *names)
        goto err;
    for (i = 0; i < n; i++) {
        X509_EXTENSION *ex = sk_X509_EXTENSION_value(cert_exts, i);
-        ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);
+        const ASN1_OBJECT *obj = X509_EXTENSION_get_object(ex);

        if (OBJ_cmp(obj, skid) != 0 && OBJ_cmp(obj, akid) != 0
            && !sk_X509_EXTENSION_push(exts, ex))
@@ -904,7 +904,7 @@ cert_loop:
    if (clrext && ext_names != NULL)
        BIO_puts(bio_err, "Warning: Ignoring -ext since -clrext is given\n");
    for (i = X509_get_ext_count(x) - 1; i >= 0; i--) {
-        X509_EXTENSION *ex = X509_get_ext(x, i);
+        const X509_EXTENSION *ex = X509_get_ext(x, i);
        const char *sn = OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(ex)));

        if (clrext || (ext_names != NULL && strstr(ext_names, sn) == NULL))
@@ -1343,7 +1343,7 @@ static int print_x509v3_exts(BIO *bio, X509 *x, const char *ext_names)
    const STACK_OF(X509_EXTENSION) *exts = NULL;
    STACK_OF(X509_EXTENSION) *exts2 = NULL;
    X509_EXTENSION *ext = NULL;
-    ASN1_OBJECT *obj;
+    const ASN1_OBJECT *obj;
    int i, j, ret = 0, num, nn = 0;
    const char *sn, **names = NULL;
    char *tmp_ext_names = NULL;
@@ -74,11 +74,15 @@ static int ct_x509_get_ext(X509 *cert, int nid, int *is_duplicated)
 */
 __owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner)
 {
+    int ret = 0;
    int preidx, certidx;
    int pre_akid_ext_is_dup, cert_akid_ext_is_dup;
+    X509_EXTENSION *new = NULL;

-    if (presigner == NULL)
-        return 1;
+    if (presigner == NULL) {
+        ret = 1;
+        goto done;
+    }

    preidx = ct_x509_get_ext(presigner, NID_authority_key_identifier,
        &pre_akid_ext_is_dup);
@@ -87,32 +91,41 @@ __owur static int ct_x509_cert_fixup(X509 *cert, X509 *presigner)

    /* An error occurred whilst searching for the extension */
    if (preidx < -1 || certidx < -1)
-        return 0;
+        goto done;
    /* Invalid certificate if they contain duplicate extensions */
    if (pre_akid_ext_is_dup || cert_akid_ext_is_dup)
-        return 0;
+        goto done;
    /* AKID must be present in both certificate or absent in both */
    if (preidx >= 0 && certidx == -1)
-        return 0;
+        goto done;
    if (preidx == -1 && certidx >= 0)
-        return 0;
+        goto done;
    /* Copy issuer name */
    if (!X509_set_issuer_name(cert, X509_get_issuer_name(presigner)))
-        return 0;
+        goto done;
    if (preidx != -1) {
        /* Retrieve and copy AKID encoding */
-        X509_EXTENSION *preext = X509_get_ext(presigner, preidx);
-        X509_EXTENSION *certext = X509_get_ext(cert, certidx);
-        ASN1_OCTET_STRING *preextdata;
+        const X509_EXTENSION *preext = X509_get_ext(presigner, preidx);
+        const X509_EXTENSION *certext = X509_get_ext(cert, certidx);
+        const ASN1_OCTET_STRING *preextdata;

        /* Should never happen */
        if (preext == NULL || certext == NULL)
-            return 0;
+            goto done;
+        if ((new = X509_EXTENSION_dup(certext)) == NULL)
+            goto done;
        preextdata = X509_EXTENSION_get_data(preext);
-        if (preextdata == NULL || !X509_EXTENSION_set_data(certext, preextdata))
-            return 0;
+        if (preextdata == NULL || !X509_EXTENSION_set_data(new, preextdata))
+            goto done;
+        X509_EXTENSION_free(X509_delete_ext(cert, certidx));
+        certext = NULL;
+        if (!X509_add_ext(cert, new, certidx))
+            goto done;
+        ret = 1;
    }
-    return 1;
+done:
+    X509_EXTENSION_free(new);
+    return ret;
 }

 int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner)
@@ -41,7 +41,7 @@ int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos)
    return (X509v3_get_ext_by_critical(x->tbsRequest.requestExtensions, crit, lastpos));
 }

-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
+const X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc)
 {
    return X509v3_get_ext(x->tbsRequest.requestExtensions, loc);
 }
@@ -63,7 +63,7 @@ int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
        crit, flags);
 }

-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc)
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, const X509_EXTENSION *ex, int loc)
 {
    return (X509v3_add_ext(&(x->tbsRequest.requestExtensions), ex, loc) != NULL);
 }
@@ -91,7 +91,7 @@ int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos)
    return (X509v3_get_ext_by_critical(x->singleRequestExtensions, crit, lastpos));
 }

-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
+const X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc)
 {
    return X509v3_get_ext(x->singleRequestExtensions, loc);
 }
@@ -113,7 +113,7 @@ int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
        flags);
 }

-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc)
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, const X509_EXTENSION *ex, int loc)
 {
    return (X509v3_add_ext(&(x->singleRequestExtensions), ex, loc) != NULL);
 }
@@ -142,7 +142,7 @@ int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
    return (X509v3_get_ext_by_critical(x->tbsResponseData.responseExtensions, crit, lastpos));
 }

-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
+const X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc)
 {
    return X509v3_get_ext(x->tbsResponseData.responseExtensions, loc);
 }
@@ -166,7 +166,7 @@ int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
        value, crit, flags);
 }

-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc)
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, const X509_EXTENSION *ex, int loc)
 {
    return (X509v3_add_ext(&(x->tbsResponseData.responseExtensions), ex, loc)
        != NULL);
@@ -196,7 +196,7 @@ int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
    return X509v3_get_ext_by_critical(x->singleExtensions, crit, lastpos);
 }

-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
+const X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc)
 {
    return X509v3_get_ext(x->singleExtensions, loc);
 }
@@ -218,7 +218,7 @@ int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
    return X509V3_add1_i2d(&x->singleExtensions, nid, value, crit, flags);
 }

-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc)
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, const X509_EXTENSION *ex, int loc)
 {
    return (X509v3_add_ext(&(x->singleExtensions), ex, loc) != NULL);
 }
@@ -310,7 +310,7 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)
     */

    int req_idx, resp_idx;
-    X509_EXTENSION *req_ext, *resp_ext;
+    const X509_EXTENSION *req_ext, *resp_ext;
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
    resp_idx = OCSP_BASICRESP_get_ext_by_NID(bs, NID_id_pkix_OCSP_Nonce, -1);
    /* Check both absent */
@@ -339,7 +339,7 @@ int OCSP_check_nonce(OCSP_REQUEST *req, OCSP_BASICRESP *bs)

 int OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req)
 {
-    X509_EXTENSION *req_ext;
+    const X509_EXTENSION *req_ext;
    int req_idx;
    /* Check for nonce in request */
    req_idx = OCSP_REQUEST_get_ext_by_NID(req, NID_id_pkix_OCSP_Nonce, -1);
@@ -48,8 +48,8 @@ int TS_OBJ_print_bio(BIO *bio, const ASN1_OBJECT *obj)
 int TS_ext_print_bio(BIO *bio, const STACK_OF(X509_EXTENSION) *extensions)
 {
    int i, critical, n;
-    X509_EXTENSION *ex;
-    ASN1_OBJECT *obj;
+    const X509_EXTENSION *ex;
+    const ASN1_OBJECT *obj;

    BIO_printf(bio, "Extensions:\n");
    n = X509v3_get_ext_count(extensions);
@@ -162,7 +162,7 @@ int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos)
    return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
 }

-X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc)
+const X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc)
 {
    return X509v3_get_ext(a->extensions, loc);
 }
@@ -323,7 +323,7 @@ int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos)
    return X509v3_get_ext_by_critical(a->extensions, crit, lastpos);
 }

-X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc)
+const X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc)
 {
    return X509v3_get_ext(a->extensions, loc);
 }
@@ -242,8 +242,8 @@ int X509_ACERT_print_ex(BIO *bp, X509_ACERT *x, unsigned long nmflags,
            if (BIO_printf(bp, "%8sExtensions:\n", "") <= 0)
                goto err;
            for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-                ASN1_OBJECT *obj;
-                X509_EXTENSION *ex;
+                const ASN1_OBJECT *obj;
+                const X509_EXTENSION *ex;
                int critical;

                ex = sk_X509_EXTENSION_value(exts, i);
@@ -169,8 +169,8 @@ int X509_REQ_print_ex(BIO *bp, const X509_REQ *x, unsigned long nmflags, unsigne
            if (BIO_printf(bp, "%12sRequested Extensions:\n", "") <= 0)
                goto err;
            for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-                ASN1_OBJECT *obj;
-                X509_EXTENSION *ex;
+                const ASN1_OBJECT *obj;
+                const X509_EXTENSION *ex;
                int critical;
                ex = sk_X509_EXTENSION_value(exts, i);
                if (BIO_printf(bp, "%16s", "") <= 0)
@@ -106,7 +106,7 @@ static AUTHORITY_KEYID *v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method,
    GENERAL_NAMES *gens = NULL;
    GENERAL_NAME *gen = NULL;
    ASN1_INTEGER *serial = NULL;
-    X509_EXTENSION *ext;
+    const X509_EXTENSION *ext;
    X509 *issuer_cert;
    int same_issuer, ss;
    AUTHORITY_KEYID *akeyid = AUTHORITY_KEYID_new();
@@ -294,7 +294,7 @@ static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx,
 static void delete_ext(STACK_OF(X509_EXTENSION) *sk, X509_EXTENSION *dext)
 {
    int idx;
-    ASN1_OBJECT *obj;
+    const ASN1_OBJECT *obj;

    obj = X509_EXTENSION_get_object(dext);
    while ((idx = X509v3_get_ext_by_OBJ(sk, obj, -1)) >= 0)
@@ -70,7 +70,7 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid)
    return sk_X509V3_EXT_METHOD_value(ext_list, idx);
 }

-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext)
+const X509V3_EXT_METHOD *X509V3_EXT_get(const X509_EXTENSION *ext)
 {
    int nid;
    if ((nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext))) == NID_undef)
@@ -131,11 +131,11 @@ int X509V3_add_standard_extensions(void)

 /* Return an extension internal structure */

-void *X509V3_EXT_d2i(X509_EXTENSION *ext)
+void *X509V3_EXT_d2i(const X509_EXTENSION *ext)
 {
    const X509V3_EXT_METHOD *method;
    const unsigned char *p;
-    ASN1_STRING *extvalue;
+    const ASN1_STRING *extvalue;
    int extlen;

    if ((method = X509V3_EXT_get(ext)) == NULL)
@@ -66,12 +66,12 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,

 /* Main routine: print out a general extension */

-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
+int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag,
    int indent)
 {
    void *ext_str = NULL;
    char *value = NULL;
-    ASN1_OCTET_STRING *extoct;
+    const ASN1_OCTET_STRING *extoct;
    const unsigned char *p;
    int extlen;
    const X509V3_EXT_METHOD *method;
@@ -150,8 +150,8 @@ int X509V3_extensions_print(BIO *bp, const char *title,
    }

    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-        ASN1_OBJECT *obj;
-        X509_EXTENSION *ex;
+        const ASN1_OBJECT *obj;
+        const X509_EXTENSION *ex;

        ex = sk_X509_EXTENSION_value(exts, i);
        obj = X509_EXTENSION_get_object(ex);
@@ -304,7 +304,7 @@ static int nid_cmp(const int *a, const int *b)
 DECLARE_OBJ_BSEARCH_CMP_FN(int, int, nid);
 IMPLEMENT_OBJ_BSEARCH_CMP_FN(int, int, nid);

-int X509_supported_extension(X509_EXTENSION *ex)
+int X509_supported_extension(const X509_EXTENSION *ex)
 {
    /*
     * This table is a list of the NIDs of supported extensions: that is
@@ -639,7 +639,7 @@ int ossl_x509v3_cache_extensions(const X509 *const_x)
        x->ex_flags |= EXFLAG_INVALID;
 #endif
    for (i = 0; i < X509_get_ext_count(x); i++) {
-        X509_EXTENSION *ex = X509_get_ext(x, i);
+        const X509_EXTENSION *ex = X509_get_ext(x, i);
        int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));

        if (nid == NID_freshest_crl)
@@ -965,7 +965,7 @@ static int check_purpose_code_sign(const X509_PURPOSE *xp, const X509 *x,
    if (i_ext < 0)
        return 0;
    if (i_ext >= 0) {
-        X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
+        const X509_EXTENSION *ext = X509_get_ext((X509 *)x, i_ext);
        if (!X509_EXTENSION_get_critical(ext))
            return 0;
    }
@@ -337,7 +337,7 @@ static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens)
 {
    GENERAL_NAMES *ialt = NULL;
    GENERAL_NAME *gen;
-    X509_EXTENSION *ext;
+    const X509_EXTENSION *ext;
    int i, num;

    if (ctx != NULL && (ctx->flags & X509V3_CTX_TEST) != 0)
@@ -37,7 +37,7 @@ int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos)
    return X509v3_get_ext_by_critical(x->crl.extensions, crit, lastpos);
 }

-X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc)
+const X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc)
 {
    return X509v3_get_ext(x->crl.extensions, loc);
 }
@@ -70,7 +70,7 @@ int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
    return X509V3_add1_i2d(&x->crl.extensions, nid, value, crit, flags);
 }

-int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
+int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc)
 {
    return (X509v3_add_ext(&(x->crl.extensions), ex, loc) != NULL);
 }
@@ -95,7 +95,7 @@ int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos)
    return (X509v3_get_ext_by_critical(x->cert_info.extensions, crit, lastpos));
 }

-X509_EXTENSION *X509_get_ext(const X509 *x, int loc)
+const X509_EXTENSION *X509_get_ext(const X509 *x, int loc)
 {
    return X509v3_get_ext(x->cert_info.extensions, loc);
 }
@@ -105,7 +105,7 @@ X509_EXTENSION *X509_delete_ext(X509 *x, int loc)
    return delete_ext(&x->cert_info.extensions, loc);
 }

-int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
+int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc)
 {
    return (X509v3_add_ext(&(x->cert_info.extensions), ex, loc) != NULL);
 }
@@ -143,7 +143,7 @@ int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpo
    return X509v3_get_ext_by_critical(x->extensions, crit, lastpos);
 }

-X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc)
+const X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc)
 {
    return X509v3_get_ext(x->extensions, loc);
 }
@@ -80,7 +80,7 @@ int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit,
    return -1;
 }

-X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
+const X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc)
 {
    if (x == NULL || sk_X509_EXTENSION_num(x) <= loc || loc < 0)
        return NULL;
@@ -99,7 +99,7 @@ X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc)
 }

 STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
-    X509_EXTENSION *ex, int loc)
+    const X509_EXTENSION *ex, int loc)
 {
    X509_EXTENSION *new_ex = NULL;
    int n;
@@ -154,8 +154,8 @@ STACK_OF(X509_EXTENSION) *X509v3_add_extensions(STACK_OF(X509_EXTENSION) **targe
    }

    for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
-        X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
-        ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
+        const X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
+        const ASN1_OBJECT *obj = X509_EXTENSION_get_object(ext);
        int idx = X509v3_get_ext_by_OBJ(*target, obj, -1);

        /* Does extension exist in target? */
@@ -237,7 +237,7 @@ int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit)
    return 1;
 }

-int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
+int X509_EXTENSION_set_data(X509_EXTENSION *ex, const ASN1_OCTET_STRING *data)
 {
    int i;

@@ -249,14 +249,14 @@ int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data)
    return 1;
 }

-ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex)
+const ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex)
 {
    if (ex == NULL)
        return NULL;
    return ex->object;
 }

-ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ex)
+const ASN1_OCTET_STRING *X509_EXTENSION_get_data(const X509_EXTENSION *ex)
 {
    if (ex == NULL)
        return NULL;
@@ -1590,7 +1590,7 @@ static int get_crl_sk(X509_STORE_CTX *ctx, X509_CRL **pcrl, X509_CRL **pdcrl,
 */
 static int crl_extension_match(X509_CRL *a, X509_CRL *b, int nid)
 {
-    ASN1_OCTET_STRING *exta = NULL, *extb = NULL;
+    const ASN1_OCTET_STRING *exta = NULL, *extb = NULL;
    int i = X509_CRL_get_ext_by_NID(a, nid, -1);

    if (i >= 0) {
@@ -2630,8 +2630,7 @@ X509_CRL *X509_CRL_diff(X509_CRL *base, X509_CRL *newer,
     * number to correct value too.
     */
    for (i = 0; i < X509_CRL_get_ext_count(newer); i++) {
-        X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
-
+        const X509_EXTENSION *ext = X509_CRL_get_ext(newer, i);
        if (!X509_CRL_add_ext(crl, ext, -1)) {
            ERR_raise(ERR_LIB_X509, ERR_R_X509_LIB);
            goto err;
@@ -19,7 +19,7 @@ X509_REVOKED_get0_extensions - X509 extension decode and encode functions
 int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,
                     int crit, unsigned long flags);

- void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+ void *X509V3_EXT_d2i(const X509_EXTENSION *ext);
 X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc);

 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
@@ -12,7 +12,7 @@ functions

 int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
 int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
- int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
+ int X509_EXTENSION_set_data(X509_EXTENSION *ex, const ASN1_OCTET_STRING *data);

 X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex,
                                              int nid, int crit,
@@ -21,9 +21,9 @@ functions
                                              const ASN1_OBJECT *obj, int crit,
                                              ASN1_OCTET_STRING *data);

- ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
+ const ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
 int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);
- ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
+ const ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);

 =head1 DESCRIPTION

@@ -18,7 +18,7 @@ X509_REVOKED_add_ext - extension stack utility functions
 #include <openssl/x509.h>

 int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x);
- X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
+ const X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);

 int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x,
                           int nid, int lastpos);
@@ -34,24 +34,24 @@ X509_REVOKED_add_ext - extension stack utility functions
                             const STACK_OF(X509_EXTENSION) *exts);

 int X509_get_ext_count(const X509 *x);
- X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
+ const X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
 int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
 int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos);
 int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos);
 X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
- int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
+ int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);

 int X509_CRL_get_ext_count(const X509_CRL *x);
- X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
+ const X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
 int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
 int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj,
                             int lastpos);
 int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos);
 X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
- int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
+ int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc);

 int X509_REVOKED_get_ext_count(const X509_REVOKED *x);
- X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc);
+ const X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc);
 int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos);
 int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj,
                                 int lastpos);
@@ -310,24 +310,24 @@ int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos);
 int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj,
    int lastpos);
 int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
+const X509_EXTENSION *OCSP_REQUEST_get_ext(OCSP_REQUEST *x, int loc);
 X509_EXTENSION *OCSP_REQUEST_delete_ext(OCSP_REQUEST *x, int loc);
 void *OCSP_REQUEST_get1_ext_d2i(OCSP_REQUEST *x, int nid, int *crit,
    int *idx);
 int OCSP_REQUEST_add1_ext_i2d(OCSP_REQUEST *x, int nid, void *value, int crit,
    unsigned long flags);
-int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc);
+int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, const X509_EXTENSION *ex, int loc);

 int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x);
 int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos);
 int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, int lastpos);
 int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos);
-X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
+const X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc);
 X509_EXTENSION *OCSP_ONEREQ_delete_ext(OCSP_ONEREQ *x, int loc);
 void *OCSP_ONEREQ_get1_ext_d2i(OCSP_ONEREQ *x, int nid, int *crit, int *idx);
 int OCSP_ONEREQ_add1_ext_i2d(OCSP_ONEREQ *x, int nid, void *value, int crit,
    unsigned long flags);
-int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc);
+int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, const X509_EXTENSION *ex, int loc);

 int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x);
 int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos);
@@ -335,13 +335,13 @@ int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj,
    int lastpos);
 int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit,
    int lastpos);
-X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
+const X509_EXTENSION *OCSP_BASICRESP_get_ext(OCSP_BASICRESP *x, int loc);
 X509_EXTENSION *OCSP_BASICRESP_delete_ext(OCSP_BASICRESP *x, int loc);
 void *OCSP_BASICRESP_get1_ext_d2i(OCSP_BASICRESP *x, int nid, int *crit,
    int *idx);
 int OCSP_BASICRESP_add1_ext_i2d(OCSP_BASICRESP *x, int nid, void *value,
    int crit, unsigned long flags);
-int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc);
+int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, const X509_EXTENSION *ex, int loc);

 int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x);
 int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos);
@@ -349,13 +349,13 @@ int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj,
    int lastpos);
 int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit,
    int lastpos);
-X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
+const X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc);
 X509_EXTENSION *OCSP_SINGLERESP_delete_ext(OCSP_SINGLERESP *x, int loc);
 void *OCSP_SINGLERESP_get1_ext_d2i(OCSP_SINGLERESP *x, int nid, int *crit,
    int *idx);
 int OCSP_SINGLERESP_add1_ext_i2d(OCSP_SINGLERESP *x, int nid, void *value,
    int crit, unsigned long flags);
-int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc);
+int OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, const X509_EXTENSION *ex, int loc);
 const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *x);

 DECLARE_ASN1_FUNCTIONS(OCSP_SINGLERESP)
@@ -155,7 +155,7 @@ int TS_REQ_get_ext_count(TS_REQ *a);
 int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos);
 int TS_REQ_get_ext_by_OBJ(TS_REQ *a, const ASN1_OBJECT *obj, int lastpos);
 int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos);
-X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc);
+const X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc);
 X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc);
 int TS_REQ_add_ext(TS_REQ *a, X509_EXTENSION *ex, int loc);
 void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx);
@@ -217,7 +217,7 @@ int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos);
 int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, const ASN1_OBJECT *obj,
    int lastpos);
 int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos);
-X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc);
+const X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc);
 X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc);
 int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc);
 void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx);
@@ -899,10 +899,10 @@ int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x,
    const ASN1_OBJECT *obj, int lastpos);
 int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x,
    int crit, int lastpos);
-X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
+const X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc);
 X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc);
 STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x,
-    X509_EXTENSION *ex, int loc);
+    const X509_EXTENSION *ex, int loc);
 STACK_OF(X509_EXTENSION) *X509v3_add_extensions(STACK_OF(X509_EXTENSION) **target,
    const STACK_OF(X509_EXTENSION) *exts);

@@ -910,9 +910,9 @@ int X509_get_ext_count(const X509 *x);
 int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos);
 int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos);
 int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos);
-X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
+const X509_EXTENSION *X509_get_ext(const X509 *x, int loc);
 X509_EXTENSION *X509_delete_ext(X509 *x, int loc);
-int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc);
+int X509_add_ext(X509 *x, const X509_EXTENSION *ex, int loc);
 void *X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx);
 int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit,
    unsigned long flags);
@@ -922,9 +922,9 @@ int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos);
 int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj,
    int lastpos);
 int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos);
-X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
+const X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc);
 X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc);
-int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc);
+int X509_CRL_add_ext(X509_CRL *x, const X509_EXTENSION *ex, int loc);
 void *X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx);
 int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit,
    unsigned long flags);
@@ -935,7 +935,7 @@ int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj,
    int lastpos);
 int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit,
    int lastpos);
-X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc);
+const X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc);
 X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc);
 int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc);
 void *X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit,
@@ -951,9 +951,9 @@ X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex,
    ASN1_OCTET_STRING *data);
 int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj);
 int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit);
-int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data);
-ASN1_OBJECT *X509_EXTENSION_get_object(X509_EXTENSION *ex);
-ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne);
+int X509_EXTENSION_set_data(X509_EXTENSION *ex, const ASN1_OCTET_STRING *data);
+const ASN1_OBJECT *X509_EXTENSION_get_object(const X509_EXTENSION *ex);
+const ASN1_OCTET_STRING *X509_EXTENSION_get_data(const X509_EXTENSION *ne);
 int X509_EXTENSION_get_critical(const X509_EXTENSION *ex);

 int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x);
@@ -715,11 +715,11 @@ int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist);
 int X509V3_EXT_add_alias(int nid_to, int nid_from);
 void X509V3_EXT_cleanup(void);

-const X509V3_EXT_METHOD *X509V3_EXT_get(X509_EXTENSION *ext);
+const X509V3_EXT_METHOD *X509V3_EXT_get(const X509_EXTENSION *ext);
 const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid);
 int X509V3_add_standard_extensions(void);
 STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line);
-void *X509V3_EXT_d2i(X509_EXTENSION *ext);
+void *X509V3_EXT_d2i(const X509_EXTENSION *ext);
 void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit,
    int *idx);

@@ -735,7 +735,7 @@ int X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value,

 void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent,
    int ml);
-int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag,
+int X509V3_EXT_print(BIO *out, const X509_EXTENSION *ext, unsigned long flag,
    int indent);
 #ifndef OPENSSL_NO_STDIO
 int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent);
@@ -746,7 +746,7 @@ int X509V3_extensions_print(BIO *out, const char *title,

 int X509_check_ca(const X509 *x);
 int X509_check_purpose(const X509 *x, int id, int ca);
-int X509_supported_extension(X509_EXTENSION *ex);
+int X509_supported_extension(const X509_EXTENSION *ex);
 int X509_check_issued(X509 *issuer, X509 *subject);
 int X509_check_akid(const X509 *issuer, const AUTHORITY_KEYID *akid);
 void X509_set_proxy_flag(X509 *x);
@@ -149,7 +149,7 @@ end:
    return result;
 }

-static int compare_extension_printout(X509_EXTENSION *extension,
+static int compare_extension_printout(const X509_EXTENSION *extension,
    const char *expected_output)
 {
    BIO *text_buffer = NULL;
@@ -250,7 +250,7 @@ static int execute_cert_test(CT_TEST_FIXTURE *fixture)
    if (fixture->certificate_file != NULL) {
        int sct_extension_index;
        int i;
-        X509_EXTENSION *sct_extension = NULL;
+        const X509_EXTENSION *sct_extension = NULL;

        if (!TEST_ptr(cert = load_pem_cert(fixture->certs_dir,
                          fixture->certificate_file)))