From: Neil Horman
Date: Thu, 19 Feb 2026 17:07:21 +0000 (-0500)
Subject: constify X509_find_by_issuer_and_serial
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=07ee3d5db8a291e0809a9ff0789b539daf6fadf0;p=thirdparty%2Fopenssl.git
constify X509_find_by_issuer_and_serial
Constify the return value of X509_find_by_issuer_and_serial, and fix up the callers to handle it properly (affects two pkcs7 functions)
Reviewed-by: Tomas Mraz
Reviewed-by: Nikola Pajkovsky
MergeDate: Wed Feb 25 15:05:11 2026
(Merged from https://github.com/openssl/openssl/pull/30092)
---
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index e5b1426194..55353e3e15 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -979,7 +979,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
 int ret = 0, i;
 STACK_OF(X509) *untrusted;
 STACK_OF(X509_CRL) *crls;
- X509 *signer;
+ const X509 *signer;
 if (p7 == NULL) {
 ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER);
@@ -1015,7 +1015,10 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
 }
 /* Lets verify */
- if (!X509_STORE_CTX_init(ctx, cert_store, signer, untrusted)) {
+ /*
+ * TODO: This cast can be removed when #30076 is merged
+ */
+ if (!X509_STORE_CTX_init(ctx, cert_store, (X509 *)signer, untrusted)) {
 ERR_raise(ERR_LIB_PKCS7, ERR_R_X509_LIB);
 goto err;
 }
@@ -1032,7 +1035,7 @@ err:
 }
 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
- X509 *signer)
+ const X509 *signer)
 {
 ASN1_OCTET_STRING *os;
 EVP_MD_CTX *mdc_tmp, *mdc;
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 675c694e66..311dffd4aa 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -675,7 +675,7 @@ err:
 return 0;
 }
-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
+const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 {
 if (PKCS7_type_is_signed(p7))
 return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
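Review bot: The two casts that drop the new const are documented unevenly. In the second pk7_doit.c hunk, `X509_STORE_CTX_init(ctx, cert_store, (X509 *)signer, untrusted)` carries a TODO, but `sk_X509_push(signers, (X509 *)signer)` in PKCS7_get0_signers (pk7_smime.c) has no comment at all, and that cast does not look temporary: the function still returns a non-const `STACK_OF(X509) *`, so every certificate found through the now-const lookup is handed back to callers as writable. I would add a comment there such as `/* const dropped deliberately: PKCS7_get0_signers() returns a non-const STACK_OF(X509) */`, and have the TODO here say what #30076 has to change (presumably the X509_STORE_CTX_init() prototype) rather than only its number. Both function bodies continue outside their hunks, so where `signer` is assigned is not visible here.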
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 060def46db..59a7fd4387 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -365,7 +365,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
 STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
 PKCS7_SIGNER_INFO *si;
 PKCS7_ISSUER_AND_SERIAL *ias;
- X509 *signer;
+ const X509 *signer;
 int i;
 if (p7 == NULL) {
@@ -409,7 +409,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
 return 0;
 }
- if (!sk_X509_push(signers, signer)) {
+ if (!sk_X509_push(signers, (X509 *)signer)) {
 sk_X509_free(signers);
 return NULL;
 }
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 0418d2d636..688dbbac82 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -345,7 +345,7 @@ end:
 #endif
 /* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
 const ASN1_INTEGER *serial)
 {
 int i;
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index 5065591e52..7043da8ef1 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -284,7 +284,7 @@ int PKCS7_content_new(PKCS7 *p7, int nid);
 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
 PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
- X509 *signer);
+ const X509 *signer);
 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
@@ -292,7 +292,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst);
-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md);
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 382ecc5d8c..31ddf3ebec 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -1022,7 +1022,7 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
 const unsigned char *bytes, int len);
 /* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
 const ASN1_INTEGER *serial);
 const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);
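Review bot: Changing the return type of `PKCS7_cert_from_signer_info()` in this hunk, and of `X509_find_by_issuer_and_serial()` in the x509.h.in hunk, alters the public API, and none of the files in this commit documents that. Application code that stores either result in a plain `X509 *` will now get a discarded-qualifier diagnostic (an error under -Werror or when compiled as C++), so a CHANGES entry and a manual-page update seem warranted if they are not part of a separate commit. The one-line comment `/* lookup a cert from a X509 STACK */` is also the place to state the contract the const is meant to express, for example `/* lookup a cert in a stack; the result points into sk and must not be freed or modified */`, assuming the function returns the stack's own element, which its body (outside this diff's hunks) would confirm.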