Consity X509_add_cert and X509_self_signed

As part of the effort to not allow mutable X509 objects where they
aren't needed, constify the cert parameter for these two functions

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Fri Feb 20 13:33:04 2026
(Merged from https://github.com/openssl/openssl/pull/30054)

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index c915fa4d84df9513a910199fd3628a163877f1e2..51952dce5605fcbe3fecea3d774f5db1678fb45b 100644 (file)
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -187,7 +187,7 @@ int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags)
     return X509_add_cert(*p_sk, cert, flags);
 }
 
-int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
+int X509_add_cert(STACK_OF(X509) *sk, const X509 *cert, int flags)
 {
     if (sk == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
@@ -213,12 +213,16 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
         if (ret != 0)
             return ret > 0 ? 1 : 0;
     }
-    if ((flags & X509_ADD_FLAG_UP_REF) != 0 && !X509_up_ref(cert))
+    /*
+     * Note: We're technically mutating the cert here, but its just to up
+     * the reference count, so that should be safe, so cast away
+     */
+    if ((flags & X509_ADD_FLAG_UP_REF) != 0 && !X509_up_ref((X509 *)cert))
         return 0;
-    if (!sk_X509_insert(sk, cert,
+    if (!sk_X509_insert(sk, (X509 *)cert,
             (flags & X509_ADD_FLAG_PREPEND) != 0 ? 0 : -1)) {
         if ((flags & X509_ADD_FLAG_UP_REF) != 0)
-            X509_free(cert);
+            X509_free((X509 *)cert);
         ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
         return 0;
     }

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a7eb7d9b3844458f71f228f423d5517ecd560b68..d36ff92150e4723780a272dc8e20883432491387 100644 (file)
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -99,7 +99,7 @@ static int null_callback(int ok, X509_STORE_CTX *e)
  * to match issuer and subject names (i.e., the cert being self-issued) and any
  * present authority key identifier to match the subject key identifier, etc.
  */
-int X509_self_signed(X509 *cert, int verify_signature)
+int X509_self_signed(const X509 *cert, int verify_signature)
 {
     EVP_PKEY *pkey;
 
@@ -107,7 +107,7 @@ int X509_self_signed(X509 *cert, int verify_signature)
         ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
         return -1;
     }
-    if (!ossl_x509v3_cache_extensions(cert))
+    if (!ossl_x509v3_cache_extensions((X509 *)cert))
         return -1;
     if ((cert->ex_flags & EXFLAG_SS) == 0)
         return 0;

diff --git a/doc/man3/X509_add_cert.pod b/doc/man3/X509_add_cert.pod
index 2b3db78018514fb322251ad356f5f8a0351b6e1b..5246e5b8bb2e38da1932f7d2bb19a2ad21c46e82 100644 (file)
--- a/doc/man3/X509_add_cert.pod
+++ b/doc/man3/X509_add_cert.pod
@@ -10,7 +10,7 @@ X509 certificate list addition functions
 
  #include <openssl/x509.h>
 
- int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
+ int X509_add_cert(STACK_OF(X509) *sk, const X509 *cert, int flags);
  int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags);
 
 =head1 DESCRIPTION
@@ -65,6 +65,8 @@ L<X509_self_signed(3)>
 The functions X509_add_cert() and X509_add_certs()
 were added in OpenSSL 3.0.
 
+X509_add_cert() had its cert parameter converted to be I<const> in OpenSSL 4.0.
+
 =head1 COPYRIGHT
 
 Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.

diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod
index ad08a5fafae2d0ebfb27bd7c917a956d00c11036..1f4835ccc46502f6576287a1c1496c678a0af8f5 100644 (file)
--- a/doc/man3/X509_verify.pod
+++ b/doc/man3/X509_verify.pod
@@ -12,7 +12,7 @@ verify certificate, certificate request, or CRL signature
  #include <openssl/x509.h>
 
  int X509_verify(X509 *x, EVP_PKEY *pkey);
- int X509_self_signed(X509 *cert, int verify_signature);
+ int X509_self_signed(const X509 *cert, int verify_signature);
 
  int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
                         const char *propq);
@@ -77,6 +77,8 @@ X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0.
 
 X509_ACERT_verify() was added in OpenSSL 3.4.
 
+X509_self_signed() had its cert parameter modified to be I<const> in OpenSSL 4.0.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.

diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 83dff4bc0f25c4ac2543aa69112309d0b658a048..cd35d9e2724a42451f1d61739c49b5cd891978d3 100644 (file)
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -328,7 +328,7 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);
 const char *X509_verify_cert_error_string(long n);
 
 int X509_verify(const X509 *a, EVP_PKEY *r);
-int X509_self_signed(X509 *cert, int verify_signature);
+int X509_self_signed(const X509 *cert, int verify_signature);
 
 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,
     const char *propq);
@@ -807,7 +807,7 @@ unsigned long X509_subject_name_hash_old(X509 *x);
 #define X509_ADD_FLAG_PREPEND 0x2
 #define X509_ADD_FLAG_NO_DUP 0x4
 #define X509_ADD_FLAG_NO_SS 0x8
-int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
+int X509_add_cert(STACK_OF(X509) *sk, const X509 *cert, int flags);
 int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags);
 
 int X509_cmp(const X509 *a, const X509 *b);