From: kovan Date: Wed, 28 Jan 2026 01:22:21 +0000 (+0100) Subject: Make X509_ATTRIBUTE accessor functions const-correct X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0c841cd5aac5c9ee0c135689e131cd58c3fcea5d;p=thirdparty%2Fopenssl.git Make X509_ATTRIBUTE accessor functions const-correct The X509_ATTRIBUTE accessor functions were not const-correct, preventing callers from usefully interacting with a const X509_ATTRIBUTE pointer. Update the following functions to accept const X509_ATTRIBUTE * and return const pointers where appropriate: - X509_ATTRIBUTE_get0_object: returns const ASN1_OBJECT * - X509_ATTRIBUTE_get0_type: returns const ASN1_TYPE * - X509_ATTRIBUTE_get0_data: returns const void * Also update dependent PKCS12 functions: - PKCS12_get_attr_gen: returns const ASN1_TYPE * - PKCS12_get_attr: returns const ASN1_TYPE * (deprecated) - PKCS8_get_attr: returns const ASN1_TYPE * Update all callers to use const pointers for the return values. Fixes #29811 Co-Authored-By: Claude Opus 4.5 Reviewed-by: Frederik Wedel-Heinen Reviewed-by: Dmitry Belyavskiy Reviewed-by: David von Oheimb Reviewed-by: Tim Hudson MergeDate: Fri Feb 13 14:46:26 2026 (Merged from https://github.com/openssl/openssl/pull/29813)
---
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 4aa72866cf2..a9beaa0a3e0 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -1324,7 +1324,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
 const char *name)
 {
 X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
 int i, j, attr_nid;
 if (!attrlst) {
 BIO_printf(out, "%s: \n", name);
@@ -1336,7 +1336,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
 }
 BIO_printf(out, "%s\n", name);
 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
 attr = sk_X509_ATTRIBUTE_value(attrlst, i);
 attr_obj = X509_ATTRIBUTE_get0_object(attr);
 attr_nid = OBJ_obj2nid(attr_obj);
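Review bot: In `print_attribs` (apps/pkcs12.c) the local `X509_ATTRIBUTE *attr;` stays non-const although the accessor it is passed to in the second hunk, `X509_ATTRIBUTE_get0_object(attr)`, now takes `const X509_ATTRIBUTE *`. Declaring it `const X509_ATTRIBUTE *attr;` would let the compiler reject any later write through it; the rest of the function lies outside both hunks, so confirm nothing there needs a mutable pointer. The same leftover is visible in the hunks for crypto/x509/t_req.c (`X509_ATTRIBUTE *a;`), crypto/x509/v3_aaa.c, crypto/x509/v3_sda.c, crypto/x509/x509_req.c, demos/cms/cms_ver.c and test/helpers/pkcs12.c, and in the `X509_ATTRIBUTE *a` parameter of `print_attribute` in crypto/x509/t_acert.c.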
diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c
index ec609d9b5a6..eaa3811e246 100644
--- a/crypto/pkcs12/p12_attr.c
+++ b/crypto/pkcs12/p12_attr.c
@@ -97,7 +97,7 @@ int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
 return 0;
 }
-ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
+const ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
 int attr_nid)
 {
 int i = X509at_get_attr_by_NID(attrs, attr_nid, -1);
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index c9748bc5cd6..6598fe73585 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -14,7 +14,7 @@
 #include "crypto/x509.h"
 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
-ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
+const ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
 {
 return PKCS12_get_attr_gen(bag->attrib, attr_nid);
 }
@@ -26,7 +26,7 @@ const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
 return PKCS12_get_attr_gen(bag->attrib, attr_nid);
 }
-ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
+const ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
 {
 return PKCS12_get_attr_gen(PKCS8_pkey_get0_attrs(p8), attr_nid);
 }
diff --git a/crypto/x509/t_acert.c b/crypto/x509/t_acert.c
index 1ee6b9eacb0..4bec85228bb 100644
--- a/crypto/x509/t_acert.c
+++ b/crypto/x509/t_acert.c
@@ -16,7 +16,7 @@
 static int print_attribute(BIO *bp, X509_ATTRIBUTE *a)
 {
- ASN1_OBJECT *aobj;
+ const ASN1_OBJECT *aobj;
 int i, j, count;
 int ret = 0;
@@ -40,7 +40,7 @@ static int print_attribute(BIO *bp, X509_ATTRIBUTE *a)
 goto err;
 for (i = 0; i < count; i++) {
- ASN1_TYPE *at;
+ const ASN1_TYPE *at;
 int type;
 ASN1_BIT_STRING *bs;
diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index bb10d6f6f19..75a79618c56 100644
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
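Review bot: `PKCS8_get_attr` in crypto/pkcs12/p12_sbag.c now returns `const ASN1_TYPE *` but still takes a mutable `PKCS8_PRIV_KEY_INFO *p8`, while the neighbouring `PKCS12_get_attr` and `PKCS12_SAFEBAG_get0_attr` in the same file take `const PKCS12_SAFEBAG *bag`. The body only forwards `p8` to `PKCS8_pkey_get0_attrs(p8)`; if that function accepts a const argument (its declaration is not on this page), the signature could become `const ASN1_TYPE *PKCS8_get_attr(const PKCS8_PRIV_KEY_INFO *p8, int attr_nid)`. The prototype in include/openssl/pkcs12.h.in would need the same change, and existing callers that pass a non-const pointer keep compiling.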
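Review bot: The new `const ASN1_TYPE *at;` in the second hunk of `print_attribute` (crypto/x509/t_acert.c) sits next to `ASN1_BIT_STRING *bs;`, which is still mutable, so the const added here covers only the ASN1_TYPE wrapper and not the value it points to. If `bs` is assigned from a member of `at->value` further down (that code is outside the hunk), the attribute payload remains writable through `bs`; `const ASN1_BIT_STRING *bs;` would carry the read-only intent through to the data. The same pairing shows in `X509_REQ_print_ex` in crypto/x509/t_req.c (`ASN1_BIT_STRING *bs = NULL;`) and in `print_signingTime` in demos/cms/cms_ver.c (`ASN1_UTCTIME *utctime;`, `ASN1_GENERALIZEDTIME *gtime;`).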
@@ -112,10 +112,10 @@ int X509_REQ_print_ex(BIO *bp, const X509_REQ *x, unsigned long nmflags, unsigne
 goto err;
 } else {
 for (i = 0; i < X509_REQ_get_attr_count(x); i++) {
- ASN1_TYPE *at;
+ const ASN1_TYPE *at;
 X509_ATTRIBUTE *a;
 ASN1_BIT_STRING *bs = NULL;
- ASN1_OBJECT *aobj;
+ const ASN1_OBJECT *aobj;
 int j, type = 0, count = 1, ii = 0;
 a = X509_REQ_get_attr(x, i);
diff --git a/crypto/x509/v3_aaa.c b/crypto/x509/v3_aaa.c
index 64d0791eb4d..ff387334b00 100644
--- a/crypto/x509/v3_aaa.c
+++ b/crypto/x509/v3_aaa.c
@@ -39,10 +39,10 @@ static int i2r_ALLOWED_ATTRIBUTES_CHOICE(X509V3_EXT_METHOD *method,
 OSSL_ALLOWED_ATTRIBUTES_CHOICE *a,
 BIO *out, int indent)
 {
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
 int attr_nid, j;
 X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
 switch (a->type) {
 case (OSSL_AAA_ATTRIBUTE_TYPE):
diff --git a/crypto/x509/v3_sda.c b/crypto/x509/v3_sda.c
index a3ecc3318dc..679042110c3 100644
--- a/crypto/x509/v3_sda.c
+++ b/crypto/x509/v3_sda.c
@@ -22,7 +22,7 @@ static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
 BIO *out, int indent)
 {
 X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
 int i, j, attr_nid;
 if (!attrlst) {
@@ -37,7 +37,7 @@ static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
 }
 for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
 attr = sk_X509_ATTRIBUTE_value(attrlst, i);
 attr_obj = X509_ATTRIBUTE_get0_object(attr);
 attr_nid = OBJ_obj2nid(attr_obj);
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index a0fb4454727..ec84c0ba11b 100644
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -411,7 +411,7 @@ int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr)
 return sk_ASN1_TYPE_num(attr->set);
 }
-ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
+const ASN1_OBJECT *X509_ATTRIBUTE_get0_object(const X509_ATTRIBUTE *attr)
 {
 if (attr == NULL) {
 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
@@ -420,10 +420,10 @@ ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
 return attr->object;
 }
-void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+const void *X509_ATTRIBUTE_get0_data(const X509_ATTRIBUTE *attr, int idx,
 int atrtype, void *data)
 {
- ASN1_TYPE *ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
+ const ASN1_TYPE *ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
 if (ttmp == NULL)
 return NULL;
@@ -436,7 +436,7 @@ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
 return ttmp->value.ptr;
 }
-ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
+const ASN1_TYPE *X509_ATTRIBUTE_get0_type(const X509_ATTRIBUTE *attr, int idx)
 {
 if (attr == NULL) {
 ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 014c7aa3618..de00baf1baa 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -121,7 +121,7 @@ static STACK_OF(X509_EXTENSION) *get_extensions_by_nid(const X509_REQ *req,
 int nid)
 {
 X509_ATTRIBUTE *attr;
- ASN1_TYPE *ext = NULL;
+ const ASN1_TYPE *ext = NULL;
 const unsigned char *p;
 int idx = X509_REQ_get_attr_by_NID(req, nid, -1);
diff --git a/demos/cms/cms_ver.c b/demos/cms/cms_ver.c
index b454983d302..7e912479324 100644
--- a/demos/cms/cms_ver.c
+++ b/demos/cms/cms_ver.c
@@ -21,7 +21,7 @@ static void print_signingTime(CMS_ContentInfo *cms)
 STACK_OF(CMS_SignerInfo) *sis;
 CMS_SignerInfo *si;
 X509_ATTRIBUTE *attr;
- ASN1_TYPE *t;
+ const ASN1_TYPE *t;
 ASN1_UTCTIME *utctime;
 ASN1_GENERALIZEDTIME *gtime;
 BIO *b;
diff --git a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
index 8ed67fbdf72..e54d54358f4 100644
--- a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
+++ b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
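Review bot: `X509_ATTRIBUTE_get0_data` in crypto/x509/x509_att.c carries no comment saying who owns the pointer it returns, and after this change that pointer is `ttmp->value.ptr` handed out as `const void *`, i.e. memory reached through the attribute itself. A short header comment would make the contract explicit, for example `/* Returns an internal pointer owned by attr; the caller must not free or modify it. */`, and it should also state how long the pointer stays usable relative to `attr`. The `void *data` parameter is left non-const in the new signature; the function body is split across two hunks and the lines between them are not shown, so if `data` is unused the same comment is the place to say so.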
@@ -11,8 +11,8 @@ PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen
 const STACK_OF(X509_ATTRIBUTE) *PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag);
- ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
- int attr_nid);
+ const ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
+ int attr_nid);
 =head1 DESCRIPTION
diff --git a/doc/man3/X509_ATTRIBUTE.pod b/doc/man3/X509_ATTRIBUTE.pod
index f2f7597d0bf..a9588e9840d 100644
--- a/doc/man3/X509_ATTRIBUTE.pod
+++ b/doc/man3/X509_ATTRIBUTE.pod
@@ -61,11 +61,11 @@ X509_ATTRIBUTE_get0_data, X509_ATTRIBUTE_get0_object, X509_ATTRIBUTE_get0_type
 int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
 int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
 const void *data, int len);
- void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
- void *data);
+ const void *X509_ATTRIBUTE_get0_data(const X509_ATTRIBUTE *attr, int idx,
+ int atrtype, void *data);
 int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
- ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
- ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+ const ASN1_OBJECT *X509_ATTRIBUTE_get0_object(const X509_ATTRIBUTE *attr);
+ const ASN1_TYPE *X509_ATTRIBUTE_get0_type(const X509_ATTRIBUTE *attr, int idx);
 =head1 DESCRIPTION
diff --git a/include/openssl/pkcs12.h.in b/include/openssl/pkcs12.h.in
index f810bde7591..66b49a6b055 100644
--- a/include/openssl/pkcs12.h.in
+++ b/include/openssl/pkcs12.h.in
@@ -101,11 +101,11 @@ typedef struct pkcs12_bag_st PKCS12_BAGS;
 #endif
 #ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag,
+OSSL_DEPRECATEDIN_1_1_0 const ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag,
 int attr_nid);
 #endif
-ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
+const ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
 int PKCS12_mac_present(const PKCS12 *p12);
 void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
 const X509_ALGOR **pmacalg,
@@ -206,7 +206,7 @@ int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type,
 int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
 const unsigned char *bytes, int len);
 int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
-ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
+const ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
 int attr_nid);
 char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
 const STACK_OF(X509_ATTRIBUTE) *
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index ae2e19d6743..f77d0025d30 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
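Review bot: The prototypes changed in include/openssl/pkcs12.h.in (`PKCS12_get_attr`, `PKCS8_get_attr`, `PKCS12_get_attr_gen`) and in include/openssl/x509.h.in (`X509_ATTRIBUTE_get0_data`, `X509_ATTRIBUTE_get0_object`, `X509_ATTRIBUTE_get0_type`) carry nothing that marks the return-type change, which is source-incompatible for existing callers. Code that stores the result in a non-const pointer now gets a discarded-qualifier diagnostic in C and fails to compile in C++. The two .pod hunks on this page update only the SYNOPSIS; a HISTORY entry naming the release in which these return types became const, plus a changelog line if the commit does not add one in a file not shown here, would tell downstream maintainers what to adjust.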
@@ -996,11 +996,11 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
 int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
 int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
 const void *data, int len);
-void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
- void *data);
+const void *X509_ATTRIBUTE_get0_data(const X509_ATTRIBUTE *attr, int idx,
+ int atrtype, void *data);
 int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
-ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
-ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+const ASN1_OBJECT *X509_ATTRIBUTE_get0_object(const X509_ATTRIBUTE *attr);
+const ASN1_TYPE *X509_ATTRIBUTE_get0_type(const X509_ATTRIBUTE *attr, int idx);
 int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
 int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos);
diff --git a/test/helpers/pkcs12.c b/test/helpers/pkcs12.c
index a50ce6f1dfe..b9769960173 100644
--- a/test/helpers/pkcs12.c
+++ b/test/helpers/pkcs12.c
@@ -500,13 +500,13 @@ static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_A
 {
 int ret = 0;
 X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
 int i, j;
 char attr_txt[100];
 for (i = 0; i < sk_X509_ATTRIBUTE_num(bag_attrs); i++) {
 const PKCS12_ATTR *p_attr = attrs;
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
 attr = sk_X509_ATTRIBUTE_value(bag_attrs, i);
 attr_obj = X509_ATTRIBUTE_get0_object(attr);