From: Neil Horman Date: Tue, 17 Feb 2026 20:47:12 +0000 (-0500) Subject: Consity X509_add_cert and X509_self_signed X-Git-Tag: openssl-4.0.0-alpha1~265 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8ace465709c862040842705be2c05c87cf2a1d54;p=thirdparty%2Fopenssl.git Consity X509_add_cert and X509_self_signed As part of the effort to not allow mutable X509 objects where they aren't needed, constify the cert parameter for these two functions Reviewed-by: Tomas Mraz Reviewed-by: Norbert Pocs MergeDate: Fri Feb 20 13:33:04 2026 (Merged from https://github.com/openssl/openssl/pull/30054)
---
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index c915fa4d84d..51952dce560 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -187,7 +187,7 @@ int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags)
     return X509_add_cert(*p_sk, cert, flags);
 }
 
-int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
+int X509_add_cert(STACK_OF(X509) *sk, const X509 *cert, int flags)
 {
     if (sk == NULL) {
         ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
@@ -213,12 +213,16 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
         if (ret != 0)
             return ret > 0 ? 1 : 0;
     }
-    if ((flags & X509_ADD_FLAG_UP_REF) != 0 && !X509_up_ref(cert))
+    /*
+     * Note: We're technically mutating the cert here, but its just to up
+     * the reference count, so that should be safe, so cast away
+     */
+    if ((flags & X509_ADD_FLAG_UP_REF) != 0 && !X509_up_ref((X509 *)cert))
         return 0;
-    if (!sk_X509_insert(sk, cert,
+    if (!sk_X509_insert(sk, (X509 *)cert,
                         (flags & X509_ADD_FLAG_PREPEND) != 0 ? 0 : -1)) {
         if ((flags & X509_ADD_FLAG_UP_REF) != 0)
-            X509_free(cert);
+            X509_free((X509 *)cert);
         ERR_raise(ERR_LIB_X509, ERR_R_CRYPTO_LIB);
         return 0;
     }
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index a7eb7d9b384..d36ff92150e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
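Review bot: The internal wrapper named in the hunk header, `ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, X509 *cert, int flags)`, keeps a non-const `cert` while the only use visible here is the forwarding call `return X509_add_cert(*p_sk, cert, flags);`. If the part of its body above this hunk does not touch the certificate either, it could be constified in the same change so the internal helper matches the public API: `int ossl_x509_add_cert_new(STACK_OF(X509) **p_sk, const X509 *cert, int flags)`. X509_add_cert() itself continues past the end of the hunk.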
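Review bot: The `(X509 *)` cast is also applied in `sk_X509_insert(sk, (X509 *)cert, ...)`, so the stack keeps a mutable pointer to an object the caller passed as `const`, while the new comment only justifies the reference-count bump in `X509_up_ref()`. Anything later fetched from the stack can be modified or, when `X509_ADD_FLAG_UP_REF` is not set, freed by whoever owns the stack, so `const` here documents that this function does not alter the certificate's contents rather than that the object stays immutable or outlives the call; I would state that instead of "so cast away", e.g. `/* const is a promise that this function leaves the certificate contents untouched; the stack stores a non-const pointer and, without UP_REF, takes ownership of it */`. The same point applies to the `ossl_x509v3_cache_extensions((X509 *)cert)` cast in crypto/x509/x509_vfy.c. Minor: "its" in the new comment should be "it's".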
@@ -99,7 +99,7 @@ static int null_callback(int ok, X509_STORE_CTX *e)
  * to match issuer and subject names (i.e., the cert being self-issued) and any
  * present authority key identifier to match the subject key identifier, etc.
  */
-int X509_self_signed(X509 *cert, int verify_signature)
+int X509_self_signed(const X509 *cert, int verify_signature)
 {
     EVP_PKEY *pkey;
 
@@ -107,7 +107,7 @@ int X509_self_signed(X509 *cert, int verify_signature)
         ERR_raise(ERR_LIB_X509, X509_R_UNABLE_TO_GET_CERTS_PUBLIC_KEY);
         return -1;
     }
-    if (!ossl_x509v3_cache_extensions(cert))
+    if (!ossl_x509v3_cache_extensions((X509 *)cert))
         return -1;
     if ((cert->ex_flags & EXFLAG_SS) == 0)
         return 0;
diff --git a/doc/man3/X509_add_cert.pod b/doc/man3/X509_add_cert.pod
index 2b3db780185..5246e5b8bb2 100644
--- a/doc/man3/X509_add_cert.pod
+++ b/doc/man3/X509_add_cert.pod
@@ -10,7 +10,7 @@ X509 certificate list addition functions
  #include
 
- int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
+ int X509_add_cert(STACK_OF(X509) *sk, const X509 *cert, int flags);
  int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs,
                     int flags);
 
 =head1 DESCRIPTION
@@ -65,6 +65,8 @@ L
 
 The functions X509_add_cert() and X509_add_certs() were added in OpenSSL 3.0.
 
+X509_add_cert() had its cert parameter converted to be I in OpenSSL 4.0.
+
 =head1 COPYRIGHT
 
 Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/X509_verify.pod b/doc/man3/X509_verify.pod
index ad08a5fafae..1f4835ccc46 100644
--- a/doc/man3/X509_verify.pod
+++ b/doc/man3/X509_verify.pod
@@ -12,7 +12,7 @@ verify certificate, certificate request, or CRL signature
  #include
 
  int X509_verify(X509 *x, EVP_PKEY *pkey);
- int X509_self_signed(X509 *cert, int verify_signature);
+ int X509_self_signed(const X509 *cert, int verify_signature);
  int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *pkey, OSSL_LIB_CTX *libctx,
                         const char *propq);
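Review bot: The cast in `ossl_x509v3_cache_extensions((X509 *)cert)` hides what looks like a genuine write to the object — the next line reads `cert->ex_flags & EXFLAG_SS`, which suggests the call fills in the cached extension fields on first use — and unlike the x509_cmp.c hunk it carries no comment explaining why the cast is acceptable. A short note would stop a reader from assuming the cast is cosmetic: `/* may lazily populate cert's cached ex_* fields; const only promises the certificate contents are left as-is */`. Whether that population happens under the certificate's lock is not visible here; it matters because a `const X509 *` signature invites callers to share one object across threads. X509_self_signed()'s body continues beyond the hunk.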
@@ -77,6 +77,8 @@ X509_REQ_verify_ex(), and X509_self_signed() were added in OpenSSL 3.0.
 
 X509_ACERT_verify() was added in OpenSSL 3.4.
 
+X509_self_signed() had its cert parameter modified to be I in OpenSSL 4.0.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2024 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 83dff4bc0f2..cd35d9e2724 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -328,7 +328,7 @@ void *X509_CRL_get_meth_data(X509_CRL *crl);
 const char *X509_verify_cert_error_string(long n);
 
 int X509_verify(const X509 *a, EVP_PKEY *r);
-int X509_self_signed(X509 *cert, int verify_signature);
+int X509_self_signed(const X509 *cert, int verify_signature);
 int X509_REQ_verify_ex(X509_REQ *a, EVP_PKEY *r, OSSL_LIB_CTX *libctx,
                        const char *propq);
@@ -807,7 +807,7 @@ unsigned long X509_subject_name_hash_old(X509 *x);
 #define X509_ADD_FLAG_PREPEND 0x2
 #define X509_ADD_FLAG_NO_DUP 0x4
 #define X509_ADD_FLAG_NO_SS 0x8
-int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
+int X509_add_cert(STACK_OF(X509) *sk, const X509 *cert, int flags);
 int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs,
                    int flags);
 int X509_cmp(const X509 *a, const X509 *b);