From: Neil Horman Date: Thu, 19 Feb 2026 20:17:10 +0000 (-0500) Subject: Constify X509_find_by_subject X-Git-Tag: openssl-4.0.0-alpha1~197 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0da29907e7da;p=thirdparty%2Fopenssl.git Constify X509_find_by_subject Transitively, this also requires the constification of OCSP_resp_get0_signer Reviewed-by: David von Oheimb Reviewed-by: Paul Dale Reviewed-by: Norbert Pocs MergeDate: Tue Feb 24 12:45:57 2026 (Merged from https://github.com/openssl/openssl/pull/30096) --- diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index f94e14c0f30..c3d90987b8d 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -13,21 +13,21 @@ #include "internal/sizes.h" #include "ocsp_local.h" -static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, +static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, unsigned long flags); -static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id); +static const X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id); static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain); static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp, OCSP_CERTID **ret); static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid, STACK_OF(OCSP_SINGLERESP) *sresp); static int ocsp_check_delegated(X509 *x); -static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, +static int ocsp_req_find_signer(const X509 **psigner, OCSP_REQUEST *req, const X509_NAME *nm, const STACK_OF(X509) *certs, unsigned long flags); /* Returns 1 on success, 0 on failure, or -1 on fatal error */ -static int ocsp_verify_signer(X509 *signer, int response, +static int ocsp_verify_signer(const X509 *signer, int response, X509_STORE *st, unsigned long flags, STACK_OF(X509) *untrusted, STACK_OF(X509) **chain) { @@ -39,7 +39,10 @@ static int ocsp_verify_signer(X509 *signer, int response, ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB); goto end; } - if (!X509_STORE_CTX_init(ctx, st, signer, untrusted)) { + /* + * TODO: The cast below can be dropped when #30076 lands + */ + if (!X509_STORE_CTX_init(ctx, st, (X509 *)signer, untrusted)) { ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB); goto end; } @@ -74,7 +77,7 @@ end: } static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs, - X509 *signer, unsigned long flags) + const X509 *signer, unsigned long flags) { EVP_PKEY *skey; int ret = 1; @@ -98,7 +101,7 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs, int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { - X509 *signer, *x; + const X509 *signer, *x; STACK_OF(X509) *chain = NULL; STACK_OF(X509) *untrusted = NULL; int ret = ocsp_find_signer(&signer, bs, certs, flags); @@ -145,7 +148,10 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, goto end; x = sk_X509_value(chain, sk_X509_num(chain) - 1); - if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { + /* + * TODO: Cast below can be dropped when #30071 lands + */ + if (X509_check_trust((X509 *)x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) { ERR_raise(ERR_LIB_OCSP, OCSP_R_ROOT_CA_NOT_TRUSTED); ret = 0; goto end; @@ -159,16 +165,16 @@ end: return ret; } -int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, +int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer, const STACK_OF(X509) *extra_certs) { return ocsp_find_signer(signer, bs, extra_certs, 0) > 0; } -static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, +static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs, const STACK_OF(X509) *certs, unsigned long flags) { - X509 *signer; + const X509 *signer; OCSP_RESPID *rid = &bs->tbsResponseData.responderId; if ((signer = ocsp_find_signer_sk(certs, rid)) != NULL) { @@ -185,7 +191,7 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, return 0; } -static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id) +static const X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id) { int i, r; unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; @@ -377,7 +383,7 @@ static int ocsp_check_delegated(X509 *x) int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags) { - X509 *signer; + const X509 *signer; const X509_NAME *nm; GENERAL_NAME *gen; int ret; @@ -410,11 +416,11 @@ int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs, /* using '> 0' here to avoid breaking backward compatibility returning -1 */ } -static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req, +static int ocsp_req_find_signer(const X509 **psigner, OCSP_REQUEST *req, const X509_NAME *nm, const STACK_OF(X509) *certs, unsigned long flags) { - X509 *signer; + const X509 *signer; if ((flags & OCSP_NOINTERN) == 0) { signer = X509_find_by_subject(req->optionalSignature->certs, nm); diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index b3e42f56c25..c323df3fba2 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -365,7 +365,7 @@ X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME * return NULL; } -X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name) +const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name) { X509 *x509; int i; @@ -373,7 +373,7 @@ X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name) for (i = 0; i < sk_X509_num(sk); i++) { x509 = sk_X509_value(sk, i); if (X509_NAME_cmp(X509_get_subject_name(x509), name) == 0) - return x509; + return (const X509 *)x509; } return NULL; } diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod index 2e36a26a88e..852ca74672e 100644 --- a/doc/man3/OCSP_resp_find_status.pod +++ b/doc/man3/OCSP_resp_find_status.pod @@ -37,7 +37,7 @@ OCSP_check_validity, OCSP_basic_verify const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs); - int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, + int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer, STACK_OF(X509) *extra_certs); int OCSP_resp_get0_id(const OCSP_BASICRESP *bs, @@ -208,6 +208,10 @@ L, L, L +=head1 HISTORY + +OCSP_resp_get0_signer() was constified in OpenSSL 4.0. + =head1 COPYRIGHT Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in index f2380543ff9..c3a849ed01d 100644 --- a/include/openssl/ocsp.h.in +++ b/include/openssl/ocsp.h.in @@ -232,7 +232,7 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs); const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs); const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs); -int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer, +int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer, const STACK_OF(X509) *extra_certs); int OCSP_resp_count(OCSP_BASICRESP *bs); diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in index 1846c9b688e..5832eaa146b 100644 --- a/include/openssl/x509.h.in +++ b/include/openssl/x509.h.in @@ -1024,7 +1024,7 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key, /* lookup a cert from a X509 STACK */ X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name, const ASN1_INTEGER *serial); -X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name); +const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name); DECLARE_ASN1_FUNCTIONS(PBEPARAM) DECLARE_ASN1_FUNCTIONS(PBE2PARAM) diff --git a/test/ocspapitest.c b/test/ocspapitest.c index ce8f172494c..b377ca0aa7f 100644 --- a/test/ocspapitest.c +++ b/test/ocspapitest.c @@ -112,7 +112,8 @@ err: static int test_resp_signer(void) { OCSP_BASICRESP *bs = NULL; - X509 *signer = NULL, *tmp; + X509 *signer = NULL; + const X509 *tmp; EVP_PKEY *key = NULL; STACK_OF(X509) *extra_certs = NULL; int ret = 0;