Dev news

Commit 07ee3d5db8 for openssl.org

commit 07ee3d5db8a291e0809a9ff0789b539daf6fadf0
Author: Neil Horman <nhorman@openssl.org>
Date:   Thu Feb 19 12:07:21 2026 -0500

    constify X509_find_by_issuer_and_serial

    Constify the return value of X509_find_by_issuer_and_serial, and fix up
    the callers to handle it properly (affects two pkcs7 functions)

    Reviewed-by: Tomas Mraz <tomas@openssl.org>
    Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
    MergeDate: Wed Feb 25 15:05:11 2026
    (Merged from https://github.com/openssl/openssl/pull/30092)

diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index e5b1426194..55353e3e15 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -979,7 +979,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
     int ret = 0, i;
     STACK_OF(X509) *untrusted;
     STACK_OF(X509_CRL) *crls;
-    X509 *signer;
+    const X509 *signer;

     if (p7 == NULL) {
         ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER);
@@ -1015,7 +1015,10 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
     }

     /* Lets verify */
-    if (!X509_STORE_CTX_init(ctx, cert_store, signer, untrusted)) {
+    /*
+     * TODO: This cast can be removed when #30076 is merged
+     */
+    if (!X509_STORE_CTX_init(ctx, cert_store, (X509 *)signer, untrusted)) {
         ERR_raise(ERR_LIB_PKCS7, ERR_R_X509_LIB);
         goto err;
     }
@@ -1032,7 +1035,7 @@ err:
 }

 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
-    X509 *signer)
+    const X509 *signer)
 {
     ASN1_OCTET_STRING *os;
     EVP_MD_CTX *mdc_tmp, *mdc;
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 675c694e66..311dffd4aa 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -675,7 +675,7 @@ err:
     return 0;
 }

-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
+const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 {
     if (PKCS7_type_is_signed(p7))
         return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 060def46db..59a7fd4387 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -365,7 +365,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
     PKCS7_SIGNER_INFO *si;
     PKCS7_ISSUER_AND_SERIAL *ias;
-    X509 *signer;
+    const X509 *signer;
     int i;

     if (p7 == NULL) {
@@ -409,7 +409,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
             return 0;
         }

-        if (!sk_X509_push(signers, signer)) {
+        if (!sk_X509_push(signers, (X509 *)signer)) {
             sk_X509_free(signers);
             return NULL;
         }
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 0418d2d636..688dbbac82 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -345,7 +345,7 @@ end:
 #endif

 /* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
     const ASN1_INTEGER *serial)
 {
     int i;
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index 5065591e52..7043da8ef1 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -284,7 +284,7 @@ int PKCS7_content_new(PKCS7 *p7, int nid);
 int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx,
     BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si,
-    X509 *signer);
+    const X509 *signer);

 BIO *PKCS7_dataInit(PKCS7 *p7, BIO *bio);
 int PKCS7_dataFinal(PKCS7 *p7, BIO *bio);
@@ -292,7 +292,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);

 PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
     EVP_PKEY *pkey, const EVP_MD *dgst);
-X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md);
 STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);

diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 382ecc5d8c..31ddf3ebec 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -1022,7 +1022,7 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
     const unsigned char *bytes, int len);

 /* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
     const ASN1_INTEGER *serial);
 const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);