Commit 0c841cd5aa for openssl.org
commit 0c841cd5aac5c9ee0c135689e131cd58c3fcea5d
Author: kovan <xaum.io@gmail.com>
Date: Wed Jan 28 02:22:21 2026 +0100
Make X509_ATTRIBUTE accessor functions const-correct
The X509_ATTRIBUTE accessor functions were not const-correct, preventing
callers from usefully interacting with a const X509_ATTRIBUTE pointer.
Update the following functions to accept const X509_ATTRIBUTE * and
return const pointers where appropriate:
- X509_ATTRIBUTE_get0_object: returns const ASN1_OBJECT *
- X509_ATTRIBUTE_get0_type: returns const ASN1_TYPE *
- X509_ATTRIBUTE_get0_data: returns const void *
Also update dependent PKCS12 functions:
- PKCS12_get_attr_gen: returns const ASN1_TYPE *
- PKCS12_get_attr: returns const ASN1_TYPE * (deprecated)
- PKCS8_get_attr: returns const ASN1_TYPE *
Update all callers to use const pointers for the return values.
Fixes #29811
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
MergeDate: Fri Feb 13 14:46:26 2026
(Merged from https://github.com/openssl/openssl/pull/29813)
diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 4aa72866cf..a9beaa0a3e 100644
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -1324,7 +1324,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
const char *name)
{
X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
int i, j, attr_nid;
if (!attrlst) {
BIO_printf(out, "%s: <No Attributes>\n", name);
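Review bot: The local `X509_ATTRIBUTE *attr;` in print_attribs stays non-const, although the only accessor call visible here, `X509_ATTRIBUTE_get0_object(attr)` in the next hunk, now takes `const X509_ATTRIBUTE *`. Declaring it `const X509_ATTRIBUTE *attr;` would carry the read-only intent through the loop and let the compiler reject an accidental write to an attribute taken from the `const STACK_OF(X509_ATTRIBUTE) *` argument. This assumes the rest of the body, which lies outside the hunk, only reads through `attr`. The same unchanged declaration appears in the hunks for `crypto/x509/v3_sda.c`, `crypto/x509/v3_aaa.c`, `crypto/x509/x509_req.c` and `test/helpers/pkcs12.c`.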
@@ -1336,7 +1336,7 @@ int print_attribs(BIO *out, const STACK_OF(X509_ATTRIBUTE) *attrlst,
}
BIO_printf(out, "%s\n", name);
for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
attr = sk_X509_ATTRIBUTE_value(attrlst, i);
attr_obj = X509_ATTRIBUTE_get0_object(attr);
attr_nid = OBJ_obj2nid(attr_obj);
diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c
index ec609d9b5a..eaa3811e24 100644
--- a/crypto/pkcs12/p12_attr.c
+++ b/crypto/pkcs12/p12_attr.c
@@ -97,7 +97,7 @@ int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
return 0;
}
-ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
+const ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
int attr_nid)
{
int i = X509at_get_attr_by_NID(attrs, attr_nid, -1);
diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c
index c9748bc5cd..6598fe7358 100644
--- a/crypto/pkcs12/p12_sbag.c
+++ b/crypto/pkcs12/p12_sbag.c
@@ -14,7 +14,7 @@
#include "crypto/x509.h"
#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
+const ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag, int attr_nid)
{
return PKCS12_get_attr_gen(bag->attrib, attr_nid);
}
@@ -26,7 +26,7 @@ const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
return PKCS12_get_attr_gen(bag->attrib, attr_nid);
}
-ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
+const ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid)
{
return PKCS12_get_attr_gen(PKCS8_pkey_get0_attrs(p8), attr_nid);
}
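Review bot: `PKCS8_get_attr` now returns a const pointer but still takes a mutable `PKCS8_PRIV_KEY_INFO *p8`, so a caller holding a const key-info object still cannot use it. The body only forwards `p8` to `PKCS8_pkey_get0_attrs`, which as far as I know already accepts a const pointer, so the signature could become `const ASN1_TYPE *PKCS8_get_attr(const PKCS8_PRIV_KEY_INFO *p8, int attr_nid)`. The prototype in `include/openssl/pkcs12.h.in` would need the same change.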
diff --git a/crypto/x509/t_acert.c b/crypto/x509/t_acert.c
index 1ee6b9eacb..4bec85228b 100644
--- a/crypto/x509/t_acert.c
+++ b/crypto/x509/t_acert.c
@@ -16,7 +16,7 @@
static int print_attribute(BIO *bp, X509_ATTRIBUTE *a)
{
- ASN1_OBJECT *aobj;
+ const ASN1_OBJECT *aobj;
int i, j, count;
int ret = 0;
@@ -40,7 +40,7 @@ static int print_attribute(BIO *bp, X509_ATTRIBUTE *a)
goto err;
for (i = 0; i < count; i++) {
- ASN1_TYPE *at;
+ const ASN1_TYPE *at;
int type;
ASN1_BIT_STRING *bs;
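Review bot: The const on `at` is shallow: the pointer members of the `value` union inside a `const ASN1_TYPE` still point to non-const data. If `ASN1_BIT_STRING *bs;` is loaded from `at->value` later in the loop, which is outside this hunk, the attribute contents remain writable through it. Where the value is only printed, declaring `const ASN1_BIT_STRING *bs;` would keep the read-only guarantee that this commit introduces. The same applies to `bs` in the `crypto/x509/t_req.c` hunk and to `utctime` and `gtime` in `demos/cms/cms_ver.c`.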
diff --git a/crypto/x509/t_req.c b/crypto/x509/t_req.c
index bb10d6f6f1..75a79618c5 100644
--- a/crypto/x509/t_req.c
+++ b/crypto/x509/t_req.c
@@ -112,10 +112,10 @@ int X509_REQ_print_ex(BIO *bp, const X509_REQ *x, unsigned long nmflags, unsigne
goto err;
} else {
for (i = 0; i < X509_REQ_get_attr_count(x); i++) {
- ASN1_TYPE *at;
+ const ASN1_TYPE *at;
X509_ATTRIBUTE *a;
ASN1_BIT_STRING *bs = NULL;
- ASN1_OBJECT *aobj;
+ const ASN1_OBJECT *aobj;
int j, type = 0, count = 1, ii = 0;
a = X509_REQ_get_attr(x, i);
diff --git a/crypto/x509/v3_aaa.c b/crypto/x509/v3_aaa.c
index 64d0791eb4..ff387334b0 100644
--- a/crypto/x509/v3_aaa.c
+++ b/crypto/x509/v3_aaa.c
@@ -39,10 +39,10 @@ static int i2r_ALLOWED_ATTRIBUTES_CHOICE(X509V3_EXT_METHOD *method,
OSSL_ALLOWED_ATTRIBUTES_CHOICE *a,
BIO *out, int indent)
{
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
int attr_nid, j;
X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
switch (a->type) {
case (OSSL_AAA_ATTRIBUTE_TYPE):
diff --git a/crypto/x509/v3_sda.c b/crypto/x509/v3_sda.c
index a3ecc3318d..679042110c 100644
--- a/crypto/x509/v3_sda.c
+++ b/crypto/x509/v3_sda.c
@@ -22,7 +22,7 @@ static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
BIO *out, int indent)
{
X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
int i, j, attr_nid;
if (!attrlst) {
@@ -37,7 +37,7 @@ static int i2r_ATTRIBUTES_SYNTAX(X509V3_EXT_METHOD *method,
}
for (i = 0; i < sk_X509_ATTRIBUTE_num(attrlst); i++) {
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
attr = sk_X509_ATTRIBUTE_value(attrlst, i);
attr_obj = X509_ATTRIBUTE_get0_object(attr);
attr_nid = OBJ_obj2nid(attr_obj);
diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c
index a0fb445472..ec84c0ba11 100644
--- a/crypto/x509/x509_att.c
+++ b/crypto/x509/x509_att.c
@@ -411,7 +411,7 @@ int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr)
return sk_ASN1_TYPE_num(attr->set);
}
-ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
+const ASN1_OBJECT *X509_ATTRIBUTE_get0_object(const X509_ATTRIBUTE *attr)
{
if (attr == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
@@ -420,10 +420,10 @@ ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr)
return attr->object;
}
-void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
+const void *X509_ATTRIBUTE_get0_data(const X509_ATTRIBUTE *attr, int idx,
int atrtype, void *data)
{
- ASN1_TYPE *ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
+ const ASN1_TYPE *ttmp = X509_ATTRIBUTE_get0_type(attr, idx);
if (ttmp == NULL)
return NULL;
@@ -436,7 +436,7 @@ void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx,
return ttmp->value.ptr;
}
-ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx)
+const ASN1_TYPE *X509_ATTRIBUTE_get0_type(const X509_ATTRIBUTE *attr, int idx)
{
if (attr == NULL) {
ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index 014c7aa361..de00baf1ba 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -121,7 +121,7 @@ static STACK_OF(X509_EXTENSION) *get_extensions_by_nid(const X509_REQ *req,
int nid)
{
X509_ATTRIBUTE *attr;
- ASN1_TYPE *ext = NULL;
+ const ASN1_TYPE *ext = NULL;
const unsigned char *p;
int idx = X509_REQ_get_attr_by_NID(req, nid, -1);
diff --git a/demos/cms/cms_ver.c b/demos/cms/cms_ver.c
index b454983d30..7e91247932 100644
--- a/demos/cms/cms_ver.c
+++ b/demos/cms/cms_ver.c
@@ -21,7 +21,7 @@ static void print_signingTime(CMS_ContentInfo *cms)
STACK_OF(CMS_SignerInfo) *sis;
CMS_SignerInfo *si;
X509_ATTRIBUTE *attr;
- ASN1_TYPE *t;
+ const ASN1_TYPE *t;
ASN1_UTCTIME *utctime;
ASN1_GENERALIZEDTIME *gtime;
BIO *b;
diff --git a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
index 8ed67fbdf7..e54d54358f 100644
--- a/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
+++ b/doc/man3/PKCS12_SAFEBAG_get0_attrs.pod
@@ -11,8 +11,8 @@ PKCS12_SAFEBAG_get0_attrs, PKCS12_get_attr_gen
const STACK_OF(X509_ATTRIBUTE) *PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag);
- ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
- int attr_nid);
+ const ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
+ int attr_nid);
=head1 DESCRIPTION
diff --git a/doc/man3/X509_ATTRIBUTE.pod b/doc/man3/X509_ATTRIBUTE.pod
index f2f7597d0b..a9588e9840 100644
--- a/doc/man3/X509_ATTRIBUTE.pod
+++ b/doc/man3/X509_ATTRIBUTE.pod
@@ -61,11 +61,11 @@ X509_ATTRIBUTE_get0_data, X509_ATTRIBUTE_get0_object, X509_ATTRIBUTE_get0_type
int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
const void *data, int len);
- void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
- void *data);
+ const void *X509_ATTRIBUTE_get0_data(const X509_ATTRIBUTE *attr, int idx,
+ int atrtype, void *data);
int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
- ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
- ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+ const ASN1_OBJECT *X509_ATTRIBUTE_get0_object(const X509_ATTRIBUTE *attr);
+ const ASN1_TYPE *X509_ATTRIBUTE_get0_type(const X509_ATTRIBUTE *attr, int idx);
=head1 DESCRIPTION
diff --git a/include/openssl/pkcs12.h.in b/include/openssl/pkcs12.h.in
index f810bde759..66b49a6b05 100644
--- a/include/openssl/pkcs12.h.in
+++ b/include/openssl/pkcs12.h.in
@@ -101,11 +101,11 @@ typedef struct pkcs12_bag_st PKCS12_BAGS;
#endif
#ifndef OPENSSL_NO_DEPRECATED_1_1_0
-OSSL_DEPRECATEDIN_1_1_0 ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag,
+OSSL_DEPRECATEDIN_1_1_0 const ASN1_TYPE *PKCS12_get_attr(const PKCS12_SAFEBAG *bag,
int attr_nid);
#endif
-ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
+const ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
int PKCS12_mac_present(const PKCS12 *p12);
void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac,
const X509_ALGOR **pmacalg,
@@ -206,7 +206,7 @@ int PKCS12_add1_attr_by_NID(PKCS12_SAFEBAG *bag, int nid, int type,
int PKCS12_add1_attr_by_txt(PKCS12_SAFEBAG *bag, const char *attrname, int type,
const unsigned char *bytes, int len);
int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage);
-ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
+const ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs,
int attr_nid);
char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag);
const STACK_OF(X509_ATTRIBUTE) *
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index ae2e19d674..f77d0025d3 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -996,11 +996,11 @@ X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr,
int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj);
int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype,
const void *data, int len);
-void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype,
- void *data);
+const void *X509_ATTRIBUTE_get0_data(const X509_ATTRIBUTE *attr, int idx,
+ int atrtype, void *data);
int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr);
-ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr);
-ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx);
+const ASN1_OBJECT *X509_ATTRIBUTE_get0_object(const X509_ATTRIBUTE *attr);
+const ASN1_TYPE *X509_ATTRIBUTE_get0_type(const X509_ATTRIBUTE *attr, int idx);
int EVP_PKEY_get_attr_count(const EVP_PKEY *key);
int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos);
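Review bot: Making the return types of `X509_ATTRIBUTE_get0_data`, `X509_ATTRIBUTE_get0_object` and `X509_ATTRIBUTE_get0_type` const in this public header is a source-level break for callers that store the result in a non-const pointer (a warning in C, an error with `-Werror` or in C++). No migration note is visible on this page, because the two `.pod` hunks touch only the SYNOPSIS. A HISTORY entry in `X509_ATTRIBUTE.pod` and `PKCS12_SAFEBAG_get0_attrs.pod`, for example `The return types of these functions were made const in OpenSSL <VERSION>.`, would tell downstream users why their build changed; a CHANGES entry would help too if the pull request does not already have one. The same applies to `PKCS12_get_attr`, `PKCS8_get_attr` and `PKCS12_get_attr_gen` in `include/openssl/pkcs12.h.in`.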
diff --git a/test/helpers/pkcs12.c b/test/helpers/pkcs12.c
index a50ce6f1df..b976996017 100644
--- a/test/helpers/pkcs12.c
+++ b/test/helpers/pkcs12.c
@@ -500,13 +500,13 @@ static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_A
{
int ret = 0;
X509_ATTRIBUTE *attr;
- ASN1_TYPE *av;
+ const ASN1_TYPE *av;
int i, j;
char attr_txt[100];
for (i = 0; i < sk_X509_ATTRIBUTE_num(bag_attrs); i++) {
const PKCS12_ATTR *p_attr = attrs;
- ASN1_OBJECT *attr_obj;
+ const ASN1_OBJECT *attr_obj;
attr = sk_X509_ATTRIBUTE_value(bag_attrs, i);
attr_obj = X509_ATTRIBUTE_get0_object(attr);