Commit b235c756f1 for openssl.org

commit b235c756f1053a79a837e2bd772eda5a059888ae
Author: Dr. David von Oheimb <David.von.Oheimb@siemens.com>
Date:   Sat Oct 7 18:14:05 2023 +0200

    crypto/{CMS,PKCS7,OCSP,TS,X509}: constify various cert list parameters

    Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
    Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
    (Merged from https://github.com/openssl/openssl/pull/22304)

diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 07475d6a43..274336189b 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -945,7 +945,7 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
     int certReqId, const OSSL_CMP_PKISI *si,
     X509 *cert, const EVP_PKEY *pkey,
     const X509 *encryption_recip,
-    STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
+    const STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
     int unprotectedErrors);
 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
 OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,
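Review bot: `caPubs` stays a plain `STACK_OF(X509) *` in the ossl_cmp_certrep_new() prototype while the neighbouring `chain` becomes const, and the same split is repeated in the definition in crypto/cmp/cmp_msg.c. If the body only copies `caPubs` into the message (the body is not visible here, so this needs confirming), it can take the same qualifier: `const STACK_OF(X509) *chain, const STACK_OF(X509) *caPubs,`. Leaving one of two adjacent certificate-list parameters mutable suggests to a reader that the callee may alter the caller's list.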
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index c72a7e09cd..4157b341c0 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -504,7 +504,7 @@ OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
     int certReqId, const OSSL_CMP_PKISI *si,
     X509 *cert, const EVP_PKEY *pkey,
     const X509 *encryption_recip,
-    STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
+    const STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
     int unprotectedErrors)
 {
     OSSL_CMP_MSG *msg = NULL;
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 2fd66e08ac..040c8ea22e 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -871,7 +871,7 @@ int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert)
     return ossl_cms_SignerIdentifier_cert_cmp(si->sid, cert);
 }

-int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts,
+int CMS_set1_signers_certs(CMS_ContentInfo *cms, const STACK_OF(X509) *scerts,
     unsigned int flags)
 {
     CMS_SignedData *sd;
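Review bot: The definition of CMS_set1_signers_certs() names the list `scerts`, but the prototype this commit updates in include/openssl/cms.h.in calls it `certs`. Since both lines are being touched anyway, align them, e.g. in the header `int CMS_set1_signers_certs(CMS_ContentInfo *cms, const STACK_OF(X509) *scerts,`. CMS_SignedData_verify() already uses `scerts` next to `extra` to tell the two lists apart, so `scerts` looks like the more informative name. The function body continues outside the hunk.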
@@ -1489,8 +1489,9 @@ err:
 }

 BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data,
-    STACK_OF(X509) *scerts, X509_STORE *store,
-    STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls,
+    const STACK_OF(X509) *scerts, X509_STORE *store,
+    const STACK_OF(X509) *extra,
+    const STACK_OF(X509_CRL) *crls,
     unsigned int flags,
     OSSL_LIB_CTX *libctx, const char *propq)
 {
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index fe631b27a2..e8585ce541 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -302,7 +302,7 @@ err:
 }

 /* This strongly overlaps with PKCS7_verify() */
-int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
+int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs,
     X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags)
 {
     CMS_SignerInfo *si;
@@ -494,7 +494,7 @@ err2:
 }

 int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
-    STACK_OF(X509) *certs,
+    const STACK_OF(X509) *certs,
     X509_STORE *store, unsigned int flags)
 {
     int r;
@@ -507,7 +507,7 @@ int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
 }

 CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey,
-    STACK_OF(X509) *certs, BIO *data,
+    const STACK_OF(X509) *certs, BIO *data,
     unsigned int flags, OSSL_LIB_CTX *libctx,
     const char *propq)
 {
@@ -554,15 +554,15 @@ err:
     return NULL;
 }

-CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-    BIO *data, unsigned int flags)
+CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
+    const STACK_OF(X509) *certs, BIO *data, unsigned int flags)
 {
     return CMS_sign_ex(signcert, pkey, certs, data, flags, NULL, NULL);
 }

 CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
     X509 *signcert, EVP_PKEY *pkey,
-    STACK_OF(X509) *certs, unsigned int flags)
+    const STACK_OF(X509) *certs, unsigned int flags)
 {
     CMS_SignerInfo *rct_si;
     CMS_ContentInfo *cms = NULL;
@@ -632,7 +632,7 @@ err:
     return NULL;
 }

-CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *data,
+CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *data,
     const EVP_CIPHER *cipher, unsigned int flags,
     OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -669,7 +669,7 @@ err:
     return NULL;
 }

-CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
+CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *data,
     const EVP_CIPHER *cipher, unsigned int flags)
 {
     return CMS_encrypt_ex(certs, data, cipher, flags, NULL, NULL);
diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
index a4f954f9a4..4c20509214 100644
--- a/crypto/ocsp/ocsp_cl.c
+++ b/crypto/ocsp/ocsp_cl.c
@@ -71,7 +71,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
     X509 *signer,
     EVP_PKEY *key,
     const EVP_MD *dgst,
-    STACK_OF(X509) *certs, unsigned long flags)
+    const STACK_OF(X509) *certs, unsigned long flags)
 {
     if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
         goto err;
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 56276ad601..6799aa84c8 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -164,7 +164,7 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
  */
 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
     X509 *signer, EVP_MD_CTX *ctx,
-    STACK_OF(X509) *certs, unsigned long flags)
+    const STACK_OF(X509) *certs, unsigned long flags)
 {
     OCSP_RESPID *rid;
     EVP_PKEY *pkey;
@@ -211,7 +211,7 @@ err:

 int OCSP_basic_sign(OCSP_BASICRESP *brsp,
     X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-    STACK_OF(X509) *certs, unsigned long flags)
+    const STACK_OF(X509) *certs, unsigned long flags)
 {
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     EVP_PKEY_CTX *pkctx = NULL;
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index 3b6b1fe052..e1faf29e08 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -14,8 +14,8 @@
 #include "ocsp_local.h"

 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-    STACK_OF(X509) *certs, unsigned long flags);
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
+    const STACK_OF(X509) *certs, unsigned long flags);
+static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id);
 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
     OCSP_CERTID **ret);
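Review bot: `ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain)` in this prototype block keeps a non-const list parameter while ocsp_find_signer() and ocsp_find_signer_sk() right above it are constified. If it only reads the chain (its body is outside the page, so this is an assumption), declare it `static int ocsp_check_issuer(OCSP_BASICRESP *bs, const STACK_OF(X509) *chain);` and change the definition to match. Otherwise a short comment on why `chain` must stay mutable would keep the file consistent for the next reader.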
@@ -23,7 +23,7 @@ static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
     STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x);
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-    const X509_NAME *nm, STACK_OF(X509) *certs,
+    const X509_NAME *nm, const STACK_OF(X509) *certs,
     unsigned long flags);

 /* Returns 1 on success, 0 on failure, or -1 on fatal error */
@@ -95,7 +95,7 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
 }

 /* Verify a basic response message */
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
     X509_STORE *st, unsigned long flags)
 {
     X509 *signer, *x;
@@ -160,13 +160,13 @@ end:
 }

 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
-    STACK_OF(X509) *extra_certs)
+    const STACK_OF(X509) *extra_certs)
 {
     return ocsp_find_signer(signer, bs, extra_certs, 0) > 0;
 }

 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-    STACK_OF(X509) *certs, unsigned long flags)
+    const STACK_OF(X509) *certs, unsigned long flags)
 {
     X509 *signer;
     OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
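Review bot: The `const` added to `extra_certs` in OCSP_resp_get0_signer() covers only the stack container, yet the function still returns a non-const `X509 *` through `signer` that may be one of that stack's elements, and nothing in the code says so. Callers of verification helpers tend to read `const` as "my untrusted cert list is untouched and I may free it", so document the aliasing once it is confirmed against ocsp_find_signer(), whose body continues outside the hunk: `/* *signer is not up-ref'ed and may point into extra_certs, which must outlive it */`. The same gap exists for PKCS7_get0_signers() in crypto/pkcs7/pk7_smime.c and for X509_find_by_issuer_and_serial() and X509_find_by_subject() in crypto/x509/x509_cmp.c.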
@@ -185,7 +185,7 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
     return 0;
 }

-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id)
 {
     int i, r;
     unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
@@ -380,7 +380,7 @@ static int ocsp_check_delegated(X509 *x)
  * Just find the signer's certificate and verify it against a given trust value.
  * Returns 1 on success, 0 on failure and on fatal error.
  */
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
+int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs,
     X509_STORE *store, unsigned long flags)
 {
     X509 *signer;
@@ -417,7 +417,7 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
 }

 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-    const X509_NAME *nm, STACK_OF(X509) *certs,
+    const X509_NAME *nm, const STACK_OF(X509) *certs,
     unsigned long flags)
 {
     X509 *signer;
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 97f2005897..c5604864ce 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -20,9 +20,8 @@

 static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);

-PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-    BIO *data, int flags, OSSL_LIB_CTX *libctx,
-    const char *propq)
+PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,
+    BIO *data, int flags, OSSL_LIB_CTX *libctx, const char *propq)
 {
     PKCS7 *p7;
     int i;
@@ -64,7 +63,7 @@ err:
     return NULL;
 }

-PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,
     BIO *data, int flags)
 {
     return PKCS7_sign_ex(signcert, pkey, certs, data, flags, NULL, NULL);
@@ -208,7 +207,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 }

 /* This strongly overlaps with CMS_verify(), partly with PKCS7_dataVerify() */
-int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
     BIO *indata, BIO *out, int flags)
 {
     STACK_OF(X509) *signers;
@@ -360,8 +359,7 @@ err:
     return ret;
 }

-STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,
-    int flags)
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int flags)
 {
     STACK_OF(X509) *signers, *included_certs;
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
@@ -421,7 +419,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,

 /* Build a complete PKCS#7 enveloped data */

-PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
     const EVP_CIPHER *cipher, int flags,
     OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -463,8 +461,7 @@ err:
     return NULL;
 }

-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
-    int flags)
+PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags)
 {
     return PKCS7_encrypt_ex(certs, in, cipher, flags, NULL, NULL);
 }
diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
index 40dab687d1..e03c9553db 100644
--- a/crypto/ts/ts_rsp_verify.c
+++ b/crypto/ts/ts_rsp_verify.c
@@ -84,7 +84,7 @@ static const struct {
  *      - Verify the signature value.
  *      - Returns the signer certificate in 'signer', if 'signer' is not NULL.
  */
-int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
+int TS_RESP_verify_signature(PKCS7 *token, const STACK_OF(X509) *certs,
     X509_STORE *store, X509 **signer_out)
 {
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 6d9848d234..c915fa4d84 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -225,7 +225,7 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
     return 1;
 }

-int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
+int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags)
 /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
 {
     if (sk == NULL) {
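Review bot: The comment kept under the X509_add_certs() signature, `/* compiler would allow 'const' for the certs, yet they may get up-ref'ed */`, explained why the parameter was not const and now contradicts the line above it. Reword it to state what the qualifier does and does not promise, for example `/* 'certs' itself is not modified, but its elements may get up-ref'ed */`. The identical comment under ossl_x509_add_certs_new() in the next hunk needs the same change. Both function bodies continue outside their hunks.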
@@ -235,8 +235,7 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
     return ossl_x509_add_certs_new(&sk, certs, flags);
 }

-int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
-    int flags)
+int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, const STACK_OF(X509) *certs, int flags)
 /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
 {
     int n = sk_X509_num(certs /* may be NULL */);
@@ -342,7 +341,7 @@ end:
 #endif

 /* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
     const ASN1_INTEGER *serial)
 {
     int i;
@@ -362,7 +361,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
     return NULL;
 }

-X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name)
+X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name)
 {
     X509 *x509;
     int i;
diff --git a/doc/man3/CMS_encrypt.pod b/doc/man3/CMS_encrypt.pod
index bccf7fe432..1eaa17bef0 100644
--- a/doc/man3/CMS_encrypt.pod
+++ b/doc/man3/CMS_encrypt.pod
@@ -8,10 +8,10 @@ CMS_encrypt_ex, CMS_encrypt - create a CMS envelopedData structure

  #include <openssl/cms.h>

- CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+ CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
                                  const EVP_CIPHER *cipher, unsigned int flags,
                                  OSSL_LIB_CTX *libctx, const char *propq);
- CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
+ CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *in,
                               const EVP_CIPHER *cipher, unsigned int flags);

 =head1 DESCRIPTION
diff --git a/doc/man3/CMS_sign_receipt.pod b/doc/man3/CMS_sign_receipt.pod
index 2d3542a991..ba8a8e84aa 100644
--- a/doc/man3/CMS_sign_receipt.pod
+++ b/doc/man3/CMS_sign_receipt.pod
@@ -9,7 +9,7 @@ CMS_sign_receipt - create a CMS signed receipt
  #include <openssl/cms.h>

  CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert,
-                                   EVP_PKEY *pkey, STACK_OF(X509) *certs,
+                                   EVP_PKEY *pkey, const STACK_OF(X509) *certs,
                                    unsigned int flags);

 =head1 DESCRIPTION
diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
index bef4858c91..dab318fc7f 100644
--- a/doc/man3/CMS_verify.pod
+++ b/doc/man3/CMS_verify.pod
@@ -10,11 +10,13 @@ CMS_SignerInfo_verify_content, CMS_SignerInfo_verify_ex

  #include <openssl/cms.h>

- int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store,
+ int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs,
+                X509_STORE *store,
                 BIO *detached_data, BIO *out, unsigned int flags);
  BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data,
-                            STACK_OF(X509) *scerts, X509_STORE *store,
-                            STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls,
+                            const STACK_OF(X509) *scerts, X509_STORE *store,
+                            const STACK_OF(X509) *extra,
+                            const STACK_OF(X509_CRL) *crls,
                             unsigned int flags,
                             OSSL_LIB_CTX *libctx, const char *propq);

diff --git a/doc/man3/CMS_verify_receipt.pod b/doc/man3/CMS_verify_receipt.pod
index bf3019ae72..414d71d45d 100644
--- a/doc/man3/CMS_verify_receipt.pod
+++ b/doc/man3/CMS_verify_receipt.pod
@@ -9,7 +9,7 @@ CMS_verify_receipt - verify a CMS signed receipt
  #include <openssl/cms.h>

  int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
-                        STACK_OF(X509) *certs, X509_STORE *store,
+                        const STACK_OF(X509) *certs, X509_STORE *store,
                         unsigned int flags);

 =head1 DESCRIPTION
diff --git a/doc/man3/OCSP_REQUEST_new.pod b/doc/man3/OCSP_REQUEST_new.pod
index 3f171e8229..cda2737b14 100644
--- a/doc/man3/OCSP_REQUEST_new.pod
+++ b/doc/man3/OCSP_REQUEST_new.pod
@@ -17,7 +17,7 @@ OCSP_request_onereq_get0 - OCSP request functions

  int OCSP_request_sign(OCSP_REQUEST *req,
                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-                       STACK_OF(X509) *certs, unsigned long flags);
+                       const STACK_OF(X509) *certs, unsigned long flags);

  int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);

diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index bc5db70862..2e36a26a88 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -51,7 +51,7 @@ OCSP_check_validity, OCSP_basic_verify
                          ASN1_GENERALIZEDTIME *nextupd,
                          long sec, long maxsec);

- int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+ int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
                       X509_STORE *st, unsigned long flags);

 =head1 DESCRIPTION
diff --git a/doc/man3/OCSP_response_status.pod b/doc/man3/OCSP_response_status.pod
index 0902ae8a31..79c742e13e 100644
--- a/doc/man3/OCSP_response_status.pod
+++ b/doc/man3/OCSP_response_status.pod
@@ -26,10 +26,10 @@ OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx
  int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);

  int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
-                     const EVP_MD *dgst, STACK_OF(X509) *certs,
+                     const EVP_MD *dgst, const STACK_OF(X509) *certs,
                      unsigned long flags);
  int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx,
-                         STACK_OF(X509) *certs, unsigned long flags);
+                         const STACK_OF(X509) *certs, unsigned long flags);

 =head1 DESCRIPTION

diff --git a/doc/man3/PKCS7_encrypt.pod b/doc/man3/PKCS7_encrypt.pod
index 79c769a776..41f56b5d6f 100644
--- a/doc/man3/PKCS7_encrypt.pod
+++ b/doc/man3/PKCS7_encrypt.pod
@@ -9,11 +9,11 @@ PKCS7_encrypt_ex, PKCS7_encrypt

  #include <openssl/pkcs7.h>

- PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+ PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
                          const EVP_CIPHER *cipher, int flags,
                          OSSL_LIB_CTX *libctx, const char *propq);
- PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
-                      int flags);
+ PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in,
+                      const EVP_CIPHER *cipher, int flags);

 =head1 DESCRIPTION

diff --git a/doc/man3/PKCS7_sign.pod b/doc/man3/PKCS7_sign.pod
index 5c55aa191d..b8f4bb0040 100644
--- a/doc/man3/PKCS7_sign.pod
+++ b/doc/man3/PKCS7_sign.pod
@@ -9,10 +9,11 @@ PKCS7_sign_ex, PKCS7_sign

  #include <openssl/pkcs7.h>

- PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+ PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey,
+                      const STACK_OF(X509) *certs,
                       BIO *data, int flags, OSSL_LIB_CTX *libctx,
                       const char *propq);
- PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+ PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,
                    BIO *data, int flags);

 =head1 DESCRIPTION
diff --git a/doc/man3/PKCS7_verify.pod b/doc/man3/PKCS7_verify.pod
index b9e1ee3035..3f0a484e62 100644
--- a/doc/man3/PKCS7_verify.pod
+++ b/doc/man3/PKCS7_verify.pod
@@ -8,10 +8,11 @@ PKCS7_verify, PKCS7_get0_signers - verify a PKCS#7 signedData structure

  #include <openssl/pkcs7.h>

- int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+ int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
                   BIO *indata, BIO *out, int flags);

- STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags);
+ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs,
+                                    int flags);

 =head1 DESCRIPTION

@@ -30,7 +31,7 @@ Otherwise I<indata> should be NULL, and then the signed data must be in I<p7>.
 The content is written to the BIO I<out> unless it is NULL.
 I<flags> is an optional set of flags, which can be used to modify the operation.

-PKCS7_get0_signers() retrieves the signer's certificates from I<p7>, it does
+PKCS7_get0_signers() retrieves the signer certificates from I<p7>, it does
 B<not> check their validity or whether any signatures are valid. The I<certs>
 and I<flags> parameters have the same meanings as in PKCS7_verify().

diff --git a/doc/man3/X509_add_cert.pod b/doc/man3/X509_add_cert.pod
index f59b93ba54..2b3db78018 100644
--- a/doc/man3/X509_add_cert.pod
+++ b/doc/man3/X509_add_cert.pod
@@ -11,7 +11,7 @@ X509 certificate list addition functions
  #include <openssl/x509.h>

  int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
- int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags);
+ int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags);

 =head1 DESCRIPTION

diff --git a/include/crypto/x509.h b/include/crypto/x509.h
index fd749f1bf3..ff073e2479 100644
--- a/include/crypto/x509.h
+++ b/include/crypto/x509.h
@@ -325,8 +325,7 @@ int ossl_asn1_item_digest_ex(const ASN1_ITEM *it, const EVP_MD *type,
     void *data, unsigned char *md, unsigned int *len,
     OSSL_LIB_CTX *libctx, const char *propq);
 int ossl_x509_add_cert_new(STACK_OF(X509) **sk, X509 *cert, int flags);
-int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
-    int flags);
+int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, const STACK_OF(X509) *certs, int flags);

 STACK_OF(X509_ATTRIBUTE) *ossl_x509at_dup(const STACK_OF(X509_ATTRIBUTE) *x);

diff --git a/include/openssl/cms.h.in b/include/openssl/cms.h.in
index cf96c712b4..60633354ed 100644
--- a/include/openssl/cms.h.in
+++ b/include/openssl/cms.h.in
@@ -137,16 +137,13 @@ int CMS_final_digest(CMS_ContentInfo *cms,
     unsigned int flags);

 CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
-    STACK_OF(X509) *certs, BIO *data,
-    unsigned int flags);
+    const STACK_OF(X509) *certs, BIO *data, unsigned int flags);
 CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey,
-    STACK_OF(X509) *certs, BIO *data,
-    unsigned int flags, OSSL_LIB_CTX *libctx,
-    const char *propq);
+    const STACK_OF(X509) *certs, BIO *data,
+    unsigned int flags, OSSL_LIB_CTX *libctx, const char *propq);

-CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
-    X509 *signcert, EVP_PKEY *pkey,
-    STACK_OF(X509) *certs, unsigned int flags);
+CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert,
+    EVP_PKEY *pkey, const STACK_OF(X509) *certs, unsigned int flags);

 int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags);
 CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags);
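Review bot: These are public prototypes, and adding `const` changes the function types, so application code that stores e.g. `CMS_sign` or `CMS_verify` in a function pointer declared with the old `STACK_OF(X509) *` parameter will get incompatible-pointer-type diagnostics. Ordinary calls are unaffected. No changelog file appears among the files in this diff, so a short entry listing the constified CMS, PKCS7, OCSP, TS and X509 functions would let downstream maintainers anticipate it. The same applies to the header hunks in ocsp.h.in, pkcs7.h.in, ts.h and x509.h.in.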
@@ -176,18 +173,17 @@ CMS_ContentInfo *CMS_EncryptedData_encrypt_ex(BIO *in, const EVP_CIPHER *cipher,
 int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph,
     const unsigned char *key, size_t keylen);

-int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
+int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs,
     X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags);

 int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
-    STACK_OF(X509) *certs,
-    X509_STORE *store, unsigned int flags);
+    const STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags);

 STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms);

-CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
+CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *in,
     const EVP_CIPHER *cipher, unsigned int flags);
-CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
     const EVP_CIPHER *cipher, unsigned int flags,
     OSSL_LIB_CTX *libctx, const char *propq);

@@ -297,7 +293,7 @@ int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si,
     ASN1_OCTET_STRING **keyid,
     X509_NAME **issuer, ASN1_INTEGER **sno);
 int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert);
-int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
+int CMS_set1_signers_certs(CMS_ContentInfo *cms, const STACK_OF(X509) *certs,
     unsigned int flags);
 void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk,
     X509 **signer, X509_ALGOR **pdig,
@@ -308,8 +304,8 @@ int CMS_SignerInfo_verify(CMS_SignerInfo *si);
 int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain);
 int CMS_SignerInfo_verify_ex(CMS_SignerInfo *si, BIO *chain, BIO *data);
 BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data,
-    STACK_OF(X509) *scerts, X509_STORE *store,
-    STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls,
+    const STACK_OF(X509) *scerts, X509_STORE *store,
+    const STACK_OF(X509) *extra, const STACK_OF(X509_CRL) *crls,
     unsigned int flags,
     OSSL_LIB_CTX *libctx, const char *propq);

diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in
index d2cfd9c116..f2380543ff 100644
--- a/include/openssl/ocsp.h.in
+++ b/include/openssl/ocsp.h.in
@@ -224,7 +224,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
     X509 *signer,
     EVP_PKEY *key,
     const EVP_MD *dgst,
-    STACK_OF(X509) *certs, unsigned long flags);
+    const STACK_OF(X509) *certs, unsigned long flags);

 int OCSP_response_status(OCSP_RESPONSE *resp);
 OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
@@ -233,7 +233,7 @@ const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
 const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
 const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
-    STACK_OF(X509) *extra_certs);
+    const STACK_OF(X509) *extra_certs);

 int OCSP_resp_count(OCSP_BASICRESP *bs);
 OCSP_SINGLERESP *OCSP_resp_get0(OCSP_BASICRESP *bs, int idx);
@@ -259,7 +259,7 @@ int OCSP_resp_find_status(OCSP_BASICRESP *bs, OCSP_CERTID *id, int *status,
 int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
     ASN1_GENERALIZEDTIME *nextupd, long sec, long maxsec);

-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
+int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs,
     X509_STORE *store, unsigned long flags);

 #define OCSP_parse_url(url, host, port, path, ssl) \
@@ -285,10 +285,10 @@ OCSP_SINGLERESP *OCSP_basic_add1_status(OCSP_BASICRESP *rsp,
 int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert);
 int OCSP_basic_sign(OCSP_BASICRESP *brsp,
     X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-    STACK_OF(X509) *certs, unsigned long flags);
+    const STACK_OF(X509) *certs, unsigned long flags);
 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
     X509 *signer, EVP_MD_CTX *ctx,
-    STACK_OF(X509) *certs, unsigned long flags);
+    const STACK_OF(X509) *certs, unsigned long flags);
 int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
 int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
     OSSL_LIB_CTX *libctx, const char *propq);
@@ -381,7 +381,7 @@ const char *OCSP_crl_reason_str(long s);
 int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags);
 int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags);

-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
     X509_STORE *st, unsigned long flags);

 #ifdef __cplusplus
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index 1d57255ae7..02a79c292c 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -319,24 +319,21 @@ int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si,
 int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si,
     STACK_OF(X509_ATTRIBUTE) *sk);

-PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,
     BIO *data, int flags);
-PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-    BIO *data, int flags, OSSL_LIB_CTX *libctx,
-    const char *propq);
+PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,
+    BIO *data, int flags, OSSL_LIB_CTX *libctx, const char *propq);

 PKCS7_SIGNER_INFO *PKCS7_sign_add_signer(PKCS7 *p7,
     X509 *signcert, EVP_PKEY *pkey,
     const EVP_MD *md, int flags);

 int PKCS7_final(PKCS7 *p7, BIO *data, int flags);
-int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
     BIO *indata, BIO *out, int flags);
-STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,
-    int flags);
-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
-    int flags);
-PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int flags);
+PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher, int flags);
+PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
     const EVP_CIPHER *cipher, int flags,
     OSSL_LIB_CTX *libctx, const char *propq);
 int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data,
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index 1d5110b1b7..ace878db6d 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -358,7 +358,7 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio);
  * they are defined in ts/ts_resp_verify.c.
  */

-int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
+int TS_RESP_verify_signature(PKCS7 *token, const STACK_OF(X509) *certs,
     X509_STORE *store, X509 **signer_out);

 /* Context structure for the generic verify method. */
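Review bot: The context comment above TS_RESP_verify_signature() says the functions are "defined in ts/ts_resp_verify.c", but the definition patched by this commit is in crypto/ts/ts_rsp_verify.c. As the declaration is being edited anyway, correct the pointer to `* they are defined in crypto/ts/ts_rsp_verify.c.` so readers looking for the verification code are sent to the right file. The comment block starts outside the hunk.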
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 0ecf8c9049..ae2e19d674 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -808,7 +808,7 @@ unsigned long X509_subject_name_hash_old(X509 *x);
 #define X509_ADD_FLAG_NO_DUP 0x4
 #define X509_ADD_FLAG_NO_SS 0x8
 int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags);
-int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags);
+int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags);

 int X509_cmp(const X509 *a, const X509 *b);
 int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
@@ -1020,9 +1020,9 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
     const unsigned char *bytes, int len);

 /* lookup a cert from a X509 STACK */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
     const ASN1_INTEGER *serial);
-X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name);
+X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);

 DECLARE_ASN1_FUNCTIONS(PBEPARAM)
 DECLARE_ASN1_FUNCTIONS(PBE2PARAM)