Commit 81cc6cb97e for openssl.org
commit 81cc6cb97ef83ad138eebd47129368b9e963e8cd
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date: Wed Mar 4 16:04:22 2026 +0100
Revert "Constify X509_find_by_subject"
This reverts commit 0da29907e7da "Constify X509_find_by_subject",
as it operates on a stack of X509 (not const X509) objects, and returns
a pointer to one of them.
Fixes: 0da29907e7da "Constify X509_find_by_subject",
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 21:29:37 2026
(Merged from https://github.com/openssl/openssl/pull/30265)
diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
index c3d90987b8..f94e14c0f3 100644
--- a/crypto/ocsp/ocsp_vfy.c
+++ b/crypto/ocsp/ocsp_vfy.c
@@ -13,21 +13,21 @@
#include "internal/sizes.h"
#include "ocsp_local.h"
-static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
const STACK_OF(X509) *certs, unsigned long flags);
-static const X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id);
+static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id);
static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
OCSP_CERTID **ret);
static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
STACK_OF(OCSP_SINGLERESP) *sresp);
static int ocsp_check_delegated(X509 *x);
-static int ocsp_req_find_signer(const X509 **psigner, OCSP_REQUEST *req,
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
const X509_NAME *nm, const STACK_OF(X509) *certs,
unsigned long flags);
/* Returns 1 on success, 0 on failure, or -1 on fatal error */
-static int ocsp_verify_signer(const X509 *signer, int response,
+static int ocsp_verify_signer(X509 *signer, int response,
X509_STORE *st, unsigned long flags,
STACK_OF(X509) *untrusted, STACK_OF(X509) **chain)
{
@@ -39,10 +39,7 @@ static int ocsp_verify_signer(const X509 *signer, int response,
ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB);
goto end;
}
- /*
- * TODO: The cast below can be dropped when #30076 lands
- */
- if (!X509_STORE_CTX_init(ctx, st, (X509 *)signer, untrusted)) {
+ if (!X509_STORE_CTX_init(ctx, st, signer, untrusted)) {
ERR_raise(ERR_LIB_OCSP, ERR_R_X509_LIB);
goto end;
}
@@ -77,7 +74,7 @@ end:
}
static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
- const X509 *signer, unsigned long flags)
+ X509 *signer, unsigned long flags)
{
EVP_PKEY *skey;
int ret = 1;
@@ -101,7 +98,7 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
X509_STORE *st, unsigned long flags)
{
- const X509 *signer, *x;
+ X509 *signer, *x;
STACK_OF(X509) *chain = NULL;
STACK_OF(X509) *untrusted = NULL;
int ret = ocsp_find_signer(&signer, bs, certs, flags);
@@ -148,10 +145,7 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
goto end;
x = sk_X509_value(chain, sk_X509_num(chain) - 1);
- /*
- * TODO: Cast below can be dropped when #30071 lands
- */
- if (X509_check_trust((X509 *)x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
+ if (X509_check_trust(x, NID_OCSP_sign, 0) != X509_TRUST_TRUSTED) {
ERR_raise(ERR_LIB_OCSP, OCSP_R_ROOT_CA_NOT_TRUSTED);
ret = 0;
goto end;
@@ -165,16 +159,16 @@ end:
return ret;
}
-int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer,
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
const STACK_OF(X509) *extra_certs)
{
return ocsp_find_signer(signer, bs, extra_certs, 0) > 0;
}
-static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs,
+static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
const STACK_OF(X509) *certs, unsigned long flags)
{
- const X509 *signer;
+ X509 *signer;
OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
if ((signer = ocsp_find_signer_sk(certs, rid)) != NULL) {
@@ -191,7 +185,7 @@ static int ocsp_find_signer(const X509 **psigner, OCSP_BASICRESP *bs,
return 0;
}
-static const X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id)
+static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id)
{
int i, r;
unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
@@ -383,7 +377,7 @@ static int ocsp_check_delegated(X509 *x)
int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs,
X509_STORE *store, unsigned long flags)
{
- const X509 *signer;
+ X509 *signer;
const X509_NAME *nm;
GENERAL_NAME *gen;
int ret;
@@ -416,11 +410,11 @@ int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs,
/* using '> 0' here to avoid breaking backward compatibility returning -1 */
}
-static int ocsp_req_find_signer(const X509 **psigner, OCSP_REQUEST *req,
+static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
const X509_NAME *nm, const STACK_OF(X509) *certs,
unsigned long flags)
{
- const X509 *signer;
+ X509 *signer;
if ((flags & OCSP_NOINTERN) == 0) {
signer = X509_find_by_subject(req->optionalSignature->certs, nm);
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 0418d2d636..2768f2da06 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -365,7 +365,7 @@ X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *
return NULL;
}
-const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name)
+X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name)
{
X509 *x509;
int i;
@@ -373,7 +373,7 @@ const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name
for (i = 0; i < sk_X509_num(sk); i++) {
x509 = sk_X509_value(sk, i);
if (X509_NAME_cmp(X509_get_subject_name(x509), name) == 0)
- return (const X509 *)x509;
+ return x509;
}
return NULL;
}
diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
index 852ca74672..2e36a26a88 100644
--- a/doc/man3/OCSP_resp_find_status.pod
+++ b/doc/man3/OCSP_resp_find_status.pod
@@ -37,7 +37,7 @@ OCSP_check_validity, OCSP_basic_verify
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
const STACK_OF(X509) *OCSP_resp_get0_certs(const OCSP_BASICRESP *bs);
- int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer,
+ int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
STACK_OF(X509) *extra_certs);
int OCSP_resp_get0_id(const OCSP_BASICRESP *bs,
@@ -208,10 +208,6 @@ L<OCSP_response_status(3)>,
L<OCSP_sendreq_new(3)>,
L<X509_VERIFY_PARAM_set_flags(3)>
-=head1 HISTORY
-
-OCSP_resp_get0_signer() was constified in OpenSSL 4.0.
-
=head1 COPYRIGHT
Copyright 2015-2022 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/include/openssl/ocsp.h.in b/include/openssl/ocsp.h.in
index 8c8f093afe..6075e1fc0a 100644
--- a/include/openssl/ocsp.h.in
+++ b/include/openssl/ocsp.h.in
@@ -232,7 +232,7 @@ OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp);
const ASN1_OCTET_STRING *OCSP_resp_get0_signature(const OCSP_BASICRESP *bs);
const X509_ALGOR *OCSP_resp_get0_tbs_sigalg(const OCSP_BASICRESP *bs);
const OCSP_RESPDATA *OCSP_resp_get0_respdata(const OCSP_BASICRESP *bs);
-int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, const X509 **signer,
+int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
const STACK_OF(X509) *extra_certs);
int OCSP_resp_count(OCSP_BASICRESP *bs);
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index dcff3ca49c..f3d08af1f8 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -1025,7 +1025,7 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
/* lookup a cert from a X509 STACK */
X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
const ASN1_INTEGER *serial);
-const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);
+X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);
DECLARE_ASN1_FUNCTIONS(PBEPARAM)
DECLARE_ASN1_FUNCTIONS(PBE2PARAM)
diff --git a/test/ocspapitest.c b/test/ocspapitest.c
index b377ca0aa7..ce8f172494 100644
--- a/test/ocspapitest.c
+++ b/test/ocspapitest.c
@@ -112,8 +112,7 @@ err:
static int test_resp_signer(void)
{
OCSP_BASICRESP *bs = NULL;
- X509 *signer = NULL;
- const X509 *tmp;
+ X509 *signer = NULL, *tmp;
EVP_PKEY *key = NULL;
STACK_OF(X509) *extra_certs = NULL;
int ret = 0;