Commit e491465c49 for openssl.org
commit e491465c499d26b16a6cc99c3576027023a6ac1d
Author: Eugene Syromiatnikov <esyr@openssl.org>
Date: Mon Mar 2 16:41:56 2026 +0100
Un-constify the return value of X509_find_by_issuer_and_serial()
This partially reverts commit 07ee3d5db8a2 "constify
X509_find_by_issuer_and_serial", as it operates on a stack of X509
(not const X509 objects), and returns a pointer to one.
The constification of the PKCS7_signatureVerify argument is sensible
(as the argument is read-only inside the function) and remains
in place.
Fixes: 07ee3d5db8a2 "constify X509_find_by_issuer_and_serial"
Signed-off-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Nikola Pajkovsky <nikolap@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Fri Mar 6 21:29:34 2026
(Merged from https://github.com/openssl/openssl/pull/30265)
diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
index f2894fbfc9..dff40dc201 100644
--- a/crypto/pkcs7/pk7_doit.c
+++ b/crypto/pkcs7/pk7_doit.c
@@ -979,7 +979,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
int ret = 0, i;
STACK_OF(X509) *untrusted;
STACK_OF(X509_CRL) *crls;
- const X509 *signer;
+ X509 *signer;
if (p7 == NULL) {
ERR_raise(ERR_LIB_PKCS7, PKCS7_R_INVALID_NULL_POINTER);
@@ -1015,10 +1015,7 @@ int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio,
}
/* Lets verify */
- /*
- * TODO: This cast can be removed when #30076 is merged
- */
- if (!X509_STORE_CTX_init(ctx, cert_store, (X509 *)signer, untrusted)) {
+ if (!X509_STORE_CTX_init(ctx, cert_store, signer, untrusted)) {
ERR_raise(ERR_LIB_PKCS7, ERR_R_X509_LIB);
goto err;
}
diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
index 311dffd4aa..675c694e66 100644
--- a/crypto/pkcs7/pk7_lib.c
+++ b/crypto/pkcs7/pk7_lib.c
@@ -675,7 +675,7 @@ err:
return 0;
}
-const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
+X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
{
if (PKCS7_type_is_signed(p7))
return (X509_find_by_issuer_and_serial(p7->d.sign->cert,
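Review bot: With `const` gone from the return type, nothing on PKCS7_cert_from_signer_info() tells callers that the pointer is borrowed, and the hunk shows no comment on the function. The visible return line passes back the result of X509_find_by_issuer_and_serial() on `p7->d.sign->cert` directly, so the certificate appears to stay owned by that stack with no reference taken; a caller that frees or modifies it would change the PKCS7 structure itself. I would add `/* Returns a pointer into p7's certificate stack; not up-ref'd, do not X509_free() it. */` above the definition, and extend the `/* Search a stack of X509 for a match */` comment in the crypto/x509/x509_cmp.c hunk in the same way. Both function bodies continue outside their hunks, so the no-up-ref behaviour should be confirmed against the full source.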
diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
index 59a7fd4387..060def46db 100644
--- a/crypto/pkcs7/pk7_smime.c
+++ b/crypto/pkcs7/pk7_smime.c
@@ -365,7 +365,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
PKCS7_SIGNER_INFO *si;
PKCS7_ISSUER_AND_SERIAL *ias;
- const X509 *signer;
+ X509 *signer;
int i;
if (p7 == NULL) {
@@ -409,7 +409,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs, int f
return 0;
}
- if (!sk_X509_push(signers, (X509 *)signer)) {
+ if (!sk_X509_push(signers, signer)) {
sk_X509_free(signers);
return NULL;
}
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 688dbbac82..0418d2d636 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -345,7 +345,7 @@ end:
#endif
/* Search a stack of X509 for a match */
-const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
const ASN1_INTEGER *serial)
{
int i;
diff --git a/include/openssl/pkcs7.h.in b/include/openssl/pkcs7.h.in
index 7043da8ef1..435375405e 100644
--- a/include/openssl/pkcs7.h.in
+++ b/include/openssl/pkcs7.h.in
@@ -292,7 +292,7 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert);
PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509,
EVP_PKEY *pkey, const EVP_MD *dgst);
-const X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
+X509 *PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md);
STACK_OF(PKCS7_SIGNER_INFO) *PKCS7_get_signer_info(PKCS7 *p7);
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 6cd76829d1..dcff3ca49c 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -1023,7 +1023,7 @@ int EVP_PKEY_add1_attr_by_txt(EVP_PKEY *key,
const unsigned char *bytes, int len);
/* lookup a cert from a X509 STACK */
-const X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
const ASN1_INTEGER *serial);
const X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name);
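Review bot: The two adjacent lookups now disagree: X509_find_by_issuer_and_serial() returns `X509 *`, while X509_find_by_subject() on the last line of this hunk still returns `const X509 *`, although both take a `const STACK_OF(X509) *sk`. The commit message calls this a partial revert, so the difference may be deliberate, but if X509_find_by_subject() also returns an element of the stack, the same reasoning would seem to apply to it. Either align the two or make the comment say why they differ, for example `/* lookup a cert from a X509 STACK; the result is borrowed from sk */` plus a word on which result the caller may modify.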