Dev news

Commit fc756e594e for openssl.org

commit fc756e594ed5a27af378d3bfcfbe8c7142ce0dc1
Author: Bob Beck <beck@openssl.org>
Date:   Mon Sep 29 15:16:33 2025 -0600

    Constify return value of X509_get_X509_PUBKEY()

    You really should not be mutating this.

    Part of #28654
    Fixes: https://github.com/openssl/project/issues/1771

    Reviewed-by: Neil Horman <nhorman@openssl.org>
    Reviewed-by: Paul Dale <paul.dale@oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/29428)

diff --git a/crypto/cms/cms_kemri.c b/crypto/cms/cms_kemri.c
index d5900ecfc4..0e21d35c56 100644
--- a/crypto/cms/cms_kemri.c
+++ b/crypto/cms/cms_kemri.c
@@ -83,7 +83,7 @@ int ossl_cms_RecipientInfo_kemri_init(CMS_RecipientInfo *ri, X509 *recip,
     CMS_OtherRecipientInfo *ori;
     CMS_KEMRecipientInfo *kemri;
     int idtype;
-    X509_PUBKEY *x_pubkey;
+    const X509_PUBKEY *x_pubkey;
     X509_ALGOR *x_alg;

     ri->d.ori = M_ASN1_new_of(CMS_OtherRecipientInfo);
diff --git a/crypto/ct/ct_local.h b/crypto/ct/ct_local.h
index d2f6c48cbd..a06e42bb5b 100644
--- a/crypto/ct/ct_local.h
+++ b/crypto/ct/ct_local.h
@@ -145,7 +145,7 @@ __owur int SCT_CTX_set1_cert(SCT_CTX *sctx, X509 *cert, X509 *presigner);
  * Issuer must not be NULL.
  * Returns 1 on success, 0 on failure.
  */
-__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
+__owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer);

 /*
  * Sets the public key of the issuer of the certificate that the SCT was created
@@ -153,14 +153,13 @@ __owur int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer);
  * The public key must not be NULL.
  * Returns 1 on success, 0 on failure.
  */
-__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
+__owur int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey);

 /*
  * Sets the public key of the CT log that the SCT is from.
  * Returns 1 on success, 0 on failure.
  */
 __owur int SCT_CTX_set1_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey);
-
 /*
  * Sets the time to evaluate the SCT against, in milliseconds since the Unix
  * epoch. If the SCT's timestamp is after this time, it will be interpreted as
diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c
index af5be04eff..aa1ebbfea7 100644
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
@@ -197,7 +197,7 @@ err:
     return 0;
 }

-__owur static int ct_public_key_hash(SCT_CTX *sctx, X509_PUBKEY *pkey,
+__owur static int ct_public_key_hash(SCT_CTX *sctx, const X509_PUBKEY *pkey,
     unsigned char **hash, size_t *hash_len)
 {
     int ret = 0;
@@ -241,12 +241,12 @@ err:
     return ret;
 }

-int SCT_CTX_set1_issuer(SCT_CTX *sctx, const X509 *issuer)
+int SCT_CTX_set1_issuer(SCT_CTX *sctx, X509 *issuer)
 {
     return SCT_CTX_set1_issuer_pubkey(sctx, X509_get_X509_PUBKEY(issuer));
 }

-int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, X509_PUBKEY *pubkey)
+int SCT_CTX_set1_issuer_pubkey(SCT_CTX *sctx, const X509_PUBKEY *pubkey)
 {
     return ct_public_key_hash(sctx, pubkey, &sctx->ihash, &sctx->ihashlen);
 }
diff --git a/crypto/x509/t_x509.c b/crypto/x509/t_x509.c
index 7c866eec76..91351d5d78 100644
--- a/crypto/x509/t_x509.c
+++ b/crypto/x509/t_x509.c
@@ -138,7 +138,7 @@ int X509_print_ex(BIO *bp, const X509 *x, unsigned long nmflags, unsigned long c
             goto err;
     }
     if (!(cflag & X509_FLAG_NO_PUBKEY)) {
-        X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
+        const X509_PUBKEY *xpkey = X509_get_X509_PUBKEY(x);
         ASN1_OBJECT *xpoid;
         X509_PUBKEY_get0_param(&xpoid, NULL, NULL, NULL, xpkey);
         if (BIO_write(bp, "        Subject Public Key Info:\n", 33) <= 0)
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index af5af61058..10178522a0 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -159,7 +159,7 @@ int X509_get_signature_type(const X509 *x)
     return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg.algorithm));
 }

-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x)
 {
     return x->cert_info.key;
 }
diff --git a/doc/man3/X509_get_pubkey.pod b/doc/man3/X509_get_pubkey.pod
index 86c1edac63..4bf79586bc 100644
--- a/doc/man3/X509_get_pubkey.pod
+++ b/doc/man3/X509_get_pubkey.pod
@@ -14,7 +14,7 @@ X509_REQ_get_X509_PUBKEY
  EVP_PKEY *X509_get_pubkey(X509 *x);
  EVP_PKEY *X509_get0_pubkey(const X509 *x);
  int X509_set_pubkey(X509 *x, EVP_PKEY *pkey);
- X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+ const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);

  EVP_PKEY *X509_REQ_get_pubkey(X509_REQ *req);
  EVP_PKEY *X509_REQ_get0_pubkey(const X509_REQ *req);
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 0366320992..1a62dfad8a 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -689,7 +689,7 @@ EVP_PKEY *X509_get0_pubkey(const X509 *x);
  * This one is only used so that a binary form can output, as in
  * i2d_X509_PUBKEY(X509_get_X509_PUBKEY(x), &buf)
  */
-X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
+const X509_PUBKEY *X509_get_X509_PUBKEY(const X509 *x);
 const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x);
 void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
     const ASN1_BIT_STRING **psuid);
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 0a3ddebf36..28dc586d34 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -1328,7 +1328,7 @@ unsigned long tls_output_rpk(SSL_CONNECTION *sc, WPACKET *pkt, CERT_PKEY *cpk)
 {
     int pdata_len = 0;
     unsigned char *pdata = NULL;
-    X509_PUBKEY *xpk = NULL;
+    const X509_PUBKEY *xpk = NULL;
     unsigned long ret = 0;
     X509 *x509 = NULL;

diff --git a/test/algorithmid_test.c b/test/algorithmid_test.c
index 09ab73e839..f4732bc30c 100644
--- a/test/algorithmid_test.c
+++ b/test/algorithmid_test.c
@@ -20,7 +20,7 @@ static const char *pubkey_filename = NULL; /* For test_spki_file() */

 #define ALGORITHMID_NAME "algorithm-id"

-static int test_spki_aid(X509_PUBKEY *pubkey, const char *filename)
+static int test_spki_aid(const X509_PUBKEY *pubkey, const char *filename)
 {
     const ASN1_OBJECT *oid;
     X509_ALGOR *alg = NULL;
@@ -103,7 +103,7 @@ end:

 static int test_x509_spki_aid(X509 *cert, const char *filename)
 {
-    X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);
+    const X509_PUBKEY *pubkey = X509_get_X509_PUBKEY(cert);

     return test_spki_aid(pubkey, filename);
 }
diff --git a/test/keymgmt_internal_test.c b/test/keymgmt_internal_test.c
index c44c44ed73..17cea21ed2 100644
--- a/test/keymgmt_internal_test.c
+++ b/test/keymgmt_internal_test.c
@@ -301,7 +301,7 @@ static int test_evp_pkey_export_to_provider(int n)
     OSSL_PROVIDER *prov = NULL;
     X509 *cert = NULL;
     BIO *bio = NULL;
-    X509_PUBKEY *pubkey = NULL;
+    const X509_PUBKEY *pubkey = NULL;
     EVP_KEYMGMT *keymgmt = NULL;
     EVP_PKEY *pkey = NULL;
     void *keydata = NULL;