crypto/{CMS,PKCS7,OCSP,TS,X509}: constify various cert list parameters

siemens · Oct 7, 2023 · d89d44e · d89d44e
1 parent a7891ad
commit d89d44e
Show file tree

Hide file tree

Showing 28 changed files with 105 additions and 93 deletions.
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
@@ -515,7 +515,7 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
         if (X509_verify_cert(csc) <= 0)
             goto err;
 
-        if (!ossl_x509_add_certs_new(&chain,  X509_STORE_CTX_get0_chain(csc),
+        if (!ossl_x509_add_certs_new(&chain, X509_STORE_CTX_get0_chain(csc),
                                      X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
                                      | X509_ADD_FLAG_NO_SS)) {
             sk_X509_free(chain);

diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
@@ -898,7 +898,8 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int bodytype,
 OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    int certReqId, const OSSL_CMP_PKISI *si,
                                    X509 *cert, const X509 *encryption_recip,
-                                   STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
+                                   const STACK_OF(X509) *chain,
+                                   STACK_OF(X509) *caPubs,
                                    int unprotectedErrors);
 OSSL_CMP_MSG *ossl_cmp_rr_new(OSSL_CMP_CTX *ctx);
 OSSL_CMP_MSG *ossl_cmp_rp_new(OSSL_CMP_CTX *ctx, const OSSL_CMP_PKISI *si,

diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
@@ -444,7 +444,8 @@ OSSL_CMP_MSG *ossl_cmp_certreq_new(OSSL_CMP_CTX *ctx, int type,
 OSSL_CMP_MSG *ossl_cmp_certrep_new(OSSL_CMP_CTX *ctx, int bodytype,
                                    int certReqId, const OSSL_CMP_PKISI *si,
                                    X509 *cert, const X509 *encryption_recip,
-                                   STACK_OF(X509) *chain, STACK_OF(X509) *caPubs,
+                                   const STACK_OF(X509) *chain,
+                                   STACK_OF(X509) *caPubs,
                                    int unprotectedErrors)
 {
     OSSL_CMP_MSG *msg = NULL;

diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
@@ -633,7 +633,7 @@ int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert)
     return ossl_cms_SignerIdentifier_cert_cmp(si->sid, cert);
 }
 
-int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts,
+int CMS_set1_signers_certs(CMS_ContentInfo *cms, const STACK_OF(X509) *scerts,
                            unsigned int flags)
 {
     CMS_SignedData *sd;
@@ -1052,8 +1052,9 @@ int CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain)
 }
 
 BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data,
-                           STACK_OF(X509) *scerts, X509_STORE *store,
-                           STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls,
+                           const STACK_OF(X509) *scerts, X509_STORE *store,
+                           const STACK_OF(X509) *extra,
+                           const STACK_OF(X509_CRL) *crls,
                            unsigned int flags,
                            OSSL_LIB_CTX *libctx, const char *propq)
 {

diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
@@ -302,7 +302,7 @@ static int cms_signerinfo_verify_cert(CMS_SignerInfo *si,
 }
 
 /* This strongly overlaps with PKCS7_verify() */
-int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
+int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs,
                X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags)
 {
     CMS_SignerInfo *si;
@@ -488,7 +488,7 @@ int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
 }
 
 int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
-                       STACK_OF(X509) *certs,
+                       const STACK_OF(X509) *certs,
                        X509_STORE *store, unsigned int flags)
 {
     int r;
@@ -501,7 +501,7 @@ int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
 }
 
 CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey,
-                             STACK_OF(X509) *certs, BIO *data,
+                             const STACK_OF(X509) *certs, BIO *data,
                              unsigned int flags, OSSL_LIB_CTX *libctx,
                              const char *propq)
 {
@@ -548,15 +548,17 @@ CMS_ContentInfo *CMS_sign_ex(X509 *signcert, EVP_PKEY *pkey,
     return NULL;
 }
 
-CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey,
+                          const STACK_OF(X509) *certs,
                           BIO *data, unsigned int flags)
 {
     return CMS_sign_ex(signcert, pkey, certs, data, flags, NULL, NULL);
 }
 
 CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
                                   X509 *signcert, EVP_PKEY *pkey,
-                                  STACK_OF(X509) *certs, unsigned int flags)
+                                  const STACK_OF(X509) *certs,
+                                  unsigned int flags)
 {
     CMS_SignerInfo *rct_si;
     CMS_ContentInfo *cms = NULL;
@@ -626,7 +628,7 @@ CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si,
 
 }
 
-CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *data,
+CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *data,
                                 const EVP_CIPHER *cipher, unsigned int flags,
                                 OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -664,7 +666,7 @@ CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *data,
     return NULL;
 }
 
-CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *data,
+CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *data,
                              const EVP_CIPHER *cipher, unsigned int flags)
 {
     return CMS_encrypt_ex(certs, data, cipher, flags, NULL, NULL);

diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c
@@ -81,7 +81,7 @@ int OCSP_request_sign(OCSP_REQUEST *req,
                       X509 *signer,
                       EVP_PKEY *key,
                       const EVP_MD *dgst,
-                      STACK_OF(X509) *certs, unsigned long flags)
+                      const STACK_OF(X509) *certs, unsigned long flags)
 {
     if (!OCSP_request_set1_name(req, X509_get_subject_name(signer)))
         goto err;

diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
@@ -166,7 +166,7 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert)
  */
 int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
                     X509 *signer, EVP_MD_CTX *ctx,
-                    STACK_OF(X509) *certs, unsigned long flags)
+                    const STACK_OF(X509) *certs, unsigned long flags)
 {
     OCSP_RESPID *rid;
     EVP_PKEY *pkey;
@@ -214,7 +214,7 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
 
 int OCSP_basic_sign(OCSP_BASICRESP *brsp,
                     X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-                    STACK_OF(X509) *certs, unsigned long flags)
+                    const STACK_OF(X509) *certs, unsigned long flags)
 {
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     EVP_PKEY_CTX *pkctx = NULL;

diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c
@@ -14,22 +14,23 @@
 #include "ocsp_local.h"
 
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-                            STACK_OF(X509) *certs, unsigned long flags);
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id);
+                            const STACK_OF(X509) *certs, unsigned long flags);
+static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id);
 static int ocsp_check_issuer(OCSP_BASICRESP *bs, STACK_OF(X509) *chain);
 static int ocsp_check_ids(STACK_OF(OCSP_SINGLERESP) *sresp,
                           OCSP_CERTID **ret);
 static int ocsp_match_issuerid(X509 *cert, OCSP_CERTID *cid,
                                STACK_OF(OCSP_SINGLERESP) *sresp);
 static int ocsp_check_delegated(X509 *x);
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-                                const X509_NAME *nm, STACK_OF(X509) *certs,
+                                const X509_NAME *nm, const STACK_OF(X509) *certs,
                                 unsigned long flags);
 
 /* Returns 1 on success, 0 on failure, or -1 on fatal error */
 static int ocsp_verify_signer(X509 *signer, int response,
                               X509_STORE *st, unsigned long flags,
-                              STACK_OF(X509) *untrusted, STACK_OF(X509) **chain)
+                              STACK_OF(X509) *untrusted,
+                              STACK_OF(X509) **chain)
 {
     X509_STORE_CTX *ctx = X509_STORE_CTX_new();
     X509_VERIFY_PARAM *vp;
@@ -95,7 +96,7 @@ static int ocsp_verify(OCSP_REQUEST *req, OCSP_BASICRESP *bs,
 }
 
 /* Verify a basic response message */
-int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
                       X509_STORE *st, unsigned long flags)
 {
     X509 *signer, *x;
@@ -160,13 +161,13 @@ int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
 }
 
 int OCSP_resp_get0_signer(OCSP_BASICRESP *bs, X509 **signer,
-                          STACK_OF(X509) *extra_certs)
+                          const STACK_OF(X509) *extra_certs)
 {
     return ocsp_find_signer(signer, bs, extra_certs, 0) > 0;
 }
 
 static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
-                            STACK_OF(X509) *certs, unsigned long flags)
+                            const STACK_OF(X509) *certs, unsigned long flags)
 {
     X509 *signer;
     OCSP_RESPID *rid = &bs->tbsResponseData.responderId;
@@ -186,7 +187,7 @@ static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs,
     return 0;
 }
 
-static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id)
+static X509 *ocsp_find_signer_sk(const STACK_OF(X509) *certs, OCSP_RESPID *id)
 {
     int i, r;
     unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
@@ -382,7 +383,7 @@ static int ocsp_check_delegated(X509 *x)
  * Just find the signer's certificate and verify it against a given trust value.
  * Returns 1 on success, 0 on failure and on fatal error.
  */
-int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
+int OCSP_request_verify(OCSP_REQUEST *req, const STACK_OF(X509) *certs,
                         X509_STORE *store, unsigned long flags)
 {
     X509 *signer;
@@ -419,8 +420,8 @@ int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs,
 }
 
 static int ocsp_req_find_signer(X509 **psigner, OCSP_REQUEST *req,
-                                const X509_NAME *nm, STACK_OF(X509) *certs,
-                                unsigned long flags)
+                                const X509_NAME *nm, const
+                                STACK_OF(X509) *certs, unsigned long flags)
 {
     X509 *signer;
 

diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c
@@ -20,9 +20,9 @@
 
 static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si);
 
-PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
-                     BIO *data, int flags, OSSL_LIB_CTX *libctx,
-                     const char *propq)
+PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey,
+                     const STACK_OF(X509) *certs, BIO *data, int flags,
+                     OSSL_LIB_CTX *libctx, const char *propq)
 {
     PKCS7 *p7;
     int i;
@@ -64,7 +64,7 @@ PKCS7 *PKCS7_sign_ex(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
     return NULL;
 }
 
-PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs,
+PKCS7 *PKCS7_sign(X509 *signcert, EVP_PKEY *pkey, const STACK_OF(X509) *certs,
                   BIO *data, int flags)
 {
     return PKCS7_sign_ex(signcert, pkey, certs, data, flags, NULL, NULL);
@@ -211,7 +211,7 @@ static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si)
 }
 
 /* This strongly overlaps with CMS_verify(), partly with PKCS7_dataVerify() */
-int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
+int PKCS7_verify(PKCS7 *p7, const STACK_OF(X509) *certs, X509_STORE *store,
                  BIO *indata, BIO *out, int flags)
 {
     STACK_OF(X509) *signers;
@@ -357,7 +357,7 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     return ret;
 }
 
-STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,
+STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, const STACK_OF(X509) *certs,
                                    int flags)
 {
     STACK_OF(X509) *signers;
@@ -420,7 +420,7 @@ STACK_OF(X509) *PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs,
 
 /* Build a complete PKCS#7 enveloped data */
 
-PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+PKCS7 *PKCS7_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
                         const EVP_CIPHER *cipher, int flags,
                         OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -463,8 +463,8 @@ PKCS7 *PKCS7_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
 
 }
 
-PKCS7 *PKCS7_encrypt(STACK_OF(X509) *certs, BIO *in, const EVP_CIPHER *cipher,
-                     int flags)
+PKCS7 *PKCS7_encrypt(const STACK_OF(X509) *certs, BIO *in,
+                     const EVP_CIPHER *cipher, int flags)
 {
     return PKCS7_encrypt_ex(certs, in, cipher, flags, NULL, NULL);
 }

diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c
@@ -85,7 +85,7 @@ static struct {
  *      - Verify the signature value.
  *      - Returns the signer certificate in 'signer', if 'signer' is not NULL.
  */
-int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs,
+int TS_RESP_verify_signature(PKCS7 *token, const STACK_OF(X509) *certs,
                              X509_STORE *store, X509 **signer_out)
 {
     STACK_OF(PKCS7_SIGNER_INFO) *sinfos = NULL;

diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
@@ -224,7 +224,7 @@ int X509_add_cert(STACK_OF(X509) *sk, X509 *cert, int flags)
     return 1;
 }
 
-int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
+int X509_add_certs(STACK_OF(X509) *sk, const STACK_OF(X509) *certs, int flags)
 /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
 {
     if (sk == NULL) {
@@ -234,7 +234,7 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags)
     return ossl_x509_add_certs_new(&sk, certs, flags);
 }
 
-int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, STACK_OF(X509) *certs,
+int ossl_x509_add_certs_new(STACK_OF(X509) **p_sk, const STACK_OF(X509) *certs,
                             int flags)
 /* compiler would allow 'const' for the certs, yet they may get up-ref'ed */
 {
@@ -345,7 +345,7 @@ unsigned long X509_NAME_hash_old(const X509_NAME *x)
 #endif
 
 /* Search a stack of X509 for a match */
-X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
+X509 *X509_find_by_issuer_and_serial(const STACK_OF(X509) *sk, const X509_NAME *name,
                                      const ASN1_INTEGER *serial)
 {
     int i;
@@ -365,7 +365,7 @@ X509 *X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, const X509_NAME *name,
     return NULL;
 }
 
-X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name)
+X509 *X509_find_by_subject(const STACK_OF(X509) *sk, const X509_NAME *name)
 {
     X509 *x509;
     int i;

diff --git a/doc/man3/CMS_encrypt.pod b/doc/man3/CMS_encrypt.pod
@@ -8,10 +8,10 @@ CMS_encrypt_ex, CMS_encrypt - create a CMS envelopedData structure
 
  #include <openssl/cms.h>
 
- CMS_ContentInfo *CMS_encrypt_ex(STACK_OF(X509) *certs, BIO *in,
+ CMS_ContentInfo *CMS_encrypt_ex(const STACK_OF(X509) *certs, BIO *in,
                                  const EVP_CIPHER *cipher, unsigned int flags,
                                  OSSL_LIB_CTX *libctx, const char *propq);
- CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in,
+ CMS_ContentInfo *CMS_encrypt(const STACK_OF(X509) *certs, BIO *in,
                               const EVP_CIPHER *cipher, unsigned int flags);
 
 =head1 DESCRIPTION

diff --git a/doc/man3/CMS_sign_receipt.pod b/doc/man3/CMS_sign_receipt.pod
@@ -9,7 +9,7 @@ CMS_sign_receipt - create a CMS signed receipt
  #include <openssl/cms.h>
 
  CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert,
-                                   EVP_PKEY *pkey, STACK_OF(X509) *certs,
+                                   EVP_PKEY *pkey, const STACK_OF(X509) *certs,
                                    unsigned int flags);
 
 =head1 DESCRIPTION

diff --git a/doc/man3/CMS_verify.pod b/doc/man3/CMS_verify.pod
@@ -9,11 +9,13 @@ CMS_get0_signers - verify a CMS SignedData structure
 
  #include <openssl/cms.h>
 
- int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store,
+ int CMS_verify(CMS_ContentInfo *cms, const STACK_OF(X509) *certs,
+                X509_STORE *store,
                 BIO *detached_data, BIO *out, unsigned int flags);
  BIO *CMS_SignedData_verify(CMS_SignedData *sd, BIO *detached_data,
-                            STACK_OF(X509) *scerts, X509_STORE *store,
-                            STACK_OF(X509) *extra, STACK_OF(X509_CRL) *crls,
+                            const STACK_OF(X509) *scerts, X509_STORE *store,
+                            const STACK_OF(X509) *extra,
+                            const STACK_OF(X509_CRL) *crls,
                             unsigned int flags,
                             OSSL_LIB_CTX *libctx, const char *propq);
 

diff --git a/doc/man3/CMS_verify_receipt.pod b/doc/man3/CMS_verify_receipt.pod
@@ -9,7 +9,7 @@ CMS_verify_receipt - verify a CMS signed receipt
  #include <openssl/cms.h>
 
  int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms,
-                        STACK_OF(X509) *certs, X509_STORE *store,
+                        const STACK_OF(X509) *certs, X509_STORE *store,
                         unsigned int flags);
 
 =head1 DESCRIPTION

diff --git a/doc/man3/OCSP_REQUEST_new.pod b/doc/man3/OCSP_REQUEST_new.pod
@@ -17,7 +17,7 @@ OCSP_request_onereq_get0 - OCSP request functions
 
  int OCSP_request_sign(OCSP_REQUEST *req,
                        X509 *signer, EVP_PKEY *key, const EVP_MD *dgst,
-                       STACK_OF(X509) *certs, unsigned long flags);
+                       const STACK_OF(X509) *certs, unsigned long flags);
 
  int OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert);
 

diff --git a/doc/man3/OCSP_resp_find_status.pod b/doc/man3/OCSP_resp_find_status.pod
@@ -51,7 +51,7 @@ OCSP_check_validity, OCSP_basic_verify
                          ASN1_GENERALIZEDTIME *nextupd,
                          long sec, long maxsec);
 
- int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs,
+ int OCSP_basic_verify(OCSP_BASICRESP *bs, const STACK_OF(X509) *certs,
                       X509_STORE *st, unsigned long flags);
 
 =head1 DESCRIPTION