Package: xmltooling Followup-For: Bug #1138487 X-Debbugs-Cc: [email protected] Control: tags -1 patch ftbfs
Dear Maintainer, The patch fixes the issue. xml-security-c should be fixed first, as it is a build dependency. https://bugs.debian.org/.internal/challenge.html?original=%2f1138461 -- System Information: Debian Release: trixie/sid APT prefers noble-updates APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), (100, 'noble-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT) Kernel taint flags: TAINT_WARN Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled
Description: Fix OpenSSL 4.0 compatibility
 Use const for X509 accessor return values, replace removed ASN1_STRING_data() with ASN1_STRING_get0_data(), and use const for X509_NAME_ENTRY_get_data() return values.
Author: Ravi Kant Sharma <[email protected]>
Forwarded: https://codeberg.org/raviksharma/cpp-xmltooling/pulls/1
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2155031
Bug-Debian: https://bugs.debian.org/1138487
Last-Update: 2026-07-01
Index: xmltooling/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp 2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp 2026-07-01 10:45:06.160617844 +0200
@@ -216,7 +216,7 @@
 }
 }
- X509_NAME* subject=X509_get_subject_name(certEE);
+ const X509_NAME* subject=X509_get_subject_name(certEE);
 if (subject) {
 // One way is a direct match to the subject DN.
 // Seems that the way to do the compare is to write the X509_NAME into a BIO.
@@ -264,7 +264,7 @@
 for (int an=0; an<numalts; an++) {
 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
 if (check->type==GEN_DNS || check->type==GEN_URI) {
- const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
+ const char* altptr = (const char*)ASN1_STRING_get0_data(check->d.ia5);
 const int altlen = ASN1_STRING_length(check->d.ia5);
 for (set<string>::const_iterator n=trustednames.begin(); n!=trustednames.end(); n++) {
 #ifdef HAVE_STRCASECMP
@@ -291,7 +291,7 @@
 while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
 i = j;
 if (i >= 0) {
- ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+ const ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
 // Copied in from libcurl.
 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input is already UTF-8 encoded. We check for this case and copy the raw
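Review bot: In the @@ -264 hunk the subjectAltName bytes returned by `ASN1_STRING_get0_data(check->d.ia5)` are handed on as a `const char*`, but OpenSSL documents that ASN1_STRING data may lack a terminating NUL and may contain embedded NULs, so every use of `altptr` has to be bounded by `altlen`. The comparison against `trustednames` begins at `#ifdef HAVE_STRCASECMP` and runs past the end of the hunk, so it cannot be confirmed from here. It should require an exact length match as well as equal bytes, e.g. `n->length() == (size_t)altlen && !strncasecmp(altptr, n->c_str(), altlen)`, because a prefix-only or NUL-terminated comparison would accept a certificate name that merely begins with a trusted name.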
@@ -300,7 +300,7 @@
 j = ASN1_STRING_length(tmp);
 if(j >= 0) {
 peer_CN = (char*)OPENSSL_malloc(j + 1);
- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
 peer_CN[j] = '\0';
 }
 }
Index: xmltooling/xmltooling/security/impl/BasicX509Credential.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/BasicX509Credential.cpp 2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/BasicX509Credential.cpp 2026-07-01 10:45:06.161617751 +0200
@@ -380,7 +380,7 @@
 if (!cert) return;
- X509_NAME* issuer=X509_get_issuer_name(cert);
+ const X509_NAME* issuer=X509_get_issuer_name(cert);
 if (issuer) {
 BIO* b = BIO_new(BIO_s_mem());
 X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
@@ -403,7 +403,7 @@
 BN_free(serialBN);
 }
- X509_NAME* subject=X509_get_subject_name(cert);
+ const X509_NAME* subject=X509_get_subject_name(cert);
 if (subject) {
 BIO* b = BIO_new(BIO_s_mem());
 X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
@@ -421,7 +421,7 @@
 while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
 i = j;
 if (i >= 0) {
- ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+ const ASN1_STRING* tmp = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
 // Copied in from libcurl.
 /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the input is already UTF-8 encoded. We check for this case and copy the raw
@@ -430,7 +430,7 @@
 j = ASN1_STRING_length(tmp);
 if(j >= 0) {
 peer_CN = (char*)OPENSSL_malloc(j + 1);
- memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+ memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
 peer_CN[j] = '\0';
 }
 }
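Review bot: In the @@ -300 hunk the result of `OPENSSL_malloc(j + 1)` is not checked before the `memcpy` on the changed line, so an allocation failure becomes a write through a null pointer; wrap the copy as `if (peer_CN) { memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j); peer_CN[j] = '\0'; }`. The same unchecked pattern appears in the @@ -430 hunk of BasicX509Credential.cpp. The copy is NUL-terminated and presumably read as a C string afterwards (that use is outside both hunks), so a commonName holding an embedded NUL would be silently truncated. Comparing `strlen(peer_CN)` with `j` and discarding the value on mismatch would close that gap.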
@@ -450,7 +450,7 @@
 for (int an=0; an<numalts; an++) {
 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, an);
 if (check->type==GEN_DNS || check->type==GEN_URI) {
- const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
+ const char* altptr = (const char*)ASN1_STRING_get0_data(check->d.ia5);
 const int altlen = ASN1_STRING_length(check->d.ia5);
 if (altlen > 0)
 m_keyNames.insert(string(altptr, altlen));
Index: xmltooling/xmltooling/security/impl/PKIXPathValidator.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/PKIXPathValidator.cpp 2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/PKIXPathValidator.cpp 2026-07-01 10:46:54.287136051 +0200
@@ -64,7 +64,7 @@
 return ok;
 }
- static string XMLTOOL_DLLLOCAL X509_NAME_to_string(X509_NAME* n)
+ static string XMLTOOL_DLLLOCAL X509_NAME_to_string(const X509_NAME* n)
 {
 string s;
 BIO* b = BIO_new(BIO_s_mem());
@@ -89,7 +89,7 @@
 // of seconds is zero").
 // As long as OpenSSL doesn't provide any API to convert ASN1_TIME values
 // time_t, we therefore have to parse it ourselves, unfortunately.
- if (sscanf((const char*)a->data, "%2d%2d%2d%2d%2d%2dZ",
+ if (sscanf((const char*)ASN1_STRING_get0_data(a), "%2d%2d%2d%2d%2d%2dZ",
 &t.tm_year, &t.tm_mon, &t.tm_mday, &t.tm_hour, &t.tm_min, &t.tm_sec) == 6) {
 if (t.tm_year <= 50) {
@@ -379,7 +379,7 @@
 GENERAL_NAME* gen = sk_GENERAL_NAME_value(dp->distpoint->name.fullname, iii);
 // Only consider URIs, and stop after the first one we find.
 if (gen->type == GEN_URI) {
- const char* cdpuri = (const char*)gen->d.ia5->data;
+ const char* cdpuri = (const char*)ASN1_STRING_get0_data(gen->d.ia5);
 scoped_ptr<XSECCryptoX509CRL> crl(getRemoteCRLs(cdpuri));
 if (crl.get() && crl->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL && (isFreshCRL(crl.get()) || (ii == sk_DIST_POINT_num(dps)-1 && iii == sk_GENERAL_NAME_num(dp->distpoint->name.fullname)-1))) {
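Review bot: In the @@ -89 hunk `sscanf` still parses the ASN1_TIME buffer as a NUL-terminated C string, which OpenSSL does not guarantee for ASN1_STRING data, and nothing visible checks the value's length before parsing. Either reject short values first with `if (ASN1_STRING_length(a) < 13) return 0;` (use the function's actual failure return, which is outside the hunk), or replace the hand parser with `ASN1_TIME_to_tm(a, &t)`. That function has been in OpenSSL since 1.1.1, so the comment above the call about the missing conversion API is out of date. With `ASN1_TIME_to_tm`, the manual year adjustment starting at `if (t.tm_year <= 50)` would presumably have to go; the rest of the function is not visible here.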
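Review bot: In the @@ -379 hunk `cdpuri` is taken straight from the CRL distribution point of the certificate being validated and passed to `getRemoteCRLs()` as a C string, with no check that the IA5String is free of embedded NULs and no visible restriction on the URI scheme. Skip the entry when the lengths disagree, e.g. `if (strlen(cdpuri) != (size_t)ASN1_STRING_length(gen->d.ia5)) continue;`, so that the string that is fetched is the string the certificate actually carries. `getRemoteCRLs()` is not shown here, so confirm separately that it only retrieves from the schemes and destinations the deployment expects, since the URI is chosen by whoever issued the certificate. The enclosing loops start and end outside the hunk.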

