Package: xmltooling
Followup-For: Bug #1138487
X-Debbugs-Cc: [email protected]
Control: tags -1 patch ftbfs

Dear Maintainer,

The patch fixes the issue. xml-security-c should be fixed first, as it is a 
build dependency: https://bugs.debian.org/.internal/challenge.html?original=%2f1138461

-- System Information:
Debian Release: trixie/sid
  APT prefers noble-updates
  APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'), 
(100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.8.0-117-generic (SMP w/12 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Description: Fix OpenSSL 4.0 compatibility
 Use const for X509 accessor return values, replace removed
 ASN1_STRING_data() with ASN1_STRING_get0_data(), and use const for
 X509_NAME_ENTRY_get_data() return values.
Author: Ravi Kant Sharma <[email protected]>
Forwarded: https://codeberg.org/raviksharma/cpp-xmltooling/pulls/1
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2155031
Bug-Debian: https://bugs.debian.org/1138487
Last-Update: 2026-07-01

Index: xmltooling/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp        
2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/AbstractPKIXTrustEngine.cpp     
2026-07-01 10:45:06.160617844 +0200
@@ -216,7 +216,7 @@
         }
     }
 
-    X509_NAME* subject=X509_get_subject_name(certEE);
+    const X509_NAME* subject=X509_get_subject_name(certEE);
     if (subject) {
         // One way is a direct match to the subject DN.
         // Seems that the way to do the compare is to write the X509_NAME into 
a BIO.
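Review bot: Declaring `subject` as `const X509_NAME*` is unconditional, yet the later hunk in this file passes it to `X509_NAME_get_index_by_NID`, which (as far as I recall) still takes a non-const `X509_NAME*` in OpenSSL releases before 3.0, so the C++ build would fail there. If upstream still supports those releases, keep the old declaration or add a `const_cast<X509_NAME*>(subject)` at the call site under `#if OPENSSL_VERSION_NUMBER < 0x30000000L`. The same question applies to the `issuer`/`subject` declarations in BasicX509Credential.cpp and the new `X509_NAME_to_string(const X509_NAME* n)` signature in PKIXPathValidator.cpp. The enclosing function starts and ends outside this hunk.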
@@ -264,7 +264,7 @@
             for (int an=0; an<numalts; an++) {
                 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, 
an);
                 if (check->type==GEN_DNS || check->type==GEN_URI) {
-                    const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
+                    const char* altptr = (const 
char*)ASN1_STRING_get0_data(check->d.ia5);
                     const int altlen = ASN1_STRING_length(check->d.ia5);
                     for (set<string>::const_iterator n=trustednames.begin(); 
n!=trustednames.end(); n++) {
 #ifdef HAVE_STRCASECMP
@@ -291,7 +291,7 @@
         while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
             i = j;
         if (i >= 0) {
-            ASN1_STRING* tmp = 
X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+            const ASN1_STRING* tmp = 
X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
             // Copied in from libcurl.
             /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the 
input
                is already UTF-8 encoded. We check for this case and copy the 
raw
@@ -300,7 +300,7 @@
                 j = ASN1_STRING_length(tmp);
                 if(j >= 0) {
                     peer_CN = (char*)OPENSSL_malloc(j + 1);
-                    memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+                    memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
                     peer_CN[j] = '\0';
                 }
             }
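Review bot: `OPENSSL_malloc(j + 1)` is used without a null check, so the `memcpy` on the changed line and the `peer_CN[j] = '\0'` after it write through a null pointer if the allocation fails. Guard the copy, e.g. `if (peer_CN) { memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j); peer_CN[j] = '\0'; }`. Because the bytes are copied by length, a common name with an embedded NUL would be cut short by any later C-string use of `peer_CN`; whether the code after this hunk rejects that case (the libcurl original compares `strlen(peer_CN)` with `j`) is not visible here. The identical block in BasicX509Credential.cpp (hunk at -430) has the same problem.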
Index: xmltooling/xmltooling/security/impl/BasicX509Credential.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/BasicX509Credential.cpp    
2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/BasicX509Credential.cpp 2026-07-01 
10:45:06.161617751 +0200
@@ -380,7 +380,7 @@
     if (!cert)
         return;
 
-    X509_NAME* issuer=X509_get_issuer_name(cert);
+    const X509_NAME* issuer=X509_get_issuer_name(cert);
     if (issuer) {
         BIO* b = BIO_new(BIO_s_mem());
         X509_NAME_print_ex(b,issuer,0,XN_FLAG_RFC2253);
@@ -403,7 +403,7 @@
         BN_free(serialBN);
     }
 
-    X509_NAME* subject=X509_get_subject_name(cert);
+    const X509_NAME* subject=X509_get_subject_name(cert);
     if (subject) {
         BIO* b = BIO_new(BIO_s_mem());
         X509_NAME_print_ex(b,subject,0,XN_FLAG_RFC2253);
@@ -421,7 +421,7 @@
         while ((j=X509_NAME_get_index_by_NID(subject, NID_commonName, i)) >= 0)
             i = j;
         if (i >= 0) {
-            ASN1_STRING* tmp = 
X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
+            const ASN1_STRING* tmp = 
X509_NAME_ENTRY_get_data(X509_NAME_get_entry(subject, i));
             // Copied in from libcurl.
             /* In OpenSSL 0.9.7d and earlier, ASN1_STRING_to_UTF8 fails if the 
input
                is already UTF-8 encoded. We check for this case and copy the 
raw
@@ -430,7 +430,7 @@
                 j = ASN1_STRING_length(tmp);
                 if(j >= 0) {
                     peer_CN = (char*)OPENSSL_malloc(j + 1);
-                    memcpy(peer_CN, ASN1_STRING_data(tmp), j);
+                    memcpy(peer_CN, ASN1_STRING_get0_data(tmp), j);
                     peer_CN[j] = '\0';
                 }
             }
@@ -450,7 +450,7 @@
             for (int an=0; an<numalts; an++) {
                 const GENERAL_NAME* check = sk_GENERAL_NAME_value(altnames, 
an);
                 if (check->type==GEN_DNS || check->type==GEN_URI) {
-                    const char* altptr = (char*)ASN1_STRING_data(check->d.ia5);
+                    const char* altptr = (const 
char*)ASN1_STRING_get0_data(check->d.ia5);
                     const int altlen = ASN1_STRING_length(check->d.ia5);
                     if (altlen > 0)
                         m_keyNames.insert(string(altptr, altlen));
Index: xmltooling/xmltooling/security/impl/PKIXPathValidator.cpp
===================================================================
--- xmltooling.orig/xmltooling/security/impl/PKIXPathValidator.cpp      
2026-07-01 10:45:06.169617005 +0200
+++ xmltooling/xmltooling/security/impl/PKIXPathValidator.cpp   2026-07-01 
10:46:54.287136051 +0200
@@ -64,7 +64,7 @@
         return ok;
     }
 
-    static string XMLTOOL_DLLLOCAL X509_NAME_to_string(X509_NAME* n)
+    static string XMLTOOL_DLLLOCAL X509_NAME_to_string(const X509_NAME* n)
     {
         string s;
         BIO* b = BIO_new(BIO_s_mem());
@@ -89,7 +89,7 @@
         // of seconds is zero").
         // As long as OpenSSL doesn't provide any API to convert ASN1_TIME 
values
         // time_t, we therefore have to parse it ourselves, unfortunately.
-        if (sscanf((const char*)a->data, "%2d%2d%2d%2d%2d%2dZ",
+        if (sscanf((const char*)ASN1_STRING_get0_data(a), 
"%2d%2d%2d%2d%2d%2dZ",
             &t.tm_year, &t.tm_mon, &t.tm_mday,
             &t.tm_hour, &t.tm_min, &t.tm_sec) == 6) {
             if (t.tm_year <= 50) {
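Review bot: `sscanf` treats the pointer from `ASN1_STRING_get0_data(a)` as a NUL-terminated C string, but OpenSSL documents that this buffer is not guaranteed to be NUL-terminated, and nothing visible in the hunk checks `ASN1_STRING_length(a)` before parsing. Prefer `ASN1_TIME_to_tm()`, available since OpenSSL 1.1.1, which validates the encoding and also handles GeneralizedTime; the context comment saying OpenSSL offers no conversion API is out of date. If the hand parser has to stay, copy at most `ASN1_STRING_length(a)` bytes into a small terminated local buffer and parse that. The function continues outside the hunk.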
@@ -379,7 +379,7 @@
                     GENERAL_NAME* gen = 
sk_GENERAL_NAME_value(dp->distpoint->name.fullname, iii);
                     // Only consider URIs, and stop after the first one we 
find.
                     if (gen->type == GEN_URI) {
-                        const char* cdpuri = (const char*)gen->d.ia5->data;
+                        const char* cdpuri = (const 
char*)ASN1_STRING_get0_data(gen->d.ia5);
                         scoped_ptr<XSECCryptoX509CRL> 
crl(getRemoteCRLs(cdpuri));
                         if (crl.get() && 
crl->getProviderName()==DSIGConstants::s_unicodeStrPROVOpenSSL &&
                             (isFreshCRL(crl.get()) || (ii == 
sk_DIST_POINT_num(dps)-1 && iii == 
sk_GENERAL_NAME_num(dp->distpoint->name.fullname)-1))) {
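Review bot: `cdpuri` is handed to `getRemoteCRLs()` as a plain C string, so the ASN.1 length is ignored: the buffer is not guaranteed to be NUL-terminated, and a URI containing an embedded NUL would be silently truncated before the fetch. Build the argument from pointer and length, e.g. `string cdpuri((const char*)ASN1_STRING_get0_data(gen->d.ia5), ASN1_STRING_length(gen->d.ia5));`, skip the entry when `cdpuri.find('\0') != string::npos`, and pass `cdpuri.c_str()`. Since this URI is taken from the certificate under validation, it is also worth confirming that `getRemoteCRLs` restricts which schemes and hosts it will contact; that function is not visible in this hunk.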
