Dear yubico-piv-tool maintainers, Upstream [1] developed a patch that allows yubico-piv-tool to build with both OpenSSL 3.x and OpenSSL 4.0. I verified that both builds succeed [2].
The FTBFS was caused by several OpenSSL functions now returning const pointers. The patch updates the relevant call sites to match this change, adding const qualifiers or casting pointer types accordingly. I have attached the patch to this message. Please let me know if you need anything else. Best wishes, Ruan [1]: https://github.com/Yubico/yubico-piv-tool/pull/583 [2]: https://launchpad.net/~ruancomelli/+archive/ubuntu/fix-lp2154946/+sourcepub/18609375/+listing-archive-extra
From 60eb5d965300bc3459d7ec96bf596753fe83d472 Mon Sep 17 00:00:00 2001 From: Simo Sorce <[email protected]> Date: Tue, 28 Apr 2026 17:42:08 -0400 Subject: [PATCH] Fix const correctness in OpenSSL utils Updated function signatures, variable declarations, and return casts to use the appropriate const qualifiers. This resolves compiler warnings and ensures compatibility with versions of OpenSSL that enforce stricter const-correctness in their APIs. Signed-off-by: Simo Sorce <[email protected]> Signed-off-by: Jakub Jelen <[email protected]> Origin: upstream, https://github.com/Yubico/yubico-piv-tool/commit/60eb5d965300bc3459d7ec96bf596753fe83d472 Forwarded: not-needed Bug-Debian: https://bugs.debian.org/1138400 Bug-Ubuntu: https://bugs.launchpad.net/bugs/2154946 --- tool/yubico-piv-tool.c | 2 +- ykcs11/openssl_utils.c | 10 +++++----- ykcs11/openssl_utils.h | 2 +- ykcs11/tests/ykcs11_tests_util.c | 16 ++++++++-------- 4 files changed, 15 insertions(+), 15 deletions(-) diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index 60c4f954..0837b35e 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c @@ -1905,7 +1905,7 @@ static void print_slot_info(ykpiv_state *state, enum enum_slot slot, const EVP_M ykpiv_metadata slot_md = {0}; X509 *x509 = NULL; EVP_PKEY *key = NULL; - X509_NAME *subj; + const X509_NAME *subj; BIO *bio = NULL; bool cert_found = false, metadata_found = false; diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c index 0609e133..0b1c2451 100644 --- a/ykcs11/openssl_utils.c +++ b/ykcs11/openssl_utils.c @@ -175,8 +175,8 @@ CK_RV do_sign_empty_cert(const char *cn, ykcs11_pkey_t *pubkey, ykcs11_pkey_t *p return CKR_HOST_MEMORY; } X509_set_version(*cert, 2); // Version 3 - X509_NAME_add_entry_by_txt(X509_get_issuer_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0); - X509_NAME_add_entry_by_txt(X509_get_subject_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0); ASN1_INTEGER_set(X509_get_serialNumber(*cert), 0); X509_gmtime_adj(X509_get_notBefore(*cert), 0); X509_gmtime_adj(X509_get_notAfter(*cert), 0); @@ -272,7 +272,7 @@ CK_RV do_get_raw_cert(ykcs11_x509_t *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len return CKR_OK; } -CK_RV do_get_raw_name(ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { +CK_RV do_get_raw_name(const ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len) { CK_BYTE_PTR p; int len; @@ -355,11 +355,11 @@ CK_RV do_parse_attestation(ykcs11_x509_t *cert, CK_BYTE_PTR pin_policy, CK_BYTE_ if (pos < 0) return CKR_FUNCTION_FAILED; - X509_EXTENSION *ext = X509_get_ext(cert, pos); + X509_EXTENSION *ext = (X509_EXTENSION *)X509_get_ext(cert, pos); if (ext == NULL) return CKR_FUNCTION_FAILED; - ASN1_OCTET_STRING *oct = X509_EXTENSION_get_data(ext); + ASN1_OCTET_STRING *oct = (ASN1_OCTET_STRING *)X509_EXTENSION_get_data(ext); if (oct == NULL) return CKR_FUNCTION_FAILED; diff --git a/ykcs11/openssl_utils.h b/ykcs11/openssl_utils.h index bc771552..0542093b 100644 --- a/ykcs11/openssl_utils.h +++ b/ykcs11/openssl_utils.h @@ -46,7 +46,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_ULONG algorithm, const char *cn, CK_BYTE_PTR out, CK_ULONG_PTR out_len); CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_ULONG_PTR cert_len); CK_RV do_get_raw_cert(ykcs11_x509_t *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len); -CK_RV do_get_raw_name(ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len); +CK_RV do_get_raw_name(const ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len); CK_RV do_get_raw_integer(ykcs11_asn1_integer_t *serial, CK_BYTE_PTR out, CK_ULONG_PTR out_len); CK_RV do_delete_cert(ykcs11_x509_t **cert); diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c index 4c795a72..06bfe95e 100644 --- a/ykcs11/tests/ykcs11_tests_util.c +++ b/ykcs11/tests/ykcs11_tests_util.c @@ -334,8 +334,8 @@ EVP_PKEY* import_edkey(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session X509 *cert = X509_new(); X509_set_version(cert, 2); // Version 3 - X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); - X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); X509_gmtime_adj(X509_get_notBefore(cert), 0); X509_gmtime_adj(X509_get_notAfter(cert), 0); @@ -413,8 +413,8 @@ void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, X509 *cert = X509_new(); X509_set_version(cert, 2); // Version 3 - X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); - X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); X509_gmtime_adj(X509_get_notBefore(cert), 0); X509_gmtime_adj(X509_get_notAfter(cert), 0); @@ -496,8 +496,8 @@ EC_KEY* import_ec_key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, exit(EXIT_FAILURE); X509_set_version(cert, 2); // Version 3 - X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); - X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); X509_gmtime_adj(X509_get_notBefore(cert), 0); X509_gmtime_adj(X509_get_notAfter(cert), 0); @@ -664,8 +664,8 @@ void import_rsa_key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, i exit(EXIT_FAILURE); X509_set_version(cert, 2); // Version 3 - X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); - X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0); + X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0); ASN1_INTEGER_set(X509_get_serialNumber(cert), 0); X509_gmtime_adj(X509_get_notBefore(cert), 0); X509_gmtime_adj(X509_get_notAfter(cert), 0);

