Dear yubico-piv-tool maintainers,

Upstream [1] developed a patch that allows yubico-piv-tool to build with
both OpenSSL 3.x and OpenSSL 4.0. I verified that both builds succeed [2].

The FTBFS was caused by several OpenSSL functions now returning const
pointers. The patch updates the relevant call sites to match this change,
adding const qualifiers or casting pointer types accordingly.

I have attached the patch to this message. Please let me know if you need
anything else.

Best wishes,
Ruan

[1]: https://github.com/Yubico/yubico-piv-tool/pull/583
[2]:
https://launchpad.net/~ruancomelli/+archive/ubuntu/fix-lp2154946/+sourcepub/18609375/+listing-archive-extra
From 60eb5d965300bc3459d7ec96bf596753fe83d472 Mon Sep 17 00:00:00 2001
From: Simo Sorce <[email protected]>
Date: Tue, 28 Apr 2026 17:42:08 -0400
Subject: [PATCH] Fix const correctness in OpenSSL utils

Updated function signatures, variable declarations, and return casts to use
the appropriate const qualifiers. This resolves compiler warnings and ensures
compatibility with versions of OpenSSL that enforce stricter const-correctness
in their APIs.

Signed-off-by: Simo Sorce <[email protected]>
Signed-off-by: Jakub Jelen <[email protected]>

Origin: upstream, https://github.com/Yubico/yubico-piv-tool/commit/60eb5d965300bc3459d7ec96bf596753fe83d472
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/1138400
Bug-Ubuntu: https://bugs.launchpad.net/bugs/2154946
---
 tool/yubico-piv-tool.c           |  2 +-
 ykcs11/openssl_utils.c           | 10 +++++-----
 ykcs11/openssl_utils.h           |  2 +-
 ykcs11/tests/ykcs11_tests_util.c | 16 ++++++++--------
 4 files changed, 15 insertions(+), 15 deletions(-)

diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 60c4f954..0837b35e 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -1905,7 +1905,7 @@ static void print_slot_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
   ykpiv_metadata slot_md = {0};
   X509 *x509 = NULL;
   EVP_PKEY *key = NULL;
-  X509_NAME *subj;
+  const X509_NAME *subj;
   BIO *bio = NULL;
   bool cert_found = false, metadata_found = false;
 
diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c
index 0609e133..0b1c2451 100644
--- a/ykcs11/openssl_utils.c
+++ b/ykcs11/openssl_utils.c
@@ -175,8 +175,8 @@ CK_RV do_sign_empty_cert(const char *cn, ykcs11_pkey_t *pubkey, ykcs11_pkey_t *p
     return CKR_HOST_MEMORY;
   }
   X509_set_version(*cert, 2); // Version 3
-  X509_NAME_add_entry_by_txt(X509_get_issuer_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0);
-  X509_NAME_add_entry_by_txt(X509_get_subject_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(*cert), "CN", MBSTRING_ASC, (const unsigned char*)cn, -1, -1, 0);
   ASN1_INTEGER_set(X509_get_serialNumber(*cert), 0);
   X509_gmtime_adj(X509_get_notBefore(*cert), 0);
   X509_gmtime_adj(X509_get_notAfter(*cert), 0);
@@ -272,7 +272,7 @@ CK_RV do_get_raw_cert(ykcs11_x509_t *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len
   return CKR_OK;
 }
 
-CK_RV do_get_raw_name(ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
+CK_RV do_get_raw_name(const ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
 
   CK_BYTE_PTR p;
   int         len;
@@ -355,11 +355,11 @@ CK_RV do_parse_attestation(ykcs11_x509_t *cert, CK_BYTE_PTR pin_policy, CK_BYTE_
   if (pos < 0)
     return CKR_FUNCTION_FAILED;
 
-  X509_EXTENSION *ext = X509_get_ext(cert, pos);
+  X509_EXTENSION *ext = (X509_EXTENSION *)X509_get_ext(cert, pos);
   if (ext == NULL)
     return CKR_FUNCTION_FAILED;
 
-  ASN1_OCTET_STRING *oct = X509_EXTENSION_get_data(ext);
+  ASN1_OCTET_STRING *oct = (ASN1_OCTET_STRING *)X509_EXTENSION_get_data(ext);
   if (oct == NULL)
     return CKR_FUNCTION_FAILED;
 
diff --git a/ykcs11/openssl_utils.h b/ykcs11/openssl_utils.h
index bc771552..0542093b 100644
--- a/ykcs11/openssl_utils.h
+++ b/ykcs11/openssl_utils.h
@@ -46,7 +46,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_ULONG algorithm,
                            const char *cn, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
 CK_RV do_check_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_ULONG_PTR cert_len);
 CK_RV do_get_raw_cert(ykcs11_x509_t *cert, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
-CK_RV do_get_raw_name(ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
+CK_RV do_get_raw_name(const ykcs11_x509_name_t *name, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
 CK_RV do_get_raw_integer(ykcs11_asn1_integer_t *serial, CK_BYTE_PTR out, CK_ULONG_PTR out_len);
 CK_RV do_delete_cert(ykcs11_x509_t **cert);
 
diff --git a/ykcs11/tests/ykcs11_tests_util.c b/ykcs11/tests/ykcs11_tests_util.c
index 4c795a72..06bfe95e 100644
--- a/ykcs11/tests/ykcs11_tests_util.c
+++ b/ykcs11/tests/ykcs11_tests_util.c
@@ -334,8 +334,8 @@ EVP_PKEY* import_edkey(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session
 
   X509 *cert = X509_new();
   X509_set_version(cert, 2); // Version 3
-  X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
-  X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
   ASN1_INTEGER_set(X509_get_serialNumber(cert), 0);
   X509_gmtime_adj(X509_get_notBefore(cert), 0);
   X509_gmtime_adj(X509_get_notAfter(cert), 0);
@@ -413,8 +413,8 @@ void import_x25519key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session,
 
   X509 *cert = X509_new();
   X509_set_version(cert, 2); // Version 3
-  X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
-  X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
   ASN1_INTEGER_set(X509_get_serialNumber(cert), 0);
   X509_gmtime_adj(X509_get_notBefore(cert), 0);
   X509_gmtime_adj(X509_get_notAfter(cert), 0);
@@ -496,8 +496,8 @@ EC_KEY* import_ec_key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session,
     exit(EXIT_FAILURE);
 
   X509_set_version(cert, 2); // Version 3
-  X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
-  X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
   ASN1_INTEGER_set(X509_get_serialNumber(cert), 0);
   X509_gmtime_adj(X509_get_notBefore(cert), 0);
   X509_gmtime_adj(X509_get_notAfter(cert), 0);
@@ -664,8 +664,8 @@ void import_rsa_key(CK_FUNCTION_LIST_3_0_PTR funcs, CK_SESSION_HANDLE session, i
     exit(EXIT_FAILURE);
 
   X509_set_version(cert, 2); // Version 3
-  X509_NAME_add_entry_by_txt(X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
-  X509_NAME_add_entry_by_txt(X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_issuer_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Issuer", -1, -1, 0);
+  X509_NAME_add_entry_by_txt((X509_NAME *)X509_get_subject_name(cert), "CN", MBSTRING_ASC, (unsigned char*)"Test Subject", -1, -1, 0);
   ASN1_INTEGER_set(X509_get_serialNumber(cert), 0);
   X509_gmtime_adj(X509_get_notBefore(cert), 0);
   X509_gmtime_adj(X509_get_notAfter(cert), 0);

Reply via email to