From 68c12bfc6601d40e85146f36f26fe8ff0472f36b Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson"
Date: Thu, 18 Aug 2016 15:16:31 +0100
Subject: [PATCH] Add X509_get0_serialNumber() and constify OCSP_cert_to_id()
Reviewed-by: Matt Caswell
---
 crypto/ocsp/ocsp_lib.c | 13 +++++++------
 crypto/x509/x509_cmp.c | 5 +++++
 doc/crypto/X509_get_serialNumber.pod | 15 +++++++++++----
 include/openssl/ocsp.h | 9 +++++----
 include/openssl/x509.h | 1 +
 5 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index 5ff2f318b3..8edd70ac8d 100644
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -19,16 +19,17 @@
 /* Convert a certificate and its issuer to an OCSP_CERTID */
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
+ const X509 *issuer)
 {
 X509_NAME *iname;
- ASN1_INTEGER *serial;
+ const ASN1_INTEGER *serial;
 ASN1_BIT_STRING *ikey;
 if (!dgst) dgst = EVP_sha1();
 if (subject) {
 iname = X509_get_issuer_name(subject);
- serial = X509_get_serialNumber(subject);
+ serial = X509_get0_serialNumber(subject);
 } else {
 iname = X509_get_subject_name(issuer);
 serial = NULL;
@@ -38,9 +39,9 @@ OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer)
 }
 OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- X509_NAME *issuerName,
- ASN1_BIT_STRING *issuerKey,
- ASN1_INTEGER *serialNumber)
+ const X509_NAME *issuerName,
+ const ASN1_BIT_STRING *issuerKey,
+ const ASN1_INTEGER *serialNumber)
 {
 int nid;
 unsigned int i;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index a33fd4779d..01056356c5 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
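Review bot: In OCSP_cert_to_id() (crypto/ocsp/ocsp_lib.c, first hunk) the `else` branch hands `issuer` to `X509_get_subject_name()` with no visible NULL check, and the one-line comment above the function documents neither that nor the SHA-1 fallback taken when `dgst` is NULL. Since the signature is being touched anyway, the comment could spell out the contract, for example `/* dgst == NULL selects EVP_sha1(); subject may be NULL (serial is then NULL); issuer must not be NULL */`. Whether a NULL `issuer` is rejected further down cannot be told from here, because the function body continues past the end of the hunk. The same wording would also fit the prototype in include/openssl/ocsp.h.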
@@ -107,6 +107,11 @@ ASN1_INTEGER *X509_get_serialNumber(X509 *a)
 return &a->cert_info.serialNumber;
 }
+const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a)
+{
+ return &a->cert_info.serialNumber;
+}
+
 unsigned long X509_subject_name_hash(X509 *x)
 {
 return (X509_NAME_hash(x->cert_info.subject));
diff --git a/doc/crypto/X509_get_serialNumber.pod b/doc/crypto/X509_get_serialNumber.pod
index 4f1b033ade..2e81c62396 100644
--- a/doc/crypto/X509_get_serialNumber.pod
+++ b/doc/crypto/X509_get_serialNumber.pod
@@ -2,14 +2,17 @@
 =head1 NAME
-X509_get_serialNumber, X509_set_serialNumber - get or set certificate serial
-number
+X509_get_serialNumber,
+X509_get0_serialNumber,
+X509_set_serialNumber
+- get or set certificate serial number
 =head1 SYNOPSIS
 #include ASN1_INTEGER *X509_get_serialNumber(X509 *x);
+ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
 int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
 =head1 DESCRIPTION
@@ -18,13 +21,17 @@ X509_get_serialNumber() returns the serial number of certificate B as an B structure which can be examined or initialised. The value returned is an internal pointer which B be freed up after the call.
+X509_get0_serialNumber() is the same as X509_get_serialNumber() except it
+accepts a const parameter and returns a const result.
+
 X509_set_serialNumber() sets the serial number of certificate B to B. A copy of the serial number is used internally so B should be freed up after use.
 =head1 RETURN VALUES
-X509_get_serialNumber() returns an B structure.
+X509_get_serialNumber() and X509_get0_serialNumber() return an B
+structure.
 X509_set_serialNumber() returns 1 for success and 0 for failure.
@@ -50,7 +57,7 @@ L
 =head1 HISTORY
 X509_get_serialNumber() and X509_set_serialNumber() are available in
-all versions of OpenSSL.
+all versions of OpenSSL. X509_get0_serialNumber() was added in OpenSSL 1.1.0.
 =head1 COPYRIGHT
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index a1e4e88201..44f7195f41 100644
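Review bot: X509_get0_serialNumber() in crypto/x509/x509_cmp.c returns the address of a field inside `*a`, so the result is only valid while the certificate itself is alive, and `a` is dereferenced without a NULL check, as in X509_get_serialNumber() just above it. The definition carries no comment on either point, and the added pod text only calls it "the same as X509_get_serialNumber()". A short comment on the definition would keep callers from holding the pointer past X509_free(): `/* Returns an internal pointer: do not free it and do not use it after |a| is freed; |a| must not be NULL. */`.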
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -182,12 +182,13 @@ int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req);
 int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, const char *value);
-OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer);
+OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject,
+ const X509 *issuer);
 OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst,
- X509_NAME *issuerName,
- ASN1_BIT_STRING *issuerKey,
- ASN1_INTEGER *serialNumber);
+ const X509_NAME *issuerName,
+ const ASN1_BIT_STRING *issuerKey,
+ const ASN1_INTEGER *serialNumber);
 OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid);
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 78227128a2..fe7fd78787 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -617,6 +617,7 @@ long X509_get_version(const X509 *x);
 int X509_set_version(X509 *x, long version);
 int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
 ASN1_INTEGER *X509_get_serialNumber(X509 *x);
+const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
 int X509_set_issuer_name(X509 *x, X509_NAME *name);
 X509_NAME *X509_get_issuer_name(const X509 *a);
 int X509_set_subject_name(X509 *x, X509_NAME *name);
--
2.34.1