From ee74c34ec9d1096b14e84bccff50a4d35fcf5962 Mon Sep 17 00:00:00 2001
From: Nickolay Olshevsky <o.nickolay@gmail.com>
Date: Mon, 29 Jul 2024 15:23:42 +0300
Subject: [PATCH] Update constness where applicable.

---
 src/lib/crypto/exdsa_ecdhkem.cpp        |   2 +-
 src/lib/crypto/exdsa_ecdhkem.h          |   2 +-
 src/lib/crypto/kyber.cpp                |   2 +-
 src/lib/crypto/kyber.h                  |   2 +-
 src/lib/crypto/kyber_ecdh_composite.cpp |   4 +-
 src/lib/crypto/kyber_ecdh_composite.h   |   4 +-
 src/lib/key_material.cpp                | 106 +++++++++++------------
 src/lib/key_material.hpp                | 110 ++++++++++++------------
 8 files changed, 116 insertions(+), 116 deletions(-)

diff --git a/src/lib/crypto/exdsa_ecdhkem.cpp b/src/lib/crypto/exdsa_ecdhkem.cpp
index 2d664d8598..4d8d47287c 100644
--- a/src/lib/crypto/exdsa_ecdhkem.cpp
+++ b/src/lib/crypto/exdsa_ecdhkem.cpp
@@ -116,7 +116,7 @@ ecdh_kem_private_key_t::get_pubkey_encoded(rnp::RNG *rng) const
 rnp_result_t
 ecdh_kem_public_key_t::encapsulate(rnp::RNG *            rng,
                                    std::vector<uint8_t> &ciphertext,
-                                   std::vector<uint8_t> &symmetric_key)
+                                   std::vector<uint8_t> &symmetric_key) const
 {
     if (curve_ == PGP_CURVE_25519) {
         Botan::Curve25519_PrivateKey eph_prv_key(*(rng->obj()));
diff --git a/src/lib/crypto/exdsa_ecdhkem.h b/src/lib/crypto/exdsa_ecdhkem.h
index 03fe025d6a..6fe2ab0283 100644
--- a/src/lib/crypto/exdsa_ecdhkem.h
+++ b/src/lib/crypto/exdsa_ecdhkem.h
@@ -88,7 +88,7 @@ class ecdh_kem_public_key_t : public ec_key_t {
 
     rnp_result_t encapsulate(rnp::RNG *            rng,
                              std::vector<uint8_t> &ciphertext,
-                             std::vector<uint8_t> &symmetric_key);
+                             std::vector<uint8_t> &symmetric_key) const;
 
   private:
     Botan::ECDH_PublicKey       botan_key_ecdh(rnp::RNG *rng) const;
diff --git a/src/lib/crypto/kyber.cpp b/src/lib/crypto/kyber.cpp
index f7e353c949..eaf78e2c64 100644
--- a/src/lib/crypto/kyber.cpp
+++ b/src/lib/crypto/kyber.cpp
@@ -89,7 +89,7 @@ pgp_kyber_private_key_t::botan_key() const
 }
 
 kyber_encap_result_t
-pgp_kyber_public_key_t::encapsulate(rnp::RNG *rng)
+pgp_kyber_public_key_t::encapsulate(rnp::RNG *rng) const
 {
     assert(is_initialized_);
     auto decoded_kyber_pub = botan_key();
diff --git a/src/lib/crypto/kyber.h b/src/lib/crypto/kyber.h
index 24122ce8d0..7254f28d60 100644
--- a/src/lib/crypto/kyber.h
+++ b/src/lib/crypto/kyber.h
@@ -82,7 +82,7 @@ class pgp_kyber_public_key_t {
                            kyber_parameter_e mode);
     pgp_kyber_public_key_t(std::vector<uint8_t> const &key_encoded, kyber_parameter_e mode);
     pgp_kyber_public_key_t() = default;
-    kyber_encap_result_t encapsulate(rnp::RNG *rng);
+    kyber_encap_result_t encapsulate(rnp::RNG *rng) const;
 
     bool
     operator==(const pgp_kyber_public_key_t &rhs) const
diff --git a/src/lib/crypto/kyber_ecdh_composite.cpp b/src/lib/crypto/kyber_ecdh_composite.cpp
index b343103f24..647f862252 100644
--- a/src/lib/crypto/kyber_ecdh_composite.cpp
+++ b/src/lib/crypto/kyber_ecdh_composite.cpp
@@ -339,7 +339,7 @@ rnp_result_t
 pgp_kyber_ecdh_composite_private_key_t::decrypt(rnp::RNG *                        rng,
                                                 uint8_t *                         out,
                                                 size_t *                          out_len,
-                                                const pgp_kyber_ecdh_encrypted_t *enc)
+                                                const pgp_kyber_ecdh_encrypted_t *enc) const
 {
     initialized_or_throw();
     rnp_result_t         res;
@@ -495,7 +495,7 @@ rnp_result_t
 pgp_kyber_ecdh_composite_public_key_t::encrypt(rnp::RNG *                  rng,
                                                pgp_kyber_ecdh_encrypted_t *out,
                                                const uint8_t *             session_key,
-                                               size_t                      session_key_len)
+                                               size_t session_key_len) const
 {
     initialized_or_throw();
 
diff --git a/src/lib/crypto/kyber_ecdh_composite.h b/src/lib/crypto/kyber_ecdh_composite.h
index 3450d90f89..a798dd13a3 100644
--- a/src/lib/crypto/kyber_ecdh_composite.h
+++ b/src/lib/crypto/kyber_ecdh_composite.h
@@ -99,7 +99,7 @@ class pgp_kyber_ecdh_composite_private_key_t : public pgp_kyber_ecdh_composite_k
     rnp_result_t decrypt(rnp::RNG *                        rng,
                          uint8_t *                         out,
                          size_t *                          out_len,
-                         const pgp_kyber_ecdh_encrypted_t *enc);
+                         const pgp_kyber_ecdh_encrypted_t *enc) const;
 
     bool                 is_valid(rnp::RNG *rng) const;
     std::vector<uint8_t> get_encoded() const;
@@ -148,7 +148,7 @@ class pgp_kyber_ecdh_composite_public_key_t : public pgp_kyber_ecdh_composite_ke
     rnp_result_t encrypt(rnp::RNG *                  rng,
                          pgp_kyber_ecdh_encrypted_t *out,
                          const uint8_t *             in,
-                         size_t                      in_len);
+                         size_t                      in_len) const;
 
     bool                 is_valid(rnp::RNG *rng) const;
     std::vector<uint8_t> get_encoded() const;
diff --git a/src/lib/key_material.cpp b/src/lib/key_material.cpp
index ba921bcd94..3a1d5058df 100644
--- a/src/lib/key_material.cpp
+++ b/src/lib/key_material.cpp
@@ -150,7 +150,7 @@ KeyMaterial::valid() const
 }
 
 bool
-KeyMaterial::equals(const KeyMaterial &value) noexcept
+KeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     return alg_ == value.alg_;
 }
@@ -214,7 +214,7 @@ rnp_result_t
 KeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                      pgp_encrypted_material_t &out,
                      const uint8_t *           data,
-                     size_t                    len)
+                     size_t                    len) const
 {
     return RNP_ERROR_NOT_SUPPORTED;
 }
@@ -223,7 +223,7 @@ rnp_result_t
 KeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                      uint8_t *                       out,
                      size_t &                        out_len,
-                     const pgp_encrypted_material_t &in)
+                     const pgp_encrypted_material_t &in) const
 {
     return RNP_ERROR_NOT_SUPPORTED;
 }
@@ -239,7 +239,7 @@ KeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 KeyMaterial::sign(rnp::SecurityContext &             ctx,
                   pgp_signature_material_t &         sig,
-                  const rnp::secure_vector<uint8_t> &hash)
+                  const rnp::secure_vector<uint8_t> &hash) const
 {
     return RNP_ERROR_NOT_SUPPORTED;
 }
@@ -387,7 +387,7 @@ RSAKeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-RSAKeyMaterial::equals(const KeyMaterial &value) noexcept
+RSAKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const RSAKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -422,14 +422,14 @@ RSAKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-RSAKeyMaterial::write(pgp_packet_body_t &pkt)
+RSAKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.n);
     pkt.add(key_.e);
 }
 
 void
-RSAKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+RSAKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.d);
     pkt.add(key_.p);
@@ -456,7 +456,7 @@ rnp_result_t
 RSAKeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                         pgp_encrypted_material_t &out,
                         const uint8_t *           data,
-                        size_t                    len)
+                        size_t                    len) const
 {
     return rsa_encrypt_pkcs1(&ctx.rng, &out.rsa, data, len, &key_);
 }
@@ -465,7 +465,7 @@ rnp_result_t
 RSAKeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                         uint8_t *                       out,
                         size_t &                        out_len,
-                        const pgp_encrypted_material_t &in)
+                        const pgp_encrypted_material_t &in) const
 {
     if ((alg() != PGP_PKA_RSA) && (alg() != PGP_PKA_RSA_ENCRYPT_ONLY)) {
         RNP_LOG("Non-encrypting RSA algorithm: %d\n", alg());
@@ -489,7 +489,7 @@ RSAKeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 RSAKeyMaterial::sign(rnp::SecurityContext &             ctx,
                      pgp_signature_material_t &         sig,
-                     const rnp::secure_vector<uint8_t> &hash)
+                     const rnp::secure_vector<uint8_t> &hash) const
 {
     return rsa_sign_pkcs1(&ctx.rng, &sig.rsa, sig.halg, hash.data(), hash.size(), &key_);
 }
@@ -568,7 +568,7 @@ DSAKeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-DSAKeyMaterial::equals(const KeyMaterial &value) noexcept
+DSAKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const DSAKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -604,7 +604,7 @@ DSAKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-DSAKeyMaterial::write(pgp_packet_body_t &pkt)
+DSAKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.p);
     pkt.add(key_.q);
@@ -613,7 +613,7 @@ DSAKeyMaterial::write(pgp_packet_body_t &pkt)
 }
 
 void
-DSAKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+DSAKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.x);
 }
@@ -639,7 +639,7 @@ DSAKeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 DSAKeyMaterial::sign(rnp::SecurityContext &             ctx,
                      pgp_signature_material_t &         sig,
-                     const rnp::secure_vector<uint8_t> &hash)
+                     const rnp::secure_vector<uint8_t> &hash) const
 {
     return dsa_sign(&ctx.rng, &sig.dsa, hash.data(), hash.size(), &key_);
 }
@@ -724,7 +724,7 @@ EGKeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-EGKeyMaterial::equals(const KeyMaterial &value) noexcept
+EGKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const EGKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -759,7 +759,7 @@ EGKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-EGKeyMaterial::write(pgp_packet_body_t &pkt)
+EGKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.p);
     pkt.add(key_.g);
@@ -767,7 +767,7 @@ EGKeyMaterial::write(pgp_packet_body_t &pkt)
 }
 
 void
-EGKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+EGKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.x);
 }
@@ -791,7 +791,7 @@ rnp_result_t
 EGKeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                        pgp_encrypted_material_t &out,
                        const uint8_t *           data,
-                       size_t                    len)
+                       size_t                    len) const
 {
     return elgamal_encrypt_pkcs1(&ctx.rng, &out.eg, data, len, &key_);
 }
@@ -800,7 +800,7 @@ rnp_result_t
 EGKeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                        uint8_t *                       out,
                        size_t &                        out_len,
-                       const pgp_encrypted_material_t &in)
+                       const pgp_encrypted_material_t &in) const
 {
     return elgamal_decrypt_pkcs1(&ctx.rng, out, &out_len, &in.eg, &key_);
 }
@@ -858,7 +858,7 @@ ECKeyMaterial::grip_update(rnp::Hash &hash) const
 }
 
 bool
-ECKeyMaterial::equals(const KeyMaterial &value) noexcept
+ECKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const ECKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -875,7 +875,7 @@ ECKeyMaterial::clear_secret()
 }
 
 rnp_result_t
-ECKeyMaterial::check_curve(size_t hash_len)
+ECKeyMaterial::check_curve(size_t hash_len) const
 {
     const ec_curve_desc_t *curve = get_curve_desc(key_.curve);
     if (!curve) {
@@ -916,14 +916,14 @@ ECKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-ECKeyMaterial::write(pgp_packet_body_t &pkt)
+ECKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.curve);
     pkt.add(key_.p);
 }
 
 void
-ECKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+ECKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.x);
 }
@@ -1007,7 +1007,7 @@ ECDSAKeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 ECDSAKeyMaterial::sign(rnp::SecurityContext &             ctx,
                        pgp_signature_material_t &         sig,
-                       const rnp::secure_vector<uint8_t> &hash)
+                       const rnp::secure_vector<uint8_t> &hash) const
 {
     auto ret = check_curve(hash.size());
     if (ret) {
@@ -1067,7 +1067,7 @@ ECDHKeyMaterial::parse(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-ECDHKeyMaterial::write(pgp_packet_body_t &pkt)
+ECDHKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     ECKeyMaterial::write(pkt);
     pkt.add_byte(3);
@@ -1101,7 +1101,7 @@ rnp_result_t
 ECDHKeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len)
+                         size_t                    len) const
 {
     if (!curve_supported(key_.curve)) {
         RNP_LOG("ECDH encrypt: curve %d is not supported.", key_.curve);
@@ -1115,7 +1115,7 @@ rnp_result_t
 ECDHKeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in)
+                         const pgp_encrypted_material_t &in) const
 {
     if (!curve_supported(key_.curve)) {
         RNP_LOG("ECDH decrypt: curve %d is not supported.", key_.curve);
@@ -1184,7 +1184,7 @@ EDDSAKeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 EDDSAKeyMaterial::sign(rnp::SecurityContext &             ctx,
                        pgp_signature_material_t &         sig,
-                       const rnp::secure_vector<uint8_t> &hash)
+                       const rnp::secure_vector<uint8_t> &hash) const
 {
     return eddsa_sign(&ctx.rng, &sig.ecc, hash.data(), hash.size(), &key_);
 }
@@ -1210,7 +1210,7 @@ rnp_result_t
 SM2KeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                         pgp_encrypted_material_t &out,
                         const uint8_t *           data,
-                        size_t                    len)
+                        size_t                    len) const
 {
 #if defined(ENABLE_SM2)
     return sm2_encrypt(&ctx.rng, &out.sm2, data, len, PGP_HASH_SM3, &key_);
@@ -1224,7 +1224,7 @@ rnp_result_t
 SM2KeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                         uint8_t *                       out,
                         size_t &                        out_len,
-                        const pgp_encrypted_material_t &in)
+                        const pgp_encrypted_material_t &in) const
 {
 #if defined(ENABLE_SM2)
     return sm2_decrypt(out, &out_len, &in.sm2, &key_);
@@ -1250,7 +1250,7 @@ SM2KeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 SM2KeyMaterial::sign(rnp::SecurityContext &             ctx,
                      pgp_signature_material_t &         sig,
-                     const rnp::secure_vector<uint8_t> &hash)
+                     const rnp::secure_vector<uint8_t> &hash) const
 {
 #if defined(ENABLE_SM2)
     auto ret = check_curve(hash.size());
@@ -1300,7 +1300,7 @@ Ed25519KeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-Ed25519KeyMaterial::equals(const KeyMaterial &value) noexcept
+Ed25519KeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const Ed25519KeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -1345,13 +1345,13 @@ Ed25519KeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-Ed25519KeyMaterial::write(pgp_packet_body_t &pkt)
+Ed25519KeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.pub);
 }
 
 void
-Ed25519KeyMaterial::write_secret(pgp_packet_body_t &pkt)
+Ed25519KeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.priv);
 }
@@ -1377,7 +1377,7 @@ Ed25519KeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 Ed25519KeyMaterial::sign(rnp::SecurityContext &             ctx,
                          pgp_signature_material_t &         sig,
-                         const rnp::secure_vector<uint8_t> &hash)
+                         const rnp::secure_vector<uint8_t> &hash) const
 {
     return ed25519_sign_native(&ctx.rng, sig.ed25519.sig, key_.priv, hash.data(), hash.size());
 }
@@ -1426,7 +1426,7 @@ X25519KeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-X25519KeyMaterial::equals(const KeyMaterial &value) noexcept
+X25519KeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const X25519KeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -1471,13 +1471,13 @@ X25519KeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-X25519KeyMaterial::write(pgp_packet_body_t &pkt)
+X25519KeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.pub);
 }
 
 void
-X25519KeyMaterial::write_secret(pgp_packet_body_t &pkt)
+X25519KeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.priv);
 }
@@ -1496,7 +1496,7 @@ rnp_result_t
 X25519KeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                            pgp_encrypted_material_t &out,
                            const uint8_t *           data,
-                           size_t                    len)
+                           size_t                    len) const
 {
     return x25519_native_encrypt(&ctx.rng, key_.pub, data, len, &out.x25519);
 }
@@ -1505,7 +1505,7 @@ rnp_result_t
 X25519KeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                            uint8_t *                       out,
                            size_t &                        out_len,
-                           const pgp_encrypted_material_t &in)
+                           const pgp_encrypted_material_t &in) const
 {
     return x25519_native_decrypt(&ctx.rng, key_, &in.x25519, out, &out_len);
 }
@@ -1555,7 +1555,7 @@ KyberKeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-KyberKeyMaterial::equals(const KeyMaterial &value) noexcept
+KyberKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const KyberKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -1598,13 +1598,13 @@ KyberKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-KyberKeyMaterial::write(pgp_packet_body_t &pkt)
+KyberKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.pub.get_encoded());
 }
 
 void
-KyberKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+KyberKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.priv.get_encoded());
 }
@@ -1623,7 +1623,7 @@ rnp_result_t
 KyberKeyMaterial::encrypt(rnp::SecurityContext &    ctx,
                           pgp_encrypted_material_t &out,
                           const uint8_t *           data,
-                          size_t                    len)
+                          size_t                    len) const
 {
     return key_.pub.encrypt(&ctx.rng, &out.kyber_ecdh, data, len);
 }
@@ -1632,7 +1632,7 @@ rnp_result_t
 KyberKeyMaterial::decrypt(rnp::SecurityContext &          ctx,
                           uint8_t *                       out,
                           size_t &                        out_len,
-                          const pgp_encrypted_material_t &in)
+                          const pgp_encrypted_material_t &in) const
 {
     return key_.priv.decrypt(&ctx.rng, out, &out_len, &in.kyber_ecdh);
 }
@@ -1674,7 +1674,7 @@ DilithiumKeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-DilithiumKeyMaterial::equals(const KeyMaterial &value) noexcept
+DilithiumKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const DilithiumKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -1717,13 +1717,13 @@ DilithiumKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-DilithiumKeyMaterial::write(pgp_packet_body_t &pkt)
+DilithiumKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.pub.get_encoded());
 }
 
 void
-DilithiumKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+DilithiumKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add(key_.priv.get_encoded());
 }
@@ -1749,7 +1749,7 @@ DilithiumKeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 DilithiumKeyMaterial::sign(rnp::SecurityContext &             ctx,
                            pgp_signature_material_t &         sig,
-                           const rnp::secure_vector<uint8_t> &hash)
+                           const rnp::secure_vector<uint8_t> &hash) const
 {
     return key_.priv.sign(&ctx.rng, &sig.dilithium_exdsa, sig.halg, hash.data(), hash.size());
 }
@@ -1797,7 +1797,7 @@ SphincsPlusKeyMaterial::validate_material(rnp::SecurityContext &ctx, bool reset)
 }
 
 bool
-SphincsPlusKeyMaterial::equals(const KeyMaterial &value) noexcept
+SphincsPlusKeyMaterial::equals(const KeyMaterial &value) const noexcept
 {
     auto key = dynamic_cast<const SphincsPlusKeyMaterial *>(&value);
     if (!key || !KeyMaterial::equals(value)) {
@@ -1852,14 +1852,14 @@ SphincsPlusKeyMaterial::parse_secret(pgp_packet_body_t &pkt) noexcept
 }
 
 void
-SphincsPlusKeyMaterial::write(pgp_packet_body_t &pkt)
+SphincsPlusKeyMaterial::write(pgp_packet_body_t &pkt) const
 {
     pkt.add_byte((uint8_t) key_.pub.param());
     pkt.add(key_.pub.get_encoded());
 }
 
 void
-SphincsPlusKeyMaterial::write_secret(pgp_packet_body_t &pkt)
+SphincsPlusKeyMaterial::write_secret(pgp_packet_body_t &pkt) const
 {
     pkt.add_byte((uint8_t) key_.priv.param());
     pkt.add(key_.priv.get_encoded());
@@ -1886,7 +1886,7 @@ SphincsPlusKeyMaterial::verify(const rnp::SecurityContext &       ctx,
 rnp_result_t
 SphincsPlusKeyMaterial::sign(rnp::SecurityContext &             ctx,
                              pgp_signature_material_t &         sig,
-                             const rnp::secure_vector<uint8_t> &hash)
+                             const rnp::secure_vector<uint8_t> &hash) const
 {
     return key_.priv.sign(&ctx.rng, &sig.sphincsplus, hash.data(), hash.size());
 }
diff --git a/src/lib/key_material.hpp b/src/lib/key_material.hpp
index 62049d65f7..058dff8aff 100644
--- a/src/lib/key_material.hpp
+++ b/src/lib/key_material.hpp
@@ -58,27 +58,27 @@ class KeyMaterial {
     void                  set_validity(const pgp_validity_t &val);
     void                  reset_validity();
     bool                  valid() const;
-    virtual bool          equals(const KeyMaterial &value) noexcept;
+    virtual bool          equals(const KeyMaterial &value) const noexcept;
     virtual void          clear_secret();
     virtual bool          parse(pgp_packet_body_t &pkt) noexcept = 0;
     virtual bool          parse_secret(pgp_packet_body_t &pkt) noexcept = 0;
-    virtual void          write(pgp_packet_body_t &pkt) = 0;
-    virtual void          write_secret(pgp_packet_body_t &pkt) = 0;
+    virtual void          write(pgp_packet_body_t &pkt) const = 0;
+    virtual void          write_secret(pgp_packet_body_t &pkt) const = 0;
     virtual bool          generate(const rnp_keygen_crypto_params_t &params);
     virtual rnp_result_t  encrypt(rnp::SecurityContext &    ctx,
                                   pgp_encrypted_material_t &out,
                                   const uint8_t *           data,
-                                  size_t                    len);
+                                  size_t                    len) const;
     virtual rnp_result_t  decrypt(rnp::SecurityContext &          ctx,
                                   uint8_t *                       out,
                                   size_t &                        out_len,
-                                  const pgp_encrypted_material_t &in);
+                                  const pgp_encrypted_material_t &in) const;
     virtual rnp_result_t  verify(const rnp::SecurityContext &       ctx,
                                  const pgp_signature_material_t &   sig,
                                  const rnp::secure_vector<uint8_t> &hash) const;
     virtual rnp_result_t  sign(rnp::SecurityContext &             ctx,
                                pgp_signature_material_t &         sig,
-                               const rnp::secure_vector<uint8_t> &hash);
+                               const rnp::secure_vector<uint8_t> &hash) const;
 
     /* Pick up hash algorithm, used for signing, to be compatible with key material. */
     virtual pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const;
@@ -107,27 +107,27 @@ class RSAKeyMaterial : public KeyMaterial {
         : KeyMaterial(kalg, secret), key_(key){};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool         equals(const KeyMaterial &value) noexcept override;
+    bool         equals(const KeyMaterial &value) const noexcept override;
     void         clear_secret() override;
     bool         parse(pgp_packet_body_t &pkt) noexcept override;
     bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) override;
-    void         write_secret(pgp_packet_body_t &pkt) override;
+    void         write(pgp_packet_body_t &pkt) const override;
+    void         write_secret(pgp_packet_body_t &pkt) const override;
     bool         generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len) override;
+                         size_t                    len) const override;
     rnp_result_t decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in) override;
+                         const pgp_encrypted_material_t &in) const override;
     rnp_result_t verify(const rnp::SecurityContext &       ctx,
                         const pgp_signature_material_t &   sig,
                         const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t sign(rnp::SecurityContext &             ctx,
                       pgp_signature_material_t &         sig,
-                      const rnp::secure_vector<uint8_t> &hash) override;
+                      const rnp::secure_vector<uint8_t> &hash) const override;
 
     void   set_secret(const mpi &d, const mpi &p, const mpi &q, const mpi &u);
     size_t bits() const noexcept override;
@@ -153,19 +153,19 @@ class DSAKeyMaterial : public KeyMaterial {
         : KeyMaterial(PGP_PKA_DSA, secret), key_(key){};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool           equals(const KeyMaterial &value) noexcept override;
+    bool           equals(const KeyMaterial &value) const noexcept override;
     void           clear_secret() override;
     bool           parse(pgp_packet_body_t &pkt) noexcept override;
     bool           parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void           write(pgp_packet_body_t &pkt) override;
-    void           write_secret(pgp_packet_body_t &pkt) override;
+    void           write(pgp_packet_body_t &pkt) const override;
+    void           write_secret(pgp_packet_body_t &pkt) const override;
     bool           generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t   verify(const rnp::SecurityContext &       ctx,
                           const pgp_signature_material_t &   sig,
                           const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t   sign(rnp::SecurityContext &             ctx,
                         pgp_signature_material_t &         sig,
-                        const rnp::secure_vector<uint8_t> &hash) override;
+                        const rnp::secure_vector<uint8_t> &hash) const override;
     pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
     void           set_secret(const mpi &x);
     size_t         bits() const noexcept override;
@@ -191,21 +191,21 @@ class EGKeyMaterial : public KeyMaterial {
         : KeyMaterial(kalg, secret), key_(key){};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool         equals(const KeyMaterial &value) noexcept override;
+    bool         equals(const KeyMaterial &value) const noexcept override;
     void         clear_secret() override;
     bool         parse(pgp_packet_body_t &pkt) noexcept override;
     bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) override;
-    void         write_secret(pgp_packet_body_t &pkt) override;
+    void         write(pgp_packet_body_t &pkt) const override;
+    void         write_secret(pgp_packet_body_t &pkt) const override;
     bool         generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len) override;
+                         size_t                    len) const override;
     rnp_result_t decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in) override;
+                         const pgp_encrypted_material_t &in) const override;
     rnp_result_t verify(const rnp::SecurityContext &       ctx,
                         const pgp_signature_material_t &   sig,
                         const rnp::secure_vector<uint8_t> &hash) const override;
@@ -224,19 +224,19 @@ class ECKeyMaterial : public KeyMaterial {
     pgp_ec_key_t key_;
 
     void         grip_update(rnp::Hash &hash) const override;
-    rnp_result_t check_curve(size_t hash_len);
+    rnp_result_t check_curve(size_t hash_len) const;
 
   public:
     ECKeyMaterial(pgp_pubkey_alg_t kalg) : KeyMaterial(kalg), key_{} {};
     ECKeyMaterial(pgp_pubkey_alg_t kalg, const pgp_ec_key_t &key, bool secret = false)
         : KeyMaterial(kalg, secret), key_(key){};
 
-    bool        equals(const KeyMaterial &value) noexcept override;
+    bool        equals(const KeyMaterial &value) const noexcept override;
     void        clear_secret() override;
     bool        parse(pgp_packet_body_t &pkt) noexcept override;
     bool        parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void        write(pgp_packet_body_t &pkt) override;
-    void        write_secret(pgp_packet_body_t &pkt) override;
+    void        write(pgp_packet_body_t &pkt) const override;
+    void        write_secret(pgp_packet_body_t &pkt) const override;
     bool        generate(const rnp_keygen_crypto_params_t &params) override;
     void        set_secret(const mpi &x);
     size_t      bits() const noexcept override;
@@ -261,7 +261,7 @@ class ECDSAKeyMaterial : public ECKeyMaterial {
                           const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t   sign(rnp::SecurityContext &             ctx,
                         pgp_signature_material_t &         sig,
-                        const rnp::secure_vector<uint8_t> &hash) override;
+                        const rnp::secure_vector<uint8_t> &hash) const override;
     pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
 };
 
@@ -276,16 +276,16 @@ class ECDHKeyMaterial : public ECKeyMaterial {
     std::unique_ptr<KeyMaterial> clone() override;
 
     bool         parse(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) override;
+    void         write(pgp_packet_body_t &pkt) const override;
     bool         generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len) override;
+                         size_t                    len) const override;
     rnp_result_t decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in) override;
+                         const pgp_encrypted_material_t &in) const override;
 
     pgp_hash_alg_t kdf_hash_alg() const noexcept;
     pgp_symm_alg_t key_wrap_alg() const noexcept;
@@ -309,7 +309,7 @@ class EDDSAKeyMaterial : public ECKeyMaterial {
                         const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t sign(rnp::SecurityContext &             ctx,
                       pgp_signature_material_t &         sig,
-                      const rnp::secure_vector<uint8_t> &hash) override;
+                      const rnp::secure_vector<uint8_t> &hash) const override;
 };
 
 class SM2KeyMaterial : public ECKeyMaterial {
@@ -325,17 +325,17 @@ class SM2KeyMaterial : public ECKeyMaterial {
     rnp_result_t encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len) override;
+                         size_t                    len) const override;
     rnp_result_t decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in) override;
+                         const pgp_encrypted_material_t &in) const override;
     rnp_result_t verify(const rnp::SecurityContext &       ctx,
                         const pgp_signature_material_t &   sig,
                         const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t sign(rnp::SecurityContext &             ctx,
                       pgp_signature_material_t &         sig,
-                      const rnp::secure_vector<uint8_t> &hash) override;
+                      const rnp::secure_vector<uint8_t> &hash) const override;
     void         compute_za(rnp::Hash &hash) const;
 };
 
@@ -351,19 +351,19 @@ class Ed25519KeyMaterial : public KeyMaterial {
     Ed25519KeyMaterial() : KeyMaterial(PGP_PKA_ED25519), key_{} {};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool         equals(const KeyMaterial &value) noexcept override;
+    bool         equals(const KeyMaterial &value) const noexcept override;
     void         clear_secret() override;
     bool         parse(pgp_packet_body_t &pkt) noexcept override;
     bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) override;
-    void         write_secret(pgp_packet_body_t &pkt) override;
+    void         write(pgp_packet_body_t &pkt) const override;
+    void         write_secret(pgp_packet_body_t &pkt) const override;
     bool         generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t verify(const rnp::SecurityContext &       ctx,
                         const pgp_signature_material_t &   sig,
                         const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t sign(rnp::SecurityContext &             ctx,
                       pgp_signature_material_t &         sig,
-                      const rnp::secure_vector<uint8_t> &hash) override;
+                      const rnp::secure_vector<uint8_t> &hash) const override;
     size_t       bits() const noexcept override;
     pgp_curve_t  curve() const noexcept override;
 
@@ -382,21 +382,21 @@ class X25519KeyMaterial : public KeyMaterial {
     X25519KeyMaterial() : KeyMaterial(PGP_PKA_X25519), key_{} {};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool         equals(const KeyMaterial &value) noexcept override;
+    bool         equals(const KeyMaterial &value) const noexcept override;
     void         clear_secret() override;
     bool         parse(pgp_packet_body_t &pkt) noexcept override;
     bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) override;
-    void         write_secret(pgp_packet_body_t &pkt) override;
+    void         write(pgp_packet_body_t &pkt) const override;
+    void         write_secret(pgp_packet_body_t &pkt) const override;
     bool         generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len) override;
+                         size_t                    len) const override;
     rnp_result_t decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in) override;
+                         const pgp_encrypted_material_t &in) const override;
     size_t       bits() const noexcept override;
     pgp_curve_t  curve() const noexcept override;
 
@@ -417,21 +417,21 @@ class KyberKeyMaterial : public KeyMaterial {
     KyberKeyMaterial(pgp_pubkey_alg_t kalg) : KeyMaterial(kalg), key_{} {};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool         equals(const KeyMaterial &value) noexcept override;
+    bool         equals(const KeyMaterial &value) const noexcept override;
     void         clear_secret() override;
     bool         parse(pgp_packet_body_t &pkt) noexcept override;
     bool         parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void         write(pgp_packet_body_t &pkt) override;
-    void         write_secret(pgp_packet_body_t &pkt) override;
+    void         write(pgp_packet_body_t &pkt) const override;
+    void         write_secret(pgp_packet_body_t &pkt) const override;
     bool         generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t encrypt(rnp::SecurityContext &    ctx,
                          pgp_encrypted_material_t &out,
                          const uint8_t *           data,
-                         size_t                    len) override;
+                         size_t                    len) const override;
     rnp_result_t decrypt(rnp::SecurityContext &          ctx,
                          uint8_t *                       out,
                          size_t &                        out_len,
-                         const pgp_encrypted_material_t &in) override;
+                         const pgp_encrypted_material_t &in) const override;
     size_t       bits() const noexcept override;
 
     const pgp_kyber_ecdh_composite_public_key_t & pub() const noexcept;
@@ -451,19 +451,19 @@ class DilithiumKeyMaterial : public KeyMaterial {
 
     /** @brief Check two key material for equality. Only public part is checked, so this may be
      * called on public/secret key material */
-    bool           equals(const KeyMaterial &value) noexcept override;
+    bool           equals(const KeyMaterial &value) const noexcept override;
     void           clear_secret() override;
     bool           parse(pgp_packet_body_t &pkt) noexcept override;
     bool           parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void           write(pgp_packet_body_t &pkt) override;
-    void           write_secret(pgp_packet_body_t &pkt) override;
+    void           write(pgp_packet_body_t &pkt) const override;
+    void           write_secret(pgp_packet_body_t &pkt) const override;
     bool           generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t   verify(const rnp::SecurityContext &       ctx,
                           const pgp_signature_material_t &   sig,
                           const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t   sign(rnp::SecurityContext &             ctx,
                         pgp_signature_material_t &         sig,
-                        const rnp::secure_vector<uint8_t> &hash) override;
+                        const rnp::secure_vector<uint8_t> &hash) const override;
     pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
     size_t         bits() const noexcept override;
 
@@ -482,19 +482,19 @@ class SphincsPlusKeyMaterial : public KeyMaterial {
     SphincsPlusKeyMaterial(pgp_pubkey_alg_t kalg) : KeyMaterial(kalg), key_{} {};
     std::unique_ptr<KeyMaterial> clone() override;
 
-    bool           equals(const KeyMaterial &value) noexcept override;
+    bool           equals(const KeyMaterial &value) const noexcept override;
     void           clear_secret() override;
     bool           parse(pgp_packet_body_t &pkt) noexcept override;
     bool           parse_secret(pgp_packet_body_t &pkt) noexcept override;
-    void           write(pgp_packet_body_t &pkt) override;
-    void           write_secret(pgp_packet_body_t &pkt) override;
+    void           write(pgp_packet_body_t &pkt) const override;
+    void           write_secret(pgp_packet_body_t &pkt) const override;
     bool           generate(const rnp_keygen_crypto_params_t &params) override;
     rnp_result_t   verify(const rnp::SecurityContext &       ctx,
                           const pgp_signature_material_t &   sig,
                           const rnp::secure_vector<uint8_t> &hash) const override;
     rnp_result_t   sign(rnp::SecurityContext &             ctx,
                         pgp_signature_material_t &         sig,
-                        const rnp::secure_vector<uint8_t> &hash) override;
+                        const rnp::secure_vector<uint8_t> &hash) const override;
     pgp_hash_alg_t adjust_hash(pgp_hash_alg_t hash) const override;
     bool           sig_hash_allowed(pgp_hash_alg_t hash) const override;
     size_t         bits() const noexcept override;