mirror of https://github.com/openbsd/src.git synced 2026-04-24 14:14:37 +00:00

rpki-client: cast away const for X509_get_X509_PUBKEY()

In cert_check_spki() the pubkey is a libcrypto-internal pointer hanging
off cert->x509, which is then passed to the very const-incorrect getter
X509_PUBKEY_get0_param(): that's a piece of art which hands back pointers
to things deeper down in the x509 - some of them const, some non-const.
OpenSSL 3 made its X509_PUBKEY argument const, but their X509_ALGOR **
still isn't. I don't believe they thought about this in #11894 as they
had a more important _cmp() vs _eq() bikeshed to sort out.

discussed with claudio
tb
2026-04-03 02:10:10 +00:00
parent b751ae36c1
commit 163ad7a20f


@@ -1,4 +1,4 @@
/* $OpenBSD: cert.c,v 1.224 2026/02/03 16:21:37 tb Exp $ */
/* $OpenBSD: cert.c,v 1.225 2026/04/03 02:10:10 tb Exp $ */
/*
* Copyright (c) 2022,2025 Theo Buehler <tb@openbsd.org>
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
@@ -354,8 +354,12 @@ cert_check_spki(const char *fn, struct cert *cert)
const void *pval = NULL;
int rc = 0;
/* Should be called _get0_. It returns a pointer owned by cert->x509. */
if ((pubkey = X509_get_X509_PUBKEY(cert->x509)) == NULL) {
/*
* Should be called _get0_. It returns a pointer owned by cert->x509.
* XXX - cast away const for OpenSSL 4.
*/
pubkey = (X509_PUBKEY *)X509_get_X509_PUBKEY(cert->x509);
if (pubkey == NULL) {
warnx("%s: RFC 6487, 4.7: certificate without SPKI", fn);
goto out;
}
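Review bot: the XXX comment above the cast says "cast away const for OpenSSL 4" while the commit message attributes the const change to OpenSSL 3's X509_PUBKEY_get0_param(), so a reader of this hunk cannot tell which prototype the cast is accommodating; the comment should name it explicitly (the return type of X509_get_X509_PUBKEY() becoming const while the local still has to be a non-const X509_PUBKEY * for the getter it is passed to), so the next reader knows when the cast can be dropped. Splitting the assignment from the NULL check is fine, but since the cast discards a qualifier it is exactly what -Wcast-qual reports, and noting that in the comment would explain why the warning is expected here.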