rpki-client: sprinkle some const

EVP_PKEY_get0_* were made const correct in OpenSSL 3 and now cause the
build of rpki-client to emit warnings. Of course no one is able to see
these warnings because they are hidden in all the deprecation vomit.

Makes rpki-client build cleanly against OpenSSL 3 when configured with
--with-openssl-cflags=-DOPENSSL_SUPPRESS_DEPRECATED.

ok claudio deraadt job

usr.sbin/rpki-client/validate.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: validate.c,v 1.76 2024/06/17 18:52:50 tb Exp $ */
+/*	$OpenBSD: validate.c,v 1.77 2024/10/16 06:09:45 tb Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
  *
@@ -587,7 +587,7 @@ valid_uuid(const char *s)
 static int
 valid_ca_pkey_rsa(const char *fn, EVP_PKEY *pkey)
 {
-	RSA		*rsa;
+	const RSA	*rsa;
 	const BIGNUM	*rsa_e;
 	int		 key_bits;
 
@@ -618,7 +618,7 @@ valid_ca_pkey_rsa(const char *fn, EVP_PKEY *pkey)
 static int
 valid_ca_pkey_ec(const char *fn, EVP_PKEY *pkey)
 {
-	EC_KEY		*ec;
+	const EC_KEY	*ec;
 	const EC_GROUP	*group;
 	int		 nid;
 	const char	*cname;

usr.sbin/rpki-client/x509.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509.c,v 1.103 2024/10/07 14:45:33 tb Exp $ */
+/*	$OpenBSD: x509.c,v 1.104 2024/10/16 06:09:45 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler <tb@openbsd.org>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -413,7 +413,7 @@ char *
 x509_get_pubkey(X509 *x, const char *fn)
 {
 	EVP_PKEY	*pkey;
-	EC_KEY		*eckey;
+	const EC_KEY	*eckey;
 	int		 nid;
 	const char	*cname;
 	uint8_t		*pubkey = NULL;