diff --git a/crypto/x509/a_verify.c b/crypto/x509/a_verify.c
index 3cda5d0c5..ec671c035 100644
--- a/crypto/x509/a_verify.c
+++ b/crypto/x509/a_verify.c
@@ -69,7 +69,7 @@
 
 #include "internal.h"
 
-int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a,
+int ASN1_item_verify(const ASN1_ITEM *it, const X509_ALGOR *a,
                      const ASN1_BIT_STRING *signature, void *asn,
                      EVP_PKEY *pkey) {
     if (!pkey) {
diff --git a/crypto/x509/algorithm.c b/crypto/x509/algorithm.c
index c021dc443..7f904803d 100644
--- a/crypto/x509/algorithm.c
+++ b/crypto/x509/algorithm.c
@@ -110,7 +110,7 @@ int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor) {
   return 1;
 }
 
-int x509_digest_verify_init(EVP_MD_CTX *ctx, X509_ALGOR *sigalg,
+int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
                             EVP_PKEY *pkey) {
   /* Convert the signature OID into digest and public key OIDs. */
   int sigalg_nid = OBJ_obj2nid(sigalg->algorithm);
diff --git a/crypto/x509/internal.h b/crypto/x509/internal.h
index 32a6a9ff3..59e980afe 100644
--- a/crypto/x509/internal.h
+++ b/crypto/x509/internal.h
@@ -139,7 +139,8 @@ struct X509_VERIFY_PARAM_st {
  * signature algorithm parameters in |sigalg| (which must have type
  * |NID_rsassaPss|) and key |pkey|. It returns one on success and zero on
  * error. */
-int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, X509_ALGOR *sigalg, EVP_PKEY *pkey);
+int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
+                        EVP_PKEY *pkey);
 
 /* x509_rsa_pss_to_ctx sets |algor| to the signature algorithm parameters for
  * |ctx|, which must have been configured for an RSA-PSS signing operation. It
@@ -164,7 +165,7 @@ int x509_digest_sign_algorithm(EVP_MD_CTX *ctx, X509_ALGOR *algor);
  * with public key |pkey| and parameters from |algor|. The |ctx| argument must
  * have been initialised with |EVP_MD_CTX_init|. It returns one on success, or
  * zero on error. */
-int x509_digest_verify_init(EVP_MD_CTX *ctx, X509_ALGOR *sigalg,
+int x509_digest_verify_init(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
                             EVP_PKEY *pkey);
 
 
diff --git a/crypto/x509/rsa_pss.c b/crypto/x509/rsa_pss.c
index 39637b9ae..1520c0807 100644
--- a/crypto/x509/rsa_pss.c
+++ b/crypto/x509/rsa_pss.c
@@ -167,7 +167,8 @@ static const EVP_MD *rsa_algor_to_md(X509_ALGOR *alg) {
 }
 
 /* convert MGF1 algorithm ID to EVP_MD, default SHA1 */
-static const EVP_MD *rsa_mgf1_to_md(X509_ALGOR *alg, X509_ALGOR *maskHash) {
+static const EVP_MD *rsa_mgf1_to_md(const X509_ALGOR *alg,
+                                    X509_ALGOR *maskHash) {
   const EVP_MD *md;
   if (!alg) {
     return EVP_sha1();
@@ -246,7 +247,8 @@ err:
   return ret;
 }
 
-int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, X509_ALGOR *sigalg, EVP_PKEY *pkey) {
+int x509_rsa_pss_to_ctx(EVP_MD_CTX *ctx, const X509_ALGOR *sigalg,
+                        EVP_PKEY *pkey) {
   assert(OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss);
 
   /* Decode PSS parameters */
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 97b3ccba5..9901bfa7f 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -1074,7 +1074,8 @@ OPENSSL_EXPORT int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type,
                                     void *data, unsigned char *md,
                                     unsigned int *len);
 
-OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *algor1,
+OPENSSL_EXPORT int ASN1_item_verify(const ASN1_ITEM *it,
+                                    const X509_ALGOR *algor1,
                                     const ASN1_BIT_STRING *signature,
                                     void *data, EVP_PKEY *pkey);