Attribute certificate getter and setter API

Only fields that are allowed by RFC 5755 are
accessible through this API.  Fields that are only supported
in version 1 attribute certificates (e.g. the AttCertIssuer
v1Form fields) are not implemented.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15857)

8 files changed, 234 insertions, 11 deletions

diff --git a/doc/build.info b/doc/build.info
index 326c4ea34b..da0e7a637f 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -2799,6 +2799,10 @@ DEPEND[html/man3/X509V3_set_ctx.html]=man3/X509V3_set_ctx.pod
 GENERATE[html/man3/X509V3_set_ctx.html]=man3/X509V3_set_ctx.pod
 DEPEND[man/man3/X509V3_set_ctx.3]=man3/X509V3_set_ctx.pod
 GENERATE[man/man3/X509V3_set_ctx.3]=man3/X509V3_set_ctx.pod
+DEPEND[html/man3/X509_ACERT_get0_holder_baseCertId.html]=man3/X509_ACERT_get0_holder_baseCertId.pod
+GENERATE[html/man3/X509_ACERT_get0_holder_baseCertId.html]=man3/X509_ACERT_get0_holder_baseCertId.pod
+DEPEND[man/man3/X509_ACERT_get0_holder_baseCertId.3]=man3/X509_ACERT_get0_holder_baseCertId.pod
+GENERATE[man/man3/X509_ACERT_get0_holder_baseCertId.3]=man3/X509_ACERT_get0_holder_baseCertId.pod
 DEPEND[html/man3/X509_ALGOR_dup.html]=man3/X509_ALGOR_dup.pod
 GENERATE[html/man3/X509_ALGOR_dup.html]=man3/X509_ALGOR_dup.pod
 DEPEND[man/man3/X509_ALGOR_dup.3]=man3/X509_ALGOR_dup.pod
@@ -3631,6 +3635,7 @@ html/man3/UI_create_method.html \
 html/man3/UI_new.html \
 html/man3/X509V3_get_d2i.html \
 html/man3/X509V3_set_ctx.html \
+html/man3/X509_ACERT_get0_holder_baseCertId.html \
 html/man3/X509_ALGOR_dup.html \
 html/man3/X509_ATTRIBUTE.html \
 html/man3/X509_CRL_get0_by_serial.html \
@@ -4276,6 +4281,7 @@ man/man3/UI_create_method.3 \
 man/man3/UI_new.3 \
 man/man3/X509V3_get_d2i.3 \
 man/man3/X509V3_set_ctx.3 \
+man/man3/X509_ACERT_get0_holder_baseCertId.3 \
 man/man3/X509_ALGOR_dup.3 \
 man/man3/X509_ATTRIBUTE.3 \
 man/man3/X509_CRL_get0_by_serial.3 \
diff --git a/doc/man3/X509_ACERT_get0_holder_baseCertId.pod b/doc/man3/X509_ACERT_get0_holder_baseCertId.pod
new file mode 100644
index 0000000000..7741f286d3
--- /dev/null
+++ b/doc/man3/X509_ACERT_get0_holder_baseCertId.pod
@@ -0,0 +1,122 @@
+=pod
+
+=head1 NAME
+
+X509_ACERT_get0_holder_baseCertId,
+X509_ACERT_get0_holder_digest,
+X509_ACERT_get0_holder_entityName,
+X509_ACERT_set0_holder_baseCertId,
+X509_ACERT_set0_holder_digest,
+X509_ACERT_set0_holder_entityName,
+OSSL_ISSUER_SERIAL_get0_issuer,
+OSSL_ISSUER_SERIAL_get0_issuerUID,
+OSSL_ISSUER_SERIAL_get0_serial,
+OSSL_ISSUER_SERIAL_set1_issuer,
+OSSL_ISSUER_SERIAL_set1_issuerUID,
+OSSL_ISSUER_SERIAL_set1_serial,
+OSSL_OBJECT_DIGEST_INFO_get0_digest,
+OSSL_OBJECT_DIGEST_INFO_set1_digest - get and set Attribute Certificate holder fields
+
+=head1 SYNOPSIS
+
+ #include <openssl/x509_acert.h>
+
+ const GENERAL_NAMES *X509_ACERT_get0_holder_entityName(const X509_ACERT *x);
+ OSSL_ISSUER_SERIAL *X509_ACERT_get0_holder_baseCertId(const X509_ACERT *x);
+ OSSL_OBJECT_DIGEST_INFO * X509_ACERT_get0_holder_digest(const X509_ACERT *x);
+ void X509_ACERT_set0_holder_entityName(X509_ACERT *x, GENERAL_NAMES *name);
+ void X509_ACERT_set0_holder_baseCertId(X509_ACERT *x, OSSL_ISSUER_SERIAL *isss);
+ void X509_ACERT_set0_holder_digest(X509_ACERT *x,
+                                    OSSL_OBJECT_DIGEST_INFO *dinfo);
+
+ X509_NAME *OSSL_ISSUER_SERIAL_get0_issuer(OSSL_ISSUER_SERIAL *isss);
+ ASN1_INTEGER *OSSL_ISSUER_SERIAL_get0_serial(OSSL_ISSUER_SERIAL *isss);
+ ASN1_BIT_STRING *OSSL_ISSUER_SERIAL_get0_issuerUID(OSSL_ISSUER_SERIAL *isss);
+ int OSSL_ISSUER_SERIAL_set1_issuer(OSSL_ISSUER_SERIAL *isss, X509_NAME *issuer);
+ int OSSL_ISSUER_SERIAL_set1_serial(OSSL_ISSUER_SERIAL *isss, ASN1_INTEGER *serial);
+ int OSSL_ISSUER_SERIAL_set1_issuerUID(OSSL_ISSUER_SERIAL *isss, ASN1_BIT_STRING *uid);
+
+ void OSSL_OBJECT_DIGEST_INFO_get0_digest(OSSL_OBJECT_DIGEST_INFO *o,
+                                          ASN1_ENUMERATED **digestedObjectType,
+                                          X509_ALGOR **digestAlgorithm,
+                                          ASN1_BIT_STRING **digest);
+ void OSSL_OBJECT_DIGEST_INFO_set1_digest(OSSL_OBJECT_DIGEST_INFO *o,
+                                          ASN1_ENUMERATED *digestedObjectType,
+                                          X509_ALGOR *digestAlgorithm,
+                                          ASN1_BIT_STRING *digest);
+
+=head1 DESCRIPTION
+
+These routines set and get the holder identity of an X509 attribute certificate.
+
+X509_ACERT_set0_holder_entityName() sets the identity as a B<GENERAL_NAME>
+I<name>, X509_ACERT_set0_holder_baseCertId() sets the identity based on the
+issuer and serial number of a certificate detailed in I<isss> and
+X509_ACERT_set0_holder_digest() sets the holder entity based on digest
+information I<dinfo>. Although RFC 5755 section 4.2.2 recommends that only
+one of the above methods be used to set the holder identity for a given
+attribute certificate I<x>, setting multiple methods at the same time is
+possible.  It is up to the application to handle cases when conflicting
+identity information is specified using different methods.
+
+Pointers to the internal structures describing the holder identity of
+attribute certificate I<x> can be retrieved with
+X509_ACERT_get0_holder_entityName(), X509_ACERT_get0_holder_baseCertId(), and
+X509_ACERT_get0_holder_digest().
+
+A B<OSSL_ISSUER_SERIAL> object holds the subject name and UID of a certificate
+issuer and a certificate's serial number.  OSSL_ISSUER_SERIAL_set1_issuer(),
+OSSL_ISSUER_SERIAL_set1_issuerUID(), and OSSL_ISSUER_SERIAL_set1_serial()
+respectively copy these values into the B<OSSL_ISSUER_SERIAL> structure.
+The application is responsible for freeing its own copy of these values after
+use.  OSSL_ISSUER_SERIAL_get0_issuer(), OSSL_ISSUER_SERIAL_get0_issuerUID(),
+and OSSL_ISSUER_SERIAL_get0_serial() return pointers to these values in the object.
+
+An B<OSSL_OBJECT_DIGEST_INFO> object holds a digest of data to identify the
+attribute certificate holder.  OSSL_OBJECT_DIGEST_INFO_set1_digest() sets the
+digest information of the object.  The type of I<digest> information is given
+by I<digestedObjectType> and can be one of:
+
+=over 4
+
+=item OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY
+
+Hash of a public key
+
+=item OSSL_OBJECT_DIGEST_INFO_PUBLIC_KEY_CERT
+
+Hash of a public key certificate
+
+=item OSSL_OBJECT_DIGEST_INFO_OTHER
+
+Hash of another object. See NOTES below.
+
+=back
+
+I<digestAlgorithm> indicates the algorithm used to compute I<digest>.
+
+=head1 RETURN VALUES
+
+All I<set0>/I<set1> routines return 1 for success and 0 for failure.
+All I<get0> functions return a pointer to the object's inner structure. These
+pointers must not be freed after use.
+
+=head1 NOTES
+
+Although the value of B<OSSL_OBJECT_DIGEST_INFO_OTHER> is defined in RFC 5755,
+its use is prohibited for conformant attribute certificates.
+
+=head1 HISTORY
+
+These functions were added in OpenSSL 3.4.
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut
diff --git a/doc/man3/X509_get0_notBefore.pod b/doc/man3/X509_get0_notBefore.pod
index 1ca0a1b128..84dee91850 100644
--- a/doc/man3/X509_get0_notBefore.pod
+++ b/doc/man3/X509_get0_notBefore.pod
@@ -4,6 +4,8 @@
 
 X509_get0_notBefore, X509_getm_notBefore, X509_get0_notAfter,
 X509_getm_notAfter, X509_set1_notBefore, X509_set1_notAfter,
+X509_ACERT_get0_notBefore, X509_ACERT_get0_notAfter,
+X509_ACERT_set1_notBefore, X509_ACERT_set1_notAfter,
 X509_CRL_get0_lastUpdate, X509_CRL_get0_nextUpdate, X509_CRL_set1_lastUpdate,
 X509_CRL_set1_nextUpdate - get or set certificate or CRL dates
 
@@ -20,6 +22,12 @@ X509_CRL_set1_nextUpdate - get or set certificate or CRL dates
  int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm);
  int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm);
 
+ const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notBefore(const X509 *x);
+ const ASN1_GENERALIZEDTIME *X509_ACERT_get0_notAfter(const X509 *x);
+
+ int X509_ACERT_set1_notBefore(X509_ACERT *x, const ASN1_GENERALIZEDTIME *tm);
+ int X509_ACERT_set1_notAfter(X509_ACERT *x, const ASN1_GENERALIZEDTIME *tm);
+
  const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
  const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
 
@@ -43,6 +51,16 @@ and B<notAfter> fields of I<x> to I<tm>. Ownership of the passed
 parameter I<tm> is not transferred by these functions so it must
 be freed up after the call.
 
+X509_ACERT_get0_notBefore() and X509_ACERT_get0_notAfter() return
+the B<notBefore> and B<notAfter> fields of certificate B<x> respectively.
+returned is an internal pointer which must not be freed up after
+the call.
+
+X509_ACERT_set1_notBefore() and X509_ACERT_set1_notAfter() set the B<notBefore>
+and B<notAfter> fields of B<x> to B<tm>. Ownership of the passed
+parameter B<tm> is not transferred by these functions so it must
+be freed up after the call.
+
 X509_CRL_get0_lastUpdate() and X509_CRL_get0_nextUpdate() return the
 B<lastUpdate> and B<nextUpdate> fields of I<crl>. The value
 returned is an internal pointer which must not be freed up after
@@ -67,9 +85,16 @@ or NULL if the B<lastUpdate> field is absent.
 X509_set1_notBefore(), X509_set1_notAfter(), X509_CRL_set1_lastUpdate() and
 X509_CRL_set1_nextUpdate() return 1 for success or 0 for failure.
 
+=head1 NOTES
+
+Unlike the B<X509> and B<X509_CRL> routines, the B<X509_ACERT> routines
+use the ASN1_GENERALIZEDTIME format instead of ASN1_TIME for holding time
+data.
+
 =head1 SEE ALSO
 
 L<d2i_X509(3)>,
+L<ASN1_GENERALIZEDTIME_check(3)>
 L<ERR_get_error(3)>,
 L<X509_CRL_get0_by_serial(3)>,
 L<X509_get0_signature(3)>,
diff --git a/doc/man3/X509_get0_signature.pod b/doc/man3/X509_get0_signature.pod
index a49a70038e..485d39bf25 100644
--- a/doc/man3/X509_get0_signature.pod
+++ b/doc/man3/X509_get0_signature.pod
@@ -5,7 +5,9 @@
 X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo,
 X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature,
 X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid,
-X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
+X509_ACERT_get0_signature, X509_ACERT_get0_info_sigalg,
+X509_ACERT_get_signature_nid, X509_get_signature_info,
+X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
 
 =head1 SYNOPSIS
 
@@ -24,6 +26,8 @@ X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature inform
                               const X509_ALGOR **palg);
  int X509_REQ_get_signature_nid(const X509_REQ *crl);
 
+ const X509_ALGOR *X509_ACERT_get0_info_sigalg(const X509_ACERT *x);
+
  void X509_CRL_get0_signature(const X509_CRL *crl,
                               const ASN1_BIT_STRING **psig,
                               const X509_ALGOR **palg);
@@ -37,6 +41,12 @@ X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature inform
  void X509_SIG_INFO_set(X509_SIG_INFO *siginf, int mdnid, int pknid,
                         int secbits, uint32_t flags);
 
+ #include <openssl/x509_acert.h>
+
+ void X509_ACERT_get0_signature(const X509_ACERT *x,
+                                const ASN1_BIT_STRING **psig,
+                                const X509_ALGOR **palg);
+ int X509_ACERT_get_signature_nid(const X509_ACERT *x);
 =head1 DESCRIPTION
 
 X509_get0_signature() sets B<*psig> to the signature of B<x> and B<*palg>
@@ -56,6 +66,10 @@ X509_REQ_get0_signature(), X509_REQ_get_signature_nid()
 X509_CRL_get0_signature() and X509_CRL_get_signature_nid() perform the
 same function for certificate requests and CRLs.
 
+X509_ACERT_get0_signature(), X509_ACERT_get_signature_nid() and
+X509_ACERT_get0_info_sigalg() perform the same function for attribute
+certificates.
+
 X509_get_signature_info() retrieves information about the signature of
 certificate B<x>. The NID of the signing digest is written to B<*mdnid>,
 the public key algorithm to B<*pknid>, the effective security bits to
@@ -130,6 +144,9 @@ added in OpenSSL 1.1.0.
 The X509_REQ_set0_signature() and X509_REQ_set1_signature_algo()
 were added in OpenSSL 1.1.1e.
 
+The X509_ACERT_get0_signature(), X509_ACERT_get0_info_sigalg() and
+X509_ACERT_get_signature_nid() functions were added in OpenSSL 3.4.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/X509_get0_uids.pod b/doc/man3/X509_get0_uids.pod
index 48ae5afc42..c265ce09bc 100644
--- a/doc/man3/X509_get0_uids.pod
+++ b/doc/man3/X509_get0_uids.pod
@@ -2,7 +2,8 @@
 
 =head1 NAME
 
-X509_get0_uids - get certificate unique identifiers
+X509_get0_uids, X509_ACERT_get0_issuerUID
+- get certificate and attribute certificate unique identifiers
 
 =head1 SYNOPSIS
 
@@ -11,11 +12,17 @@ X509_get0_uids - get certificate unique identifiers
  void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid,
                      const ASN1_BIT_STRING **psuid);
 
+ #include <openssl/x509_acert.h>
+
+ ASN1_BIT_STRING *X509_ACERT_get0_issuerUID(X509_ACERT *x);
 =head1 DESCRIPTION
 
 X509_get0_uids() sets B<*piuid> and B<*psuid> to the issuer and subject unique
 identifiers of certificate B<x> or NULL if the fields are not present.
 
+X509_ACERT_get0_issuerUID() returns the issuer unique identifier of the
+attribute certificate B<x> or NULL if the field is not present.
+
 =head1 NOTES
 
 The issuer and subject unique identifier fields are very rarely encountered in
@@ -25,6 +32,9 @@ practice outside test cases.
 
 X509_get0_uids() does not return a value.
 
+X509_ACERT_get0_issuerUID() returns a unique identifier on success or NULL
+on failure.
+
 =head1 SEE ALSO
 
 L<d2i_X509(3)>,
@@ -45,6 +55,12 @@ L<X509_sign(3)>,
 L<X509V3_get_d2i(3)>,
 L<X509_verify_cert(3)>
 
+=head1 HISTORY
+
+X509_get0_uids() was added in OpenSSL 1.1.0.
+
+X509_ACERT_get0_issuerUID() was added in OpenSSL 3.4.
+
 =head1 COPYRIGHT
 
 Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
diff --git a/doc/man3/X509_get_serialNumber.pod b/doc/man3/X509_get_serialNumber.pod
index 5594c8a284..ac93a33b8f 100644
--- a/doc/man3/X509_get_serialNumber.pod
+++ b/doc/man3/X509_get_serialNumber.pod
@@ -4,7 +4,9 @@
 
 X509_get_serialNumber,
 X509_get0_serialNumber,
-X509_set_serialNumber
+X509_set_serialNumber,
+X509_ACERT_get0_serialNumber,
+X509_ACERT_set1_serialNumber
 - get or set certificate serial number
 
 =head1 SYNOPSIS
@@ -15,6 +17,11 @@ X509_set_serialNumber
  const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x);
  int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial);
 
+ #include <openssl/x509_acert.h>
+
+ ASN1_INTEGER *X509_ACERT_get0_serialNumber(X509_ACERT *x);
+ int X509_ACERT_set1_serialNumber(X509_ACERT *x, ASN1_INTEGER *serial);
+
 =head1 DESCRIPTION
 
 X509_get_serialNumber() returns the serial number of certificate B<x> as an
@@ -28,12 +35,19 @@ X509_set_serialNumber() sets the serial number of certificate B<x> to
 B<serial>. A copy of the serial number is used internally so B<serial> should
 be freed up after use.
 
+X509_ACERT_get0_serialNumber() performs the same operation as
+X509_get_serialNumber() for attribute certificates.
+
+X509_ACERT_set1_serialNumber() performs the same operation as
+X509_set_serialNumber() for attribute certificates.
+
 =head1 RETURN VALUES
 
-X509_get_serialNumber() and X509_get0_serialNumber() return an B<ASN1_INTEGER>
-structure.
+X509_get_serialNumber(), X509_get0_serialNumber() and
+X509_ACERT_get0_serialNumber() return a pointer to an B<ASN1_INTEGER> structure.
 
-X509_set_serialNumber() returns 1 for success and 0 for failure.
+X509_set_serialNumber() and X509_ACERT_set1_serialNumber() return 1 for success
+and 0 for failure.
 
 =head1 SEE ALSO
 
@@ -59,6 +73,8 @@ L<X509_verify_cert(3)>
 The X509_get_serialNumber() and X509_set_serialNumber() functions are
 available in all versions of OpenSSL.
 The X509_get0_serialNumber() function was added in OpenSSL 1.1.0.
+The X509_ACERT_get0_serialNumber() and X509_ACERT_set1_serialNumber()
+functions were added in OpenSSL 3.4.
 
 =head1 COPYRIGHT
 
diff --git a/doc/man3/X509_get_subject_name.pod b/doc/man3/X509_get_subject_name.pod
index 64659de6ab..2f392ad7a2 100644
--- a/doc/man3/X509_get_subject_name.pod
+++ b/doc/man3/X509_get_subject_name.pod
@@ -6,6 +6,7 @@ X509_NAME_hash_ex, X509_NAME_hash,
 X509_get_subject_name, X509_set_subject_name, X509_subject_name_hash,
 X509_get_issuer_name, X509_set_issuer_name, X509_issuer_name_hash,
 X509_REQ_get_subject_name, X509_REQ_set_subject_name,
+X509_ACERT_get0_issuerName, X509_ACERT_set1_issuerName,
 X509_CRL_get_issuer, X509_CRL_set_issuer_name -
 get X509_NAME hashes or get and set issuer or subject names
 
@@ -30,6 +31,11 @@ get X509_NAME hashes or get and set issuer or subject names
  X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl);
  int X509_CRL_set_issuer_name(X509_CRL *x, const X509_NAME *name);
 
+ #include <openssl/x509_acert.h>
+
+ X509_NAME *X509_ACERT_get0_issuerName(const X509_ACERT *x);
+ int X509_ACERT_set1_issuerName(X509_ACERT *x, const X509_NAME *name);
+
 The following macro has been deprecated since OpenSSL 3.0, and can be
 hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
 see L<openssl_user_macros(7)>:
@@ -63,13 +69,19 @@ X509_get_subject_name(), X509_set_subject_name(), and X509_subject_name_hash()
 except they relate to the issuer name of I<x>.
 
 Similarly X509_REQ_get_subject_name(), X509_REQ_set_subject_name(),
+X509_ACERT_get0_issuerName(), X509_ACERT_set1_issuerName(),
 X509_CRL_get_issuer() and X509_CRL_set_issuer_name() get or set the subject
 or issuer names of certificate requests of CRLs respectively.
 
+Since attribute certificates do not have a subject name, only the issuer name
+can be set.  For details on setting X509_ACERT holder identities, see
+L<X509_ACERT_set0_holder_entityName(3)>.
+
 =head1 RETURN VALUES
 
 X509_get_subject_name(), X509_get_issuer_name(), X509_REQ_get_subject_name()
-and X509_CRL_get_issuer() return an B<X509_NAME> pointer.
+X509_ACERT_get0_issuerName() and X509_CRL_get_issuer() return
+an B<X509_NAME> pointer.
 
 X509_NAME_hash_ex(), X509_NAME_hash(),
 X509_subject_name_hash() and X509_issuer_name_hash()
@@ -77,8 +89,9 @@ return the first four bytes of the SHA1 hash value,
 converted to B<unsigned long> in little endian order,
 or 0 on failure.
 
-X509_set_subject_name(), X509_set_issuer_name(), X509_REQ_set_subject_name()
-and X509_CRL_set_issuer_name() return 1 for success and 0 for failure.
+X509_set_subject_name(), X509_set_issuer_name(), X509_REQ_set_subject_name(),
+X509_ACERT_get0_issuerName() and X509_CRL_set_issuer_name() return 1 for
+success and 0 for failure.
 
 =head1 BUGS
 
diff --git a/doc/man3/X509_get_version.pod b/doc/man3/X509_get_version.pod
index c5db26c579..d6b11e454f 100644
--- a/doc/man3/X509_get_version.pod
+++ b/doc/man3/X509_get_version.pod
@@ -3,7 +3,8 @@
 =head1 NAME
 
 X509_get_version, X509_set_version, X509_REQ_get_version, X509_REQ_set_version,
-X509_CRL_get_version, X509_CRL_set_version - get or set certificate,
+X509_ACERT_get_version, X509_ACERT_set_version, X509_CRL_get_version,
+X509_CRL_set_version - get or set certificate,
 certificate request or CRL version
 
 =head1 SYNOPSIS
@@ -19,6 +20,11 @@ certificate request or CRL version
  long X509_CRL_get_version(const X509_CRL *crl);
  int X509_CRL_set_version(X509_CRL *x, long version);
 
+ #include <openssl/x509_acert.h>
+
+ int X509_ACERT_set_version(X509_ACERT *x, long version);
+ long X509_ACERT_get_version(const X509_ACERT *x);
+
 =head1 DESCRIPTION
 
 X509_get_version() returns the numerical value of the version field of
@@ -31,9 +37,11 @@ X509_set_version() sets the numerical value of the version field of certificate
 I<x> to I<version>.
 
 Similarly X509_REQ_get_version(), X509_REQ_set_version(),
+X509_ACERT_get_version(), X509_ACERT_set_version(),
 X509_CRL_get_version() and X509_CRL_set_version() get and set the version
 number of certificate requests and CRLs. They use constants
-B<X509_REQ_VERSION_1>, B<X509_CRL_VERSION_1>, and B<X509_CRL_VERSION_2>.
+B<X509_REQ_VERSION_1>, B<X509_ACERT_VERSION_2>, B<X509_CRL_VERSION_1>,
+and B<X509_CRL_VERSION_2>.
 
 =head1 NOTES