chore(docs): new acert options and verification functoin

Author: JonathanWilbur

doc/build.info

@@ -2879,6 +2879,10 @@ DEPEND[html/man3/X509_add_cert.html]=man3/X509_add_cert.pod
 GENERATE[html/man3/X509_add_cert.html]=man3/X509_add_cert.pod
 DEPEND[man/man3/X509_add_cert.3]=man3/X509_add_cert.pod
 GENERATE[man/man3/X509_add_cert.3]=man3/X509_add_cert.pod
+DEPEND[html/man3/X509_attr_cert_verify.html]=man3/X509_attr_cert_verify.pod
+GENERATE[html/man3/X509_attr_cert_verify.html]=man3/X509_attr_cert_verify.pod
+DEPEND[man/man3/X509_attr_cert_verify.3]=man3/X509_attr_cert_verify.pod
+GENERATE[man/man3/X509_attr_cert_verify.3]=man3/X509_attr_cert_verify.pod
 DEPEND[html/man3/X509_check_ca.html]=man3/X509_check_ca.pod
 GENERATE[html/man3/X509_check_ca.html]=man3/X509_check_ca.pod
 DEPEND[man/man3/X509_check_ca.3]=man3/X509_check_ca.pod
@@ -3625,6 +3629,7 @@ html/man3/X509_STORE_new.html \
 html/man3/X509_STORE_set_verify_cb_func.html \
 html/man3/X509_VERIFY_PARAM_set_flags.html \
 html/man3/X509_add_cert.html \
+html/man3/X509_attr_cert_verify.html \
 html/man3/X509_check_ca.html \
 html/man3/X509_check_host.html \
 html/man3/X509_check_issued.html \
@@ -4262,6 +4267,7 @@ man/man3/X509_STORE_new.3 \
 man/man3/X509_STORE_set_verify_cb_func.3 \
 man/man3/X509_VERIFY_PARAM_set_flags.3 \
 man/man3/X509_add_cert.3 \
+man/man3/X509_attr_cert_verify.3 \
 man/man3/X509_check_ca.3 \
 man/man3/X509_check_host.3 \
 man/man3/X509_check_issued.3 \

doc/man1/openssl-acert.pod.in

@@ -25,6 +25,8 @@ B<openssl> B<acert>
 [B<-holder> I<filename>]
 [B<-use-holder-basecertid>]
 [B<-use-holder-name>]
+[B<-target-cert>]
+[B<-asserted-before>]
 [B<-AA> I<filename>|I<uri>]
 [B<-AAkey> I<filename>|I<uri>]
 [B<-keyform> B<DER>|B<PEM>|B<P12>|B<ENGINE>]
@@ -121,6 +123,24 @@ holder in the new attribute certificate.
 Use the holder certificate's subject name to identify the holder
 in the new attribute certificate.
 
+=item B<-target-cert> I<filename>
+
+The target certificate file, from which a TARGET (using the targetCert
+alternative) is constructed and compared against the targets listed in the
+targetingInformation X.509v3 extension, if it is present. This argument takes
+effect if the B<acert> command is used with the B<-verify> option.
+
+Verification will not fail if the targetingInformation extension does not
+exist in the verified attribute certificate, but it will fail if the extension
+is present and the target does not appear in the list of targets.
+
+=item B<-asserted-before>
+
+Specifies whether the verified attribute certificate has been asserted once
+before. If provided, this causes verification of an attribute certificate to
+fail if the singleUse X.509v3 extension is present. This argument only takes
+effect if the B<acert> command is used with the B<-verify> option.
+
 =item B<-AA> I<filename>|I<uri>
 
 Specifies the Attribute Authority certificate to be used for signing with the

doc/man3/X509_attr_cert_verify.pod

@@ -0,0 +1,63 @@
+=pod
+
+=head1 NAME
+
+X509_attr_cert_verify, X509_attr_cert_verify_ex, acert_crl
+- attribute certificate verification functions
+
+=head1 SYNOPSIS
+
+ int X509_attr_cert_verify(X509_ACERT *acert, X509 *issuer);
+ int X509_attr_cert_verify_ex(X509_ACERT *acert, X509 *issuer, X509 *holder,
+                              TARGET *tgt, int asserted_before);
+ int acert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509_ACERT *x);
+
+=head1 DESCRIPTION
+
+X509_attr_cert_verify verifies that the attribute ceritifcate B<acert> is signed
+by the issuer B<issuer> and that the attribute certificate is valid with
+respect to its validity times and its extensions. This function does B<not>
+verify the B<issuer> certificate.
+
+X509_attr_cert_verify_ex is the extended form of X509_attr_cert_verify, which
+takes an optional B<holder> argument, B<tgt> argument, and B<asserted_before>
+argument.
+
+If not B<NULL>, the subject and subject alternative names are extracted from
+the B<holder> public key certificate and compared against the holder field of
+the asserted attribute certificate, B<acert>.
+
+If not B<NULL>, the target is checked against the list of permitted targets
+within the targetingInformation X.509v3 extension, if the extension is present.
+
+If set to a truthy value, B<asserted_before> causes attribute certificate
+verification to fail if the singleUse X.509v3 extension is present.
+
+acert_crl returns 1 if the attribute certificate B<x> is not revoked in the
+certificate revocation list B<crl>, some other integer otherwise.
+
+=head1 NOTES
+
+These functions verify an X.509 attribute certificate to varying degrees. None
+of them verify the corresponding public key certificate, but the public key
+certificates can just be verified using the normal OpenSSL verification
+functions.
+
+=head1 RETURN VALUES
+
+Both X509_attr_cert_verify and X509_attr_cert_verify_ex return X509_V_OK (0) if
+the attribute certificate is valid with respect to the supplied verification
+parameters, or some other X509_V_ERR_ value otherwise. As stated above,
+acert_crl returns 1 if the attribute certificate is not revoked in the provided
+certificate revocation list, and some other integer otherwise.
+
+=head1 COPYRIGHT
+
+Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+
+Licensed under the Apache License 2.0 (the "License").  You may not use
+this file except in compliance with the License.  You can obtain a copy
+in the file LICENSE in the source distribution or at
+L<https://www.openssl.org/source/license.html>.
+
+=cut