Commit 1d4919dcc7 for openssl.org
commit 1d4919dcc77b3fe7eb82dd3eb296992f54721efc
Author: Matt Caswell <matt@openssl.org>
Date: Mon Dec 15 17:12:46 2025 +0000
Update the documentation to remove referenceds to EVP_PKEY_ASN1_METHOD
Now that EVP_PKEY_ASN1_METHODs have been removed from the public API we
need to update the documentation accordingly. They still exist internally
and so some references are still appropriate in the internal documetnation.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/29405)
diff --git a/doc/build.info b/doc/build.info
index d53aed8df8..b71e1e41d6 100644
--- a/doc/build.info
+++ b/doc/build.info
@@ -1199,10 +1199,6 @@ DEPEND[html/man3/EVP_PKEY2PKCS8.html]=man3/EVP_PKEY2PKCS8.pod
GENERATE[html/man3/EVP_PKEY2PKCS8.html]=man3/EVP_PKEY2PKCS8.pod
DEPEND[man/man3/EVP_PKEY2PKCS8.3]=man3/EVP_PKEY2PKCS8.pod
GENERATE[man/man3/EVP_PKEY2PKCS8.3]=man3/EVP_PKEY2PKCS8.pod
-DEPEND[html/man3/EVP_PKEY_ASN1_METHOD.html]=man3/EVP_PKEY_ASN1_METHOD.pod
-GENERATE[html/man3/EVP_PKEY_ASN1_METHOD.html]=man3/EVP_PKEY_ASN1_METHOD.pod
-DEPEND[man/man3/EVP_PKEY_ASN1_METHOD.3]=man3/EVP_PKEY_ASN1_METHOD.pod
-GENERATE[man/man3/EVP_PKEY_ASN1_METHOD.3]=man3/EVP_PKEY_ASN1_METHOD.pod
DEPEND[html/man3/EVP_PKEY_CTX_ctrl.html]=man3/EVP_PKEY_CTX_ctrl.pod
GENERATE[html/man3/EVP_PKEY_CTX_ctrl.html]=man3/EVP_PKEY_CTX_ctrl.pod
DEPEND[man/man3/EVP_PKEY_CTX_ctrl.3]=man3/EVP_PKEY_CTX_ctrl.pod
@@ -1247,10 +1243,6 @@ DEPEND[html/man3/EVP_PKEY_CTX_set_tls1_prf_md.html]=man3/EVP_PKEY_CTX_set_tls1_p
GENERATE[html/man3/EVP_PKEY_CTX_set_tls1_prf_md.html]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod
DEPEND[man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod
GENERATE[man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3]=man3/EVP_PKEY_CTX_set_tls1_prf_md.pod
-DEPEND[html/man3/EVP_PKEY_asn1_get_count.html]=man3/EVP_PKEY_asn1_get_count.pod
-GENERATE[html/man3/EVP_PKEY_asn1_get_count.html]=man3/EVP_PKEY_asn1_get_count.pod
-DEPEND[man/man3/EVP_PKEY_asn1_get_count.3]=man3/EVP_PKEY_asn1_get_count.pod
-GENERATE[man/man3/EVP_PKEY_asn1_get_count.3]=man3/EVP_PKEY_asn1_get_count.pod
DEPEND[html/man3/EVP_PKEY_check.html]=man3/EVP_PKEY_check.pod
GENERATE[html/man3/EVP_PKEY_check.html]=man3/EVP_PKEY_check.pod
DEPEND[man/man3/EVP_PKEY_check.3]=man3/EVP_PKEY_check.pod
@@ -3349,7 +3341,6 @@ html/man3/EVP_MAC.html \
html/man3/EVP_OpenInit.html \
html/man3/EVP_PBE_CipherInit.html \
html/man3/EVP_PKEY2PKCS8.html \
-html/man3/EVP_PKEY_ASN1_METHOD.html \
html/man3/EVP_PKEY_CTX_ctrl.html \
html/man3/EVP_PKEY_CTX_get0_libctx.html \
html/man3/EVP_PKEY_CTX_get0_pkey.html \
@@ -3361,7 +3352,6 @@ html/man3/EVP_PKEY_CTX_set_params.html \
html/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.html \
html/man3/EVP_PKEY_CTX_set_scrypt_N.html \
html/man3/EVP_PKEY_CTX_set_tls1_prf_md.html \
-html/man3/EVP_PKEY_asn1_get_count.html \
html/man3/EVP_PKEY_check.html \
html/man3/EVP_PKEY_copy_parameters.html \
html/man3/EVP_PKEY_decapsulate.html \
@@ -4022,7 +4012,6 @@ man/man3/EVP_MAC.3 \
man/man3/EVP_OpenInit.3 \
man/man3/EVP_PBE_CipherInit.3 \
man/man3/EVP_PKEY2PKCS8.3 \
-man/man3/EVP_PKEY_ASN1_METHOD.3 \
man/man3/EVP_PKEY_CTX_ctrl.3 \
man/man3/EVP_PKEY_CTX_get0_libctx.3 \
man/man3/EVP_PKEY_CTX_get0_pkey.3 \
@@ -4034,7 +4023,6 @@ man/man3/EVP_PKEY_CTX_set_params.3 \
man/man3/EVP_PKEY_CTX_set_rsa_pss_keygen_md.3 \
man/man3/EVP_PKEY_CTX_set_scrypt_N.3 \
man/man3/EVP_PKEY_CTX_set_tls1_prf_md.3 \
-man/man3/EVP_PKEY_asn1_get_count.3 \
man/man3/EVP_PKEY_check.3 \
man/man3/EVP_PKEY_copy_parameters.3 \
man/man3/EVP_PKEY_decapsulate.3 \
diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
index 1008d21131..5823cd200f 100644
--- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod
@@ -91,7 +91,7 @@ B<EVP_PKEY> with EVP_PKEY_assign_RSA() and similar functions.
=head1 SEE ALSO
-L<EVP_PKEY_ASN1_METHOD(3)>, L<EVP_PKEY_assign_RSA(3)>
+L<EVP_PKEY_assign_RSA(3)>
=head1 COPYRIGHT
diff --git a/doc/internal/man7/EVP_PKEY.pod b/doc/internal/man7/EVP_PKEY.pod
index fa8288e326..197b1d78a9 100644
--- a/doc/internal/man7/EVP_PKEY.pod
+++ b/doc/internal/man7/EVP_PKEY.pod
@@ -31,7 +31,7 @@ and it can take one of the following forms:
This is the form that an B<EVP_PKEY> in OpenSSL prior to 3.0 had. The
internal key in the B<EVP_PKEY> is a pointer to the low-level key
types, such as B<RSA>, B<DSA> and B<EC>, and is governed by an associated
-L<EVP_PKEY_ASN1_METHOD(3)>.
+B<EVP_PKEY_ASN1_METHOD>.
The functions available through those two method structures get full
access to the B<EVP_PKEY> and therefore have a lot of freedom to
@@ -94,8 +94,8 @@ the L<EVP_KEYMGMT(3)>, the dirty count is maintained in the B<EVP_PKEY>
itself, and is incremented every time L<EVP_PKEY_set_params(3)> or its
specialised derivatives are called.
For legacy origin keys, this requires the associated
-L<EVP_PKEY_ASN1_METHOD(3)> to implement the dirty_cnt() function. All
-of OpenSSL's built-in L<EVP_PKEY_ASN1_METHOD(3)> implement this
+B<EVP_PKEY_ASN1_METHOD> to implement the dirty_cnt() function. All
+of OpenSSL's built-in B<EVP_PKEY_ASN1_METHOD> implement this
function.
=head2 Export cache for provider operations
@@ -122,7 +122,7 @@ there are two forms of the latter, we have the "legacy origin" and the
The export to the operation key cache can be performed independent of
what form the origin has.
For a legacy origin, this requires that the associated
-L<EVP_PKEY_ASN1_METHOD(3)> implements the functions export_to() and
+B<EVP_PKEY_ASN1_METHOD> implements the functions export_to() and
dirty_cnt().
For a provider native origin, this requires that the associated
L<EVP_KEYMGMT(3)> implements the OSSL_FUNC_keymgmt_export() function
@@ -166,7 +166,7 @@ Export the internal origin key to the provider, using the appropriate
method.
For legacy origin keys, that's done with the help of the
-L<EVP_PKEY_ASN1_METHOD(3)> export_to() function.
+B<EVP_PKEY_ASN1_METHOD> export_to() function.
For provider native origin keys, that's done by retrieving the key
data in L<OSSL_PARAM(3)> form from the origin keys, using the
diff --git a/doc/man3/EVP_PKEY_ASN1_METHOD.pod b/doc/man3/EVP_PKEY_ASN1_METHOD.pod
deleted file mode 100644
index f688356432..0000000000
--- a/doc/man3/EVP_PKEY_ASN1_METHOD.pod
+++ /dev/null
@@ -1,455 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_ASN1_METHOD,
-EVP_PKEY_asn1_new,
-EVP_PKEY_asn1_copy,
-EVP_PKEY_asn1_free,
-EVP_PKEY_asn1_add0,
-EVP_PKEY_asn1_add_alias,
-EVP_PKEY_asn1_set_public,
-EVP_PKEY_asn1_set_private,
-EVP_PKEY_asn1_set_param,
-EVP_PKEY_asn1_set_free,
-EVP_PKEY_asn1_set_ctrl,
-EVP_PKEY_asn1_set_item,
-EVP_PKEY_asn1_set_siginf,
-EVP_PKEY_asn1_set_check,
-EVP_PKEY_asn1_set_public_check,
-EVP_PKEY_asn1_set_param_check,
-EVP_PKEY_asn1_set_security_bits,
-EVP_PKEY_asn1_set_set_priv_key,
-EVP_PKEY_asn1_set_set_pub_key,
-EVP_PKEY_asn1_set_get_priv_key,
-EVP_PKEY_asn1_set_get_pub_key,
-EVP_PKEY_get0_asn1
-- manipulating and registering EVP_PKEY_ASN1_METHOD structure
-
-=head1 SYNOPSIS
-
-The following functions have been deprecated since OpenSSL 3.6, and can be
-hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
-see L<openssl_user_macros(7)>; use the provider API instead.
-
- #include <openssl/evp.h>
-
- typedef struct evp_pkey_asn1_method_st EVP_PKEY_ASN1_METHOD;
-
- EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_new(int id, int flags,
- const char *pem_str,
- const char *info);
- void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst,
- const EVP_PKEY_ASN1_METHOD *src);
- void EVP_PKEY_asn1_free(EVP_PKEY_ASN1_METHOD *ameth);
- int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth);
- int EVP_PKEY_asn1_add_alias(int to, int from);
-
- void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth,
- int (*pub_decode) (EVP_PKEY *pk,
- const X509_PUBKEY *pub),
- int (*pub_encode) (X509_PUBKEY *pub,
- const EVP_PKEY *pk),
- int (*pub_cmp) (const EVP_PKEY *a,
- const EVP_PKEY *b),
- int (*pub_print) (BIO *out,
- const EVP_PKEY *pkey,
- int indent, ASN1_PCTX *pctx),
- int (*pkey_size) (const EVP_PKEY *pk),
- int (*pkey_bits) (const EVP_PKEY *pk));
- void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth,
- int (*priv_decode) (EVP_PKEY *pk,
- const PKCS8_PRIV_KEY_INFO
- *p8inf),
- int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8,
- const EVP_PKEY *pk),
- int (*priv_print) (BIO *out,
- const EVP_PKEY *pkey,
- int indent,
- ASN1_PCTX *pctx));
- void EVP_PKEY_asn1_set_param(EVP_PKEY_ASN1_METHOD *ameth,
- int (*param_decode) (EVP_PKEY *pkey,
- const unsigned char **pder,
- int derlen),
- int (*param_encode) (const EVP_PKEY *pkey,
- unsigned char **pder),
- int (*param_missing) (const EVP_PKEY *pk),
- int (*param_copy) (EVP_PKEY *to,
- const EVP_PKEY *from),
- int (*param_cmp) (const EVP_PKEY *a,
- const EVP_PKEY *b),
- int (*param_print) (BIO *out,
- const EVP_PKEY *pkey,
- int indent,
- ASN1_PCTX *pctx));
-
- void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth,
- void (*pkey_free) (EVP_PKEY *pkey));
- void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
- int (*pkey_ctrl) (EVP_PKEY *pkey, int op,
- long arg1, void *arg2));
- void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
- int (*item_verify) (EVP_MD_CTX *ctx,
- const ASN1_ITEM *it,
- void *asn,
- X509_ALGOR *a,
- ASN1_BIT_STRING *sig,
- EVP_PKEY *pkey),
- int (*item_sign) (EVP_MD_CTX *ctx,
- const ASN1_ITEM *it,
- void *asn,
- X509_ALGOR *alg1,
- X509_ALGOR *alg2,
- ASN1_BIT_STRING *sig));
-
- void EVP_PKEY_asn1_set_siginf(EVP_PKEY_ASN1_METHOD *ameth,
- int (*siginf_set) (X509_SIG_INFO *siginf,
- const X509_ALGOR *alg,
- const ASN1_STRING *sig));
-
- void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth,
- int (*pkey_check) (const EVP_PKEY *pk));
-
- void EVP_PKEY_asn1_set_public_check(EVP_PKEY_ASN1_METHOD *ameth,
- int (*pkey_pub_check) (const EVP_PKEY *pk));
-
- void EVP_PKEY_asn1_set_param_check(EVP_PKEY_ASN1_METHOD *ameth,
- int (*pkey_param_check) (const EVP_PKEY *pk));
-
- void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth,
- int (*pkey_security_bits) (const EVP_PKEY
- *pk));
-
- void EVP_PKEY_asn1_set_set_priv_key(EVP_PKEY_ASN1_METHOD *ameth,
- int (*set_priv_key) (EVP_PKEY *pk,
- const unsigned char
- *priv,
- size_t len));
-
- void EVP_PKEY_asn1_set_set_pub_key(EVP_PKEY_ASN1_METHOD *ameth,
- int (*set_pub_key) (EVP_PKEY *pk,
- const unsigned char *pub,
- size_t len));
-
- void EVP_PKEY_asn1_set_get_priv_key(EVP_PKEY_ASN1_METHOD *ameth,
- int (*get_priv_key) (const EVP_PKEY *pk,
- unsigned char *priv,
- size_t *len));
-
- void EVP_PKEY_asn1_set_get_pub_key(EVP_PKEY_ASN1_METHOD *ameth,
- int (*get_pub_key) (const EVP_PKEY *pk,
- unsigned char *pub,
- size_t *len));
-
- const EVP_PKEY_ASN1_METHOD *EVP_PKEY_get0_asn1(const EVP_PKEY *pkey);
-
-=head1 DESCRIPTION
-
-B<EVP_PKEY_ASN1_METHOD> is a structure which holds a set of ASN.1
-conversion, printing and information methods for a specific public key
-algorithm.
-
-There are two places where the B<EVP_PKEY_ASN1_METHOD> objects are
-stored: one is a built-in array representing the standard methods for
-different algorithms, and the other one is a stack of user-defined
-application-specific methods, which can be manipulated by using
-L<EVP_PKEY_asn1_add0(3)>.
-
-=head2 Methods
-
-The methods are the underlying implementations of a particular public
-key algorithm present by the B<EVP_PKEY> object.
-
- int (*pub_decode) (EVP_PKEY *pk, const X509_PUBKEY *pub);
- int (*pub_encode) (X509_PUBKEY *pub, const EVP_PKEY *pk);
- int (*pub_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
- int (*pub_print) (BIO *out, const EVP_PKEY *pkey, int indent,
- ASN1_PCTX *pctx);
-
-The pub_decode() and pub_encode() methods are called to decode /
-encode B<X509_PUBKEY> ASN.1 parameters to / from B<pk>.
-They MUST return 0 on error, 1 on success.
-They're called by L<X509_PUBKEY_get0(3)> and L<X509_PUBKEY_set(3)>.
-
-The pub_cmp() method is called when two public keys are to be
-compared.
-It MUST return 1 when the keys are equal, 0 otherwise.
-It's called by L<EVP_PKEY_eq(3)>.
-
-The pub_print() method is called to print a public key in humanly
-readable text to B<out>, indented B<indent> spaces.
-It MUST return 0 on error, 1 on success.
-It's called by L<EVP_PKEY_print_public(3)>.
-
- int (*priv_decode) (EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf);
- int (*priv_encode) (PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk);
- int (*priv_print) (BIO *out, const EVP_PKEY *pkey, int indent,
- ASN1_PCTX *pctx);
-
-The priv_decode() and priv_encode() methods are called to decode /
-encode B<PKCS8_PRIV_KEY_INFO> form private key to / from B<pk>.
-They MUST return 0 on error, 1 on success.
-They're called by L<EVP_PKCS82PKEY(3)> and L<EVP_PKEY2PKCS8(3)>.
-
-The priv_print() method is called to print a private key in humanly
-readable text to B<out>, indented B<indent> spaces.
-It MUST return 0 on error, 1 on success.
-It's called by L<EVP_PKEY_print_private(3)>.
-
- int (*pkey_size) (const EVP_PKEY *pk);
- int (*pkey_bits) (const EVP_PKEY *pk);
- int (*pkey_security_bits) (const EVP_PKEY *pk);
-
-The pkey_size() method returns the key size in bytes.
-It's called by L<EVP_PKEY_get_size(3)>.
-
-The pkey_bits() method returns the key size in bits.
-It's called by L<EVP_PKEY_get_bits(3)>.
-
- int (*param_decode) (EVP_PKEY *pkey,
- const unsigned char **pder, int derlen);
- int (*param_encode) (const EVP_PKEY *pkey, unsigned char **pder);
- int (*param_missing) (const EVP_PKEY *pk);
- int (*param_copy) (EVP_PKEY *to, const EVP_PKEY *from);
- int (*param_cmp) (const EVP_PKEY *a, const EVP_PKEY *b);
- int (*param_print) (BIO *out, const EVP_PKEY *pkey, int indent,
- ASN1_PCTX *pctx);
-
-The param_decode() and param_encode() methods are called to decode /
-encode DER formatted parameters to / from B<pk>.
-They MUST return 0 on error, 1 on success.
-They're called by L<PEM_read_bio_Parameters(3)> and the B<file:>
-L<OSSL_STORE_LOADER(3)>.
-
-The param_missing() method returns 0 if a key parameter is missing,
-otherwise 1.
-It's called by L<EVP_PKEY_missing_parameters(3)>.
-
-The param_copy() method copies key parameters from B<from> to B<to>.
-It MUST return 0 on error, 1 on success.
-It's called by L<EVP_PKEY_copy_parameters(3)>.
-
-The param_cmp() method compares the parameters of keys B<a> and B<b>.
-It MUST return 1 when the keys are equal, 0 when not equal, or a
-negative number on error.
-It's called by L<EVP_PKEY_parameters_eq(3)>.
-
-The param_print() method prints the private key parameters in humanly
-readable text to B<out>, indented B<indent> spaces.
-It MUST return 0 on error, 1 on success.
-It's called by L<EVP_PKEY_print_params(3)>.
-
- int (*sig_print) (BIO *out,
- const X509_ALGOR *sigalg, const ASN1_STRING *sig,
- int indent, ASN1_PCTX *pctx);
-
-The sig_print() method prints a signature in humanly readable text to
-B<out>, indented B<indent> spaces.
-B<sigalg> contains the exact signature algorithm.
-If the signature in B<sig> doesn't correspond to what this method
-expects, X509_signature_dump() must be used as a last resort.
-It MUST return 0 on error, 1 on success.
-It's called by L<X509_signature_print(3)>.
-
- void (*pkey_free) (EVP_PKEY *pkey);
-
-The pkey_free() method helps freeing the internals of B<pkey>.
-It's called by L<EVP_PKEY_free(3)>, L<EVP_PKEY_set_type(3)>,
-L<EVP_PKEY_set_type_str(3)>, and L<EVP_PKEY_assign(3)>.
-
- int (*pkey_ctrl) (EVP_PKEY *pkey, int op, long arg1, void *arg2);
-
-The pkey_ctrl() method adds extra algorithm specific control.
-It's called by L<EVP_PKEY_get_default_digest_nid(3)>,
-L<EVP_PKEY_set1_encoded_public_key(3)>,
-L<EVP_PKEY_get1_encoded_public_key(3)>, L<PKCS7_SIGNER_INFO_set(3)>,
-L<PKCS7_RECIP_INFO_set(3)>, ...
-
- int (*old_priv_decode) (EVP_PKEY *pkey,
- const unsigned char **pder, int derlen);
- int (*old_priv_encode) (const EVP_PKEY *pkey, unsigned char **pder);
-
-The old_priv_decode() and old_priv_encode() methods decode / encode
-they private key B<pkey> from / to a DER formatted array.
-These are exclusively used to help decoding / encoding older (pre
-PKCS#8) PEM formatted encrypted private keys.
-old_priv_decode() MUST return 0 on error, 1 on success.
-old_priv_encode() MUST the return same kind of values as
-i2d_PrivateKey().
-They're called by L<d2i_PrivateKey(3)> and L<i2d_PrivateKey(3)>.
-
- int (*item_verify) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
- X509_ALGOR *a, ASN1_BIT_STRING *sig, EVP_PKEY *pkey);
- int (*item_sign) (EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn,
- X509_ALGOR *alg1, X509_ALGOR *alg2,
- ASN1_BIT_STRING *sig);
-
-The item_sign() and item_verify() methods make it possible to have
-algorithm specific signatures and verification of them.
-
-item_sign() MUST return one of:
-
-=over 4
-
-=item <=0
-
-error
-
-=item Z<>1
-
-item_sign() did everything, OpenSSL internals just needs to pass the
-signature length back.
-
-=item Z<>2
-
-item_sign() did nothing, OpenSSL internal standard routines are
-expected to continue with the default signature production.
-
-=item Z<>3
-
-item_sign() set the algorithm identifier B<algor1> and B<algor2>,
-OpenSSL internals should just sign using those algorithms.
-
-=back
-
-item_verify() MUST return one of:
-
-=over 4
-
-=item <=0
-
-error
-
-=item Z<>1
-
-item_sign() did everything, OpenSSL internals just needs to pass the
-signature length back.
-
-=item Z<>2
-
-item_sign() did nothing, OpenSSL internal standard routines are
-expected to continue with the default signature production.
-
-=back
-
-item_verify() and item_sign() are called by L<ASN1_item_verify(3)> and
-L<ASN1_item_sign(3)>, and by extension, L<X509_verify(3)>,
-L<X509_REQ_verify(3)>, L<X509_sign(3)>, L<X509_REQ_sign(3)>, ...
-
- int (*siginf_set) (X509_SIG_INFO *siginf, const X509_ALGOR *alg,
- const ASN1_STRING *sig);
-
-The siginf_set() method is used to set custom B<X509_SIG_INFO>
-parameters.
-It MUST return 0 on error, or 1 on success.
-It's called as part of L<X509_check_purpose(3)>, L<X509_check_ca(3)>
-and L<X509_check_issued(3)>.
-
- int (*pkey_check) (const EVP_PKEY *pk);
- int (*pkey_public_check) (const EVP_PKEY *pk);
- int (*pkey_param_check) (const EVP_PKEY *pk);
-
-The pkey_check(), pkey_public_check() and pkey_param_check() methods are used
-to check the validity of B<pk> for key-pair, public component and parameters,
-respectively.
-They MUST return 0 for an invalid key, or 1 for a valid key.
-They are called by L<EVP_PKEY_check(3)>, L<EVP_PKEY_public_check(3)> and
-L<EVP_PKEY_param_check(3)> respectively.
-
- int (*set_priv_key) (EVP_PKEY *pk, const unsigned char *priv, size_t len);
- int (*set_pub_key) (EVP_PKEY *pk, const unsigned char *pub, size_t len);
-
-The set_priv_key() and set_pub_key() methods are used to set the raw private and
-public key data for an EVP_PKEY. They MUST return 0 on error, or 1 on success.
-They are called by L<EVP_PKEY_new_raw_private_key(3)>, and
-L<EVP_PKEY_new_raw_public_key(3)> respectively.
-
- size_t (*dirty) (const EVP_PKEY *pk);
- void *(*export_to) (const EVP_PKEY *pk, EVP_KEYMGMT *keymgmt);
-
-dirty_cnt() returns the internal key's dirty count.
-This can be used to synchronise different copies of the same keys.
-
-The export_to() method exports the key material from the given key to
-a provider, through the L<EVP_KEYMGMT(3)> interface, if that provider
-supports importing key material.
-
-=head2 Functions
-
-EVP_PKEY_asn1_new() creates and returns a new B<EVP_PKEY_ASN1_METHOD>
-object, and associates the given B<id>, B<flags>, B<pem_str> and
-B<info>.
-B<id> is a NID, B<pem_str> is the PEM type string, B<info> is a
-descriptive string.
-The following B<flags> are supported:
-
- ASN1_PKEY_SIGPARAM_NULL
-
-If B<ASN1_PKEY_SIGPARAM_NULL> is set, then the signature algorithm
-parameters are given the type B<V_ASN1_NULL> by default, otherwise
-they will be given the type B<V_ASN1_UNDEF> (i.e. the parameter is
-omitted).
-See L<X509_ALGOR_set0(3)> for more information.
-
-EVP_PKEY_asn1_copy() copies an B<EVP_PKEY_ASN1_METHOD> object from
-B<src> to B<dst>.
-This function is not thread safe, it's recommended to only use this
-when initializing the application.
-
-EVP_PKEY_asn1_free() frees an existing B<EVP_PKEY_ASN1_METHOD> pointed
-by B<ameth>. If the argument is NULL, nothing is done.
-
-EVP_PKEY_asn1_add0() adds B<ameth> to the user defined stack of
-methods unless another B<EVP_PKEY_ASN1_METHOD> with the same NID is
-already there.
-This function is not thread safe, it's recommended to only use this
-when initializing the application.
-
-EVP_PKEY_asn1_add_alias() creates an alias with the NID B<to> for the
-B<EVP_PKEY_ASN1_METHOD> with NID B<from> unless another
-B<EVP_PKEY_ASN1_METHOD> with the same NID is already added.
-This function is not thread safe, it's recommended to only use this
-when initializing the application.
-
-EVP_PKEY_asn1_set_public(), EVP_PKEY_asn1_set_private(),
-EVP_PKEY_asn1_set_param(), EVP_PKEY_asn1_set_free(),
-EVP_PKEY_asn1_set_ctrl(), EVP_PKEY_asn1_set_item(),
-EVP_PKEY_asn1_set_siginf(), EVP_PKEY_asn1_set_check(),
-EVP_PKEY_asn1_set_public_check(), EVP_PKEY_asn1_set_param_check(),
-EVP_PKEY_asn1_set_security_bits(), EVP_PKEY_asn1_set_set_priv_key(),
-EVP_PKEY_asn1_set_set_pub_key(), EVP_PKEY_asn1_set_get_priv_key() and
-EVP_PKEY_asn1_set_get_pub_key() set the diverse methods of the given
-B<EVP_PKEY_ASN1_METHOD> object.
-
-EVP_PKEY_get0_asn1() finds the B<EVP_PKEY_ASN1_METHOD> associated
-with the key B<pkey>.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_asn1_new() returns NULL on error, or a pointer to an
-B<EVP_PKEY_ASN1_METHOD> object otherwise.
-
-EVP_PKEY_asn1_add0() and EVP_PKEY_asn1_add_alias() return 0 on error,
-or 1 on success.
-
-EVP_PKEY_get0_asn1() returns NULL on error, or a pointer to a constant
-B<EVP_PKEY_ASN1_METHOD> object otherwise.
-
-=head1 HISTORY
-
-The signature of the I<pub_decode> functional argument of
-EVP_PKEY_asn1_set_public() has changed in OpenSSL 3.0 so its I<pub>
-parameter is now constified.
-
-All of these functions were deprecated in OpenSSL 3.6.
-
-=head1 COPYRIGHT
-
-Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/doc/man3/EVP_PKEY_asn1_get_count.pod b/doc/man3/EVP_PKEY_asn1_get_count.pod
deleted file mode 100644
index f367c74b04..0000000000
--- a/doc/man3/EVP_PKEY_asn1_get_count.pod
+++ /dev/null
@@ -1,85 +0,0 @@
-=pod
-
-=head1 NAME
-
-EVP_PKEY_asn1_find,
-EVP_PKEY_asn1_find_str,
-EVP_PKEY_asn1_get_count,
-EVP_PKEY_asn1_get0,
-EVP_PKEY_asn1_get0_info
-- enumerate public key ASN.1 methods
-
-=head1 SYNOPSIS
-
-The following functions have been deprecated since OpenSSL 3.6, and can be
-hidden entirely by defining B<OPENSSL_API_COMPAT> with a suitable version value,
-see L<openssl_user_macros(7)>; use the provider API instead.
-
- #include <openssl/evp.h>
-
- int EVP_PKEY_asn1_get_count(void);
- const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx);
- const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find(ENGINE **pe, int type);
- const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_find_str(ENGINE **pe,
- const char *str, int len);
- int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id,
- int *ppkey_flags, const char **pinfo,
- const char **ppem_str,
- const EVP_PKEY_ASN1_METHOD *ameth);
-
-=head1 DESCRIPTION
-
-EVP_PKEY_asn1_count() returns a count of the number of public key
-ASN.1 methods available: it includes standard methods and any methods
-added by the application.
-
-EVP_PKEY_asn1_get0() returns the public key ASN.1 method B<idx>.
-The value of B<idx> must be between zero and EVP_PKEY_asn1_get_count()
-- 1.
-
-EVP_PKEY_asn1_find() looks up the B<EVP_PKEY_ASN1_METHOD> with NID
-B<type>.
-If B<pe> isn't B<NULL>, then NULL will be placed at the given address, as
-ENGINEs were removed, therefore none can be found.
-
-EVP_PKEY_asn1_find_str() looks up the B<EVP_PKEY_ASN1_METHOD> with PEM
-type string B<str>.
-Just like EVP_PKEY_asn1_find(), if B<pe> isn't B<NULL>, then NULL will be placed
-at the given address, as ENGINEs were removed, therefore none can be found.
-
-EVP_PKEY_asn1_get0_info() returns the public key ID, base public key
-ID (both NIDs), any flags, the method description and PEM type string
-associated with the public key ASN.1 method B<*ameth>.
-
-EVP_PKEY_asn1_count(), EVP_PKEY_asn1_get0(), EVP_PKEY_asn1_find() and
-EVP_PKEY_asn1_find_str() are not thread safe, but as long as all
-B<EVP_PKEY_ASN1_METHOD> objects are added before the application gets
-threaded, using them is safe. See L<EVP_PKEY_asn1_add0(3)>.
-
-=head1 RETURN VALUES
-
-EVP_PKEY_asn1_count() returns the number of available public key methods.
-
-EVP_PKEY_asn1_get0() return a public key method or B<NULL> if B<idx> is
-out of range.
-
-EVP_PKEY_asn1_get0_info() returns 0 on failure, 1 on success.
-
-=head1 SEE ALSO
-
-L<EVP_PKEY_asn1_new(3)>, L<EVP_PKEY_asn1_add0(3)>
-
-=head1 HISTORY
-
-These functions were deprecated in OpenSSL 3.6.
-
-=head1 COPYRIGHT
-
-Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
-
-Licensed under the Apache License 2.0 (the "License"). You may not use
-this file except in compliance with the License. You can obtain a copy
-in the file LICENSE in the source distribution or at
-L<https://www.openssl.org/source/license.html>.
-
-=cut
diff --git a/doc/man3/EVP_PKEY_get_default_digest_nid.pod b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
index 726d129b52..f16208126f 100644
--- a/doc/man3/EVP_PKEY_get_default_digest_nid.pod
+++ b/doc/man3/EVP_PKEY_get_default_digest_nid.pod
@@ -25,9 +25,8 @@ EVP_PKEY_get_default_digest_nid() sets I<pnid> to the default message
digest NID for the public key signature operations associated with key
I<pkey>. Note that some signature algorithms (i.e. Ed25519 and Ed448)
do not use a digest during signing. In this case I<pnid> will be set
-to NID_undef. This function is only reliable for legacy keys, which
-are keys with a B<EVP_PKEY_ASN1_METHOD>; these keys have typically
-been created with L<EVP_PKEY_assign_RSA(3)> or similar.
+to NID_undef. This function is only reliable for legacy keys; these keys have
+typically been created with L<EVP_PKEY_assign_RSA(3)> or similar.
=head1 NOTES
diff --git a/doc/man3/EVP_PKEY_set_type.pod b/doc/man3/EVP_PKEY_set_type.pod
index 5a326df012..3ff76c615b 100644
--- a/doc/man3/EVP_PKEY_set_type.pod
+++ b/doc/man3/EVP_PKEY_set_type.pod
@@ -22,21 +22,15 @@ I<pkey> is NULL, these functions will still return the same return
values as if it wasn't.
EVP_PKEY_set_type() initialises I<pkey> to contain an internal legacy
-key. When doing this, it finds a L<EVP_PKEY_ASN1_METHOD(3)>
-corresponding to I<type>, and associates I<pkey> with the findings.
-It is an error if no L<EVP_PKEY_ASN1_METHOD(3)> could be found for
+key. It is an error if no legacy implementations could be found for
I<type>.
EVP_PKEY_set_type_str() initialises I<pkey> to contain an internal legacy
-key. When doing this, it finds a L<EVP_PKEY_ASN1_METHOD(3)>
-corresponding to I<str> that has then length I<len>, and associates
-I<pkey> with the findings.
-It is an error if no L<EVP_PKEY_ASN1_METHOD(3)> could be found for
-I<type>.
+key. It is an error if no legacy implementation could be found for I<type>.
For both EVP_PKEY_set_type() and EVP_PKEY_set_type_str(), I<pkey> gets
a numeric type, which can be retrieved with L<EVP_PKEY_get_id(3)>. This
-numeric type is taken from the L<EVP_PKEY_ASN1_METHOD(3)> that was
+numeric type is taken from the internal legacy implementation that was
found, and is equal to or closely related to I<type> in the case of
EVP_PKEY_set_type(), or related to I<str> in the case of
EVP_PKEY_set_type_str().
@@ -53,7 +47,7 @@ All functions described here return 1 if successful, or 0 on error.
=head1 SEE ALSO
L<EVP_PKEY_assign(3)>, L<EVP_PKEY_get_id(3)>, L<EVP_PKEY_get0_RSA(3)>,
-L<EVP_PKEY_copy_parameters(3)>, L<EVP_PKEY_ASN1_METHOD(3)>,
+L<EVP_PKEY_copy_parameters(3)>,
L<EVP_KEYMGMT(3)>
=head1 COPYRIGHT
diff --git a/doc/man7/ossl-guide-migration.pod b/doc/man7/ossl-guide-migration.pod
index c80955eb5c..3fc59c3bb1 100644
--- a/doc/man7/ossl-guide-migration.pod
+++ b/doc/man7/ossl-guide-migration.pod
@@ -60,7 +60,7 @@ implementation should instead use the provider API.
=head2 Main Changes from OpenSSL 3.5
-The functions EVP_PKEY_asn1_*() and L<EVP_PKEY_get0_asn1(3)> were deprecated in
+The functions EVP_PKEY_asn1_*() and EVP_PKEY_get0_asn1() were deprecated in
favour of the provider API. EVP_PKEY_assign_[DSA|SIPHASH]() were also deprecated.
Please use the new high level and provider API.