Commit 2590497f7c for openssl.org
commit 2590497f7ce33aeec26f5763ce822d6156f170d1
Author: Stefan Berger <stefanb@linux.ibm.com>
Date: Thu Mar 12 09:57:43 2026 -0500
openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section
In the BUGS section mention that signing wtih an Ed448 key is not supported
when using signed-data with signed attributes due to missing support for
id-shake256-len.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:27 2026
(Merged from https://github.com/openssl/openssl/pull/30312)
diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 52a7217472..8da6ee0229 100644
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -474,6 +474,12 @@ B<OSSL_KDF_PARAM_INFO> parameter of the B<KEMRecipientInfo> type's KDF.
Digest algorithm to use when signing or resigning. If not present then the
default digest algorithm for the signing key will be used (usually SHA-256).
+Note that, in the case signed attributes are not used (B<-noattr>), for
+some hash-less signing schemes the given digest algorithm will be ignored
+and a digest algorithm required by the signing scheme will be used. This is
+the case for EdDSA (RFC 8419). For SLH-DSA (RFC 9814) and ML-DSA (RFC 9882),
+the scheme-suggested digest algorithm will only be used if none is given.
+
=item B<-signer> I<file>
A signing certificate. When signing or resigning a message, this option can be
@@ -924,6 +930,10 @@ the list of permitted ciphers in a database and only use those.
No revocation checking is done on the signer's certificate.
+Ed448 signing is not supported when using signed-data with signed attributes
+since OpenSSL does not currently support the digestAlgorithm id-shake256-len
+as required per RFC 8419.
+
=head1 SEE ALSO
L<ossl_store-file(7)>