1 files changed, 13 insertions, 5 deletions
diff --git a/src/lib/libcrypto/man/X509_get0_signature.3 b/src/lib/libcrypto/man/X509_get0_signature.3
index dc3be2c70a..6cebb94e56 100644
--- a/src/lib/libcrypto/man/X509_get0_signature.3
+++ b/src/lib/libcrypto/man/X509_get0_signature.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: X509_get0_signature.3,v 1.9 2024/08/28 07:18:55 tb Exp $
+.\" $OpenBSD: X509_get0_signature.3,v 1.12 2025/07/06 09:32:08 tb Exp $
 .\" selective merge up to:
 .\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
 .\"
@@ -66,7 +66,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: August 28 2024 $
+.Dd $Mdocdate: July 6 2025 $
 .Dt X509_GET0_SIGNATURE 3
 .Os
 .Sh NAME
@@ -82,6 +82,7 @@
 .Nm X509_get_signature_info
 .Nd signature information
 .Sh SYNOPSIS
+.Lb libcrypto
 .In openssl/x509.h
 .Ft void
 .Fo X509_get0_signature
@@ -212,11 +213,11 @@ For a supported EdDSA algorithm (in LibreSSL this is Ed25519)
 this flag is always set.
 For an RSASSA-PSS PSS algorithm this flag is set if
 the parameters are DER encoded,
-the digest algorithm is one of SHA256, SHA384, or SHA512,
+the digest algorithm is one of SHA-256, SHA-384, or SHA-512,
 the same digest algorithm is used in the mask generation function,
 and the salt length is equal to the digest algorithm's output length.
 For all other signature algorithms this flag is set if the digest
-algorithm is one of SHA1, SHA256, SHA384, or SHA512.
+algorithm is one of SHA-1, SHA-256, SHA-384, or SHA-512.
 .El
 .Pp
 .Fn X509_get_signature_info
@@ -276,5 +277,12 @@ refer to the information available from the certificate signature
 (such as the signing digest).
 In some cases the actual security of the signature is smaller
 because the signing key is less secure.
-For example in a certificate signed using SHA512
+For example in a certificate signed using SHA-512
 and a 1024-bit RSA key.
+.Sh BUGS
+The signatures of
+.Fn X509_get0_signature ,
+.Fn X509_REQ_get0_signature ,
+and
+.Fn X509_CRL_get0_signature
+are inconsistent.

diff --git a/src/lib/libcrypto/man/X509_get0_signature.3 b/src/lib/libcrypto/man/X509_get0_signature.3 index dc3be2c70a..6cebb94e56 100644 --- a/src/lib/libcrypto/man/X509_get0_signature.3 +++ b/src/lib/libcrypto/man/X509_get0_signature.3
@@ -1,4 +1,4 @@
1	.\" $OpenBSD: X509_get0_signature.3,v 1.9 2024/08/28 07:18:55 tb Exp $	1	.\" $OpenBSD: X509_get0_signature.3,v 1.12 2025/07/06 09:32:08 tb Exp $
2	.\" selective merge up to:	2	.\" selective merge up to:
3	.\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100	3	.\" OpenSSL man3/X509_get0_signature 2f7a2520 Apr 25 17:28:08 2017 +0100
4	.\"	4	.\"
@@ -66,7 +66,7 @@
66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED	66	.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.	67	.\" OF THE POSSIBILITY OF SUCH DAMAGE.
68	.\"	68	.\"
69	.Dd $Mdocdate: August 28 2024 $	69	.Dd $Mdocdate: July 6 2025 $
70	.Dt X509_GET0_SIGNATURE 3	70	.Dt X509_GET0_SIGNATURE 3
71	.Os	71	.Os
72	.Sh NAME	72	.Sh NAME
@@ -82,6 +82,7 @@
82	.Nm X509_get_signature_info	82	.Nm X509_get_signature_info
83	.Nd signature information	83	.Nd signature information
84	.Sh SYNOPSIS	84	.Sh SYNOPSIS
		85	.Lb libcrypto
85	.In openssl/x509.h	86	.In openssl/x509.h
86	.Ft void	87	.Ft void
87	.Fo X509_get0_signature	88	.Fo X509_get0_signature
@@ -212,11 +213,11 @@ For a supported EdDSA algorithm (in LibreSSL this is Ed25519)
212	this flag is always set.	213	this flag is always set.
213	For an RSASSA-PSS PSS algorithm this flag is set if	214	For an RSASSA-PSS PSS algorithm this flag is set if
214	the parameters are DER encoded,	215	the parameters are DER encoded,
215	the digest algorithm is one of SHA256, SHA384, or SHA512,	216	the digest algorithm is one of SHA-256, SHA-384, or SHA-512,
216	the same digest algorithm is used in the mask generation function,	217	the same digest algorithm is used in the mask generation function,
217	and the salt length is equal to the digest algorithm's output length.	218	and the salt length is equal to the digest algorithm's output length.
218	For all other signature algorithms this flag is set if the digest	219	For all other signature algorithms this flag is set if the digest
219	algorithm is one of SHA1, SHA256, SHA384, or SHA512.	220	algorithm is one of SHA-1, SHA-256, SHA-384, or SHA-512.
220	.El	221	.El
221	.Pp	222	.Pp
222	.Fn X509_get_signature_info	223	.Fn X509_get_signature_info
@@ -276,5 +277,12 @@ refer to the information available from the certificate signature
276	(such as the signing digest).	277	(such as the signing digest).
277	In some cases the actual security of the signature is smaller	278	In some cases the actual security of the signature is smaller
278	because the signing key is less secure.	279	because the signing key is less secure.
279	For example in a certificate signed using SHA512	280	For example in a certificate signed using SHA-512
280	and a 1024-bit RSA key.	281	and a 1024-bit RSA key.
		282	.Sh BUGS
		283	The signatures of
		284	.Fn X509_get0_signature ,
		285	.Fn X509_REQ_get0_signature ,
		286	and
		287	.Fn X509_CRL_get0_signature
		288	are inconsistent.