openssl-cms.pod.in: Mention Ed448 signing with signed attributes in BUGS section

In the BUGS section mention that signing wtih an Ed448 key is not supported
when using signed-data with signed attributes due to missing support for
id-shake256-len.

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
MergeDate: Tue Mar 17 16:20:27 2026
(Merged from https://github.com/openssl/openssl/pull/30312)

(cherry picked from commit 2590497f7ce33aeec26f5763ce822d6156f170d1)

diff --git a/doc/man1/openssl-cms.pod.in b/doc/man1/openssl-cms.pod.in
index 52a721747229cd2a0199cb6dc60bbabbad7a0838..8da6ee02293f13733e61654a48547fef5d5b6fa3 100644 (file)
--- a/doc/man1/openssl-cms.pod.in
+++ b/doc/man1/openssl-cms.pod.in
@@ -474,6 +474,12 @@ B<OSSL_KDF_PARAM_INFO> parameter of the B<KEMRecipientInfo> type's KDF.
 Digest algorithm to use when signing or resigning. If not present then the
 default digest algorithm for the signing key will be used (usually SHA-256).
 
+Note that, in the case signed attributes are not used (B<-noattr>), for
+some hash-less signing schemes the given digest algorithm will be ignored
+and a digest algorithm required by the signing scheme will be used. This is
+the case for EdDSA (RFC 8419). For SLH-DSA (RFC 9814) and ML-DSA (RFC 9882),
+the scheme-suggested digest algorithm will only be used if none is given.
+
 =item B<-signer> I<file>
 
 A signing certificate.  When signing or resigning a message, this option can be
@@ -924,6 +930,10 @@ the list of permitted ciphers in a database and only use those.
 
 No revocation checking is done on the signer's certificate.
 
+Ed448 signing is not supported when using signed-data with signed attributes
+since OpenSSL does not currently support the digestAlgorithm id-shake256-len
+as required per RFC 8419.
+
 =head1 SEE ALSO
 
 L<ossl_store-file(7)>