doc: expand GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE description on RSA-PSS [ci skip]

For RSA-PSS, this flag alone doens't fully enable reproducible
signatures and the user needs to indicate the fact that a zero-length
salt is used through SPKI upon verification.

Signed-off-by: Daiki Ueno <ueno@gnu.org>

diff --git a/lib/includes/gnutls/abstract.h b/lib/includes/gnutls/abstract.h
index d8805681a9f0f59bf7dd513a813c597f46a9ba6d..386ae3e49f8e8d050f4d258932773fa3c03b2284 100644 (file)
--- a/lib/includes/gnutls/abstract.h
+++ b/lib/includes/gnutls/abstract.h
@@ -372,9 +372,12 @@ int gnutls_privkey_status(gnutls_privkey_t key);
  * @GNUTLS_PRIVKEY_SIGN_FLAG_TLS1_RSA: Make an RSA signature on the hashed data as in the TLS protocol.
  * @GNUTLS_PRIVKEY_SIGN_FLAG_RSA_PSS: Make an RSA signature on the hashed data with the PSS padding.
  * @GNUTLS_PRIVKEY_FLAG_REPRODUCIBLE: Make a signature on the hashed data with reproducible parameters.
- *   For RSA-PSS, that means to use empty salt instead of random value. For ECDSA/DSA, it uses the deterministic
- *   construction of random parameter according to RFC 6979. Note that
- *   this only supports the NIST curves and DSA subgroup bits up to 512.
+ *   For RSA-PSS, that means to use empty salt instead of random value. To
+ *   verify a signature created using this flag, the corresponding SPKI needs
+ *   to be set on the public key. Use gnutls_pubkey_set_spki() for that.
+ *   For ECDSA/DSA, it uses the deterministic construction of random parameter
+ *   according to RFC 6979. Note that this only supports the NIST curves and DSA
+ *   subgroup bits up to 512.
  * @GNUTLS_PRIVKEY_IMPORT_AUTO_RELEASE: When importing a private key, automatically
  *   release it when the structure it was imported is released.
  * @GNUTLS_PRIVKEY_IMPORT_COPY: Copy required values during import.