From 7751098ecdc6598af42c99950ac9554eeb2d60b3 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 4 Jan 2017 14:06:44 +0000 Subject: [PATCH] document RSA-PSS algorithm options Reviewed-by: Rich Salz Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/2177) --- doc/man1/genpkey.pod | 25 +++++++++++++++++++++++++ doc/man1/pkeyutl.pod | 26 ++++++++++++++++++++++++++ 2 files changed, 51 insertions(+) diff --git a/doc/man1/genpkey.pod b/doc/man1/genpkey.pod index e77fc7ef4e..8df09054b2 100644 --- a/doc/man1/genpkey.pod +++ b/doc/man1/genpkey.pod @@ -111,6 +111,31 @@ hexadecimal value if preceded by B<0x>. Default value is 65537. =back +=head1 RSA-PSS KEY GENERATION OPTIONS + +Note: by default an B key has no parameter restrictions. + +=over 4 + +=item B, B + +These options have the same meaning as the B algorithm. + +=item B + +If set the key is restricted and can only use B for signing. + +=item B + +If set the key is restricted and can only use B as it's MGF1 +parameter. + +=item B + +If set the key is restricted and B specifies the minimum salt length. + +=back + =head1 DSA PARAMETER GENERATION OPTIONS =over 4 diff --git a/doc/man1/pkeyutl.pod b/doc/man1/pkeyutl.pod index ceb9de34b4..6fc0325464 100644 --- a/doc/man1/pkeyutl.pod +++ b/doc/man1/pkeyutl.pod 
@@ -221,6 +221,32 @@ sets the salt length to the maximum permissible value. When verifying -2 causes the salt length to be automatically determined based on the B block structure. +=item B + +For PSS and OAEP padding sets the MGF1 digest. If the MGF1 digest is not +explicitly set in PSS mode then the signing digest is used. + +=back + +=head1 RSA-PSS ALGORITHM + +The RSA-PSS algorithm is a restricted version of the RSA algorithm which only +supports the sign and verify operations with PSS padding. The following +additional B values are supported: + +=over 4 + +=item B, B, B + +These have the same meaning as the B algorithm with some additional +restrictions. The padding mode can only be set to B which is the +default value. + +If the key has parameter restrictions than the digest, MGF1 +digest and salt length are set to the values specified in the parameters. +The digest and MG cannot be changed and the salt length cannot be set to a +value less than the minimum restriction. + =back =head1 DSA ALGORITHM -- 2.25.1
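Review bot: In the doc/man1/genpkey.pod hunk, the MGF1 digest item reads "as it's MGF1 parameter", where the possessive "its" is meant. The salt length item says the value "specifies the minimum salt length" without giving the unit. None of the three restriction items says what happens when a later signing operation requests a different digest, a different MGF1 digest or a shorter salt. A cross-reference to the RSA-PSS ALGORITHM section added to pkeyutl.pod would cover that, so readers who generate a restricted key know how the restriction is enforced.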
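Review bot: In the doc/man1/pkeyutl.pod hunk, the last paragraph of the new RSA-PSS ALGORITHM section has two wording errors. "If the key has parameter restrictions than the digest" should read "then", and "The digest and MG cannot be changed" cuts "MGF1 digest" short. The same paragraph says the values "cannot be changed" and that the salt length "cannot be set to a value less than the minimum restriction", but does not say whether such an attempt is rejected with an error or ignored. Stating the behaviour explicitly would let callers tell a misconfigured signing command apart from one that silently used the key's parameters.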