Document that SSL_PRIVATE_KEY_METHOD should configure signing prefs. Otherwise BoringSSL may select one the private key does not support. Change-Id: Ia0a57657bd6dedaa6653c23cc850bb6b6fa8f219 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/48525 Reviewed-by: Adam Langley <agl@google.com>

commit: 6191cc95a1ef9a7b0a3f79ac23cbbbba85698c0f [log] [tgz]
author: David Benjamin <davidben@google.com> Fri Jul 16 11:59:36 2021 -0400
committer: Adam Langley <agl@google.com> Fri Jul 16 17:39:25 2021 +0000
tree: 89936783d4d76bb9a127c779927bc2fc62c6a697
parent: 519c2986c73c23461b130ad19b93fd7d081353d5 [diff]
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ed5e64f..82e1da8 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h

@@ -1219,6 +1219,11 @@
 // key hooks. This is used to off-load signing operations to a custom,
 // potentially asynchronous, backend. Metadata about the key such as the type
 // and size are parsed out of the certificate.
+//
+// Callers that use this structure should additionally call
+// |SSL_set_signing_algorithm_prefs| or |SSL_CTX_set_signing_algorithm_prefs|
+// with the private key's capabilities. This ensures BoringSSL will select a
+// suitable signature algorithm for the private key.
 struct ssl_private_key_method_st {
   // sign signs the message |in| in using the specified signature algorithm. On
   // success, it returns |ssl_private_key_success| and writes at most |max_out|
commit	6191cc95a1ef9a7b0a3f79ac23cbbbba85698c0f	[log] [tgz]
author	David Benjamin <davidben@google.com>	Fri Jul 16 11:59:36 2021 -0400
committer	Adam Langley <agl@google.com>	Fri Jul 16 17:39:25 2021 +0000
tree	89936783d4d76bb9a127c779927bc2fc62c6a697
parent	519c2986c73c23461b130ad19b93fd7d081353d5 [diff]