diff --git a/ctaocrypt/include/asn.h b/ctaocrypt/include/asn.h
index 24e045006..785e81320 100644
--- a/ctaocrypt/include/asn.h
+++ b/ctaocrypt/include/asn.h
@@ -102,7 +102,7 @@ enum Misc_ASN {
     MAX_SEQ_SZ          =   5,     /* enum(seq | con) + length(4) */  
     MAX_SET_SZ          =   5,     /* enum(set | con) + length(4) */  
     MAX_VERSION_SZ      =   5,     /* enum + id + version(byte) + (header(2))*/
-    MAX_ENCODED_DIG_SZ  =  25,     /* sha + enum(bit or octet) + legnth(4) */
+    MAX_ENCODED_DIG_SZ  =  73,     /* sha512 + enum(bit or octet) + legnth(4) */
     MAX_RSA_INT_SZ      = 517,     /* RSA raw sz 4096 for bits + tag + len(4) */
     MAX_NTRU_KEY_SZ     = 610,     /* NTRU 112 bit public key */
     MAX_NTRU_ENC_SZ     = 628,     /* NTRU 112 bit DER public encoding */
@@ -121,17 +121,19 @@ enum Oid_Types {
 
 
 enum Sig_Sum  {
-    SHAwDSA   = 517,
-    MD2wRSA   = 646,
-    MD5wRSA   = 648,
-    SHAwRSA   = 649,
-    SHAwECDSA = 520
+    SHAwDSA    = 517,
+    MD2wRSA    = 646,
+    MD5wRSA    = 648,
+    SHAwRSA    = 649,
+    SHAwECDSA  = 520,
+    SHA256wRSA = 655
 };
 
 enum Hash_Sum  {
-    MD2h  = 646,
-    MD5h  = 649,
-    SHAh  =  88
+    MD2h    = 646,
+    MD5h    = 649,
+    SHAh    =  88,
+    SHA256h = 414
 };
 
 enum Key_Sum {
diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c
index 19c7ba0a9..fcf017256 100644
--- a/ctaocrypt/src/asn.c
+++ b/ctaocrypt/src/asn.c
@@ -31,6 +31,7 @@
 #include "error.h"
 #include "pwdbased.h"
 #include "des3.h"
+#include "sha256.h"
 
 #ifdef HAVE_NTRU
     #include "crypto_ntru.h"
@@ -1468,12 +1469,14 @@ static word32 SetAlgoID(int algoOID, byte* output, int type)
     /* adding TAG_NULL and 0 to end */
     
     /* hashTypes */
-    static const byte shaAlgoID[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a,
-                                      0x05, 0x00 };
-    static const byte md5AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                      0x02, 0x05, 0x05, 0x00  };
-    static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
-                                      0x02, 0x02, 0x05, 0x00};
+    static const byte shaAlgoID[]    = { 0x2b, 0x0e, 0x03, 0x02, 0x1a,
+                                         0x05, 0x00 };
+    static const byte sha256AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
+                                         0x04, 0x02, 0x01, 0x05, 0x00 };
+    static const byte md5AlgoID[]    = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                         0x02, 0x05, 0x05, 0x00  };
+    static const byte md2AlgoID[]    = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
+                                         0x02, 0x02, 0x05, 0x00};
 
     /* sigTypes */
     static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
@@ -1496,6 +1499,11 @@ static word32 SetAlgoID(int algoOID, byte* output, int type)
             algoName = shaAlgoID;
             break;
 
+        case SHA256h:
+            algoSz = sizeof(sha256AlgoID);
+            algoName = sha256AlgoID;
+            break;
+
         case MD2h:
             algoSz = sizeof(md2AlgoID);
             algoName = md2AlgoID;
@@ -1572,7 +1580,11 @@ word32 EncodeSignature(byte* out, const byte* digest, word32 digSz, int hashOID)
 static int ConfirmSignature(DecodedCert* cert, const byte* key, word32 keySz,
                             word32 keyOID)
 {
-    byte digest[SHA_DIGEST_SIZE]; /* max size */
+#ifndef NO_SHA256
+    byte digest[SHA256_DIGEST_SIZE]; /* max size */
+#else
+    byte digest[SHA_DIGEST_SIZE];   /* max size */
+#endif
     int  hashType, digestSz, ret;
 
     if (cert->signatureOID == MD5wRSA) {
@@ -1594,6 +1606,17 @@ static int ConfirmSignature(DecodedCert* cert, const byte* key, word32 keySz,
         hashType = SHAh;
         digestSz = SHA_DIGEST_SIZE;
     }
+#ifndef NO_SHA256
+    else if (cert->signatureOID == SHA256wRSA) {
+        Sha256 sha256;
+        InitSha256(&sha256);
+        Sha256Update(&sha256, cert->source + cert->certBegin,
+                  cert->sigIndex - cert->certBegin);
+        Sha256Final(&sha256, digest);
+        hashType = SHA256h;
+        digestSz = SHA256_DIGEST_SIZE;
+    }
+#endif
     else
         return 0; /* ASN_SIG_HASH_E; */
 
@@ -1615,8 +1638,9 @@ static int ConfirmSignature(DecodedCert* cert, const byte* key, word32 keySz,
         else {
             XMEMCPY(plain, cert->signature, cert->sigLength);
             if ( (verifySz = RsaSSL_VerifyInline(plain, cert->sigLength, &out,
-                                           &pubKey)) < 0)
+                                           &pubKey)) < 0) {
                 ret = 0; /* ASN_VERIFY_E; */
+            }
             else {
                 /* make sure we're right justified */
                 sigSz = EncodeSignature(encodedSig, digest, digestSz, hashType);
@@ -1624,6 +1648,26 @@ static int ConfirmSignature(DecodedCert* cert, const byte* key, word32 keySz,
                     ret = 0; /* ASN_VERIFY_MATCH_E; */
                 else
                     ret = 1; /* match */
+
+#ifdef CYASSL_DEBUG_ENCODING
+                {
+                int x;
+                printf("cyassl encodedSig:\n");
+                for (x = 0; x < sigSz; x++) {
+                    printf("%02x ", encodedSig[x]);
+                    if ( (x % 16) == 15)
+                        printf("\n");
+                }
+                printf("\n");
+                printf("actual digest:\n");
+                for (x = 0; x < verifySz; x++) {
+                    printf("%02x ", out[x]);
+                    if ( (x % 16) == 15)
+                        printf("\n");
+                }
+                printf("\n");
+                }
+#endif /* CYASSL_DEBUG_ENCODING */
             }
         }
         FreeRsaKey(&pubKey);
@@ -1646,8 +1690,9 @@ static int ConfirmSignature(DecodedCert* cert, const byte* key, word32 keySz,
         return 0;  /* ASN_VERIFY_E */
     }
 #endif /* HAVE_ECC */
-    else
+    else {
         return 0; /* ASN_SIG_KEY_E; */
+    }
 }