diff --git a/ctaocrypt/src/pkcs7.c b/ctaocrypt/src/pkcs7.c
index 8db8c5f97..96904c392 100644
--- a/ctaocrypt/src/pkcs7.c
+++ b/ctaocrypt/src/pkcs7.c
@@ -166,6 +166,7 @@ int PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz)
         }
         XMEMCPY(pkcs7->publicKey, dCert.publicKey, dCert.pubKeySize);
         pkcs7->publicKeySz = dCert.pubKeySize;
+        XMEMCPY(pkcs7->issuerHash, dCert.issuerHash, SHA_SIZE);
         pkcs7->issuer = dCert.issuerRaw;
         pkcs7->issuerSz = dCert.issuerRawLen;
         XMEMCPY(pkcs7->issuerSn, dCert.serial, dCert.serialSz);
@@ -1005,8 +1006,6 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
     byte   issuerHash[SHA_DIGEST_SIZE];
     mp_int serialNum;
 
-    DecodedCert decoded;
-
     int encryptedKeySz, keySz;
     byte tmpIv[DES_BLOCK_SIZE];
     byte encryptedKey[MAX_ENCRYPTED_KEY_SZ];
@@ -1026,14 +1025,6 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
         output == NULL || outputSz == 0)
         return BAD_FUNC_ARG;
 
-    /* parse recipient cert */
-    InitDecodedCert(&decoded, pkcs7->singleCert, pkcs7->singleCertSz, 0);
-    ret = ParseCert(&decoded, CA_TYPE, NO_VERIFY, 0);
-    if (ret < 0) {
-        FreeDecodedCert(&decoded);
-        return ret;
-    }
-
     /* load private key */
     InitRsaKey(&privKey, 0);
     ret = RsaPrivateKeyDecode(pkcs7->privateKey, &idx, &privKey,
@@ -1109,7 +1100,7 @@ CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
             return ASN_PARSE_E;
 
         /* if we found correct recipient, issuer hashes will match */
-        if (XMEMCMP(issuerHash, decoded.issuerHash, SHA_DIGEST_SIZE) == 0) {
+        if (XMEMCMP(issuerHash, pkcs7->issuerHash, SHA_DIGEST_SIZE) == 0) {
             recipFound = 1;
         }
 
diff --git a/cyassl/ctaocrypt/pkcs7.h b/cyassl/ctaocrypt/pkcs7.h
index 8ff9c281f..b4313f399 100644
--- a/cyassl/ctaocrypt/pkcs7.h
+++ b/cyassl/ctaocrypt/pkcs7.h
@@ -65,25 +65,26 @@ typedef struct PKCS7Attrib {
 
 
 typedef struct PKCS7 {
-    byte* content;                /* inner content, not owner */
-    word32 contentSz;             /* content size */
-    int contentOID;               /* PKCS#7 content type OID sum */
+    byte* content;                /* inner content, not owner             */
+    word32 contentSz;             /* content size                         */
+    int contentOID;               /* PKCS#7 content type OID sum          */
 
     RNG* rng;
 
     int hashOID;
-    int encryptOID;               /* key encryption algorithm OID */
+    int encryptOID;               /* key encryption algorithm OID         */
 
-    byte*  singleCert;            /* recipient cert, DER, not owner */
+    byte*  singleCert;            /* recipient cert, DER, not owner       */
     word32 singleCertSz;          /* size of recipient cert buffer, bytes */
-    byte*  issuer;                /* issuer name of singleCert */
-    word32 issuerSz;              /* length of issuer name */
-    byte issuerSn[MAX_SN_SZ];     /* singleCert's serial number */
-    word32 issuerSnSz;            /* length of serial number */
+    byte issuerHash[SHA_SIZE];    /* hash of all alt Names                */
+    byte*  issuer;                /* issuer name of singleCert            */
+    word32 issuerSz;              /* length of issuer name                */
+    byte issuerSn[MAX_SN_SZ];     /* singleCert's serial number           */
+    word32 issuerSnSz;            /* length of serial number              */
     byte publicKey[512];
     word32 publicKeySz;
-    byte*  privateKey;            /* private key, DER, not owner */
-    word32 privateKeySz;          /* size of private key buffer, bytes */
+    byte*  privateKey;            /* private key, DER, not owner          */
+    word32 privateKeySz;          /* size of private key buffer, bytes    */
     
     PKCS7Attrib* signedAttribs;
     word32 signedAttribsSz;