diff --git a/tests/api.c b/tests/api.c
index c45cee2b6..8ba130d06 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -17451,7 +17451,27 @@ static void test_PKCS7_signed_enveloped(void)
     /* check verify fails */
     AssertNotNull(pkcs7 = wc_PKCS7_New(NULL, 0));
     AssertIntEQ(wc_PKCS7_InitWithCert(pkcs7, cert, certSz), 0);
-    AssertIntNE(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz), 0);
+    AssertIntEQ(wc_PKCS7_VerifySignedData(pkcs7, sig, sigSz),
+            PKCS7_SIGNEEDS_CHECK);
+
+    /* try verifying the signature manually */
+    {
+        RsaKey rKey;
+        word32 idx = 0;
+        byte digest[MAX_SEQ_SZ + MAX_ALGO_SZ + MAX_OCTET_STR_SZ +
+            WC_MAX_DIGEST_SIZE];
+        int  digestSz;
+
+        AssertIntEQ(wc_InitRsaKey(&rKey, HEAP_HINT), 0);
+        AssertIntEQ(wc_RsaPrivateKeyDecode(key, &idx, &rKey, keySz), 0);
+        digestSz = wc_RsaSSL_Verify(pkcs7->signature, pkcs7->signatureSz,
+                    digest, sizeof(digest), &rKey);
+        AssertIntGT(digestSz, 0);
+        AssertIntEQ(digestSz, pkcs7->pkcs7DigestSz);
+        AssertIntEQ(XMEMCMP(digest, pkcs7->pkcs7Digest, digestSz), 0);
+        /* verify was success */
+    }
+
     wc_PKCS7_Free(pkcs7);
 
     /* create valid degenerate bundle */
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index b05ef42d9..081016783 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -1170,6 +1170,11 @@ void wc_PKCS7_Free(PKCS7* pkcs7)
         pkcs7->plainDigest = NULL;
         pkcs7->plainDigestSz = 0;
     }
+    if (pkcs7->pkcs7Digest) {
+        XFREE(pkcs7->pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
+        pkcs7->pkcs7Digest = NULL;
+        pkcs7->pkcs7DigestSz = 0;
+    }
 }
 
 
@@ -3323,7 +3328,7 @@ static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig,
             XMEMCPY(pkcs7->signature, sig, sigSz);
             pkcs7->signatureSz = sigSz;
 
-            /* store digest */
+            /* store plain digest (CMS and ECC) */
             XFREE(pkcs7->plainDigest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
             pkcs7->plainDigest = NULL;
             pkcs7->plainDigestSz = 0;
@@ -3338,6 +3343,21 @@ static int wc_PKCS7_SignedDataVerifySignature(PKCS7* pkcs7, byte* sig,
             XMEMCPY(pkcs7->plainDigest, plainDigest, plainDigestSz);
             pkcs7->plainDigestSz = plainDigestSz;
 
+            /* store pkcs7 digest (default RSA) */
+            XFREE(pkcs7->pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_DIGEST);
+            pkcs7->pkcs7Digest = NULL;
+            pkcs7->pkcs7DigestSz = 0;
+            pkcs7->pkcs7Digest = (byte*)XMALLOC(sigSz, pkcs7->heap,
+                    DYNAMIC_TYPE_DIGEST);
+            if (pkcs7->pkcs7Digest == NULL) {
+            #ifdef WOLFSSL_SMALL_STACK
+                XFREE(pkcs7Digest, pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
+            #endif
+                return MEMORY_E;
+            }
+            XMEMCPY(pkcs7->pkcs7Digest, pkcs7Digest, pkcs7DigestSz);
+            pkcs7->pkcs7DigestSz = pkcs7DigestSz;
+
             return PKCS7_SIGNEEDS_CHECK;
         }
     }
diff --git a/wolfssl/wolfcrypt/pkcs7.h b/wolfssl/wolfcrypt/pkcs7.h
index d3e284dff..b380422d8 100644
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@@ -311,8 +311,10 @@ struct PKCS7 {
 
     byte* signature;
     byte* plainDigest;
+    byte* pkcs7Digest;
     word32 signatureSz;
     word32 plainDigestSz;
+    word32 pkcs7DigestSz;
     /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
 };