add support for custom contentType with CMS SignedData type

2018-08-09 14:22:06 -06:00
parent bdf07e64cf
commit 70ca95b357
6 changed files with 153 additions and 51 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -59,12 +59,14 @@ CLEANFILES+= cert.der \
             pkcs7signedData_RSA_SHA_noattr.der \
             pkcs7signedData_RSA_SHA224.der \
             pkcs7signedData_RSA_SHA256.der \
             pkcs7signedData_RSA_SHA256_custom_contentType.der \
             pkcs7signedData_RSA_SHA384.der \
             pkcs7signedData_RSA_SHA512.der \
             pkcs7signedData_ECDSA_SHA.der \
             pkcs7signedData_ECDSA_SHA_noattr.der \
             pkcs7signedData_ECDSA_SHA224.der \
             pkcs7signedData_ECDSA_SHA256.der \
             pkcs7signedData_ECDSA_SHA256_custom_contentType.der \
             pkcs7signedData_ECDSA_SHA384.der \
             pkcs7signedData_ECDSA_SHA512.der
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@ -1938,7 +1938,7 @@ int DecodeObjectId(const byte* in, word32 inSz, word16* out, word32* outSz)
 *         ASN_PARSE_E when length is invalid.
 *         Otherwise, 0 to indicate success.
 */
-static int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
+int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
                          word32 maxIdx)
 {
    word32 idx = *inOutIdx;
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@ -383,6 +383,8 @@ void wc_PKCS7_Free(PKCS7* pkcs7)
        pkcs7->isDynamic = 0;
        XFREE(pkcs7, pkcs7->heap, DYNAMIC_TYPE_PKCS7);
    }
    pkcs7->contentTypeSz = 0;
 }
@ -1030,19 +1032,22 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    const byte* hashBuf, word32 hashSz, byte* output, word32* outputSz,
    byte* output2, word32* output2Sz)
 {
-    const byte outerOid[] =
+    /* id-signedData (1.2.840.113549.1.7.2) */
-            { ASN_OBJECT_ID, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+    static const byte outerOid[] =
-                             0x07, 0x02 };
+        { ASN_OBJECT_ID, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
                         0x07, 0x02 };
    /* default id-data OID (1.2.840.113549.1.7.1), user can override */
    const byte innerOid[] =
-            { ASN_OBJECT_ID, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
+            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
                             0x07, 0x01 };
    /* contentType OID (1.2.840.113549.1.9.3) */
    const byte contentTypeOid[] =
            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xF7, 0x0d, 0x01,
                             0x09, 0x03 };
-    const byte contentType[] =
+
-            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
+    /* messageDigest OID (1.2.840.113549.1.9.4) */
                             0x07, 0x01 };
    const byte messageDigestOid[] =
            { ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
                             0x09, 0x04 };
@ -1053,7 +1058,6 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    int digEncAlgoId, digEncAlgoType;
    byte* flatSignedAttribs = NULL;
    word32 flatSignedAttribsSz = 0;
    word32 innerOidSz = sizeof(innerOid);
    word32 outerOidSz = sizeof(outerOid);
    if (pkcs7 == NULL || pkcs7->contentSz == 0 ||
@ -1065,6 +1069,20 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    }
    /* verify the hash size matches */
 #ifdef WOLFSSL_SMALL_STACK
    esd = (ESD*)XMALLOC(sizeof(ESD), pkcs7->heap, DYNAMIC_TYPE_TMP_BUFFER);
    if (esd == NULL)
        return MEMORY_E;
 #endif
    XMEMSET(esd, 0, sizeof(ESD));
    /* use default DATA contentType if not set by user */
    if (pkcs7->contentTypeSz == 0) {
        XMEMCPY(pkcs7->contentType, innerOid, sizeof(innerOid));
        pkcs7->contentTypeSz = sizeof(innerOid);
    }
    esd->hashType = wc_OidGetHash(pkcs7->hashOID);
    if (wc_HashGetDigestSize(esd->hashType) != (int)hashSz) {
        WOLFSSL_MSG("hashSz did not match hashOID");
@ -1080,8 +1098,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    esd->innerContSeqSz = SetExplicit(0, esd->innerOctetsSz + pkcs7->contentSz,
                                esd->innerContSeq);
    esd->contentInfoSeqSz = SetSequence(pkcs7->contentSz + esd->innerOctetsSz +
-                                    innerOidSz + esd->innerContSeqSz,
+                                     pkcs7->contentTypeSz + esd->innerContSeqSz,
-                                    esd->contentInfoSeq);
+                                     esd->contentInfoSeq);
    esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
                                     esd->issuerSn, MAX_SN_SZ);
@ -1111,7 +1129,7 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
        /* build up signed attributes */
        ret = wc_PKCS7_BuildSignedAttributes(pkcs7, esd,
                                    contentTypeOid, sizeof(contentTypeOid),
-                                    contentType, sizeof(contentType),
+                                    pkcs7->contentType, pkcs7->contentTypeSz,
                                    messageDigestOid, sizeof(messageDigestOid));
        if (ret < 0) {
            return MEMORY_E;
@ -1205,8 +1223,8 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    idx += esd->singleDigAlgoIdSz;
    XMEMCPY(output + idx, esd->contentInfoSeq, esd->contentInfoSeqSz);
    idx += esd->contentInfoSeqSz;
-    XMEMCPY(output + idx, innerOid, innerOidSz);
+    XMEMCPY(output + idx, pkcs7->contentType, pkcs7->contentTypeSz);
-    idx += innerOidSz;
+    idx += pkcs7->contentTypeSz;
    XMEMCPY(output + idx, esd->innerContSeq, esd->innerContSeqSz);
    idx += esd->innerContSeqSz;
    XMEMCPY(output + idx, esd->innerOctets, esd->innerOctetsSz);
@ -1928,13 +1946,14 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
    word32 hashSz, byte* pkiMsg, word32 pkiMsgSz,
    byte* pkiMsg2, word32 pkiMsg2Sz)
 {
-    word32 idx, contentType, hashOID, sigOID, totalSz;
+    word32 idx, outerContentType, hashOID, sigOID, contentTypeSz, totalSz;
    int length, version, ret;
    byte* content = NULL;
    byte* contentDynamic = NULL;
    byte* sig = NULL;
    byte* cert = NULL;
    byte* signedAttrib = NULL;
    byte* contentType = NULL;
    int contentSz = 0, sigSz = 0, certSz = 0, signedAttribSz = 0;
    word32 localIdx, start;
    byte degenerate;
@ -1984,10 +2003,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
    }
    /* Get the contentInfo contentType */
-    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
+    if (wc_GetContentType(pkiMsg, &idx, &outerContentType, pkiMsgSz) < 0)
        return ASN_PARSE_E;
-    if (contentType != SIGNED_DATA) {
+    if (outerContentType != SIGNED_DATA) {
        WOLFSSL_MSG("PKCS#7 input not of type SignedData");
        return PKCS7_OID_E;
    }
@ -2028,12 +2047,16 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
        return ASN_PARSE_E;
    /* Get the inner ContentInfo contentType */
-    if (wc_GetContentType(pkiMsg, &idx, &contentType, pkiMsgSz) < 0)
+    {
-        return ASN_PARSE_E;
+        word32 localIdx = idx;
-    if (contentType != DATA) {
+        if (GetASNObjectId(pkiMsg, &idx, &length, pkiMsgSz) != 0)
-        WOLFSSL_MSG("PKCS#7 inner input not of type Data");
+            return ASN_PARSE_E;
-        return PKCS7_OID_E;
+
        contentType = pkiMsg + localIdx;
        contentTypeSz = length + (idx - localIdx);
        idx += length;
    }
    /* Check for content info, it could be omitted when degenerate */
@ -2240,6 +2263,10 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
    pkcs7->content   = content;
    pkcs7->contentSz = contentSz;
    /* set contentType and size after init of PKCS7 structure */
    if (wc_PKCS7_SetContentType(pkcs7, contentType, contentTypeSz) < 0)
        return ASN_PARSE_E;
    /* Get the implicit[1] set of crls */
    if (pkiMsg2[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)) {
        idx++;
@ -3532,6 +3559,30 @@ static int wc_PKCS7_GenerateIV(PKCS7* pkcs7, WC_RNG* rng, byte* iv, word32 ivSz)
 }
 /* Set custom contentType, currently supported with SignedData type
 *
 * pkcs7       - pointer to initialized PKCS7 structure
 * contentType - pointer to array with ASN.1 encoded OID value
 * sz          - length of contentType array, octets
 *
 * return 0 on success, negative upon error */
 int wc_PKCS7_SetContentType(PKCS7* pkcs7, byte* contentType, word32 sz)
 {
    if (pkcs7 == NULL || contentType == NULL || sz == 0)
        return BAD_FUNC_ARG;
    if (sz > MAX_OID_SZ) {
        WOLFSSL_MSG("input array too large, bounded by MAX_OID_SZ");
        return BAD_FUNC_ARG;
    }
    XMEMCPY(pkcs7->contentType, contentType, sz);
    pkcs7->contentTypeSz = sz;
    return 0;
 }
 /* return size of padded data, padded to blockSz chunks, or negative on error */
 int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz)
 {
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -19298,6 +19298,8 @@ typedef struct {
    PKCS7Attrib* signedAttribs;
    word32       signedAttribsSz;
    const char*  outFileName;
    byte*        contentType;
    word32       contentTypeSz;
 } pkcs7SignedVector;
@ -19348,6 +19350,11 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
                                       sizeof(senderNonce) }
    };
    /* for testing custom contentType, FirmwarePkgData */
    byte customContentType[] = { 0x06, 0x0B, 0x2A, 0x86,
                                 0x48, 0x86, 0xF7, 0x0D,
                                 0x01, 0x09, 0x10, 0x01, 0x10 };
    const pkcs7SignedVector testVectors[] =
    {
 #ifndef NO_RSA
@ -19355,36 +19362,42 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        /* RSA with SHA */
        {data, (word32)sizeof(data), SHAh, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA.der"},
+         "pkcs7signedData_RSA_SHA.der", NULL, 0},
        /* RSA with SHA, no signed attributes */
        {data, (word32)sizeof(data), SHAh, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, NULL, 0,
-         "pkcs7signedData_RSA_SHA_noattr.der"},
+         "pkcs7signedData_RSA_SHA_noattr.der", NULL, 0},
    #endif
    #ifdef WOLFSSL_SHA224
        /* RSA with SHA224 */
        {data, (word32)sizeof(data), SHA224h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA224.der"},
+         "pkcs7signedData_RSA_SHA224.der", NULL, 0},
    #endif
    #ifndef NO_SHA256
        /* RSA with SHA256 */
        {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA256.der"},
+         "pkcs7signedData_RSA_SHA256.der", NULL, 0},
        /* RSA with SHA256 and custom contentType */
        {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
         "pkcs7signedData_RSA_SHA256_custom_contentType.der", customContentType,
         sizeof(customContentType)},
    #endif
    #if defined(WOLFSSL_SHA384)
        /* RSA with SHA384 */
        {data, (word32)sizeof(data), SHA384h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA384.der"},
+         "pkcs7signedData_RSA_SHA384.der", NULL, 0},
    #endif
    #if defined(WOLFSSL_SHA512)
        /* RSA with SHA512 */
        {data, (word32)sizeof(data), SHA512h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA512.der"},
+         "pkcs7signedData_RSA_SHA512.der", NULL, 0},
    #endif
 #endif /* NO_RSA */
@ -19393,36 +19406,42 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        /* ECDSA with SHA */
        {data, (word32)sizeof(data), SHAh, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA.der"},
+         "pkcs7signedData_ECDSA_SHA.der", NULL, 0},
        /* ECDSA with SHA, no signed attributes */
        {data, (word32)sizeof(data), SHAh, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, NULL, 0,
-         "pkcs7signedData_ECDSA_SHA_noattr.der"},
+         "pkcs7signedData_ECDSA_SHA_noattr.der", NULL, 0},
    #endif
    #ifdef WOLFSSL_SHA224
        /* ECDSA with SHA224 */
        {data, (word32)sizeof(data), SHA224h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA224.der"},
+         "pkcs7signedData_ECDSA_SHA224.der", NULL, 0},
    #endif
    #ifndef NO_SHA256
        /* ECDSA with SHA256 */
        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA256.der"},
+         "pkcs7signedData_ECDSA_SHA256.der", NULL, 0},
        /* ECDSA with SHA256 and custom contentType */
        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
         "pkcs7signedData_ECDSA_SHA256_custom_contentType.der",
         customContentType, sizeof(customContentType)},
    #endif
    #ifdef WOLFSSL_SHA384
        /* ECDSA with SHA384 */
        {data, (word32)sizeof(data), SHA384h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA384.der"},
+         "pkcs7signedData_ECDSA_SHA384.der", NULL, 0},
    #endif
    #ifdef WOLFSSL_SHA512
        /* ECDSA with SHA512 */
        {data, (word32)sizeof(data), SHA512h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA512.der"},
+         "pkcs7signedData_ECDSA_SHA512.der", NULL, 0},
    #endif
 #endif /* HAVE_ECC */
    };
@ -19476,6 +19495,17 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        pkcs7->signedAttribs   = testVectors[i].signedAttribs;
        pkcs7->signedAttribsSz = testVectors[i].signedAttribsSz;
        /* optional custom contentType, default is DATA */
        if (testVectors[i].contentType != NULL) {
            ret = wc_PKCS7_SetContentType(pkcs7, testVectors[i].contentType,
                                          testVectors[i].contentTypeSz);
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
                return -9411;
            }
        }
        /* generate senderNonce */
        {
            senderNonce[0] = 0x04;
@ -19485,7 +19515,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9411;
+                return -9412;
            }
        }
@ -19508,7 +19538,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9412;
+                return -9413;
            }
            wc_ShaUpdate(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
            wc_ShaFinal(&sha, digest);
@ -19518,7 +19548,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9413;
+                return -9414;
            }
            wc_Sha256Update(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
            wc_Sha256Final(&sha, digest);
@ -19534,7 +19564,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (encodedSz < 0) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9414;
+            return -9415;
        }
    #ifdef PKCS7_OUTPUT_TEST_BUNDLES
@ -19543,14 +19573,14 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (!file) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9415;
+            return -9416;
        }
        ret = (int)fwrite(out, 1, encodedSz, file);
        fclose(file);
        if (ret != (int)encodedSz) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9416;
+            return -9417;
        }
    #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
@ -19558,20 +19588,31 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
        if (pkcs7 == NULL)
-            return -9410;
+            return -9418;
        wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
        ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
        if (ret < 0) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9417;
+            return -9419;
        }
        /* verify contentType extracted successfully for custom content types */
        if (testVectors[i].contentTypeSz > 0) {
            if (pkcs7->contentTypeSz != testVectors[i].contentTypeSz) {
                return -9420;
            } else if (XMEMCMP(pkcs7->contentType, testVectors[i].contentType,
                       pkcs7->contentTypeSz) != 0) {
                return -9421;
            }
        }
        if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9418;
+            return -9422;
        }
        {
@ -19590,13 +19631,13 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
                    NULL, (word32*)&bufSz) != LENGTH_ONLY_E) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9419;
+                return -9423;
            }
            if (bufSz > (int)sizeof(buf)) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9420;
+                return -9424;
            }
            bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
@ -19605,7 +19646,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
                (testVectors[i].signedAttribs == NULL && bufSz > 0)) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9421;
+                return -9425;
            }
        }
@ -19614,7 +19655,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (!file) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9422;
+            return -9426;
        }
        ret = (int)fwrite(pkcs7->singleCert, 1, pkcs7->singleCertSz, file);
        fclose(file);
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@ -276,7 +276,7 @@ enum Misc_ASN {
    #endif
                                   /* Max total extensions, id + len + others */
 #endif
-#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA)
+#if defined(WOLFSSL_CERT_EXT) || defined(OPENSSL_EXTRA) || defined(HAVE_PKCS7)
    MAX_OID_SZ          = 32,      /* Max DER length of OID*/
    MAX_OID_STRING_SZ   = 64,      /* Max string length representation of OID*/
 #endif
@ -285,7 +285,8 @@ enum Misc_ASN {
    MAX_KEYUSAGE_SZ     = 18,      /* Max encoded Key Usage length */
    MAX_EXTKEYUSAGE_SZ  = 12 + (6 * (8 + 2)) +
                          CTC_MAX_EKU_OID_SZ, /* Max encoded ExtKeyUsage
-                        (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ + (6 * (SEQ + OID))) */
+                          (SEQ/LEN + OBJID + OCTSTR/LEN + SEQ +
                          (6 * (SEQ + OID))) */
    MAX_CERTPOL_NB      = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
    MAX_CERTPOL_SZ      = CTC_MAX_CERTPOL_SZ,
 #endif
@ -303,8 +304,8 @@ enum Misc_ASN {
 #endif
    TRAILING_ZERO       = 1,       /* Used for size of zero pad */
    MIN_VERSION_SZ      = 3,       /* Min bytes needed for GetMyVersion */
-#if defined(OPENSSL_ALL)  || defined(WOLFSSL_MYSQL_COMPATIBLE) || defined(WOLFSSL_NGINX) || \
+#if defined(OPENSSL_ALL)  || defined(WOLFSSL_MYSQL_COMPATIBLE) || \
-    defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
+    defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY) || defined(OPENSSL_EXTRA)
    MAX_TIME_STRING_SZ  = 25,      /* Max length of formatted time string */
 #endif
@ -1012,6 +1013,8 @@ WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
    WOLFSSL_LOCAL int DecodeObjectId(const byte* in, word32 inSz,
        word16* out, word32* outSz);
 #endif
 WOLFSSL_LOCAL int GetASNObjectId(const byte* input, word32* inOutIdx, int* len,
                                 word32 maxIdx);
 WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
                              word32 oidType, word32 maxIdx);
 WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@ -147,6 +147,9 @@ typedef struct PKCS7 {
    word16 isDynamic:1;
    word16 noDegenerate:1; /* allow degenerate case in verify function */
    byte contentType[MAX_OID_SZ]; /* custom contentType byte array */
    word32 contentTypeSz;         /* size of contentType, bytes */
    /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
 } PKCS7;
@ -177,6 +180,8 @@ WOLFSSL_API int  wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
                                          word32 pkiMsgSz, byte* output,
                                          word32 outputSz);
 WOLFSSL_API int wc_PKCS7_SetContentType(PKCS7* pkcs7, byte* contentType,
                                        word32 sz);
 WOLFSSL_API int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz);
 WOLFSSL_API int wc_PKCS7_PadData(byte* in, word32 inSz, byte* out, word32 outSz,
                                 word32 blockSz);