add support for SubjectKeyIdentifier in CMS SignedData SignerInfo

2025-07-30 10:47:28 +02:00 · 2018-08-14 15:28:25 -06:00
parent 70ca95b357
commit 2a60fbd766
4 changed files with 188 additions and 50 deletions
--- a/Makefile.am
+++ b/Makefile.am
@ -60,6 +60,7 @@ CLEANFILES+= cert.der \
             pkcs7signedData_RSA_SHA224.der \
             pkcs7signedData_RSA_SHA256.der \
             pkcs7signedData_RSA_SHA256_custom_contentType.der \
             pkcs7signedData_RSA_SHA256_SKID.der \
             pkcs7signedData_RSA_SHA384.der \
             pkcs7signedData_RSA_SHA512.der \
             pkcs7signedData_ECDSA_SHA.der \
@ -67,6 +68,7 @@ CLEANFILES+= cert.der \
             pkcs7signedData_ECDSA_SHA224.der \
             pkcs7signedData_ECDSA_SHA256.der \
             pkcs7signedData_ECDSA_SHA256_custom_contentType.der \
             pkcs7signedData_ECDSA_SHA256_SKID.der \
             pkcs7signedData_ECDSA_SHA384.der \
             pkcs7signedData_ECDSA_SHA512.der
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@ -327,6 +327,11 @@ int wc_PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz)
        pkcs7->issuerSz = dCert->issuerRawLen;
        XMEMCPY(pkcs7->issuerSn, dCert->serial, dCert->serialSz);
        pkcs7->issuerSnSz = dCert->serialSz;
        XMEMCPY(pkcs7->issuerSubjKeyId, dCert->extSubjKeyId, KEYID_SIZE);
        /* default to IssuerAndSerialNumber for SignerIdentifier */
        pkcs7->sidType = SID_ISSUER_AND_SERIAL_NUMBER;
        FreeDecodedCert(dCert);
 #ifdef WOLFSSL_SMALL_STACK
@ -537,9 +542,13 @@ typedef struct ESD {
                byte signerInfoSet[MAX_SET_SZ];
                    byte signerInfoSeq[MAX_SEQ_SZ];
                        byte signerVersion[MAX_VERSION_SZ];
                        /* issuerAndSerialNumber ...*/
                        byte issuerSnSeq[MAX_SEQ_SZ];
                            byte issuerName[MAX_SEQ_SZ];
                            byte issuerSn[MAX_SN_SZ];
                        /* OR subjectKeyIdentifier */
                        byte issuerSKIDSeq[MAX_SEQ_SZ];
                            byte issuerSKID[MAX_OCTET_STR_SZ];
                        byte signerDigAlgoId[MAX_ALGO_SZ];
                        byte digEncAlgoId[MAX_ALGO_SZ];
                        byte signedAttribSet[MAX_SET_SZ];
@ -549,8 +558,8 @@ typedef struct ESD {
    word32 outerSeqSz, outerContentSz, innerSeqSz, versionSz, digAlgoIdSetSz,
           singleDigAlgoIdSz, certsSetSz;
    word32 signerInfoSetSz, signerInfoSeqSz, signerVersionSz,
-           issuerSnSeqSz, issuerNameSz, issuerSnSz,
+           issuerSnSeqSz, issuerNameSz, issuerSnSz, issuerSKIDSz,
-           signerDigAlgoIdSz, digEncAlgoIdSz, signerDigestSz;
+           issuerSKIDSeqSz, signerDigAlgoIdSz, digEncAlgoIdSz, signerDigestSz;
    word32 encContentDigestSz, signedAttribsSz, signedAttribsCount,
           signedAttribSetSz;
 } ESD;
@ -1058,6 +1067,7 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    int digEncAlgoId, digEncAlgoType;
    byte* flatSignedAttribs = NULL;
    word32 flatSignedAttribsSz = 0;
    word32 innerOidSz = sizeof(innerOid);
    word32 outerOidSz = sizeof(outerOid);
    if (pkcs7 == NULL || pkcs7->contentSz == 0 ||
@ -1101,14 +1111,34 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
                                     pkcs7->contentTypeSz + esd->innerContSeqSz,
                                     esd->contentInfoSeq);
-    esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
+    /* SignerIdentifier */
-                                     esd->issuerSn, MAX_SN_SZ);
+    if (pkcs7->sidType == SID_ISSUER_AND_SERIAL_NUMBER) {
-    signerInfoSz += esd->issuerSnSz;
+        /* IssuerAndSerialNumber */
-    esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName);
+        esd->issuerSnSz = SetSerialNumber(pkcs7->issuerSn, pkcs7->issuerSnSz,
-    signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz;
+                                         esd->issuerSn, MAX_SN_SZ);
-    esd->issuerSnSeqSz = SetSequence(signerInfoSz, esd->issuerSnSeq);
+        signerInfoSz += esd->issuerSnSz;
-    signerInfoSz += esd->issuerSnSeqSz;
+        esd->issuerNameSz = SetSequence(pkcs7->issuerSz, esd->issuerName);
-    esd->signerVersionSz = SetMyVersion(1, esd->signerVersion, 0);
+        signerInfoSz += esd->issuerNameSz + pkcs7->issuerSz;
        esd->issuerSnSeqSz = SetSequence(signerInfoSz, esd->issuerSnSeq);
        signerInfoSz += esd->issuerSnSeqSz;
        /* version MUST be 1 */
        esd->signerVersionSz = SetMyVersion(1, esd->signerVersion, 0);
    } else if (pkcs7->sidType == SID_SUBJECT_KEY_IDENTIFIER) {
        /* SubjectKeyIdentifier */
        esd->issuerSKIDSz = SetOctetString(KEYID_SIZE, esd->issuerSKID);
        esd->issuerSKIDSeqSz = SetExplicit(0, esd->issuerSKIDSz + KEYID_SIZE,
                                           esd->issuerSKIDSeq);
        signerInfoSz += (esd->issuerSKIDSz + esd->issuerSKIDSeqSz +
                         KEYID_SIZE);
        /* version MUST be 3 */
        esd->signerVersionSz = SetMyVersion(3, esd->signerVersion, 0);
    } else {
        return SKID_E;
    }
    signerInfoSz += esd->signerVersionSz;
    esd->signerDigAlgoIdSz = SetAlgoID(pkcs7->hashOID, esd->signerDigAlgoId,
                                      oidHashType, 0);
@ -1250,14 +1280,28 @@ static int PKCS7_EncodeSigned(PKCS7* pkcs7, ESD* esd,
    idx += esd->signerInfoSeqSz;
    XMEMCPY(output2 + idx, esd->signerVersion, esd->signerVersionSz);
    idx += esd->signerVersionSz;
-    XMEMCPY(output2 + idx, esd->issuerSnSeq, esd->issuerSnSeqSz);
+    /* SignerIdentifier */
-    idx += esd->issuerSnSeqSz;
+    if (pkcs7->sidType == SID_ISSUER_AND_SERIAL_NUMBER) {
-    XMEMCPY(output2 + idx, esd->issuerName, esd->issuerNameSz);
+        /* IssuerAndSerialNumber */
-    idx += esd->issuerNameSz;
+        XMEMCPY(output2 + idx, esd->issuerSnSeq, esd->issuerSnSeqSz);
-    XMEMCPY(output2 + idx, pkcs7->issuer, pkcs7->issuerSz);
+        idx += esd->issuerSnSeqSz;
-    idx += pkcs7->issuerSz;
+        XMEMCPY(output2 + idx, esd->issuerName, esd->issuerNameSz);
-    XMEMCPY(output2 + idx, esd->issuerSn, esd->issuerSnSz);
+        idx += esd->issuerNameSz;
-    idx += esd->issuerSnSz;
+        XMEMCPY(output2 + idx, pkcs7->issuer, pkcs7->issuerSz);
        idx += pkcs7->issuerSz;
        XMEMCPY(output2 + idx, esd->issuerSn, esd->issuerSnSz);
        idx += esd->issuerSnSz;
    } else if (pkcs7->sidType == SID_SUBJECT_KEY_IDENTIFIER) {
        /* SubjectKeyIdentifier */
        XMEMCPY(output2 + idx, esd->issuerSKIDSeq, esd->issuerSKIDSeqSz);
        idx += esd->issuerSKIDSeqSz;
        XMEMCPY(output2 + idx, esd->issuerSKID, esd->issuerSKIDSz);
        idx += esd->issuerSKIDSz;
        XMEMCPY(output2 + idx, pkcs7->issuerSubjKeyId, KEYID_SIZE);
        idx += KEYID_SIZE;
    } else {
        return SKID_E;
    }
    XMEMCPY(output2 + idx, esd->signerDigAlgoId, esd->signerDigAlgoIdSz);
    idx += esd->signerDigAlgoIdSz;
@ -2048,7 +2092,7 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
    /* Get the inner ContentInfo contentType */
    {
-        word32 localIdx = idx;
+        localIdx = idx;
        if (GetASNObjectId(pkiMsg, &idx, &length, pkiMsgSz) != 0)
            return ASN_PARSE_E;
@ -2299,11 +2343,44 @@ static int PKCS7_VerifySignedData(PKCS7* pkcs7, const byte* hashBuf,
        if (GetMyVersion(pkiMsg2, &idx, &version, pkiMsg2Sz) < 0)
            return ASN_PARSE_E;
-        if (version != 1) {
+        if (version == 1) {
-            WOLFSSL_MSG("PKCS#7 signerInfo needs to be of version 1");
+            /* Get the sequence of IssuerAndSerialNumber */
            if (GetSequence(pkiMsg, &idx, &length, pkiMsgSz) < 0)
                return ASN_PARSE_E;
            /* Skip it */
            idx += length;
        } else if (version == 3) {
            /* Get the sequence of SubjectKeyIdentifier */
            if (pkiMsg[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 0)) {
                ret = ASN_PARSE_E;
            }
            if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) <= 0) {
                ret = ASN_PARSE_E;
            }
            if (ret == 0 && pkiMsg[idx++] != ASN_OCTET_STRING)
                ret = ASN_PARSE_E;
            if (ret == 0 && GetLength(pkiMsg, &idx, &length, pkiMsgSz) < 0)
                ret = ASN_PARSE_E;
            /* Skip it */
            idx += length;
        } else {
            WOLFSSL_MSG("PKCS#7 signerInfo version must be 1 or 3");
            return ASN_VERSION_E;
        }
    /* Get the sequence of digestAlgorithm */
    if (GetAlgoId(pkiMsg2, &idx, &hashOID, oidHashType, pkiMsg2Sz) < 0) {
        return ASN_PARSE_E;
    }
    pkcs7->hashOID = (int)hashOID;
        /* Get the sequence of IssuerAndSerialNumber */
        if (GetSequence(pkiMsg2, &idx, &length, pkiMsg2Sz) < 0)
            return ASN_PARSE_E;
@ -3559,6 +3636,30 @@ static int wc_PKCS7_GenerateIV(PKCS7* pkcs7, WC_RNG* rng, byte* iv, word32 ivSz)
 }
 /* Set SignerIdentifier type to be used in SignedData encoding. Is either
 * IssuerAndSerialNumber or SubjectKeyIdentifier. SignedData encoding
 * defaults to using IssuerAndSerialNumber unless set with this function.
 *
 * pkcs7 - pointer to initialized PKCS7 structure
 * type  - either SID_ISSUER_AND_SERIAL_NUMBER or SID_SUBJECT_KEY_IDENTIFIER
 *
 * return 0 on success, negative upon error */
 int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type)
 {
    if (pkcs7 == NULL)
        return BAD_FUNC_ARG;
    if (type != SID_ISSUER_AND_SERIAL_NUMBER &&
        type != SID_SUBJECT_KEY_IDENTIFIER) {
        return BAD_FUNC_ARG;
    }
    pkcs7->sidType = type;
    return 0;
 }
 /* Set custom contentType, currently supported with SignedData type
 *
 * pkcs7       - pointer to initialized PKCS7 structure
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@ -19300,6 +19300,7 @@ typedef struct {
    const char*  outFileName;
    byte*        contentType;
    word32       contentTypeSz;
    int          sidType;
 } pkcs7SignedVector;
@ -19362,42 +19363,48 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        /* RSA with SHA */
        {data, (word32)sizeof(data), SHAh, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA.der", NULL, 0},
+         "pkcs7signedData_RSA_SHA.der", NULL, 0, 0},
        /* RSA with SHA, no signed attributes */
        {data, (word32)sizeof(data), SHAh, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, NULL, 0,
-         "pkcs7signedData_RSA_SHA_noattr.der", NULL, 0},
+         "pkcs7signedData_RSA_SHA_noattr.der", NULL, 0, 0},
    #endif
    #ifdef WOLFSSL_SHA224
        /* RSA with SHA224 */
        {data, (word32)sizeof(data), SHA224h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA224.der", NULL, 0},
+         "pkcs7signedData_RSA_SHA224.der", NULL, 0, 0},
    #endif
    #ifndef NO_SHA256
        /* RSA with SHA256 */
        {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA256.der", NULL, 0},
+         "pkcs7signedData_RSA_SHA256.der", NULL, 0, 0},
        /* RSA with SHA256 and SubjectKeyIdentifier in SignerIdentifier */
        {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
         "pkcs7signedData_RSA_SHA256_SKID.der", NULL, 0,
         SID_SUBJECT_KEY_IDENTIFIER},
        /* RSA with SHA256 and custom contentType */
        {data, (word32)sizeof(data), SHA256h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
         "pkcs7signedData_RSA_SHA256_custom_contentType.der", customContentType,
-         sizeof(customContentType)},
+         sizeof(customContentType), 0},
    #endif
    #if defined(WOLFSSL_SHA384)
        /* RSA with SHA384 */
        {data, (word32)sizeof(data), SHA384h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA384.der", NULL, 0},
+         "pkcs7signedData_RSA_SHA384.der", NULL, 0, 0},
    #endif
    #if defined(WOLFSSL_SHA512)
        /* RSA with SHA512 */
        {data, (word32)sizeof(data), SHA512h, RSAk, rsaPrivKey, rsaPrivKeySz,
         rsaCert, rsaCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_RSA_SHA512.der", NULL, 0},
+         "pkcs7signedData_RSA_SHA512.der", NULL, 0, 0},
    #endif
 #endif /* NO_RSA */
@ -19406,42 +19413,48 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        /* ECDSA with SHA */
        {data, (word32)sizeof(data), SHAh, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA.der", NULL, 0},
+         "pkcs7signedData_ECDSA_SHA.der", NULL, 0, 0},
        /* ECDSA with SHA, no signed attributes */
        {data, (word32)sizeof(data), SHAh, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, NULL, 0,
-         "pkcs7signedData_ECDSA_SHA_noattr.der", NULL, 0},
+         "pkcs7signedData_ECDSA_SHA_noattr.der", NULL, 0, 0},
    #endif
    #ifdef WOLFSSL_SHA224
        /* ECDSA with SHA224 */
        {data, (word32)sizeof(data), SHA224h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA224.der", NULL, 0},
+         "pkcs7signedData_ECDSA_SHA224.der", NULL, 0, 0},
    #endif
    #ifndef NO_SHA256
        /* ECDSA with SHA256 */
        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA256.der", NULL, 0},
+         "pkcs7signedData_ECDSA_SHA256.der", NULL, 0, 0},
        /* ECDSA with SHA256 and SubjectKeyIdentifier in SigherIdentifier */
        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
         "pkcs7signedData_ECDSA_SHA256_SKID.der", NULL, 0,
         SID_SUBJECT_KEY_IDENTIFIER},
        /* ECDSA with SHA256 and custom contentType */
        {data, (word32)sizeof(data), SHA256h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
         "pkcs7signedData_ECDSA_SHA256_custom_contentType.der",
-         customContentType, sizeof(customContentType)},
+         customContentType, sizeof(customContentType), 0},
    #endif
    #ifdef WOLFSSL_SHA384
        /* ECDSA with SHA384 */
        {data, (word32)sizeof(data), SHA384h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA384.der", NULL, 0},
+         "pkcs7signedData_ECDSA_SHA384.der", NULL, 0, 0},
    #endif
    #ifdef WOLFSSL_SHA512
        /* ECDSA with SHA512 */
        {data, (word32)sizeof(data), SHA512h, ECDSAk, eccPrivKey, eccPrivKeySz,
         eccCert, eccCertSz, attribs, (sizeof(attribs)/sizeof(PKCS7Attrib)),
-         "pkcs7signedData_ECDSA_SHA512.der", NULL, 0},
+         "pkcs7signedData_ECDSA_SHA512.der", NULL, 0, 0},
    #endif
 #endif /* HAVE_ECC */
    };
@ -19506,6 +19519,18 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            }
        }
        /* set SignerIdentifier to use SubjectKeyIdentifier if desired,
           default is IssuerAndSerialNumber */
        if (testVectors[i].sidType == SID_SUBJECT_KEY_IDENTIFIER) {
            ret = wc_PKCS7_SetSignerIdentifierType(pkcs7,
                                                   SID_SUBJECT_KEY_IDENTIFIER);
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
                return -9412;
            }
        }
        /* generate senderNonce */
        {
            senderNonce[0] = 0x04;
@ -19515,7 +19540,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9412;
+                return -9413;
            }
        }
@ -19538,7 +19563,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9413;
+                return -9414;
            }
            wc_ShaUpdate(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
            wc_ShaFinal(&sha, digest);
@ -19548,7 +19573,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
            if (ret != 0) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9414;
+                return -9415;
            }
            wc_Sha256Update(&sha, pkcs7->publicKey, pkcs7->publicKeySz);
            wc_Sha256Final(&sha, digest);
@ -19564,7 +19589,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (encodedSz < 0) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9415;
+            return -9416;
        }
    #ifdef PKCS7_OUTPUT_TEST_BUNDLES
@ -19573,14 +19598,14 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (!file) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9416;
+            return -9417;
        }
        ret = (int)fwrite(out, 1, encodedSz, file);
        fclose(file);
        if (ret != (int)encodedSz) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9417;
+            return -9418;
        }
    #endif /* PKCS7_OUTPUT_TEST_BUNDLES */
@ -19588,23 +19613,23 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        pkcs7 = wc_PKCS7_New(HEAP_HINT, INVALID_DEVID);
        if (pkcs7 == NULL)
-            return -9418;
+            return -9419;
        wc_PKCS7_InitWithCert(pkcs7, NULL, 0);
        ret = wc_PKCS7_VerifySignedData(pkcs7, out, outSz);
        if (ret < 0) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9419;
+            return -9420;
        }
        /* verify contentType extracted successfully for custom content types */
        if (testVectors[i].contentTypeSz > 0) {
            if (pkcs7->contentTypeSz != testVectors[i].contentTypeSz) {
-                return -9420;
+                return -9421;
            } else if (XMEMCMP(pkcs7->contentType, testVectors[i].contentType,
                       pkcs7->contentTypeSz) != 0) {
-                return -9421;
+                return -9422;
            }
        }
@ -19612,7 +19637,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (pkcs7->singleCert == NULL || pkcs7->singleCertSz == 0) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9422;
+            return -9423;
        }
        {
@ -19631,13 +19656,13 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
                    NULL, (word32*)&bufSz) != LENGTH_ONLY_E) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9423;
+                return -9424;
            }
            if (bufSz > (int)sizeof(buf)) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9424;
+                return -9425;
            }
            bufSz = wc_PKCS7_GetAttributeValue(pkcs7, oidPt, oidSz,
@ -19646,7 +19671,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
                (testVectors[i].signedAttribs == NULL && bufSz > 0)) {
                XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
                wc_PKCS7_Free(pkcs7);
-                return -9425;
+                return -9426;
            }
        }
@ -19655,7 +19680,7 @@ static int pkcs7signed_run_vectors(byte* rsaCert, word32 rsaCertSz,
        if (!file) {
            XFREE(out, HEAP_HINT, DYNAMIC_TYPE_TMP_BUFFER);
            wc_PKCS7_Free(pkcs7);
-            return -9426;
+            return -9427;
        }
        ret = (int)fwrite(pkcs7->singleCert, 1, pkcs7->singleCertSz, file);
        fclose(file);
--- a/wolfssl/wolfcrypt/pkcs7.h
+++ b/wolfssl/wolfcrypt/pkcs7.h
@ -77,6 +77,10 @@ enum Pkcs7_Misc {
                            MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ
 };
 enum Pkcs7_SignerIdentifier_Types {
    SID_ISSUER_AND_SERIAL_NUMBER = 0,
    SID_SUBJECT_KEY_IDENTIFIER   = 1
 };
 typedef struct PKCS7Attrib {
    const byte* oid;
@ -150,6 +154,11 @@ typedef struct PKCS7 {
    byte contentType[MAX_OID_SZ]; /* custom contentType byte array */
    word32 contentTypeSz;         /* size of contentType, bytes */
    int sidType;                  /* SignerIdentifier type to use, of type
                                     Pkcs7_SignerIdentifier_Types, default to
                                     SID_ISSUER_AND_SERIAL_NUMBER */
    byte issuerSubjKeyId[KEYID_SIZE];  /* SubjectKeyIdentifier of singleCert */
    /* !! NEW DATA MEMBERS MUST BE ADDED AT END !! */
 } PKCS7;
@ -180,6 +189,7 @@ WOLFSSL_API int  wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
                                          word32 pkiMsgSz, byte* output,
                                          word32 outputSz);
 WOLFSSL_API int wc_PKCS7_SetSignerIdentifierType(PKCS7* pkcs7, int type);
 WOLFSSL_API int wc_PKCS7_SetContentType(PKCS7* pkcs7, byte* contentType,
                                        word32 sz);
 WOLFSSL_API int wc_PKCS7_GetPadSize(word32 inputSz, word32 blockSz);