examples/pkcs7: size output buffer for RSA-4096 signatures

aidangarske · aidangarske · commit 90846ba49f0e · 2026-04-24T22:24:57.000+01:00
MAX_PKCS7_SIZE aliased to MAX_CONTEXT_SIZE (2 KB), which is enough
  for an RSA-2048 signed blob but overflows at RSA-4096 where the
  signature alone is 512 B plus a ~1-1.5 KB cert and ASN.1 overhead.
  wc_PKCS7_EncodeSignedData then returned BUFFER_E (0xffffff7c).

  Gate on MAX_RSA_KEY_BITS so 2048-bit builds keep the exact same
  buffer size; 4096-bit builds (Nations NS350, Infineon SLB967x,
  or anyone overriding) get 4 KB.
diff --git a/examples/pkcs7/pkcs7.c b/examples/pkcs7/pkcs7.c
@@ -57,7 +57,14 @@
 #endif
 
 #ifndef MAX_PKCS7_SIZE
-#define MAX_PKCS7_SIZE MAX_CONTEXT_SIZE
+    /* Must hold the full SignedData blob (cert + signature + ASN.1 overhead).
+     * MAX_CONTEXT_SIZE (2 KB) is enough for RSA-2048 but overflows at
+     * RSA-4096 where the signature alone is 512 B. */
+    #if MAX_RSA_KEY_BITS >= 4096
+        #define MAX_PKCS7_SIZE 4096
+    #else
+        #define MAX_PKCS7_SIZE MAX_CONTEXT_SIZE
+    #endif
 #endif
 
 /******************************************************************************/
