Summary

Server-side PKCS#7/CMS encode improvements so downstream EST/SCEP enrollment code can drive the existing encoder through the public API instead of hand-rolling DER, plus a related multi-certificate decode bug fix found along the way. All changes are gated under the existing HAVE_PKCS7 - no new build options and no new public functions.

Changes

1. Allow degenerate (certs-only) SignedData encode

Relaxes the hashOID != 0 requirement in PKCS7_EncodeSigned() when sidType == DEGENERATE_SID. A caller can now produce a degenerate, certs-only SignedData (no signer, no signed attributes, no eContent - the form used by EST /cacerts and SCEP GetCACert responses) entirely through the existing public API:

wc_PKCS7_InitWithCert(pkcs7, cert, certSz);          
/* wc_PKCS7_AddCertificate() */
wc_PKCS7_SetSignerIdentifierType(pkcs7, DEGENERATE_SID);
pkcs7->detached   = 1;
pkcs7->contentOID = DATA;
wc_PKCS7_EncodeSignedData(pkcs7, out, outSz);

The output round-trips through wc_PKCS7_VerifySignedData() (which repopulates pkcs7->cert[]).

2. Size the signed-attribute array to the actual count

The SignerInfo attribute working array is now sized to the real attribute count instead of a fixed [7] array. An inline buffer (sized MAX_SIGNED_ATTRIBS_SZ, the historical footprint) covers the common case with no heap allocation - important for no-malloc/static-memory builds - and a heap buffer is used only when the count exceeds it. The default-attribute count comes from a single helper (wc_PKCS7_GetDefaultSignedAttribCount()) so the sizing matches the emission logic exactly, and the canned-attribute write is bound-checked against the array capacity so any future drift fails with BUFFER_E rather than overflowing.

This also fixes a latent overflow where the backing array was hardcoded [7] while the bound check used MAX_SIGNED_ATTRIBS_SZ. Profiles such as SCEP CertRep (RFC 8894), which carry several user attributes alongside the CMS auto-defaults, now encode without spurious BUFFER_E. MAX_SIGNED_ATTRIBS_SZ is retained for source compatibility but no longer caps the count (it only sizes the embedded inline buffer).

3. Document the decoded-attribute value shape

Documents the stable, guaranteed shape of PKCS7DecodedAttrib.value (the contents of the SET OF AttributeValue, with the outer SET tag stripped) so callers can rely on it. Documentation only - no behavior change.

4. Multi-certificate decode fix (non-streaming)

Bounds the additional-certificate loop in wc_PKCS7_VerifySignedData() against the absolute end of the certificate set (idx + length) rather than the relative length. In NO_PKCS7_STREAM builds the previous bound stopped short and dropped trailing certificates - and, with a large eContent preceding the set, could drop all but the first certificate, causing verification to fail when the signer cert was among those dropped. Streaming builds were unaffected.

Public API

No additions or changes. MAX_SIGNED_ATTRIBS_SZ is retained for source compatibility but no longer caps the attribute count (it now sizes the inline encode-time working buffer).

Tests

Added coverage in pkcs7signed_test:

• Degenerate (certs-only) encode via the public API, round-tripped through verify.
• Nine signed attributes (six user + three auto-defaults), exceeding the inline capacity to exercise the heap-fallback path.
• Decoded-attribute value shape for PrintableString and OCTET STRING.
• A multi-certificate decode regression with large content that triggers the bound bug under NO_PKCS7_STREAM.

Config-sensitive cases are guarded (MAX_PKCS7_CERTS >= 3; the nine-attribute case requires heap or an enlarged inline array). The multi-cert test only validates the bound fix under NO_PKCS7_STREAM (documented in the test); in streaming builds it is a general multi-cert round-trip check.

Verification

• Builds clean (-Werror) on the default/streaming configuration.
• wolfcrypt/test/testwolfcrypt passes (PKCS7signed test passed!).