Add PKCS7 ECC raw sign callback support

[jackctj117]

This pull request adds support for registering and using a user-defined callback for ECC raw digest signing in PKCS7 operations, similar to existing RSA support. The changes include new callback types, struct members, API functions, and corresponding test coverage.

ECC Raw Digest Signing Callback Support:

• Added a new callback type CallbackEccSignRawDigest for ECC raw digest signing, and a corresponding struct member eccSignRawDigestCb to wc_PKCS7 to allow user-supplied signing logic. [1] [2]
• Introduced the public API function wc_PKCS7_SetEccSignRawDigestCb to register the ECC signing callback with a PKCS7 context. [1] [2]
• Modified the PKCS7 signature building logic to invoke the ECC raw digest signing callback if set, enabling custom or hardware-backed ECC signing.

Testing Enhancements:

• Added an example ECC sign raw digest callback implementation (eccSignRawDigestCb) and corresponding test logic in test_pkcs7.c to verify the callback mechanism when ECC is enabled and RSA is disabled. [1] [2]

[devin-ai-integration]

🛟 Devin Lifeguard found 2 likely issues in this PR

• check-all-return-codes snippet: Check eccHashOID after wc_HashGetOID(esd->hashType) and, if it is negative, set ret to eccHashOID and break/return before invoking the callback.
• limit-stack-usage snippet: Apply the WOLFSSL_SMALL_STACK pattern: replace the on-stack declaration “ecc_key ecc;” with a pointer allocated via XMALLOC in combination with wc_ecc_init_ex (e.g., “ecc_key* ecc = (ecc_key*)XMALLOC(sizeof(ecc_key), pkcs7->heap, DYNAMIC_TYPE_ECC);”) and free it with XFREE to keep stack usage below 100 bytes.

@jackctj117
please take a look at the above issues which Devin flagged. Devin will not fix these issues automatically.

[dgarske]

unrecognized macros used:
HAVE_PKCS7_ECC_RAW_SIGN_CALLBACK
add well-formed but unknown macros to .wolfssl_known_macro_extras at top of source tree.

[Copilot]

Pull request overview

This pull request adds support for ECC raw digest signing callbacks in PKCS7 operations, mirroring the existing RSA callback functionality. The implementation allows users to provide custom ECC signing logic, which is useful for hardware-backed or alternative signing implementations.

Changes:

• Added ECC raw digest signing callback infrastructure (typedef, struct member, and API function)
• Modified PKCS7 signature building logic to invoke the ECC callback when configured
• Added comprehensive test coverage with example callback implementation

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
wolfssl/wolfcrypt/pkcs7.h	Added ECC callback typedef, struct member, and API declaration
wolfcrypt/src/pkcs7.c	Implemented callback invocation in signing logic and setter function
tests/api/test_pkcs7.c	Added example callback and test case for ECC signing
.wolfssl_known_macro_extras	Added HAVE_PKCS7_ECC_RAW_SIGN_CALLBACK macro definition

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jackctj117]

Jenkins retest please

[jackctj117]

Jenkins retest this please

[jackctj117]

Jenkins retest this

[jackctj117]

Jenkins retest this please

[dgarske]

Jenkins retest this please

[dgarske]

Also review the rsaSignRawDigestCb for same.

[lealem47]

Jenkins retest this please

[dgarske]

Jenkins retest this please.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The ECC raw-sign example callback comment says it assumes SHA-256, but the implementation explicitly ignores hashOID (and doesn’t validate digestSz for SHA-256). Either validate hashOID == SHA256h (and expected digest size) to match the documented assumption, or update the comment to indicate the callback is hash-agnostic.

[Copilot]

The ECC raw-sign callback return value is used as esd->encContentDigestSz without validating it against the provided output buffer size (sizeof(esd->encContentDigest)). If the callback mistakenly returns a size larger than outSz, later encoding will read past encContentDigest. Add a bounds check after the callback (e.g., treat ret > outSz as BUFFER_E) before accepting the size.