Request: Implement C_UnwrapKey in SIMW Top PKCS#11 (SE05X) for CMS ECDH

719 Views
vishwaec08
Contributor I

Hello NXP Team,

We need C_UnwrapKey (AES-CBC/AES-CBC-PAD) implemented in SE05X SDK PKCS#11 to enable CMS ECDH handle-only decrypt on SE05X.

Currently C_UnwrapKey returns CKR_FUNCTION_NOT_SUPPORTED in sss_pkcs11_pal_core.c. The flow requires unwrapping the CMS CEK on-token using the derived AES handle plus the 16-byte IV from CMS.

Regards
Vishwa

0 Kudos
Reply
2 Replies

683 Views
vishwaec08
Contributor I

Hi,

The overall idea is that we want to encrypt and decrypt the data using OpenSSL CMS with an EC key.

For reference, the OpenSSL commands are listed below.

pkcs11-tool --module /usr/lib/libsss_pkcs11.so --slot 1 --keypairgen --key-type EC:prime256v1 --label "sss:20202022"

OPENSSL_CONF=engine.conf openssl req -engine pkcs11 -new -key "pkcs11:object=sss:20202022;type=private" -keyform engine -out ec_req.pem -x509 -subj "/CN=Test EC" -days 365

OPENSSL_CONF=engine.conf openssl x509 -engine pkcs11 -signkey "pkcs11:object=sss:20202022;type=private" -keyform engine -in ec_req.pem -out ec_cert.pem

openssl cms -encrypt -binary -outform DER -aes128 -in smcont.txt -recip ec_cert.pem -out test_ec.cms

OPENSSL_CONF=engine.conf openssl cms -decrypt -binary -inform DER -engine pkcs11 -keyform engine -inkey "pkcs11:object=sss:20202022;type=private" -recip ec_cert.pem -in test_ec.cms -out smtst.txt

0 Kudos
Reply
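
A pre-check for the flow described in the two posts above, as an added example that is not part of the thread or of the NXP SDK: it parses the output of `pkcs11-tool --list-mechanisms` and reports whether the module advertises derive on ECDH1-DERIVE and unwrap on AES-CBC / AES-CBC-PAD. The function names and the sample listing are constructed for illustration; the mechanism names are the ones pkcs11-tool prints.

```shell
#!/bin/sh
# Added example (not from the thread or the NXP SDK).
# Parses `pkcs11-tool --list-mechanisms` output and reports whether the module
# advertises the capabilities the CMS ECDH handle-only flow depends on.

# mech_has_flag MECH FLAG   (mechanism listing on stdin)
# exit 0: flag advertised, 1: mechanism listed without it, 2: mechanism absent
mech_has_flag() {
    awk -v mech="$1" -v flag="$2" '
        BEGIN { FS = ","; rc = 2 }
        {
            name = $1
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name != mech) next          # exact match: AES-CBC != AES-CBC-PAD
            if (rc == 2) rc = 1
            for (i = 2; i <= NF; i++) {
                f = $i
                gsub(/^[ \t]+|[ \t]+$/, "", f)
                if (f == flag) rc = 0
            }
        }
        END { exit rc }'
}

# check_unwrap_path: ECDH derive plus AES-CBC / AES-CBC-PAD unwrap, as in the post.
check_unwrap_path() {
    listing=$(cat)
    missing=""
    for pair in "ECDH1-DERIVE:derive" "AES-CBC:unwrap" "AES-CBC-PAD:unwrap"; do
        mech=${pair%%:*}
        flag=${pair##*:}
        if ! printf '%s\n' "$listing" | mech_has_flag "$mech" "$flag"; then
            missing="$missing $mech/$flag"
        fi
    done
    [ -z "$missing" ] && return 0
    echo "not advertised:$missing" >&2
    return 1
}

# Constructed listing for illustration; not captured from an SE05X.
sample_listing() {
    cat <<'EOF'
Supported mechanisms:
  ECDSA, keySize={256,256}, hw, sign, verify
  ECDH1-DERIVE, keySize={256,256}, hw, derive
  AES-CBC, keySize={16,32}, encrypt, decrypt
  AES-CBC-PAD, keySize={16,32}, encrypt, decrypt
EOF
}

# Real use: pkcs11-tool --module /usr/lib/libsss_pkcs11.so --list-mechanisms | check_unwrap_path
sample_listing | check_unwrap_path || echo "unwrap path incomplete in sample listing"
```

The listing reflects what the module reports through C_GetMechanismInfo, so it is a quick pre-check and not proof that C_UnwrapKey itself is implemented.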

697 Views
Kan_Li
NXP TechSupport

Hi @vishwaec08,

I have forwarded your feature request to the expert team, and will let you know when I have any feedback from there.

Thanks for your patience!

Have a great day,
Kan


-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

0 Kudos
Reply