Payment cryptography: Cannot decode TR34 keyblock

0

Hi,

Recently I started evaluating the Payment Cryptography API. So far, using the CLI commands, I can:

  • Create the top KEK
  • Use the get-parameters-for-export command to get the export token
  • Import my testing KRD CA cert
  • Export the KEK in TR34 format by using my KRD's host public cert (signed by my KRD's CA)

However, when I try to use my KRD's private cert to decrypt the CMS's ephemeral symmetric key, it fails. Without that I cannot decode the key block any further, and hence cannot recover the KEK. I've tried using the openssl command or Java's crypto library, and it always fails. The command looks like this:

    # openssl pkeyutl -in aws_kdh_ephemeral_key.bin -inkey certs/server.key -pkeyopt rsa_padding_mode:oaep -decrypt
    Public Key operation error
    140139261809088:error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error:../crypto/rsa/rsa_oaep.c:245:

(The above aws_kdh_ephemeral_key.bin is extracted from the CMS OCTET STRING inside the OID 1.2.840.113549.1.7.3 envelopedData)

Any comments are welcome

BR, Tim

asked 7 months ago, 262 views
1 Answer
0

Hello, to answer your question, we require details that are non-public information. Please open a support case with AWS using the following link

answered 7 months ago
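
Added example, not part of the original thread and not AWS code: OpenSSL reports "oaep decoding error" when the OAEP hash or MGF1 hash used for decryption differs from the one used for encryption, and `pkeyutl` assumes SHA-1 unless told otherwise. Whether that is the cause in the question is an assumption; the key pair, the ephemeral key and all file names below are constructed locally to reproduce the symptom and the matching-digest decrypt.

```shell
#!/bin/sh
# Added example. Every key and file here is generated locally (constructed data).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the KRD key pair (assumption: RSA-2048).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/krd.key" 2>/dev/null
openssl pkey -in "$WORK/krd.key" -pubout -out "$WORK/krd.pub"
# Stand-in for the ephemeral symmetric key carried in the CMS envelope.
openssl rand -out "$WORK/eph.bin" 24

# wrap_key DIGEST: RSAES-OAEP encrypt, DIGEST used for both the OAEP hash and MGF1.
wrap_key() {
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/krd.pub" -in "$WORK/eph.bin" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:"$1" -pkeyopt rsa_mgf1_md:"$1" \
    -out "$WORK/wrapped.bin"
}

# unwrap_default: the options from the question; OpenSSL then assumes SHA-1.
unwrap_default() {
  openssl pkeyutl -decrypt -inkey "$WORK/krd.key" -in "$WORK/wrapped.bin" \
    -pkeyopt rsa_padding_mode:oaep -out "$WORK/out.bin" 2>/dev/null &&
    cmp -s "$WORK/eph.bin" "$WORK/out.bin"
}

# unwrap_with DIGEST: name the OAEP and MGF1 digests explicitly.
unwrap_with() {
  openssl pkeyutl -decrypt -inkey "$WORK/krd.key" -in "$WORK/wrapped.bin" \
    -pkeyopt rsa_padding_mode:oaep \
    -pkeyopt rsa_oaep_md:"$1" -pkeyopt rsa_mgf1_md:"$1" \
    -out "$WORK/out.bin" 2>/dev/null &&
    cmp -s "$WORK/eph.bin" "$WORK/out.bin"
}

# Demo run: wrap with SHA-256, then try both ways of unwrapping.
wrap_key sha256
if unwrap_default; then echo "defaults: recovered"; else echo "defaults: oaep decoding error"; fi
if unwrap_with sha256; then echo "sha256: recovered"; else echo "sha256: failed"; fi
```

In a real envelope the digests are recorded in the RSAES-OAEP parameters of the recipient's keyEncryptionAlgorithm, which `openssl asn1parse` displays. The same error also results from a private key that does not match the recipient certificate or from extracting the wrong OCTET STRING.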
