diff --git a/src/wh_server_keystore.c b/src/wh_server_keystore.c
index 55855f4c9..51e7a45c2 100644
--- a/src/wh_server_keystore.c
+++ b/src/wh_server_keystore.c
@@ -572,9 +572,12 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
     uint8_t  iv[WOLFHSM_KEYWRAP_AES_GCM_IV_SIZE];
     uint8_t  serverKey[AES_MAX_KEY_SIZE];
     uint32_t serverKeySz = sizeof(serverKey);
+    uint8_t  plainBlob[sizeof(*metadataIn) + WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE];
+    uint32_t plainBlobSz = sizeof(*metadataIn) + keySz;
+    uint8_t* encBlob;
 
     if (server == NULL || keyIn == NULL || metadataIn == NULL ||
-        wrappedKeyOut == NULL) {
+        wrappedKeyOut == NULL || plainBlobSz > sizeof(plainBlob)) {
         return WH_ERROR_BADARGS;
     }
 
@@ -613,15 +616,14 @@ static int _AesGcmWrapKey(whServerContext* server, whKeyId serverKeyId,
     }
 
     /* Combine key and metadata into one blob */
-    uint8_t plainBlob[sizeof(*metadataIn) + keySz];
     memcpy(plainBlob, metadataIn, sizeof(*metadataIn));
     memcpy(plainBlob + sizeof(*metadataIn), keyIn, keySz);
 
-    /* Place the encrypted blob after the IV and Auth Tag*/
-    uint8_t* encBlob = (uint8_t*)wrappedKeyOut + sizeof(iv) + sizeof(authTag);
+    /* Place the encrypted blob after the IV and Auth Tag */
+    encBlob = (uint8_t*)wrappedKeyOut + sizeof(iv) + sizeof(authTag);
 
     /* Encrypt the blob */
-    ret = wc_AesGcmEncrypt(aes, encBlob, plainBlob, sizeof(plainBlob), iv,
+    ret = wc_AesGcmEncrypt(aes, encBlob, plainBlob, plainBlobSz, iv,
                            sizeof(iv), authTag, sizeof(authTag), NULL, 0);
     if (ret != 0) {
         wc_AesFree(aes);
@@ -650,10 +652,10 @@ static int _AesGcmUnwrapKey(whServerContext* server, uint16_t serverKeyId,
     uint32_t serverKeySz = sizeof(serverKey);
     uint8_t* encBlob   = (uint8_t*)wrappedKeyIn + sizeof(iv) + sizeof(authTag);
     uint16_t encBlobSz = wrappedKeySz - sizeof(iv) - sizeof(authTag);
-    uint8_t  plainBlob[sizeof(*metadataOut) + keySz];
+    uint8_t  plainBlob[sizeof(*metadataOut) + WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE];
 
     if (server == NULL || wrappedKeyIn == NULL || metadataOut == NULL ||
-        keyOut == NULL) {
+        keyOut == NULL || keySz > WOLFHSM_CFG_KEYWRAP_MAX_KEY_SIZE) {
         return WH_ERROR_BADARGS;
     }
 
diff --git a/test/wh_test_keywrap.c b/test/wh_test_keywrap.c
index cb70aa434..a492e980e 100644
--- a/test/wh_test_keywrap.c
+++ b/test/wh_test_keywrap.c
@@ -54,20 +54,6 @@
 
 #endif /* HAVE_AESGCM */
 
-/* RSA Specific defines */
-#ifndef NO_RSA
-
-#define WH_TEST_RSA_KEY_OFFSET 0x2000
-#define WH_TEST_RSA_KEYID 3
-#define WH_TEST_RSA_MAX_DER_SIZE 2000
-
-/* We need the extra 4 bytes at the start to store the actual wrapped key size
- */
-#define WH_TEST_RSA_MAX_WRAPPED_KEYSIZE                            \
-    (sizeof(uint32_t) + WH_TEST_AES_IVSIZE + WH_TEST_AES_TAGSIZE + \
-     WH_TEST_RSA_MAX_DER_SIZE + sizeof(whNvmMetadata))
-#endif /* !NO_RSA */
-
 static int _InitServerKek(whClientContext* client)
 {
     /* IMPORTANT NOTE: Server KEK is typically intrinsic or set during
@@ -101,7 +87,7 @@ static int _AesGcm_KeyWrap(whClientContext* client, WC_RNG* rng)
     uint8_t       wrappedKey[WH_TEST_AES_WRAPPED_KEYSIZE];
     whKeyId       wrappedKeyId;
     whNvmMetadata metadata = {
-        .id    = WH_MAKE_KEYID(WH_KEYTYPE_CRYPTO, 0, WH_TEST_AESGCM_KEYID),
+        .id    = WH_MAKE_KEYID(WH_KEYTYPE_CRYPTO, client->comm->client_id, WH_TEST_AESGCM_KEYID),
         .label = "AES Key Label",
         .len   = WH_TEST_AES_KEYSIZE,
         .flags = WH_NVM_FLAGS_NONE,