diff --git a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.cpp b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.cpp
index 3750d6fd..e8d6ed6a 100644
--- a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.cpp
+++ b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.cpp
@@ -706,7 +706,7 @@ OEMCryptoResult SessionContext::LoadEntitledContentKeys(
         key_data->content_key_id,
         key_data->content_key_id + key_data->content_key_id_length);
     if (!DecryptMessage(*entitlement_key, iv, encrypted_content_key,
-                        &content_key)) {
+                        &content_key, 256 /* key size */)) {
       return OEMCrypto_ERROR_UNKNOWN_FAILURE;
     }
     if (!session_keys_->SetContentKey(entitlement_key_id, content_key_id,
@@ -726,7 +726,8 @@ OEMCryptoResult SessionContext::InstallKey(
   std::vector<uint8_t> content_key;
   std::vector<uint8_t> key_control_str;
 
-  if (!DecryptMessage(encryption_key_, key_data_iv, key_data, &content_key)) {
+  if (!DecryptMessage(encryption_key_, key_data_iv, key_data, &content_key,
+                      128 /* key size */)) {
     LOGE("[Installkey(): Could not decrypt key data]");
     return OEMCrypto_ERROR_UNKNOWN_FAILURE;
   }
@@ -749,7 +750,7 @@ OEMCryptoResult SessionContext::InstallKey(
     return OEMCrypto_ERROR_INVALID_CONTEXT;
   }
   if (!DecryptMessage(content_key, key_control_iv, key_control,
-                      &key_control_str)) {
+                      &key_control_str, 128 /* key size */)) {
     LOGE("[Installkey(): ERROR: Could not decrypt content key]");
     return OEMCrypto_ERROR_UNKNOWN_FAILURE;
   }
@@ -881,7 +882,7 @@ OEMCryptoResult SessionContext::RefreshKey(
       LOGD("Key control block is encrypted.");
     }
     if (!DecryptMessage(content_key_value, key_control_iv, key_control,
-                        &control)) {
+                        &control, 128 /* key size */)) {
       if (LogCategoryEnabled(kLoggingDumpKeyControlBlocks)) {
         LOGD("Error decrypting key control block.");
       }
@@ -1170,7 +1171,8 @@ bool SessionContext::UpdateMacKeys(const std::vector<uint8_t>& enc_mac_keys,
                                    const std::vector<uint8_t>& iv) {
   // Decrypt mac key from enc_mac_key using device_keya
   std::vector<uint8_t> mac_keys;
-  if (!DecryptMessage(encryption_key_, iv, enc_mac_keys, &mac_keys)) {
+  if (!DecryptMessage(encryption_key_, iv, enc_mac_keys, &mac_keys,
+                      128 /* key size */)) {
     return false;
   }
   mac_key_server_ = std::vector<uint8_t>(
@@ -1318,7 +1320,8 @@ OEMCryptoResult SessionContext::CopyOldUsageEntry(
 bool SessionContext::DecryptMessage(const std::vector<uint8_t>& key,
                                     const std::vector<uint8_t>& iv,
                                     const std::vector<uint8_t>& message,
-                                    std::vector<uint8_t>* decrypted) {
+                                    std::vector<uint8_t>* decrypted,
+                                    uint32_t key_size) {
   if (key.empty() || iv.empty() || message.empty() || !decrypted) {
     LOGE("[DecryptMessage(): OEMCrypto_ERROR_INVALID_CONTEXT]");
     return false;
@@ -1327,7 +1330,7 @@ bool SessionContext::DecryptMessage(const std::vector<uint8_t>& key,
   uint8_t iv_buffer[16];
   memcpy(iv_buffer, &iv[0], 16);
   AES_KEY aes_key;
-  AES_set_decrypt_key(&key[0], key.size() * 8, &aes_key);
+  AES_set_decrypt_key(&key[0], key_size, &aes_key);
   AES_cbc_encrypt(&message[0], &(decrypted->front()), message.size(), &aes_key,
                   iv_buffer, AES_DECRYPT);
   return true;
diff --git a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.h b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.h
index ea653a50..86625e8e 100644
--- a/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.h
+++ b/libwvdrmengine/oemcrypto/mock/src/oemcrypto_session.h
@@ -189,7 +189,8 @@ class SessionContext {
   bool DecryptMessage(const std::vector<uint8_t>& key,
                       const std::vector<uint8_t>& iv,
                       const std::vector<uint8_t>& message,
-                      std::vector<uint8_t>* decrypted);
+                      std::vector<uint8_t>* decrypted,
+                      uint32_t key_size);  // AES key size, in bits.
   // Either verify the nonce or usage entry, as required by the key control
   // block.
   OEMCryptoResult CheckNonceOrEntry(const KeyControlBlock& key_control_block);
diff --git a/libwvdrmengine/oemcrypto/test/oec_device_features.cpp b/libwvdrmengine/oemcrypto/test/oec_device_features.cpp
index 4b6317b5..b533f940 100644
--- a/libwvdrmengine/oemcrypto/test/oec_device_features.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_device_features.cpp
@@ -186,8 +186,8 @@ bool DeviceFeatures::IsTestKeyboxInstalled() {
   size_t key_data_len = sizeof(key_data);
   if (OEMCrypto_GetKeyData(key_data, &key_data_len) != OEMCrypto_SUCCESS)
     return false;
-  if (key_data_len != sizeof(kTestKeybox.data_)) return false;
-  if (memcmp(key_data, kTestKeybox.data_, key_data_len)) return false;
+  if (key_data_len != sizeof(kValidKeybox01.data_)) return false;
+  if (memcmp(key_data, kValidKeybox01.data_, key_data_len)) return false;
   uint8_t dev_id[128] = {0};
   size_t dev_id_len = 128;
   if (OEMCrypto_GetDeviceID(dev_id, &dev_id_len) != OEMCrypto_SUCCESS)
@@ -195,8 +195,8 @@ bool DeviceFeatures::IsTestKeyboxInstalled() {
   // We use strncmp instead of memcmp because we don't really care about the
   // multiple '\0' characters at the end of the device id.
   return 0 == strncmp(reinterpret_cast<const char*>(dev_id),
-                      reinterpret_cast<const char*>(kTestKeybox.device_id_),
-                      sizeof(kTestKeybox.device_id_));
+                      reinterpret_cast<const char*>(kValidKeybox01.device_id_),
+                      sizeof(kValidKeybox01.device_id_));
 }
 
 void DeviceFeatures::FilterOut(std::string* current_filter,
diff --git a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
index bcfa5330..72771c0d 100644
--- a/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
+++ b/libwvdrmengine/oemcrypto/test/oec_session_util.cpp
@@ -105,8 +105,9 @@ Session::Session()
       enc_key_(wvcdm::KEY_SIZE),
       public_rsa_(0),
       message_size_(sizeof(MessageData)),
-      num_keys_(4) {  // Most tests only use 4 keys.
-                      // Other tests will explicitly call set_num_keys.
+      num_keys_(4),  // Most tests only use 4 keys.
+      // Other tests will explicitly call set_num_keys.
+      has_entitlement_license_(false) {
   // Stripe the padded message.
   for (size_t i = 0; i < sizeof(padded_message_.padding); i++) {
     padded_message_.padding[i] = i % 0x100;
@@ -310,6 +311,7 @@ void Session::LoadEnitlementTestKeys(const std::string& pst,
 }
 
 void Session::FillEntitledKeyArray() {
+  has_entitlement_license_ = true;
   for (size_t i = 0; i < num_keys_; ++i) {
     EntitledContentKeyData* key_data = &entitled_key_data_[i];
 
@@ -594,10 +596,10 @@ void Session::EncryptAndSign() {
   AES_cbc_encrypt(&license_.mac_keys[0], &encrypted_license().mac_keys[0],
                   2 * wvcdm::MAC_KEY_SIZE, &aes_key, iv_buffer, AES_ENCRYPT);
 
+  int key_size = has_entitlement_license() ? 256 : 128;
   for (unsigned int i = 0; i < num_keys_; i++) {
     memcpy(iv_buffer, &license_.keys[i].control_iv[0], wvcdm::KEY_IV_SIZE);
-    AES_set_encrypt_key(&license_.keys[i].key_data[0],
-                        license_.keys[i].key_data_length * 8, &aes_key);
+    AES_set_encrypt_key(&license_.keys[i].key_data[0], key_size, &aes_key);
     AES_cbc_encrypt(
         reinterpret_cast<const uint8_t*>(&license_.keys[i].control),
         reinterpret_cast<uint8_t*>(&encrypted_license().keys[i].control),
diff --git a/libwvdrmengine/oemcrypto/test/oec_session_util.h b/libwvdrmengine/oemcrypto/test/oec_session_util.h
index 15c123ac..c4b35f44 100644
--- a/libwvdrmengine/oemcrypto/test/oec_session_util.h
+++ b/libwvdrmengine/oemcrypto/test/oec_session_util.h
@@ -370,6 +370,9 @@ class Session {
   // The size of the encrypted message.
   size_t message_size() { return message_size_; }
 
+  // If this session has an entitlement license.
+  bool has_entitlement_license() const { return has_entitlement_license_; }
+
  private:
   // Generate mac and enc keys give the master key.
   void DeriveKeys(const uint8_t* master_key,
@@ -399,6 +402,7 @@ class Session {
   vector<uint8_t> encrypted_usage_entry_;
   uint32_t usage_entry_number_;
   string pst_;
+  bool has_entitlement_license_;
 
   // Clear Entitlement key data. This is the backing data for
   // |entitled_key_array_|.
diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_session_tests_helper.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_session_tests_helper.cpp
index 229a168a..1a1b09be 100644
--- a/libwvdrmengine/oemcrypto/test/oemcrypto_session_tests_helper.cpp
+++ b/libwvdrmengine/oemcrypto/test/oemcrypto_session_tests_helper.cpp
@@ -104,10 +104,10 @@ void SessionUtil::EnsureTestKeys() {
     case DeviceFeatures::LOAD_TEST_KEYBOX:
       keybox_ = kTestKeybox;
       /* Note: If you are upgrading from an older version, it may be easier to
-       * uncomment the following line.  This uses the same test keybox as we
+       * force the following condition.  This uses the same test keybox as we
        * used in older versions of this test.
       */
-      // keybox_ = kValidKeybox01;
+      if (global_features.api_version < 14) keybox_ = kValidKeybox01;
       ASSERT_EQ(OEMCrypto_SUCCESS,
                 OEMCrypto_LoadTestKeybox(
                     reinterpret_cast<const uint8_t*>(&keybox_),
@@ -117,8 +117,8 @@ void SessionUtil::EnsureTestKeys() {
       ASSERT_EQ(OEMCrypto_SUCCESS, OEMCrypto_LoadTestRSAKey());
       break;
     case DeviceFeatures::EXISTING_TEST_KEYBOX:
-      // already has test keybox.
-      keybox_ = kTestKeybox;
+      // already has old test keybox.
+      keybox_ = kValidKeybox01;
       break;
     case DeviceFeatures::FORCE_TEST_KEYBOX:
       keybox_ = kTestKeybox;
diff --git a/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp b/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp
index 1611e192..c6a22f9e 100644
--- a/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp
+++ b/libwvdrmengine/oemcrypto/test/oemcrypto_test.cpp
@@ -828,7 +828,7 @@ TEST_F(OEMCryptoSessionTests, LoadKeyWithNoMAC) {
   ASSERT_EQ(expected_signature, signature);
 }
 
-TEST_F(OEMCryptoSessionTests, LoadEntitlementKeys) {
+TEST_F(OEMCryptoSessionTests, LoadEntitlementKeysAPI14) {
   Session s;
   ASSERT_NO_FATAL_FAILURE(s.open());
   ASSERT_NO_FATAL_FAILURE(InstallTestSessionKeys(&s));
@@ -841,7 +841,7 @@ TEST_F(OEMCryptoSessionTests, LoadEntitlementKeys) {
   ASSERT_NO_FATAL_FAILURE(s.LoadEntitledContentKeys());
 }
 
-TEST_F(OEMCryptoSessionTests, LoadEntitlementKeysNoEntitlementKeys) {
+TEST_F(OEMCryptoSessionTests, LoadEntitlementKeysNoEntitlementKeysAPI14) {
   Session s;
   ASSERT_NO_FATAL_FAILURE(s.open());
   ASSERT_NO_FATAL_FAILURE(InstallTestSessionKeys(&s));