Apologies if this has been mentioned before but in the last version of
the key wrapping standard I have:
5. Generate the number of pad octets necessary to make the
result a multiple of the key-encryption algorithm block
size, then append them to the result.
This sounds as though it is incompatible with PKCS padding which adds a
block of padding octets if the result is already a multiple of the block
Since (from what I can see) symmetric algorithms for the message
encryption use PKCS padding (see CMS 6.3) I see no real reason why it
shouldn't be also applied here: it does add a small additional integrity
check. Otherwise two different padding schemes would be applied, no
padding (for key wrap) and PKCS padding (for content encryption).
Dr Stephen N. Henson. UK based freelance Cryptographic Consultant.
For info see homepage at http://www.drh-consultancy.demon.co.uk/
PGP key: via homepage.