diff --git a/lib/pk11wrap/pk11pbe.c b/lib/pk11wrap/pk11pbe.c
index 5c389cfd73..bea9333f62 100644
--- a/lib/pk11wrap/pk11pbe.c
+++ b/lib/pk11wrap/pk11pbe.c
@@ -370,6 +370,13 @@ sec_pkcs5v2_key_length(SECAlgorithmID *algid, SECAlgorithmID *cipherAlgId)
 length = sec_pkcs5v2_aes_key_length(cipherAlg);
 } else if (p5_param.keyLength.data != NULL) {
 length = DER_GetInteger(&p5_param.keyLength);
+ } else {
+ CK_MECHANISM_TYPE cipherMech;
+ cipherMech = PK11_AlgtagToMechanism(cipherAlg);
+ if (cipherMech == CKM_INVALID_MECHANISM) {
+ goto loser;
+ }
+ length = PK11_GetMaxKeyLength(cipherMech);
 }
 
 loser:
diff --git a/lib/pk11wrap/pk11priv.h b/lib/pk11wrap/pk11priv.h
index ce0f5d7fa7..d9aaeaf92c 100644
--- a/lib/pk11wrap/pk11priv.h
+++ b/lib/pk11wrap/pk11priv.h
@@ -106,6 +106,7 @@ CK_OBJECT_HANDLE PK11_FindObjectForCert(CERTCertificate *cert, void *wincx,
 PK11SlotInfo **pSlot);
 PK11SymKey *pk11_CopyToSlot(PK11SlotInfo *slot, CK_MECHANISM_TYPE type,
 CK_ATTRIBUTE_TYPE operation, PK11SymKey *symKey);
+unsigned int pk11_GetPredefinedKeyLength(CK_KEY_TYPE keyType);
 
 /**********************************************************************
 * Certs
diff --git a/lib/pk11wrap/pk11slot.c b/lib/pk11wrap/pk11slot.c
index c66ae275ca..68d37486f7 100644
--- a/lib/pk11wrap/pk11slot.c
+++ b/lib/pk11wrap/pk11slot.c
@@ -2291,6 +2291,14 @@ PK11_GetMaxKeyLength(CK_MECHANISM_TYPE mechanism)
 }
 }
 }
+
+ /* fallback to pk11_GetPredefinedKeyLength for fixed key size algorithms */
+ if (keyLength == 0) {
+ CK_KEY_TYPE keyType;
+ keyType = PK11_GetKeyType(mechanism, 0);
+ keyLength = pk11_GetPredefinedKeyLength(keyType);
+ }
+
 if (le)
 PK11_FreeSlotListElement(list, le);
 if (freeit)
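Review bot: The new `else` branch in sec_pkcs5v2_key_length stores the result of `PK11_GetMaxKeyLength(cipherMech)` in `length` without checking it. The pk11slot.c hunk in this same patch suggests that call can still return 0 when neither a slot nor the predefined table supplies a size. For a variable-key cipher the value would presumably be whatever maximum a loaded token reports, so the derived PBE key length could differ between installations. I would reject a non-positive result explicitly, e.g. `if (length <= 0) { goto loser; }`, and add a comment such as `/* keyLength absent: only meaningful for fixed-key-size ciphers */`. The function's declarations and the code after `loser:` are outside the hunk, so what `length` holds on the failure path should be confirmed there.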
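Review bot: The fallback added to PK11_GetMaxKeyLength changes what a non-zero return means, and the one-line comment does not say so. Before this hunk the value appears to come only from what a slot reported; now a table value is returned even when no slot supplied one, so callers can no longer read a non-zero result as "some token handles this mechanism". I would spell that out, e.g. `/* no slot reported a size: use the fixed size for this key type (may still be 0 for variable-length or unknown key types) */`, and state the unit of the returned length in the function's header comment. It is also worth confirming what `PK11_GetKeyType(mechanism, 0)` returns for a mechanism it does not recognise, since that value is passed straight into `pk11_GetPredefinedKeyLength`. The loop that sets `keyLength` and the function's return are outside the hunk.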