diff --git a/tests/api.c b/tests/api.c
index 537612c58..c64c17aaf 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -83662,7 +83662,71 @@ static int test_CryptoCb_Func(int thisDevId, wc_CryptoInfo* info, void* ctx)
         else if (info->pk.type == WC_PK_TYPE_RSA_PKCS ||
                  info->pk.type == WC_PK_TYPE_RSA_PSS  ||
                  info->pk.type == WC_PK_TYPE_RSA_OAEP) {
-            ret = CRYPTOCB_UNAVAILABLE; /* fallback to software */
+            RsaKey key;
+
+            if (info->pk.rsa.type == RSA_PUBLIC_ENCRYPT ||
+                info->pk.rsa.type == RSA_PUBLIC_DECRYPT) {
+                /* Have all public key ops fall back to SW */
+                return CRYPTOCB_UNAVAILABLE;
+            }
+
+            if (info->pk.rsa.padding == NULL) {
+                return BAD_FUNC_ARG;
+            }
+
+            /* Initialize key */
+            ret = load_pem_key_file_as_der(privKeyFile, &pDer,
+                &keyFormat);
+            if (ret != 0) {
+                return ret;
+            }
+
+            ret = wc_InitRsaKey(&key, HEAP_HINT);
+            if (ret == 0) {
+                word32 keyIdx = 0;
+                /* load RSA private key and perform private transform */
+                ret = wc_RsaPrivateKeyDecode(pDer->buffer, &keyIdx,
+                    &key, pDer->length);
+            }
+            /* Perform RSA operation */
+            if ((ret == 0) && (info->pk.type == WC_PK_TYPE_RSA_PKCS)) {
+            #if !defined(WOLFSSL_RSA_PUBLIC_ONLY) && !defined(WOLFSSL_RSA_VERIFY_ONLY)
+                ret = wc_RsaSSL_Sign(info->pk.rsa.in, info->pk.rsa.inLen,
+                    info->pk.rsa.out, *info->pk.rsa.outLen, &key,
+                    info->pk.rsa.rng);
+            #else
+                ret = CRYPTOCB_UNAVAILABLE;
+            #endif
+            }
+            if ((ret == 0) && (info->pk.type == WC_PK_TYPE_RSA_PSS)) {
+            #ifdef WC_RSA_PSS
+                ret = wc_RsaPSS_Sign_ex(info->pk.rsa.in, info->pk.rsa.inLen,
+                    info->pk.rsa.out, *info->pk.rsa.outLen,
+                    info->pk.rsa.padding->hash, info->pk.rsa.padding->mgf,
+                    info->pk.rsa.padding->saltLen, &key, info->pk.rsa.rng);
+            #else
+                ret = CRYPTOCB_UNAVAILABLE;
+            #endif
+            }
+            if ((ret == 0) && (info->pk.type == WC_PK_TYPE_RSA_OAEP)) {
+            #if !defined(WC_NO_RSA_OAEP) || defined(WC_RSA_NO_PADDING)
+                ret = wc_RsaPrivateDecrypt_ex(
+                    info->pk.rsa.in, info->pk.rsa.inLen,
+                    info->pk.rsa.out, *info->pk.rsa.outLen,
+                    &key, WC_RSA_OAEP_PAD, info->pk.rsa.padding->hash,
+                    info->pk.rsa.padding->mgf, info->pk.rsa.padding->label,
+                    info->pk.rsa.padding->labelSz);
+            #else
+                ret = CRYPTOCB_UNAVAILABLE;
+            #endif
+            }
+
+            if (ret > 0) {
+                *info->pk.rsa.outLen = ret;
+            }
+
+            wc_FreeRsaKey(&key);
+            wc_FreeDer(&pDer); pDer = NULL;
         }
         #endif /* ifdef WOLF_CRYPTO_CB_RSA_PAD */
     #endif /* !NO_RSA */
diff --git a/wolfcrypt/src/wc_pkcs11.c b/wolfcrypt/src/wc_pkcs11.c
index d85e195e6..885e495ee 100644
--- a/wolfcrypt/src/wc_pkcs11.c
+++ b/wolfcrypt/src/wc_pkcs11.c
@@ -1809,57 +1809,78 @@ static int Pkcs11RsaPrivateKey(Pkcs11Session* session, RsaKey* rsaKey,
     return ret;
 }
 
+/**
+ * Get the hash length associated with the WolfCrypt hash type.
+ *
+ * @param  [in]   hType   Hash Type.
+ * @return  -1 if hash type not recognized.
+ * @return  hash length on success.
+ */
 int wc_hash2sz(int hType)
 {
     switch(hType) {
     case WC_HASH_TYPE_SHA:
         return 20;
+    case WC_HASH_TYPE_SHA224:
+        return 24;
     case WC_HASH_TYPE_SHA256:
         return 32;
     case WC_HASH_TYPE_SHA384:
         return 48;
     case WC_HASH_TYPE_SHA512:
         return 64;
-    case WC_HASH_TYPE_SHA224:
-        return 24;
     default:
         /* unsupported WC_HASH_TYPE_XXXX */
         return -1;
     }
 }
 
+/**
+ * Get PKCS11 hash mechanism associated with the WolfCrypt hash type.
+ *
+ * @param  [in]   hType   Hash Type.
+ * @return  0 if hash type not recognized.
+ * @return  PKCS11 mechanism on success.
+ */
 CK_MECHANISM_TYPE wc_hash2ckm(int hType)
 {
     switch(hType) {
     case WC_HASH_TYPE_SHA:
         return CKM_SHA_1;
+    case WC_HASH_TYPE_SHA224:
+        return CKM_SHA224;
     case WC_HASH_TYPE_SHA256:
         return CKM_SHA256;
     case WC_HASH_TYPE_SHA384:
         return CKM_SHA384;
     case WC_HASH_TYPE_SHA512:
         return CKM_SHA512;
-    case WC_HASH_TYPE_SHA224:
-        return CKM_SHA224;
     default:
         /* unsupported WC_HASH_TYPE_XXXX */
         return 0UL;
     }
 }
 
+/**
+ * Get PKCS11 MGF hash mechanism associated with the WolfCrypt MGF hash type.
+ *
+ * @param  [in]   mgf   MGF Type.
+ * @return  0 if MGF type not recognized.
+ * @return  PKCS11 MGF hash mechanism on success.
+ */
 CK_MECHANISM_TYPE wc_mgf2ckm(int mgf)
 {
     switch(mgf) {
     case WC_MGF1SHA1:
         return CKG_MGF1_SHA1;
+    case WC_MGF1SHA224:
+        return CKG_MGF1_SHA224;
     case WC_MGF1SHA256:
         return CKG_MGF1_SHA256;
     case WC_MGF1SHA384:
         return CKG_MGF1_SHA384;
     case WC_MGF1SHA512:
         return CKG_MGF1_SHA512;
-    case WC_MGF1SHA224:
-        return CKG_MGF1_SHA224;
     default:
         /* unsupported WC_MGF1XXXX */
         return 0x0UL;