Applied a patch (bsc#1256673, CVE-2026-22791).

Modified the .spec file for Immutable Mode (jsc#PED-14798)

ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch

@@ -1,179 +0,0 @@
-From 144456ede9897662eed35ac8415d0ecb1c5907e3 Mon Sep 17 00:00:00 2001
-From: Ingo Franzki <ifranzki@linux.ibm.com>
-Date: Wed, 13 Aug 2025 13:50:24 +0200
-Subject: [PATCH] PKCSSLOTD: Remove the use of MD5
-
-The pkcsslotd uses MD5 to calculate kind of a checksum of the token directory
-path, for easy checking if the same token directory has already been used by
-other tokens.
-
-The use of MD5 for this is just historical, and has no security relevance at
-all. Still, OpenSSL running in FIPS mode might reject the use of MD5, so
-pkcsslotd will fail to start.
-
-Change the code to use SHA256 instead.
-
-Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
----
- usr/sbin/pkcsslotd/pkcsslotd.h |  6 +---
- usr/sbin/pkcsslotd/slotmgr.c   | 52 ++++++++++++++--------------------
- 2 files changed, 23 insertions(+), 35 deletions(-)
-
-diff --git a/usr/sbin/pkcsslotd/pkcsslotd.h b/usr/sbin/pkcsslotd/pkcsslotd.h
-index ec6a489a5..fa0db30f7 100644
---- a/usr/sbin/pkcsslotd/pkcsslotd.h
-+++ b/usr/sbin/pkcsslotd/pkcsslotd.h
-@@ -42,11 +42,7 @@
- 
- #endif                          /* DEV */
- 
--#define HASH_SHA1   1
--#define HASH_MD5    2
--#define compute_md5(a,b,c)      compute_hash(HASH_MD5,b,a,c)
--
--int compute_hash(int hash_type, int buf_size, char *buf, char *digest);
-+int compute_sha256(char *buf, int buf_size, char *digest);
- 
- /********************
-  * Global Variables *
-diff --git a/usr/sbin/pkcsslotd/slotmgr.c b/usr/sbin/pkcsslotd/slotmgr.c
-index 0c1a5586f..d0d85a85f 100644
---- a/usr/sbin/pkcsslotd/slotmgr.c
-+++ b/usr/sbin/pkcsslotd/slotmgr.c
-@@ -27,7 +27,7 @@
- #include "configuration.h"
- 
- #define OBJ_DIR "TOK_OBJ"
--#define MD5_HASH_SIZE 16
-+#define SHA256_HASH_SIZE 32
- 
- #define DEF_MANUFID "IBM"
- 
-@@ -44,8 +44,8 @@
-     #define DEF_SLOTDESC    "Linux"
- #endif
- 
--typedef char md5_hash_entry[MD5_HASH_SIZE];
--md5_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
-+typedef char sha256_hash_entry[SHA256_HASH_SIZE];
-+sha256_hash_entry tokname_hash_table[NUMBER_SLOTS_MANAGED];
- 
- Slot_Mgr_Shr_t *shmp;           // pointer to the shared memory region.
- int shmid;
-@@ -86,27 +86,19 @@ void DumpSharedMemory(void)
-     }
- }
- 
--int compute_hash(int hash_type, int buf_size, char *buf, char *digest)
-+int compute_sha256(char *buf, int buf_size, char *digest)
- {
-     EVP_MD_CTX *md_ctx = NULL;
-     unsigned int result_size;
-     int rc;
- 
-     md_ctx = EVP_MD_CTX_create();
--
--    switch (hash_type) {
--    case HASH_SHA1:
--        rc = EVP_DigestInit(md_ctx, EVP_sha1());
--        break;
--    case HASH_MD5:
--        rc = EVP_DigestInit(md_ctx, EVP_md5());
--        break;
--    default:
--        EVP_MD_CTX_destroy(md_ctx);
-+    if (md_ctx == NULL) {
-+        fprintf(stderr, "EVP_MD_CTX_create() failed\n");
-         return -1;
--        break;
-     }
- 
-+    rc = EVP_DigestInit(md_ctx, EVP_sha256());
-     if (rc != 1) {
-         fprintf(stderr, "EVP_DigestInit() failed: rc = %d\n", rc);
-         return -1;
-@@ -374,12 +366,12 @@ void run_sanity_checks(void)
-     }
- }
- 
--int is_duplicate(md5_hash_entry hash, md5_hash_entry *hash_table)
-+int is_duplicate(sha256_hash_entry hash, sha256_hash_entry *hash_table)
- {
-     int i;
- 
-     for (i = 0; i < NUMBER_SLOTS_MANAGED; i++) {
--        if (memcmp(hash_table[i], hash, sizeof(md5_hash_entry)) == 0)
-+        if (memcmp(hash_table[i], hash, sizeof(sha256_hash_entry)) == 0)
-             return 1;
-     }
- 
-@@ -483,7 +475,7 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
-     mode_t proc_umask;
-     char *tokdir = psinfo->tokname;
-     char *tokgroup = psinfo->usergroup;
--    char token_md5_hash[MD5_HASH_SIZE];
-+    char token_sha256_hash[SHA256_HASH_SIZE];
- 
-     if (psinfo->present == FALSE)
-         return 0;
-@@ -517,26 +509,26 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
-      */
-     if (!tokdir || strlen(tokdir) == 0) {
-         /*
--         * Build the md5 hash from the dll name prefixed with 'dll:' to
-+         * Build the SHA256 hash from the dll name prefixed with 'dll:' to
-          * check for duplicate tokens with no 'tokname'.
-          */
-         snprintf(tokendir, sizeof(tokendir), "dll:%s", psinfo->dll_location);
--        rc = compute_md5(tokendir, strlen(tokendir), token_md5_hash);
-+        rc = compute_sha256(tokendir, strlen(tokendir), token_sha256_hash);
-         if (rc) {
--            fprintf(stderr, "Error calculating MD5 of token name!\n");
-+            fprintf(stderr, "Error calculating SHA256 of token name!\n");
-             return -1;
-         }
- 
-         /* check for duplicate token names */
--        if (is_duplicate(token_md5_hash, tokname_hash_table)) {
-+        if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
-             fprintf(stderr, "Duplicate token in slot %llu!\n",
-                     psinfo->slot_number);
-             return -1;
-         }
- 
-         /* add entry into hash table */
--        memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
--               MD5_HASH_SIZE);
-+        memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
-+               SHA256_HASH_SIZE);
- 
-         return 0;
-     }
-@@ -549,21 +541,21 @@ int chk_create_tokdir(Slot_Info_t_64 *psinfo)
-         return -1;
-     }
- 
--    /* calculate md5 hash from token name */
--    rc = compute_md5(tokdir, strlen(tokdir), token_md5_hash);
-+    /* calculate SHA256 hash from token name */
-+    rc = compute_sha256(tokdir, strlen(tokdir), token_sha256_hash);
-     if (rc) {
--        fprintf(stderr, "Error calculating MD5 of token name!\n");
-+        fprintf(stderr, "Error calculating SHA256 of token name!\n");
-         return -1;
-     }
-     /* check for duplicate token names */
--    if (is_duplicate(token_md5_hash, tokname_hash_table)) {
-+    if (is_duplicate(token_sha256_hash, tokname_hash_table)) {
-         fprintf(stderr, "Duplicate token name '%s'!\n", tokdir);
-         return -1;
-     }
- 
-     /* add entry into hash table */
--    memcpy(tokname_hash_table[psinfo->slot_number], token_md5_hash,
--           MD5_HASH_SIZE);
-+    memcpy(tokname_hash_table[psinfo->slot_number], token_sha256_hash,
-+           SHA256_HASH_SIZE);
- 
-     /* Create token specific directory */
-     /* sprintf checked above */

ocki-3.26-remove-make-install-chgrp.patch

@@ -1,5 +1,5 @@
---- a/Makefile.am	2025-06-10 08:52:39.000000000 +0200
-+++ b/Makefile.am	2025-06-16 12:25:31.040661532 +0200
+--- a/Makefile.am	2025-11-11 08:58:19.000000000 +0100
++++ b/Makefile.am	2025-11-12 10:21:00.563936369 +0100
 @@ -51,19 +51,9 @@
  include doc/doc.mk
  

openCryptoki-CVE-2026-22791-commit-e37e912.patch

@@ -0,0 +1,113 @@
+From e37e9127deeeb7bf3c3c4d852c594256c57ec3a8 Mon Sep 17 00:00:00 2001
+From: Ingo Franzki <ifranzki@linux.ibm.com>
+Date: Thu, 8 Jan 2026 10:48:29 +0100
+Subject: [PATCH] COMMON: Fix CKM_ECDH_AES_KEY_WRAP buffer size calculation
+ with compressed keys
+
+When a C_WrapKey with CKM_ECDH_AES_KEY_WRAP is performed, and the EC public
+key used with it uses a compressed EC point, then the size of the wrapped
+key material is calculated wrongly. This may lead to an out-of-bounds write
+when the caller provides a buffer of that calculated size.
+
+The temporary EC key generated internally by this mechanism is always
+uses an uncompressed EC point, but the buffer size is erroneously calculated
+using the EC point of the supplied EC public key. Thus, in case a compressed
+EC point is supplied, the buffer size calculation results in a too short
+buffer.
+
+Fix this by calculating the buffer size using the EC point of the internally
+generated EC key, because this is what is later on written to the buffer.
+
+Fixes: 785d7577e1477d12fbe235554e7e7b24f2de34b7
+Reported-by: Pavel Kohout of Aisle Research, www.aisle.com
+Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
+---
+ usr/lib/common/mech_ec.c | 54 ++++++++++++++++++++--------------------
+ 1 file changed, 27 insertions(+), 27 deletions(-)
+
+diff --git a/usr/lib/common/mech_ec.c b/usr/lib/common/mech_ec.c
+index 2399c1cfb..ce031ec0c 100644
+--- a/usr/lib/common/mech_ec.c
++++ b/usr/lib/common/mech_ec.c
+@@ -1758,6 +1758,31 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+         goto done;
+     }
+ 
++    /* Get the (raw) size of the generated EC point */
++    rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle,
++                                 &pub_key_obj, READ_LOCK);
++    if (rc != CKR_OK) {
++        TRACE_ERROR("Failed to acquire key from EC public key handle.\n");
++        if (rc == CKR_OBJECT_HANDLE_INVALID)
++            rc = CKR_KEY_HANDLE_INVALID;
++        goto done;
++    }
++
++    rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT,
++                                          &ec_point);
++    if (rc != CKR_OK) {
++        TRACE_DEVEL("Failed to get CKA_EC_POINT.\n");
++        goto done;
++    }
++
++    rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue,
++                                  &pub_ec_point, &pub_ec_point_len, &field_len);
++    if (rc != CKR_OK || field_len != ec_point->ulValueLen) {
++        rc = CKR_FUNCTION_FAILED;
++        TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n");
++        goto done;
++    }
++
+     /* Perform ECDH to derive a shared AES key */
+     ecdh_params.kdf = params->kdf;
+     ecdh_params.pSharedData = params->pSharedData;
+@@ -1813,7 +1838,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+     }
+ 
+     /* Calculate the final length of the wrapped key data */
+-    total_len = ecdh_params.ulPublicDataLen + wrapped_key_len;
++    total_len = pub_ec_point_len + wrapped_key_len;
+ 
+     if (length_only) {
+         *out_data_len = total_len;
+@@ -1831,31 +1856,6 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+      * Copy the (raw) EC point of the public transport EC key as first part of
+      * the wrapped key data.
+      */
+-    rc = object_mgr_find_in_map1(tokdata, ec_publ_key_handle,
+-                                 &pub_key_obj, READ_LOCK);
+-    if (rc != CKR_OK) {
+-        TRACE_ERROR("Failed to acquire key from EC public key handle.\n");
+-        if (rc == CKR_OBJECT_HANDLE_INVALID)
+-            return CKR_KEY_HANDLE_INVALID;
+-        else
+-            return rc;
+-    }
+-
+-    rc = template_attribute_get_non_empty(pub_key_obj->template, CKA_EC_POINT,
+-                                          &ec_point);
+-    if (rc != CKR_OK) {
+-        TRACE_DEVEL("Failed to get CKA_EC_POINT.\n");
+-        goto done;
+-    }
+-
+-    rc = ber_decode_OCTET_STRING((CK_BYTE *)ec_point->pValue,
+-                                  &pub_ec_point, &pub_ec_point_len, &field_len);
+-    if (rc != CKR_OK || field_len != ec_point->ulValueLen) {
+-        rc = CKR_FUNCTION_FAILED;
+-        TRACE_DEVEL("Failed to decode CKA_EC_POINT.\n");
+-        goto done;
+-    }
+-
+     memcpy(out_data, pub_ec_point, pub_ec_point_len);
+ 
+     /*
+@@ -1864,7 +1864,7 @@ CK_RV ecdh_aes_key_wrap(STDLL_TokData_t *tokdata, SESSION *sess,
+      */
+     rc = encr_mgr_encrypt(tokdata, sess, FALSE, &aeskw_ctx,
+                           in_data, in_data_len,
+-                          out_data + ecdh_params.ulPublicDataLen,
++                          out_data + pub_ec_point_len,
+                           &wrapped_key_len);
+     if (rc != CKR_OK) {
+         TRACE_ERROR("Failed to encrypt the to-be-wrapped key: %s (0x%lx)\n",

openCryptoki.changes

@@ -1,3 +1,39 @@
+-------------------------------------------------------------------
+Fri Jan 16 08:33:23 UTC 2026 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Applied a patch (bsc#1256673, CVE-2026-22791)
+  * openCryptoki-CVE-2026-22791-commit-e37e912.patch
+- Modified the .spec file for Immutable Mode (jsc#PED-14798) 
+
+-------------------------------------------------------------------
+Wed Nov 12 09:04:02 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
+
+- Upgrade openCryptoki to 3.26 (jsc#PED-14609) 
+  * Soft: Add support for RSA keys up to 16K bits.
+  * CCA: Add support for RSA keys up to 8K bits (requires CCA v8.4 or v7.6 or later).
+  * p11sak: Add support for generating RSA keys up to 16K bits.
+  * Soft/ICA: Add support for SHA512/224 and SHA512/256 key derivation mechanism (CKM_SHA512_224_KEY_DERIVATION and CKM_SHA512_256_KEY_DERIVATION).
+  * Soft/ICA/CCA/EP11: Add support for SHA-HMAC key types CKK_SHAxxx_HMAC and key gen mechanisms CKM_SHAxxx_KEY_GEN.
+  * p11sak: Add support for SHA-HMAC key types and key generation.
+  * p11sak: Add support for key wrap and unwrap commands to export and import private and secret keys by means of key wrapping/unwrapping 
+    with various key wrapping mechanism.
+  * p11kmip: Add support for using an HSM-protected TLS client key via a PKCS#11 provider.
+  * p11sak: Add support for exporting non-sensitive private keys to password protected PEM files.
+  * Add support for canceling an operation via NULL mechanism pointer at C_XxxInit() call as an alternative to C_SessionCancel() (PKCS#11 v3.0).
+  * EP11: Add support for pairing friendly BLS12-381 EC curve for sign/verify using CKM_IBM_ECDSA_OTHER and signature/public key aggregation using CKM_IBM_EC_AGGREGATE.
+  * p11sak: Add support for generating BLS12-381 EC keys.
+  * EP11: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires an EP11 host library v4.2 or later, and 
+    a CEX8P crypto card with firmware v9.6 or later on IBM z17, and v8.39 or later on IBM z16).
+  * CCA: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires CCA v8.4 or later).
+  * Soft: Add support for IBM-specific ML-DSA and ML-KEM key types and mechanisms (requires OpenSSL 3.5 or later, or the OQS-provider must be configured).
+  * p11sak: Add support for IBM-specific ML-DSA and ML-KEM key types.
+  * Bug fixes. 
+- Removed obsolete patches
+  * ocki-3.25-remove-make-install-chgrp.patch 
+  * ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
+- Applied a new patch for version 3.26
+  * ocki-3.26-remove-make-install-chgrp.patch 
+
 -------------------------------------------------------------------
 Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 
@@ -7,7 +43,7 @@ Thu Aug 14 04:56:04 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>
 -------------------------------------------------------------------
 Tue Jul 29 07:27:20 UTC 2025 - Andreas Schwab <schwab@suse.de>
 
-- Add riscv54 to openCryptoki_64bit_arch
+- Add riscv64 to openCryptoki_64bit_arch
 
 -------------------------------------------------------------------
 Mon Jun 16 09:43:23 UTC 2025 - Nikolay Gueorguiev <nikolay.gueorguiev@suse.com>

openCryptoki.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package openCryptoki
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -27,7 +27,7 @@
 %define oc_cvs_tag opencryptoki
 
 Name:           openCryptoki
-Version:        3.25.0
+Version:        3.26.0
 Release:        0
 Summary:        An Implementation of PKCS#11 (Cryptoki) v2.11 for IBM Cryptographic Hardware
 License:        CPL-1.0
@@ -39,9 +39,9 @@ Source2:        openCryptoki-TFAQ.html
 Source3:        openCryptoki-rpmlintrc
 # Patch 0 is needed because group pkcs11 doesn't exist in the build environment
 # and because we don't want(?) various file and directory permissions to be 0700.
-Patch000:       ocki-3.25-remove-make-install-chgrp.patch
+Patch000:       ocki-3.26-remove-make-install-chgrp.patch
 #
-Patch010:       ocki-3.25-PKCSSLOTD-Remove-the-use-of-MD5.patch
+Patch010:       openCryptoki-CVE-2026-22791-commit-e37e912.patch
 #
 BuildRequires:  bison
 BuildRequires:  dos2unix
@@ -171,10 +171,25 @@ dos2unix doc/README.ep11_stdll
 %install
 %make_install
 install -d %{buildroot}%{_includedir}
-install -d %{buildroot}%{_localstatedir}/lib/opencryptoki
+# Move data templates from /var to /usr/share/opencryptoki for tmpfiles to use
+install -d %{buildroot}%{_datadir}/opencryptoki/templates
 install -d %{buildroot}%{_initddir}
 install -d %{buildroot}%{_sbindir}
 install -d %{buildroot}%{_prefix}/lib/tmpfiles.d
+# Define the tmpfiles.d configuration
+cat > %{buildroot}%{_prefix}/lib/tmpfiles.d/opencryptoki.conf <<EOF
+# Type Path        Mode UID  GID  Age Argument
+d /var/lib/opencryptoki 0755 root pkcs11 - -
+d /var/lib/opencryptoki/swtok 0770 root pkcs11 - -
+d /var/lib/opencryptoki/swtok/TOK_OBJ 0770 root pkcs11 - -
+d /var/lib/opencryptoki/tpm 0770 root pkcs11 - -
+d /var/lib/opencryptoki/icsf 0770 root pkcs11 - -
+d /var/log/opencryptoki 0770 root pkcs11 - -
+L+ /etc/pkcs11 - - - - /var/lib/opencryptoki
+EOF
+# Remove manual directory creation in %install that belongs in /var
+rm -rf %{buildroot}%{_localstatedir}/lib/opencryptoki
+rm -rf %{buildroot}%{_localstatedir}/log/opencryptoki
 #
 mkdir -p %{buildroot}%{_datadir}/opencryptoki
 cp %{buildroot}%{_datadir}/doc/opencryptoki/*.conf %{buildroot}%{_datadir}/opencryptoki
@@ -199,22 +214,13 @@ getent passwd pkcsslotd 2>/dev/null || %{_sbindir}/useradd -g %{pkcs_group} -r p
 %{service_del_preun pkcsslotd.service}
 
 %post
-# Symlink from /var/lib/opencryptoki to /etc/pkcs11
-if [ ! -L %{_sysconfdir}/pkcs11 ] ; then
-	if [ -e %{_sysconfdir}/pkcs11/pk_config_data ] ; then
-		mv %{_sysconfdir}/pkcs11/* %{_localstatedir}/lib/opencryptoki
-		cd %{_sysconfdir} && rm -rf pkcs11 && \
-			ln -sf %{_localstatedir}/lib/opencryptoki pkcs11
-	fi
-fi
+# Use the systemd-tmpfiles macro to ensure directories are created on next boot/transaction
+%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf
 /sbin/ldconfig
-%{?tmpfiles_create:%tmpfiles_create %{_tmpfilesdir}/opencryptoki.conf}
 %{service_add_post pkcsslotd.service}
 
 %postun
-if [ -L %{_sysconfdir}/pkcs11 ] ; then
-	rm %{_sysconfdir}/pkcs11
-fi
+/sbin/ldconfig
 %{service_del_postun pkcsslotd.service}
 
 %ifarch %{openCryptoki_32bit_arch}
@@ -282,8 +288,6 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %ifnarch i586
 %config %{_sysconfdir}/opencryptoki/ccatok.conf
 %{_sbindir}/pkcscca
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ccatok/TOK_OBJ
 %endif
 %{_sbindir}/p11kmip
 %{_sbindir}/pkcsslotd
@@ -295,20 +299,12 @@ ln -sf %{_libdir}/opencryptoki/libopencryptoki.so %{_prefix}/lib/pkcs11/PKCS11_A
 %dir %{_libdir}/opencryptoki
 %dir %{_libdir}/opencryptoki/stdll
   # State and lock directories
-%dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/swtok/TOK_OBJ
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/tpm
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/icsf
-%ifarch s390 s390x
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/ep11tok/TOK_OBJ
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki/lite/TOK_OBJ
-%endif
-%dir %attr(770,root,%{pkcs_group}) %{_localstatedir}/log/opencryptoki/
 %{_mandir}/man*/*
 %{_sbindir}/pkcshsm_mk_change
+#
+%{_prefix}/lib/tmpfiles.d/opencryptoki.conf
+# Ensure we don't package files in /var directly
+%ghost %dir %attr(755,root,%{pkcs_group}) %{_localstatedir}/lib/opencryptoki
 
 %files devel
 %dir %{_libdir}/opencryptoki